Re: A secure connection to an SCO Unix 5.2 behind a pf firewall.

2005-08-04 Thread Martin Welk
On Wed, Aug 03, 2005 at 05:06:37PM -0500, [EMAIL PROTECTED] wrote:

 I would appreciate any suggestions for a reasonably secure solution.  I 
 just found all this out and am totally blank.

Have a look at OpenVPN (http://www.openvpn.org/), it is available as a
FreeBSD port and it comes with Windows GUI clients, if your client will
need that. It allows your FreeBSD box to be the endpoint of the connection,
and you can set network parameters for the connection from the server side,
for example, a route to the SCO box for allowing ssh or telnet.

Regards,
Martin

-- 
  ,,Oh, there's a lot of opportunities, if you're knowing to take them,
  you know, there's a lot of opportunities, if there aren't
you can make them, make or break them!'' (Tennant/Lowe)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: A secure connection to an SCO Unix 5.2 behind a pf firewall.

2005-08-04 Thread eculp

Quoting Martin Welk [EMAIL PROTECTED]:


On Wed, Aug 03, 2005 at 05:06:37PM -0500, [EMAIL PROTECTED] wrote:


I would appreciate any suggestions for a reasonably secure solution.  I
just found all this out and am totally blank.


Have a look at OpenVPN (http://www.openvpn.org/), it is available as a
FreeBSD port and it comes with Windows GUI clients, if your client will
need that. It allows your FreeBSD box to be the endpoint of the connection,
and you can set network parameters for the connection from the server side,
for example, a route to the SCO box for allowing ssh or telnet.


Thanks, Martin.  I'm going there right now.  From what you say that is 
exactly what I need if I can easily keep the users off the LAN by 
restricting them to telnetting to the SCO box.  These are far from being 
trusted users.  The connection will be used by a large company's staff 
for everything from accounting system updates to report generation, 
and printing.  I don't want them playing there :D.  The more I talk the 
more this sounds like a VERY restrictive jail.


Thanks again,

ed



Fetch able to get around firewall?

2005-08-03 Thread Jason Morgan
I have three clients behind my FreeBSD gateway/firewall. Two of the clients run
FreeBSD and the other runs FreeBSD and Windows. I would like for my firewall to
be fairly tight, disallowing unspecified connections outbound. However, while I
have no trouble getting most services up and running correctly (qmail, apache,
ssh, etc.), I am having trouble getting fetch (for portupgrade) to get through
the firewall. I have tried 'fetch -p', which doesn't seem to work. My question
is, is it going to be possible to maintain a restrictive firewall and still
have the ability to upgrade my ports from the inside clients? Below is my
firewall (a slightly edited version of the one available in the handbook).

5 allow ip from any to any via fxp0
00010 allow ip from any to any via lo0
00014 divert 8668 ip from any to any in via xl0
00015 check-state
00020 skipto 800 udp from any to X.X.X.X dst-port 53 out via xl0 keep-state
00021 skipto 800 udp from any to X.X.X.X dst-port 53 out via xl0 keep-state
00030 skipto 800 udp from any to X.X.X.X dst-port 67 out via xl0 keep-state
00040 skipto 800 tcp from any to any dst-port 80 out via xl0 setup keep-state
00050 skipto 800 tcp from any to any dst-port 443 out via xl0 setup keep-state
00060 skipto 800 tcp from any to any dst-port 25 out via xl0 setup keep-state
00061 skipto 800 tcp from any to any dst-port 110 out via xl0 setup keep-state
00070 skipto 800 tcp from me to any out via xl0 setup uid root keep-state
00080 skipto 800 icmp from any to any out via xl0 keep-state
00090 skipto 800 tcp from any to any dst-port 37 out via xl0 setup keep-state
00100 skipto 800 tcp from any to any dst-port 119 out via xl0 setup keep-state
00105 skipto 800 tcp from any to any dst-port 20,21 out via xl0 setup keep-state
00110 skipto 800 tcp from any to any dst-port 22 out via xl0 setup keep-state
00120 skipto 800 tcp from any to any dst-port 43 out via xl0 setup keep-state
00130 skipto 800 udp from any to any dst-port 123 out via xl0 keep-state
00300 deny ip from 192.168.0.0/16 to any in via xl0
00301 deny ip from 172.16.0.0/12 to any in via xl0
00303 deny ip from 127.0.0.0/8 to any in via xl0
00304 deny ip from 0.0.0.0/8 to any in via xl0
00305 deny ip from 169.254.0.0/16 to any in via xl0
00306 deny ip from 192.0.2.0/24 to any in via xl0
00307 deny ip from 204.152.64.0/23 to any in via xl0
00308 deny ip from 224.0.0.0/3 to any in via xl0
00315 deny tcp from any to any dst-port 113 in via xl0
00320 deny tcp from any to any dst-port 137 in via xl0
00321 deny tcp from any to any dst-port 138 in via xl0
00322 deny tcp from any to any dst-port 139 in via xl0
00323 deny tcp from any to any dst-port 81 in via xl0
00330 deny ip from any to any frag in via xl0
00332 deny tcp from any to any established in via xl0
00360 allow udp from X.X.X.X to any dst-port 68 in via xl0 keep-state
00370 allow tcp from any to me dst-port 80 in via xl0 setup limit src-addr 2
00380 allow tcp from any to me dst-port 22 in via xl0 setup limit src-addr 2
00390 allow tcp from any to me dst-port 25 in via xl0 setup limit src-addr 2
00400 deny log logamount 10 ip from any to any in via xl0
00450 deny log logamount 10 ip from any to any out via xl0
00800 divert 8668 ip from any to any out via xl0
00801 allow ip from any to any
00999 deny log logamount 10 ip from any to any
65535 deny ip from any to any

Any suggestions? Is it the standard solution to allow all outbound connections
through?

Thanks,
Jason

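To see why this ruleset lets an HTTPS fetch out but not a passive-mode FTP data connection, here is a first-match walk over the posted rules. It is an added example, not code from the post: it keeps only the rules that decide an outbound fetch (plus 380 and 400 for the inbound side), matches on protocol, destination port, direction and interface only (addresses, keep-state, setup and limit are ignored), and treats divert as a pass-through because natd re-injects the packet and the search resumes at the next rule. Port 50213 for the data connection is an arbitrary high port chosen for the example.

```python
"""First-match walk over a subset of the ipfw ruleset posted above (added example)."""
import re
from typing import FrozenSet, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    num: int
    action: str                       # allow | deny | skipto | divert | check-state
    target: Optional[int]             # skipto rule number or divert port
    proto: Optional[str]              # "ip" matches every protocol
    ports: Optional[FrozenSet[int]]   # dst-port list, None = any port
    direction: Optional[str]          # in | out | None = both
    via: Optional[str]                # interface, None = any


class Packet(NamedTuple):
    proto: str
    dst_port: int
    direction: str
    via: str


# Copied from the rules posted above; the remaining posted rules are left out.
# Only protocol, port, direction and interface are modelled.
RULESET = """
00010 allow ip from any to any via lo0
00014 divert 8668 ip from any to any in via xl0
00015 check-state
00040 skipto 800 tcp from any to any dst-port 80 out via xl0 setup keep-state
00050 skipto 800 tcp from any to any dst-port 443 out via xl0 setup keep-state
00105 skipto 800 tcp from any to any dst-port 20,21 out via xl0 setup keep-state
00110 skipto 800 tcp from any to any dst-port 22 out via xl0 setup keep-state
00130 skipto 800 udp from any to any dst-port 123 out via xl0 keep-state
00380 allow tcp from any to me dst-port 22 in via xl0 setup limit src-addr 2
00400 deny log logamount 10 ip from any to any in via xl0
00450 deny log logamount 10 ip from any to any out via xl0
00800 divert 8668 ip from any to any out via xl0
00801 allow ip from any to any
65535 deny ip from any to any
"""

RULE_RE = re.compile(
    r"^(\d+)\s+(check-state|allow|deny|skipto|divert)(?:\s+(\d+))?(?:\s+(.*))?$")


def parse(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        num, action, target, body = m.groups()
        body = re.sub(r"^log(?:\s+logamount\s+\d+)?\s+", "", body or "")  # drop log options
        ports = re.search(r"dst-port\s+(\S+)", body)
        direction = re.search(r"\b(in|out)\b", body)
        via = re.search(r"\bvia\s+(\S+)", body)
        rules.append(Rule(
            int(num), action, int(target) if target else None,
            body.split()[0] if body else None,
            frozenset(int(p) for p in ports.group(1).split(",")) if ports else None,
            direction.group(1) if direction else None,
            via.group(1) if via else None))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.action == "check-state":          # no state table in this model
        return False
    return (rule.proto in (None, "ip", pkt.proto)
            and (rule.ports is None or pkt.dst_port in rule.ports)
            and rule.direction in (None, pkt.direction)
            and rule.via in (None, pkt.via))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Stop at the first matching allow/deny. skipto resumes at the first rule
    numbered >= target. divert hands the packet to natd, which re-injects it and
    the search resumes at the following rule, so it is a pass-through here."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not matches(rule, pkt):
            i += 1
        elif rule.action in ("allow", "deny"):
            return rule.action, rule.num
        elif rule.action == "skipto":
            i = next(j for j, r in enumerate(rules) if r.num >= rule.target)
        else:                                 # divert
            i += 1
    return "deny", 65535                      # the implicit default rule


RULES = parse(RULESET)


def decide(proto: str, dst_port: int, direction: str = "out", via: str = "xl0") -> Tuple[str, int]:
    return evaluate(RULES, Packet(proto, dst_port, direction, via))


if __name__ == "__main__":
    for label, args in [("HTTPS fetch", ("tcp", 443)), ("FTP control connection", ("tcp", 21)),
                        ("passive FTP data connection", ("tcp", 50213)), ("NTP", ("udp", 123))]:
        print(f"{label:28s} -> {decide(*args)}")
```

Run it and the passive data connection (an outbound SYN to whatever high port the FTP server picked) lands on rule 450, while the control connection on 21 and the HTTPS fetch skip to 800 and are allowed by 801.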


A secure connection to an SCO Unix 5.2 behind a pf firewall.

2005-08-03 Thread eculp
I installed a FreeBSD 6.0 server/firewall for a remote customer about a 
week ago.  Today they told me that on their LAN they had a Unix box 
that runs their internal ASCII-based accounting system that they have 
been accessing by modem from home.  Now they want to access it over the 
Internet.  The box is a Pentium III running an SCO UnixV from 1990 or 
2000 with no secure anything that I have been able to find.  In fact 
the company who maintains their system uses uucp for updating.  I was 
thinking ipsec, originally, but now I don't see a way to configure the 
SCO end of a tunnel.  The server has a simple pf firewall with only a 
few ports open and opening ports isn't a problem.  The application is a 
terminal session.  Thirty users log in to it as root, all with Windows 
terminal sessions except for the modem connections, and to make it more 
fun I shouldn't modify the SCO box because of their service contract.


I would appreciate any suggestions for a reasonably secure solution.  I 
just found all this out and am totally blank.


thanks,

ed



RE: A secure connection to an SCO Unix 5.2 behind a pf firewall.

2005-08-03 Thread eculp

Quoting Gayn Winters [EMAIL PROTECTED]:




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, August 03, 2005 3:07 PM
To: freebsd-questions@freebsd.org
Subject: A secure connection to an SCO Unix 5.2 behind a pf firewall.


I installed a FreeBSD 6.0 server/firewall for a remote customer about a
week ago.  Today they told me that on their LAN they had a Unix box
that runs their internal ASCII-based accounting system that they have
been accessing by modem from home.  Now they want to access it over the
Internet.  The box is a Pentium III running an SCO UnixV from 1990 or
2000 with no secure anything that I have been able to find.  In fact
the company who maintains their system uses uucp for updating.  I was
thinking ipsec, originally, but now I don't see a way to configure the
SCO end of a tunnel.  The server has a simple pf firewall with only a
few ports open and opening ports isn't a problem.  The application is a
terminal session.  Thirty users log in to it as root, all with Windows
terminal sessions except for the modem connections, and to make it more
fun I shouldn't modify the SCO box because of their service contract.

I would appreciate any suggestions for a reasonably secure solution.  I
just found all this out and am totally blank.

thanks,

ed



If your client is willing to use yet another box, you could front-end
the old SCO box with a dual port FBSD box and establish a secure tunnel
to the FBSD box.  This could also be done with a low-end firewall.


Thanks, Gayn.

I assume that you mean installing it on the LAN behind the firewall and 
opening the tunnel to it.  I thought of that and mentioned it to them, 
but found a less than enthusiastic response, as I expected.  They 
don't understand the value, unfortunately.  I guess I could do 
something like that with a jail; I would just need an extra IP, I guess.


Thanks again,

ed



FreeBSD 5.4 release firewall/router and PF not loading rule sets

2005-07-08 Thread Nekdo Nekje
Hello list...

I have a few questions I would like to ask. Some may sound stupid, but
please bear with me since I'm new to FreeBSD and networking for that
matter...

So, I'm trying to build this router/firewall thingy for our local
network. The box has 3 NICs, one for the Internet and two for the
local subnets. I have to build it so that the two subnets can not
communicate with each other. I would also like to implement NAT for
both subnets so that only the router's IP is visible on the net.  The
subnet hosts all have C-class addresses and not private network
addresses. I would also like to disable any connections from the
outside to the host and only allow the basic net services to be passed
out on the Internet, like web, smtp, etc...

The problem is I can not seem to get the firewall (PF) to work. The
computers' IPs are all seen from the internet, NAT is not working...
if I type pfctl -s rules I only get two lines saying "ALTQ support not
compiled in the kernel. Disabling ALTQ support." Do I need ALTQ
support for what I'm trying to do?

Any ideas on what should I check on my system? I read the man for
pfctl but couldn't find the command for just checking the pf.conf file
for syntax errors. I was using pf -f /etc/pf.conf for that, and it's
not outputting any errors, only the ALTQ thingy, and the ssh session
disconnects so then I have to reconnect.
I have pf enabled in rc.conf and as far as I can tell it's loading
fine and the pflogd is also running. It's just not working... guess
I'm missing something or am just plain stupid...

Maybe I didn't understand how this is supposed to be so here is my
first attempt at PF rule set building... ;) Here is my pf.conf

--
ext_if=rl0
ped_if=xl0
adm_if=xl1

priv_nets={ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
porti={ 20 21 25 80 443 }

set loginterface $ext_if

scrub in all

nat on $ext_if from $ped_if:network to any -> ($ext_if)
nat on $ext_if from $adm_if:network to any -> ($ext_if)

block all

pass quick on lo0 all

antispoof quick for $ped_if inet
antispoof quick for $adm_if inet

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block drop in quick on $ped_if from $ped_if:network to $adm_if
block drop in quick on $adm_if from $adm_if:network to $ped_if

pass in on $ped_if proto {tcp, udp } from $ped_if:network to $ext_if
port $porti keep state
pass out on $ped_if proto {tcp, udp } from $ped_if:network to $ext_if
port $porti keep state

pass in on $adm_if proto {tcp, udp } from $adm_if:network to $ext_if
port $porti keep state
pass out on $adm_if proto {tcp, udp} from $adm_if:network to $ext_if
port $porti keep state

pass in on $ext_if proto {tcp, udp} from any port { 22 } keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
-

If you have any ideas please help. Thanks for your time and answers...

best regards,
Uros


Re: PF firewall log problems

2005-07-08 Thread Hornet
I guess I'm failing to see the point of writing to the log faster. If
you need real time stats, use tcpdump -n -e -ttt -i pflog0. If you
want to get say the last 1000 entries in the log and then go to
realtime, use: sudo tcpdump -n -e -tt -c 1000 -r /var/log/pflog && sudo
tcpdump -n -e -ttt -i pflog0

On 7/7/05, fbsd_user [EMAIL PROTECTED] wrote:
 I am viewing pf log this way
 tcpdump -n -e -ttt -r /var/log/pflog
 
 Your reference to pflog man page is useless.
 Been there already.
 That gives some field names but not what is in them
 
 One of the pf man pages says there is a way to shorten the buffer write
 cycle time.
 How do I tell PF in rc.conf these override options??
 
 
 
 -Original Message-
 From: Hornet [mailto:[EMAIL PROTECTED]
 Sent: Thursday, July 07, 2005 8:54 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED] ORG
 Subject: Re: PF firewall log problems
 
 
 On 7/7/05, fbsd_user [EMAIL PROTECTED] wrote:
  How can I change the default wait time for PF buffer writes to the
 log file?
  The log records are being held in the buffers for a long time
 before being
  written out.
  I want to change this to a shorter time.
  How are you viewing the data?
 
 Realtime tcpdump
 tcpdump -n -e -ttt -i pflog0
 or
 Viewing pflog
 tcpdump -n -e -ttt -r /var/log/pflog
 
 Anything written to the tty is going to be a bit slower, of course
 if
 you can jack into your brain all would be solved.
 
 
 
 
  Are there any tools or ports for use on the PF log file to create
 better
  standardized reports?
 I think there is one called hatchet. Of course you can't beat good
 old
 fashion grep,awk, and maybe sed
 
 
  Where can I find a description of the PF log record fields?
 http://www.freebsd.org/cgi/man.cgi?query=pflog&sektion=4
 
  Thanks
 
 
 
 Erik
 



Re: Does PF firewall have stateless rules

2005-07-07 Thread Giorgos Keramidas
On 2005-07-06 21:34, fbsd_user [EMAIL PROTECTED] wrote:
 Does the OpenBSD Packet Filter firewall have stateless rules?

Yes.



PF firewall log problems

2005-07-07 Thread fbsd_user
How can I change the default wait time for PF buffer writes to the log file?
The log records are being held in the buffers for a long time before being
written out.
I want to change this to a shorter time.


Are there any tools or ports for use on the PF log file to create better
standardized reports?

Where can I find a description of the PF log record fields?

Thanks


Re: PF firewall log problems

2005-07-07 Thread Hornet
On 7/7/05, fbsd_user [EMAIL PROTECTED] wrote:
 How can I change the default wait time for PF buffer writes to the log file?
 The log records are being held in the buffers for a long time before being
 written out.
 I want to change this to a shorter time.
 How are you viewing the data?

Realtime tcpdump
tcpdump -n -e -ttt -i pflog0
or
Viewing pflog
tcpdump -n -e -ttt -r /var/log/pflog

Anything written to the tty is going to be a bit slower, of course if
you can jack into your brain all would be solved.


 
 
 Are there any tools or ports for use on the PF log file to create better
 standardized reports?
I think there is one called hatchet. Of course you can't beat good old
fashion grep,awk, and maybe sed

 
 Where can I find a description of the PF log record fields?
http://www.freebsd.org/cgi/man.cgi?query=pflog&sektion=4
 
 Thanks
 


Erik


RE: PF firewall log problems

2005-07-07 Thread fbsd_user
I am viewing pf log this way
tcpdump -n -e -ttt -r /var/log/pflog

Your reference to the pflog man page is useless.
Been there already.
That gives some field names but not what is in them.

One of the pf man pages says there is a way to shorten the buffer write
cycle time.
How do I tell PF in rc.conf these override options??



-Original Message-
From: Hornet [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 07, 2005 8:54 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ORG
Subject: Re: PF firewall log problems


On 7/7/05, fbsd_user [EMAIL PROTECTED] wrote:
 How can I change the default wait time for PF buffer writes to the
log file?
 The log records are being held in the buffers for a long time
before being
 written out.
 I want to change this to a shorter time.
 How are you viewing the data?

Realtime tcpdump
tcpdump -n -e -ttt -i pflog0
or
Viewing pflog
tcpdump -n -e -ttt -r /var/log/pflog

Anything written to the tty is going to be a bit slower, of course
if
you can jack into your brain all would be solved.




 Are there any tools or ports for use on the PF log file to create
better
 standardized reports?
I think there is one called hatchet. Of course you can't beat good
old
fashion grep,awk, and maybe sed


 Where can I find a description of the PF log record fields?
http://www.freebsd.org/cgi/man.cgi?query=pflog&sektion=4

 Thanks



Erik

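The pflog(4) man page names the header fields but not how they are encoded. The following added example (not from the thread) decodes one pflog record the way tcpdump reads them from /var/log/pflog or pflog0, assuming the 64-byte struct pfloghdr that FreeBSD 5.x carried from the OpenBSD 3.6 import (length, af, action, reason, ifname, ruleset, rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir). The sample record is constructed here, not captured, and only IPv4 payloads are decoded.

```python
"""Decode a pflog(4) record: the 64-byte header plus the logged packet (added example)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# struct pfloghdr as FreeBSD 5.x imported it from OpenBSD 3.6 (assumed layout):
#   u8 length, af, action, reason; char ifname[16], ruleset[16];
#   u32 rulenr, subrulenr (written with htonl); u32 uid, pid, rule_uid, rule_pid
#   (logging host's byte order, kept raw and unused here); u8 dir; u8 pad[3]
PFLOGHDR = struct.Struct("!BBBB16s16sII4s4s4s4sB3x")
ACTIONS = {0: "pass", 1: "block", 2: "scrub"}
REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short", 4: "normalize", 5: "memory"}
DIRS = {0: "inout", 1: "in", 2: "out"}
AF_INET = 2            # FreeBSD's AF_INET6 is 28 (OpenBSD uses 24); IPv6 is not decoded below
NO_SUBRULE = 0xFFFFFFFF  # subrulenr is -1 when no anchor was involved


@dataclass
class PflogRecord:
    action: str
    reason: str
    ifname: str
    ruleset: str
    rulenr: int
    subrulenr: Optional[int]
    direction: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_pflog(record: bytes) -> PflogRecord:
    (length, af, action, reason, ifname, ruleset, rulenr, subrulenr,
     _uid, _pid, _rule_uid, _rule_pid, direction) = PFLOGHDR.unpack_from(record)
    rec = PflogRecord(ACTIONS.get(action, f"other({action})"),
                      REASONS.get(reason, f"other({reason})"),
                      _cstr(ifname), _cstr(ruleset), rulenr,
                      None if subrulenr == NO_SUBRULE else subrulenr,
                      DIRS.get(direction, f"other({direction})"))
    # The kernel stores the unpadded header size (61) in `length`; the packet
    # starts at the next 4-byte boundary. Using `length` instead of a constant
    # also skips a longer header written by a newer kernel.
    payload = record[(length + 3) & ~3:]
    if af == AF_INET and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        ipproto = payload[9]
        rec.src, rec.dst = socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20])
        rec.proto = {1: "icmp", 6: "tcp", 17: "udp"}.get(ipproto, str(ipproto))
        if ipproto in (6, 17) and len(payload) >= ihl + 4:
            rec.sport, rec.dport = struct.unpack_from("!HH", payload, ihl)
    return rec


def format_record(rec: PflogRecord) -> str:
    """Roughly the line `tcpdump -n -e -ttt` prints for the same record."""
    rule = f"rule {rec.rulenr}" + ("" if rec.subrulenr is None else f".{rec.ruleset}.{rec.subrulenr}")
    head = f"{rule}/{rec.reason} {rec.action} {rec.direction} on {rec.ifname}:"
    if rec.src is None:
        return head

    def ep(addr, port):
        return addr if port is None else f"{addr}.{port}"

    return f"{head} {ep(rec.src, rec.sport)} > {ep(rec.dst, rec.dport)} ({rec.proto})"


def sample_record() -> bytes:
    """Constructed record (not a real capture): rule 12 blocked an inbound telnet
    SYN from 203.0.113.5 to 198.51.100.7 on rl0. uid/pid are UID_MAX/NO_PID."""
    hdr = PFLOGHDR.pack(61, AF_INET, 1, 0, b"rl0", b"", 12, NO_SUBRULE,
                        b"\xff" * 4, b"\xff" * 4, b"\0" * 4, b"\0" * 4, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("203.0.113.5"), socket.inet_aton("198.51.100.7"))
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return hdr + ip + tcp


if __name__ == "__main__":
    print(format_record(parse_pflog(sample_record())))
```

To run it against a real log, read /var/log/pflog with a pcap reader, check that the link type is DLT_PFLOG (117), and hand each captured frame to parse_pflog; the uid/pid fields are left raw because, unlike rulenr, they are written in the logging host's byte order.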


Does PF firewall have stateless rules

2005-07-06 Thread fbsd_user
Does the OpenBSD Packet Filter firewall have stateless rules?
Meaning, if I coded a rule to pass in for port 23 without any of the
different state options coded,
do I also have to code the same kind of rule to allow that port 23 packet
back out like in IPFW.

Or are there no stateless rules in PF?
Meaning that coding a rule to pass in for port 23 without any of the
different state options coded,
it defaults to standard state processing and the resulting outbound packet
will be allowed out
because it belongs to the same session.


Running FreeBSD server behind a firewall with nat

2005-07-05 Thread Roman Kouzmenko
Hi,
 
I'm really new to FreeBSD and UNIX, and I have to configure it to host a
webserver. After a week I've managed to install Apache/MySQL/PHP and get
everything running as I want it on my local network.
 
Now I need to put it on the Internet, so that the developers can take
control over it (ssh, ftp). The problem is that at the moment when I
activate one-to-one nat on my hardware firewall for this machine, the
services stop working and behave strangely (for example, if I connect to
the box using ssh, it prompts for the login and nothing else happens,
ftp doesn't work either). If I try to reboot, sendmail doesn't start at
all (it just hangs, so I have to hit ^C to stop the script).
 
I haven't found any information about configuring this correctly on the
Internet, so I hope I can find an answer here.
 
Thanks!


Re: Running FreeBSD server behind a firewall with nat

2005-07-05 Thread Dmitry Mityugov
On 7/5/05, Roman Kouzmenko wrote:
...
 Now I need to put it on the Internet, so that the developers can take
 control over it (ssh, ftp). The problem is that at the moment when I
 activate one-to-one nat on my hardware firewall for this machine, the
 services stop working and behave strangely (for example, if I connect to
 the box using ssh, it prompts for the login and nothing else happens,
 ftp doesn't work either). If I try to reboot, sendmail doesn't start at
 all (it just hangs, so I have to hit ^C to stop the script).
...

sendmail probably does not hang but just tries to resolve a name via
DNS that apparently is not working. It should continue in a few
minutes if you wait that long.

What hardware firewall are you using? Is it possible to attach your
server to the Internet directly, without using a firewall in the
middle?

-- 
Dmitry

We live less by imagination than despite it - Rockwell Kent, N by E


PF firewall using anchors

2005-07-05 Thread fbsd_user
I am running 5.4 using the run time loadable module for PF firewall.
The PF rules load and work fine.
The main rule set contains 2 anchor rules.
I can add rules to the in core anchor name and then list the anchor
and see the rules are really there.

Problem is the anchor rules are never being executed by the main rule set.

Is there anybody on this questions list who has PF working with anchors?

Have read all the PF man pages 6-8 times and my config seems ok.
Knowing that PF is new to FreeBSD base in 5.4 so thinking this may be a bug.


PF firewall using anchors

2005-07-04 Thread fbsd_user
I am running 5.4 using the run time loadable module for PF firewall. 
The PF rules load and work fine.
The main rule set contains 2 anchor rules.
I can add rules to the in core anchor name and then list the anchor 
and see the rules are really there.

Problem is the anchor rules are never being executed by the main rule set.

Is there anybody on this questions list who has PF working with anchors?

Have read all the PF man pages 6-8 times and my config seems ok.
Knowing that PF is new to FreeBSD base in 5.4 thinking this may be a bug.


Re: firewall on FreeBSD

2005-06-27 Thread Paul Schmehl
--On June 26, 2005 12:40:14 AM +0100 Alex Zbyslaw [EMAIL PROTECTED] 
wrote:



Paul Schmehl wrote:


--On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:



I've a firewall/router/proxy with openbsd and think to replace it
with freebsd 5.4
Do you mean freebsd's PF don't support the 'quick' keyword ??
Thought PF on freebsd and openbsd was identical, isn't ?


pf on freebsd does support the quick keyword.  The default
firewall, ipfw, does not.


This makes no sense to me.  The two firewalls work very differently.

In pf, each rule is always processed on every packet and the last rule
matching determines the action.  quick terminates the rule matching and
forces the quick rule to be, in effect, the final rule (assuming the
packet matched it).

ipfw does not match every rule for every packet, rather it processes down
the rules until the packet matches one with a terminating action such as
accept or deny.  No quick keyword is needed.


Precisely.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/


CDROM firewall

2005-06-27 Thread Frank Bonnet

Hi

I'm searching for a CDROM firewall package FreeBSD based
I know there are several but I can't remember their names.

Thanks a lot.
--
Cordialement/Regards
Frank Bonnet


Re: CDROM firewall

2005-06-27 Thread martin hudec
Hello,

On Mon, Jun 27, 2005 at 10:55:42AM +0200 or thereabouts, Frank Bonnet wrote:
 Hi
 
 I'm searching for a CDROM firewall package FreeBSD based
 I know there is several but I can't remember their names.

  It is called m0n0wall, it is based on FreeBSD 4.x.

  Go and grab it from:
  http://www.m0n0.ch/wall/


Cheers,
Martin

-- 
martin hudec


   * 421 907 303 393
   * [EMAIL PROTECTED]
   * http://www.aeternal.net

Nothing travels faster than the speed of light with the possible 
exception of bad news, which obeys its own special laws.

   Douglas Adams, The Hitchhiker's Guide to the Galaxy




Re: firewall on FreeBSD

2005-06-26 Thread N.J. Thomas
* Paul Schmehl [EMAIL PROTECTED] [2005-06-24 12:58:51 -0500]:
 I've been using pf for a few years now, and I've never had problems
 understanding the syntax or how it works (but I also never do NAT, so
 that might be the reason it seems easy to me.)

Yes, pf is great, but doing NAT with pf is also just as easy to
understand. It depends on what you are doing, but for most people using
NAT is as easy as turning on ip forwarding via sysctl and adding a single
line to your pf.conf configuration file (nat on $ext_if...).

Thomas

-- 
N.J. Thomas
[EMAIL PROTECTED]
Etiamsi occiderit me, in ipso sperabo


Re: firewall on FreeBSD

2005-06-26 Thread Alex Zbyslaw

Giorgos Keramidas wrote:


On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
 


Paul Schmehl wrote:
   


pf on freebsd does support the quick keyword.  The default
firewall, ipfw, does not.
 


This makes no sense to me.  The two firewalls work very differently.

[...]


You describe very nicely the way rules are matched by two of the three
different firewalls available on FreeBSD.  The description, being very
correct, *does* make sense.

Why do you say that ``This makes no sense to you''
 

Maybe I'm misreading something, or taking it out of context, but the 
statement "ipfw does not support the quick keyword" makes no sense to 
me.  For me, it implies that somehow ipfw could (or even should) support 
the quick keyword, and that is nonsensical.  The way ipfw rules work 
there is not only no need to support a quick keyword, but no point in 
supporting one because all relevant matches are already quick, by 
definition.


Maybe I'm being overly pedantic, but if I had stumbled across this 
message in an archive search, and knew nothing about FreeBSD firewalls, 
I could easily take it to mean that ipfw was lacking a feature with 
respect to pf when, in fact, it wasn't.  (There may be plenty of other 
reasons for picking one firewall or the other, but the lack of a quick 
keyword in ipfw isn't one of them).


Am *I* making any more sense, now?

--Alex

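The difference Alex describes, as an added example that is not part of the original thread: one constructed rule list laid out like the pf.conf posted earlier in this archive (a catch-all block first, a quick pass on lo0, then specific passes) is evaluated under pf's last-match-with-quick semantics and under ipfw's first-match semantics, and then re-ordered the way a first-match engine needs it. The rule labels, the interface name ped_if and the trailing block rule for port 6000 are constructed for the example.

```python
"""First-match (ipfw) against last-match-with-quick (pf) over one rule list (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    label: str
    quick: bool = False            # only meaningful to the pf-style walk
    iface: Optional[str] = None    # None matches any interface
    proto: Optional[str] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return all(want is None or want == got for want, got in
               ((rule.iface, pkt.iface), (rule.proto, pkt.proto), (rule.dst_port, pkt.dst_port)))


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """ipfw: walk top down and stop at the first matching rule; later rules are
    never consulted. A packet matching nothing hits the implicit rule 65535 deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "65535 deny ip from any to any"


def last_match(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """pf: every rule is evaluated and the last match wins, unless a matching rule
    carries quick, which ends the search there. A packet matching nothing passes."""
    decision = ("pass", "no rule matched (pf default)")
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break
    return decision


def without_quick(rules: List[Rule]) -> List[Rule]:
    return [replace(r, quick=False) for r in rules]


def ipfw_order(rules: List[Rule]) -> List[Rule]:
    """The same policy rewritten for a first-match engine: the catch-all block
    moves from the top to the bottom."""
    catch_all = [r for r in rules if (r.iface, r.proto, r.dst_port) == (None, None, None)]
    return [r for r in rules if r not in catch_all] + catch_all


# Constructed list laid out like the pf.conf posted earlier in the thread: a
# catch-all block first, a quick pass for loopback, then the specific passes.
# The final block rule is added here only to show what quick changes.
RULES: List[Rule] = [
    Rule("block", "block all"),
    Rule("pass", "pass quick on lo0 all", quick=True, iface="lo0"),
    Rule("pass", "pass in on $ped_if ... port 80", iface="ped_if", proto="tcp", dst_port=80),
    Rule("pass", "pass in on $ped_if ... port 443", iface="ped_if", proto="tcp", dst_port=443),
    Rule("block", "block proto tcp to port 6000 (constructed)", proto="tcp", dst_port=6000),
]


if __name__ == "__main__":
    for pkt in (Packet("ped_if", "tcp", 80), Packet("ped_if", "tcp", 23), Packet("lo0", "tcp", 6000)):
        print(pkt, "| pf:", last_match(RULES, pkt),
              "| same order, first-match:", first_match(RULES, pkt),
              "| ipfw order:", first_match(ipfw_order(RULES), pkt))
    print("lo0:6000 with quick removed:", last_match(without_quick(RULES), Packet("lo0", "tcp", 6000)))
```

Two things fall out of running it: the pf list fed unchanged to a first-match engine blocks everything, because "block all" is the first match, which is why ipfw rulesets put the catch-all deny last and need no quick; and dropping quick from the lo0 rule lets the later port 6000 block override it, which is the short-circuit quick exists for.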


Re: firewall on FreeBSD

2005-06-26 Thread Giorgos Keramidas
On 2005-06-26 22:15, Alex Zbyslaw [EMAIL PROTECTED] wrote:
 Giorgos Keramidas wrote:
 On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
 pf on freebsd does support the quick keyword.  The default
 firewall, ipfw, does not.
 
 This makes no sense to me.  The two firewalls work very differently.
 [...]
 
 You describe very nicely the way rules are matched by two of the three
 different firewalls available on FreeBSD.  The description, being very
 correct, *does* make sense.
 
 Why do you say that ``This makes no sense to you''

 Maybe I'm misreading something, or taking it out of context, but the
 statement ipfw does not support the quick keyword makes no sense to
 me. [...]  Am *I* making any more sense, now?

Yes, thank you :)



Re: firewall on FreeBSD

2005-06-26 Thread Nikolas Britton
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Khanh Cao
 Van
 Sent: Friday, June 24, 2005 9:33 AM
 To: freebsd-questions
 Subject: firewall on freebsd
 
 
 I'm going to learn about the freebsd firewall . In the handbook list
 some of them and I could not find out what is the best . So I
 decided
 to post here hoping to gain some of your opinion and experience .
 I would like to know what firewall was the most wanted ? I have used
 Linux several months and IP tables was a good statefull firewall .
 What about in freeBSD ?

FreeBSD has m0n0wall and it just works. For example, yesterday I set up
a site to site VPN using two m0n0wall boxes and it took me less than 5
minutes to reconfigure the boxes, which are in production use, to do it.
I think I spent more time trying to generate a suitable 3DES shared
key than it took to reconfigure the boxes.


Re: firewall on FreeBSD

2005-06-25 Thread mess-mate
...snip...
| 
| Personally, I like the quick keyword of the OpenBSD firewall, (but not 
enough to bother 
| installing it.)
| 
| Paul Schmehl ([EMAIL PROTECTED])

I've a firewall/router/proxy with OpenBSD and think to replace it
with FreeBSD 5.4.
Do you mean FreeBSD's PF doesn't support the 'quick' keyword??
Thought PF on FreeBSD and OpenBSD was identical, isn't it?


mess-mate   
--
What I tell you three times is true.
-- Lewis Carroll


Re: firewall on FreeBSD

2005-06-25 Thread Roland Smith
On Sat, Jun 25, 2005 at 08:42:24AM +0200, mess-mate wrote:

 I've a firewall/router/proxy with OpenBSD and think to replace it
 with FreeBSD 5.4.
 Do you mean FreeBSD's PF doesn't support the 'quick' keyword??
 Thought PF on FreeBSD and OpenBSD was identical, isn't it?

I don't know if they're identical, but PF does support the 'quick'
keyword on FreeBSD.

Roland
-- 
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt




Re: firewall on FreeBSD

2005-06-25 Thread Erik Nørgaard

mess-mate wrote:

I've a firewall/router/proxy with OpenBSD and think to replace it
with FreeBSD 5.4.
Do you mean FreeBSD's PF doesn't support the 'quick' keyword??
Thought PF on FreeBSD and OpenBSD was identical, isn't it?


It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if 
your OBSD is the latest or updated after 3.6, then you might have 
functionalities not supported yet on FBSD.


The basic stuff is all the same, I don't think anyone could survive 
without 'quick', just as 'pass' and 'block' are supported on both 
platforms :-)


Cheers, Erik

--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: firewall on FreeBSD

2005-06-25 Thread Andrew L. Gould
On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
 mess-mate wrote:
  I've a firewall/router/proxy with OpenBSD and am thinking of replacing it
  with FreeBSD 5.4.
  Do you mean FreeBSD's PF doesn't support the 'quick' keyword??
  I thought PF on FreeBSD and OpenBSD was identical, isn't it?

 It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So
 if your OBSD is the latest or updated after 3.6, then you might have
 functionalities not supported yet on FBSD.

 The basic stuff is all the same, I don't think anyone could survive
 without 'quick', just as 'pass' and 'block' are supported on both
 platforms :-)

 Cheers, Erik

Minor correction:  pf is built into the kernel by default in FreeBSD 
5.4.  I think this started with FreeBSD 5.3.  It may still be in the 
ports system; but that would be for use in FreeBSD 4* and earlier 
versions of 5*.

Have a great weekend!

Andrew Gould


Re: firewall on FreeBSD

2005-06-25 Thread mess-mate
Andrew L. Gould [EMAIL PROTECTED] wrote:
| On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
|  mess-mate wrote:
|   I've a firewall/router/proxy with OpenBSD and am thinking of replacing it
|   with FreeBSD 5.4.
|   Do you mean FreeBSD's PF doesn't support the 'quick' keyword??
|   I thought PF on FreeBSD and OpenBSD was identical, isn't it?
| 
|  It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So
|  if your OBSD is the latest or updated after 3.6, then you might have
|  functionalities not supported yet on FBSD.
| 
|  The basic stuff is all the same, I don't think anyone could survive
|  without 'quick', just as 'pass' and 'block' are supported on both
|  platforms :-)
| 
|  Cheers, Erik
| 
| Minor correction:  pf is built into the kernel by default in FreeBSD 
| 5.4.  I think this started with FreeBSD 5.3.  It may still be in the 
| ports system; but that would be for use in FreeBSD 4* and earlier 
| versions of 5*.
| 
| Have a great weekend!
| 
| Andrew Gould
| 
The OpenBSD version is 3.5.
Can I port the pf config file to FreeBSD?
Great weekend too.

mess-mate   
--
There is a 20% chance of tomorrow.


Re: firewall on FreeBSD

2005-06-25 Thread Paul Schmehl

--On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:


I've a firewall/router/proxy with OpenBSD and am thinking of replacing it
with FreeBSD 5.4.
Do you mean FreeBSD's PF doesn't support the 'quick' keyword??
I thought PF on FreeBSD and OpenBSD was identical, isn't it?

pf on freebsd does support the quick keyword.  The default firewall, 
ipfw, does not.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/


Re: firewall on FreeBSD

2005-06-25 Thread Alex Zbyslaw

Paul Schmehl wrote:


--On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:



I've a firewall/router/proxy with OpenBSD and am thinking of replacing it
with FreeBSD 5.4.
Do you mean FreeBSD's PF doesn't support the 'quick' keyword??
I thought PF on FreeBSD and OpenBSD was identical, isn't it?

pf on freebsd does support the quick keyword.  The default 
firewall, ipfw, does not.


This makes no sense to me.  The two firewalls work very differently.

In pf, each rule is always processed on every packet and the last rule 
matching determines the action.  quick terminates the rule matching 
and forces the quick rule to be, in effect, the final rule (assuming 
the packet matched it).


ipfw does not match every rule for every packet, rather it processes 
down the rules until the packet matches one with a terminating action 
such as accept or deny.  No quick keyword is needed.


--Alex



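Added example, not from the thread: a toy Python model of the two evaluation orders Alex describes (pf: every rule is considered and the last match wins unless a matching rule is 'quick'; ipfw: the first matching terminating rule wins), run over the same ordered rules so the difference is visible. The rule syntax, the sample packets and the default verdicts (pf passes unmatched packets, ipfw is modelled as closed by default) are simplifications assumed for the model, not real pf.conf or ipfw syntax.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """A minimal view of a packet: just the fields the toy rules match on."""
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filter rule.  'pass'/'block' are pf's words; ipfw spells the same
    actions 'allow'/'deny'.  A field left as 'any'/None matches everything."""
    action: str
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    quick: bool = False  # pf-only flag; the ipfw evaluator ignores it

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def pf_eval(rules: List[Rule], p: Packet, default: str = "pass") -> str:
    """pf semantics: walk every rule, the LAST match wins, unless a matching
    rule is marked 'quick', which ends the walk right there.  A packet that
    matches nothing is passed (pf's default; assumed for this model)."""
    verdict = default
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:
                break
    return verdict


def ipfw_eval(rules: List[Rule], p: Packet, default: str = "block") -> str:
    """ipfw semantics: walk the rules in order and stop at the FIRST match
    with a terminating action (allow/deny); no 'quick' keyword is needed.
    The closed default models the usual final deny rule (assumption)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def compare(rules: List[Rule], p: Packet) -> Dict[str, str]:
    """Run one packet through the same ordered ruleset under both models."""
    return {"pf": pf_eval(rules, p), "ipfw": ipfw_eval(rules, p)}


# Constructed sample packets (documentation address ranges).
SSH = Packet("tcp", "203.0.113.5", "192.0.2.10", 22)
WEB = Packet("tcp", "203.0.113.5", "192.0.2.10", 80)

# 1. "block everything, then pass ssh", written in that order.
BLOCK_THEN_PASS = [
    Rule("block"),
    Rule("pass", proto="tcp", dport=22),
]

# 2. Same rules with 'quick' on the block: pf now behaves like ipfw.
BLOCK_QUICK_THEN_PASS = [
    Rule("block", quick=True),
    Rule("pass", proto="tcp", dport=22),
]

# 3. The pf trap: a trailing catch-all block overrides the pass above it
#    unless that pass is 'quick'; ipfw never reaches the block for ssh.
PASS_THEN_BLOCK = [
    Rule("pass", proto="tcp", dport=22),
    Rule("block"),
]
PASS_QUICK_THEN_BLOCK = [
    Rule("pass", proto="tcp", dport=22, quick=True),
    Rule("block"),
]


if __name__ == "__main__":
    for name, rules in [("block, pass ssh", BLOCK_THEN_PASS),
                        ("block quick, pass ssh", BLOCK_QUICK_THEN_PASS),
                        ("pass ssh, block", PASS_THEN_BLOCK),
                        ("pass ssh quick, block", PASS_QUICK_THEN_BLOCK)]:
        for label, pkt in [("ssh", SSH), ("web", WEB)]:
            print(f"{name:24} {label}: {compare(rules, pkt)}")
```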


Re: firewall on FreeBSD

2005-06-25 Thread Giorgos Keramidas
On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
 Paul Schmehl wrote:
 pf on freebsd does support the quick keyword.  The default
 firewall, ipfw, does not.

 This makes no sense to me.  The two firewalls work very differently.

 In pf, each rule is always processed on every packet and the last rule
 matching determines the action.  quick terminates the rule matching
 and forces the quick rule to be, in effect, the final rule (assuming
 the packet matched it).

 ipfw does not match every rule for every packet, rather it processes
 down the rules until the packet matches one with a terminating action
 such as accept or deny.  No quick keyword is needed.

You describe very nicely the way rules are matched by two of the three
different firewalls available on FreeBSD.  The description, being very
correct, *does* make sense.

Why do you say that ``This makes no sense to you''?



firewall on freebsd

2005-06-24 Thread Khanh Cao Van
I'm going to learn about the FreeBSD firewall. The handbook lists
some of them and I could not find out what is the best. So I decided
to post here hoping to gain some of your opinions and experience.
I would like to know what firewall was the most wanted? I have used
Linux for several months and iptables was a good stateful firewall.
What about in FreeBSD?

Thanks for reading :)
-- 
--
Cao Van Khanh


RE: firewall on FreeBSD

2005-06-24 Thread fbsd_user
Which firewall you select to use should be based on your level of
understanding of how information is moved across the internet.
Ipfilter is best suited for people who are just learning about
firewalling. PF is a little more automated and the rules are very
close to IPF's.
IPFW is for the advanced firewall users who have expert
understanding of the internet. All 3 firewalls support stateful
rules and are available in the 5.4 release. Best advice is start
with Ipfilter and when you find out that you have needs which are
not met by Ipfilter then move over to IPFW.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Khanh Cao
Van
Sent: Friday, June 24, 2005 9:33 AM
To: freebsd-questions
Subject: firewall on freebsd


I'm going to learn about the FreeBSD firewall. The handbook lists
some of them and I could not find out what is the best. So I decided
to post here hoping to gain some of your opinions and experience.
I would like to know what firewall was the most wanted? I have used
Linux for several months and iptables was a good stateful firewall.
What about in FreeBSD?

Thanks for reading :)
--
--
Cao Van Khanh


Re: firewall on freebsd

2005-06-24 Thread Ean Kingston
On June 24, 2005 09:33 am, Khanh Cao Van wrote:
 I'm going to learn about the FreeBSD firewall. The handbook lists
 some of them and I could not find out what is the best. So I decided
 to post here hoping to gain some of your opinions and experience.
 I would like to know what firewall was the most wanted? I have used
 Linux for several months and iptables was a good stateful firewall.
 What about in FreeBSD?

All three are well written and all three pretty much do the same thing. Some 
things you may want to consider when choosing which firewall product to use:

IPFW is part of FreeBSD and only runs on FreeBSD.  Filtering is implemented in 
the kernel, NAT is a user-land daemon.

IPFilter is written to work with many operating systems (FreeBSD and Solaris 
are two examples). Filtering and NAT both run in the kernel.

IPF was written for OpenBSD and later ported to FreeBSD. IPF came into 
existence because of disagreements between certain members of the OpenBSD 
team and the author of IPFilter. Filtering is done in the kernel and I 
believe NAT is also in-kernel.

I have used both IPFW and IPFilter professionally. I prefer IPFW but only 
because I am more used to its filtering language. I have not found a 
sufficiently good technical reason for choosing one over the other.

For anyone who wants to start the in-kernel vs user-land NAT argument, I've 
already been through it and there are valid arguments for both sides. So, I 
won't get into it again.

-- 
Ean Kingston

E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
I am currently looking for work. If you need competent system/network 
administration please feel free to contact me directly.


Re: firewall on freebsd

2005-06-24 Thread Michael H. Semcheski
On Friday 24 June 2005 10:59 am, Ean Kingston wrote:
 IPF was written for OpenBSD and later ported to FreeBSD. IPF came into
 existence because of disagreements between certain members of the OpenBSD
 team and the author of IPFilter. Filtering is done in the kernel and I
 believe NAT is also in-kernel.

The OpenBSD packet filter is known as pf, not ipf.  It exists in FreeBSD as 
pf.

I have to say that I find it has some very useful features, though they are 
outside the mainstream firewall feature set.  For instance, authpf.  When you 
log into the firewall (usually via ssh), if the account's login type shell is 
authpf, a special set of firewall rules get loaded for the IP address the 
client is connecting from.

I have used pf and ipfw, and they're both fine.  If I had to pick, I'd choose 
pf because I like that it uses a separate configuration file, rather than a 
shell script to load its rules.

I'm not an expert on either.

Mike


(PF) Packet filter firewall rule numbers

2005-06-24 Thread fbsd_user
I see rule numbers in the pf.log file but can not find any way to list the
incore rules with their internal rule numbers.
Is there a way to list the incore PF rules with rule numbers?
Can a pf rule be inserted into the incore rules after or before a selected
rule?


RE: firewall on freebsd

2005-06-24 Thread Chad Albert
I have been using ipfw for quite some time and I love it.  The only
issues I have with it are on the NAT side.  Without a tool to modify the
current nat rules, I can not change them dynamically without editing my
config file then doing something like...
killall -9 natd ; sleep 2 ; /sbin/natd -f /etc/natd.conf 
to reinitialize it.  Also natd is resource intensive.  I have a PII 266
(not exactly a monster) and natd chews up 20-30 percent of my cpu during
the day while nating about 3Mb/sec of traffic.  I am planning on
switching to pf and implementing a load balanced pair of firewalls using
carp and pfsync.  I hope that using an in-kernel nat will help
performance and give me better control while adding/removing rules.

-- Chad


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Khanh Cao Van
Sent: Friday, June 24, 2005 8:33 AM
To: freebsd-questions
Subject: firewall on freebsd

I'm going to learn about the FreeBSD firewall. The handbook lists
some of them and I could not find out what is the best. So I decided to
post here hoping to gain some of your opinions and experience.
I would like to know what firewall was the most wanted? I have used
Linux for several months and iptables was a good stateful firewall.
What about in FreeBSD?

Thanks for reading :)
--
--
Cao Van Khanh


Re: (PF) Packet filter firewall rule numbers

2005-06-24 Thread Giorgos Keramidas
On 2005-06-24 13:08, fbsd_user [EMAIL PROTECTED] wrote:
 I see rule numbers in the pf.log file but can not find any way to list the
 incore rules with their internal rule numbers.
 Is there a way to list the incore PF rules with rule numbers?

# pfctl -vv -sr

The double -v option *is* significant.

 Can a pf rule be inserted into the incore rules after or before a
 selected rule?

Not sure.  You can reload the rules *AND* keep the state information though,
so this may not be necessary.

- Giorgos



Re: firewall on FreeBSD

2005-06-24 Thread Giorgos Keramidas
On 2005-06-24 10:31, fbsd_user [EMAIL PROTECTED] wrote:
 Which firewall you select to use should be based on your level of
 understanding of how information is moved across the internet.

 Ipfilter is best suited for people who are just learning about
 firewalling. PF is a little more automated and the rules are very
 close to IPF's.

True.

 IPFW is for the advanced firewall users who have expert understanding
 of the internet.

Blatantly false.

 All 3 firewalls support stateful rules and are available in the 5.4
 release. Best advice is start with Ipfilter and when you find out that
 you have needs which are not met by Ipfilter then move over to IPFW.

IPFW or PF is fine for starting too.

The choice of the best firewall is, these days, more often than not an
issue of which one matches the specific application and the taste of the
one who is going to set it up, i.e.

  * DUMMYNET is a very nice bandwidth limiting & shaping tool, which may
sometimes lead to choosing IPFW.

  * On the other hand, PF/ALTQ may be used to do similar things, so some
users will obviously prefer this set of tools for other reasons (for
instance, because they like the ruleset style better).

  * IP Filter is almost obsoleted by PF on FreeBSD, but it's still one
of the most portable firewalls out there (I use it on Solaris all
the time, for example).

There isn't a best firewall for all cases.  They all have their
respective strengths and/or weaknesses.

=== To the original poster ===
I say, try them all out and choose the one _YOU_ prefer, for the reasons
that are important in _YOUR_ setup.

- Giorgos



Re: firewall on freebsd

2005-06-24 Thread Giorgos Keramidas
On 2005-06-24 10:59, Ean Kingston [EMAIL PROTECTED] wrote:
 For anyone who wants to start the in-kernel vs user-land NAT argument,
 I've already been through it and there are valid arguments for both
 sides. So, I won't get into it again.

Agreed.  Most of the people who use FreeBSD in SOHO installations (small
office, home office), and have far less than dozens of systems behind a
NAT-ting FreeBSD system will very rarely have a chance to notice *ANY*
difference between userlevel vs. in-kernel NAT.

This top snapshot:
http://keramida.serverhive.com/pixelshow-top.txt

is from a relatively recent demo-party where ipfw/natd were used in a
gateway of more than 100 systems madly downloading files from each other
and from the wide Internet.  Notice the 97% idle cpu percentage :-)

If FreeBSD can handle NAT, packet forwarding, and general connectivity
for more than 100 systems and still sit 97% of the time waiting for
something interesting to happen, then I'd be surprised if SOHO users
with less than 10-15 systems will notice anything :)



Re: firewall on FreeBSD

2005-06-24 Thread Paul Schmehl

--On June 24, 2005 5:31:13 PM +0100 [EMAIL PROTECTED] wrote:


On Friday 24 June 2005 15:31, fbsd_user wrote:

Which firewall you select to use should be based on your level of
understanding of how information is moved across the internet.
Ipfilter is best suited for people who are just learning about
firewalling. PF is a little more automated and the rules are very
close to IPF's.
IPFW is for the advanced firewall users who have expert
understanding of the internet. All 3 firewalls support stateful
rules and are available in the 5.4 release. Best advice is start
with Ipfilter and when you find out that you have needs which are
not met by Ipfilter then move over to IPFW.


Is this right?


If it is, then I'm a lot smarter than I give myself credit for.  The first 
firewall I ever used was ipchains.  Then I used iptables, but I never 
learned much about either because Linux obscures the config (unless you're 
doing something fancy, you can run setup on the cli, click a few check 
boxes and you're done.)


When I decided to switch a server over to FBSD, I had to read the man page 
to understand how pf worked, because there *was* no setup to run.  I've 
been using pf for a few years now, and I've never had problems 
understanding the syntax or how it works (but I also never do NAT, so that 
might be the reason it seems easy to me.)


I started off using IPFW, and found it no harder or easier
than ipfilter, which I am using now. Can't remember the reason I changed
to ipfilter, think it might have something to do with being easier to
use with ipnat, but I am pretty happy with it. Is there anything that
ipfw does better than ipfilter to make it preferable?

The only thing I would say about firewalls is, know what you're doing and 
do it at the console.  There's nothing like having to get dressed and drive 
40 miles to fix a box because you screwed up the firewall config while 
working remotely to impress upon you the need to work at the console. :-)


Personally, I like the quick keyword of the OpenBSD firewall, (but not 
enough to bother installing it.)


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/


Re: Firewall with USB

2005-06-22 Thread Lowell Gilbert
John Anderson [EMAIL PROTECTED] writes:

 Hi there folks,
 
 Having just moved into the country I am forced to use satellite for a 
 broadband connection. Due to Telstra having a monopoly on this, I need to have 
 2 USB connections, one for satellite download, one for ISDN upload. So my 
 router doesn't fit.
 
 Does anyone know if the freebsd firewall will support two USB WAN connections 
 to a normal LAN internal network?

USB is irrelevant; you need to consider what kind of USB devices you are
using to connect.  Having more than one external interface is not by
itself a problem.


Re: Firewall with USB

2005-06-22 Thread John Anderson

Hi,

USB is not totally irrelevant, since it means I can't connect my 
firewall/router directly to my input, but I take your point.


I will have USB connections to my ISDN upload and my satellite decoder, my 
question was more whether freebsd firewall supports USB devices in principle 
for the WAN or whether it will only take ethernet WAN and LAN.


I guess the answer was yes, so long as the drivers for my external devices 
exist.


John
- Original Message - 
From: Lowell Gilbert [EMAIL PROTECTED]
To: John Anderson [EMAIL PROTECTED]; 
freebsd-questions@FreeBSD.org

Sent: Wednesday, June 22, 2005 4:18 PM
Subject: Re: Firewall with USB



John Anderson [EMAIL PROTECTED] writes:


Hi there folks,

Having just moved into the country I am forced to use satellite for a 
broadband connection. Due to Telstra having a monopoly on this, I need to 
have 2 USB connections, one for satellite download, one for ISDN upload. 
So my router doesn't fit.


Does anyone know if the freebsd firewall will support two USB WAN 
connections to a normal LAN internal network?


USB is irrelevant; you need to consider what kind of USB devices you are
using to connect.  Having more than one external interface is not by
itself a problem.








Firewall with USB

2005-06-21 Thread John Anderson
Hi there folks,

Having just moved into the country I am forced to use satellite for a broadband 
connection. Due to Telstra having a monopoly on this, I need to have 2 USB 
connections, one for satellite download, one for ISDN upload. So my router 
doesn't fit.

Does anyone know if the freebsd firewall will support two USB WAN connections 
to a normal LAN internal network?

John


Re: Setting a simple firewall for PPPoE connection

2005-06-13 Thread Paul Dufresne


 Hopefully you'll find this link helpful:
 http://www.defcon1.org/html/Networking_Articles/Firewall-Ipfw/firewall-ipfw.html.
 
 -- 
 Dmitry

Yep, I did begin with that, but was not liking the fact that it was an
exclusive firewall (the end rule is to accept anything) rather than
an inclusive one.

I realized I could use 'me' for my IP address (making it easy to write
rules even if my ISP gives me a dynamic IP address).

After reading it, looking at:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
was not looking so strange anymore, and it contains a good inclusive
example.

I did modify it a bit, mostly to accept FTP connections.
I realize this makes it much less secure, but I really like to use
FTP links in my browser.

I'll attach it to my message, so that wiser ones than me could warn
me if I made something stupid.

I use /etc/rc.local to load the rules with a script containing:
sh /etc/ipfw.rules

Thanks for your help!

-- 
http://www.fastmail.fm - Send your email first class




Re: Setting a simple firewall for PPPoE connection

2005-06-12 Thread Dmitry Mityugov
On 6/12/05, Paul Dufresne [EMAIL PROTECTED] wrote:
 
 On Thu, 9 Jun 2005 18:22:45 +0200 (CEST), P.U.Kruppa
 [EMAIL PROTECTED] said:
  On Thu, 9 Jun 2005, dk dkrules wrote:
 
   I am very disappointed. I have been looking on the net for 3 days now
   looking for easy setup guides or How to guides and setting up FreeBSD 5.x
   with transparent proxy and firewall and there simply is no easy way
   explaining to beginners how to do such a setup.
  1) Before you start playing around with squid and firewall you
  have to make sure your FreeBSD box works as a gateway.
  2) When this is done look into google for setup of squid as a
  transparent proxy (these are two or three entries in a config
  file).
  3) enable firewall in /etc/rc.conf with lines like
  firewall_enable=YES
  firewall_script=/etc/firewall.conf
  4) edit your /etc/firewall.conf with something like
 
  ipfw add 500 fwd 127.0.0.1 tcp from any to any 80 recv rl0
  ipfw add 6 allow all from any to any
 
  where rl0 is the device name of your NIC.
  5) reboot
...
 But the main question is: How to deal with dynamic IP
 address when writing firewall rules?

Hopefully you'll find this link helpful:
http://www.defcon1.org/html/Networking_Articles/Firewall-Ipfw/firewall-ipfw.html.

-- 
Dmitry

We live less by imagination than despite it - Rockwell Kent, N by E


Setting a simple firewall for PPPoE connection

2005-06-11 Thread Paul Dufresne

On Thu, 9 Jun 2005 18:22:45 +0200 (CEST), P.U.Kruppa
[EMAIL PROTECTED] said:
 On Thu, 9 Jun 2005, dk dkrules wrote:
 
  I am very disappointed. I have been looking on the net for 3 days now 
  looking for easy setup guides or How to guides and setting up FreeBSD 5.x 
  with transparent proxy and firewall and there simply is no easy way 
  explaining to beginners how to do such a setup.
 1) Before you start playing around with squid and firewall you
 have to make sure your FreeBSD box works as a gateway.
 2) When this is done look into google for setup of squid as a
 transparent proxy (these are two or three entries in a config
 file).
 3) enable firewall in /etc/rc.conf with lines like
 firewall_enable=YES
 firewall_script=/etc/firewall.conf
 4) edit your /etc/firewall.conf with something like
 
 ipfw add 500 fwd 127.0.0.1 tcp from any to any 80 recv rl0
 ipfw add 6 allow all from any to any
 
 where rl0 is the device name of your NIC.
 5) reboot

Well, I feel a bit like the original poster.
I had in mind activating a firewall for my PPPoE connection,
a bit like it is easy to do on Windows XP.
So I began reading the handbook and found that there are mainly
3 different firewalls, and this put me with the problem of choosing
one. IPFW seems to have default rules that would at first glance
make it easy (would choose client setup for me). But then reading
through /etc/rc.firewall I concluded that I had to set my IP address
in it. But my ISP sets it dynamically with PPPoE, so I did not know
what to do next.

So I thought that reading the ppp man page (yes, I use the userland
ppp program, but I think that there is a pppoed somewhere that
I maybe should use instead), there is some kind of firewall rules
that can be set inside ppp.conf. But I did not convince myself
that it would help me with the fact that my IP address is dynamic.

Now, maybe I can use 127.0.0.1 like you did in step 4 above, but
I don't really understand these rules yet. It looks to me like the
first one accepts HTTP traffic (port 80) and that the second one
accepts all traffic. I would have expected that the second one
would refuse all traffic, leaving only traffic from the first
rule to go through.

But the main question is: How to deal with dynamic IP
address when writing firewall rules?

-- 
http://www.fastmail.fm - Accessible with your email software
  or over the web



Re: Setting a simple firewall for PPPoE connection

2005-06-11 Thread P.U.Kruppa

On Sun, 12 Jun 2005, Paul Dufresne wrote:



On Thu, 9 Jun 2005 18:22:45 +0200 (CEST), P.U.Kruppa
[EMAIL PROTECTED] said:

On Thu, 9 Jun 2005, dk dkrules wrote:


I am very disappointed. I have been looking on the net for 3 days now
looking for easy setup guides or How to guides and setting up FreeBSD 5.x
with transparent proxy and firewall and there simply is no easy way
explaining to beginners how to do such a setup.

1) Before you start playing around with squid and firewall you
have to make sure your FreeBSD box works as a gateway.
2) When this is done look into google for setup of squid as a
transparent proxy (these are two or three entries in a config
file).
3) enable firewall in /etc/rc.conf with lines like
firewall_enable=YES
firewall_script=/etc/firewall.conf
4) edit your /etc/firewall.conf with something like

ipfw add 500 fwd 127.0.0.1 tcp from any to any 80 recv rl0
ipfw add 6 allow all from any to any

where rl0 is the device name of your NIC.
5) reboot


Well, I feel a bit like the original poster.
Oops?! As you can see I answered a question about transparent 
proxying - which is interesting, too, but quite a different 
topic.



I had in mind activating a firewall for my PPPoE connection,
a bit like it is easy to do on Windows XP.

There exists a very simple way to activate a firewall in freebsd:
# /stand/sysinstall
will open FreeBSD's installation menu.
- Configure - Security - Security Profile gives you two 
options  for standard firewalls.



Now, maybe I can use 127.0.0.1 like you did in step 4 above, but
I don't really understand these rules yet. It looks to me like the
first one accepts HTTP traffic (port 80) and that the second one
accepts all traffic. I would have expected that the second one
would refuse all traffic, leaving only traffic from the first
rule to go through.
As I said: this is a setup for a transparent proxy, not a 
security firewall. It just catches all http requests (port 80) 
and forces them to check Squid's cache.

Squid is the proxy-program.

Good Luck,

Uli.


*
* Peter Ulrich Kruppa - Wuppertal - Germany * 
*



Re: Setting a simple firewall for PPPoE connection

2005-06-11 Thread Paul Dufresne
 There exists a very simple way to activate a firewall in freebsd:
 # /stand/sysinstall
 will open FreeBSD's installation menu.
 - Configure - Security - Security Profile gives you two 
 options  for standard firewalls.
Actually, doing this on 5.4R I just have:
Secure Level
NFS Port

Anyway, would these options setup a firewall that would adjust
IP address when I use ppp?

-- 
http://www.fastmail.fm - Accessible with your email software
  or over the web



Netgraph and firewall

2005-05-04 Thread DrVince
Hi,
Is there a stateful packet filtering/firewall/address translation node type
for netgraph or the project of one?

Thanks



VPN through a FreeBSD firewall?

2005-05-03 Thread Per B

Hello all!

I have a small network at home which I am upgrading speedwise, i.e. I am
about to go from 8 Mbit to 24 Mbit (ADSL2) on the WAN side. I intend then
to use my FreeBSD 5.3 box as a firewall/NAT/proxy server.

Two questions:

First, the big one: I sometimes work from home. Then I connect to the
office from my XP laptop via a VPN tunnel (today I have a ZyXEL G2000 as
fw/nat/router). So, if I put the FreeBSD box in place of the ZyXEL and the
FreeBSD does ipfw/nat, will it still work with the VPN stuff? N.B., the
FreeBSD box will not do the VPN stuff, just pass it through! I am using
the Cisco client on the laptop if that matters.

Like this:

laptop with vpn - FreeBSD with two network interfaces - ADSL modem - NET

Anyone knows what happens if I put the ZyXEL as a wireless router between
the laptop and FreeBSD; would VPN work then? VPN passes through the ZyXEL
today without problem but can it pass through the two boxes?

Second question: someone told me that the ZyXEL cannot handle 24 Mbit,
therefore I want to use the FreeBSD box instead. Can FreeBSD handle 24Mbit
from the ADSL modem? I think it can, anyone against? ;-)

TIA!

-- 
Per Berger   /\ASCII Ribbon Campaign
 \ /No HTML/RTF in e-mail
http://www.stortsett.se/  X No Word docs in e-mail
http://hav.just.nu/  / \Respect for open standards



Re: VPN through a FreeBSD firewall?

2005-05-03 Thread J. Martin Petersen
Per B wrote:
 Second question: someone told me that the ZyXEL cannot handle 24 Mbit,
 therefore I want to use the FreeBSD box instead. Can FreeBSD handle 24Mbit
 from the ADSL modem? I think it can, anyone against? ;-)

We're using a FreeBSD 5.3 machine with pf and AltQ as our
firewall/gateway/nat-solution for our 26 MBit link. We have about 1000
users, and it works flawlessly, but I guess it depends on what kind of
hardware you're using.

Cheers, Martin


Generic Session-Limiting firewall rule.

2005-04-29 Thread Dan Mahoney, System Admin
Is there any way to do session limiting in ipfw?  I can limit connections 
between any specific src and dst easy...what I'd like to do is just 
(either by some standard I don't get, or dynamic rules) limit between ANY 
given hosts

Does anyone know a way of doing this?
-Dan Mahoney
--
It doesn't matter where I live, because I live in dataspace.  That's my
hometown.
-Steve Roberts, Builder of BEHEMOTH
Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


RE: IPF Firewall Rules... help!

2005-04-09 Thread bob
Dick
Since you say you have limewire working on your LAN behind the firewall,
why don't you post your rules so we can see how you did it.




smssend/firewall port

2005-04-09 Thread Michael Sherman
Hi all.

I've installed the smssend program a few days back,
it's a great piece of software. However I wasn't able
up till now to find out the TCP port number that it
uses, in order to enable it with IPFilter. Does anyone
have an idea?

Thanks in advance.

 Dont let the bugs in, close the Windows 


RE: smssend/firewall port

2005-04-09 Thread bob
Code an ipfilter rule to log all blocked packets, then look at the log for
logged packets at the time when you test smssend.

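The "log the blocked packets, then read the log" approach bob describes is the standard way to find out which port an undocumented program needs. The script below is an added example written for this page, not something from the thread or from the IPFilter project. It assumes ipmon(8)'s default text log layout (date, time, interface, @group:rule, action, src,sport -> dst,dport, PR, protocol, ..., IN/OUT), an external interface named rl0, and the constructed sample lines embedded in it; a real run would feed it the ipmon log instead.

```shell
#!/bin/sh
# Added example (not from the original thread): find the port a program needs
# from ipmon(8) logs of blocked packets, then draft one narrow stateful rule.
# IPMON_SAMPLE is CONSTRUCTED for this example. Assumed default ipmon layout:
#   date time iface @group:rule action src,sport -> dst,dport PR proto len ... IN|OUT
# where the action "b" means blocked and "p" means passed.
IPMON_SAMPLE='09/04/2005 15:17:03.101112 rl0 @0:12 b 192.168.11.5,1034 -> 64.12.24.1,6346 PR tcp len 20 48 -S OUT
09/04/2005 15:17:03.201112 rl0 @0:12 b 192.168.11.5,1035 -> 64.12.24.1,6347 PR udp len 20 60 OUT
09/04/2005 15:17:04.301112 rl0 @0:3 p 192.168.11.5,1036 -> 64.12.24.2,80 PR tcp len 20 48 -S OUT
09/04/2005 15:17:05.401112 rl0 @0:20 b 203.0.113.9,4431 -> 198.51.100.7,135 PR tcp len 20 48 -S IN
09/04/2005 15:17:06.501112 rl0 @0:12 b 192.168.11.5,1037 -> 64.12.24.1,6346 PR tcp len 20 48 -S OUT'

# blocked_ports IN|OUT   (reads ipmon lines on stdin)
# Prints "count proto/dport" for every distinct blocked destination in that
# direction, most frequent first, so the port the program needs stands out
# from unrelated noise such as inbound scans.
blocked_ports() {
    awk -v dir="$1" '
        $5 == "b" && $NF == dir {
            split($8, dst, ",")       # $8 is "dst,dport"
            key = $10 "/" dst[2]      # $10 is the protocol name after "PR"
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# pass_rule IFACE PROTO PORT
# Emits an ipf rule in the style used elsewhere in this thread: outbound only,
# one destination port, stateful, so replies are admitted without opening a
# general inbound hole. Review the blocked_ports output before adding any rule;
# not everything that was blocked deserves to be allowed.
pass_rule() {
    case $2 in
        tcp) printf 'pass out quick on %s proto tcp from any to any port = %s flags S keep state\n' "$1" "$3" ;;
        udp) printf 'pass out quick on %s proto udp from any to any port = %s keep state\n' "$1" "$3" ;;
        *)   printf 'pass_rule: unsupported protocol %s\n' "$2" >&2; return 1 ;;
    esac
}

# Usage: while the program under test runs, collect ipmon output, then:
printf '%s\n' "$IPMON_SAMPLE" | blocked_ports OUT
pass_rule rl0 tcp 6346
```

With the sample input the OUT report is `2 tcp/6346` and `1 udp/6347`, while the IN direction shows only the unrelated blocked probe to port 135, which is exactly the kind of entry you do not want to turn into a rule.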


Re: IPF Firewall Rules... help!

2005-04-09 Thread dick hoogendijk
On Sat, 9 Apr 2005 11:43:23 -0400
[EMAIL PROTECTED] wrote:

 Dick
 Since you say you have limewire working on your LAN behind firewall
 why don't you post your rules so we can see how you did it.

# Limewire
pass out quick on rl0 proto tcp from any to any port = 6346 flags S keep state
pass out quick on rl0 proto udp from any to any port = 6346 keep state

That's really all there is to it. No funny things. Just installed
limewire on all machines using the defaults.

My ipnat.rules is also quite simple:

#
### ipnat.rules
#

# FTP traffic for the internal LAN
map rl0 192.168.11.0/24 -> 0/32 proxy port 21 ftp/tcp

# FTP traffic from the gateway
map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp

# non-FTP traffic for the internal LAN
map rl0 192.168.11.0/24 -> 0/32 portmap tcp/udp auto
map rl0 192.168.11.0/24 -> 0/32

That's all. And as said: limewire works like a charm.

-- 
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.11 ++ FreeBSD 5.3
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja


RE: IPF Firewall Rules... help!

2005-04-09 Thread bob
Dick
What you have working is only half of the product. Outbound works
for me also, but I have ports 6346, 6347, 6348 and 6349.
What about the part where other internet users access your files?
Watch the log and you will see the limewire remote server trying to
start a session to your public IP address when you start limewire.
Limewire software may not issue an error message about remote users not
being able to access your shared files, but it is a problem that
only happens when the PC is NATed on a LAN.  Here, do this test: use a LAN
PC to share files with another PC on your LAN.  I bet that will not
work.  Or have a friend using limewire try to access your shared files
on one of your LAN PCs.




IPF Firewall Rules... help!

2005-04-08 Thread Gareth Bailey
We have a freebsd gateway server for windows clients. We use IPF with nat.

What ipf rules and ipnat rules are required on the gateway for
Limewire peer-to-peer to connect on the clients.

If you can help, please do... i'm doing something wrong!

Thanks
Gareth


Fwd: IPF Firewall Rules... help!

2005-04-08 Thread Gareth Bailey
Hi Bob,

Thanks, I have read the handbook and a couple of other articles. I
have attached my ipf and ipnat rule lists. Please advise on the
commented out Bit torrent sections. The windows clients want to run
Limewire.

WRT the LAN environment, we have a couple of Windows XP SP2 clients,
and the freeBSD gateway. The external connection from the gateway runs
upstairs into the block's router, which is connected to an ADSL router
(no static IP).

Thanks for your help!

Gareth

On Apr 8, 2005 2:51 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Read the official FreeBSD handbook firewall section. It has working
 examples.  Any more help can only be offered if you post your rules
 and give details of your LAN environment.



RE: IPF Firewall Rules... help!

2005-04-08 Thread bob
Gareth
If you read the limewire website carefully you will see that nowhere
does it say it will work on a PC on a local area network (LAN).
This is one of those products that buries the sending IP address in
the packets. A PC on the LAN uses a NATed IP address and this
product can not handle that.  This is a common problem with products
such as this.  This is not a firewall problem. It's a design error
in the product's internet communications exchange of session packets.
It's just not designed to work on a PC that is on a LAN.

To use this product your XP box has to be connected to the internet
with a real public IP address, i.e. not on a LAN using a NATed IP
address.

For your INFO, attaching files is a bad thing to do. That is how
viruses get passed around and many people here on this list will not
open them.  Next time just post the file content into the body of your
email post.



Re: IPF Firewall Rules... help!

2005-04-08 Thread Dick Hoogendijk
On 08 Apr [EMAIL PROTECTED] wrote:
 If you read the limewire website carefully you will see that nowhere
 does it say it will work on a PC on a local area network (LAN).  This is
 one of those products that buries the sending IP address in the
 packets. A PC on the LAN uses a NATed IP address and this product can
 not handle that.  This is a common problem with products such as this.

Are you saying here that limewire does /not/ run on clients on a NATted
local area network?

If so, how come then that limewire runs on my windows client, as well as
on my OS-X and FreeBSD clients? All NATted of course.

 It's just not designed to work on PC that is on a LAN.

It works like a charm for me though.

-- 
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.11 ++ FreeBSD 5.3
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja


ipfw firewall mailing list ?

2005-04-06 Thread faisal gillani
Can you guys tell me, is there any ipfw firewall list I can
subscribe to, to learn it or ask daily usage questions
to?


thanks


*º¤., ¸¸,.¤º*¨¨¨*¤ Allah-hu-Akber*º¤., ¸¸,.¤º*¨¨*¤
God is the Greatest




Re: ipfw firewall mailing list ?

2005-04-06 Thread Giorgos Keramidas
On 2005-04-06 08:53, faisal gillani [EMAIL PROTECTED] wrote:
 can u guys tell me , is there any ipfw firewall i can subscribe to to
 learn it or ask daily usage questions to ?

The freebsd-questions list is the best place to ask about configuration
details of ipfw.  There is a freebsd-ipfw mailing list, but that's aimed
towards more technical, in-depth discussions about the internals of ipfw
and dummynet; so, it's probably not a good idea to post usage questions to
that list.  Post them here...

Since a lot of people have already asked a thousand and one things about
ipfw, you may also search the mailing list archives and see if any
questions you have have already been answered:

http://lists.freebsd.org/pipermail/freebsd-questions/



Re: Firewall questions

2005-04-01 Thread perikillo
 Only a little note about the comment:

On FreeBSD you have a choice of IPFW, IPF, and PF. IPFW is FreeBSD only,
IPF runs on many OSes (but not Linux),

Since I have been reading the Ipfilter mailing list, you can see that Ipfilter now
runs on Linux too. This is only information. Greetings.



Re: Firewall questions

2005-04-01 Thread Ean Kingston

  Only a little note about the comment:

 On FreeBSD you have a choice of IPFW, IPF, and PF. IPFW is FreeBSD only,
 IPF runs on many OSes (but not Linux),

 Since I have been reading the Ipfilter mailing list, you can see that Ipfilter
 now
 runs on Linux too. This is only information. Greetings.

Wow, I stand corrected. The last time I talked to Darren (years ago) he
said IPFilter would never run on Linux. I guess the Linux folks fixed
whatever was vexing him about their architecture.




-- 
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
 PGP KeyID: 1024D/CBC5D6BB
   URL: http://www.hedron.org/




Firewall questions

2005-03-23 Thread Shawn B
I have been looking for a great firewall, something
not too technical, since I have only been using
FreeBSD for two months now. 

I have FreeBSD-4.8 installed, Apache-1.3, and
Netqmail-1.05. I am also planning on running an NTP
time server and possibly a forum in the future. The
web site is expected to become a well-recognized site,
so that complicates matters. More attention to the
site means more attacks. 

Also, I am looking for antiviral protection for both
the FreeBSD server, and any Windows or Macintosh
systems that may be using the POP mail. I know qmail
has one solution, which was contributed by a qmail
user, but what are the alternatives?

Any suggestions as to what firewall would provide me
with the best protection, while not being overly too
complicated?

All help is greatly appreciated.



Re: Firewall questions

2005-03-23 Thread Ean Kingston

 I have been looking for a great firewall, something
 not too technical, since I have only been using
 FreeBSD for two months now.

 I have FreeBSD-4.8 installed, Apache-1.3, and
 Netqmail-1.05. I am also planning on running an NTP
 time server and possibly a forum in the future. The
 web site is expected to become a well-recognized site,
 so that complicates matters. More attention to the
 site means more attacks.

If it's a firewall you might want to upgrade to the latest in the series
you are using (4.11). There may be security holes in 4.8 by now.

 Also, I am looking for antiviral protection for both
 the FreeBSD server, and any Windows or Macintosh
 systems that may be using the POP mail. I know qmail
 has one solution, which was contributed by a qmail
 user, but what are the alternatives?

There are very few anti-virus packages for FreeBSD. AFAIK there are no
viruses that target FreeBSD. There are a few that target x86 hardware but
these don't propagate over the 'net.

Have a look at amavis (it's in the ports collection). I've never used it
but it's been mentioned a number of times on various lists.

Also, F-Prot (www.f-prot.com) provides an AV product for FreeBSD (NetBSD,
and OpenBSD too). They even have a mail scanner product. I used the file
scanner for a while but stopped the last time I upgraded the OS.


 Any suggestions as to what firewall would provide me
 with the best protection, while not being overly too
 complicated?

For simplicity, get one of the Firewall Router devices and stick your
FreeBSD system behind it. Most have a web interface to manage them. Just
make sure you get the Firewall model and not the Router with NAT model.
Unless you get lucky, the guy at Best Buy (or wherever) won't have a clue
about the differences and will not be able to help even if he thinks he is
helping. You need to do your research on this.

On FreeBSD you have a choice of IPFW, IPF, and PF. IPFW is FreeBSD only,
IPF runs on many OSes (but not Linux), and PF is a port of the OpenBSD
firewall. All are included with the FreeBSD distribution but require a
kernel recompile (it's explained in the handbook and isn't nearly as scary
as it sounds). All are about as complicated to configure/manage.

-- 
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
 PGP KeyID: 1024D/CBC5D6BB
   URL: http://www.hedron.org/




Re: Firewall questions

2005-03-23 Thread Bachelier Vincent
Well, I suggest PF from OpenBSD.
OK, it's really simple, and there is a good page on freebsd to learn how it
works.

ok see ya


-- 
Vincent Bachelier [EMAIL PROTECTED]
Language: Francais / English
Company: Solintech - http://www.solintech.fr - Linux servers

Quote (fortune):

How long a minute is depends on which side of the bathroom door you're
on.


RE: Firewall questions

2005-03-23 Thread bob
http://www.unixguide.net/freebsd/fbsd_installguide/index.php

This install guide covers both of the 2 firewalls that come built in
to FreeBSD for all 4.x releases. Software firewalls are heads and
shoulders above hardware firewalls which can not do stateful type of
protection.
I recommend ipfilter over ipfw as it is so much easier to use and is
supported by its own open source development team. It's been stable
for a long time while ipfw is FreeBSD developed and has been
rewritten between 4.8 and 5.3.

Firewalls only protect your private network and not email content
for various.




RE: Firewall questions

2005-03-23 Thread Ean Kingston

 http://www.unixguide.net/freebsd/fbsd_installguide/index.php

 This install guide covers both of the 2 firewalls that come built in
 to FreeBSD for all 4.x release. Software firewalls are heads and
 shoulders above hardware firewalls which can not do stateful type of
 protection.

You might want to check your sources again. My Linksys hardware firewalls
do a good job of providing stateful packet inspection.

-- 
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
 PGP KeyID: 1024D/CBC5D6BB
   URL: http://www.hedron.org/




Re: Firewall questions

2005-03-23 Thread RW
On Wednesday 23 March 2005 21:03, Ean Kingston wrote:
  Also, I am looking for antiviral protection for both
  the FreeBSD server, and any Windows or Macintosh
  systems that may be using the POP mail. I know qmail
  has one solution, which was contributed by a qmail
  user, but what are the alternatives?

 There are very few anti-virus packages for FreeBSD. AFAIK there are no
 viruses that target FreeBSD. There are a few that target x86 hardware but
 these don't propagate over the 'net.

Clamav is supposed to be good for filtering windows viruses out of email. I 
know Fastmail.fm dropped Kaspersky in favour of Clamav, they claimed the 
updates to be at least as good.


Re: Firewall questions

2005-03-23 Thread Paul Schmehl
--On Wednesday, March 23, 2005 09:45:56 PM + RW 
[EMAIL PROTECTED] wrote:
Clamav is supposed to be good for filtering windows viruses out of email.
I  know Fastmail.fm dropped Kaspersky in favour of Clamav, they claimed
the  updates to be at least as good.
We did some pretty thorough testing of Clamav, uvscan (McAfee) and sophie 
(Sophos) side by side on a mail gateway using amavisd.

Clamav was *almost* as good as McAfee and definitely better than Sophos at 
detecting viruses.  Clamav beat uvscan hands down on cpu usage and 
detection of Phishing scams.

Here's our latest stats - clamav is primary.  uvscan only gets used if 
clamav doesn't detect a virus.

These statistics represent data from 2005-03-01 to yesterday
Total detections - 7369
Total phishing scams - 7080
Total viruses - 289
Total McAfee - 23
Total ClamAV - 266
The last two lines are *unique* detections.  Basically what it means is 
that clamav missed 23 viruses that uvscan subsequently caught.  So clamav 
has a 92.04% virus detection rate so far for the month.  (Updates are 
fetched and installed automatically for both scanners.)

When I was keeping separate stats on each, clamav ran about a half a 
percent behind uvscan and sophie *never* had an independent detection.  It 
also had a much lower detection rate.  (E.g. clamav 94.6, uvscan 95.3, 
sophie 91.8)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Router/Firewall?

2005-03-22 Thread Aperez
Hi:
I am trying to set up a router/firewall with Freebsd 5.3 this is my 
information:

Winxp and Freebsd machine connected to Firewall machine using a hub
Firewall has two ethernet cards:  card1: dc0 connected to cable internet 
using DHCP
card 2: rl0 setup to 
use 192.168.1.1

I can connect to the internet from the firewall: ping -c 3 www.yahoo.com 
successful
I can ping from Firewall to the other two machines (WinXP and FreeBSD)
I can ping from XP to FreeBSD and Firewall
I can ping from FreeBSD to XP and Firewall

Here is the problem: I can't connect to the internet from either the XP or 
the FreeBSD machine

Here is my rc.conf from the firewall machine:
gateway_enable="YES"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_dc0="DHCP"
ifconfig_rl0="inet 192.168.1.1 netmask 255.255.255.0"
ipfilter_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
ipfs_enable="YES"
Can anybody tell me what I am missing?


RE: Router/Firewall?

2005-03-22 Thread bob
This is covered in detail at
http://www.unixguide.net/freebsd/fbsd_installguide/index.php





Re: Router/Firewall?

2005-03-22 Thread Karol Kwiatkowski
Aperez wrote:
 Hi:
 
 I am trying to set up a router/firewall with Freebsd 5.3 this is my
 information:
 
 Winxp and Freebsd machine connected to Firewall machine using a hub
 
 Firewall has two ethernet cards:  card1: dc0 connected to cable internet
 using DHCP
 card 2: rl0 setup to use
 192.168.1.1
 
 I can connect to the internet from the firewall: ping -c 3 www.yahoo.com
 successful
 I can ping from Firewall to the other two machines (WinXP and FreeBSD)
 I can ping from XP to FreeBSD and Firewall
 I can ping from FreeBSD to XP and Firewall

OK, it appears your internal network is working.

Did you set 'defaultrouter' on FreeBSD and XP (whatever it may be
called on Windows) to 192.168.1.1 (IP of the gateway)?


 Here is the problem: I cant connect to internet from neither XP nor
 FreeBSD machine

 Here is my rc.conf from the firewall machine:
 
 gateway_enable=YES
 ifconfig_lo0=inet 127.0.0.1
 ifconfig_dc0=DHCP
 ifconfig_rl0=inet 192.168.1.1 netmask 255.255.255.0
 ipfilter_enable=YES
 ipmon_enable=YES
 ipmon_flags=-Dsvn
 ipnat_enable=YES

What rules do you have in ipfilter and ipnat? Have you enabled NAT?


 ipfs_enable=YES
 
 Can anybody tell me what I am missing?

Regards,

Karol

-- 
Karol Kwiatkowski  freebsd at orchid dot homeunix dot org


Re: Router/Firewall?

2005-03-22 Thread Karol Kwiatkowski
[please cc freebsd-questions, someone may be interested, too]


Aperez wrote:
 Hi
 
 I did set up Winxp to use 192.168.1.1 as gateway and I put
 defaultrouter=192.168.1.1 in the Freebsd machine.
 
 I dont have rules for ipfilter because I was trying to see if there was
 connectivity box---firewall---internet.

 Do I have to have ipnat rules in order for the machines to connect to the
 internet?

Yes. NAT is not working yet. With ipnat_enable=YES you've just
enabled ipnat but you didn't tell it what to do yet.

Something like this would do (in /etc/ipnat.rules):

 map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto   # NAT for LAN + port mapping
 map dc0 192.168.1.0/24 -> 0/32                        # NAT for LAN (icmp)

But keep in mind I no longer use ipfilter/ipnat. Please check manpage
for ipnat(1). Also handbook section: 24.5.14 NAT
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html


 Didn't I enable natd by putting ipnat_enable=YES or do I have to put this
 instead: natd_enable=YES?

'natd' is another way to do NAT. You'll need only one of them. And
ipnat just doesn't do NAT yet.


Regards,

Karol


-- 
Karol Kwiatkowski  freebsd at orchid dot homeunix dot org
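For the interfaces in this thread (dc0 outside on DHCP, rl0 inside on 192.168.1.0/24), here is a complete pair of files that turns the rc.conf posted above into a working NAT gateway. This is an added example, not configuration posted by anyone in the thread; it assumes the FreeBSD default file names (ipnat_rules="/etc/ipnat.rules", ipfilter_rules="/etc/ipf.rules"), and since the ISP's DHCP server address is not known it accepts DHCP replies from any server on dc0.

```conf
# /etc/ipnat.rules  (loaded because ipnat_enable="YES"; default path)
# FTP proxy first, so active-mode data connections are rewritten too
map dc0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
# TCP/UDP: also rewrite the source port so two LAN hosts never collide
map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
# everything else (ICMP echo etc.): translate the address only
map dc0 192.168.1.0/24 -> 0/32

# /etc/ipf.rules  (loaded because ipfilter_enable="YES"; default path)
# ipnat is applied before filtering on input and after filtering on
# output, so outbound rules below see the untranslated LAN addresses.
pass in quick on lo0 all
pass out quick on lo0 all

# inside: trust the LAN, but drop packets whose source is not the LAN
block in log quick on rl0 from ! 192.168.1.0/24 to any
pass in quick on rl0 all
pass out quick on rl0 all

# outside: only connections started from here (or from the LAN), plus DHCP.
# 'flags S' creates state on the SYN only, so a stray ACK cannot open a slot.
pass out quick on dc0 proto tcp from any to any flags S keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state
pass in quick on dc0 proto udp from any port = 67 to any port = 68
block in log quick on dc0 all
block out log quick on dc0 all
```

After a reboot (or `/etc/rc.d/ipfilter restart` and `/etc/rc.d/ipnat restart`), `ipnat -l` lists the three map rules and, once a LAN host has opened a connection, the active mappings; `ipfstat -io` shows the loaded filter rules and `ipfstat -s` the state table. If `ipnat -l` shows the rules but no mappings ever appear, the LAN hosts are not sending through 192.168.1.1 (check their default route) or forwarding is off (`sysctl net.inet.ip.forwarding` must be 1, which gateway_enable sets).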


Firewall

2005-03-01 Thread Adolfo B. Ferreira

Hi,

I set up a firewall on my FreeBSD box using ipfw.conf and it's working
fine.
I'm running an smtp server on my firewall (I know it's not recommended)
and all my services are working fine, but smtp is not receiving incoming
connections from outside (internet).
I would like to show my ipfw rules and get some answer as to why it's not
working.
Thanks Guys, here is my firewall:

# QoS: LAN 
pipe 10 config mask src-ip 0xfff0 bw 40Kbit/s # LAN Upload 
pipe 20 config mask dst-ip 0xfff0 bw 20Kbit/s # Lan Download

# QoS: SERVICES
# ('mask' always takes an argument such as src-ip; these pipes use no
#  per-flow mask, so the keyword is left out)
pipe 30 config bw 120Kbit/s queue 6Kbytes # FTP
pipe 40 config bw 75Kbit/s # SMTP
pipe 50 config bw 70Kbit/s # DNS TCP
pipe 60 config bw 300Kbit/s queue 20Kbytes # WEB / SSL
pipe 70 config bw 75Kbit/s # POP3

# DEVICE: lo0
add 100 allow all from any to any via lo0
add 101 allow tcp from any to 127.0.0.1 110
add 102 deny ip from any to 127.0.0.0/8

# LAN: NAT
add 200 divert natd ip from any to any in via rl0

# LAN: IN
add 300 allow tcp from 10.1.1.0/28 to 10.1.1.1 22,139,445 in via vr0
add 400 allow udp from 10.1.1.0/28 to 10.1.1.1 137,138 in via vr0

# CHECK STATE
add 500 check-state

# DNS: SYNC
add 600 allow ip from any to any 53 via rl0 
add 601 allow ip from any 53 to any via rl0 

# DHCP: CLIENT
add 700 allow udp from any to 10.12.0.1 67 out via rl0

# LAN: ROOT
add 800 allow tcp from me to any out via rl0 setup keep-state uid root

# LAN: OUT
add 900 skipto 2000 tcp from any to any 80  out via rl0 setup keep-state 
add 901 skipto 2000 tcp from any to any 443 out via rl0 setup keep-state
add 902 skipto 2000 tcp from any to any 25  out via rl0 setup keep-state
add 903 skipto 2000 tcp from any to any 110 out via rl0 setup keep-state
add 905 skipto 2000 icmp from any to any out via rl0 icmptypes 8
add 906 skipto 2000 tcp from any to any 20,21 out via rl0 setup keep-state
add 907 skipto 2000 tcp from any to any 43 out via rl0 setup keep-state
add 909 skipto 2000 tcp from any to any 1755 out via rl0 setup keep-state
add 910 skipto 2000 tcp from any to any 1863 out via rl0 setup keep-state
add 911 skipto 2000 tcp from any to any out via rl0 setup keep-state
add 912 skipto 2000 tcp from any to any 6667 out via rl0 setup keep-state

#add 913 skipto 2000 tcp from any to any 1-4000 out via rl0 setup keep-state

# NETCRAFT
add 1000 deny all from 195.92.95.0/32 to any in via rl0
add 1100 allow icmp from any to any in via rl0 icmptypes 0

# ICMP: BLOCK PING
add 1101 prob 0.2 allow icmp from any to 201.6.24.17 in via rl0 icmptypes 8
add 1102 prob 0.2 allow icmp from 201.6.24.17 to any out via rl0 icmptypes 0

# LAN: RFC
add 1200 deny all from 192.168.0.0/16  to any in via rl0
add 1220 deny all from 172.16.0.0/12   to any in via rl0
add 1240 deny all from 127.0.0.0/8     to any in via rl0
add 1250 deny all from 0.0.0.0/8       to any in via rl0
add 1260 deny all from 169.254.0.0/16  to any in via rl0
add 1270 deny all from 192.0.2.0/24    to any in via rl0
add 1280 deny all from 204.152.64.0/23 to any in via rl0
add 1290 deny all from 224.0.0.0/3     to any in via rl0

# INTERNET: FRAG
add 1300 deny all from any to any frag in via rl0

# INTERNET: STATE STABLE
add 1400 deny ip from any to any established in via rl0

# DHCP: CLIENT
add 1500 allow udp from 10.12.0.1 to any 68 in via rl0 keep-state

# INTERNET: SERVICES IN
# Every service rule needs 'setup limit ...' (or keep-state): the inbound SYN
# then creates a dynamic rule, and the SYN-ACK leaving on rl0 is accepted by
# check-state (500).  Without it the SMTP reply matched nothing but the
# deny at 1800, so outside MTAs never got past the handshake.  The limit is
# per source address; raise it for SMTP if busy relays need more.
add 1600 pipe 30 ip from any to 201.6.24.17 20,21 in via rl0 setup limit src-addr 2
add 1601 pipe 40 tcp from any to 201.6.24.17 25 in via rl0 setup limit src-addr 2
add 1602 pipe 50 ip from any to 201.6.24.17 53 in via rl0 setup limit src-addr 2
add 1603 pipe 60 tcp from any to 201.6.24.17 80,443 in via rl0 setup limit src-addr 2
add 1604 pipe 70 tcp from any to 201.6.24.17 995 in via rl0 setup limit src-addr 2

# DENY / LOG
add 1800 deny log all from any to any out via rl0
add 1900 deny log all from any to any in via rl0

# LAN: NAT
add 2000 divert natd ip from any to any out via rl0
add 2001 allow ip from any to any




Adolfo Bravo Ferreira
Network Administrator / Security Analyst / Developer
Grupo Ferreira Limitada
Phone: 11 50628877


FTP Problems (probably my firewall)

2005-02-20 Thread Eric F Crist
Hello list,
I'm trying to get FTPD working, but I think I'm not opening the correct 
ports for it in my firewall.  I've got 20 and 21 open, and I get the 
login prompt and such, but only after a 10 to 20 second delay.  After 
that, everything seems to work fine, until I try to upload to the 
incoming directory, which is disabled right now.  The error takes 
another 10 to 20 seconds to pop up.  when I have a rule such as:

ipfw add 1 allow log all from any to any
Everything works as fast as it normally should.
Thanks.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson


PGP.sig
Description: This is a digitally signed message part


Re: FTP Problems (probably my firewall)

2005-02-20 Thread Chris
Eric F Crist wrote:
Hello list,
I'm trying to get FTPD working, but I think I'm not opening the correct 
ports for it in my firewall.  I've got 20 and 21 open, and I get the 
login prompt and such, but only after a 10 to 20 second delay.  After 
that, everything seems to work fine, until I try to upload to the 
incoming directory, which is disabled right now.  The error takes 
another 10 to 20 seconds to pop up.  when I have a rule such as:

ipfw add 1 allow log all from any to any
Everything works as fast as it normally should.
Thanks.
Try this:
ipfw add 1 allow log all from any to me 20,21
--
Best regards,
Chris
Keep emotionally active,
cater to your favorite neurosis.


Re: Problem accessing net from a NAT Firewall

2005-02-12 Thread David Wassman
Micheal,
The IP addresses are the same ones used in The Complete FreeBSD from 
Greg Lehey for the back end network. I can use 192.x.x.x or 172.x.x.x to 
see if they work. Will let you know. Thanks for the help.

David
Michael L. Squires wrote:
I don't understand this entry:
On Wed, 16 Feb 2005, David Wassman wrote:
# static address for internal interface
ifconfig_xe0=inet 223.147.37.1 netmask 255.255.255.0 broadcast 
223.147.37.255

This is a valid IP address, not one of the three sets of IP numbers 
reserved for internal networks (you use one, 172.x.x.x, in your 
firewall script).  Shouldn't the internal network address be one of 
those three, i.e., one of 192.x.x.x, 172.x.x.x, 10.x.x.x ?

Or I may not be understanding your setup at all.
I have a cable modem, FreeBSD 4.11 firewall/NAT, internal network 
using 10.x.x.x numbers (bad choice, 10.x.x.x is used by Comcast/ATT, 
etc.), 100Mbit switch, 1 Mac, 4 MS, 3 FreeBSD clients all using IP 
numbers in the 10.x.x.x range.

MLS



Problem accessing net from a NAT Firewall

2005-02-11 Thread David Wassman
Ok, after two days with little sleep I am now going to ask for some 
help. Here are my problems to ponder and I will give my sys info and 
configs after.

1) I want to connect to my wireless router (A) from one computer (B) and 
connect through it a wired network (C) to access the internet. Is this 
possible? I know you can do it with a wired network through nat but am 
not sure about the wireless in the middle.

2)I have setup the computer A as a router with a firewall and NAT. I can 
access to web from it through the wireless link but cannot ping out from 
C behind it.

The net hardware:
I have cable.
A - Linksys WGT54G
D - WG511T wireless PC card
    Xircom 10Mbps PC card
C - RealTek 8139
    3Com 3c905-TX
I have put the following options in the kernel and compiled
IPFIREWALL
IPDIVERT
IPSEC   (I know this is for IPsec and not the firewall directly. I have not
         installed racoon and am not using IPsec. Included it here in case
         this is the problem.)
IPSEC_ESP
IPSEC_DEBUG

I modified the following configs from this site 
http://lugbe.ch/lostfound/contrib/freebsd_router/
rc.conf:
# use DHCP for external interface
# (the SSID value was not shown in the post; it has to share one assignment
#  with DHCP, because a second ifconfig_ath0= line replaces the first)
ifconfig_ath0="DHCP ssid <ssid>"
# static address for internal interface
ifconfig_xe0="inet 223.147.37.1 netmask 255.255.255.0 broadcast 223.147.37.255"

# enable IP forwarding
gateway_enable="YES"
sshd_enable="YES"
# enable firewall
firewall_enable="YES"
# set path to custom firewall config
firewall_type="/etc/rc.firewall.rules"
# be non-verbose? set to YES after testing
firewall_quiet="NO"
# enable natd, the NAT daemon
natd_enable="YES"
# which is the interface to the internet that we hide behind?
natd_interface="ath0"
# flags for natd
natd_flags="-f /etc/natd.conf"

rc.firewall.rules:
# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
# (ep0 is not one of this box's interfaces, so the 10/8 rule matches nothing;
#  the other two use the real outside interface, ath0)
add 00301 deny ip from 10.0.0.0/8 to any in via ep0
add 00302 deny ip from 172.16.0.0/12 to any in via ath0
add 00303 deny ip from 192.168.0.0/16 to any in via ath0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via ath0
add 01001 check-state

# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from 223.147.37.0/24 to me dst-port 22 in via xe0 setup keep-state
# NTP
add 04002 allow tcp from 223.147.37.0/24 to me dst-port 123 in via xe0 setup keep-state
add 04003 allow udp from 223.147.37.0/24 to me dst-port 123 in via xe0 keep-state
# DNS
add 04006 allow udp from 223.147.37.0/24 to me dst-port 53 in via xe0

# drop everything else
add 04009 deny ip from 223.147.37.0/24 to me

# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 223.147.37.0/24 to any in via xe0 keep-state

# allow all outgoing traffic from the router (maybe you should be more
# restrictive)
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to
# an established connection, don't log the most noisy scans.
# (rule numbers 59999-60001 assumed: they were lost in the post, and they must
#  sort after 59998 and before the NAT rule at 61000)
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60001 deny log ip from any to any

# this is the NAT rule. Only outgoing packets from the local net will
# come here.
# First, nat them, then pass them on (again, you may choose to be more
# restrictive)
add 61000 divert natd ip from 223.147.37.0/24 to any out via ath0
add 61001 allow ip from any to any

natd.conf:
# with unregistered_only set, natd translates only packets whose source is
# an RFC 1918 address (10/8, 172.16/12, 192.168/16); packets from
# 223.147.37.0/24 are passed through untranslated
unregistered_only
interface ath0
use_sockets
# (Don't think I need this as not running any services for the outside)
#dynamic
# dynamically open fw for ftp, irc
#punch_fw 53

Any help would be greatly appreciated as I am very tired of pulling my 
hair out at 4 in the morning. It is also annoying to have to use M$ on 
my wife's laptop to access the internet. Please help bring FreeBSD back 
into my everyday life:-)

David


Firewall throughput question

2005-02-09 Thread Darryl Hoar
Greetings,
I have had a Freebsd firewall (Older computer with (1) 3com 10Mb 
ethernet PCI card, and (1) 3 com 10/100 Mb ethernet PCI card).  
The firewall croaked on me (motherboard died).  As a quick fix, 
I plugged in a Linksys BEFSX41.

My Question is, should I build a new Freebsd firewall or just 
continue using the Linksys ? Throughput and security are my 
concern.  I can have up to 20 machines on the LAN at one time
using the internet, so traffic throughput is a factor.

Anyway, my inclination is to build a new freebsd firewall, but 
don't want to do the  work if the Linksys is good enough.

Thanks for any ideas or suggestions.

-Darryl





Re: Firewall throughput question

2005-02-09 Thread Hexren
DH Greetings,
DH I have had a Freebsd firewall (Older computer with (1) 3com 10Mb 
DH ethernet PCI card, and (1) 3 com 10/100 Mb ethernet PCI card).  
DH The firewall croaked on me (motherboard died).  As a quick fix, 
DH I plugged in a Linksys BEFSX41.

DH My Question is, should I build a new Freebsd firewall or just 
DH continue using the Linksys ? Throughput and security are my 
DH concern.  I can have up to 20 machines on the LAN at one time
DH using the internet, so traffic throughput is a factor.

DH Anyway, my inclination is to build a new freebsd firewall, but 
DH don't want to do the  work if the Linksys is good enough.

DH Thanks for any ideas or suggestions.

DH -Darryl


-

Many people say the only way to truly answer the traffic throughput question 
is to test the firewall you have under live conditions and see if it can
handle what the LAN throws at it.

As for security, that has imho more to do with setup than with the
hardware used. Get hardware cryptographic accelerators if you need
that much and have the money to spend.


Hexren



Re: Firewall throughput question

2005-02-09 Thread Mark A. Garcia
Darryl Hoar wrote:
Greetings,
I have had a Freebsd firewall (Older computer with (1) 3com 10Mb 
ethernet PCI card, and (1) 3 com 10/100 Mb ethernet PCI card).  
The firewall croaked on me (motherboard died).  As a quick fix, 
I plugged in a Linksys BEFSX41.

My Question is, should I build a new Freebsd firewall or just 
continue using the Linksys ? Throughput and security are my 
concern.  I can have up to 20 machines on the LAN at one time
using the internet, so traffic throughput is a factor.

Anyway, my inclination is to build a new freebsd firewall, but 
don't want to do the  work if the Linksys is good enough.

Thanks for any ideas or suggestions.
How old are those 3com cards?
I think the most important area to look at is gauging how much packet 
loss will occur under these high loads.  And that in and of itself might 
appear differently in one type of traffic and not others, i.e. vpn, ssh, 
encrypted traffic, ssl.  Also, how well and quickly a device can handle 
packet loss can be determined by newer equipment (new linksys router) 
handling packets that come over the wire versus an older 3com card with 
aging firmware.

It's a toss-up that's hard to make a definitive suggestion on... unless you 
can do what Hexren mentioned and pit them against each other.  That 
would be the easiest way to appease your needs.

-.mag


Re: Firewall throughput question

2005-02-09 Thread sp0ng3b0b
Darryl Hoar wrote:
Greetings,
I have had a Freebsd firewall (Older computer with (1) 3com 10Mb 
ethernet PCI card, and (1) 3 com 10/100 Mb ethernet PCI card).  
The firewall croaked on me (motherboard died).  As a quick fix, 
I plugged in a Linksys BEFSX41.

My Question is, should I build a new Freebsd firewall or just 
continue using the Linksys ? Throughput and security are my 
concern.  I can have up to 20 machines on the LAN at one time
using the internet, so traffic throughput is a factor.

You should use the Linksys if you are comfortable with it. It does use 
less electricity.

If you are really concerned with security and performance, I recommend at 
least 500 MHz and 256 MB RAM. I have used Intel/3Com cards and both are 
reliable. I recommend using PF though.

I am working on a replacement firewall right now. I am using a Sun Ultra 
5 (360MHz) with a quad ethernet card. It will be running OpenBSD and PF.
I may use FreeBSD though, because I want to use ntop and ntop does not 
work on OpenBSD.

Hope that helps.


RE: natd or firewall problem?

2005-02-06 Thread Gelsema, Patrick
I think that has to depend on how your natting and firewalling is set up.
Aka how do you manage incoming traffic, outgoing and forwarding traffic
between 2 interfaces.
I'm using ipchains for it, and I got my rules per interface setup, and do
thorough checks regarding sources.

But it is something that could work. Just have to work out your firewall
rules.

I use 2 types of dns, one for internal use, and the other for external. 

My 0,2 cents

Patrick


 -Original Message-
 From: Chris Hodgins [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, February 05, 2005 4:06 PM
 To: Gelsema, Patrick
 Cc: 'Cristian Salan'; 'Gelsema, Patrick'; 
 freebsd-questions@freebsd.org
 Subject: Re: natd or firewall problem?
 
 
 Gelsema, Patrick wrote:
  Thats right, you can do the following:
  Put the ip-address with its FQDn 
 (www.webserverwhatever.com) in every 
  hosts file (taken its windows) or in its hosts file on 
 freebsd. Or you 
  run an internal DNS with an internal zone for your domain whilst 
  running on the internet the external zone.
  
  Regards,
  
  Patrick
  
 
 Out of interest, why would using the external ip address not work. 
 Would the packets not just be directed out to the router as per usual 
 and then the router would notice it should forward the packets to the 
 www server?  What am I missing?  The only problem I can think 
 of might 
 be sending packets back to the internal ip address.
 
 Thanks
 Chris
 
 [snip]
 



natd or firewall problem?

2005-02-05 Thread Cristian Salan
Hello dear list,

I have one FreeBSD router in front of the internal network. Now I've
installed another FreeBSD box which must be the www server.
I've managed to redirect the port 80 at the router and the web server
is visible to the outside world. But the problem is now at the other
internal workstations which are unable to browse the web server.

Please enlighten me,
Cristian Salan


Re: natd or firewall problem?

2005-02-05 Thread Gelsema, Patrick
Hi,

In order to enlighten you we need some more information. Sounds to me you
could be having issues with internal/external DNS and ip-addresses. In
other words, you are querying your www server from a dns and is getting
the Internet ip back instead of the lan ip. Can you connect to your www
server with ip?

Regards

Patrick

 Hello dear list,

 I have one FreeBSD router in front of the internal network. Now I've
 installed another FreeBSD box which must be the www server.
 I've managed to redirect the port 80 at the router and the web server
 is visible to the outside world. But the problem is now at the other
 internal workstations which are unable to browse the web server.

 Please enlighten me,
 Cristian Salan


Re: natd or firewall problem?

2005-02-05 Thread Cristian Salan
  Hello dear list,
 
  I have one FreeBSD router in front of the internal network. Now I've
  installed another FreeBSD box which must be the www server.
  I've managed to redirect the port 80 at the router and the web server
  is visible to the outside world. But the problem is now at the other
  internal workstations which are unable to browse the web server.
 
  Please enlighten me,
  Cristian Salan

On Sat, 5 Feb 2005 12:42:13 +0100 (CET), Gelsema, Patrick
[EMAIL PROTECTED] wrote:
 Hi,
 
 IN order to enlighten you we need some more information. Sounds to me you
 could be having issues with internal/external DNS and ip-addresses. In
 other words, you are querying your www server from a dns and is getting
 the Internet ip back instead of the lan ip. Can you connect to your www
 server with ip?

I can only connect using the internal ip address. Otherwise, yes, when
querying for the name I get the external IP address. There is no DNS
server on this lan. Is this the problem?

Cristian Salan


RE: natd or firewall problem?

2005-02-05 Thread Gelsema, Patrick
That's right, you can do the following:
Put the IP address with its FQDN (www.webserverwhatever.com) in every hosts
file (assuming it's Windows) or in its hosts file on FreeBSD. Or you run an
internal DNS with an internal zone for your domain whilst running on the
internet the external zone.

Regards,

Patrick
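The split-horizon setup Patrick describes, written out as an added example that is not from the thread. It assumes BIND 9 running on the FreeBSD router at 192.168.1.1, the domain example.com, the web server at 192.168.1.10 and a public address of 203.0.113.5 (documentation addresses chosen here). The reason the public address cannot be used from inside, when natd is only diverted on the outside interface, is that a LAN packet addressed to the public IP arrives on the inside interface, is never passed through the redirect_port rule, and is delivered to the router itself, which has nothing listening on port 80.

```conf
// /usr/local/etc/namedb/named.conf (BIND 9): one zone name, two answers.
// Once views are used, every zone (including "." hints) must live inside a view.
acl "lan" { 127.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/usr/local/etc/namedb";
    listen-on { 127.0.0.1; 192.168.1.1; };
};

view "internal" {
    match-clients { lan; };        // evaluated first: LAN hosts land here
    recursion yes;
    allow-recursion { lan; };      // resolve the rest of the Internet for the LAN only
    zone "example.com" {
        type master;
        file "master/example.com.internal";
    };
};

view "external" {
    match-clients { any; };        // everyone else
    recursion no;                  // never act as an open resolver
    zone "example.com" {
        type master;
        file "master/example.com.external";
    };
};

; master/example.com.internal (constructed for this example)
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. ( 2005020501 3600 900 1209600 3600 )
        IN NS   ns1.example.com.
ns1     IN A    192.168.1.1
www     IN A    192.168.1.10     ; LAN address: inside clients connect directly

; master/example.com.external (constructed for this example)
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. ( 2005020501 3600 900 1209600 3600 )
        IN NS   ns1.example.com.
ns1     IN A    203.0.113.5
www     IN A    203.0.113.5      ; public address: natd redirect_port sends 80 to 192.168.1.10
```

Run `named-checkconf` and `named-checkzone example.com master/example.com.internal` before restarting, point the LAN hosts at 192.168.1.1 for DNS, and confirm with `dig @192.168.1.1 www.example.com` from a LAN host (expect 192.168.1.10) and from outside (expect 203.0.113.5). The two files carry separate serial numbers, so bump each one when you change it. If the public zone is already hosted by the ISP or registrar, the "external" view can be dropped and only the internal view kept; and for a handful of machines the hosts-file approach in the reply above is just as effective.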



Re: natd or firewall problem?

2005-02-05 Thread Cristian Salan
On Sat, 5 Feb 2005 13:54:23 +0100, Gelsema, Patrick
[EMAIL PROTECTED] wrote:
 That's right, you can do the following:
 Put the IP address with its FQDN (www.webserverwhatever.com) in every hosts
 file (assuming it's Windows) or in its hosts file on FreeBSD. Or you run an
 internal DNS with an internal zone for your domain whilst running on the
 internet the external zone.
 
 Regards,
 
 Patrick

Thank you Patrick, that's what I was afraid of. I've never managed to
understand the DNS service but I think the time has come.

Best regards,
Cristian Salan


Re: natd or firewall problem?

2005-02-05 Thread Chris Hodgins
Gelsema, Patrick wrote:
That's right, you can do the following:
Put the ip-address with its FQDN (www.webserverwhatever.com) in every hosts
file (taking it that it's Windows) or in its hosts file on FreeBSD. Or you run an
internal DNS with an internal zone for your domain whilst running on the
internet the external zone.
Regards,
Patrick
Out of interest, why would using the external ip address not work? 
Would the packets not just be directed out to the router as per usual 
and then the router would notice it should forward the packets to the 
www server?  What am I missing?  The only problem I can think of might 
be sending packets back to the internal ip address.

Thanks
Chris
[snip]
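Chris's question above is the classic "hairpin" (NAT reflection) case. The Python model below is added here and is not part of the thread or of any FreeBSD code: it walks a request from a LAN workstation through a natd-style port-80 redirect on the router's external address and shows why the reply is unusable unless the router also rewrites the source address. All addresses are made-up documentation-range values, and the NAT logic is a simplified abstraction of what natd does, not its implementation.

```python
"""
Added example, not from the mailing-list thread: a toy model of a LAN
client connecting to the router's EXTERNAL address for a port-80
redirect, with and without source rewriting ("hairpin" NAT).
Addresses are invented (RFC 5737 / RFC 1918 ranges); the NAT behaviour
is a simplification, not FreeBSD natd's actual code.
"""
from dataclasses import dataclass, replace

EXTERNAL = "203.0.113.10"    # router's public address (assumed)
ROUTER_LAN = "192.168.1.1"   # router's LAN-side address (assumed)
WWW_INT = "192.168.1.20"     # web server's LAN address (assumed)
CLIENT = "192.168.1.50"      # LAN workstation (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


def client_send(dst_ip):
    """The workstation opens a connection to whatever address DNS gave it."""
    return Packet(CLIENT, 40000, dst_ip, 80, "GET / HTTP/1.0")


def router_forward(pkt, hairpin):
    """Model a redirect_port-style rule: traffic to EXTERNAL:80 is sent to
    the internal web server. Returns (translated packet, state to undo).
    With hairpin=True the source is rewritten too, so the server's reply
    must come back through the router instead of going straight to CLIENT."""
    if pkt.dst == EXTERNAL and pkt.dport == 80:
        state = {"orig_dst": pkt.dst, "orig_src": pkt.src}
        new = replace(pkt, dst=WWW_INT)
        if hairpin:
            new = replace(new, src=ROUTER_LAN)
        return new, state
    return pkt, None   # not a redirected flow; untouched


def server_reply(pkt):
    """The web server answers to whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "HTTP/1.0 200 OK")


def deliver(reply, state, hairpin):
    """Where the reply physically goes. A reply addressed to a host on the
    same subnet is delivered directly; the router never sees it. Only a
    reply addressed to the router itself gets the rewrites undone."""
    if hairpin and state is not None and reply.dst == ROUTER_LAN:
        return replace(reply, src=state["orig_dst"], dst=state["orig_src"])
    return reply


def client_accepts(sent, reply):
    """A TCP stack matches an incoming segment on the exact 4-tuple it used;
    a reply from a different address is not part of this connection."""
    return (reply.src == sent.dst and reply.sport == sent.dport
            and reply.dst == sent.src and reply.dport == sent.sport)


def simulate(dst_ip, hairpin=False):
    """Return (client accepted the reply?, source address the client saw)."""
    sent = client_send(dst_ip)
    fwd, state = router_forward(sent, hairpin)
    reply = server_reply(fwd)
    delivered = deliver(reply, state, hairpin)
    return client_accepts(sent, delivered), delivered.src


if __name__ == "__main__":
    print("direct to LAN address   :", simulate(WWW_INT))
    print("via external, no hairpin:", simulate(EXTERNAL))
    print("via external, hairpin   :", simulate(EXTERNAL, hairpin=True))
```

With `simulate(EXTERNAL)` the server answers the workstation directly from 192.168.1.20, but the workstation's TCP stack is waiting for a reply from 203.0.113.10 on the same port pair, so the segment is rejected and the connection never completes; that is the "sending packets back to the internal ip address" problem Chris guessed at. Rewriting the source as well (hairpin) forces the reply back through the router, where both rewrites are undone. On FreeBSD with natd this takes more configuration than the single redirect rule Cristian already has, which is why the hosts-file or split-DNS fix Patrick describes is usually the simpler route.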


Newbie Help: IP firewall configuration

2005-02-04 Thread crzdgns1
Hello,

I am a UNIX/FreeBSD-5.3-RELEASE newbie.  I have posted several 
times to freebsd-newbies, but I think this question will get better 
reception here.  I have installed Free-BSD-5.3-RELEASE full base 
installation with X.  I am currently trying to configure my firewall.  I 
have followed the instructions in the Handbook explicitly, though I 
didn't add any scripts to my ipf.rules file.  My ipf.rules file is verbatim 
from the Handbook, though I altered some of the commented out 
sections; the rules themselves are verbatim.  I am having a difficult 
time with this specific section:

 # Allow out access to my ISP's DHCP server for cable or DSL
 networks.
 # This rule is not needed for 'user ppp' type connection to the
 # public Internet, so you can delete this whole group.
 # Use the following rule and check log for IP address.
 # Then put IP address in commented out rule  delete first rule
 pass out log quick on dc0 proto udp from any to any port = 67 keep 
 state
 #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep 
 state

Please help.  How do I find the IP address referenced in the fourth #?  
Where is the log file that is referenced in the fourth #?  If I need to use 
find, whereis, locate, or some other command line search tool to find 
the log file, please write out the details for me, because I am really 
struggling with command line syntax at this point.  I have clearly 
suffered from too much exposure to the point and click world.

Thank you!

Mark

P.S.  Please let me know if I haven't provided enough information.


Re: Newbie Help: IP firewall configuration

2005-02-04 Thread Matthew Seaman
On Fri, Feb 04, 2005 at 09:32:31AM -0500, [EMAIL PROTECTED] wrote:

  # Allow out access to my ISP's DHCP server for cable or DSL
  networks.
  # This rule is not needed for 'user ppp' type connection to the
  # public Internet, so you can delete this whole group.
  # Use the following rule and check log for IP address.
  # Then put IP address in commented out rule  delete first rule
  pass out log quick on dc0 proto udp from any to any port = 67 keep 
  state
  #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep 
  state
 
 Please help.  How do I find the IP address referenced in the fourth #?  

That will be the IP address of your ISP's DHCP server.  They may well
have given you some documentation, or put that information on a
website, or failing that, you could just call their help line and ask.

 Where is the log file that is referenced in the fourth #?  If I need to use 
 find, whereis, locate, or some other command line search tool to find 
 the log file, please write out the details for me, because I am really 
 struggling with command line syntax at this point.  I have clearly 
 suffered from too much exposure to the point and click world.

The log file you need is /var/log/auth.log -- that's where anything
security related generally gets logged.  Almost everything in the base
system and many of the ports which write data into logfiles will keep
those logfiles under /var/log.  Makes them much easier to find...

  Cheers,

  Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   8 Dane Court Manor
  School Rd
PGP: http://www.infracaninophile.co.uk/pgpkey Tilmanstone
Tel: +44 1304 617253  Kent, CT14 0JL UK




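As an added example, not from the thread: the rule in Mark's ipf.rules carries the `log` keyword, so every outbound UDP/67 packet it passes is written by ipmon to wherever syslog sends ipmon's messages (check /etc/syslog.conf and the Handbook's ipmon section for the file on your own system rather than assuming one). The script below parses ipmon-style lines, constructed here as sample input in the field layout ipmon uses (an assumption about the exact format), discards the broadcast DISCOVER, and returns the narrowed rule with the server's address filled in. The interface name dc0 is taken from Mark's rule; all addresses are made up.

```python
"""
Added example, not from the mailing-list thread: find the ISP's DHCP
server address in ipmon log lines and produce the tightened ipf rule
that Mark's ipf.rules comment asks for.

The sample log is constructed, in the shape ipmon writes when syslog
prefixes it (assumption about the exact layout); addresses are RFC 5737
documentation ranges, not real ISP addresses.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Feb  4 09:32:31 gw ipmon[201]: 09:32:31.104522 dc0 @0:7 p 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328 K-S OUT
Feb  4 09:32:31 gw ipmon[201]: 09:32:31.231904 dc0 @0:7 p 198.51.100.77,68 -> 198.51.100.1,67 PR udp len 20 328 K-S OUT
Feb  4 10:02:31 gw ipmon[201]: 10:02:31.004512 dc0 @0:7 p 198.51.100.77,68 -> 198.51.100.1,67 PR udp len 20 328 K-S OUT
Feb  4 10:05:00 gw ipmon[201]: 10:05:00.558731 dc0 @0:9 p 198.51.100.77,1034 -> 203.0.113.80,80 PR tcp len 20 60 -S K-S OUT
"""

# interface, rule group:number, p(ass)/b(lock), src,sport -> dst,dport, protocol
LINE_RE = re.compile(
    r"(?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>[pb]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def parse(log_text):
    """Yield one dict per line that matches the ipmon packet layout; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            yield d


def dhcp_servers(log_text, iface="dc0"):
    """Count unicast destinations of passed UDP/67 packets leaving iface.
    The all-ones broadcast is the client's initial DISCOVER, not a server
    address, so it is excluded; renewals are unicast to the real server."""
    seen = Counter()
    for p in parse(log_text):
        if (p["iface"] == iface and p["proto"] == "udp" and p["dport"] == 67
                and p["action"] == "p" and p["dst"] != "255.255.255.255"):
            seen[p["dst"]] += 1
    return seen


def narrowed_rule(log_text, iface="dc0"):
    """Return the tightened rule for the commented-out line in ipf.rules,
    or None if no unicast DHCP server was seen yet. Refuses to choose when
    more than one server appears: narrowing to one would break renewals."""
    servers = dhcp_servers(log_text, iface)
    if not servers:
        return None
    if len(servers) > 1:
        raise ValueError(f"more than one DHCP server seen: {dict(servers)}")
    (addr, _), = servers.most_common(1)
    return f"pass out quick on {iface} proto udp from any to {addr} port = 67 keep state"


if __name__ == "__main__":
    print(dict(dhcp_servers(SAMPLE_LOG)))
    print(narrowed_rule(SAMPLE_LOG))
```

Renewals are unicast to the server that granted the lease, so once the box has renewed at least once the server's address stands out and the broadcast entry can be ignored. Before deleting the `any` rule, keep in mind that if your ISP answers from more than one server the narrowed rule will block renewals and you will lose your address when the lease expires; that is why the function refuses to pick when it sees several.
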
Freebsd firewall

2005-02-03 Thread Aperez
Hello:
I am trying to set up a FreeBSD 5.3 firewall. I have an old P I with 64 
KB of memory. When I try to install FreeBSD, the PC hangs just after 
showing the daemon screen and shows the following message:

stack overflow
I am thinking maybe the PC is too old for FreeBSD because I managed to 
install Debian in it.

Does anybody know what does stack overflow mean? and is there anything 
I can do in order to install Freebsd in this old PC?

Thanks in advance


Re: Freebsd firewall

2005-02-03 Thread Aperez
Kevin A. Pieckiel wrote:
On Thu, Feb 03, 2005 at 08:41:07AM -0500, Aperez wrote:
 

Hello:
I am trying to set up a FreeBSD 5.3 firewall. I have an old P I with 64 
KB of memory. When I try to install FreeBSD, the PC hangs just after 
showing the daemon screen and shows the following message:

stack overflow
   

If you truly have only 64k of memory in it, then you need to add more
RAM.  You should install at least several megabytes instead.
 

Yes, I am sorry I made a mistake. I meant 64 MB
Any idea what is the problem?


Re: Freebsd firewall

2005-02-03 Thread John
On Thu, Feb 03, 2005 at 09:41:07AM -0500, Kevin A. Pieckiel wrote:
 On Thu, Feb 03, 2005 at 09:22:09AM -0500, Aperez wrote:
  Yes, I am sorry I made a mistake. I meant 64 MB
  
  Any idea what is the problem?
 
 It's possible that it's faulty hardware.  A system that old could very
 well have its share of problems.  You may try replacing the RAM,
 removing cards--things like that to try to track down if it's a single
 piece of equipment that's causing it to fault.

For whatever it's worth, I had the same problem on a Pentium I system,
but I ended up retiring it before I tracked it down.

We may have an issue with FreeBSD 5.3 on older systems.

Might I suggest FreeBSD 4-STABLE for this system?
-- 

John Lind
[EMAIL PROTECTED]


Re: Freebsd firewall

2005-02-03 Thread Kevin A. Pieckiel
On Thu, Feb 03, 2005 at 09:22:09AM -0500, Aperez wrote:
 Yes, I am sorry I made a mistake. I meant 64 MB
 
 Any idea what is the problem?

It's possible that it's faulty hardware.  A system that old could very
well have its share of problems.  You may try replacing the RAM,
removing cards--things like that to try to track down if it's a single
piece of equipment that's causing it to fault.

That's the best I can offer.

Kevin


Re: Freebsd firewall

2005-02-03 Thread Ramiro Aceves
John wrote:
On Thu, Feb 03, 2005 at 09:41:07AM -0500, Kevin A. Pieckiel wrote:
On Thu, Feb 03, 2005 at 09:22:09AM -0500, Aperez wrote:
Yes, I am sorry I made a mistake. I meant 64 MB
Any idea what is the problem?
It's possible that it's faulty hardware.  A system that old could very
well have its share of problems.  You may try replacing the RAM,
removing cards--things like that to try to track down if it's a single
piece of equipment that's causing it to fault.

For whatever it's worth, I had the same problem on a Pentium I system,
but I ended up retiring it before I tracked it down.
We may have an issue with FreeBSD 5.3 on older systems.
Might I suggest FreeBSD 4-STABLE for this system?
Hello.
I have installed FreeBSD 5.3 successfully on an old pentium 75MHz with 
32 MB RAM. 16MB RAM did not work. So I would check your memory for 
faulty chips. Try with  32MB and see what happens.

Good luck.
Ramiro.

