Hi there,

I was toying around with ipfilter while deciding which firewall package to
use, and ran into the following:

- Build some testing rules in /etc/ipf.conf
- boot the system with ipfilter_enable="YES", ipmon_enable="YES",
  ipmon_flags="-L security -Ds" in /etc/rc.conf
- Browse the web a bit, let pidgin start and authenticate with ICQ and MSN
- Browse email using mutt on an nfs mounted mailstore
- Check out the firewall statistics using for example "ipfstat -hio" and
  "ipfstat -t"
- Probably other stuff I forgot to mention

Extra info: I'm using sudo to do root things.

Then I decided it was time to "/etc/rc.d/ipmon stop", "/etc/rc.d/ipfilter
stop" and "kldunload ipl".

When I did the final "kldunload ipl" from an xterm inside Xorg, my system
spontaneously rebooted seconds later. 

The kernel did get the chance to flush "Dec  9 21:52:45 donald kernel: IP
Filter: v4.1.28 unloaded" to /var/log/messages through syslog(d).

No core was dumped, but I'm pretty sure that it never would, since I happen
to have the silly combination of dumpdev="/dev/ad4s1b" in /etc/rc.conf, but
also kern.coredump=0 in /etc/sysctl.conf.  At some point I got bored by
linux-firefox/linux-flash dumping core in my nfs mounted homedirectory and
fixed it with the syscontrol, but didn't bother to get rid of the rc.conf
entry.  That particular issue got fixed by the way, thank the gods for
freebsd native firefox in combination with linux-flashplayer10.  But I'm
sidetracking here.

I'd be willing to send my firewall rules to some freebsd security address
somewhere, but I don't consider it wise to include it in an email to a
public list.  Even though it ran on a test system behind a NAT gateway running
on my ADSL modem.
What I can share about it here is that it was a default open list in that
the rules for incoming and outgoing ended with the following for the sake of
diagnostics output/counters:
pass out log first quick on nfe0 proto tcp all
pass out log first quick on nfe0 proto udp all
pass out log first quick on nfe0 proto icmp all
pass out log first quick on nfe0 all
pass in log first quick on nfe0 all

I'm including my current rc.conf, pciconf -lv output, kernel config and
uname -a output assuming that might be useful in case anyone wants to look
at this.  I'm also willing to try to trigger it again while kern.coredump=1
if needed, hoping it wouldn't take too long. ;-)
You will see the ipfilter things taken out of the rc.conf, because I booted
single-user and took them out for now; they used to be there however.

Other things that may be related are that I do load the days-ago released
nvidia kernel module, and also run powerd.

Anybody interested? :-)
For now I'll step away from ipfilter, but I may revisit it again later.

Thanks!

Marco van Tol

-- 
"Micro$oft likes to discard vulnerabilities by `no standard client
would do this.'  No, and no `standard visitor' would apply a crowbar
to your patio door, either." - H. Peter Anvin in linux-kernel.

--- kernel config (DONALD) ---
cpu             HAMMER
ident           DONALD

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         NFSCLIENT               # Network Filesystem Client
options         NFSLOCKD                # Network Lock Manager
options         NTFS                    # NT File System
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_43TTY            # BSD 4.3 TTY compat (sgtty)
options         COMPAT_IA32             # Compatible with i386 binaries
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         P1003_1B_SEMAPHORES     # POSIX-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
options         MAC                     # TrustedBSD MAC Framework
options         FLOWTABLE               # per-cpu routing cache

# Make an SMP-capable kernel by default
options         SMP                     # Symmetric MultiProcessor Kernel

# CPU frequency control
device          cpufreq

# Bus support.
device          acpi
device          pci

# Floppy drives
device          fdc

# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
device          ataraid         # ATA RAID drives
device          atapicd         # ATAPI CDROM drives
device          atapifd         # ATAPI floppy drives
options         ATA_STATIC_ID   # Static device numbering

# SCSI peripherals
device          scbus           # SCSI bus (required for SCSI)
device          ch              # SCSI media changers
device          da              # Direct Access (disks)
device          cd              # CD
device          pass            # Passthrough device (direct SCSI access)
device          ses             # SCSI Environmental Services (and SAF-TE)

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse

device          kbdmux          # keyboard multiplexer

device          vga             # VGA video card driver

device          splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

device          agp             # support several AGP chipsets

# Serial (COM) ports
device          uart            # Generic UART driver

# Parallel port
device          ppc
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          ppi             # Parallel port interface device

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          nfe             # nVidia nForce MCP on-board Ethernet

# Pseudo devices.
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
device          pty             # BSD-style compatibility pseudo ttys
device          md              # Memory "disks"
device          firmware        # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter

# USB support
device          ohci            # OHCI PCI->USB interface
device          ehci            # EHCI PCI->USB interface (USB 2.0)
device          usb             # USB Bus (required)
device          uhid            # "Human Interface Devices"
device          ukbd            # Keyboard
device          ulpt            # Printer
device          umass           # Disks/Mass storage - Requires scbus and da
device          ums             # Mouse

# FireWire support
device          firewire        # FireWire bus code
device          dcons           # Dumb console driver
device          dcons_crom      # Configuration ROM for dcons

#
# [email protected]
#
device          smbus           # Bus support, required for smb below.
device          nfsmb           # NVIDIA nForce2/3/4 MCP SMBus 2.0 Controller
device          smb

device          sound
device          snd_ich

options         COMPAT_LINUX32  # Enable Linux ABI emulation
options         LINPROCFS       # Enable the linux-like proc filesystem support
options         LINSYSFS        # Enable the linux-like sys filesystem support

# Direct Rendering modules for 3D acceleration.
device          drm

# amdtemp: on-die sensor on AMD K8/K10/K11 CPUs
device          amdtemp

--- pciconf -lv ---
no...@pci0:0:0:0:       class=0x058000 card=0x50001458 chip=0x005e10de rev=0xa3 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 Memory Controller'
    class      = memory
is...@pci0:0:1:0:       class=0x060100 card=0x0c111458 chip=0x005010de rev=0xa3 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 PCI to ISA Bridge'
    class      = bridge
    subclass   = PCI-ISA
nfs...@pci0:0:1:1:      class=0x0c0500 card=0x0c111458 chip=0x005210de rev=0xa2 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 SMBus'
    class      = serial bus
    subclass   = SMBus
oh...@pci0:0:2:0:       class=0x0c0310 card=0x50041458 chip=0x005a10de rev=0xa2 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 USB Controller'
    class      = serial bus
    subclass   = USB
eh...@pci0:0:2:1:       class=0x0c0320 card=0x50041458 chip=0x005b10de rev=0xa3 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 USB 2.0 Controller'
    class      = serial bus
    subclass   = USB
p...@pci0:0:4:0:        class=0x040100 card=0xae011458 chip=0x005910de rev=0xa2 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'Realtek AC'97 Audio (Realtek ALC850)'
    class      = multimedia
    subclass   = audio
atap...@pci0:0:6:0:     class=0x01018a card=0x50021458 chip=0x005310de rev=0xf2 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 Parallel ATA Controller'
    class      = mass storage
    subclass   = ATA
atap...@pci0:0:7:0:     class=0x010185 card=0xb0031458 chip=0x005410de rev=0xf3 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'CK804 SATA/RAID Controller (CK804)'
    class      = mass storage
    subclass   = ATA
atap...@pci0:0:8:0:     class=0x010185 card=0xb0031458 chip=0x005510de rev=0xf3 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'CK804 SATA/RAID Controller (CK804)'
    class      = mass storage
    subclass   = ATA
pc...@pci0:0:9:0:       class=0x060401 card=0x00000000 chip=0x005c10de rev=0xa2 hdr=0x01
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 PCI Bridge'
    class      = bridge
    subclass   = PCI-PCI
n...@pci0:0:10:0:       class=0x068000 card=0xe0001458 chip=0x005710de rev=0xa3 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'NVidia Network Bus Enumerator Description du périphériquenVIDIA nForce4 SLI (CK8-04) - LAN Controll (nForce4 Ultra)'
    class      = bridge
pc...@pci0:0:11:0:      class=0x060400 card=0x00000000 chip=0x005d10de rev=0xa3 hdr=0x01
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 PCIe Bridge'
    class      = bridge
    subclass   = PCI-PCI
pc...@pci0:0:12:0:      class=0x060400 card=0x00000000 chip=0x005d10de rev=0xa3 hdr=0x01
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 PCIe Bridge'
    class      = bridge
    subclass   = PCI-PCI
pc...@pci0:0:13:0:      class=0x060400 card=0x00000000 chip=0x005d10de rev=0xa3 hdr=0x01
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 PCIe Bridge'
    class      = bridge
    subclass   = PCI-PCI
pc...@pci0:0:14:0:      class=0x060400 card=0x00000000 chip=0x005d10de rev=0xa3 hdr=0x01
    vendor     = 'Nvidia Corp'
    device     = 'nForce4 PCIe Bridge'
    class      = bridge
    subclass   = PCI-PCI
hos...@pci0:0:24:0:     class=0x060000 card=0x00000000 chip=0x11001022 rev=0x00 hdr=0x00
    vendor     = 'Advanced Micro Devices (AMD)'
    device     = 'Athlon64/Opteron/Sempron (K8 Family) HyperTransport Technology Configuration'
    class      = bridge
    subclass   = HOST-PCI
hos...@pci0:0:24:1:     class=0x060000 card=0x00000000 chip=0x11011022 rev=0x00 hdr=0x00
    vendor     = 'Advanced Micro Devices (AMD)'
    device     = 'Athlon64/Opteron/Sempron (K8 Family) Address Map'
    class      = bridge
    subclass   = HOST-PCI
hos...@pci0:0:24:2:     class=0x060000 card=0x00000000 chip=0x11021022 rev=0x00 hdr=0x00
    vendor     = 'Advanced Micro Devices (AMD)'
    device     = 'Athlon64/Opteron/Sempron (K8 Family) DRAM Controller'
    class      = bridge
    subclass   = HOST-PCI
hos...@pci0:0:24:3:     class=0x060000 card=0x00000000 chip=0x11031022 rev=0x00 hdr=0x00
    vendor     = 'Advanced Micro Devices (AMD)'
    device     = 'Athlon64/Opteron/Sempron (K8 Family) Miscellaneous Control'
    class      = bridge
    subclass   = HOST-PCI
fwoh...@pci0:1:10:0:    class=0x0c0010 card=0x10001458 chip=0x8025104c rev=0x01 hdr=0x00
    vendor     = 'Texas Instruments (TI)'
    device     = '1394b OHCI-Lynx IEEE 1394 Host Controller (TSB82AA2)'
    class      = serial bus
    subclass   = FireWire
vgap...@pci0:5:0:0:     class=0x030000 card=0x21801682 chip=0x009110de rev=0xa1 hdr=0x00
    vendor     = 'Nvidia Corp'
    device     = 'GeForce 7800 GTX (G70)'
    class      = display
    subclass   = VGA

--- uname -a ---
FreeBSD donald.home.tols.org 8.0-STABLE FreeBSD 8.0-STABLE #2: Sat Dec  5 02:31:09 CET 2009     [email protected]:/usr/obj/usr/src/sys/DONALD  amd64

--- rc.conf ---
# -- sysinstall generated deltas -- # Mon Sep 22 14:34:31 2008
# Created: Mon Sep 22 14:34:31 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
anacron_enable="YES"
background_fsck="NO"
cupsd_enable="YES"
dbus_enable="YES"
dumpdev="/dev/ad4s1b"
fsck_y_enable="YES"
hald_enable="YES"
hostname="donald.home.tols.org"
linux_enable="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
powerd_enable="YES"
smartd_enable="YES"
smartd_flags="-l local0"
sshd_enable="YES"
syslogd_flags="-ss"

# Interface settings
# Synchronous dhcp, otherwise ntpd and nfs mounts fail
ifconfig_nfe0="syncdhcp"

# NFS Settings
nfs_client_enable="YES"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[email protected]"
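The rule set quoted in the post passes and logs everything in both directions, so the only per-rule view of the traffic is what ipmon writes to syslog (with `-L security -Ds`, the security facility, which FreeBSD's default syslog.conf sends to /var/log/security). The script below is an added example, not code from the post, that reduces those ipmon lines to hit counts per direction, action and rule in POSIX sh and awk. The sample log lines are constructed, laid out as ipmon(8) documents its per-packet record (timestamp, interface, `@group:rule`, `p`/`b`, src,port -> dst,port, `PR proto`, lengths, TCP flags, `IN`/`OUT`) behind a syslog prefix; they deliberately include two blocked inbound packets, which the all-pass set above could not have produced, to show what a default-deny final rule such as `block in log first quick on nfe0 all` would record instead. The `@group:rule` numbers are the ones `ipfstat -ion` prints beside its hit counters, so the two views can be cross-checked.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ipmon(8) syslog
# output as produced by "ipmon -L security -Ds" for "log first quick" rules.
#
# Assumed per-packet line layout (from ipmon(8)):
#   <syslog prefix> HH:MM:SS.uuuuuu iface @group:rule p|b src,sport -> dst,dport PR proto len hl tl [flags] IN|OUT

# Constructed sample lines (assumptions for this example, not data from the post).
SAMPLE_LOG='Dec  9 21:40:01 donald ipmon[611]: 21:40:01.103221 nfe0 @0:12 p 192.168.1.10,49152 -> 198.51.100.7,80 PR tcp len 20 60 -S OUT
Dec  9 21:40:01 donald ipmon[611]: 21:40:01.188402 nfe0 @0:13 p 192.168.1.10,49153 -> 192.168.1.1,53 PR udp len 20 61 OUT
Dec  9 21:40:03 donald ipmon[611]: 21:40:03.001934 nfe0 @0:16 p 198.51.100.7,80 -> 192.168.1.10,49152 PR tcp len 20 52 -AS IN
Dec  9 21:40:05 donald ipmon[611]: 21:40:05.772110 nfe0 @0:16 b 203.0.113.9,6000 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
Dec  9 21:40:06 donald ipmon[611]: 21:40:06.002111 nfe0 @0:16 b 203.0.113.9,6000 -> 192.168.1.10,23 PR tcp len 20 60 -S IN'

# ipmon_summary: read ipmon lines on stdin, print "count dir action @group:rule proto",
# most frequent first.  The "@group:rule" token is located by pattern so the
# width of the syslog prefix does not matter.
ipmon_summary() {
    awk '
    /ipmon\[[0-9]+\]:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) break
        if (i > NF) next
        rule = $i; action = $(i+1); dir = $NF
        proto = "?"
        for (j = i; j < NF; j++) if ($j == "PR") { proto = $(j+1); break }
        n[dir " " action " " rule " " proto]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# ipmon_count DIR ACTION: number of lines with direction IN|OUT and action p|b.
ipmon_count() {
    awk -v d="$1" -v a="$2" '
    /ipmon\[[0-9]+\]:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) break
        if (i <= NF && $(i+1) == a && $NF == d) c++
    }
    END { print c + 0 }'
}

# ipmon_blocked_in_ports: "src -> dport" for every blocked inbound packet,
# i.e. what a default-deny final rule would have logged.
ipmon_blocked_in_ports() {
    awk '
    /ipmon\[[0-9]+\]:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) break
        if (i > NF || $(i+1) != "b" || $NF != "IN") next
        split($(i+2), s, ","); split($(i+4), d, ",")
        print s[1] " -> " d[2]
    }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | ipmon_summary
```

After sourcing the file, real logs go through the same functions, for example `grep 'ipmon\[' /var/log/security | ipmon_summary`. Counting by `@group:rule` rather than by address is what makes the diagnostic "log first quick" rules useful: it tells you which rule in /etc/ipf.conf actually matched, and a rule that never appears is either shadowed by an earlier `quick` rule or never reached.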