Re: Blocking RIP requests on firewall
On Wednesday 13 August 2003 11:27 am, Darryl Hoar wrote:
> -----Original Message-----
> From: Mark Woodson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 13, 2003 11:54 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Blocking RIP requests on firewall
>
> > On Wednesday 13 August 2003 07:53 am, Darryl Hoar wrote:
> > > Greetings,
> > > I have a FreeBSD 4.7S machine that is running IPFilter and is
> > > configured as a firewall. My external interface is xl0. I put
> > >
> > > block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
> > >
> > > reloaded the rules (by rebooting. I have it locked down). it still
> > > generates log entries in my firewall_log file.
> >
> > Can you show an example of the log entry you're seeing?
> >
> > > block return-rst in log quick on xl0 proto tcp from any to any
> > > block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
> > > block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
> >
> > if you change this to:
> >
> > block in quick on xl0 proto udp from any to any port = 520
> >
> > You will drop any packet bound for port 520 without logging, not just
> > ones from 10.0.0.1
> >
> > > block in log quick on xl0 all
> >
> > The other entries have the log keyword so will be generating entries.
>
> here's a couple of the entries:
>
> Aug 13 13:20:59 darryl ipmon[98]: 13:20:58.166238 xl0 @0:3 b 10.0.0.1,router -> 10.0.0.255,router PR udp len 20 72 IN
> Aug 13 13:21:28 darryl ipmon[98]: 13:21:28.164643 xl0 @0:3 b 10.0.0.1,router -> 10.0.0.255,router PR udp len 20 72 IN
>
> I'm kind of at a loss, since it's using rule 3 (which appears to be the
> rule you've got to not log).

What's the output of ipfstat -in (shows the input filter with line #'s).

-Mark

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Blocking RIP requests on firewall
Darryl Hoar [EMAIL PROTECTED] writes:

> Greetings,
> I have a FreeBSD 4.7S machine that is running IPFilter and is configured
> as a firewall. My external interface is xl0. I put
>
> block in quick on xl0 proto udp from 10.0.0.1 to any port = 520

All of the packets are coming from 10.0.0.1?
Re: Blocking RIP requests on firewall
(top quoting makes following threads difficult)

On Wednesday 13 August 2003 12:49 pm, Darryl Hoar wrote:
> ipfstat -in shows:
>
> @1 pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state
> @2 block return-rst in log quick on xl0 proto tcp from any to any
> @3 block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any

This line is blocking the router messages. Put the rule above it in the
list and that should take care of it.

That message would seem to be in effect just blocking any udp traffic in
on that interface. I'm not sure that the rule is working like you expect
it to. Not sure how to fix it, but I don't think icmp port-unreach's come
in as udp packets.

> @4 block in quick on xl0 proto udp from 10.0.0.1/32 to any port = 520
> @5 block in log quick on xl0 from any to any
> @6 pass in quick on xl1 proto tcp from any to any flags S/FSRPAU
> @7 pass in quick on xl1 proto udp from any to any keep state
> @8 pass in quick on xl1 proto icmp from any to any keep state
> @9 block in quick on xl1 from any to any
> @10 pass in quick on lo0 from any to any
>
> I don't get it. the log entries seem to be from rip, but its logging at
> rule 3.

If you ignore the return-icmp-as-dest(port-unr) it makes total sense,
since it is denying any udp from any address coming in on xl0.

-Mark
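The ordering point Mark makes above, as an added example that is not part of the thread: a small Python first-match simulator for the rule shapes in Darryl's ruleset, which evaluates the packet from the ipmon log (udp 10.0.0.1 to 10.0.0.255, port 520, in on xl0) against the rules as listed and against the reordered version. The parser, the packet fields and the FIXED list are this example's own assumptions, not ipf's API or the thread's code.

```python
import re
from ipaddress import ip_address, ip_network

# Rule shapes used in this thread; trailing "keep state"/"flags ..." are ignored.
RULE = re.compile(
    r"^(pass|block)(?:\s+return-\S+)?\s+(in|out)(\s+log)?(\s+quick)?\s+on\s+(\S+)"
    r"(?:\s+proto\s+(\S+))?\s+(?:all|from\s+(\S+)\s+to\s+(\S+)(?:\s+port\s*=\s*(\d+))?)")

def parse_rule(text):
    m = RULE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    action, direction, log, quick, iface, proto, src, dst, port = m.groups()
    return {"action": action, "dir": direction, "log": bool(log), "quick": bool(quick),
            "iface": iface, "proto": proto, "src": src or "any", "dst": dst or "any",
            "port": int(port) if port else None}

def addr_match(spec, addr):  # a bare host address in ipf means /32
    return spec == "any" or ip_address(addr) in ip_network(spec if "/" in spec else spec + "/32")

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["iface"] == pkt["iface"]
            and rule["proto"] in (None, pkt["proto"])
            and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
            and rule["port"] in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """Return (rule number, action, logged). ipf keeps the *last* matching rule
    unless a matching rule says 'quick', which ends the search immediately."""
    result = (0, "pass", False)  # nothing matched: ipf's default is to pass
    for n, text in enumerate(rules, 1):
        r = parse_rule(text)
        if matches(r, pkt):
            result = (n, r["action"], r["log"])
            if r["quick"]:
                break
    return result

# Inbound xl0 rules as Darryl's "ipfstat -in" listed them (@1..@5).
ORIGINAL = [
    "pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state",
    "block return-rst in log quick on xl0 proto tcp from any to any",
    "block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any",
    "block in quick on xl0 proto udp from 10.0.0.1/32 to any port = 520",
    "block in log quick on xl0 from any to any",
]
# Mark's fix: the port-520 rule moved above the catch-all UDP block, written "from any".
FIXED = ORIGINAL[:2] + ["block in quick on xl0 proto udp from any to any port = 520"] + ORIGINAL[2:]
# Packet constructed from the ipmon log line ("router" is the service name for port 520, RIP).
RIP_PKT = {"dir": "in", "iface": "xl0", "proto": "udp",
           "src": "10.0.0.1", "dst": "10.0.0.255", "dport": 520}
```

evaluate(ORIGINAL, RIP_PKT) stops at rule 3 with logging on, exactly what the "@0:3 b" log entries show; evaluate(FIXED, RIP_PKT) stops at the relocated port-520 rule with logging off.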
Blocking RIP requests on firewall
Greetings,
I have a FreeBSD 4.7S machine that is running IPFilter and is configured as
a firewall. My external interface is xl0. I put

block in quick on xl0 proto udp from 10.0.0.1 to any port = 520

reloaded the rules (by rebooting. I have it locked down). it still
generates log entries in my firewall_log file.

here is my ipf.rules file.

# Outside Interface
#---
# Allow out all TCP, UDP and ICMP traffic keep state on it
# so that it's allowed back in.
#---
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all
#--
# Allow bootp traffic in from your ISP's DHCP server only
#--
pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state
#---
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service isn't listening)
# - Block UDP with an ICMP Port Unreachable (make it appear as if it isn't
#   listening)
# - Block all remaining traffic the good 'ol fashioned way
#
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
block in log quick on xl0 all
##
# Inside Interface
##
#-
# Allow out all TCP, UDP, and ICMP traffic keep state
#-
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all
#
# Allow in all TCP, UDP and ICMP traffic and keep state
#
pass in quick on xl1 proto tcp from any to any flags S
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all
# Loopback Interface
#--
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#-
pass in quick on lo0 all
pass out quick on lo0 all

thanks in advance.

-Darryl
RE: Blocking RIP requests on firewall
Yes, 10.0.0.1 is the SMC ADSL modem (external). It is running DHCP and
assigns the ip to my firewall.

ISP's DSL Line - ADSL Modem - Firewall - LAN

-Darryl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lowell Gilbert
Sent: Wednesday, August 13, 2003 12:51 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Blocking RIP requests on firewall

Darryl Hoar [EMAIL PROTECTED] writes:

> Greetings,
> I have a FreeBSD 4.7S machine that is running IPFilter and is configured
> as a firewall. My external interface is xl0. I put
>
> block in quick on xl0 proto udp from 10.0.0.1 to any port = 520

All of the packets are coming from 10.0.0.1?
Re: Blocking RIP requests on firewall
...top-post, please don't

Darryl Hoar [EMAIL PROTECTED] writes:

> Yes, 10.0.0.1 is the SMC ADSL modem (external). It is running DHCP and
> assigns the ip to my firewall.
>
> ISP's DSL Line - ADSL Modem - Firewall - LAN

Then the packets *aren't* being sourced from 10.0.0.1; that's just the
last router that passed them along. I think you want to say any instead
of that IP address.

> -Darryl
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lowell Gilbert
> Sent: Wednesday, August 13, 2003 12:51 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Blocking RIP requests on firewall
>
> Darryl Hoar [EMAIL PROTECTED] writes:
>
> > Greetings,
> > I have a FreeBSD 4.7S machine that is running IPFilter and is configured
> > as a firewall. My external interface is xl0. I put
> >
> > block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
>
> All of the packets are coming from 10.0.0.1?