Re: Firewall and FreeBSD ports

2008-10-10 Thread RW
On Fri, 10 Oct 2008 11:41:40 -0700
Jeremy Chadwick <[EMAIL PROTECTED]> wrote:

> On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
> > On Fri, 10 Oct 2008 09:51:16 -0700
> > Jeremy Chadwick <[EMAIL PROTECTED]> wrote:

> > passive ftp has been the default for long time, fetch is called
> > with the -p option.
> 
> Let's give the users some actual detail, not terse one-liners which
> will induce more questions/confusion.


< Snip some facts used as a blunt instrument > 

> The OP did not disclose how he was installing ports.  A lot of users
> think that packages == ports, 

I don't normally do this as Watson is usually less impressed when
Holmes reveals his working, but the clues were there. He wrote: 

   "install software with ports (i.e, the 
   /usr/ports collection.)"

and 

   "FTP to grab source files from mirrors"

If you combine that with crediting the poster with enough common sense
to mention he was using a version before 6.2, then it seemed unlikely
to be a problem with active FTP. 

BTW neither of us actually answered the question. I know I forgot as I
was in a hurry. I'm pretty sure you didn't either, but I don't have the
time to read all of your reply in detail.

The answer is: enable outgoing tcp connections to port 21 and to all
ports above 1023.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
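RW's two-line answer, written out as a pf.conf fragment. This is an added example, not a ruleset anyone posted in the thread; the external interface name em0 and the inbound ssh rule are assumptions, and the odd-port mirror is Jeremy's hypothetical from later in the thread.

```pf
# Added example (not from the thread).  Outbound policy for a FreeBSD 7.x
# host that fetches distfiles with fetch(1): HTTP mirrors plus passive FTP.
# "em0" is a placeholder for the external interface.
ext_if = "em0"

set skip on lo0
block all

# Name resolution for the mirror hostnames.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state

# HTTP mirrors.  Nothing forces a MASTER_SITE onto port 80, so a mirror
# such as http://lelele.com:9382/ would still need its own rule.
pass out on $ext_if proto tcp from ($ext_if) to any port 80 keep state

# Passive FTP.  The client opens the control connection to port 21, the
# server answers PASV with a high port, and the client opens a second,
# again outbound, connection to that port.  keep state lets the replies
# back in, so no "pass in" rule for FTP is needed.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023 keep state

# Whatever else the box legitimately needs, e.g. inbound ssh (assumption).
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. If opening every unprivileged port outbound is more than you want, RW's `MASTER_SORT_REGEX?= ^http:` in /etc/make.conf makes the ports framework prefer HTTP mirrors and the two FTP lines can go; with a proxy on the network, fetch(1) honours the http_proxy and ftp_proxy variables Wojciech mentions, and then only the proxy port needs to be open.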


Fwd: Firewall and FreeBSD ports

2008-10-10 Thread John Almberg




sh/bash: export FTP_PASSIVE_MODE=true

Ah... because in passive mode, the client (my server) sets the data
port, and my PF rules allow return data on the port used for the
request.


Okay... that makes sense, I think... (little by little, it sinks in...)

-- John




Fwd: Firewall and FreeBSD ports

2008-10-10 Thread John Almberg

On Oct 10, 2008, at 2:41 PM, Jeremy Chadwick wrote:


On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:

On Fri, 10 Oct 2008 09:51:16 -0700
Jeremy Chadwick <[EMAIL PROTECTED]> wrote:


On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:

I just set up a new server with a very restricted PF configuration.
One problem: I can no longer install software with ports (i.e,
the / usr/ports collection.) I have to disable PF to do so.
Obviously not a great solution.

Am I correct in guessing that ports uses FTP to grab source files
from mirrors? I'm trying to figure out the smallest number of ports
(the TCP/IP kind) that I need to open in my firewall. I don't want
to enable incoming FTP requests, but do want to allow outgoing ftp
requests, I believe.

Am I on the right track, here?


See the fetch(1) man page.  Try this first:

sh/bash: export FTP_PASSIVE_MODE=true
csh: setenv FTP_PASSIVE_MODE true


First off, this did solve the problem. Thank you, Jeremy.

Now, as to the why...



passive ftp has been the default for long time, fetch is called
with the -p option.


Let's give the users some actual detail, not terse one-liners which will
induce more questions/confusion.

First off, libfetch (which is what fetch(1) uses) itself DOES NOT
default to using FTP passive mode.  You have to either pass the -p
option to the fetch(1) binary, or you have to set the FTP_PASSIVE_MODE
environment variable (which affects anything using libfetch).

Secondly, the ports framework (not pkg_* tools!), specifically
ports/Mk/bsd.port.mk, defines FETCH_ARGS with the -p argument to force
passive mode.  This will be used for things like "make fetch".  It *will
not* be used for things like "pkg_add -r" or "pkg_add ftp://...";

The addition of the -p argument to FETCH_ARGS in ports/Mk/bsd.port.mk
was applied to HEAD on 2006/09/20.  HEAD at that time is what became
FreeBSD 6.2.  Of course, anyone updating their ports tree after that
date would also get the change; I'm just pointing it out so people know
what the actual date was when -p was added to the default argument list.


Now let's expand a bit on FTP_PASSIVE_MODE, because I'm absolutely sure
someone will try to argue "that's also been turned on by default for a
long time"; I know how people are...  :-)

FTP_PASSIVE_MODE being set by default on login shells was induced by an
addition to login.conf(5) back in late 2001 (around the time of
RELENG_6).  See revision 1.45 (not 1.44!) of src/etc/login.conf in
cvsweb.

But I'll remind people that login.conf only applies to login shells;
logging in on the console, or logging in to an account via "ssh
[EMAIL PROTECTED]".  Most people I know of *do not* SSH into their servers as
root; they SSH in as themselves and use sudo.  Some use su2, and some
use su


Root ssh access is disabled on this machine. I login as a normal  
user, and then use sudo. The only time I use su is when sudo does not  
work (another question for another day!)



Let's examine the behaviours:

$ env | grep FTP
FTP_PASSIVE_MODE=YES

As you can see here, the machine I've SSH'd into as myself does apply
login.conf's defaults.  But...

$ sudo -s
# env | grep FTP
# exit
$ sudo -i
# env | grep FTP
#


H'mmm... yes. This is true on my machine, too.



The above scenario (as root) fails, since the FTP_PASSIVE_MODE
environment variable isn't being handed down from the login shell (my
user account) to the root shell spawned by sudo[1].

su, on the other hand, does it a little differently:

$ su
Password:
# env | grep FTP
FTP_PASSIVE_MODE=YES

And likewise, "su -l" behaves the same way.


Yes... although I must say I'm confused by this behavior... In fact,  
it's the exact opposite of what I'd expect... from the su man pages


     -l      Simulate a full login.  The environment is discarded except for
             HOME, SHELL, PATH, TERM, and USER.  HOME and SHELL are modified
             as above.  USER is set to the target login.  PATH is set to
             ``/bin:/usr/bin''.

So why isn't the FTP environment variable discarded?



The OP did not disclose how he was installing ports.  A lot of users
think that packages == ports, so for all we know, he could be
pkg_add'ing things while using sudo and running into this.


I believe I am using ports. In this case, I had just installed and  
configured PF (the first thing I do, now, when building a new machine.)


I then wanted to install NTP:

cd /usr/ports/net/ntp
make config; make install clean

This failed because the mirrors were not accessible.



If "make fetch" in an actual port is timing out, then he's either doing
it on a machine with a ports tree prior to 2006/09/20 (see above), or
his outbound pf rules are so strict that the machine is absurdly
limited.


The machine has Production Release 7.0

Re: Firewall and FreeBSD ports

2008-10-10 Thread Wojciech Puchar
problem: I can no longer install software with ports (i.e, the /usr/ports 
collection.) I have to disable PF to do so. Obviously not a great solution.


Am I correct in guessing that ports uses FTP to grab source files from


FTP or HTTP.

if you have http proxy like squid in your network do

export http_proxy=http://yourproxy:port
export ftp_proxy=http://yourproxy:port



Re: Firewall and FreeBSD ports

2008-10-10 Thread Jeremy Chadwick
On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
> On Fri, 10 Oct 2008 09:51:16 -0700
> Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> 
> > On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> > > I just set up a new server with a very restricted PF configuration.
> > > One problem: I can no longer install software with ports (i.e,
> > > the / usr/ports collection.) I have to disable PF to do so.
> > > Obviously not a great solution.
> > >
> > > Am I correct in guessing that ports uses FTP to grab source files
> > > from mirrors? I'm trying to figure out the smallest number of ports
> > > (the TCP/IP kind) that I need to open in my firewall. I don't want
> > > to enable incoming FTP requests, but do want to allow outgoing ftp
> > > requests, I believe.
> > >
> > > Am I on the right track, here?
> > 
> > See the fetch(1) man page.  Try this first:
> > 
> > sh/bash: export FTP_PASSIVE_MODE=true
> > csh: setenv FTP_PASSIVE_MODE true
> 
> passive ftp has been the default for long time, fetch is called
> with the -p option.

Let's give the users some actual detail, not terse one-liners which will
induce more questions/confusion.

First off, libfetch (which is what fetch(1) uses) itself DOES NOT
default to using FTP passive mode.  You have to either pass the -p
option to the fetch(1) binary, or you have to set the FTP_PASSIVE_MODE
environment variable (which affects anything using libfetch).

Secondly, the ports framework (not pkg_* tools!), specifically
ports/Mk/bsd.port.mk, defines FETCH_ARGS with the -p argument to force
passive mode.  This will be used for things like "make fetch".  It *will
not* be used for things like "pkg_add -r" or "pkg_add ftp://...";

The addition of the -p argument to FETCH_ARGS in ports/Mk/bsd.port.mk
was applied to HEAD on 2006/09/20.  HEAD at that time is what became
FreeBSD 6.2.  Of course, anyone updating their ports tree after that
date would also get the change; I'm just pointing it out so people know
what the actual date was when -p was added to the default argument list.

Now let's expand a bit on FTP_PASSIVE_MODE, because I'm absolutely sure
someone will try to argue "that's also been turned on by default for a
long time"; I know how people are...  :-)

FTP_PASSIVE_MODE being set by default on login shells was induced by an
addition to login.conf(5) back in late 2001 (around the time of
RELENG_6).  See revision 1.45 (not 1.44!) of src/etc/login.conf in
cvsweb.

But I'll remind people that login.conf only applies to login shells;
logging in on the console, or logging in to an account via "ssh
[EMAIL PROTECTED]".  Most people I know of *do not* SSH into their servers as
root; they SSH in as themselves and use sudo.  Some use su2, and some
use su.

Let's examine the behaviours:

$ env | grep FTP
FTP_PASSIVE_MODE=YES

As you can see here, the machine I've SSH'd into as myself does apply
login.conf's defaults.  But...

$ sudo -s
# env | grep FTP
# exit
$ sudo -i
# env | grep FTP
#

The above scenario (as root) fails, since the FTP_PASSIVE_MODE
environment variable isn't being handed down from the login shell (my
user account) to the root shell spawned by sudo[1].

su, on the other hand, does it a little differently:

$ su
Password:
# env | grep FTP
FTP_PASSIVE_MODE=YES

And likewise, "su -l" behaves the same way.

The OP did not disclose how he was installing ports.  A lot of users
think that packages == ports, so for all we know, he could be
pkg_add'ing things while using sudo and running into this.

If "make fetch" in an actual port is timing out, then he's either doing
it on a machine with a ports tree prior to 2006/09/20 (see above), or
his outbound pf rules are so strict that the machine is absurdly
limited.

I've advocated in another thread my displeasure for filtering outbound
traffic *solely* because of this exact scenario.  Network admins seem
to think that "oh, HTTP is always going to use port 80", and likewise,
"oh, FTP is always going to use ports 20-21".  Bzzzt.  Nothing stops
a MASTER_SITE from being http://lelele.com:9382/.

[1]: The problem with sudo can be addressed; FTP_PASSIVE_MODE needs to
be added to the env_keep list in the default sudoers file.  I know the
port maintainer, so I'll take this up with him so that users (including
myself) don't keep getting bit by forgetting to set FTP_PASSIVE_MODE
after doing a sudo.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
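Jeremy's sudo-versus-su transcript, reproduced without root. This is an added example, not code from the thread or from FreeBSD: it emulates sudo's env_reset (start from an empty environment, copy back only the variables on a keep list) so you can watch FTP_PASSIVE_MODE vanish and then survive once it is on the keep list. The DEFAULT_KEEP list is a hypothetical stand-in for sudo's built-in list, not the real one. For John's question about su -l: on FreeBSD su -l rebuilds the environment from root's login class, so the setenv entry in login.conf is applied again, whereas sudo never consults login.conf.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeBSD: emulate what sudo's
# env_reset does to the environment so the disappearance of
# FTP_PASSIVE_MODE can be reproduced by an unprivileged user.
# Assumptions: POSIX sh and env(1) with -i; the keep lists below are
# hypothetical stand-ins for a sudoers "Defaults env_keep" setting.

# A deliberately short stand-in for sudo's built-in keep list.
DEFAULT_KEEP="HOME PATH TERM"

# Probe command: prints what a child shell sees in FTP_PASSIVE_MODE.
PROBE='printf "%s" "${FTP_PASSIVE_MODE:-unset}"'

# probe_inherited: like plain su(1), the child simply inherits the caller's
# environment, which is why the "su" transcript still shows
# FTP_PASSIVE_MODE=YES.
probe_inherited() {
    /bin/sh -c "$PROBE"
}

# probe_after_env_reset KEEP_LIST: start the child from an empty
# environment (env -i) and copy in only the variables named in KEEP_LIST,
# which is what sudo does with env_reset plus env_keep.
probe_after_env_reset() {
    keep=$1
    set --                               # positional params become env -i args
    for name in $keep; do
        eval "val=\${$name-}"            # current value, empty if unset
        set -- "$@" "$name=$val"
    done
    env -i "$@" /bin/sh -c "$PROBE"
}

# What login.conf gives a login shell.
FTP_PASSIVE_MODE=YES; export FTP_PASSIVE_MODE

echo "inherited env (su):                     $(probe_inherited)"
echo "env_reset, default keep list (sudo -s): $(probe_after_env_reset "$DEFAULT_KEEP")"
echo "env_reset + env_keep FTP_PASSIVE_MODE:  $(probe_after_env_reset "$DEFAULT_KEEP FTP_PASSIVE_MODE")"
```

The third line is the fix Jeremy's footnote describes: in the real sudoers file, edited with visudo, it is `Defaults env_keep += "FTP_PASSIVE_MODE"`.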



Re: Firewall and FreeBSD ports

2008-10-10 Thread RW
On Fri, 10 Oct 2008 09:51:16 -0700
Jeremy Chadwick <[EMAIL PROTECTED]> wrote:

> On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> > I just set up a new server with a very restricted PF configuration.
> > One problem: I can no longer install software with ports (i.e,
> > the / usr/ports collection.) I have to disable PF to do so.
> > Obviously not a great solution.
> >
> > Am I correct in guessing that ports uses FTP to grab source files
> > from mirrors? I'm trying to figure out the smallest number of ports
> > (the TCP/IP kind) that I need to open in my firewall. I don't want
> > to enable incoming FTP requests, but do want to allow outgoing ftp
> > requests, I believe.
> >
> > Am I on the right track, here?
> 
> See the fetch(1) man page.  Try this first:
> 
> sh/bash: export FTP_PASSIVE_MODE=true
> csh: setenv FTP_PASSIVE_MODE true
> 


passive ftp has been the default for long time, fetch is called
with the -p option.

If you have access to an http-proxy that supports ftp requests over
http, fetch can use that. Alternately you can probably avoid ftp
altogether by setting:

MASTER_SORT_REGEX?=   ^http:

in make.conf


Re: Firewall and FreeBSD ports

2008-10-10 Thread Jeremy Chadwick
On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> I just set up a new server with a very restricted PF configuration. One 
> problem: I can no longer install software with ports (i.e, the / 
> usr/ports collection.) I have to disable PF to do so. Obviously not a  
> great solution.
>
> Am I correct in guessing that ports uses FTP to grab source files from 
> mirrors? I'm trying to figure out the smallest number of ports (the 
> TCP/IP kind) that I need to open in my firewall. I don't want to enable 
> incoming FTP requests, but do want to allow outgoing ftp requests, I 
> believe.
>
> Am I on the right track, here?

See the fetch(1) man page.  Try this first:

sh/bash: export FTP_PASSIVE_MODE=true
csh: setenv FTP_PASSIVE_MODE true

Chances are this will address the problem for you.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Firewall and FreeBSD ports

2008-10-10 Thread John Almberg
I just set up a new server with a very restricted PF configuration.  
One problem: I can no longer install software with ports (i.e, the / 
usr/ports collection.) I have to disable PF to do so. Obviously not a  
great solution.


Am I correct in guessing that ports uses FTP to grab source files  
from mirrors? I'm trying to figure out the smallest number of ports  
(the TCP/IP kind) that I need to open in my firewall. I don't want to  
enable incoming FTP requests, but do want to allow outgoing ftp  
requests, I believe.


Am I on the right track, here?

Thanks: John



Re: FreeBSD as PF/Router/Firewall dying on the vine

2008-10-06 Thread Jeremy Chadwick
On Mon, Oct 06, 2008 at 06:08:50PM -0700, Michael K. Smith - Adhost wrote:
> Hello All:
> 
> We have a load balanced pair of PF boxes sitting in front of a whole bunch of
> servers doing all manner of things!  It's been working great up until today
> when it, well, didn't.  Here's what I see in top -S.
> 
>   PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
>    14 root        1 -44 -163     0K     8K CPU1   0  44:21 88.18% swi1: net
>    11 root        1 171   52     0K     8K RUN    0  24:58 53.32% idle: cpu0
>    10 root        1 171   52     0K     8K RUN    1  17:44 35.50% idle: cpu1
>    24 root        1 -68 -187     0K     8K *Giant 0   5:30 11.62% irq16: em2 uhci3
>    23 root        1 -68 -187     0K     8K WAIT   0   1:27  3.08% irq25: em1
>    25 root        1 -68 -187     0K     8K WAIT   1   1:16  2.64% irq17: em3
> 
> This is 6.3 with Intel 1000 Fiber and Copper interfaces, all using the 'em' 
> driver.  Also, there are 15 VLAN's configured on one of the NIC's for subnet 
> separation.
> 
> If anyone has any ideas I'm all ears.  My google-fu is coming up empty with 
> the swi1: net 

Can you explain what the problem is?

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



FreeBSD as PF/Router/Firewall dying on the vine

2008-10-06 Thread Michael K. Smith - Adhost
Hello All:

We have a load balanced pair of PF boxes sitting in front of a whole bunch of
servers doing all manner of things!  It's been working great up until today when
it, well, didn't.  Here's what I see in top -S.

  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
   14 root        1 -44 -163     0K     8K CPU1   0  44:21 88.18% swi1: net
   11 root        1 171   52     0K     8K RUN    0  24:58 53.32% idle: cpu0
   10 root        1 171   52     0K     8K RUN    1  17:44 35.50% idle: cpu1
   24 root        1 -68 -187     0K     8K *Giant 0   5:30 11.62% irq16: em2 uhci3
   23 root        1 -68 -187     0K     8K WAIT   0   1:27  3.08% irq25: em1
   25 root        1 -68 -187     0K     8K WAIT   1   1:16  2.64% irq17: em3

This is 6.3 with Intel 1000 Fiber and Copper interfaces, all using the 'em' 
driver.  Also, there are 15 VLAN's configured on one of the NIC's for subnet 
separation.

If anyone has any ideas I'm all ears.  My google-fu is coming up empty with the 
swi1: net 

Thank You,

Mike





Re: nat and firewall

2008-10-03 Thread Dominique Goncalves
On Fri, Oct 3, 2008 at 5:24 AM, fire jotawski <[EMAIL PROTECTED]> wrote:
>
>
> On Thu, Oct 2, 2008 at 7:39 PM, Dominique Goncalves
> <[EMAIL PROTECTED]> wrote:
>>
>> Hi,
>>
>> On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski <[EMAIL PROTECTED]> wrote:
>> > On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey <[EMAIL PROTECTED]> wrote:
>> >
>> >> FBSD1 wrote:
>> >>
>> >>>
>> >>> natd_enable="YES"  This statement in rc.conf enables ipfw nated
>> >>> function.
>> >>> firewall_nat_enable="YES"  This is an invalid statement. No such thing
>> >>> as
>> >>> you have here.
>> >>>
>> >>
>> >> This is no longer true; he did indeed find "firewall_nat_enable"
>> >> in /etc/defaults/rc.conf.  The knob seems to have first appeared
>> >> in February in HEAD and I'm guessing it cues the system to use a
>> >> new kernel-based nat rather than natd(8), but I've not read anything
>> >> further about this, as my system isn't as up to date as the OP's.
>> >> I don't know when this change was MFC'ed, but apparently fairly
>> >> recently?
>> >>
>> >> I suppose we need someone a tad more "in the know" to straighten
>> >> that out for us.
>> >>
>> >
>> > Up to this moment, I do not know if natd and firewall_nat function the
>> > same or differently.
>> > And is there a firewall_nat_flags thing too?
>>
>> I'll try to explain,
>>
>> natd_* knobs are for natd(8), a daemon
>> firewall_nat_* knobs are for ipfw(8), NAT is processed by the kernel
>>
>> firewall_nat_* was added in the beginning of the year in RELENG_7
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>>
>> The NAT configuration is done by /etc/rc.firewall, you can read this
>> file to know how the configuration is done.
>>
>> This is two different ways to do NAT. I can't speak about performance,
>> kernel vs daemon.
>
> many thanks indeed for your clear explanations.
> so we simply use just one of them but not both, don't we?

Yes.

> once again, i appreciate all of your kind assistance in my case.
>
> with best regards,
> psr
>
>

Regards.

-- 
There's this old saying: "Give a man a fish, feed him for a day. Teach
a man to fish, feed him for life."
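The "use one of them, not both" point above, as a small check you can run against an rc.conf, together with the hand-typed ipfw rules each knob stands for. This is an added example, not code from the thread or from FreeBSD's rc scripts; the three rc.conf files are constructed samples, the interface name em0 is hypothetical, and the ipfw lines are written from the ipfw(8) syntax of the 7.x era, so compare them with the setup code in your own /etc/rc.firewall.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc scripts: check an
# rc.conf for the two mutually exclusive NAT knobs and show the hand-typed
# ipfw equivalent of each.  The rc.conf contents are constructed samples;
# the interface name em0 is hypothetical.

# nat_mode FILE: print "natd", "kernel", "none" or "conflict" according to
# which knob FILE turns on (last assignment wins, as in sh).  Returns 1 on
# "conflict", because rc.firewall would then set up both a divert rule for
# natd(8) and an in-kernel nat rule for the same traffic.
nat_mode() {
    natd=$(sed -n 's/^natd_enable="\([^"]*\)".*/\1/p' "$1" \
           | tail -n 1 | tr '[:lower:]' '[:upper:]')
    knat=$(sed -n 's/^firewall_nat_enable="\([^"]*\)".*/\1/p' "$1" \
           | tail -n 1 | tr '[:lower:]' '[:upper:]')
    case "${natd:-NO}:${knat:-NO}" in
        YES:YES) echo conflict; return 1 ;;
        YES:*)   echo natd ;;
        *:YES)   echo kernel ;;
        *)       echo none ;;
    esac
}

# ipfw_rules MODE IFACE: the rules each mode boils down to, for reading
# alongside /etc/rc.firewall.  Written from ipfw(8); verify against the
# man page for your release.
ipfw_rules() {
    case "$1" in
        natd)
            # natd(8) is a userland daemon; ipfw feeds it through a divert
            # socket, so the kernel needs IPDIVERT (or the ipdivert module).
            echo "ipfw add 100 divert natd ip from any to any via $2"
            ;;
        kernel)
            # libalias runs inside the kernel (ipfw_nat.ko); no daemon.
            echo "kldload ipfw_nat"
            echo "ipfw nat 1 config if $2 same_ports"
            echo "ipfw add 100 nat 1 ip from any to any via $2"
            ;;
    esac
}

# Constructed sample rc.conf fragments.
dir=$(mktemp -d "${TMPDIR:-/tmp}/natcheck.XXXXXX")
trap 'rm -rf "$dir"' EXIT
cat > "$dir/natd.conf" <<'EOF'
# constructed sample: userland natd(8)
firewall_enable="YES"
natd_enable="YES"
natd_interface="em0"
EOF
cat > "$dir/kernel.conf" <<'EOF'
# constructed sample: in-kernel ipfw nat (RELENG_7 from early 2008 on)
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="em0"
EOF
cat > "$dir/both.conf" <<'EOF'
# constructed sample: the overlap the thread says to avoid
natd_enable="YES"
firewall_nat_enable="YES"
EOF

for f in natd kernel both; do
    if mode=$(nat_mode "$dir/$f.conf"); then
        echo "$f.conf: $mode"
        ipfw_rules "$mode" em0 | sed 's/^/    /'
    else
        echo "$f.conf: natd_enable and firewall_nat_enable are both YES; pick one"
    fi
done
```

Run it as `sh natcheck.sh`; pointing `nat_mode` at the real /etc/rc.conf works the same way. Note that the in-kernel path needs the ipfw_nat module that Nino's message traces to the February 2008 commit, so on a 7.0-RELEASE kernel the natd path is the one that works out of the box.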


Re: nat and firewall

2008-10-02 Thread fire jotawski
On Thu, Oct 2, 2008 at 7:39 PM, Dominique Goncalves <
[EMAIL PROTECTED]> wrote:

> Hi,
>
> On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski <[EMAIL PROTECTED]> wrote:
> > On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey <[EMAIL PROTECTED]> wrote:
> >
> >> FBSD1 wrote:
> >>
> >>>
> >>> natd_enable="YES"  This statement in rc.conf enables ipfw nated
> function.
> >>> firewall_nat_enable="YES"  This is an invalid statement. No such thing
> as
> >>> you have here.
> >>>
> >>
> >> This is no longer true; he did indeed find "firewall_nat_enable"
> >> in /etc/defaults/rc.conf.  The knob seems to have first appeared
> >> in February in HEAD and I'm guessing it cues the system to use a
> >> new kernel-based nat rather than natd(8), but I've not read anything
> >> further about this, as my system isn't as up to date as the OP's.
> >> I don't know when this change was MFC'ed, but apparently fairly
> >> recently?
> >>
> >> I suppose we need someone a tad more "in the know" to straighten
> >> that out for us.
> >>
> >
> > Up to this moment, I do not know if natd and firewall_nat function the
> > same or differently.
> > And is there a firewall_nat_flags thing too?
>
> I'll try to explain,
>
> natd_* knobs are for natd(8), a daemon
> firewall_nat_* knobs are for ipfw(8), NAT is processed by the kernel
>
> firewall_nat_* was added in the beginning of the year in RELENG_7
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>
> The NAT configuration is done by /etc/rc.firewall, you can read this
> file to know how the configuration is done.
>
> This is two different ways to do NAT. I can't speak about performance,
> kernel vs daemon.
>

many thanks indeed for your clear explanations.
so we simply use just one of them but not both, don't we?

once again, i appreciate all of your kind assistance in my case.

with best regards,
psr


Re: nat and firewall

2008-10-02 Thread n j
>> This is no longer true; he did indeed find "firewall_nat_enable"
>> in /etc/defaults/rc.conf.  The knob seems to have first appeared
>> in February in HEAD and I'm guessing it cues the system to use a
>> new kernel-based nat rather than natd(8), but I've not read anything
>> further about this, as my system isn't as up to date as the OP's.
>> I don't know when this change was MFC'ed, but apparently fairly
>> recently?

> firewall_nat_* was added in the beginning of the year in RELENG_7
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>
> This is two different ways to do NAT. I can't speak about performance,
> kernel vs daemon.

Apologies for jumping in another thread commenting on my own question,
but I think the questions are very similar (see "Recompile kernel or
module for ipfw+nat?",
http://lists.freebsd.org/pipermail/freebsd-questions/2008-September/183418.html).

It would seem that doing NAT with ipfw (in-kernel as opposed to using
userland natd) is not possible in 7.0-RELEASE-p4 without recompiling
the kernel to include IPDIVERT even though IPDIVERT was converted to a
loadable module way back. And I have doubts that even recompiling the
kernel would help doing "ipfw add nat 123 all from any to any".

However, I found the reason for that might be the following CVS commit message:

# $FreeBSD: src/sys/modules/ipfw_nat/Makefile,v 1.1 2008/02/29
22:27:18 piso Exp $

"Move ipfw's nat code into its own kld: ipfw_nat."

which got committed to RELENG_7 and HEAD only (explains why it doesn't
work on my 7.0-RELEASE-p4).

My guess is that this functionality is already available in 7.1-BETA
since the code freeze began in September and ipfw nat code got
committed in February.

I can only guess if what I wrote above is correct, but I'll upgrade
one machine to 7.1-BETA as soon as I get some spare time.

Regards,
-- 
Nino


Re: nat and firewall

2008-10-02 Thread Dominique Goncalves
Hi,

On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey <[EMAIL PROTECTED]> wrote:
>
>> FBSD1 wrote:
>>
>>>
>>> natd_enable="YES"  This statement in rc.conf enables ipfw nated function.
>>> firewall_nat_enable="YES"  This is an invalid statement. No such thing as
>>> you have here.
>>>
>>
>> This is no longer true; he did indeed find "firewall_nat_enable"
>> in /etc/defaults/rc.conf.  The knob seems to have first appeared
>> in February in HEAD and I'm guessing it cues the system to use a
>> new kernel-based nat rather than natd(8), but I've not read anything
>> further about this, as my system isn't as up to date as the OP's.
>> I don't know when this change was MFC'ed, but apparently fairly
>> recently?
>>
>> I suppose we need someone a tad more "in the know" to straighten
>> that out for us.
>>
>
> Up to this moment, I do not know if natd and firewall_nat function the
> same or differently.
> And is there a firewall_nat_flags thing too?

I'll try to explain,

natd_* knobs are for natd(8), a daemon
firewall_nat_* knobs are for ipfw(8), NAT is processed by the kernel

firewall_nat_* was added in the beginning of the year in RELENG_7
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2

The NAT configuration is done by /etc/rc.firewall, you can read this
file to know how the configuration is done.

This is two different ways to do NAT. I can't speak about performance,
kernel vs daemon.

Hope this helps.

> thanks in advance for any help and hints.
> regards,
> psr
>
>
>>
>> Kevin Kinsey
>> --
>> A wise man can see more from a mountain top
>> than a fool can from the bottom of a well.
>>
>

Regards.

-- 
There's this old saying: "Give a man a fish, feed him for a day. Teach
a man to fish, feed him for life."


Re: nat and firewall

2008-10-01 Thread fire jotawski
On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey <[EMAIL PROTECTED]> wrote:

> FBSD1 wrote:
>
>>
>> natd_enable="YES"  This statement in rc.conf enables ipfw nated function.
>> firewall_nat_enable="YES"  This is an invalid statement. No such thing as
>> you have here.
>>
>
> This is no longer true; he did indeed find "firewall_nat_enable"
> in /etc/defaults/rc.conf.  The knob seems to have first appeared
> in February in HEAD and I'm guessing it cues the system to use a
> new kernel-based nat rather than natd(8), but I've not read anything
> further about this, as my system isn't as up to date as the OP's.
> I don't know when this change was MFC'ed, but apparently fairly
> recently?
>
> I suppose we need someone a tad more "in the know" to straighten
> that out for us.
>

Up to this moment, I do not know if natd and firewall_nat function the
same or differently.
And is there a firewall_nat_flags thing too?

thanks in advance for any help and hints.
regards,
psr


>
> Kevin Kinsey
> --
> A wise man can see more from a mountain top
> than a fool can from the bottom of a well.
>


Re: nat and firewall

2008-09-24 Thread Kevin Kinsey

FBSD1 wrote:


natd_enable="YES"  This statement in rc.conf enables ipfw nated function.
firewall_nat_enable="YES"  This is an invalid statement. No such thing as
you have here.


This is no longer true; he did indeed find "firewall_nat_enable"
in /etc/defaults/rc.conf.  The knob seems to have first appeared
in February in HEAD and I'm guessing it cues the system to use a
new kernel-based nat rather than natd(8), but I've not read anything
further about this, as my system isn't as up to date as the OP's.
I don't know when this change was MFC'ed, but apparently fairly
recently?

I suppose we need someone a tad more "in the know" to straighten
that out for us.

Kevin Kinsey
--
A wise man can see more from a mountain top
than a fool can from the bottom of a well.


Re: nat and firewall

2008-09-24 Thread fire jotawski
On Wed, Sep 24, 2008 at 2:52 PM, FBSD1 <[EMAIL PROTECTED]> wrote:

>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of fire jotawski
> Sent: Wednesday, September 24, 2008 12:13 PM
> To: freebsd-questions@freebsd.org
> Subject: nat and firewall
>
> hi sirs,
>
> I am confused now about what the difference is between nat and firewall_nat
> in the /etc/rc file
>
> natd_enable="YES"
> firewall_nat_enable="YES"
>
> just one question per asking.  there will be another more questions about
> this but for this moment only this one first.
>
> thanks in advance for any helps and hints
>
> regards,
> psr
>

sorry for top posting
first of all thanks indeed for your answers

>
>
> natd_enable="YES"  This statement in rc.conf enables ipfw nated function.
> firewall_nat_enable="YES"  This is an invalid statement. No such thing as
> you have here.



i found firewall_nat_enable in /etc/rc.firewall
my machine is
%uname -a
FreeBSD makham.serveblog.net 7.0-RELEASE FreeBSD 7.0-RELEASE #5: Thu Sep  4
09:48:32 ICT 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SITING
i386
%



> FreeBSD has 3 different built-in firewalls for you to choose from: IPFW,
> IPFilter, and PF.
> Review /etc/defaults/rc.conf for their statements.
> It would do you good to read the firewall section of the FreeBSD Handbook
> for a complete explanation of the 3 firewalls and the differences between
> them.
> In my opinion the PF firewall has the easiest-to-use rule set and built-in
> table functions for automated blacklisting of attacking IP addresses. Its
> major weakness is a very poorly designed logging function that results in
> very cumbersome usage.
> IPFilter comes next. It has easy logging and rules usage. It lacks the auto
> blacklisting table building of PF. These two firewalls were ported to
> FreeBSD from other Unix-flavored operating systems. Both have teams
> supporting and maintaining them.
> The final firewall is IPFW, which was the first firewall included in FreeBSD
> many years ago and was developed by the FreeBSD team. IPFW also lacks the
> auto blacklisting table building of PF, and its NAT rules are much harder
> to get working using all stateful rules. IPFW had a major coding overhaul a
> few years back but the inherent design flaw of how NAT rules are handled
> was not touched. The grapevine says IPFW's NAT code is a messed-up can of
> worms and no one wants to touch it.
> I have used all 3 firewalls at one time or another to learn about them. I
> found IPFilter to be the easiest to use and to get logging output in standard
> format like all the other FreeBSD logs. But you should read the
> handbook and decide for yourself what best satisfies your firewall needs.
>

Thanks indeed for your answers. I will ask more questions regarding natd
and firewall again after reading the handbook.

regards,
psr
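
As an added check, not part of either poster's message: on 7.0 the knob psr found in /etc/rc.firewall is real. natd_enable="YES" starts the userland natd(8) daemon, and rc.firewall hands packets to it with an ipfw divert rule; firewall_nat_enable="YES" makes rc.firewall configure in-kernel NAT with ipfw nat (the ipfw_nat module) instead. Setting both installs a divert rule and a nat rule for the same traffic, which is not what anyone wants. The script below is example code, not from the thread; it reports which of the two mechanisms an rc.conf turns on and whether the local rc.firewall references a knob at all. The paths /etc/rc.conf and /etc/rc.firewall are the defaults, and the rc.conf contents it is fed in the self-check are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): tell apart the two rc.conf NAT knobs.
#   natd_enable="YES"          -> userland natd(8), fed by an ipfw divert rule
#   firewall_nat_enable="YES"  -> in-kernel ipfw nat, set up by /etc/rc.firewall
# Enabling both makes rc.firewall install a divert rule and a nat rule.

# rc(8) treats these spellings as "on"; mirror that instead of testing = YES.
is_on() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print which NAT mechanism the given rc.conf file turns on:
# natd, ipfw-nat, both, or none. The file is sourced in a subshell so
# its assignments do not leak into this script.
nat_mode() {
    _rc=$1
    _vals=$( ( . "$_rc"; printf '%s %s' "${natd_enable:-NO}" "${firewall_nat_enable:-NO}" ) )
    _natd=${_vals%% *}
    _kern=${_vals#* }
    if is_on "$_natd" && is_on "$_kern"; then echo both
    elif is_on "$_natd"; then echo natd
    elif is_on "$_kern"; then echo ipfw-nat
    else echo none
    fi
}

# Does the given rc.firewall reference the knob at all? (psr found
# firewall_nat_enable in 7.0's rc.firewall; a release whose rc.firewall
# never mentions it silently ignores the rc.conf line.)
knob_known() {
    grep -q -- "$1" "$2"
}

if [ "${1-}" = check ]; then
    printf 'rc.conf enables: %s\n' "$(nat_mode /etc/rc.conf)"
    for k in natd_enable firewall_nat_enable; do
        if knob_known "$k" /etc/rc.firewall; then
            echo "$k: referenced by /etc/rc.firewall"
        else
            echo "$k: not referenced by /etc/rc.firewall"
        fi
    done
fi
```

Run it as `sh natcheck.sh check` on the box in question; the "both" answer is the one to fix first.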


RE: nat and firewall

2008-09-24 Thread FBSD1


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of fire jotawski
Sent: Wednesday, September 24, 2008 12:13 PM
To: freebsd-questions@freebsd.org
Subject: nat and firewall

hi sirs,

I am confused now about what the difference is between nat and firewall_nat
in the /etc/rc file:

natd_enable="YES"
firewall_nat_enable="YES"

Just one question at a time. There will be more questions about
this, but for the moment only this one first.

Thanks in advance for any help and hints

regards,
psr


natd_enable="YES"  This statement in rc.conf enables the ipfw NAT function.
firewall_nat_enable="YES"  This is an invalid statement. No such thing as
you have here.
FreeBSD has 3 different built-in firewalls for you to choose from: IPFW,
IPFilter, and PF.
Review /etc/defaults/rc.conf for their statements.
It would do you good to read the firewall section of the FreeBSD Handbook
for a complete explanation of the 3 firewalls and the differences between
them.
In my opinion the PF firewall has the easiest to use rule set and built-in
table functions for automated blacklisting of attacking IP addresses. Its major
weakness is that it has a very poorly designed logging function that results in
very cumbersome usage.
IPFilter comes next. It has easy logging and rules usage. It lacks the auto
blacklisting table building of PF. These two firewalls were ported to
FreeBSD from other Unix-flavored operating systems. Both have teams
supporting and maintaining them.
The final firewall is IPFW, the first firewall included in FreeBSD
many years ago, and was developed by the FreeBSD team. IPFW also lacks the
auto blacklisting table building of PF, and its NAT rules are much harder
to get working using all stateful rules. IPFW had a major coding overhaul a
few years back but the inherent design flaw of how NAT rules are handled
was not touched. The grapevine says the IPFW NAT code is a messed-up can of worms
and no one wants to touch it.
I have used all 3 firewalls at one time or another to learn about them. I
found IPFilter to be the easiest to use and get logging output in the standard
format like all the other FreeBSD logs are.  But you should read the
handbook and decide for yourself what best satisfies your firewall needs.





nat and firewall

2008-09-23 Thread fire jotawski
hi sirs,

I am confused now about what the difference is between nat and firewall_nat
in the /etc/rc file:

natd_enable="YES"
firewall_nat_enable="YES"

Just one question at a time. There will be more questions about
this, but for the moment only this one first.

Thanks in advance for any help and hints

regards,
psr


Re: Moving to freebsd firewall for a small DataCenter network

2008-09-23 Thread Charles Trevor



Nejc Škoberne wrote:


I think monowall is what you are looking for.


Or his more advanced brother - pfSense.

Bye,
Nejc


Either m0n0wall or pfSense seconded here. The advantage pfSense has in a 
datacentre environment is failover, IMO.


Charlie


Re: Moving to freebsd firewall for a small DataCenter network

2008-09-23 Thread Wojciech Puchar
quite "light" for what I am doing. I have now 10 servers hosted on one unique 
/28 network with a direct connection to the Net.


I was wondering if there is a good if possible "integrated" firewall device 
running on FreeBSD.


just read manual. ipfw is excellent.



RE: Moving to freebsd firewall for a small DataCenter network

2008-09-23 Thread Johan Hendriks


Also have a look at pfsense
www.pfsense.org


regards,
Johan Hendriks




Re: Moving to freebsd firewall for a small DataCenter network

2008-09-23 Thread Nejc Škoberne
> I think monowall is what you are looking for.

Or his more advanced brother - pfSense.

Bye,
Nejc


Re: Moving to freebsd firewall for a small DataCenter network

2008-09-23 Thread Olivier Nicole
> I was wondering if there is a good if possible "integrated" firewall  
> device running on FreeBSD.


I think monowall is what you are looking for.

Olivier


Moving to freebsd firewall for a small DataCenter network

2008-09-23 Thread bsd

Hello,


I have been using FreeBSD for many years as a server and have based  
most of my hosting services on this fantastic OS.
For three years I have been using a SonicWall firewall as a firewall  
device.


As my hosting services are growing, it seems that the SonicWall device  
is quite "light" for what I am doing. I have now 10 servers hosted on  
one unique /28 network with a direct connection to the Net.


I was wondering if there is a good, if possible "integrated", firewall  
device running on FreeBSD.
I have deployed a local firewall on each of my servers based on ipf.  
Works great, but I am not sure I want to dig all the time into a file  
based config; a little visual interface could ease my pain… (of course  
this is optional).


I would like something quite strong but simple that I could deploy on  
a small 1U server or dedicated device.


Any pointer / howto / feedback on experience will be most welcome.


Something similar to this could be nice: http://www.untangle.com/



Thanks for your support.


Gregober ---> PGP ID --> 0x1BA3C2FD
bsd @at@ todoo.biz






Re: portsnap in cron and firewall

2008-09-05 Thread RW
On Fri, 5 Sep 2008 16:49:26 +0100
RW <[EMAIL PROTECTED]> wrote:

> On Fri, 5 Sep 2008 16:14:02 +0200
> Albert Shih <[EMAIL PROTECTED]> wrote:
> 
> > But now with portsnap cron (that's mean random sleep) I don't known
> > when the system try to connect outside. 

> You can do this
> 
> sleep `jot -r 1 0 3599`
> 
> portsnap fetch
> 
>

Actually, I just took a look at portsnap and I see that "portsnap fetch"
has an explicit check for a terminal, so it won't work from crontab.

> 
> However, I would suggest you simply create pf rules to allow the
> server contact to the portsnap servers. 


Re: portsnap in cron and firewall

2008-09-05 Thread RW
On Fri, 5 Sep 2008 16:14:02 +0200
Albert Shih <[EMAIL PROTECTED]> wrote:

> Hi all
> 
> I've some servers for internal use. On those servers I have some pf
> (or ipfw) rule to deny any connection from inside to outside. 
> 
> Long time ago when ports tree is update with cvs, I'm using something
> like
> 
> pf command to open inside --> outside connection
> cvsup 
> portupgrade --fetch-only --all
> pf command to close inside --> outside connection
> 
> But now with portsnap cron (that's mean random sleep) I don't known
> when the system try to connect outside. 
> 
> Do you have any idea how can I make my update using portsnap (I known

You can do this:

sleep `jot -r 1 0 3599`

portsnap fetch



However, I would suggest you simply create pf rules to allow the
server contact to the portsnap servers. 


Re: portsnap in cron and firewall

2008-09-05 Thread Albert Shih
On 05/09/2008 at 11:51:57-0400, Sean Cavanaugh wrote:
> ---
> >
> > Yes I known. That's why I'm asking you how can I make portsnap through the
> > cron and opening firewall just before he going to make the connection.
> >
> > Of course I can hack the portsnap to make he don't try to see if it's fork
> > by cron or not. But it's not a good idea IMHO, what's happen if all person
> > do that ?
> 
> I think you misread what i was saying. Inside your cron job use "portsnap
> fetch" instead of "portsnap cron". that way it will fetch exactly when you run
> the cron job, without the randomized delay.
>  
> most likely a shell script that would have the following:
> 1)open pf
> 2)portsnap fetch
> 3)portsnap update (<- you were missing this important step also)
> 4)portupgrade --fetch-only --all
> 5)close pf

Yes I know ;-) and I understand what you are saying. But what I'm saying is, if
the developer of portsnap thinks it's useful to put in some randomized delay,
I'm going to follow that. Because if I do what you say, how can I know that
after 1 or 2 years there aren't enough other users doing the same thing and
overloading the portsnap server? Even if I put some «randomized» time in the
crontab, it is only set when I write the crontab; that means every day
portsnap is launched at the same moment.

The best solution would be a «hook_script» option in portsnap: after the
randomized delay is over, just before the fetch is launched, it would run a
hook script.

So now 
portsnap cron = sleep random_time; portsnap fetch

what I think is 

portsnap cron -h hook-script = sleep random_time; sh hook-script; 
portsnap fetch

regards.


-- 
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Heure local/Local time:
Ven 5 sep 2008 17:53:37 CEST


RE: portsnap in cron and firewall

2008-09-05 Thread Sean Cavanaugh


> Date: Fri, 5 Sep 2008 17:43:44 +0200
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: freebsd-questions@freebsd.org
> Subject: Re: portsnap in cron and firewall
>
> On 05/09/2008 at 11:33:59-0400, Sean Cavanaugh wrote:
> >
> > > Date: Fri, 5 Sep 2008 16:14:02 +0200
> > > From: [EMAIL PROTECTED]
> > > To: freebsd-questions@freebsd.org
> > > Subject: portsnap in cron and firewall
> > >
> > > Hi all
> > >
> > > I've some servers for internal use. On those servers I have some pf (or
> > > ipfw) rule to deny any connection from inside to outside.
> > >
> > > Long time ago when ports tree is update with cvs, I'm using something like
> > >
> > > pf command to open inside --> outside connection
> > > cvsup
> > > portupgrade --fetch-only --all
> > > pf command to close inside --> outside connection
> > >
> > > But now with portsnap cron (that's mean random sleep) I don't known when
> > > the system try to connect outside.
> > >
> > > Do you have any idea how can I make my update using portsnap (I known I
> > > can use cvsup) in a crontab with my network config ?
> >
> > "portsnap cron" just randomizes the time to download unlike "portsnap
> > fetch" which says to do it right now. cron was added to help randomize
> > the time so everyone syncing at midnight UTC aren't all hitting at
> > exactly the same time.
>
> Yes I known. That's why I'm asking you how can I make portsnap through the
> cron and opening firewall just before he going to make the connection.
>
> Of course I can hack the portsnap to make he don't try to see if it's fork
> by cron or not. But it's not a good idea IMHO, what's happen if all person
> do that ?
I think you misread what I was saying. Inside your cron job use "portsnap 
fetch" instead of "portsnap cron". That way it will fetch exactly when you run 
the cron job, without the randomized delay.
 
Most likely a shell script that would have the following:
1)open pf
2)portsnap fetch
3)portsnap update (<- you were missing this important step also)
4)portupgrade --fetch-only --all
5)close pf
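
The five steps above as one script, added here as an example and not code from Sean or Albert. It opens the firewall only for the mirror and only while the job runs, closes it again from an EXIT trap so a failed fetch cannot leave the hole open, and loads the rule into a pf anchor so the main ruleset is never rewritten. It runs `portsnap cron` rather than `portsnap fetch`, because fetch refuses to run without a terminal (RW's point above); the cost is that the window stays open, to that one host and port, for up to the hour portsnap may sleep. Assumptions not in the thread: /etc/pf.conf contains the line `anchor "portsnap"` where outbound traffic is filtered, DNS is already permitted, and the mirror portsnap contacts is the host in MIRROR (portsnap selects mirrors through SRV records; put the real mirror addresses there if they differ). Fetching distfiles with portupgrade needs a far broader opening than this and is deliberately left outside the window.

```sh
#!/bin/sh
# Added example, not code from the thread: update the ports tree from cron
# while the firewall is open only for the mirror and only while the job runs.
#
# Assumptions (not in the thread): /etc/pf.conf contains   anchor "portsnap"
# where outbound traffic is filtered, DNS is already permitted, and the mirror
# portsnap contacts is the host in MIRROR (portsnap selects mirrors through
# SRV records; put the real mirror addresses here if they differ).
set -e
MIRROR=${MIRROR:-portsnap.FreeBSD.org}
ANCHOR=${ANCHOR:-portsnap}

# The whole opening: outbound HTTP to the mirror, nothing else.
window_rules() {
    printf 'pass out quick inet proto tcp from any to %s port 80 flags S/SA keep state\n' "$1"
}

# Load the rule into the anchor; the main ruleset is never rewritten.
open_window() {
    window_rules "$MIRROR" | pfctl -q -a "$ANCHOR" -f -
}

# Remove the rule and kill the states it created, so nothing outlives the job.
close_window() {
    pfctl -q -a "$ANCHOR" -F rules
    pfctl -q -k 0.0.0.0/0 -k "$MIRROR"
}

update_ports() {
    # Close the window on every exit path, including a portsnap failure
    # (set -e above turns that failure into an exit, which fires the trap).
    trap close_window EXIT INT TERM
    open_window
    # "portsnap fetch" refuses to run without a terminal; "portsnap cron" is
    # the non-interactive entry point. It sleeps up to an hour before
    # fetching, so the window is open that long, but only to MIRROR:80.
    portsnap cron
    portsnap update
}

case "${1-}" in
    run) update_ports ;;
esac
```

A crontab line such as `0 3 * * * /usr/local/sbin/portsnap-window run` is all that is needed; the randomization Albert wants comes from `portsnap cron` itself, and `pfctl -sr -a portsnap` shows whether the window is currently open.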


Re: portsnap in cron and firewall

2008-09-05 Thread Albert Shih
On 05/09/2008 at 11:33:59-0400, Sean Cavanaugh wrote:
> 
> 
> > Date: Fri, 5 Sep 2008 16:14:02 +0200
> > From: [EMAIL PROTECTED]
> > To: freebsd-questions@freebsd.org
> > Subject: portsnap in cron and firewall
> >
> > Hi all
> >
> > I've some servers for internal use. On those servers I have some pf (or
> > ipfw) rule to deny any connection from inside to outside.
> >
> > Long time ago when ports tree is update with cvs, I'm using something like
> >
> > pf command to open inside --> outside connection
> > cvsup
> > portupgrade --fetch-only --all
> > pf command to close inside --> outside connection
> >
> > But now with portsnap cron (that's mean random sleep) I don't known when
> > the system try to connect outside.
> >
> > Do you have any idea how can I make my update using portsnap (I known I
> > can use cvsup) in a crontab with my network config ?
>  
> "portsnap cron" just randomizes the time to download unlike "portsnap
> fetch" which says to do it right now. cron was added to help randomize
> the time so everyone syncing at midnight UTC arent all hitting at
> exact same time.

Yes I know. That's why I'm asking you how I can run portsnap through
cron and open the firewall just before it is going to make the connection.

Of course I can hack portsnap so it doesn't try to see whether it was forked
by cron or not. But it's not a good idea IMHO; what happens if everybody does
that?

Regards.

-- 
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Heure local/Local time:
Ven 5 sep 2008 17:41:30 CEST


RE: portsnap in cron and firewall

2008-09-05 Thread Sean Cavanaugh


> Date: Fri, 5 Sep 2008 16:14:02 +0200
> From: [EMAIL PROTECTED]
> To: freebsd-questions@freebsd.org
> Subject: portsnap in cron and firewall
>
> Hi all
>
> I've some servers for internal use. On those servers I have some pf (or
> ipfw) rule to deny any connection from inside to outside.
>
> Long time ago when ports tree is update with cvs, I'm using something like
>
> pf command to open inside --> outside connection
> cvsup
> portupgrade --fetch-only --all
> pf command to close inside --> outside connection
>
> But now with portsnap cron (that's mean random sleep) I don't known when
> the system try to connect outside.
>
> Do you have any idea how can I make my update using portsnap (I known I
> can use cvsup) in a crontab with my network config ?
 
"portsnap cron" just randomizes the time to download, unlike "portsnap fetch" 
which says to do it right now. cron was added to help randomize the time so 
everyone syncing at midnight UTC aren't all hitting at exactly the same 
time.


portsnap in cron and firewall

2008-09-05 Thread Albert Shih
Hi all

I've some servers for internal use. On those servers I have some pf (or
ipfw) rules to deny any connection from inside to outside.

A long time ago, when the ports tree was updated with cvs, I used something like

pf command to open inside --> outside connection
cvsup
portupgrade --fetch-only --all
pf command to close inside --> outside connection

But now with portsnap cron (that means a random sleep) I don't know when
the system tries to connect outside.

Do you have any idea how I can make my update using portsnap (I know I can
use cvsup) in a crontab with my network config?

Regards.

-- 
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Heure local/Local time:
Ven 5 sep 2008 16:07:27 CEST


FreeBSD 7.X/8.0: Firewall performance with pf, ipfw or ipf? Any benchmarks available?

2008-07-13 Thread O. Hartmann

Hello,

since FreeBSD 5.0 I have been using 'pf' as the packet filter on FreeBSD due 
to some performance advantages over ipfw at the time it was introduced. 
Now I'm a little bit detached from development and the status 
quo. I read about problems in FreeBSD 7 when using 'pf' in a bridged 
environment; CPU load increases and packet drops are the result (on an 
IBM server with Intel em0/1 NICs).
Well, I'm pleased that FreeBSD comes with at least three packet filters 
(ipfw, ipf, pf), but in the end the choice is up to me, and on the question 
of better support and performance this leaves me alone in the dark. 
So, have any of the network experts benchmarked any of the 
packet filters? What is the preferred selection if someone would like 
to have a 'simple' packet filter (no usage of special features of one of 
the mentioned packet filters except bridging and LAGG)? Talking about 
FreeBSD 8's virtualization capabilities on the network stack: will this 
have implications on which filter will work or not (if ever; I do not 
know how abstracted this virtualization really is from the packet 
filtering layer)?


So, sorry for the little confusion,

Oliver


Re: firewall high-load performance

2008-06-11 Thread Wojciech Puchar

> is there a way to check on running system how much CPU time is used to
> perform firewalling/traffic manager - be it pf or ipfw?

Sure, compare ping times / traffic throughput with firewall turned off
and on?


This will not measure CPU load but delays. Delays are unnoticeable and 
don't look like a problem.



Re: firewall high-load performance

2008-06-11 Thread Ian Smith
Woj, another of the few joys of -digests: two birds with one stone:

 > is there a way to check on running system how much CPU time is used to 
 > perform firewalling/traffic manager - be it pf or ipfw?

Sure, compare ping times / traffic throughput with firewall turned off
and on?  I recall that a FreeBSD 2.2.6 P166 with about 1000 ipfw rules
added up to ~2ms to ping times through - on a local 10Mbps network :)

On Wed, 11 Jun 2008 00:35:14 +0200 (CEST)
Wojciech Puchar <[EMAIL PROTECTED]> wrote:
(quoting Matthew Seaman)

 > > High load may or may not be a problem depending on your traffic patterns.
 > > I've seen pf firewalls suffer by running out of state-table space in
 > > situations where there are a lot of fairly short-lived but low volume
 > > network connections.  The default is 10,000 states.  If your firewall 
 > > machine
 > 
 > is this state-table a hash table or something similar. if so - making it 
 > much bigger than CPU cache may actually slow down things because DRAM 
 > access latency is huge on modern machines.

There was some discussion of the efficiency of ipfw stateful rules in
recent weeks, over on -net IIRC.  As someone else mentioned, that's the
place to be if you're interested in net stuff, and are prepared to sit
back and read some real expertise before saying too much for a while :)

ipfw hashes src.ip ^ dst.ip ^ src.port ^ dst.port for connections in a
default of 256 buckets, which is very fast when there are no collisions; 
duplicates however are added to a linked list, which gets slow if large,
such as for raw IP or ICMP where 'port' numbers = 0.  I'm not sure what
stateful rules really mean in those contexts anyway, but there was talk
of increasing both the (default) no. of buckets and maximum states kept,
the memory penalty being pretty insignificant on today's hardware. 

I tend to doubt that processor caching is an issue one way or the other. 

 > > On the whole I'd go with pf every time simply based on how much more
 > > manageable it is compared to ipfw -- you have to try, hard, to lock
 > > yourself out when reloading a new pf ruleset.
 > 
 > I already learned well about locking myself out after making a mistake in ipfw rules
 > 
 > Now I run screen and do something like this:
 > 
 > cd /etc
 > cp firewall firewall.old
 > cp firewall firewall.new
 >  firewall.new
 > cp firewall.new firewall;/etc/rc.d/ipfw restart;sleep 100;cp firewall.old 
 > firewall;/etc/rc.d/ipfw restart
 > 
 > Then I have 100 seconds to quickly test the new rules, at least to make sure 
 > I'm not locked out.

Yeah that'll work, as suggested in the manual's example.

I also wouldn't mind seeing some proper empirical comparisons between
ipfw and pf.  Many of the reasons sometimes offered to prefer pf have
been addressed in ipfw more recently (like in-kernel NAT for 7.x) and
development of both is always ongoing, so it's still largely personal
preference.  I've been using ipfw for just over 10 years and am fairly
familiar with it, and there are plenty of options I've not yet tried. 

Anyone reading the handbook these days would think ipfw was deprecated,
and one day I hope to do a number on the ipfw section there; it contains
out and out factual errors, some misconceptions and poor examples, still
the author does declare his familiarity is otherwise, ipf as I recall.

BTW I'm not dissing pf in any way, I've just never tried it.  ipfw plus
dummynet has done everything well that I've needed to do so far, mostly
on networks smaller even than yours :)

cheers, Ian



Re: firewall high-load performance

2008-06-10 Thread Wojciech Puchar

High load may or may not be a problem depending on your traffic patterns.
I've seen pf firewalls suffer by running out of state-table space in
situations where there are a lot of fairly short-lived but low volume
network connections.  The default is 10,000 states.  If your firewall machine



Is this state table a hash table or something similar? If so, making it 
much bigger than the CPU cache may actually slow things down because DRAM 
access latency is huge on modern machines.



On the whole I'd go with pf every time simply based on how much more
manageable it is compared to ipfw -- you have to try, hard, to lock
yourself out when reloading a new pf ruleset.


I already learned well about locking myself out after making a mistake in ipfw rules.

Now I run screen and do something like this:

cd /etc
cp firewall firewall.old
cp firewall firewall.new
 firewall.new
cp firewall.new firewall;/etc/rc.d/ipfw restart;sleep 100;cp firewall.old 
firewall;/etc/rc.d/ipfw restart

Then I have 100 seconds to quickly test the new rules, at least to make sure 
I'm not locked out.
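
A reusable version of that screen-and-sleep trick, added here as an example and not Wojciech's or Matthew's code: apply the new ruleset, arm a background watchdog that reinstalls the old one after a grace period, and cancel the revert only by an explicit confirmation from a second session. Because the watchdog is a separate process, the revert also happens when the new rules kill the SSH session that started it, which the interactive one-liner only survives because it runs inside screen. The ipfw file names follow the post (/etc/firewall, firewall.new, firewall.old, /etc/rc.d/ipfw restart); the marker path is an assumption. For pf the same wrapper takes `pfctl -f` on the two files as the apply/revert pair, and `pfctl -nf` on the new file catches syntax errors before anything is loaded.

```sh
#!/bin/sh
# Added example, not code from the thread: load a new firewall ruleset and
# revert to the old one automatically unless the change is confirmed within
# a grace period. The watchdog is a background process, so the revert still
# happens if the new rules cut off the SSH session that started it.
#
# Assumed paths: the ruleset file /etc/firewall from Wojciech's post, with
# firewall.new/firewall.old beside it, loaded by /etc/rc.d/ipfw restart.
GRACE=${GRACE:-100}                          # seconds until automatic revert
MARKER=${MARKER:-/var/run/firewall.confirmed}

# After $1 seconds, run the revert command $2 unless the marker file $3
# exists. Output is detached so a command substitution around try_rules
# returns as soon as the PID has been printed.
start_watchdog() {
    _grace=$1; _revert=$2; _marker=$3
    ( sleep "$_grace"; [ -e "$_marker" ] || eval "$_revert" ) >/dev/null 2>&1 &
    echo $!
}

# Apply $1; if that fails, revert with $2 at once, otherwise arm the
# watchdog. Prints the watchdog PID on success, returns 1 on failure.
try_rules() {
    _apply=$1; _revert=$2; _grace=$3; _marker=$4
    rm -f "$_marker"
    if ! eval "$_apply"; then
        eval "$_revert"
        return 1
    fi
    start_watchdog "$_grace" "$_revert" "$_marker"
}

# Run from a second session once the new rules are known to be good; the
# watchdog then exits without reverting.
confirm_rules() { : > "$1"; }

case "${1-}" in
    apply)
        cd /etc || exit 1
        cp firewall firewall.old
        wd=$(try_rules 'cp firewall.new firewall && /etc/rc.d/ipfw restart' \
                       'cp firewall.old firewall && /etc/rc.d/ipfw restart' \
                       "$GRACE" "$MARKER") || exit 1
        echo "new rules active; run '$0 confirm' within $GRACE s to keep them (watchdog pid $wd)"
        ;;
    confirm)
        confirm_rules "$MARKER"
        ;;
esac
```

Usage: `sh fwreload.sh apply` from the session doing the edit, then `sh fwreload.sh confirm` from a second login that was opened after the new rules took effect; if that second login never succeeds, the old rules come back by themselves.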



re: firewall high-load performance

2008-06-10 Thread Wojciech Puchar


Actually, I tracked down the guy who had originally given a poor review
of pf performance, and it turns out that the missing part of his review
was related to use of dummynet for bandwidth management.  Since I'm not
planning to use dummynet for bandwidth management, that's not really a
factor we need to consider.  It looks like, at this point, pf is a good
choice.


Is there a way to check on a running system how much CPU time is used to 
perform firewalling/traffic management, be it pf or ipfw?




Re: firewall high-load performance

2008-06-10 Thread Wojciech Puchar

My preferred firewall these days, for general use, is pf.  I seem to
recall someone who has used it in high-load scenarios that it can kinda
choke at high loads, though I don't recall whether that was due to pf
itself or the fact he was running it on OpenBSD.  Until now, this has not
been a concern for me.


It would be good to check out ipfw. At least it's IMHO much cleaner and 
easier to make the rules I need, and it is fast.


But please check; I don't have any side-by-side comparison.
Of course it depends on how complicated your rules are and how well or badly you 
define them.




re: firewall high-load performance

2008-06-10 Thread Chad Perrin
Matthew Seaman wrote:
> pf will perform very well.  I don't know if anyone has benchmarked it
> against ipfw, but I suspect that any difference in performance is pretty
> minimal.  If you're just doing packet filtering and using a fairly run of
> the mill modern machine, you should be able to keep up with Gb wire speed
> without problems.

Actually, I tracked down the guy who had originally given a poor review
of pf performance, and it turns out that the missing part of his review
was related to use of dummynet for bandwidth management.  Since I'm not
planning to use dummynet for bandwidth management, that's not really a
factor we need to consider.  It looks like, at this point, pf is a good
choice.


> 
> If performance is a limiting factor, then review your rule sets
> carefully:
> arranging things so that the most popular traffic types are handled as 
> early as possible, knowing when to use tables vs. use address-list macros 
> and judicious use of quick rules can make quite a difference.
> 
> Also, /stateful/ rules are generally faster than stateless once you've
> got
> beyond the initial packet that establishes the state.  Looking stuff up
> in the state table is quicker and takes place earlier in the processing 
> sequence than traversing the rulesets.
> 
> High load may or may not be a problem depending on your traffic patterns.
> I've seen pf firewalls suffer by running out of state-table space in
> situations where there are a lot of fairly short-lived but low volume
> network connections.  The default is 10,000 states.  If your firewall 
> machine  is dedicated to running pf and it has hundreds of MB if not GB
> of 
> RAM, then upping the size of some of those parameters by an order of 
> magnitude is feasible, and works well.

Thanks for the further elaboration.  I'll keep all this in mind as I
investigate the suitability of pf for this project.


> 
> On the whole I'd go with pf every time simply based on how much more
> manageable it is compared to ipfw -- you have to try, hard, to lock
> yourself out when reloading a new pf ruleset.

Just one more reason pf is my favorite firewall.

Thanks for the informative reply.

By the way, apologies if this doesn't thread properly.  I never got any
messages from this thread in my inbox, and had to copy everything from
the archive:

  http://lists.freebsd.org/pipermail/freebsd-questions/2008-June/176542.html

For some reason, mutt doesn't seem to want me to alter headers to make it
thread properly, and keeps throwing away my edits.

-- 
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Dr. Ron Paul: "Liberty has meaning only if we still believe in it when
terrible things happen and a false government security blanket beckons."




Re: firewall high-load performance

2008-06-10 Thread Matthew Seaman

Chad Perrin wrote:

My preferred firewall these days, for general use, is pf.  I seem to
recall someone who has used it in high-load scenarios that it can kinda
choke at high loads, though I don't recall whether that was due to pf
itself or the fact he was running it on OpenBSD.  Until now, this has not
been a concern for me.

I may be getting involved in a commercial project in the near future that
could very well involve handling very large numbers of connections
dealing with potentially high bandwidth demands, however.  The
circumstances would require some QOS, and I'm thinking of using pf/ALTQ
for this project, but I don't want to discover after we're well underway
that large numbers of connections would cause problems.  Should I
consider ipfw or ipfilter instead, or are my concerns with relation to
pf's ability to handle extremely high loads of legitimate traffic
unfounded?



pf will perform very well.  I don't know if anyone has benchmarked it
against ipfw, but I suspect that any difference in performance is pretty
minimal.  If you're just doing packet filtering and using a fairly run of
the mill modern machine, you should be able to keep up with Gb wire speed
without problems.

If performance is a limiting factor, then review your rule sets carefully:
arranging things so that the most popular traffic types are handled as 
early as possible, knowing when to use tables vs. use address-list macros 
and judicious use of quick rules can make quite a difference.


Also, /stateful/ rules are generally faster than stateless once you've got
beyond the initial packet that establishes the state.  Looking stuff up
in the state table is quicker and takes place earlier in the processing 
sequence than traversing the rulesets.


High load may or may not be a problem depending on your traffic patterns.
I've seen pf firewalls suffer by running out of state-table space in
situations where there are a lot of fairly short-lived but low volume
network connections.  The default is 10,000 states.  If your firewall 
machine  is dedicated to running pf and it has hundreds of MB if not GB of 
RAM, then upping the size of some of those parameters by an order of 
magnitude is feasible, and works well.


On the whole I'd go with pf every time simply based on how much more
manageable it is compared to ipfw -- you have to try, hard, to lock
yourself out when reloading a new pf ruleset.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





firewall high-load performance

2008-06-10 Thread Chad Perrin
My preferred firewall these days, for general use, is pf.  I seem to
recall someone who has used it in high-load scenarios that it can kinda
choke at high loads, though I don't recall whether that was due to pf
itself or the fact he was running it on OpenBSD.  Until now, this has not
been a concern for me.

I may be getting involved in a commercial project in the near future that
could very well involve handling very large numbers of connections
dealing with potentially high bandwidth demands, however.  The
circumstances would require some QOS, and I'm thinking of using pf/ALTQ
for this project, but I don't want to discover after we're well underway
that large numbers of connections would cause problems.  Should I
consider ipfw or ipfilter instead, or are my concerns with relation to
pf's ability to handle extremely high loads of legitimate traffic
unfounded?

-- 
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
H. L. Mencken: "Democracy is the theory that the common people know what
they want and deserve to get it good and hard."




Re: nfs & firewall, hard vs soft mount

2008-04-24 Thread darren kirby
quoth the Colin Brace:
> Hi all,
>
> I have a FreeBSD v7 box set up as gateway/mailserver/WAP. I leave my WAP
> unencrypted, so my neighbors can use it, and use PF to allow just a few
> specific services (dhcp dns, http, https).
>
> I'd like to be able to mount a couple of NFS shares from a desktop box
> running Fedora on a wireless client. I've opened the sunrpc and nfs ports
> in PF, but that doesn't seem to be enough. tcpdump indicates some high udp
> ports in the 40k-50k range are used in the nfs negotiation, but I can't
> figure out exactly what is going on. Does anyone know what additional ports
> need to be opened for nfs? Will I need to use PF to redirect this udp
> traffic to the fedora host or will it find the nfs server on its own?

'rpcinfo -p ' will show the ports/proto you need open. However, they should 
change somewhat each time because rpc.mountd, rpc.statd, and lockd assign 
ports dynamically. You can set a few NFS options to lock these down:

Eg:
RPCMOUNTDOPTS="-p 4002"
RPCSTATDOPTS="-p 4000"

Sadly, I have only ever run an NFS server on Linux, so I do not know if there 
is a config to set these, or if you have to add the '-p n' to the startup 
scripts directly.

Also, on Linux you must set the lockd port at boot time. Perhaps there is a 
sysctl for this on FreeBSD?

HTH
-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
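The port list darren describes, turned into the smallest set of pf rules that covers it, as an added example that is not from this thread: the `rpcinfo -p` output below is constructed to look like a FreeBSD host's, and the interface name `wlan0`, the client address and the set of pinned ports are assumptions.

```python
"""Turn `rpcinfo -p` output into the minimal pf rules for one NFS client."""
import re
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# mountd and status (rpc.statd) are pinned with -p here; nlockmgr is not,
# so its ports are the ones that will move between reboots.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp   4002  mountd
    100005    3   tcp   4002  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp  45361  nlockmgr
    100021    4   tcp  38233  nlockmgr
"""

# program vers proto port service
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return (service, proto, port) tuples, de-duplicated, in first-seen
    order.  The header line and anything unparseable are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _prog, _vers, proto, port, service = m.groups()
        entry = (service, proto, int(port))
        if entry not in entries:
            entries.append(entry)
    return entries


def ports_by_proto(entries):
    """Group the ports per protocol: {'tcp': {111, ...}, 'udp': {...}}."""
    groups = defaultdict(set)
    for _service, proto, port in entries:
        groups[proto].add(port)
    return dict(groups)


def dynamic_services(entries, pinned):
    """Services listening on a port outside the pinned set; these are the
    ones whose port can change on the next reboot, so a rule set built
    from today's rpcinfo output would silently stop matching them."""
    return sorted({svc for svc, _proto, port in entries if port not in pinned})


def pf_rules(entries, interface, client):
    """Emit `pass in` rules for exactly the ports rpcinfo reported,
    restricted to one client address and one interface."""
    rules = []
    for proto, ports in sorted(ports_by_proto(entries).items()):
        port_list = ", ".join(str(p) for p in sorted(ports))
        rules.append(
            f"pass in quick on {interface} proto {proto} from {client} "
            f"to ({interface}) port {{ {port_list} }} keep state"
        )
    return rules


if __name__ == "__main__":
    found = parse_rpcinfo(SAMPLE_RPCINFO)
    # Assumed: 111/2049 are fixed, mountd/statd pinned to 4002/4000.
    print("will move:", dynamic_services(found, {111, 2049, 4000, 4002}))
    for rule in pf_rules(found, "wlan0", "192.168.1.20"):
        print(rule)
```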


nfs & firewall, hard vs soft mount

2008-04-24 Thread Colin Brace
Hi all,

I have a FreeBSD v7 box set up as gateway/mailserver/WAP. I leave my WAP
unencrypted, so my neighbors can use it, and use PF to allow just a few
specific services (dhcp dns, http, https).

I'd like to be able to mount a couple of NFS shares from a desktop box
running Fedora on a wireless client. I've opened the sunrpc and nfs ports
in PF, but that doesn't seem to be enough. tcpdump indicates some high udp
ports in the 40k-50k range are used in the nfs negotiation, but I can't
figure out exactly what is going on. Does anyone know what additional ports
need to be opened for nfs? Will I need to use PF to redirect this udp
traffic to the fedora host or will it find the nfs server on its own?

Also, this page here:  mentions
hard vs soft mounts. Since wifi is occasionally flaky, and since the
wireless client (a laptop) is not always within range, I'd prefer not to
mount them via fstab, but in a batch file with "mount", but that command
doesn't appear to support soft mounts. In the past, I've noticed that
nautilus etc on the client has a fit when hard-mounted nfs shares disappear.
Can anyone recommend a robust way of mounting NFS shares?

I've also tried to mount remote file systems using sftp in gnome (ie,
sftp://host/dir), but the new gvfs subsystem (which apparently replaces
gnome-vfs) still seems flaky; it freezes up my laptop every few times.
Another drawback of sftp is that it appears to add some overhead which I
notice when watching AVI files -- the media player occasionally stutters.

In any case, suggestions for alternative approaches to mounting remote file
systems via wireless would be most welcome.

-- 
Colin Brace
Amsterdam
http://lim.nl


Re: FTP server behind firewall?

2008-04-18 Thread Gilles
On Thu, 17 Apr 2008 07:59:20 +0300, Manolis Kiagias <[EMAIL PROTECTED]>
wrote:
>Running an FTP behind a home DSL router is perfectly possible. You will 
>just have to open a range of ports on the router itself eg 25000-25050 
>and forward them to your ftp server internal IP address. Then set the 
>FTP server to only use these ports for passive transfers.

Thanks guys, I think I'll try this, as it's the easiest to allow VB
clients to upload files.



Re: FTP server behind firewall?

2008-04-17 Thread Mel
On Thursday 17 April 2008 04:32:41 Gilles wrote:

> Actually, we don't necessarily need an FTP. Whatever solution to send
> files is fine, provided I can add this feature in a VB Classic client
> application.

Depends a bit on the max filesize and number of files. You can do a HTTP POST 
request, using a simple upload script (numerous examples of those to be found 
on the web). Of course, the traffic for that is larger since it will be 
base64 encoded. On the plus side, you don't need local user accounts on the 
ftp server, while still having full control over where the files end up.

This can get tedious if you have multiple small files, or filesizes in the 
order >100M.
-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: FTP server behind firewall?

2008-04-17 Thread Julius Huang


On Apr 17, 2008, at 12:59 , Manolis Kiagias wrote:

Gilles wrote:

On Wed, 16 Apr 2008 22:06:24 -0400, Jon Radel <[EMAIL PROTECTED]> wrote:


What control do you have over the firewall?  One of the cleaner
solutions would be to run an ftp proxy on the firewall, such as that
supplied with pf.  See ftp-proxy(8) or
http://www.openbsd.org/faq/pf/ftp.html



Unfortunately, the router/NAT firewall can be neither replaced nor
tweaked, since it's a modem/router provided by our ISP.

Actually, we don't necessarily need an FTP. Whatever solution to send
files is fine, provided I can add this feature in a VB Classic client
application.



Hi,

Maybe you can consider using sshd + sftp on the server.
  (Single port for just about everything, see below)

PSCP or PSFTP (from the same source as PuTTY) allow sending/receiving files via
the command line,

  eg. you can issue "exec" from VB to send files.
  "pscp [options] source [source...] [EMAIL PROTECTED]:target"
  (PSFTP is preferred over PSCP, but PSCP is simple)

  http://www.putty.nl/download.html

Also, binding sshd to a high port will prevent too many port scans, and
  the connection is considered more secure than ftp.

IMHO, sftp is more easily managed than ftp in the long run (both
server and client).


ps.
I also use ssh to forward 3389, the M$ Terminal Server (even XP has
one), no need for PC ANYWHERE.
If you need to solve problems remotely, you don't need to open another
port (PC ANYWHERE needs 2).


J.





Running an FTP behind a home DSL router is perfectly possible. You  
will just have to open a range of ports on the router itself eg  
25000-25050 and forward them to your ftp server internal IP  
address. Then set the FTP server to only use these ports for  
passive transfers.


For example, I am using ftp/proftpd and have this directive in the  
configuration file:


PassivePorts 25000-25050

You will, of course, need to forward port 21 as well.




Re: FTP server behind firewall?

2008-04-16 Thread Manolis Kiagias

Gilles wrote:

On Wed, 16 Apr 2008 22:06:24 -0400, Jon Radel <[EMAIL PROTECTED]> wrote:
  

What control do you have over the firewall?  One of the cleaner
solutions would be to run an ftp proxy on the firewall, such as that
supplied with pf.  See ftp-proxy(8) or
http://www.openbsd.org/faq/pf/ftp.html



Unfortunately, the router/NAT firewall can be neither replaced nor
tweaked, since it's a modem/router provided by our ISP.

Actually, we don't necessarily need an FTP. Whatever solution to send
files is fine, provided I can add this feature in a VB Classic client
application.


  
Running an FTP behind a home DSL router is perfectly possible. You will 
just have to open a range of ports on the router itself eg 25000-25050 
and forward them to your ftp server internal IP address. Then set the 
FTP server to only use these ports for passive transfers.


For example, I am using ftp/proftpd and have this directive in the 
configuration file:


PassivePorts 25000-25050

You will, of course, need to forward port 21 as well.
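A check for the failure mode Gilles describes (the server handing an outside client a data port the NAT does not forward, or an address it cannot reach), as an added example that is not from this thread: it parses the 227 PASV reply and compares the advertised address and port with the 25000-25050 window from Manolis's answer. The public address 203.0.113.10 and the replies are constructed.

```python
"""Check the 227 PASV reply an FTP server hands out against a NAT set-up."""
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): four address octets, then
# the data port as high byte and low byte.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed: a documentation address stands in for the router's public
# IP; the passive window is the one forwarded on the router in the thread.
PUBLIC_IP = "203.0.113.10"
PASSIVE_RANGE = (25000, 25050)

# Addresses an outside client can never reach through the NAT (RFC 1918
# ranges and loopback).  A server behind NAT that advertises one of these
# in its PASV reply has not been told its public address.
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_pasv(reply):
    """Return (address, port) from a 227 reply; ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value out of byte range in PASV reply: {reply!r}")
    address = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return address, port


def pasv_reply(address, port):
    """Build the 227 reply a server sends for a given address and data port."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    fields = address.split(".") + [str(port // 256), str(port % 256)]
    return "227 Entering Passive Mode (%s)" % ",".join(fields)


def check_pasv(reply, public_ip=PUBLIC_IP, port_range=PASSIVE_RANGE):
    """Problems an outside client would hit with this reply (empty = ok):
    an address that is not the NAT's public one, or a data port outside
    the range the router forwards to the server."""
    problems = []
    address, port = parse_pasv(reply)
    ip = ipaddress.IPv4Address(address)
    if any(ip in net for net in NON_ROUTABLE):
        problems.append(f"advertised address {ip} is not reachable from outside the NAT")
    elif ip != ipaddress.IPv4Address(public_ip):
        problems.append(f"advertised address {ip} is not the public address {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # A server configured as in the thread versus one left at its defaults.
    for reply in (pasv_reply(PUBLIC_IP, 25025),
                  "227 Entering Passive Mode (192,168,1,5,200,10)"):
        print(reply, "->", check_pasv(reply) or "ok")
```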


Re: FTP server behind firewall?

2008-04-16 Thread Gilles
On Wed, 16 Apr 2008 22:06:24 -0400, Jon Radel <[EMAIL PROTECTED]> wrote:
>What control do you have over the firewall?  One of the cleaner
>solutions would be to run an ftp proxy on the firewall, such as that
>supplied with pf.  See ftp-proxy(8) or
>http://www.openbsd.org/faq/pf/ftp.html

Unfortunately, the router/NAT firewall can be neither replaced nor
tweaked, since it's a modem/router provided by our ISP.

Actually, we don't necessarily need an FTP. Whatever solution to send
files is fine, provided I can add this feature in a VB Classic client
application.



Re: FTP server behind firewall?

2008-04-16 Thread Jon Radel
Gilles wrote:
> Hello
> 
> We have FreeBSD server on our private LAN behind a NAT firewall on
> which I'd like to add an FTP server so that customers can send us
> stuff.
> 
> Problem is, since customers might have a NAT firewall on their end,
> the client application must connect in passive mode... but this just
> moves the problem to our end, where the FTP server will open a random
> port for data... to which the client will fail connecting since our
> NAT firewall is keeping them out of our LAN :-/
> 
> Is there a way to keep our server in the private LAN and still provide
> a way for customers to upload data? Hard-code the socket number used
> by the FTP server for data? Use a different type of server?

What control do you have over the firewall?  One of the cleaner
solutions would be to run an ftp proxy on the firewall, such as that
supplied with pf.  See ftp-proxy(8) or
http://www.openbsd.org/faq/pf/ftp.html

--Jon Radel




FTP server behind firewall?

2008-04-16 Thread Gilles
Hello

We have FreeBSD server on our private LAN behind a NAT firewall on
which I'd like to add an FTP server so that customers can send us
stuff.

Problem is, since customers might have a NAT firewall on their end,
the client application must connect in passive mode... but this just
moves the problem to our end, where the FTP server will open a random
port for data... to which the client will fail connecting since our
NAT firewall is keeping them out of our LAN :-/

Is there a way to keep our server in the private LAN and still provide
a way for customers to upload data? Hard-code the socket number used
by the FTP server for data? Use a different type of server?

Thank you.



Firewall that supports Port triggering

2008-02-19 Thread Marcin Polewski
hi,

I am facing a problem while extracting a package.

1) I created a package using pkg_create

command used is:
*pkg_create -f cwd/filelist -p cwd/avamar -c cwd/comments -d cwd/desc*
The package is getting created and it is in cwd.

2) extracting it using pkg_add

command used is: *pkg_add packagename.tbz*
Here the package is getting extracted, but it is extracted into cwd/avamar; now
what I want is to extract it into a default location,
/usr/local/avamar.
Can you please help me in doing this?

3) Using *pkg_add -p /usr/local/avamar packagename.tbz* we can extract it
into /usr/local/avamar, but I don't want to do it in that format.
After the package is created, if I give the command *pkg_add packagename.tbz* it
should be extracted into /usr/local/avamar.
How to do this?

I shall be thankful to you if you can help me out with this issue.

*cwd : current working directory*

Thanks,
Lokesh.


PF firewall NAT and Windows IPSEC tunnel

2008-02-09 Thread Nerius Landys
Howdy folks.  I have several computers behind a FreeBSD router (NAT
192.168.0.x using OpenBSD's PF) .  One of those computers is a Windows
machine which is using software called "Cisco Systems VPN Client" to connect
to some other computers outside of our internal network.  Our connection to
the outside world is DHCP via cable modem.  I can connect the Windows
machine directly to the cable modem, bypassing the FreeBSD router entirely;
the VPN works fine in this case.  However, when I try going through the
FreeBSD router I get dropped VPN connections after four to eight minutes;
the VPN works fine only when it first connects and for five minutes
thereafter.

  Secure VPN Connection terminated locally by the client.
  Reason 412: The remote peer is no longer responding.

We contacted the administrator on the other side and he said to do the
following:

  The following ports should be allowed through the local firewall:
  UDP port 500, port 1
  ESP all ports
  AH all ports


My original /etc/pf.conf:

  ext_if="fxp0"
  int_if="fxp3"
  internal_net="192.168.0.0/24"
  nat on $ext_if from $internal_net to any -> ($ext_if)

and I added these three lines (the Windows machine is 192.168.0.3):

  rdr on $ext_if proto udp from any to ($ext_if) port {500,1} -> 192.168.0.3
  rdr on $ext_if proto esp from any to ($ext_if) -> 192.168.0.3
  rdr on $ext_if proto ah from any to ($ext_if) -> 192.168.0.3

But the VPN connections still get dropped after five minutes.  Any ideas?

I'm also running a bridge between several network interfaces.
My /etc/sysctl.conf looks like this:

  net.link.ether.bridge.enable=1
  net.link.ether.bridge.config=em0,em1,fxp1,fxp2,fxp3

The interesting lines from /etc/rc.conf are:

  ifconfig_fxp0="DHCP"
  ifconfig_fxp3="inet 192.168.0.254 netmask 255.255.255.0"


Re: Dell 1950 for PF firewall

2008-02-02 Thread shinny knight
Wojciech Puchar <[EMAIL PROTECTED]> wrote:
> > Memory: 4GB 667MHz (4x1GB), Dual Ranked DIMMs
>
> incredibly important for firewall to have 4GB RAM. why not 64GB or more?
> ;)

:)
For many reasons.
Company policy is to prefer ordering 4GB RAM servers rather than upgrading later so that 
we can easily switch them to heavy-loaded jail or DB servers.

Appreciate it if anyone can advise on using the Intel® PRO 1000VT Quad Port Gigabit 
NIC and what is the max throughput they got on same with or w/o polling.
Thanks in advance.

Best Regards,
Catalin


Re: PF firewall

2007-12-07 Thread Roland Smith
On Fri, Dec 07, 2007 at 06:20:37AM -0600, ajtiM wrote:
> Hi!
> 
> I am a new FreeBSD 7.0 beta3 user and I have standalone computer connected to 
> the internet  (cable). I use both, console and KDE desktop. I tried to setup 
> PF firewall for the standalone computer but I have a problem with internal 
> messages (mail) which are blocked if firewall running.
> This is from /var/log/mail:
> "sm-msp-queue[15113]: lB493C1i007320: to=root, ctladdr=root (0/0), 
> delay=1+21:37:55, xdelay=00:00:00, mailer=relay, pri
> =2552408, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Operation not 
> permitted"
> 
> My pf.conf looks like:
> 
> pass out  quick inet  from (sk0)  to any keep state  label "RULE 0 -- ACCEPT "
> block drop in quick inet all label "RULE 1 -- DROP "
> block drop out quick inet all label "RULE 1 -- DROP "
> block drop in quick inet all label "RULE 1 -- DROP "
> block drop out quick inet all label "RULE 1 -- DROP "

You're dropping all incoming traffic, also on the local interface!

Try adding:

set skip on lo

furthermore, your ruleset has duplicates, especially since you use the
quick keyword.

Below is a commented example of a pf.conf for a workstation (mine :-)
 /etc/pf.conf -
# /etc/pf.conf

# Macros: define common values, so they can be referenced and changed easily.
ext_if = "rl0"
int_if = "rl1"

# Addresses that can't be routed externally. 
# See http://www.rfc-editor.org/rfc/rfc3330.txt
# (10.0.0.138 is my router, so it should be reachable!)
table  const { 0.0.0.0/8, 10.0.0.0/8, !10.0.0.138, 127.0.0.0/8, \
169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 240.0.0.0/4 }

# Options: tune the behavior of pf.
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalization: reassemble fragments etc.
scrub in all

# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
# The sysctl net.inet.ip.forwarding should be set for this to work.
# Alternatively, set gateway_enable="YES" in /etc/rc.conf.
nat pass on $ext_if inet from $int_if:network to any -> $ext_if

# Filtering
antispoof quick for $int_if

# Nobody gets in from the outside!
block in log quick on $ext_if all label "inblock"
# Block packets to unroutable addresses
block out log quick on $ext_if from any to  label "unroutable"
# Block by default.
block out log on $ext_if all label "outblock"

# Internal "network" is trusted.
pass in on $int_if all 
# Let outgoing traffic through, and keep state
# 'modulate state' only works with TCP!
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto udp all keep state
# Let pings through.
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

 /etc/pf.conf -

HTH,
Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)


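A small checker for the two problems Roland points out in the posted rule set (loopback traffic caught by the block-all rules, and duplicated quick rules), added here and not from the thread. It copies the poster's five rules, models only interface, direction and `quick` (addresses and protocols are ignored, which is enough for these two checks), and the interface name lo0 is assumed.

```python
"""Check a pf rule set for blocked loopback traffic and duplicate rules."""
import re

# The poster's rule set, copied from the thread.
POSTED_RULES = """\
pass out quick inet from (sk0) to any keep state label "RULE 0 -- ACCEPT "
block drop in quick inet all label "RULE 1 -- DROP "
block drop out quick inet all label "RULE 1 -- DROP "
block drop in quick inet all label "RULE 1 -- DROP "
block drop out quick inet all label "RULE 1 -- DROP "
"""

LABEL_RE = re.compile(r'\s+label\s+"[^"]*"')
ON_RE = re.compile(r"\bon\s+(\S+)")


def parse_rules(text):
    """Split pf.conf text into rules: drop comments and blank lines and
    collapse whitespace so that equal rules compare equal."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if line.strip():
            rules.append(" ".join(line.split()))
    return rules


def _iface(rule):
    """Interface named after 'on', or None when the rule applies to all."""
    m = ON_RE.search(rule)
    return m.group(1) if m else None


def _direction(rule):
    """'in', 'out' or None (both) from the leading tokens of a filter rule."""
    for tok in rule.split()[1:3]:
        if tok in ("in", "out"):
            return tok
    return None


def _iface_matches(rule_iface, iface):
    # 'on lo' names the interface group, which covers lo0.
    return rule_iface in (iface, iface.rstrip("0123456789"))


def effective_action(rules, iface, direction):
    """Apply pf's evaluation order to a packet on `iface` going `direction`:
    the last matching rule wins unless a matching rule says 'quick', which
    ends evaluation there.  'set skip on' takes the interface out of
    filtering altogether.  Returns 'pass', 'block', 'skip' or None."""
    winner = None
    for rule in rules:
        verb = rule.split()[0]
        rule_iface = _iface(rule)
        if rule.startswith("set skip on") and _iface_matches(rule_iface, iface):
            return "skip"
        if verb not in ("pass", "block"):
            continue
        if rule_iface is not None and not _iface_matches(rule_iface, iface):
            continue
        rule_dir = _direction(rule)
        if rule_dir is not None and rule_dir != direction:
            continue
        winner = verb
        if " quick " in f" {rule} ":
            break
    return winner


def duplicate_rules(rules):
    """Rules that appear more than once, once their labels are stripped."""
    seen, dups = set(), []
    for rule in rules:
        key = LABEL_RE.sub("", rule)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


if __name__ == "__main__":
    posted = parse_rules(POSTED_RULES)
    print("lo0 inbound:", effective_action(posted, "lo0", "in"))
    print("duplicates:", duplicate_rules(posted))
    fixed = parse_rules("set skip on lo\n" + POSTED_RULES)
    print("lo0 inbound after fix:", effective_action(fixed, "lo0", "in"))
```

A plain `pass on lo0 all` without `quick` placed before the block rules does not help, because the later quick block still wins; the test below covers that case too.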


Re: PF firewall

2007-12-07 Thread shinny knight
ajtiM wrote:
> Hi!
> 
> I am a new FreeBSD 7.0 beta3 user and I have standalone computer connected to 
> the internet (cable). I use both, console and KDE desktop. I tried to setup 
> PF firewall for the standalone computer but I have a problem with internal 
> messages (mail) which are blocked if firewall running.
> This is from /var/log/mail:
> "sm-msp-queue[15113]: lB493C1i007320: to=root, ctladdr=root (0/0), 
> delay=1+21:37:55, xdelay=00:00:00, mailer=relay, pri
> =2552408, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Operation not 
> permitted"
> 
> My pf.conf looks like:
> 
> pass out quick inet from (sk0) to any keep state label "RULE 0 -- ACCEPT "
> block drop in quick inet all label "RULE 1 -- DROP "
> block drop out quick inet all label "RULE 1 -- DROP "
> block drop in quick inet all label "RULE 1 -- DROP "
> block drop out quick inet all label "RULE 1 -- DROP "
> 
> Thanks in advance.

Everything on the loopback interface is blocked with this rule set. You 
will normally want a rule at top like this:

pass quick on lo0 all

This will pass anything on the loopback interface be it IPv4 or IPv6.

Cheers, Erik
  
Hi there,

I will recommend you using the below rule if you are not planning on filtering 
traffic on loopback:

#Skip all PF processing on interface lo0
set skip on lo0

However, if this does not solve your issue maybe you should paste your 
pf.conf.
This way we could help you further.

Cheers,

Catalin


Re: PF firewall

2007-12-07 Thread Erik Norgaard

ajtiM wrote:

Hi!

I am a new FreeBSD 7.0 beta3 user and I have standalone computer connected to 
the internet  (cable). I use both, console and KDE desktop. I tried to setup 
PF firewall for the standalone computer but I have a problem with internal 
messages (mail) which are blocked if firewall running.

This is from /var/log/mail:
"sm-msp-queue[15113]: lB493C1i007320: to=root, ctladdr=root (0/0), 
delay=1+21:37:55, xdelay=00:00:00, mailer=relay, pri
=2552408, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Operation not 
permitted"


My pf.conf looks like:

pass out  quick inet  from (sk0)  to any keep state  label "RULE 0 -- ACCEPT "
block drop in quick inet all label "RULE 1 -- DROP "
block drop out quick inet all label "RULE 1 -- DROP "
block drop in quick inet all label "RULE 1 -- DROP "
block drop out quick inet all label "RULE 1 -- DROP "

Thanks in advance.


Everything on the loopback interface is blocked with this rule set. You 
will normally want a rule at top like this:


pass quick on lo0 all

This will pass anything on the loopback interface be it IPv4 or IPv6.

Cheers, Erik


PF firewall

2007-12-07 Thread ajtiM
Hi!

I am a new FreeBSD 7.0 beta3 user and I have standalone computer connected to 
the internet  (cable). I use both, console and KDE desktop. I tried to setup 
PF firewall for the standalone computer but I have a problem with internal 
messages (mail) which are blocked if firewall running.
This is from /var/log/mail:
"sm-msp-queue[15113]: lB493C1i007320: to=root, ctladdr=root (0/0), 
delay=1+21:37:55, xdelay=00:00:00, mailer=relay, pri
=2552408, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Operation not 
permitted"

My pf.conf looks like:

pass out  quick inet  from (sk0)  to any keep state  label "RULE 0 -- ACCEPT "
block drop in quick inet all label "RULE 1 -- DROP "
block drop out quick inet all label "RULE 1 -- DROP "
block drop in quick inet all label "RULE 1 -- DROP "
block drop out quick inet all label "RULE 1 -- DROP "

Thanks in advance.
-- 
mItjA
__
http://www.gnu.org/
http://www.freebsd.org


ng_netflow on PF + CARP firewall question

2007-12-06 Thread shinny knight
Hello all,

I'm trying to use the ng_netflow module along with a PF+CARP implementation on 
freebsd 6.2.
I understand from different posts that the ng_netflow module is performing quite 
well and does not add so much cpu load since packets are processed in the 
kernel.
However, the ng_netflow documentation is very confusing for beginners and I'm 
having a hard time figuring it out.

Like mentioned before, I have a PF+CARP implementation along with the 
/usr/ports/net/ifstated port. This part is tested and is working fine. (If 
anybody wants advice here feel free to ask:) )

I'm wondering if it's a good idea to add ng_netflow on top of it or should I 
use an additional system with a TAP interface and just mirror incoming/outgoing 
traffic from the switch.

This is what I want to try for ng_netflow:

cat /boot/loader.conf

ng_ether_load="YES"
ng_ksocket_load="YES"
ng_tee_load="YES"
ng_socket_load="YES"
ng_netflow_load="YES"

cat /etc/rc.conf |grep ng

ng_netflow_enable="YES"


cat /usr/local/etc/rc.d/ng_netflow

#!/bin/sh
#
# PROVIDE: ng_netflow
# REQUIRE: DAEMON
. /etc/rc.subr

name="ng_netflow"
rcvar=`set_rcvar`

ng_netflow_start()
{
    echo "Starting ${name}."
    /usr/sbin/ngctl -f- <<-SEQ

mkpeer bge2: tee lower right
connect bge2: bge2:lower upper left
name bge2:lower bge2_tee
mkpeer bge2_tee: netflow left2right iface0
name bge2:lower.left2right netflow
connect bge2_tee: netflow: right2left iface1
msg netflow: setifindex { iface=0 index=2 }
msg netflow: setifindex { iface=1 index=1 }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/127.0.0.1:8818

mkpeer bge1: tee lower right
connect bge1: bge1:lower upper left
name bge1:lower bge1_tee
mkpeer bge1_tee: netflow left2right iface2
name bge1:lower.left2right netflow0
msg netflow0: setifindex { iface=2 index=4 }
connect bge1_tee: netflow0: right2left iface3
msg netflow0: setifindex { iface=3 index=3 }
mkpeer netflow0: ksocket export inet/dgram/udp
msg netflow0:export connect inet/127.0.0.1:8818

SEQ
}

ng_netflow_stop()
{
    echo "Stopping ${name}."
    /usr/sbin/ngctl -f- <<-SEQ
shutdown netflow:
SEQ
}

start_cmd="ng_netflow_start"
stop_cmd="ng_netflow_stop"

load_rc_config $name

: ${ng_netflow_enable="NO"}

run_rc_command "$1"

As can be seen from the above script I'm planning on sending packets to localhost 
port 8818 first.
Is the above configuration correct?

Will it affect in any way the PF+CARP implementation regarding the fact that I'm 
not using CARP interfaces with ng_netflow but physical ones like bge1 and bge2? 
(I want to mention here that I'm not planning on using ng_netflow on the pf_sync 
interface)

Should I stick with solutions from ports like softflowd & similar?

What could be the cpu/memory requirements difference for 100Mbps traffic between 
ng_netflow and softflowd?

Thanks in advance for any help.

Senior Network/Security Administrator
Catalin Miclaus

Starcomms Ltd.


Re: Firewall Redirect

2007-12-01 Thread CyberLeo Kitsana
Lucas Neves Martins wrote:
>422  ipfw add 950 divert 8082 tcp from any to any 80 via em0

Hi!

I do something similar, except with a small home-grown server used to
serve 'You are banned' pages to people who insist on driving my poor
little webserver into swap.

The directive you're looking for is 'fwd'.

ipfw add 44001 fwd 127.0.0.44 tcp from "${luser}" to any 80 in recv fxp0

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<[EMAIL PROTECTED]>

Furry Peace! - http://.fur.com/peace/


Re: Firewall Redirect

2007-11-30 Thread pete wright
On Nov 30, 2007 5:59 AM, Lucas Neves Martins <[EMAIL PROTECTED]> wrote:
> Hello guys,
>
> I´m having the following problem:
>
> Redirect requests from the port 80, to the port 8082. - for apache tomcat.
>
> I´m new on freeBSD, Of course, I had looked out on google, and read the
> firewall section on the Handbook.
>
snipping some ipfw rules...

>
> PS: I´m trying to do this, to make the user "tomcat" run the apache-tomcat,
> opening the port 8082, and make it
>
> transparent to users who access the domain by the common port 80.
>

another method to achieve this that may be interesting for you is to
use mod_jk to redirect requests coming in on your priv'd port 80
apache daemon to your tomcat processes on an unpriv'd port:

http://tomcat.apache.org/connectors-doc/

I won't go into the whole configuration here - but going this route
may give you more flexibility than using a packetfilter ruleset and
will allow you take advantage of load balancing etc. with mod_jk as
well.  i currently use this setup for a site that serves both static
content from httpd and .jsp pages from tomcat all on the same box.

HTH
-pete

-- 
~~o0OO0o~~
Pete Wright
www.nycbug.org
NYC's *BSD User Group


Re: Firewall Redirect

2007-11-30 Thread Rob

Lucas Neves Martins wrote:

Redirect requests from the port 80, to the port 8082. - for apache tomcat.
[[snip]]
   422  ipfw add 950 divert 8082 tcp from any to any 80 via em0
   425  ipfw add 950 divert 8082 tcp from any to any 80 via em0
   428  ipfw add 950 divert 80 tcp from any to any 8082 via em0


It's not as "clean" as doing it with ipfw, but there is a port redirect utility in 
ports/net/redir that might accomplish what you want.

 -RW



Re: Firewall Redirect

2007-11-30 Thread usleepless
On 11/30/07, Lucas Neves Martins <[EMAIL PROTECTED]> wrote:
> Hello guys,
>
> I´m having the following problem:
>
> Redirect requests from the port 80, to the port 8082. - for apache tomcat.
>
> I´m new on freeBSD, Of course, I had looked out on google, and read the
> firewall section on the Handbook.
>
> But only found missed things, and nothing worked.
>
> I have tried this commands:
>
> #history | grep divert
>
> H
>
>
>
>422  ipfw add 950 divert 8082 tcp from any to any 80 via em0
>425  ipfw add 950 divert 8082 tcp from any to any 80 via em0
>428  ipfw add 950 divert 80 tcp from any to any 8082 via em0
>432  ipfw add 950 divert 8082 tcp from any to any 80 via em0
>435  ipfw add 950 divert 8082 tcp from any to any 80 via em0
>
>
>
> I know how works the number 950, I know it is on the right position, but I
> dont know how works the divert,
>
> and even what it is. I dont know if "divert 8082" makes the requests come
> from 80, or go to 80.
>
> damn...
>
> Any help will be useful.

AFAIK, divert in ipfw diverts to unix-domain sockets.

i think you might pull it off with ipnat +

/etc/ipnat.conf:
 rdr em0 0.0.0.0/0 port 80 -> 0.0.0.0/0 port 8082

regards,

usleep


Firewall Redirect

2007-11-30 Thread Lucas Neves Martins
Hello guys,

I´m having the following problem:

Redirect requests from the port 80, to the port 8082. - for apache tomcat.

I'm new to FreeBSD. Of course, I had looked on Google, and read the
firewall section of the Handbook.

But only found missed things, and nothing worked.

I have tried these commands:

#history | grep divert

H



   422  ipfw add 950 divert 8082 tcp from any to any 80 via em0
   425  ipfw add 950 divert 8082 tcp from any to any 80 via em0
   428  ipfw add 950 divert 80 tcp from any to any 8082 via em0
   432  ipfw add 950 divert 8082 tcp from any to any 80 via em0
   435  ipfw add 950 divert 8082 tcp from any to any 80 via em0



I know how the number 950 works, I know it is in the right position, but I
don't know how the divert works,

or even what it is. I don't know if "divert 8082" makes the requests come
from 80, or go to 80.

damn...

Any help will be useful.

--

PS: I'm trying to do this to make the user "tomcat" run apache-tomcat,
listening on port 8082, and make it

transparent to users who access the domain on the common port 80.


Thanks.


-- 
Snowniak - BR

Re: Advanced Routing/Firewall Interface Options for FreeBSD 7

2007-11-28 Thread Erik Osterholm
On Wed, Nov 28, 2007 at 09:08:37PM +0100, Ivan Voras wrote:
> [EMAIL PROTECTED] wrote:
> 
> > FreeBSD 7 supports ZFS. From there, NFS and Samba are easy. I've been
> > using Solaris for this, but it's rather archaic in many ways, and the
> > only reason I use it is for the stable ZFS support. Everything else in
> > Solaris - given my needs - is a poor match.
> 
> People have reported problems with ZFS and NFS and Samba in the past.
> Test thoroughly before using (and report problems, if any :) ).
> 

While this is true, recent versions of Samba have addressed the issue.
I'm running a ZFS pool with Samba sharing it to my network, and it's
working flawlessly.

FreeBSD localhost 7.0-BETA1.5 FreeBSD 7.0-BETA1.5 #0: Wed Oct 24 23:17:30 UTC 
2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  amd64

samba-3.0.26a_1,1   A free SMB and CIFS client and server for UNIX

Erik


Re: Advanced Routing/Firewall Interface Options for FreeBSD 7

2007-11-28 Thread Ivan Voras
[EMAIL PROTECTED] wrote:

> FreeBSD 7 supports ZFS. From there, NFS and Samba are easy. I've been
> using Solaris for this, but it's rather archaic in many ways, and the
> only reason I use it is for the stable ZFS support. Everything else in
> Solaris - given my needs - is a poor match.

People have reported problems with ZFS and NFS and Samba in the past.
Test thoroughly before using (and report problems, if any :) ).





Advanced Routing/Firewall Interface Options for FreeBSD 7

2007-11-28 Thread [EMAIL PROTECTED]

Hello,

I am trying to combine my file server and router into a single box.  
Before you tell me this is a bad idea, let me remind you this is a  
personal installation (not intensive file serving) and the machine and  
NICs are fairly beefy.


FreeBSD 7 supports ZFS. From there, NFS and Samba are easy. I've been  
using Solaris for this, but it's rather archaic in many ways, and the  
only reason I use it is for the stable ZFS support. Everything else in  
Solaris - given my needs - is a poor match.


Can anybody suggest what options there are for having a router/ 
firewall configuration interface placed atop FreeBSD 7 with ZFS? I  
want something along the lines of pfSense (GUI for traffic shaping,  
hopefully setup a simple VPN) that can also serve files and perhaps  
run some software that puts free CPU cycles to use. Maybe I might run  
Apache/MySQL for testing a few sites locally.


Any ideas? pfSense is not designed to work atop a standard FreeBSD  
distribution, nor is m0n0wall, and even if I used or modified their  
integrated distribution, I suspect it lacks ZFS support.


-Galen


Re: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-27 Thread Michael C. Cambria

Ted Mittelstaedt wrote:

[deleted]
Don't know but a dime is too much right now (I am personally living on
$15/mo once the rent, food and connectivity is paid for [the wonders
of a startup with no investors]).   That is one reason why colo is not
possible... yes I understand most of the hassles involved since I was
the head sysadmin for a full service ISP in a former life (mid to late
90's).




Well, I think you're stuck paying money for a service, but there are
some cheap ones out there.

This guy is pretty cheap:

http://www.domainmx.net/

This one is free - if you can deal with UUCP and the LD charges
to access with it:

http://www.bungi.com

  
I have a similar "virtual company" with people all over the place.  I 
was running everything locally at one time.  Since my (FreeBSD) router 
is always up, and my provider keeps the IP the same, it worked for me.
There were some reverse DNS issues where incoming mail from say AOL 
wouldn't make it but for me it was "who cares".  The senders I cared 
about worked.


I since moved mail for my domains to http://www.csoft.net.  These guys 
fit my budget ($15/mo), provide a static IP, let me pick FreeBSD as my 
server (vs. OpenBSD or Linux last time I checked; there may be other 
choices now.)  I also get shell access which lets me port forward when 
needed to get around providers (or hotels) that block ports I need.  
Last I checked, there are no bandwidth or other restrictions.  They are 
also very open source friendly.


MikeC



Re: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-27 Thread Bob Richards

>To be perfectly clear this isn't really receiving mail.  You're
>configuring a system at dyndns.org or some other mail forwarder to
>receive your mail for you then forward it on to your system using the
>alternative port.

Not what I am doing. I only suggested that to the original poster who
has an inbound port25 restriction. I receive all my important email
directly.

>Frankly, unless you're processing mail for a lot of people, there is no
>benefit to running your own mailserver, and you really ought to be
>using a client-server model for getting mail, as you are doing.  The
>OP just hasn't realized this yet.

There are very good reasons why one might want to receive mail
directly. 

I live and work aboard a trawler; I do not always have the same ISP for
connectivity. At the home dock I have DSL; underway I have a satellite
link; close to shore while cruising, or anchored, I have Sprint;
some marinas offer 802.11, etc.

My "Important" email, like weather/navigation alerts, family e-mail,
work related email is delivered directly to the on-board server, which
has a name.servebbs.org, and is kept DNS's properly via dyndns.

All of my outbound email is smart-hosted to another ISP on port 587
Start TLS.

This way, I do not have to have any special access to any particular
ISP to get and send email, it shows up immediately, and I am notified.
 
Bob





-- 
  _
 /o\
// \\ The ASCII
\\ // Ribbon Campaign
 \V/  Against HTML
 /A\  eMail!
// \\




Re: Best FreeBSD Firewall for 6.X?

2007-11-27 Thread Peo Nilsson

On Tue, 2007-11-27 at 02:07 -0600, W. D. wrote:
> Hi folks,
> 
> Just built a 6.2 box.
> 
> Wondering what is the best software firewall.
> Yes, I know that this is a loaded, and
> subjective issue.
> 
> I just couldn't find a definitive answer:

There is no such "thing" as best.
It's a matter of you defining your own needs,
then picking a piece of software that matches your
needs.

-- 
/Peo



--
-   PGP signed/encrypted emails is prefered  - 
--
 
 [novice about this? ~> visit: www.gnupg.org]




RE: Best FreeBSD Firewall for 6.X?

2007-11-27 Thread Ted Mittelstaedt


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of W. D.
> Sent: Tuesday, November 27, 2007 12:08 AM
> To: FreeBSD-Questions@freebsd.org
> Subject: Best FreeBSD Firewall for 6.X?
> 
> 
> Hi folks,
> 
> Just built a 6.2 box.
> 
> Wondering what is the best software firewall.
> Yes, I know that this is a loaded, and
> subjective issue.
> 

So, quit trolling and don't ask.

> I just couldn't find a definitive answer

That is because there isn't one and you knew that already,
or you wouldn't have stated it was a subjective question.

Ted


Best FreeBSD Firewall for 6.X?

2007-11-27 Thread W. D.
Hi folks,

Just built a 6.2 box.

Wondering what is the best software firewall.
Yes, I know that this is a loaded, and
subjective issue.

I just couldn't find a definitive answer:

<http://www.google.com/search?hl=en&safe=off&q=firewall+%282007+OR+2006%29+site%3Alists.freebsd.org%2Fpipermail%2Ffreebsd-questions&btnG=Search>

Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/



RE: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-27 Thread Ted Mittelstaedt
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Aryeh M.
> Friedman
> Sent: Monday, November 26, 2007 11:40 PM
> To: Ted Mittelstaedt
> Cc: freebsd-questions@freebsd.org; Bob Richards
> Subject: Re: Getting around ISP SMTP firewall settings (Re: Submitting a
> new port if send-pr is broken)
> 
> 
> 
> 
> >
> >
> > Really, as others have said, it's easier to pay the money for the
> > business line.  How much extra do they want for it?
> 
> Don't know but a dime is too much right now (I am personally living on
> $15/mo once the rent, food and connectivity is paid for [the wonders
> of a startup with no investors]).   That is one reason why colo is not
> possible... yes I understand most of the hassles involved since I was
> the head sysadmin for a full service ISP in a former life (mid to late
> 90's).
> 

Well, I think you're stuck paying money for a service, but there are
some cheap ones out there.

This guy is pretty cheap:

http://www.domainmx.net/

This one is free - if you can deal with UUCP and the LD charges
to access with it:

http://www.bungi.com

Is there any way you could get your webhoster to be a bit more
flexible on their e-mail forwarding?  If for example you could get
them to forward your e-mail to a script run out of your .forward
file on their webserver, you got it made.  They might do that since
it wouldn't require them to devote disk space to a mailbox on
their server.  You would write a perl script that would make a
connection to a nonstandard port on your mailserver.

Ted


Re: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-26 Thread Aryeh M. Friedman


>
>
> Really, as others have said, it's easier to pay the money for the
> business line.  How much extra do they want for it?

Don't know but a dime is too much right now (I am personally living on
$15/mo once the rent, food and connectivity is paid for [the wonders
of a startup with no investors]).   That is one reason why colo is not
possible... yes I understand most of the hassles involved since I was
the head sysadmin for a full service ISP in a former life (mid to late
90's).

--
Aryeh M. Friedman
Developer, not business, friendly
http://www.flosoft-systems.com



RE: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-26 Thread Ted Mittelstaedt


> -Original Message-
> From: Aryeh M. Friedman [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 26, 2007 10:02 PM
> To: Aryeh M. Friedman
> Cc: Ted Mittelstaedt; Bob Richards; freebsd-questions@freebsd.org
> Subject: Re: Getting around ISP SMTP firewall settings (Re: Submitting a
> new port if send-pr is broken)
>
>
>
> Aryeh M. Friedman wrote:
> >
> > > Frankly, unless you're processing mail for a lot of people, there is no
> > > benefit to running your own mailserver, and you really ought to be
> > > using a client-server model for getting mail, as you are doing.  The
> > > OP just hasn't realized this yet.
> >
> > Actually I am processing mail for over a dozen people and almost 100
> > diff addrs so it does make sense if it is possible.
> >
> >
>
> Oops forgot to mention there is a small set of complicating factors:
>
> 1. The people and addrs I process mail for all have the same domain
> but live in locations all around the globe (virtual company)
>
> 2. The domain should/must be the same as the company's web page (see
> my sig for addr) which is on a conventional web hosting arrangement
>
> 3. As far as I can tell, all inbound/outbound smtp/http (25, 587, and 80) are
> blocked by the ISP (they offer them under a business package that also
> includes a static IP but currently that is too pricey)
>

You really need to clarify what you mean by inbound and outbound.

I'll assume that by inbound, you mean you cannot have inbound
connections to ports 25, 587, and 80.  This is perfectly legitimate
for a residential ISP connection.

I'll assume that by outbound, you mean you cannot have outbound
connections to ports 25, 587, and 80.  This is silly.  A block on
an outbound connection to port 80 would mean you couldn't surf
the web.

I'll assume you mean that outbound port 25 is blocked to everywhere
except for the ISP's own mailserver.  That also is perfectly legitimate
for a residential ISP connection.

A block on an outbound port 587 connection has only ONE purpose,
to prevent you from using a legitimate mailserver for sending
mail other than the ISP's server.  Servers on the Internet that
respond to port 587 are only supposed to relay mail from AUTH
connections to 587 so allowing ISP customers to use 587 is not
a security or SPAM problem.  587 is not used for server-to-server
mail traffic.  If your ISP is indeed blocking outbound 587 then
you have justifiable reasons to scream and bitch, and they do
NOT have any justifiable reason to block it.

None of the large cable or DSL providers block outbound 587.

> 4. The ISP is the only one in my area (semi-rural) that offers high
> speed bandwidth
>
> 5. Even though my web hoster offers mail forwarding it does not offer
> mail box and/or mailing list hosting (having prepaid for 2 years and
> only being 2 months into the deal I am not going to switch providers)

There's plenty of ISP's on the Internet that offer mailboxes only.
I can't fault your webhoster for not wanting to get into offering
mailboxes.  It is a speciality, just as webhosting is a speciality.

What you really should have done, (of course hindsight is a great
revealer) is to have contracted with an ISP where you could have
colocated a server.  For probably $100 a month you could have your
own box with a public IP address and run a mailserver on it, hosted
your website on it, and you could have modified it so that instead of
port 587, you did auth-smtp on port 588 and then gotten around your
ISP's block on outbound 587 (if in fact such exists).

You really only have 2 non-business connection choices as I see it.

First, contract with some ISP that will sell you a mailbox that
will take domain mail.  Next build a mailserver at your site
that uses fetchmail to pop down that mail and port 587 to send it out.
Last, on your site mailserver, set up
a pop3 or imap server that uses a non-standard port#, then config
your road warrior clients to use that port, or set up a webmail
interface and use a URL like webmail.flosoft-systems.com:86/webmaillogin.cgi
to access it.  This assumes outbound port 110 and 587 are NOT blocked.

If outbound port 587 and 110 ARE blocked, then you cannot do
anything other than the colocated box that has all non-standard
ports, OR say hell with it and work out a deal with
an ISP to do virtual mailboxes and mailhosting.  If you want
to do that last, I'd be happy to pitch pricing to you for my
employer off list.  (as no doubt, many other list readers could)

Really, as others have said, it's easier to pay the money for the
business line.  How much extra do they want for it?

Ted



Re: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-26 Thread Aryeh M. Friedman

Aryeh M. Friedman wrote:
>
> > Frankly, unless you're processing mail for a lot of people, there is no
> > benefit to running your own mailserver, and you really ought to be
> > using a client-server model for getting mail, as you are doing.  The
> > OP just hasn't realized this yet.
>
> Actually I am processing mail for over a dozen people and almost 100
> diff addrs so it does make sense if it is possible.
>
>

Oops forgot to mention there is a small set of complicating factors:

1. The people and addrs I process mail for all have the same domain
but live in locations all around the globe (virtual company)

2. The domain should/must be the same as the company's web page (see
my sig for addr) which is on a conventional web hosting arrangement

3. As far as I can tell, all inbound/outbound smtp/http (25, 587, and 80) are
blocked by the ISP (they offer them under a business package that also
includes a static IP but currently that is too pricey)

4. The ISP is the only one in my area (semi-rural) that offers high
speed bandwidth

5. Even though my web hoster offers mail forwarding it does not offer
mail box and/or mailing list hosting (having prepaid for 2 years and
only being 2 months into the deal I am not going to switch providers)
--
Aryeh M. Friedman
Developer, not business, friendly
http://www.flosoft-systems.com



Re: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-26 Thread Aryeh M. Friedman


>
> Frankly, unless you're processing mail for a lot of people, there is no
> benefit to running your own mailserver, and you really ought to be
> using a client-server model for getting mail, as you are doing.  The
> OP just hasn't realized this yet.

Actually I am processing mail for over a dozen people and almost 100
diff addrs so it does make sense if it is possible.


--
Aryeh M. Friedman
Developer, not business, friendly
http://www.flosoft-systems.com



RE: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-26 Thread Ted Mittelstaedt


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bob Richards
> Sent: Monday, November 26, 2007 3:45 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: Getting around ISP SMTP firewall settings (Re: Submitting a
> new port if send-pr is broken)
> 
> 
> On Mon, 26 Nov 2007 13:15:59 +0200
> Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
> 
> > 
> > I don't think there's an easy way to set up the local Sendmail
> > installation to *receive* email from the world without some sort of
> > `static address' though. 
> 
> Actually there is an easy way, I do it here at my work station which is
> on a boat, and uses many different modes of connectivity. All of which
> are floating IPs.
> 
> Get a domain name at dyndns. ANYTHING.servebbs.com/net/org. (it's free) 
> 
> You can also DNS any domain you own for about $29.00/Year, and simply
> MX your mail to your dynamic domain machine on a variety of alternative
> ports.
> 

To be perfectly clear this isn't really receiving mail.  You're configuring
a system at dyndns.org or some other mail forwarder to receive your
mail for you then forward it on to your system using the alternative
port.

You can just as easily set up a mailbox on the dyndns server (or
whoever will sell you a mailbox - tons of ISPs will do it) and
fetchmail your mail via POP3 from it.

> Install ddclient on your machine; it will keep your IP updated at
> dyndns.
> 
> Install an mta, like sendmail, and smart-host it to your ISP; or
> smart-host it to dyndns if your ISP can't/won't do it.
> 
> I have been doing this for about 2 years now, and have had no problems
> at all.
> 

I'm sure you don't because in effect you're doing exactly the same thing
that any typical e-mail client does - you're offloading the heavy lifting
of receiving mail - the spam and antivirus filtering - to a real mailserver
somewhere on the Internet.

Frankly, unless you're processing mail for a lot of people, there is no
benefit to running your own mailserver, and you really ought to be
using a client-server model for getting mail, as you are doing.  The
OP just hasn't realized this yet.

Ted


Re: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-26 Thread Bob Richards
On Mon, 26 Nov 2007 13:15:59 +0200
Giorgos Keramidas <[EMAIL PROTECTED]> wrote:

> 
> I don't think there's an easy way to set up the local Sendmail
> installation to *receive* email from the world without some sort of
> `static address' though. 

Actually there is an easy way, I do it here at my work station which is
on a boat, and uses many different modes of connectivity. All of which
are floating IPs.

Get a domain name at dyndns. ANYTHING.servebbs.com/net/org. (it's free) 

You can also DNS any domain you own for about $29.00/Year, and simply
MX your mail to your dynamic domain machine on a variety of alternative
ports.

Install ddclient on your machine; it will keep your IP updated at
dyndns.

Install an mta, like sendmail, and smart-host it to your ISP; or
smart-host it to dyndns if your ISP can't/won't do it.

I have been doing this for about 2 years now, and have had no problems
at all.

Bob

-- 
  _
 /o\
// \\ The ASCII
\\ // Ribbon Campaign
 \V/  Against HTML
 /A\  eMail!
// \\


Re: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-26 Thread Gerard Seibert
> On November 26, 2007 at 04:00AM Aryeh M. Friedman wrote:

> > You should be able to set up a local mailer/MTA (sendmail, postfix,
> > etc.) and tell it to use your ISP's mail server on TCP port 25, and it
> > all should just "magically work" unless they require SMTP AUTH (not many
> > do from what I've seen; they base authentication on the source IP of
> > customers).
> >
> > sendmail refers to this feature as SMART_HOST, while postfix refers to
> > it as a transport destination (see transport(5)).
> 
> I have not set the MTA up yet for it but I did test it with
> thunderbird... an other question how can I set it up that I can
> receive mail (dynamic IP and 25 inbound is blocked)?

If you attempt to send mail using a dynamic IP, it is going to be blocked by
most MTAs since it fails reverse DNS checking. I am assuming that you are
attempting to bypass your ISP. You have to get a static IP from your provider.
With port 25 presently blocked, you might consider using something like mail
relaying/forwarding from a service like DYNDNS: http://www.dyndns.com/.


-- 
Gerard


Re: Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-26 Thread Giorgos Keramidas
On 2007-11-26 04:00, "Aryeh M. Friedman" <[EMAIL PROTECTED]> wrote:
>BTW I redirected this to -questions
>> You should be able to set up a local mailer/MTA (sendmail, postfix,
>> etc.) and tell it to use your ISP's mail server on TCP port 25, and
>> it all should just "magically work" unless they require SMTP AUTH
>> (not many do from what I've seen; they base authentication on the
>> source IP of customers).
>>
>> sendmail refers to this feature as SMART_HOST, while postfix refers
>> to it as a transport destination (see transport(5)).
>
> I have not set the MTA up yet for it but I did test it with
> thunderbird... another question: how can I set it up so that I can
> receive mail (dynamic IP and 25 inbound is blocked)?

Thunderbird doesn't necessarily go through an SMTP connection to the
local host, so it may work with or without a local MTA installation &
setup (depending on which host you forward outgoing email).

If you set up Thunderbird to use `localhost' for outgoing email, then
you have to also configure a local MTA (Sendmail, Postfix, or qmail are
popular choices).

I don't think there's an easy way to set up the local Sendmail
installation to *receive* email from the world without some sort of
`static address' though.  To do that, you would have to work with your
ISP, so that:

* Your address does not change semi-randomly or randomly.

* Your fully qualified domain resolves correctly and its MX records
  point to your static IP address.

* Your incoming port 25 traffic is not filtered.



Getting around ISP SMTP firewall settings (Re: Submitting a new port if send-pr is broken)

2007-11-26 Thread Aryeh M. Friedman

BTW I redirected this to -questions
>
>
> You should be able to set up a local mailer/MTA (sendmail, postfix,
> etc.) and tell it to use your ISP's mail server on TCP port 25, and it
> all should just "magically work" unless they require SMTP AUTH (not many
> do from what I've seen; they base authentication on the source IP of
> customers).
>
> sendmail refers to this feature as SMART_HOST, while postfix refers to
> it as a transport destination (see transport(5)).

I have not set the MTA up yet for it but I did test it with
thunderbird... another question: how can I set it up so that I can
receive mail (dynamic IP and 25 inbound is blocked)?


--
Aryeh M. Friedman
Developer, not business, friendly
http://www.flosoft-systems.com



Re: firewall is blocking our access

2007-11-23 Thread Bill Moran
Rodrigo Moura Bittencourt <[EMAIL PROTECTED]> wrote:
>
> Dear Bill Moran,

Take a bit of advice -- wildly CCing dozens of people is just going to piss
people off and cause them to start ignoring you.  You'll get much more
helpful results if you take the time to understand who you need to be
contacting, and contact only that person.

I understand that in the business world it's normal to CC everyone and all
of their managers as well, but that's because in the business world,
politics is more important than getting things done.

> The reason we believe to be problems of a firewall is to make the 
> connection through a proxy, we managed to connect to your server.

I've no idea how that symptom would lead to that conclusion.

> Another problem that could be considered is having rules in our firewall
> blocking access to your pages, but checking the rules we found that there
> is no restriction in our firewall rules regarding communication with
> your server.

I assumed you checked that first.

> Here is the attached traceroute, noting that the earlier hops are our
> internal equipment:
> 
>  7 ansp.ptta.ansp.br (200.136.37.1) 6,820 ms 8,215 ms 8,370 ms
>  8 143-108-254-130.ansp.br (143.108.254.130) 8,614 ms 8,271 ms 10,004 ms
>  9 g-1-1-0.ar1.GRU2.gblx.net (64.209.93.237) 9,704 ms 8,685 ms 8,206 ms
> 10 te3-1-10G.ar2.DCA3.gblx.net (67.16.128.1) 128,309 ms 127,803 ms 128,290 ms
> 11 yahoo-6.ar2.DCA3.gblx.net (64.215.195.110) 140,091 ms 140,141 ms 138,295 ms
> 12 so-0-0-0.pat2.pao.yahoo.com (216.115.101.130) 193,000 ms 192,656 ms 190,878 ms
> 13 g-1-0-0-p141.msr1.sp1.yahoo.com (216.115.107.55) 190,711 ms 193,645 ms 193,119 ms
> 14 ge-1-42.bas-b1.sp1.yahoo.com (209.131.32.27) 191,713 ms ge-1-48.bas-b1.sp1.yahoo.com (209.131.32.47) 190,836 ms 190,406 ms

It certainly does look like Yahoo is blocking you for some reason.
This lends credence to my earlier statement about contacting the correct
person: there's little the FreeBSD team can do about this, you'll have to
contact Yahoo directly.

> Here also attached the ping in your server:
> 
> PING www.freebsd.org (69.147.83.33) 56 (84) bytes of data.
> 
> --- Www.freebsd.org ping statistics ---
> 33 packets transmitted, 0 received, 100% packet loss, time 32015ms

Unfortunately, ping results are nearly useless in this day and age, because
so many people block ICMP at firewalls as if it's the plague.

> I am at your disposal for any other necessary information,

Are you unable to reach the mirror sites in Brazil?:
http://www.br.freebsd.org/
This could be a workaround while you sort out the issue with Yahoo.
Actually, it may be preferable on an ongoing basis.

-- 
Bill Moran
http://www.potentialtech.com


Re: firewall is blocking our access

2007-11-22 Thread Bill Moran
Rodrigo Moura Bittencourt <[EMAIL PROTECTED]> wrote:
>
> Dear Gentlemen,
> 
> We, INPE / CPTEC, a meteorology institution of the government of Brazil, are
> having trouble accessing the FreeBSD servers; we believe that
> your firewall is blocking our access.

While this is possible, I find it unlikely.

What evidence do you have to show that it's a firewall blocking
communication?  Furthermore, what evidence do you have to show that it's
a firewall under the control of the FreeBSD project?

I (and I'm sure others on this list) will be happy to help, but you're
going to have to provide more details of the problem.  What, exactly,
are you trying to do, and how, exactly, is it failing?  Please provide
exact commands and responses (error messages).

Additionally, the output of "traceroute www.freebsd.org" from the
problematic server would be helpful.

I've removed various emails from the return message, as there's no reason
to spam them with troubleshooting on the questions mailing list.

-- 
Bill Moran
http://www.potentialtech.com


firewall is blocking our access

2007-11-22 Thread Rodrigo Moura Bittencourt

Dear Gentlemen,

We, INPE / CPTEC, a meteorology institution of the Brazilian government,
are having trouble accessing the servers of FreeBSD; we believe that
your firewall is blocking our access.


Since we use this operating system in our computing park, blocking our
access is causing problems with upgrading ports.


This problem is affecting the implementation of new projects, so I ask
for urgency in resolving this problem,


Thank you,
--
Rodrigo Moura Bittencourt

email: [EMAIL PROTECTED]
Phone: (12)3186-8632 CEL:(12)9129-0970

INPE - Centro de Previsão de Tempo e Estudos Climáticos - CPTEC




ATM DSL - Firewall - Lan How to configure?

2007-10-19 Thread NetOpsCenter

Aloha,

Does anybody on this list know of a how-to for configuring a firewall for a 5
IP ATM DSL? I know that the firewall has to come between the DSL modem
and the switch/router for the 5 IPs assigned. However, the gateway IP
must be able to be seen through the firewall in order for the ATM
circuit to work, so you can't use addresses for the NICs.  Is there a way
to use incoming and outgoing NIC cards in a FreeBSD firewall box for
this purpose?
I am looking at a Netgear firewall/switch for this purpose but I would
rather use a FreeBSD box for this firewall.


Thanks,

 
~Al Plant - Honolulu, Hawaii -  Phone:  808-284-2740

 + http://hawaiidakine.com + http://freebsdinfo.org + [EMAIL PROTECTED] +
 + http://internetohana.org   - Supporting - FreeBSD 6.* - 7.* +
"All that's really worth doing is what we do for others."- Lewis Carroll




m0n0wall on Firebox II vs. Trend Micro firewall on ZyXel P-334 router

2007-08-31 Thread L Goodwin
I found this interesting account of someone installing
the (freebsd-based) m0n0wall firewall on an old
WatchGuard Firebox II firewall using a discarded 8MB
compact flash card:

http://www.ls-net.com/m0n0wall-watchguard/

I happen to have a Firebox II sitting around, and was
wondering what the benefit might be of doing this
conversion vs. just using the Trend Micro firewall on
a ZyXel P-334 router.

I was also wondering if the Firebox II might be put to
any other/additional uses? It's a cool little red box
containing a PII/200, 2 PCI slots and an expansion
port that I don't know anything about, but I expect I
can get an adapter that will enable me to plug a
1.2Gig laptop HDD into it.




Re: Firewall rules / Proper directory

2007-08-03 Thread Tuc at T-B-O-H.NET
> > I've made a "/etc/rc.firewall.local" I may rename it in the future
> > to stand out more, but we'll see how it goes for now.
> 
> Neat.  Have fun with the new firewall ruleset then.
> 
Thanks. I wish it wasn't necessary, but the server runs MySQL
and if I turn TCP wrappers on, someone just trying to connect a few
times creates a DoS on it. I've tried before to bring this up with
the MySQL people with no luck.

Thanks, Tuc


Re: Firewall rules / Proper directory

2007-08-03 Thread Giorgos Keramidas
On 2007-08-02 14:49, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
>Giorgos Keramidas wrote:
>>On 2007-08-02 12:36, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
>>> Hi,
>>> I'm developing firewall rules for a machine, and I'm wondering what
>>> the standard is for putting my version of an ipfw "firewall_script"?
>>
>> I usually save my rules in '/etc/pf.conf' or '/etc/ipfw.rules'.
>>
>> It's not like the '/etc' directory is a "please do not touch" area.
>
> Thanks...
>
> I always DO try to keep things out of /etc if at all possible, I
> regard that as "system space", and if I do "trespass" into it it's
> usually a file or directory previously allocated for that
> (/etc/rc.conf, /etc/mail/*).

That's ok, but it's not like the world is going to end if you add a bit
of customization to '/etc' files.  We have mergemaster(8) to make sure
these local updates and customizations are not lost when you upgrade :-)

> I've made a "/etc/rc.firewall.local" I may rename it in the future
> to stand out more, but we'll see how it goes for now.

Neat.  Have fun with the new firewall ruleset then.



Re: Firewall rules / Proper directory

2007-08-02 Thread Tuc at T-B-O-H.NET
> 
> On 2007-08-02 12:36, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
> > Hi,
> > I'm developing firewall rules for a machine, and I'm wondering what
> > the standard is for putting my version of an ipfw "firewall_script"?
> 
> I usually save my rules in '/etc/pf.conf' or '/etc/ipfw.rules'.
> 
> It's not like the '/etc' directory is a "please do not touch" area.
> 
Thanks...

I always DO try to keep things out of /etc if at all possible, I
regard that as "system space", and if I do "trespass" into it it's usually
a file or directory previously allocated for that (/etc/rc.conf, /etc/mail/*).

I've made a "/etc/rc.firewall.local" I may rename it in the future
to stand out more, but we'll see how it goes for now.

Thanks, Tuc


Re: Firewall rules / Proper directory

2007-08-02 Thread Giorgos Keramidas
On 2007-08-02 12:36, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
> Hi,
> I'm developing firewall rules for a machine, and I'm wondering what
> the standard is for putting my version of an ipfw "firewall_script"?

I usually save my rules in '/etc/pf.conf' or '/etc/ipfw.rules'.

It's not like the '/etc' directory is a "please do not touch" area.



Re: Firewall question

2007-08-02 Thread z999
On Thu, Aug 02, 2007 at 10:04:20AM -0400, [EMAIL PROTECTED] wrote:
> It might not be as challenging as rolling your own... but have you 
> considered using one of the ready-to-install BSD firewall/router 
> packages like m0n0wall ?  http://m0n0.ch/wall/

I have thought about it. I have tried m0n0wall just as a firewall
router and it's a good choice. The downside is that you can't
set up the DHCP as freely as I want to do (e.g. set up dhcpd for
pxeboot for diskless, for example). And there is not so much to do
to secure the firewall further than the m0n0wall group already
has done.

> I don't know if it supports the 3rd interface, but it does run on 
> Soekris hardware.

Well, it does. And there is a good description for a DMZ also.

/Regards


Re: Firewall rules / Proper directory

2007-08-02 Thread RW
On Thu, 2 Aug 2007 12:36:51 -0400 (EDT)
"Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:

> Hi,
> 
>   I'm developing firewall rules for a machine, and I'm wondering
> what the standard is for putting my version of an ipfw
> "firewall_script"?
> 
>   I'd normally drop it onto /usr/local/etc somewhere, but
> my /u/l/e is an NFS filesystem, and according to rcorder it starts
> ipfw WAY before the nfsclient. I don't want to stomp
> on /etc/rc.firewall, I like having it as a reference and one less
> thing to have to worry about mergemaster overwriting.

cp /etc/rc.firewall /etc/my.firewall

add to rc.conf:

firewall_script="/etc/my.firewall"


Firewall rules / Proper directory

2007-08-02 Thread Tuc at T-B-O-H.NET
Hi,

I'm developing firewall rules for a machine, and I'm wondering
what the standard is for putting my version of an ipfw "firewall_script"?

I'd normally drop it onto /usr/local/etc somewhere, but my /u/l/e
is an NFS filesystem, and according to rcorder it starts ipfw WAY before 
the nfsclient. I don't want to stomp on /etc/rc.firewall, I like having
it as a reference and one less thing to have to worry about mergemaster
overwriting.

Thanks, Tuc


Firewall question

2007-08-01 Thread z999
Hi
What I want to accomplish is a DMZ on the third ethernet on my
Soekris box. I have done this before with OpenBSD and PF but now I
want to do it with FreeBSD and ipfw. My ISP uses DHCP but they
don't change my IP so very often (almost never), so you can see it
as if I have a static IP. First the IP numbers on the three cards
in the box.
sis0 has 83.x.x.x
sis1 has 192.168.0.1, and this is the LAN.
sis2 has 10.0.0.1, and this is meant to be a DMZ.
Another box with IP 10.0.0.2 is connected to sis2 and is
configured as a webserver.
I have a working firewall in the Soekris box with ipfw. What I
want to do is redirect incoming on port 80 to 10.0.0.2. I have
tried this in my /etc/natd.conf
redirect_port tcp 10.0.0.2:80 80
in combination with an opening for incoming in the firewall for
port 80 (any to any). I also opened for it in hosts.allow. I can
see the website on my local LAN and I can see it from the
firewall, but not from outside. I use my cellphone to check if
it's reachable (and that worked under OpenBSD and pf). In my
rc.conf I have the
natd_flags="-f /etc/natd.conf" after the firewall; I want the
firewall early in the file before the ethernets are configured.

I then tried to do the natd directly in my ipfw_rules (my ipfw
rules file) with this
natd -redirect_port tcp 10.0.0.2:80 80 which gave me this
natd:instance default: aliasing address not given.
The handbook says "The external IP address on the natd machine
must be active and aliased to the external interface. Look at
rc.conf (5) to do so."

Well, ifconfig_sis0_alias0="inet 10.0.0.2 netmask 255.255.255.255"
would not make it (I have tried other netmasks as well). I have
googled around and seen that others have had the same problem,
but no solutions or suggestions that lead in the right
direction.

Someone must have done this before, I assume? Or if someone has
some ideas I will be very happy.

/Regards from Sweden.
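The post above (ipfw plus natd for a three-interface DMZ) and RW's earlier reply in the "Firewall rules / Proper directory" thread (pointing firewall_script at your own copy of rc.firewall) both describe pieces of the same setup. Here is an added, worked example of how those pieces fit together; it is not code from either poster. The interface names and addresses (sis0 on DHCP, sis1 = 192.168.0.1/24, sis2 = 10.0.0.1/24, web server 10.0.0.2) are the ones in the post; the rule layout, the /etc/my.firewall and /etc/natd.conf paths, and the rc.conf fragment are assumptions. The natd message "aliasing address not given" means natd was started with neither -n/-interface nor -a/-alias_address; with a DHCP-assigned address you want -n (natd_interface in rc.conf) so natd follows the interface rather than a fixed alias, which is why the ifconfig alias attempt in the post does not help.

```shell
#!/bin/sh
# Added example, not code from the thread: an rc.firewall-style ruleset and
# the matching natd/rc.conf fragments for the three-interface Soekris box in
# the post. Interface names and addresses are the poster's; everything else
# (rule numbers, file paths) is an assumption.
#
#   fwcmd=echo sh my.firewall show   # print the rules instead of loading them
#   sh my.firewall apply             # flush and load (as root)

ext_if="sis0"               # ISP side, address from DHCP
lan_if="sis1"               # 192.168.0.1/24
dmz_if="sis2"               # 10.0.0.1/24
lan_net="192.168.0.0/24"
dmz_net="10.0.0.0/24"
web_srv="10.0.0.2"

# "ipfw -q add" for real use; fwcmd=echo prints the rules for inspection.
fwcmd="${fwcmd:-ipfw -q add}"

# Stateless ruleset in the style of the stock rc.firewall "simple" section.
load_rules() {
    # Loopback and 127/8 handling.
    $fwcmd 100 allow ip from any to any via lo0
    $fwcmd 200 deny ip from any to 127.0.0.0/8
    $fwcmd 300 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: inside addresses never arrive on the ISP interface.
    $fwcmd 400 deny ip from $lan_net to any in via $ext_if
    $fwcmd 410 deny ip from $dmz_net to any in via $ext_if

    # NAT first. Every packet crossing $ext_if is handed to natd on its
    # default divert port (8668, "natd" in /etc/services). An inbound packet
    # to port 80 comes back from natd already rewritten to $web_srv, so the
    # allow rule below matches on the DMZ address, not on the public one.
    $fwcmd 1000 divert natd ip from any to any via $ext_if

    # Packets belonging to established TCP sessions pass in both directions.
    $fwcmd 1100 allow tcp from any to any established

    # New connections from the internet: only HTTP to the DMZ web server.
    $fwcmd 2000 allow tcp from any to $web_srv 80 in via $ext_if setup
    # The DMZ may never open connections into the LAN; that is its purpose.
    $fwcmd 2200 deny log ip from $dmz_net to $lan_net in via $dmz_if
    # LAN and DMZ hosts may go out (natd rewrites the source on the way).
    $fwcmd 2300 allow ip from $lan_net to any in via $lan_if
    $fwcmd 2310 allow ip from $dmz_net to any in via $dmz_if
    # Replies to DNS lookups from inside, and the firewall's own DHCP lease.
    $fwcmd 2400 allow udp from any 53 to any in via $ext_if
    $fwcmd 2410 allow udp from any 67 to any 68 in via $ext_if
    # Useful ICMP only: echo reply, unreachable, echo, time exceeded.
    $fwcmd 2500 allow icmp from any to any icmptypes 0,3,8,11
    # The inbound pass did the filtering; whatever reached here may leave.
    $fwcmd 3000 allow ip from any to any out

    $fwcmd 65000 deny log ip from any to any
}

# /etc/natd.conf (assumed path, as in the post's natd_flags).
natd_conf() {
    cat <<EOF
dynamic yes
use_sockets yes
same_ports yes
redirect_port tcp $web_srv:80 80
EOF
}

# rc.conf fragment: natd_interface supplies the -n flag natd was missing.
rc_conf_fragment() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/my.firewall"
natd_enable="YES"
natd_interface="$ext_if"
natd_flags="-f /etc/natd.conf"
EOF
}

case "${1:-}" in
    apply) ipfw -q -f flush; load_rules ;;
    show)  fwcmd=echo; load_rules; natd_conf; rc_conf_fragment ;;
esac
```

The divert rule has to come before any allow rule that should see the translated address, and the kernel needs IPDIVERT (or the ipdivert module) for it to load at all. The ruleset is stateless, so rule 2400 trusts anything from UDP source port 53; a keep-state variant is tighter but interacts with natd reinjection in ways that are easy to get wrong, which is why the handbook-style layout is shown here.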


Re: IP Firewall disconnecting me after firewall changes

2007-05-18 Thread Norberto Meijome
On Wed, 16 May 2007 16:58:39 +1200
"Brett Davidson" <[EMAIL PROTECTED]> wrote:

> I keep firewall rules in a file that I then run via a "sh" command. You
> know, like /etc/rc.firewall. :-)
>  
> Essentially the file does 
> ipfw -q -f flush
> $cmd 0015 check-state
> $cmd set 31   to me 22 in via
> $pif setup keep-state
>  
> where $cmd = "ipfw -q add"  and $pif = "em0".
>  
> I understand that this set 31 rule should remain even after the flush
> action on the first line.
>  
> This does not appear to be the case. If I run this script from an ssh
> session I get disconnected which is not what I expected. 
>  
> What am I doing wrong?

Nothing wrong really, I've always found it worked like this (it's actually
mentioned in man ipfw, at the end, in the section about using ipfw as a kld).

If you don't want to lose your session, use a tool like screen to keep your
term alive even when getting booted.

To avoid bad rules that lock you out altogether, implement a crontab that will
reset the rules to a known good configuration after a short period of time
(say, if you can't get in for 10 minutes, reset the rules. If you can get in,
update the crontab so it doesn't get run).

Beto

_
{Beto|Norberto|Numard} Meijome

"They redundantly repeated themselves over and over again incessantly without
end ad infinitum" ibid.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
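The "reset to a known-good configuration after a few minutes unless you cancel it" safety net Norberto describes is worth having as a script rather than a hand-edited crontab. The following is an added example, not code from anyone in the thread. It assumes the new ruleset is an executable sh script (the poster's /etc/rc.firewall-style file), that the rules loaded when you start are the known-good ones, and that /var/run/ipfw-rollback.pid is free to use. A background watchdog that ignores SIGHUP stands in for the cron job, so it survives the ssh session being dropped.

```shell
#!/bin/sh
# Added example, not code from the thread: reload an ipfw ruleset with a timed
# rollback. Usage (assumed script name):
#   sh ipfw-safe-reload.sh apply /etc/rc.firewall.local 10   # load, 10 min guard
#   sh ipfw-safe-reload.sh confirm                            # keep the new rules

IPFW="${IPFW:-ipfw}"          # overridable so the functions can be dry-run
GUARD_PID_FILE="${GUARD_PID_FILE:-/var/run/ipfw-rollback.pid}"   # assumed path

# Snapshot the running static rules as ipfw(8) "add" commands. "ipfw -S list"
# prints each rule with its set number, so the snapshot restores rules into
# their original sets (set 31 included). Rule 65535 is the kernel's built-in
# default and cannot be re-added, so it is dropped from the snapshot.
backup_rules() {
    $IPFW -S list | grep -v '^65535 ' | sed 's/^\([0-9][0-9]*\) /add \1 /' > "$1"
}

# Flush everything and reload the snapshot file. Dynamic keep-state entries
# are not in the snapshot: existing sessions must re-match a keep-state rule.
restore_rules() {
    $IPFW -q -f flush
    $IPFW -q "$1"
}

# Detached watchdog: ignores SIGHUP (losing the ssh session does not kill it)
# and restores snapshot $1 after $2 minutes unless cancelled first.
start_rollback_guard() {
    ( trap '' HUP; sleep $(($2 * 60)); restore_rules "$1" ) >/dev/null 2>&1 &
    echo $! > "$GUARD_PID_FILE"
}

# Called from a session that still works: the new rules are good, keep them.
cancel_rollback_guard() {
    [ -f "$GUARD_PID_FILE" ] || { echo "no rollback pending"; return 1; }
    kill "$(cat "$GUARD_PID_FILE")" && rm -f "$GUARD_PID_FILE"
}

# $1 = new ruleset script, $2 = minutes until automatic rollback.
apply_with_rollback() {
    snap=$(mktemp "${TMPDIR:-/tmp}/ipfw-known-good.XXXXXX") || return 1
    backup_rules "$snap"
    start_rollback_guard "$snap" "$2"
    sh "$1"
    echo "new rules loaded; run '$0 confirm' within $2 minutes or they roll back"
}

case "${1:-}" in
    apply)   apply_with_rollback "$2" "${3:-10}" ;;
    confirm) cancel_rollback_guard ;;
esac
```

Run it from one session, then open a second ssh session to prove the new rules let you in, and only then confirm; if the second session cannot connect, do nothing and the watchdog puts the old rules back. The snapshot holds static rules only, which is the same limitation Norberto's crontab approach has: a session that depended on a dynamic entry has to re-establish it after the restore.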


IP Firewall disconnecting me after firewall changes

2007-05-15 Thread Brett Davidson
I keep firewall rules in a file that I then run via a "sh" command. You
know, like /etc/rc.firewall. :-)
 
Essentially the file does 
ipfw -q -f flush
$cmd 0015 check-state
$cmd set 31   to me 22 in via
$pif setup keep-state
 
where $cmd = "ipfw -q add"  and $pif = "em0".
 
I understand that this set 31 rule should remain even after the flush
action on the first line.
 
This does not appear to be the case. If I run this script from an ssh
session I get disconnected which is not what I expected. 
 
What am I doing wrong?
 
Cheers,
Brett.


Re: What is the default firewall setup in 6.2?

2007-04-04 Thread Victor Engmark

On 4/4/07, Javier Henderson <[EMAIL PROTECTED]> wrote:


Can SSH clients on your local network connect to your system?

You say packets are arriving at your machine, can you elaborate on this
further? Assuming a SYN packet arrives from a host, so you see a
SYN+ACK go out, etc?



Actually, it turns out I was wrong - The packets I saw in tcpdump were just
the console updates from the server I was connected to, in order to connect
back to myself :) Also, the local network uses VPN and NAT, which is why an
ordinary connection doesn't work. That just leaves the mystery of why my
setup worked on SUSE. I'll be using my home PC as the server instead - Much
less hassle.

Thanks anyway!

--
Victor Engmark


Re: What is the default firewall setup in 6.2?

2007-04-04 Thread Javier Henderson
On Wed, 4 Apr 2007 13:56:47 +0200, Victor Engmark wrote:
> Hi all,
> 
> My goal is to set up a Subversion (v1.4, running on Apache 2.2 and available
> only through SSL) and SSH server, available to the world. I've managed to
> make it work locally; i.e.,
> # svn list https://localhost/svn/repos/repository_name
> and
> # ssh [EMAIL PROTECTED]
> work fine. However, I'm having problems accessing these from other hosts.
> 
> My machine is connected to the internet. I'm able to SSH to other machines,
> and use the web. Therefore, I believe the problem is that the machine is
> discarding packets. However, I can't find any record of the connection
> attempts in /var/log (grepping for the host name or IP of the other machine
> gives no results, and even ping doesn't work), and it seems that, according
> to the FreeBSD handbook chapter 26, there is no firewall installed by
> default.
> 
> Why would FreeBSD be dropping packets, without recording it, when there are
> processes listening on the ports (see below), and no firewall?
> 
> # netstat -an | grep 22
> gives (among other lines):
> tcp4 0 0 *.22 *.* LISTEN
> 
> According to
> tcpdump port 22
> , the packets are arriving at my machine.

Can SSH clients on your local network connect to your system?

You say packets are arriving at your machine, can you elaborate on this 
further? Assuming a SYN packet arrives from a host, so you see a 
SYN+ACK go out, etc?

-jav


What is the default firewall setup in 6.2?

2007-04-04 Thread Victor Engmark

Hi all,

My goal is to set up a Subversion (v1.4, running on Apache 2.2 and available
only through SSL) and SSH server, available to the world. I've managed to
make it work locally; i.e.,
# svn list https://localhost/svn/repos/repository_name
and
# ssh [EMAIL PROTECTED]
work fine. However, I'm having problems accessing these from other hosts.

My machine is connected to the internet. I'm able to SSH to other machines,
and use the web. Therefore, I believe the problem is that the machine is
discarding packets. However, I can't find any record of the connection
attempts in /var/log (grepping for the host name or IP of the other machine
gives no results, and even ping doesn't work), and it seems that, according
to the FreeBSD handbook chapter 26, there is no firewall installed by
default.

Why would FreeBSD be dropping packets, without recording it, when there are
processes listening on the ports (see below), and no firewall?

# netstat -an | grep 22
gives (among other lines):
tcp4 0 0 *.22 *.* LISTEN

According to
tcpdump port 22
, the packets are arriving at my machine.

/etc/rc.conf contains the following:
hostname=[removed]
ifconfig_bge0=dhcp
keymap="us.dvorak"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
apache2_enable="YES"
network_interfaces=bge0

I haven't changed anything in /etc/defaults/rc.conf. It contains
firewall_enable="NO"
, which should be enough to avoid having any firewall. In addition,
pf_enable="NO"
and
ipfilter_enable="NO"
are in the defaults, so I'm completely stumped as to what is blocking the
traffic. Is FreeBSD by default dropping any incoming connections (it should
be, but I can't find mention of it in the firewall chapter)?

Any help would be appreciated.

--
Victor Engmark


firewall/proxy question

2007-03-12 Thread Bart Silverstrim
I am trying to find a way to stop some people on our network from  
accessing certain websites.  We have been using Squid with SquidGuard  
on an older FreeBSD system.


The Squid that was installed from ports doesn't seem to see https:  
connections.  From what I can find, this appears to be normal  
behavior since https: connections are encrypted.


Is there some way to set up ipfw to block access to port 443 if the  
URL/IP matches a certain address?  These users are bypassing our  
filter rules by accessing a proxy site that is using https.  The  
current ruleset on the box is

00049 allow tcp from  to any
00050 fwd ,3128 tcp from any to any 80
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

Can someone help with some suggestions?  Does the Linux firewall  
system have a similar way to block access to a particular IP if it  
were doing forwarding?  We were experimenting with a new proxy  
machine but it is running Ubuntu.


-Bart
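As the post notes, the proxy cannot see inside an https: session, so the only handle ipfw has is the destination address. Here is an added example, not code from the post, of the usual way to block a list of addresses on port 443 without adding one rule per host: an ipfw lookup table filled from a file, plus a single deny rule numbered ahead of the post's 00049/00050 so it is evaluated before the blanket allow and the squid forward. The blocklist path and the addresses in the test are constructed placeholders (TEST-NET ranges).

```shell
#!/bin/sh
# Added example, not code from the post: deny new HTTPS connections to listed
# addresses using an ipfw lookup table. Paths and list contents are assumed.
#
#   fwcmd=echo sh https-block.sh apply    # print the commands instead of running them
#   sh https-block.sh apply               # load table and rule (as root)

BLOCKLIST="${BLOCKLIST:-/usr/local/etc/https-blocklist.txt}"   # assumed path
TABLE=1
fwcmd="${fwcmd:-ipfw -q}"      # fwcmd=echo prints instead of applying

# Rebuild table $TABLE from the file: one address or CIDR per line, blank
# lines and '#' comments ignored. A table lookup is a radix-tree match, so the
# list can grow without the rule count growing with it.
load_blocklist() {
    $fwcmd table $TABLE flush
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r net _; do
        $fwcmd table $TABLE add "$net"
    done
}

# One rule, matching only connection attempts (setup) to listed hosts on
# 443; "log" records who tried so the list can be reviewed later.
install_block_rule() {
    $fwcmd add 00040 deny log tcp from any to "table($TABLE)" 443 setup
}

case "${1:-}" in
    apply) load_blocklist "$BLOCKLIST"; install_block_rule ;;
esac
```

Re-running load_blocklist after editing the file refreshes the table in place; the rule does not need to change. Because the match is on the address, a proxy site that moves to a new IP escapes the list until it is updated, which is the inherent limit of filtering TLS traffic at layer 3.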

