Re: Ftp behind firewall/nat
On 31 Jan eric wyzerski wrote:

> > The solution is to explicitly tell your FTP server what to report as its IP address, and give it a range of ports to give out as well. [...] unix-server configuration file as follows:
> >
> > passive ports 0.0.0.0/0 32768 49151
> > passive address your.pub.IP.addr 0.0.0.0/0
> >
> > At the time of writing, it's been reported that Microsoft IIS's FTP server is not capable of being configured this way.
>
> so, my problem is exactly this: the client tries to connect to 10.1.1.6 and not my external IP address. guess what? I'm using IIS ftp server (I can't use anything else), so is there a way to resolve this problem by doing something on the router (ipnat)?

Only solution is open all your high incoming ports. You don't want that of course ;-) There is NO other way PASS can be handled or redirected. You *need* to know beforehand which ports exactly will be opened.

Ask Microsoft why they won't support this feature. They are moving into a more secure OS (at least they say they are..)

-- 
dick -- http://nagual.st/
-- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.11 ++ FreeBSD 5.3
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Ftp behind firewall/nat
eric wyzerski wrote:

> My setup works well with Active ftp but not with passive ftp. Your setup doesn't work with passive ftp. From ipfilter faq:
>
> # I have an FTP server behind an IPF firewall, and I'm having problems serving passive FTP.

Sorry, from your original post it was not clear to me if your problem was ftp-client behind nat or ftp-server behind nat. The solution I gave solves the ftp-client behind nat problem, both active and passive ftp.

The IPF howto also notes that setting up an ftp server behind a NAT is a mess and one should _not_ try to reverse the setup for ftp-client behind nat. I don't have the solution for server behind nat.

> passive ports 0.0.0.0/0 32768 49151
> passive address your.pub.IP.addr 0.0.0.0/0

I don't know what is standard or if there is one, but IANA has assigned ports > 49151 for dynamic port allocation, which seems to suggest that the ports chosen should be in that interval.

Cheers, Erik
-- 
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Ftp behind firewall/nat
Hi,

For a whole day I tried to make an ftp server that is behind the firewall work, but I'm not able to.

My ipf rules are:

pass in quick from any to any
pass out quick from any to any

So it is not an ipf problem.

My ipnat rules are:

map rl0 10.0.0.0/8 -> 0/32
rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp

where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.

I am able to login and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.

I really need help/advice

Thank you and please CC me the answer because I'm not in the list

Eric
RE: Ftp behind firewall/nat
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of eric wyzerski
Sent: Monday, January 31, 2005 2:11 PM
To: freebsd-questions@freebsd.org
Subject: Ftp behind firewall/nat

> Hi,
>
> For a whole day I tried to make an ftp server that is behind the firewall work, but I'm not able to.
>
> My ipf rules are:
>
> pass in quick from any to any
> pass out quick from any to any
>
> So it is not an ipf problem.
>
> My ipnat rules are:
>
> map rl0 10.0.0.0/8 -> 0/32
> rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>
> where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
>
> I am able to login and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
>
> I really need help/advice
>
> Thank you and please CC me the answer because I'm not in the list
>
> Eric

Hello,

This setup is only working with active ftp connections.. It's freezing at dir command because it's trying to do a passive connection.

You would need to setup the ftp server to serve passive connections and ipnat to redirect in a range of ports, something like:

PassivePortRange 5000 5010  <- ftpd config

rdr rl0 X.X.X.X/32 port 5000 -> 10.1.1.6 port 5000 tcp
rdr rl0 X.X.X.X/32 port 5001 -> 10.1.1.6 port 5001 tcp
rdr rl0 X.X.X.X/32 port 500x -> 10.1.1.6 port 500x tcp

Or use only active ftp connections..

Andras Kende
http://www.kende.com
Re: Ftp behind firewall/nat
You also might want to pass and redirect tcp port 20 (ftp data).. this seems to work very well for me.. also.. what FTP client are you using? You might want to use PASV FTP options

T

----- Original Message -----
From: eric wyzerski [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Monday, January 31, 2005 12:11 PM
Subject: Ftp behind firewall/nat

> Hi,
>
> For a whole day I tried to make an ftp server that is behind the firewall work, but I'm not able to.
>
> My ipf rules are:
>
> pass in quick from any to any
> pass out quick from any to any
>
> So it is not an ipf problem.
>
> My ipnat rules are:
>
> map rl0 10.0.0.0/8 -> 0/32
> rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>
> where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
>
> I am able to login and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
>
> I really need help/advice
>
> Thank you and please CC me the answer because I'm not in the list
>
> Eric
Re: Ftp behind firewall/nat
Hi,

Thanks for the hint but it doesn't work :/. However, now I'm using passive ftp and the problem is that when I try to login with the client and do the dir command, when the ftp server sends its IP, it sends 10.1.1.6 and the client tries to connect to 10.1.1.6! How can I change this IP for the IP of my router via ipnat command?

Thanks!

Eric

> From: Thomas Foster [EMAIL PROTECTED]
> To: eric wyzerski [EMAIL PROTECTED], freebsd-questions@freebsd.org
> Subject: Re: Ftp behind firewall/nat
> Date: Mon, 31 Jan 2005 14:24:15 -0800
>
> You also might want to pass and redirect tcp port 20 (ftp data).. this seems to work very well for me.. also.. what FTP client are you using? You might want to use PASV FTP options
>
> T
>
> ----- Original Message -----
> From: eric wyzerski [EMAIL PROTECTED]
> To: freebsd-questions@freebsd.org
> Sent: Monday, January 31, 2005 12:11 PM
> Subject: Ftp behind firewall/nat
>
> > Hi,
> >
> > For a whole day I tried to make an ftp server that is behind the firewall work, but I'm not able to.
> >
> > My ipf rules are:
> >
> > pass in quick from any to any
> > pass out quick from any to any
> >
> > So it is not an ipf problem.
> >
> > My ipnat rules are:
> >
> > map rl0 10.0.0.0/8 -> 0/32
> > rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
> >
> > where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
> >
> > I am able to login and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
> >
> > I really need help/advice
> >
> > Thank you and please CC me the answer because I'm not in the list
> >
> > Eric
Re: Ftp behind firewall/nat
Andras Kende wrote:

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of eric wyzerski
> Sent: Monday, January 31, 2005 2:11 PM
> To: freebsd-questions@freebsd.org
> Subject: Ftp behind firewall/nat
>
> > Hi,
> >
> > For a whole day I tried to make an ftp server that is behind the firewall work, but I'm not able to.
> >
> > My ipf rules are:
> >
> > pass in quick from any to any
> > pass out quick from any to any
> >
> > So it is not an ipf problem.
> >
> > My ipnat rules are:
> >
> > map rl0 10.0.0.0/8 -> 0/32
> > rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
> >
> > where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
> >
> > I am able to login and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
> >
> > I really need help/advice

First, ipnat is _first match_ unlike ipfilter which is _last match_, so in the above, your last rule would never apply.

Your problem is well covered in the ipf-howto, do this:

map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
map rl0 10.0.0.0/8 -> 0/32

This gives you ftp not just for one client but for all of them. Read the ipf-howto for more, read why you shouldn't try to reverse these rules if you are trying to setup an ftp-server!

Cheers, Erik
-- 
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Re: Ftp behind firewall/nat
Hi,

My setup works well with Active ftp but not with passive ftp. Your setup doesn't work with passive ftp. From ipfilter faq:

# I have an FTP server behind an IPF firewall, and I'm having problems serving passive FTP.

The IPF How-To gives a good explanation of this. The client will try to connect to the server's internal IP address because that's the way passive FTP works: the server tells the client its IP address in the payload and the client connects to it. The solution is to explicitly tell your FTP server what to report as its IP address, and give it a range of ports to give out as well. You will then need to redirect traffic from those ports on your IPF box to the FTP server. Each FTP server is different, and you'll need to read the manual for your specific software, but to give an example, you can specify this information in WU-FTPd's configuration file as follows:

passive ports 0.0.0.0/0 32768 49151
passive address your.pub.IP.addr 0.0.0.0/0

At the time of writing, it's been reported that Microsoft IIS's FTP server is not capable of being configured this way. However, most Unix FTP servers should have an option for this somewhere.

---

so, my problem is exactly this: the client tries to connect to 10.1.1.6 and not my external IP address. guess what? I'm using IIS ftp server (I can't use anything else), so is there a way to resolve this problem by doing something on the router (ipnat)?

Thanks

Eric

> From: Erik Norgaard [EMAIL PROTECTED]
> To: Andras Kende [EMAIL PROTECTED]
> CC: 'eric wyzerski' [EMAIL PROTECTED], freebsd-questions@freebsd.org
> Subject: Re: Ftp behind firewall/nat
> Date: Tue, 01 Feb 2005 00:07:15 +0100
>
> Andras Kende wrote:
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of eric wyzerski
> > Sent: Monday, January 31, 2005 2:11 PM
> > To: freebsd-questions@freebsd.org
> > Subject: Ftp behind firewall/nat
> >
> > > Hi,
> > >
> > > For a whole day I tried to make an ftp server that is behind the firewall work, but I'm not able to.
> > >
> > > My ipf rules are:
> > >
> > > pass in quick from any to any
> > > pass out quick from any to any
> > >
> > > So it is not an ipf problem.
> > >
> > > My ipnat rules are:
> > >
> > > map rl0 10.0.0.0/8 -> 0/32
> > > rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
> > >
> > > where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
> > >
> > > I am able to login and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
> > >
> > > I really need help/advice
>
> First, ipnat is _first match_ unlike ipfilter which is _last match_, so in the above, your last rule would never apply.
>
> Your problem is well covered in the ipf-howto, do this:
>
> map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
> map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
> map rl0 10.0.0.0/8 -> 0/32
>
> This gives you ftp not just for one client but for all of them. Read the ipf-howto for more, read why you shouldn't try to reverse these rules if you are trying to setup an ftp-server!
>
> Cheers, Erik
> -- 
> Ph: +34.666334818
> web: http://www.locolomo.org
> S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
> Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
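An added check, not code from the thread, that diagnoses the PASV failure Eric describes (and that Andras' rdr range is meant to fix): it parses the server's 227 reply the way an FTP client does and reports an advertised address that differs from the address the client opened the control connection to, an RFC 1918 address handed to a public client, or a data port outside the range the NAT box redirects. The public address 203.0.113.10 (standing in for X.X.X.X), the sample replies and the 5000-5010 range are constructed for this example.

```python
import ipaddress
import re

# 227 reply format from RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample replies: the first is what Eric's server sends (its own
# LAN address 10.1.1.6, data port 5000); the others are what a server configured
# with a public "passive address" would send.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,1,1,6,19,136)",
    "227 Entering Passive Mode (203,0,113,10,19,141)",
    "227 Entering Passive Mode (203,0,113,10,128,0)",
]
PUBLIC_SERVER = "203.0.113.10"    # constructed stand-in for X.X.X.X
REDIRECTED_PORTS = (5000, 5010)   # the PassivePortRange / rdr range from Andras' reply


def parse_pasv(reply: str):
    """Return (host, port) from a 227 reply, computed as an FTP client does."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(addr) -> bool:
    return any(addr in net for net in RFC1918)


def check_pasv(reply: str, server_addr: str, redirected_ports=REDIRECTED_PORTS):
    """Return a list of findings for a 227 reply received on a control connection
    to server_addr; an empty list means the data connection can reach the server
    through the NAT box."""
    host, port = parse_pasv(reply)
    advertised = ipaddress.ip_address(host)
    connected_to = ipaddress.ip_address(server_addr)
    lo, hi = redirected_ports
    findings = []
    if advertised != connected_to:
        findings.append(f"advertised {advertised} but the client connected to {connected_to}")
    if is_rfc1918(advertised) and not is_rfc1918(connected_to):
        findings.append(f"{advertised} is an RFC 1918 address, unreachable from a public client")
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside the redirected range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(reply, "->", parse_pasv(reply), check_pasv(reply, PUBLIC_SERVER) or "OK")
```

The first sample passes when checked against a LAN control connection to 10.1.1.6 and fails against the public address, which is exactly the "works inside, freezes at dir from outside" symptom in the thread.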
Re: 2 quick firewall questions for FreBSD
Andy Firman wrote:

> First, if one were to deploy FreeBSD 5.3 as a standard web and email server, would it need a firewall? I don't see the point because only ports like 25 for smtp, 110 for pop, 80 for http, etc... will be listening and open for connections with or without a firewall.

You always should use a firewall. You may run other services that may bind to ports on all interfaces, eg syslog, mysql, or others. Having a firewall will protect you against accidental misconfigurations of services that should only be accessible locally.

You may argue that your server is behind a routing firewall, but that argument only holds if there are no other servers. Otherwise you are at risk that if one server is compromised, the others fall easily thereafter.

The point is to use layers of security and filtering both on network routers/firewalls and on individual hosts, to obtain fine-grained control and prevent a compromise from propagating.

Cheers, Erik
-- 
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
2 quick firewall questions for FreBSD
First, if one were to deploy FreeBSD 5.3 as a standard web and email server, would it need a firewall? I don't see the point because only ports like 25 for smtp, 110 for pop, 80 for http, etc... will be listening and open for connections with or without a firewall.

Second, I would like to replace my Linux gateway running Shorewall. Shorewall is a nice package for managing the netfilter firewall capabilities of the Linux kernel. Is there something similar for FreeBSD?
Re: 2 quick firewall questions for FreBSD
Andy Firman wrote:

> First, if one were to deploy FreeBSD 5.3 as a standard web and email server, would it need a firewall? I don't see the point because only ports like 25 for smtp, 110 for pop, 80 for http, etc... will be listening and open for connections with or without a firewall.
>
> Second, I would like to replace my Linux gateway running Shorewall. Shorewall is a nice package for managing the netfilter firewall capabilities of the Linux kernel. Is there something similar for FreeBSD?

Let's look at #2 - Is this server running a WM? If so, why?

-- 
Best regards,
Chris

If the faulty part is in stock, it didn't need replacing in the first place.
Re: 2 quick firewall questions for FreBSD
Andy Firman wrote:

> Second, I would like to replace my Linux gateway running Shorewall. Shorewall is a nice package for managing the netfilter firewall capabilities of the Linux kernel. Is there something similar for FreeBSD?

personally i don't like Shorewall at all but.. imho m0n0wall rocks : http://www.m0n0.ch/wall/ :)

- based on FreeBSD
- you can run it from a soekris, or from cdrom+floppy or from hdd
- more responsive (at configuring) than some hardware-routers i've tried
- features amongst others portforwarding, VPN, traffic shaper, traffic grapher
Re: 2 quick firewall questions for FreBSD
Having a firewall prevents rogue programs from opening up other ports on your machine. You have to worry about services you don't install and configure just as much (maybe even more so) as the services you do install.

On Sat, 29 Jan 2005 12:50:51 -0900, Andy Firman [EMAIL PROTECTED] wrote:

> First, if one were to deploy FreeBSD 5.3 as a standard web and email server, would it need a firewall? I don't see the point because only ports like 25 for smtp, 110 for pop, 80 for http, etc... will be listening and open for connections with or without a firewall.
>
> Second, I would like to replace my Linux gateway running Shorewall. Shorewall is a nice package for managing the netfilter firewall capabilities of the Linux kernel. Is there something similar for FreeBSD?
Re: 2 quick firewall questions for FreBSD
For FreeBSD.. I highly recommend PF

http://www.section6.net/help/pf.php

Hope this helps

T

----- Original Message -----
From: Andy Firman [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Saturday, January 29, 2005 1:50 PM
Subject: 2 quick firewall questions for FreBSD

> First, if one were to deploy FreeBSD 5.3 as a standard web and email server, would it need a firewall? I don't see the point because only ports like 25 for smtp, 110 for pop, 80 for http, etc... will be listening and open for connections with or without a firewall.
>
> Second, I would like to replace my Linux gateway running Shorewall. Shorewall is a nice package for managing the netfilter firewall capabilities of the Linux kernel. Is there something similar for FreeBSD?
Re: firewall setup and whois for blacklisting IP's
On 01/10/05 01:34 PM, dave sat at the `puter and typed:

> Hello,
>
> For your setup of blacklisting IP's do you use any cron scripts for procedure automation? I'm assuming for your firewall block table that you store that in a separate file? Can you send that file my way?
>
> I've tried to come up with a perl script to get whois information out of a maillog, I'm getting ssh attempts that correspond to mail relaying attempts so I thought that would be best, however there seems to be a difference in the way certain servers return whois information, do you have any experience with this?
>
> When you email an abuse contact approximately what percentage of them write you back? I've emailed several providers, comcast mostly in the US, but I have not heard anything back from the person. Is there some sort of standard email template you follow?
>
> Thanks.
> Dave.

Good questions.

I don't use any automation, I just look at the auth logs on a regular basis. The reason is that I don't want to block every network that attempts my system. I haven't found any of the security settings to include illegal user attempts in the security mailing - though I'd think that would be there, and on by default. If it were there, I'd use that as a more reliable alert.

Also, I don't typically do anything at all with Amsterdam IPs, mostly because I haven't decided whether there's anything legitimate to be expected. I know there's a lot of porn sites, and this could easily be a starting point for a lot of these attempts, but it's a fairly open society, and I don't know whether the ISPs would really care about them. They may well care in those that I do block, but my experience has shown that they typically won't make much effort. Giving the benefit of the doubt, it's probably more of a language barrier than a lack of interest.

When I used ipfw, I did keep the blocked lists in a separate file, /etc/rc.firewall.blocked contained a rule for each CIDR block I rejected. Now I keep it in a table definition in /etc/pf.conf.

So far, in the last month, this is the full table definition for my pf firewall:

table <BLOCKED> { \
    60.0.0.0/8, \
    61.0.0.0/8, \
    195.0.0.0/8, \
    202.0.0.0/7, \
    221.0.0.0/8, \
    222.0.0.0/8 \
}

And at the appropriate place, I have a rule to block anything from those blocks:

# Block Network Badlands (table <BLOCKED>)
block in quick on $ext_if inet from <BLOCKED> to any

I haven't figured out how to automagically include a separate file with this table defined yet, but I haven't really tried either. Another option I haven't tried is to simply pull the CIDR specs out of something like blackholes.us, which I use to block mail from Asia, but I haven't taken the time to do that. It probably wouldn't be rocket science to automagically scan for the table definition and add a CIDR spec at the top of the table if it wasn't already there, but like I said, I haven't really been trying.

BTW, I'm copying this back to the list in case someone there *is* using some kind of automation to alert them to illegal user attempts, or if there is a switch I missed to include them in the security mailings. That will give them an opportunity to give you some help. That's usually a better option than getting me at the FreeBSD-at- address, since it goes to a mailbox specifically for the list, and unless the subject sets off any bells (like yours did in this case) I won't always read it. Besides, I'm more of a novice with network security/firewall setup, so you want some of the more knowledgeable folks there to have an opportunity to correct me :)

For *true offlist* email, I can be reached more reliably at leblanc-at-

Good luck. I'll continue to follow this thread in case someone posts something I can elaborate on to some useful end.

Lou
-- 
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

McGowan's Madison Avenue Axiom:
If an item is advertised as under $50, you can bet it's not $19.95.
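The automation Lou describes not having tried, as an added example that is not his script: it locates the <BLOCKED> table in a pf.conf, tells you whether an address from the auth log is already covered, and inserts a new CIDR at the top of the table only when no existing entry already contains it (dropping entries the new block supersedes). The pf.conf text is constructed from the table in his post; the ext_if macro line is an assumption added so the fragment is complete.

```python
import ipaddress
import re

# Constructed pf.conf fragment built from the table in the post. The ext_if
# macro is an assumption; pf would need it for the block rule below.
SAMPLE_PF_CONF = r'''ext_if = "fxp0"

table <BLOCKED> { \
    60.0.0.0/8, \
    61.0.0.0/8, \
    195.0.0.0/8, \
    202.0.0.0/7, \
    221.0.0.0/8, \
    222.0.0.0/8 \
}

# Block Network Badlands (table <BLOCKED>)
block in quick on $ext_if inet from <BLOCKED> to any
'''

# Matches "table <NAME> { ... }"; the body may span lines joined with "\".
TABLE_RE = re.compile(r"table\s+<(?P<name>\w+)>\s*\{(?P<body>.*?)\}", re.S)


def _find_table(conf: str, name: str):
    for m in TABLE_RE.finditer(conf):
        if m.group("name") == name:
            return m
    raise ValueError(f"table <{name}> not found")


def parse_table(conf: str, name: str = "BLOCKED"):
    """Return the table's entries as IPv4Network objects (bare IPs become /32)."""
    body = _find_table(conf, name).group("body").replace("\\\n", " ")
    items = [x.strip() for x in body.split(",") if x.strip()]
    # strict=True: a misaligned entry such as 61.0.0.0/7 is reported, not silently widened
    return [ipaddress.ip_network(x, strict=True) for x in items]


def render_table(name: str, entries) -> str:
    """Render the table in the same one-entry-per-line style as the original."""
    lines = [f"table <{name}> {{ \\"]
    for i, net in enumerate(entries):
        comma = "," if i < len(entries) - 1 else ""
        lines.append(f"    {net}{comma} \\")
    lines.append("}")
    return "\n".join(lines)


def is_blocked(conf: str, ip: str, name: str = "BLOCKED") -> bool:
    """Would this address (e.g. one pulled from auth.log) match the table already?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_table(conf, name))


def add_to_table(conf: str, cidr: str, name: str = "BLOCKED"):
    """Insert cidr at the top of table <name> unless an entry already covers it.
    Returns (new_conf, added)."""
    new = ipaddress.ip_network(cidr, strict=True)
    entries = parse_table(conf, name)
    if any(new.subnet_of(old) for old in entries):
        return conf, False                                   # already covered
    kept = [old for old in entries if not old.subnet_of(new)]  # drop superseded entries
    m = _find_table(conf, name)
    return conf[:m.start()] + render_table(name, [new] + kept) + conf[m.end():], True


if __name__ == "__main__":
    print(is_blocked(SAMPLE_PF_CONF, "203.1.2.3"))           # covered by 202.0.0.0/7
    updated, added = add_to_table(SAMPLE_PF_CONF, "218.0.0.0/8")
    print(added)
    print(updated)
```

Run the result through `pfctl -nf` before loading it; this only edits the text, it does not validate the rest of the file.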
SSHing to a kerberized jail behind a NAT/firewall
I apologize in advance if this question is pretty information-dense.

I'm using the kdc in the 5.3 base system as an authentication server for my home LAN. I can use kinit to get a TGT from the server from machines on the LAN and elsewhere on the Internet, and I can use SSH with the "GSSAPIAuthentication yes" option to connect to my main server via IPv4 or IPv6. So far, so good.

Next, I decided to kerberize the SSH daemon inside one of my jail servers, virtual1.honeypot.net, so I created a principal for it (host/virtual1.honeypot.net) and extracted that into the jail's /etc/keytab file. Now, I can SSH to that machine from any of the hosts on my LAN, but when I try to connect from the outside world using the FQDN of the jail, I get a lot of errors like this in kdc.log:

2004-12-29T16:34:58 TGS-REQ [EMAIL PROTECTED] from IPv4:1.2.3.4 for krbtgt/[EMAIL PROTECTED]
2004-12-29T16:34:58 Server not found in database: krbtgt/[EMAIL PROTECTED]: No such entry in the database

and "ssh -v virtual1.honeypot.net" fails with messages like:

debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-7
debug1: Miscellaneous failure
Server not found in Kerberos database

HONEYPOT.NET is my LAN's realm, and conpoint.com is my home ISP's domain name. My questions are:

1) Why can I use Kerberos to authenticate to that jail server from inside my LAN, but not from outside (especially when I can connect to its parent machine from the outside world)?

2) Where on earth did that krbtgt/[EMAIL PROTECTED] request come from?

-- 
Kirk Strauser
loading firewall rules dynamically at higher security levels
Hello,

I was wondering, is it possible to load ipf or pf via rc.conf with a system in a securelevel of 1 or greater? Trying this thus far has been unsuccessful; reading the man page suggests this is not possible, but if anyone has a workaround I'd appreciate it.

Thanks.
Dave.
Re: loading firewall rules dynamically at higher security levels
On 2004-12-28 13:21, dave [EMAIL PROTECTED] wrote:

> Hello,
>
> I was wondering, is it possible to load ipf or pf via rc.conf with a system in a securelevel of 1 or greater? Trying this thus far has been unsuccessful; reading the man page suggests this is not possible, but if anyone has a workaround I'd appreciate it.

Hmmm, as far as I can tell, all firewalls are loaded before the securelevel is bumped:

% gothmog:/root# rcorder /etc/rc.d/* | egrep -e 'pf|securelevel'
% /etc/rc.d/ipfilter
% /etc/rc.d/ipfs
% /etc/rc.d/ipfw
% /etc/rc.d/pflog
% /etc/rc.d/pf
% /etc/rc.d/securelevel
% gothmog:/root#

How are you setting the system securelevel and how do firewall rules fail to load?
Re: Is this a hole in my firewall?
On Mon, Nov 29, 2004 at 04:14:07PM +0100, Ruben de Groot wrote:
: 
: allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0
: 
: where INTERNAL_NET would be e.g. 192.168.0.0/24

I was checking out the man page, and I'm a little unclear on whether I want 'xmit' or 'via' in this rule. Does it make much of a practical difference?

jm
--
Re: Is this a hole in my firewall?
On Tuesday 30 November 2004 15:37, Jonathon McKitrick wrote:

> On Mon, Nov 29, 2004 at 04:14:07PM +0100, Ruben de Groot wrote:
> : 
> : allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0
> : 
> : where INTERNAL_NET would be e.g. 192.168.0.0/24
>
> I was checking out the man page, and I'm a little unclear on whether I want 'xmit' or 'via' in this rule. Does it make much of a practical difference?

If you want to check your firewall with a scan from nmap, go to:

http://jeremino.homeunix.net/portscan.php
Re: Is this a hole in my firewall?
On Sun, Nov 28, 2004 at 02:27:41PM +0200, Giorgos Keramidas typed:
> On 2004-11-28 04:48, Jonathon McKitrick [EMAIL PROTECTED] wrote:
> > On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
> > : AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
> > : you also have rule 00200 in there.
> >
> > Hmmm here's a run after having the laptop running for a bit. I don't see why 200 doesn't cover the case either.
> >
> > [EMAIL PROTECTED]:~# ipfw show
> > 00100 0 0 check-state
> > 00200 6709 1277079 allow ip from me to any keep-state out xmit tun0
> > 00300 2093 645797 allow ip from any to any keep-state out xmit tun0
>
> Oops! That doesn't look good, unless I'm missing something about the way 'me' works.

He's using ppp-nat. So packets from his laptop will first hit rule #300 and only after that get nat'ed. I believe this is normal behaviour.

Ruben

> It's probably a good idea to send what you have so far to the freebsd-ipfw people.
Re: Is this a hole in my firewall?
On Mon, Nov 29, 2004 at 12:30:20PM +0100, Ruben de Groot wrote:
: He's using ppp-nat. So packets from his laptop will first hit rule #300 and
: only after that get nat'ed. I believe this is normal behaviour.

Ah, yes. I always forget about ppp-nat.

So, then, is this the best way to allow my laptop packets out? Or does it still leave the laptop exposed? I'd like to protect all the machines with one firewall, while keeping it simple, if possible.

jm
--
Re: Is this a hole in my firewall?
On Mon, Nov 29, 2004 at 01:21:14PM +, Jonathon McKitrick typed:
> On Mon, Nov 29, 2004 at 12:30:20PM +0100, Ruben de Groot wrote:
> : He's using ppp-nat. So packets from his laptop will first hit rule #300 and
> : only after that get nat'ed. I believe this is normal behaviour.
>
> Ah, yes. I always forget about ppp-nat.
>
> So, then, is this the best way to allow my laptop packets out? Or does it still leave the laptop exposed? I'd like to protect all the machines with one firewall, while keeping it simple, if possible.

Your laptop won't be exposed by this. You could however finetune your ruleset a little bit by modifying rule 300 to something like:

allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0

where INTERNAL_NET would be e.g. 192.168.0.0/24

Ruben
Re: Is this a hole in my firewall?
On Mon, Nov 29, 2004 at 03:09:30PM +0100, Ruben de Groot wrote:
: On Mon, Nov 29, 2004 at 01:21:14PM +0000, Jonathon McKitrick typed:
: On Mon, Nov 29, 2004 at 12:30:20PM +0100, Ruben de Groot wrote:
: : He's using ppp-nat. So packets from his laptop will first hit rule #300 and
: : only after that get nat'ed. I believe this is normal behaviour.
:
: Ah, yes. I always forget about ppp-nat.
:
: So, then, is this the best way to allow my laptop packets out? Or does it
: still leave the laptop exposed? I'd like to protect all the machines with
: one firewall, while keeping it simple, if possible.
:
: Your laptop won't be exposed by this. You could however finetune your
: ruleset a little bit by modifying rule 300 to something like:
:
: allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0
:
: where INTERNAL_NET would be e.g. 192.168.0.0/24

Should I also run a firewall on the laptop then, since all traffic to the
laptop is allowed to pass?

jm
Re: Is this a hole in my firewall?
On Mon, Nov 29, 2004 at 02:44:58PM +0000, Jonathon McKitrick typed:
> On Mon, Nov 29, 2004 at 03:09:30PM +0100, Ruben de Groot wrote:
> : On Mon, Nov 29, 2004 at 01:21:14PM +0000, Jonathon McKitrick typed:
> : On Mon, Nov 29, 2004 at 12:30:20PM +0100, Ruben de Groot wrote:
> : : He's using ppp-nat. So packets from his laptop will first hit rule #300 and
> : : only after that get nat'ed. I believe this is normal behaviour.
> :
> : Ah, yes. I always forget about ppp-nat.
> :
> : So, then, is this the best way to allow my laptop packets out? Or does it
> : still leave the laptop exposed? I'd like to protect all the machines with
> : one firewall, while keeping it simple, if possible.
> :
> : Your laptop won't be exposed by this. You could however finetune your
> : ruleset a little bit by modifying rule 300 to something like:
> :
> : allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0
> :
> : where INTERNAL_NET would be e.g. 192.168.0.0/24
>
> Should I also run a firewall on the laptop then, since all traffic to the
> laptop is allowed to pass?

No. Only traffic on connections that were initiated by your laptop is allowed
to pass. That's what a stateful firewall does.

Ruben

> jm
Re: Is this a hole in my firewall?
On 2004-11-29 14:44, Jonathon McKitrick [EMAIL PROTECTED] wrote:
> On Mon, Nov 29, 2004 at 03:09:30PM +0100, Ruben de Groot wrote:
> : Your laptop won't be exposed by this. You could however finetune your
> : ruleset a little bit by modifying rule 300 to something like:
> :
> : allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0
> :
> : where INTERNAL_NET would be e.g. 192.168.0.0/24
>
> Should I also run a firewall on the laptop then, since all traffic to the
> laptop is allowed to pass?

Probably, irrelevant to the original question, but...

In general, it's not a bad idea. You won't have to remember to turn on
firewalling when the laptop is connected to a different network; one that
shouldn't really be trusted so much.
Re: Is this a hole in my firewall?
On Mon, Nov 29, 2004 at 05:13:44PM +0200, Giorgos Keramidas wrote:
: In general, it's not a bad idea. You won't have to remember to turn
: on firewalling when the laptop is connected to a different network; one
: that shouldn't really be trusted so much.

Not a bad idea. I also use it on the network at my job. They have a
firewall, but who knows how it's set up.

jm
--
My other computer is your Windows box.
Re: Is this a hole in my firewall?
On 2004-11-28 04:48, Jonathon McKitrick [EMAIL PROTECTED] wrote:
> On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
> : AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
> : you also have rule 00200 in there.
>
> Hmmm here's a run after having the laptop running for a bit. I don't see
> why 200 doesn't cover the case either.
>
> [EMAIL PROTECTED]:~# ipfw show
> 00100    0       0 check-state
> 00200 6709 1277079 allow ip from me to any keep-state out xmit tun0
> 00300 2093  645797 allow ip from any to any keep-state out xmit tun0

Oops! That doesn't look good, unless I'm missing something about the way
'me' works.

It's probably a good idea to send what you have so far to the freebsd-ipfw
people.
Is this a hole in my firewall?
Here are my rules:

[EMAIL PROTECTED]:~# ipfw show
00100 0   0 check-state
00200 2 144 allow ip from me to any keep-state out xmit tun0
00300 0   0 allow ip from any to any keep-state out xmit tun0
00400 0   0 deny tcp from any to any in recv tun0 established
00500 0   0 allow ip from any to any via vr0
00600 0   0 allow ip from any to any via lo0
00700 0   0 deny ip from any to 127.0.0.0/8
00800 0   0 deny ip from 127.0.0.0/8 to any
00900 0   0 allow tcp from any to me 22 keep-state in recv vr0 setup
01000 0   0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
01100 0   0 deny log logamount 100 ip from any to any
65535 0   0 deny ip from any to any

I added rule 300 so that my laptop on my wireless network can connect, ping,
and get DNS and DHCP. Is there a better way to specify this?

jm
Re: Is this a hole in my firewall?
Jonathon McKitrick wrote:
> Here are my rules:
>
> [EMAIL PROTECTED]:~# ipfw show
> 00100 0   0 check-state
> 00200 2 144 allow ip from me to any keep-state out xmit tun0
> 00300 0   0 allow ip from any to any keep-state out xmit tun0
> 00400 0   0 deny tcp from any to any in recv tun0 established
> 00500 0   0 allow ip from any to any via vr0
> 00600 0   0 allow ip from any to any via lo0
> 00700 0   0 deny ip from any to 127.0.0.0/8
> 00800 0   0 deny ip from 127.0.0.0/8 to any
> 00900 0   0 allow tcp from any to me 22 keep-state in recv vr0 setup
> 01000 0   0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
> 01100 0   0 deny log logamount 100 ip from any to any
> 65535 0   0 deny ip from any to any
>
> I added rule 300 so that my laptop on my wireless network can connect, ping,
> and get DNS and DHCP. Is there a better way to specify this?
>
> jm

Well, maybe; is the laptop's IP assigned statically or dynamically? If
static, I suppose

allow ip from lap.top.id.addr to any keep-state out xmit tun0

would be the thing. You can also specify the network:

allow ip from any 192.168.0/24 to any keep-state out via tun0.

HTH,
Re: Is this a hole in my firewall?
On 2004-11-27 21:56, Jonathon McKitrick [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED]:~# ipfw show
> 00100 0   0 check-state
> 00200 2 144 allow ip from me to any keep-state out xmit tun0
> 00300 0   0 allow ip from any to any keep-state out xmit tun0
> 00400 0   0 deny tcp from any to any in recv tun0 established
> 00500 0   0 allow ip from any to any via vr0
> 00600 0   0 allow ip from any to any via lo0
> 00700 0   0 deny ip from any to 127.0.0.0/8
> 00800 0   0 deny ip from 127.0.0.0/8 to any
> 00900 0   0 allow tcp from any to me 22 keep-state in recv vr0 setup
> 01000 0   0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
> 01100 0   0 deny log logamount 100 ip from any to any
> 65535 0   0 deny ip from any to any
>
> I added rule 300 so that my laptop on my wireless network can connect, ping,
> and get DNS and DHCP. Is there a better way to specify this?

AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
you also have rule 00200 in there.
Re: Is this a hole in my firewall?
On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
: AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
: you also have rule 00200 in there.

Hmmm here's a run after having the laptop running for a bit. I don't see
why 200 doesn't cover the case either.

[EMAIL PROTECTED]:~# ipfw show
00100    0       0 check-state
00200 6709 1277079 allow ip from me to any keep-state out xmit tun0
00300 2093  645797 allow ip from any to any keep-state out xmit tun0
00400 917308 deny tcp from any to any in recv tun0 established
00500 436869 allow ip from any to any via vr0
00600 523080 allow ip from any to any via lo0
00700    0       0 deny ip from any to 127.0.0.0/8
00800    0       0 deny ip from 127.0.0.0/8 to any
00900    0       0 allow tcp from any to me 22 keep-state in recv vr0 setup
01000    0       0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
01100 111371 deny log logamount 100 ip from any to any
65535    0       0 deny ip from any to any
[EMAIL PROTECTED]:~#

jm
--
My other computer is your Windows box.
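As an added example (not code from the thread), a small Python model of Jonathon's ruleset: first-match evaluation, keep-state/check-state dynamic rules, and the ppp-nat detail Ruben points out (a packet leaves tun0 with the laptop's private source address before NAT, so "me" never matches it). It walks a laptop-initiated connection and its reply, an unsolicited inbound connection to the laptop, and Ruben's tightened rule 300; all addresses are constructed, and ports and ICMP types are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ME = {ip_address("203.0.113.5"), ip_address("192.168.0.1")}  # what "me" expands to: the gateway's own addresses (constructed)
LAPTOP, OUTSIDE = "192.168.0.10", "198.51.100.7"  # laptop behind ppp-nat, outside web server (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    direction: str          # "in" or "out"
    iface: str              # "tun0", "vr0" or "lo0"
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt

@dataclass
class Rule:
    number: int
    action: str             # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"        # "any", "me" or a CIDR
    dst: str = "any"
    direction: str = ""     # "in", "out" or "" for "via" (either direction)
    iface: str = ""
    keep_state: bool = False
    established: bool = False  # match only TCP packets that are not SYN-only

def _addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or ip_address(addr) in ME
    return ip_address(addr) in ip_network(spec, strict=False)

def _rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.established and (pkt.proto != "tcp" or pkt.syn_only):
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)

def _flow(pkt):
    return (frozenset({pkt.src, pkt.dst}), pkt.proto)  # both directions of one flow

class Firewall:
    """First-match evaluation plus a table of dynamic (keep-state) rules."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.state = set()  # flows recorded by keep-state; ports are not modelled

    def evaluate(self, pkt):
        """Return (verdict, rule number) for pkt, recording state where a rule keeps it."""
        for rule in self.rules:
            if rule.action == "check-state":
                if _flow(pkt) in self.state:  # packet belongs to a recorded flow
                    return "allow", rule.number
                continue
            if not _rule_matches(rule, pkt):
                continue
            if rule.keep_state:
                self.state.add(_flow(pkt))
            return rule.action, rule.number
        return "deny", 65535

def page_ruleset(rule300_src="any"):
    """Jonathon's rules; pass "192.168.0.0/24" for Ruben's tightened rule 300."""
    return [
        Rule(100, "check-state"),
        Rule(200, "allow", src="me", direction="out", iface="tun0", keep_state=True),
        Rule(300, "allow", src=rule300_src, direction="out", iface="tun0", keep_state=True),
        Rule(400, "deny", proto="tcp", direction="in", iface="tun0", established=True),
        Rule(500, "allow", iface="vr0"),
        Rule(600, "allow", iface="lo0"),
        Rule(700, "deny", dst="127.0.0.0/8"),
        Rule(800, "deny", src="127.0.0.0/8"),
        Rule(900, "allow", proto="tcp", dst="me", direction="in", iface="vr0", keep_state=True),
        Rule(1000, "allow", proto="icmp", iface="tun0"),  # icmptypes not modelled
        Rule(1100, "deny"),
    ]

def tcp(src, dst, direction, syn_only=False):
    return Packet(src, dst, "tcp", direction, "tun0", syn_only)

def laptop_web_session(rule300_src="any"):
    """Laptop connects out tun0 (private source, NAT happens later); reply comes back in."""
    fw = Firewall(page_ruleset(rule300_src))
    return fw.evaluate(tcp(LAPTOP, OUTSIDE, "out", syn_only=True)), fw.evaluate(tcp(OUTSIDE, LAPTOP, "in"))

def unsolicited_inbound(syn_only):
    """An outside host contacts the laptop first: nothing is in the state table."""
    return Firewall(page_ruleset()).evaluate(tcp(OUTSIDE, LAPTOP, "in", syn_only))

def gateway_outbound():
    """Only the gateway's own traffic is covered by rule 200's "me"."""
    return Firewall(page_ruleset()).evaluate(tcp("203.0.113.5", OUTSIDE, "out", syn_only=True))

def stray_outbound(rule300_src):
    """A non-LAN source leaving tun0: "any" lets it out, the tightened rule does not."""
    return Firewall(page_ruleset(rule300_src)).evaluate(tcp("10.9.9.9", OUTSIDE, "out", syn_only=True))
```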
Re: IPFilter Firewall Tutorial
--- Darryl Hoar [EMAIL PROTECTED] wrote:
> Does anyone have a pointer to or know of a good tutorial for setting up a
> freebsd box as a firewall using IPFilter ?
>
> In the past, I have used the tutorial at: http://www.schlacter.net/
> But it is for Freebsd 4.6-stable. I would need one for the stable version
> of Freebsd.
>
> any help greatly appreciated.
>
> -Darryl

http://www.obfuscation.org/ipf/

ESCape with VI. Cheese A La mode.
IPFilter Firewall Tutorial
Does anyone have a pointer to or know of a good tutorial for setting up a
freebsd box as a firewall using IPFilter ?

In the past, I have used the tutorial at: http://www.schlacter.net/
But it is for Freebsd 4.6-stable. I would need one for the stable version
of Freebsd.

any help greatly appreciated.

-Darryl
Re: IPFilter Firewall Tutorial
On Wednesday 17 November 2004 17:57, Darryl Hoar wrote:
> Does anyone have a pointer to or know of a good tutorial for setting up a
> freebsd box as a firewall using IPFilter ?
>
> In the past, I have used the tutorial at: http://www.schlacter.net/
> But it is for Freebsd 4.6-stable. I would need one for the stable version
> of Freebsd.
>
> any help greatly appreciated.
>
> -Darryl

This is a bit dated as well, but might help you out.

http://www.tcbug.org/ipf.html

--
Thanks,
Josh Paetzel
Re: IPFilter Firewall Tutorial
On Wednesday 17 November 2004 17:57, Darryl Hoar wrote:
> > Does anyone have a pointer to or know of a good tutorial for setting up a
> > freebsd box as a firewall using IPFilter ?
> >
> > In the past, I have used the tutorial at: http://www.schlacter.net/
> > But it is for Freebsd 4.6-stable. I would need one for the stable version
> > of Freebsd.
>
> This is a bit dated as well, but might help you out.
>
> http://www.tcbug.org/ipf.html

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

--
Regards,
Doug
Re: IPFilter Firewall Tutorial
darryl, take a look at /usr/share/examples/ipfilter/, it might be of some
help, good luck

On Wednesday 17 November 2004 17:57, Darryl Hoar wrote:
> Does anyone have a pointer to or know of a good tutorial for setting up a
> freebsd box as a firewall using IPFilter ?
>
> In the past, I have used the tutorial at: http://www.schlacter.net/
> But it is for Freebsd 4.6-stable. I would need one for the stable version
> of Freebsd.
>
> any help greatly appreciated.
>
> -Darryl
ipf firewall questions
I'm using ipf as my firewall, and I can't figure out why OWA is being blocked
going to 172.20.0.11. Below is the current config file which works. But if I
removed the fourth line, my users can't access OWA externally. I would have
thought the lines:

pass out quick from 172.20.0.0/24 to any keep state
and
pass in quick from any to 172.20.0.0/24

would have superseded the line

block out log proto tcp from any to any port = 80.

Any suggestions would be helpful.

Andrew

#
# Permit Outlook Web Access
#
pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state
#
# Allow All College Traffic
#
pass in quick from 10.0.0.0/8 to any
pass out quick from any to 10.0.0.0/8
#
# Permit all Network Critical Machines Access
#
pass out quick from 172.20.0.0/24 to any keep state
pass in quick from any to 172.20.0.0/24
#
# Permit all Network Teacher/Staff Computers Access
#
pass out quick from 172.20.1.0/24 to any keep state
pass in quick from any to 172.20.1.0/24
#
# Block all Network Traffic from Student Used Computers
#
block out quick from 172.20.2.0/24 to any
block in quick from any to 172.20.2.0/24
#
# Block all Network Traffic from Student Owned Computers
#
block out quick from 172.20.3.0/24 to any
block in quick from any to 172.20.3.0/24
#
# Block any other Port 80 or 443 Access
#
block out log proto tcp from any to any port = 80
block out log proto tcp from any to any port = 443
Re: ipf firewall questions
On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith [EMAIL PROTECTED] wrote:
> I'm using ipf as my firewall, and I can't figure out why OWA is being blocked
> going to 172.20.0.11. Below is the current config file which works. But if I
> removed the fourth line, my users can't access OWA externally. I would have
> thought the lines:
>
> pass out quick from 172.20.0.0/24 to any keep state
> and
> pass in quick from any to 172.20.0.0/24
>
> would have superseded the line
>
> block out log proto tcp from any to any port = 80.
>
> Any suggestions would be helpful.
>
> Andrew
>
> #
> # Permit Outlook Web Access
> #
> pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state
> #
> # Allow All College Traffic
> #
> pass in quick from 10.0.0.0/8 to any
> pass out quick from any to 10.0.0.0/8
> #
> # Permit all Network Critical Machines Access
> #
> pass out quick from 172.20.0.0/24 to any keep state
> pass in quick from any to 172.20.0.0/24
> #
> # Permit all Network Teacher/Staff Computers Access
> #
> pass out quick from 172.20.1.0/24 to any keep state
> pass in quick from any to 172.20.1.0/24

If you remove rule #4 - then there's nothing to allow response traffic that
I can see (unless I'm missing something). I'd guess that if you remove #4
and add 'keep state' to #5 it'll work.

Aaron
Re: ipf firewall questions
On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith [EMAIL PROTECTED] wrote:
> I'm using ipf as my firewall, and I can't figure out why OWA is being blocked
> going to 172.20.0.11. Below is the current config file which works. But if I
> removed the fourth line, my users can't access OWA externally. I would have
> thought the lines:
>
> pass out quick from 172.20.0.0/24 to any keep state
> and
> pass in quick from any to 172.20.0.0/24
>
> would have superseded the line
>
> block out log proto tcp from any to any port = 80.
>
> Any suggestions would be helpful.
>
> Andrew
>
> #
> # Permit Outlook Web Access
> #
> pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state

Sorry - I missed the very first rule - how thorough of me.

Given that - and my lack of familiarity with ipf vs. ipfw or pf - I'd say the
problem may be the lack of any check state type rule which applies to the
response traffic. I haven't exhaustively looked at the man page on ipf to
verify this, but reviewing what rules will cause ipf to check for any
existing states may help. If they are hitting that rule and nothing below is
catching response traffic based on existing states then I'm guessing that is
what's needed.

Sorry for the confusion on the last post and my apologies if this one causes
any more.

Aaron
Re: Why use a firewall with dialup?
On Sat, Nov 13, 2004 at 09:12:37PM +0000, Jonathon McKitrick wrote:
> I've been using one for some time, but now that I have a mini network, it
> has become a bit of a hassle updating the rules. If I disable all services
> but ssh, stay STABLE, and do not have a broadband connection, what danger
> is there?

Well, there is a possible DoS attack as your system gets hit with a load of
TCP SYN packets which your system will respond with ICMP errors or SYN-ACK
depending on the port. A firewall could drop all incoming packets not to TCP
port 22 or part of an outgoing connection plus block incoming pings. And if
you move ssh to, say, port 1243, there's very little chance anyone might
even find your machine if they can't see your outgoing traffic.

Oh, and don't ever think your dial-up connection reduces the chance that
you'll be attacked. You'd be a great target to use as a decoy when they
decide to take down the FBI going through five cracked machines to hide
their tracks.

> jm

--
I sense much NT in you. NT leads to Bluescreen. Bluescreen leads to
downtime. Downtime leads to suffering. NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
Why use a firewall with dialup?
I've been using one for some time, but now that I have a mini network, it
has become a bit of a hassle updating the rules. If I disable all services
but ssh, stay STABLE, and do not have a broadband connection, what danger
is there?

jm
Re: Why use a firewall with dialup?
On Saturday 13 November 2004 01:12 pm, Jonathon McKitrick wrote:
> I've been using one for some time, but now that I have a mini network, it
> has become a bit of a hassle updating the rules. If I disable all services
> but ssh, stay STABLE, and do not have a broadband connection, what danger
> is there?

The script kiddies don't target broadband. They step through IP blocks. You
are just as much at risk with dialup as you are with broadband. The only
difference is the time of exposure.

It has been a long time since I used dialup but IIRC, ppp-user had some
features very much like a firewall.

Kent
--
Kent Stewart
Richland, WA
http://users.owt.com/kstewart/index.html
Re: Why use a firewall with dialup?
On Sat, Nov 13, 2004, Kent Stewart wrote:
> On Saturday 13 November 2004 01:12 pm, Jonathon McKitrick wrote:
> > I've been using one for some time, but now that I have a mini network, it
> > has become a bit of a hassle updating the rules. If I disable all services
> > but ssh, stay STABLE, and do not have a broadband connection, what danger
> > is there?
>
> The script kiddies don't target broadband. They step through IP blocks. You
> are just as much at risk with dialup as you are with broadband. The only
> difference is the time of exposure.

The only time I've ever had a Linux box cracked was when I was using my
laptop with a Ricochet wireless modem. I hadn't hardened the laptop because
I was lazy, and it had never been out in the wild before, living on our
internal LAN behind our firewalls and NAT.

Bill
--
INTERNET: [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:     camco!bill         PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186     Mercer Island, WA 98040-0820; (206) 236-1676
URL:      http://www.celestial.com/

``We maintain that the very foundation of our way of life is what we call
free enterprise,'' said Cash McCall, ``but when one of our citizens show
enough free enterprise to pile up a little of that profit, we do our best
to make him feel that he ought to be ashamed of himself.''
-- Cameron Hawley
Firewall and nmap
Hi!

I compiled a kernel using the GENERIC config file that comes with the
default 5.2.1 installation, adding support for ipfw. I tried to scan my
computer with a linux machine running nmap, but nmap tells me that the host
seems to be down although I was able to ping the freebsd-host. So I flushed
all rules for the firewall with ipfw flush (the still existing default rule
enables all traffic because I compiled this in my kernel; ipfw -c list told
me that this is true). Anyway, nothing changes, all ports seem to be closed
running nmap, pings are successful again!

1) What's wrong with my configuration?

2) I've tried to add all kernel options to this mail using the online
handbook from www.freeebsd.org. I realized that the firewall section covers
now the OpenBSD filter pf. What's the state of the art? How do I enable pf
under 5.2.1 - package or port?

3) Is there something similar like nmap or is there a BSD-network scanner,
whose usage is recommended?

Thanks in advance,
Florian

--
Florian Hengstberger
[EMAIL PROTECTED]
http://stud3.tuwien.ac.at/~e0025265
--
Re: Firewall and nmap
On 2004.10.27 11:26:00 +0000, Florian Hengstberger wrote:
> Hi!
>
> I compiled a kernel using the GENERIC config file that comes with the
> default 5.2.1 installation, adding support for ipfw. I tried to scan my
> computer with a linux machine running nmap, but nmap tells me that the host
> seems to be down although I was able to ping the freebsd-host. So I flushed
> all rules for the firewall with ipfw flush (the still existing default rule
> enables all traffic because I compiled this in my kernel; ipfw -c list told
> me that this is true). Anyway, nothing changes, all ports seem to be closed
> running nmap, pings are successful again!
>
> 1) What's wrong with my configuration?

Don't know yet, but what does ipfw show say? Maybe it enabled the
/etc/rc.firewall?

> 2) I've tried to add all kernel options to this mail using the online
> handbook from www.freeebsd.org. I realized that the firewall section covers
> now the OpenBSD filter pf. What's the state of the art? How do I enable pf
> under 5.2.1 - package or port?

To enable PF put in your firewall:

options IPFILTER                # ipfilter support

These can be put optionally:

options IPFILTER_LOG            # ipfilter logging
options IPFILTER_DEFAULT_BLOCK  # block all packets by default

I don't think you want the last one yet, so first comment it out.

> 3) Is there something similar like nmap or is there a BSD-network scanner,
> whose usage is recommended?

Dunno, i use nmap on my boxes as well. Works great.

> Thanks in advance,
> Florian

You're welcome.

Mark.

> --
> Florian Hengstberger
> [EMAIL PROTECTED]
> http://stud3.tuwien.ac.at/~e0025265
> --
Re: Automatic Firewall software?
On Fri, 2004-10-15 at 04:09, Vulpes Velox wrote:
> > Doesn't Portsentry ignore ports that have a service bound to them like
> > the SSH daemon? In that case, it wouldn't help Brian's problem, since
> > ssh is running, portsentry would ignore any attacks to port 22, right?
>
> Move it and the like to a non-common port if one can. :)

Security by obscurity??? NO!
There is a tiny little configuration file to change portsentry's behaviour!
So tell portsentry not to listen on used ports!

Richard
Re: Automatic Firewall software?
Doesn't Portsentry ignore ports that have a service bound to them like the
SSH daemon? In that case, it wouldn't help Brian's problem, since ssh is
running, portsentry would ignore any attacks to port 22, right?
Re: Automatic Firewall software?
Frankly I hadn't thought of that. You can configure portsentry to monitor
any port *and* to ignore certain hosts, so I would think it could monitor
port 22 although I haven't tested it personally.

--On Thursday, October 14, 2004 02:07:24 PM -0500 Peter Pauly
[EMAIL PROTECTED] wrote:
> Doesn't Portsentry ignore ports that have a service bound to them like the
> SSH daemon? In that case, it wouldn't help Brian's problem, since ssh is
> running, portsentry would ignore any attacks to port 22, right?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Re: Automatic Firewall software?
On Thu, 14 Oct 2004 14:07:24 -0500 Peter Pauly [EMAIL PROTECTED] wrote:
> Doesn't Portsentry ignore ports that have a service bound to them like the
> SSH daemon? In that case, it wouldn't help Brian's problem, since ssh is
> running, portsentry would ignore any attacks to port 22, right?

Move it and the like to a non-common port if one can. :)
Automatic Firewall software?
All,

This morning, I woke up to find one of my systems under hacker attack
(considerable multiple attempts to log in to ftp, ssh, etc., mostly using
system accounts). I loaded ipfw and set up a couple of quick rules to block
the point of origin. Unfortunately, the address appears to be DHCP'ed, so I
expect the hacker will at some point get a new address, and start over.

Rather than having to hang over my machine is there any software out there
that will monitor logs (e.g. /var/log/messages), parse out failed logins
like this, and run an ipfw command to block it? Perhaps something can be
done via PAM?

An added extra bonus would be if it would unblock after some period of time,
in case a legit. user bungles their password, and can't get in (saves the
service call).

-Brian
Re: Automatic Firewall software?
--On Wednesday, October 13, 2004 10:04:24 AM -0400 Brian J. McGovern
[EMAIL PROTECTED] wrote:
> Rather than having to hang over my machine is there any software out there
> that will monitor logs (e.g. /var/log/messages), parse out failed logins
> like this, and run an ipfw command to block it? Perhaps something can be
> done via PAM?

Yes. Look at the Sentry Tools project at Sourceforge.
(http://sourceforge.net/projects/sentrytools/) In particular, portsentry
will do exactly what you want. It will throw up a temporary rule in ipfw
blocking the host. (I say temporary because when you restart ipfw it will go
away.) It will also add the host to your /etc/hosts.allow file, blocking it
permanently from accessing privileged services.

> An added extra bonus would be if it would unblock after some period of
> time, in case a legit. user bungles their password, and can't get in
> (saves the service call).

It won't do that, but you can just run ipfw show and then delete the rule.
Then you can add that host to the portsentry.ignore file, and it will never
happen again. (Or you can do it proactively if you know the hosts or
networks your users will be coming from.)

I've been using it for years. Works very well, but be careful. On a large
server with lots of activity, you probably want to start by not blocking
anything until you're comfortable with your ignore file.

I also use logsentry on a number of hosts. Very nice program. Both are well
written and quite mature.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
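An added example, not from the thread and not portsentry: a small Python log watcher of the kind Brian asks for. It parses failed sshd/ftpd logins from /var/log/messages-style lines, emits an "ipfw add ... deny" command once a source fails three times within ten minutes, and emits the matching "ipfw delete" once an hour has passed. The log lines, thresholds, rule numbers and the ignored LAN are constructed assumptions, and the commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Failed-login lines of the kind sshd and ftpd write to /var/log/messages (constructed).
SAMPLE_LOG = """\
Oct 13 06:01:02 gw sshd[812]: Failed password for illegal user admin from 198.51.100.23 port 40122 ssh2
Oct 13 06:01:05 gw sshd[815]: Failed password for root from 198.51.100.23 port 40130 ssh2
Oct 13 06:01:09 gw sshd[818]: Failed password for illegal user test from 198.51.100.23 port 40141 ssh2
Oct 13 06:02:40 gw sshd[830]: Accepted publickey for jm from 192.168.0.10 port 51000 ssh2
Oct 13 06:03:15 gw ftpd[842]: FTP LOGIN FAILED FROM 198.51.100.23, www
Oct 13 06:10:00 gw sshd[900]: Failed password for jm from 192.168.0.10 port 51010 ssh2
"""
# Two points in time at which the watcher is asked for expired blocks (constructed).
LATER_CHECK, EARLIER_CHECK = datetime(2004, 10, 13, 7, 30), datetime(2004, 10, 13, 6, 30)

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<ip>\d+\.\d+\.\d+\.\d+)"),
]

def parse_failures(log_text, year=2004):
    """Yield (timestamp, source address) for every failed-login line.
    syslog omits the year, so the caller supplies it."""
    for line in log_text.splitlines():
        ts_match = SYSLOG_TS.match(line)
        if not ts_match:
            continue
        for pattern in FAILURE_PATTERNS:
            hit = pattern.search(line)
            if hit:
                ts = datetime.strptime(f"{year} {ts_match['ts']}", "%Y %b %d %H:%M:%S")
                yield ts, hit["ip"]
                break

class Blocker:
    """Turn repeated failures into ipfw block commands and release them after a cooldown."""
    def __init__(self, threshold=3, window=timedelta(minutes=10), cooldown=timedelta(hours=1),
                 first_rule=5000, ignore=("192.168.0.0/24",)):
        # Threshold, window, cooldown, rule numbers and the ignored LAN are assumptions.
        self.threshold, self.window, self.cooldown = threshold, window, cooldown
        self.next_rule = first_rule
        self.ignore = [ip_network(n) for n in ignore]
        self.failures = defaultdict(list)  # source -> timestamps of recent failures
        self.blocked = {}                  # source -> (rule number, time of block)

    def feed(self, ts, ip):
        """Record one failure; return the ipfw command to run now, or None."""
        if ip in self.blocked or any(ip_address(ip) in n for n in self.ignore):
            return None
        recent = [t for t in self.failures[ip] if ts - t <= self.window] + [ts]
        self.failures[ip] = recent
        if len(recent) < self.threshold:
            return None
        rule, self.next_rule = self.next_rule, self.next_rule + 1
        self.blocked[ip] = (rule, ts)
        return f"ipfw add {rule} deny ip from {ip} to any in"

    def expire(self, now):
        """Return the ipfw commands that release every block older than the cooldown."""
        cmds = []
        for ip, (rule, since) in list(self.blocked.items()):
            if now - since >= self.cooldown:
                cmds.append(f"ipfw delete {rule}")
                del self.blocked[ip]
                self.failures.pop(ip, None)
        return cmds

def process_log(log_text, now):
    """Feed a log through a fresh Blocker; return (block commands, release commands at now)."""
    blocker = Blocker()
    blocks = []
    for ts, ip in parse_failures(log_text):
        cmd = blocker.feed(ts, ip)
        if cmd:
            blocks.append(cmd)
    return blocks, blocker.expire(now)

if __name__ == "__main__":
    for cmd in sum(process_log(SAMPLE_LOG, LATER_CHECK), []):
        print(cmd)
```

The chosen rule numbers must sort before the allow rules of the live ruleset, since ipfw stops at the first match.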
Firewall concept question
Looking to use a FreeBSD server as a firewall for a modem pool. The theory
is we only want to give them access to HTTP and DNS (which we could do as
proxy on the FreeBSD box). For accountability reasons, each modem will be
assigned a specific IP address. That way, I'll be able to use Radius
accounting to keep track of who was logged in on what ip at what time. The
idea being that if someone uses the modems to launch an attack or whatever,
we have something to work with for tracking the user down if the
authorities come knocking.

I haven't set up a FreeBSD firewall before, so I have a best way question:
Should I use transparent mode where each modem has a public ip address or
use something like static NAT entries? I'd planned on using a transparent
mode, since I was familiar with it from using a Netscreen. It would seem to
have the easiest accounting. But, wasn't sure if I could do that using
FreeBSD, so static NAT entries would be the next best thing... Right?

I would also entertain the idea of using something like Squid so all access
is through a local proxy, then simply lock the firewall down completely.
But, I'm still concerned about the accountability in case someone manages
to launch an attack thru the proxy. I'd have to have some way of easily
mapping back to the ip of the modem based on the external information given
to me by authorities (ie: public ip address).

Any other suggestions for methods to accomplish this task are welcome.

Thanks!
Brent
Re: IP Firewall blocks cvsup
On Sun, 19 Sep 2004 06:45:28 -0700 Rob [EMAIL PROTECTED] wrote:
> Seems to work with everything else incl. ftp. What am I doing wrong?
> Thanks, Rob.
>
> block in log all
> pass out all
> pass out on lo all
> pass in on lo all
> pass out quick on bfe0 proto tcp/udp from any to any port 1024

For quick answer, replace above line with:

pass out quick on bfe0 proto tcp/udp from any to any port 1024 keep state

> pass in quick on bfe0 proto icmp all icmp-type 0
> pass in quick on bfe0 proto icmp all icmp-type 3
> pass in quick on bfe0 proto icmp all icmp-type 11
> block in on bfe0 proto tcp all flags S/SA
> block out on bfe0 proto tcp all flags SA/SA
> pass in quick on bfe0 proto tcp from any to any port = 22 flags S/SA keep state
> pass in quick on bfe0 proto tcp from any to any port = 25 flags S/SA keep state
> pass out on bfe0 proto tcp all keep state

I don't think this line makes tcp connections below stateful. You must
write down keep state phrase on every tcp (and udp, icmp) line you write.

> block return-rst in on bfe0 proto tcp from any to any port = 113
> pass in on bfe0 proto tcp/udp from any port = 53 to any
> pass in on bfe0 proto tcp/udp from any port = 67 to any
> pass out on bfe0 proto tcp/udp from any port = 68 to any
> pass in on bfe0 proto tcp from any port = 80 to any

Or, add the following line here:

pass in on bfe0 proto tcp from any port = 5999 to any

horio shoichi
IP Firewall blocks cvsup
Seems to work with everything else incl. ftp. What am I doing wrong?
Thanks, Rob.

block in log all
pass out all
pass out on lo all
pass in on lo all
pass out quick on bfe0 proto tcp/udp from any to any port 1024
pass in quick on bfe0 proto icmp all icmp-type 0
pass in quick on bfe0 proto icmp all icmp-type 3
pass in quick on bfe0 proto icmp all icmp-type 11
block in on bfe0 proto tcp all flags S/SA
block out on bfe0 proto tcp all flags SA/SA
pass in quick on bfe0 proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on bfe0 proto tcp from any to any port = 25 flags S/SA keep state
pass out on bfe0 proto tcp all keep state
block return-rst in on bfe0 proto tcp from any to any port = 113
pass in on bfe0 proto tcp/udp from any port = 53 to any
pass in on bfe0 proto tcp/udp from any port = 67 to any
pass out on bfe0 proto tcp/udp from any port = 68 to any
pass in on bfe0 proto tcp from any port = 80 to any
#block out quick on bfe0 proto tcp from any port 59996011 to any
#block out quick on bfe0 proto tcp from any port 58995911 to any
#block out quick on bfe0 from any port = 2049 to any
#block out quick on bfe0 from any port 136140 to any
FreeBSD firewall for lazy people
I'm finding that configuring firewall/NAT rules on the gateway to my PPP connection is too much of a headache.

Are there any FreeBSD based firewall distributions, something like http://thewall.sourceforge.net/, but with some sort of wrapper (web interface, curses interface, or whatever) for configuring pppoe, ipfw, NAT etc.?
RE: FreeBSD firewall for lazy people
[--]
I'm finding that configuring firewall/NAT rules on the gateway to my PPP connection is too much of a headache.

Are there any FreeBSD based firewall distributions, something like http://thewall.sourceforge.net/, but with some sort of wrapper (web interface, curses interface, or whatever) for configuring pppoe, ipfw, NAT etc.?
[--]

http://m0n0.ch/wall/

Cheers.
Re: FreeBSD firewall for lazy people
--- Björn Lindström [EMAIL PROTECTED] wrote:

> I'm finding that configuring firewall/NAT rules on the gateway to my PPP connection is too much of a headache.
>
> Are there any FreeBSD based firewall distributions, something like http://thewall.sourceforge.net/, but with some sort of wrapper (web interface, curses interface, or whatever) for configuring pppoe, ipfw, NAT etc.?

http://m0n0.ch/wall/
www.closedbsd.org
Using TCP_DROP_SYNFIN on DMZ firewall ?
If I use this setting on the DMZ firewall, would it affect a web server running in the DMZ behind the FW? The web server IP/port would be redirected into the DMZ by natd, or does this only break SYN+FIN if the web server is running on the same box?

As stated in LINT:

# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN

Thanks,
Jon.
Configuring IPFW (Firewall) and Proxy/Nylon, Help Please
Hello There,

I currently am running 5.2.1-Release which is configured as a gateway with kernel firewall support. I have installed Squid (Proxy) and Nylon (SOCKS) which seem to be configured fine. However, I need help in getting all http/https traffic to only route to the proxy (Port 3128) and all other traffic to point to nylon (Port 1080). This way the proxy and socks server cannot be circumvented. Could someone please suggest some tips or a website? I am using the standard rc.firewall configuration.

Thanks!

Below is my rc.conf file:
---
gateway_enable=YES
firewall_enable=YES
firewall_type=OPEN
natd_enable=YES
natd_interface=ed0
#natd_flags=-f /etc/natd.conf
hostname=**
ifconfig_ed0=DHCP
inetd_enable=YES
keyrate=fast
sshd_enable=YES
usbd_enable=YES
ifconfig_dc0=inet 192.168.1.254 netmask 255.255.255.0
defaultrouter=192.168.1.254
Re: Configuring IPFW (Firewall) and Proxy/Nylon, Help Please
Hello,

On Mon, 13 Sep 2004 16:26:15 -0700 (PDT), JP [EMAIL PROTECTED] wrote:

> Hello There,
>
> I currently am running 5.2.1-Release which is configured as a gateway with kernel firewall support. I have installed Squid (Proxy) and Nylon (SOCKS) which seem to be configured fine. However, I need help in getting all http/https traffic to only route to the proxy (Port 3128) and all other traffic to point to nylon (Port 1080). This way the proxy and socks server cannot be circumvented. Could someone please suggest some tips or a website? I am using the standard rc.firewall configuration.

http runs on port 80 by default and https on port 443, so you can divert incoming traffic on port 80 and 443 to port 3128. And do not forget to save the states for the incoming traffic or the reply traffic won't get through. For the latter section you can set up a default divert for everything to port 1080.

> Thanks!

You are welcome

> Below is my rc.conf file:
> ---
> gateway_enable=YES
> firewall_enable=YES
> firewall_type=OPEN

---you need to remove this and make this point to your firewall ruleset file

> natd_enable=YES

---You need to comment this out because if natd is running the clients can anyway get through the NAT and avoid the proxy.

> natd_interface=ed0
> #natd_flags=-f /etc/natd.conf
> hostname=**
> ifconfig_ed0=DHCP
> inetd_enable=YES
> keyrate=fast
> sshd_enable=YES
> usbd_enable=YES
> ifconfig_dc0=inet 192.168.1.254 netmask 255.255.255.0
> defaultrouter=192.168.1.254

Regards
S.

--
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
Re: Configuring IPFW (Firewall) and Proxy/Nylon, Help Please
On Tue, 14 Sep 2004 10:22:16 +0530, Subhro [EMAIL PROTECTED] wrote:

> Hello,
>
> On Mon, 13 Sep 2004 16:26:15 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
>
> > Hello There,
> >
> > I currently am running 5.2.1-Release which is configured as a gateway with kernel firewall support. I have installed Squid (Proxy) and Nylon (SOCKS) which seem to be configured fine. However, I need help in getting all http/https traffic to only route to the proxy (Port 3128) and all other traffic to point to nylon (Port 1080). This way the proxy and socks server cannot be circumvented. Could someone please suggest some tips or a website? I am using the standard rc.firewall configuration.
>
> http runs on port 80 by default and https on port 443, so you can divert incoming traffic on port 80 and 443 to port 3128. And do not forget to save the states for the incoming traffic or the reply traffic won't get through. For the latter section you can set up a default divert for everything to port 1080.
>
> > Thanks!
>
> You are welcome
>
> > Below is my rc.conf file:
> > ---
> > gateway_enable=YES
> > firewall_enable=YES
> > firewall_type=OPEN
>
> ---you need to remove this and make this point to your firewall ruleset file
>
> > natd_enable=YES
>
> ---You need to comment this out because if natd is running the clients can anyway get through the NAT and avoid the proxy.
>
> > natd_interface=ed0
> > #natd_flags=-f /etc/natd.conf
> > hostname=**
> > ifconfig_ed0=DHCP
> > inetd_enable=YES
> > keyrate=fast
> > sshd_enable=YES
> > usbd_enable=YES

Sorry to backpost, but what are you trying to achieve by the next two lines?

> > ifconfig_dc0=inet 192.168.1.254 netmask 255.255.255.0
> > defaultrouter=192.168.1.254

Regards
S.

--
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
Re: Proxy/Firewall Question
On Sat, 11 Sep 2004 22:48:50 -0700 (PDT), JP [EMAIL PROTECTED] wrote:

> Hello Gang,
>
> I am a novice at this so please bear with me. I have successfully configured Squid, Nylon and my firewall, my question is how do I disable any net traffic that is not going through the proxy? It would be best for all LAN traffic (telnet, ftp, chat, socks, etc) to pass through the proxy otherwise get dropped. I would imagine it's a Windows configuration thing but I am not for certain.
>
> Thanks,
> JP

disable NATting. using firewall allow connections to ports on which squid and/or nylon is listening.

BTW, which firewall are you using?

Shantanoo
Re: Proxy/Firewall Question
Thank you, I am using the standard firewall and firewall script that came with FreeBSD. By default, everything on the firewall is set to open. I attempted what you suggested (disabling nat) and I could no longer get out to see the net. I could ping the FreeBSD box just fine, but nothing beyond that. Suggestions?

--- Shantanoo [EMAIL PROTECTED] wrote:

> On Sat, 11 Sep 2004 22:48:50 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
>
> > Hello Gang,
> >
> > I am a novice at this so please bear with me. I have successfully configured Squid, Nylon and my firewall, my question is how do I disable any net traffic that is not going through the proxy? It would be best for all LAN traffic (telnet, ftp, chat, socks, etc) to pass through the proxy otherwise get dropped. I would imagine it's a Windows configuration thing but I am not for certain.
> >
> > Thanks,
> > JP
>
> disable NATting. using firewall allow connections to ports on which squid and/or nylon is listening.
>
> BTW, which firewall are you using?
>
> Shantanoo
Re: Proxy/Firewall Question
That is expected. After all that is all about proxy. When NAT is enabled then you can ping the outside world, that is fine. If you want to provide transparent access to the clients, then you need to enable NAT. You can control the type of access provided (browsing, IRC, IMs, etc) by blocking (opening) the required ports from the firewall. Alternatively, as you say...PROXY, you won't be able to ping outside and the clients have to explicitly configure their softwares to use the proxy running on the BSD Box.

Regards
S.

On Sun, 12 Sep 2004 00:31:41 -0700 (PDT), JP [EMAIL PROTECTED] wrote:

> Thank you, I am using the standard firewall and firewall script that came with FreeBSD. By default, everything on the firewall is set to open. I attempted what you suggested (disabling nat) and I could no longer get out to see the net. I could ping the FreeBSD box just fine, but nothing beyond that. Suggestions?
>
> --- Shantanoo [EMAIL PROTECTED] wrote:
>
> > On Sat, 11 Sep 2004 22:48:50 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
> >
> > > Hello Gang,
> > >
> > > I am a novice at this so please bear with me. I have successfully configured Squid, Nylon and my firewall, my question is how do I disable any net traffic that is not going through the proxy? It would be best for all LAN traffic (telnet, ftp, chat, socks, etc) to pass through the proxy otherwise get dropped. I would imagine it's a Windows configuration thing but I am not for certain.
> > >
> > > Thanks,
> > > JP
> >
> > disable NATting. using firewall allow connections to ports on which squid and/or nylon is listening.
> >
> > BTW, which firewall are you using?
> >
> > Shantanoo

--
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
Proxy/Firewall Question
Hello Gang,

I am a novice at this so please bear with me. I have successfully configured Squid, Nylon and my firewall, my question is how do I disable any net traffic that is not going through the proxy? It would be best for all LAN traffic (telnet, ftp, chat, socks, etc) to pass through the proxy otherwise get dropped. I would imagine it's a Windows configuration thing but I am not for certain.

Thanks,
JP
setup firewall/router/proxy
Hi,

What are the best firewall - routing and proxy packages for FreeBSD ?
Have only experience with debian/proxy/masquerading/iptables.

Thanks in advance for the help.
mess-mate
Re: setup firewall/router/proxy
On Wed, 1 Sep 2004 17:08:04 +0200 messmate [EMAIL PROTECTED] spake thus:

> Hi,
>
> What are the best firewall - routing and proxy packages for FreeBSD ?
> Have only experience with debian/proxy/masquerading/iptables.
>
> Thanks in advance for the help.
> mess-mate

Google is your best pal. Try googling for "FreeBSD gateway router/firewall" and combinations of the above. You'll get more howto's and pages of advice than you'll ever need.

HTH
LukeK

--
Luke Kearney [EMAIL PROTECTED]
Re: setup firewall/router/proxy
> Hi,
>
> What are the best firewall - routing and proxy packages for FreeBSD ?

FW/Routing: IPFW + natd (both have man pages)
Proxy: squid (/usr/ports/www/squid)

IMHO.

Steve

> Have only experience with debian/proxy/masquerading/iptables.
>
> Thanks in advance for the help.
> mess-mate
Re: setup firewall/router/proxy
Oki all,

If it isn't too much of a bother, someone asked me the same question, but for a platform I'm unfamiliar with -- a 2.4.18-6mdk (Mandrake) linux distro. As the target is not freebsd, I'll be happy with any technical response, and off-list is probably better than on.

TiA,
Eric

> > What are the best firewall - routing and proxy packages for FreeBSD ?
>
> FW/Routing: IPFW + natd (both have man pages)
> Proxy: squid (/usr/ports/www/squid)
>
> IMHO.
>
> Steve
>
> > Have only experience with debian/proxy/masquerading/iptables.
> >
> > Thanks in advance for the help.
> > mess-mate
Re: setup firewall/router/proxy
it was said:

> Hi,
>
> What are the best firewall - routing and proxy packages for FreeBSD ?

Hello,

Firewall: pf (/usr/ports/security/pf)
Routing: routed (man 8 routed)
Proxy: squid (/usr/ports/www/squid)

just my 2% of your preferred currency's base unit,

Stheg
Re: setup firewall/router/proxy
----- Original Message -----
From: Eric Brunner-Williams in Portland Maine [EMAIL PROTECTED]
To: Steve Bertrand [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; messmate [EMAIL PROTECTED]; freebsd-questions-en [EMAIL PROTECTED]
Sent: Wednesday, September 01, 2004 7:27 AM
Subject: Re: setup firewall/router/proxy

> Oki all,
>
> If it isn't too much of a bother, someone asked me the same question, but for a platform I'm unfamiliar with -- a 2.4.18-6mdk (Mandrake) linux distro. As the target is not freebsd, I'll be happy with any technical response, and off-list is probably better than on.
>
> TiA,
> Eric

It's been a long time since I've played with Linux in general, last one was RH. If Mandrake has ipchains or ipfw, I'd say go with either and still use squid. It's popular, easy to configure, works well and has support. It shouldn't need any routing daemon as long as none of the advanced routing protocols are needed.

--
Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: setup firewall/router/proxy
> It's been a long time since I've played with Linux in general, last one was RH. If Mandrake has ipchains or ipfw, I'd say go with either and still use squid. It's popular, easy to configure, works well and has support. It shouldn't need any routing daemon as long as none of the advanced routing protocols are needed.

I assumed by ``routing'', you meant Network Address Translation (NAT), which is called natd and is included as part of the base system. `routed', is a router _discovery_ protocol, and used if your router has multiple routes and the network is configured to share this information.

If you simply want an internal network translated to a public IP, use natd+IPFW (my choice), and if you have more than the default route for the internal network, for simplicity's sake you can manipulate your routing table and specify static routes using the route(8) command.

...and as I and others have said, squid is probably the best choice for proxy. Using IPFW with a squid proxy, you can even configure it for transparent mode, so you don't have to modify the browsers at all. There are a few docs out there for this...

Steve

> --
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
Re: sendmail from 4.10-STABLE firewall
+++ Joe Kraft [freebsd] [24-08-04 22:49 +0100]:
|
| Chuck Swiger wrote:
| Joe Kraft wrote:
|
| I'm using a 4.10-STABLE based firewall, which is happily chugging along. It's sending its daily messages to a local account via sendmail, which I check by logging in using an ssh connection.
|
| [ ... ]
|
| 3) Is there a way to convince sendmail to send to something like [EMAIL PROTECTED] I could just put that in my existing aliases file and not have to install anything more.
|
| The key part of your request is answered by using IP addrs in square brackets, which will not require DNS MX or A lookups. So, add something like:
|
| [EMAIL PROTECTED]
|
| ...to the ~/.forward file of root or wherever the mail is going to now. Yes, you could put this in the aliases, or even use a mailertable to redirect all local mail to the other system.
|
| I tried doing it that way and it wouldn't go out either. I wound up adding the 10.0.0.55 server to /etc/hosts and letting sendmail do its lookup there. I never convinced sendmail to send to the user foo on the 10.0.0.55 server, is that supposed to be possible?
|
| Joe.

try:

echo this is a test mail | mail [EMAIL PROTECTED]

(works in tcsh)

Regards,
Shantanu
Re: sendmail from 4.10-STABLE firewall
Chuck Swiger wrote:
> Joe Kraft wrote:
> > I'm using a 4.10-STABLE based firewall, which is happily chugging along. It's sending its daily messages to a local account via sendmail, which I check by logging in using an ssh connection.
>
> [ ... ]
>
> > 3) Is there a way to convince sendmail to send to something like [EMAIL PROTECTED] I could just put that in my existing aliases file and not have to install anything more.
>
> The key part of your request is answered by using IP addrs in square brackets, which will not require DNS MX or A lookups. So, add something like:
>
> [EMAIL PROTECTED]
>
> ...to the ~/.forward file of root or wherever the mail is going to now. Yes, you could put this in the aliases, or even use a mailertable to redirect all local mail to the other system.

I tried doing it that way and it wouldn't go out either. I wound up adding the 10.0.0.55 server to /etc/hosts and letting sendmail do its lookup there. I never convinced sendmail to send to the user foo on the 10.0.0.55 server, is that supposed to be possible?

Joe.
Re: sendmail from 4.10-STABLE firewall
Joe Kraft wrote:
> I'm using a 4.10-STABLE based firewall, which is happily chugging along. It's sending its daily messages to a local account via sendmail, which I check by logging in using an ssh connection.

[ ... ]

> 3) Is there a way to convince sendmail to send to something like [EMAIL PROTECTED] I could just put that in my existing aliases file and not have to install anything more.

The key part of your request is answered by using IP addrs in square brackets, which will not require DNS MX or A lookups. So, add something like:

[EMAIL PROTECTED]

...to the ~/.forward file of root or wherever the mail is going to now. Yes, you could put this in the aliases, or even use a mailertable to redirect all local mail to the other system.

--
-Chuck
sendmail from 4.10-STABLE firewall
I'm using a 4.10-STABLE based firewall, which is happily chugging along. It's sending its daily messages to a local account via sendmail, which I check by logging in using an ssh connection. I would like to have it send those mails to another mail server behind the firewall, but I'm curious about recommendations for the best way to do that. I've looked at a couple of different ways:

1) Add the local domain DNS to its list so it can find the IP of the local mail server. It seems like this would decrease the security of the firewall a bit.

2) The handbook has a section about setting up to send only using the mail/ssmtp port. This looks like my local mailer needs to resolve somehow (/etc/hosts??) on my firewall

3) Is there a way to convince sendmail to send to something like [EMAIL PROTECTED] I could just put that in my existing aliases file and not have to install anything more.

4) Better options??

I appreciate recommendations you can provide or any pointers to existing information to help me figure out the best solution.

Thanks,
Joe Kraft
Application level inspection - firewall?
Quick question, is there an Application Level firewall available to FreeBSD. I understand IPFilter is a stateful packet filter, but has it or any other packages moved to the next level - Application Level Inspection?

Sorry, I am all googled out on this one.

Thanks
Paul
Re: Application level inspection - firewall?
Paul Hillen wrote:
> Quick question, is there an Application Level firewall available to FreeBSD.

For some definitions of that buzzword, sure.

> I understand IPFilter is a stateful packet filter, but has it or any other packages moved to the next level - Application Level Inspection?

Squid plus a firewall which blocks or redirects port 80 will serve for HTTP; Postfix or Qmail or whatever plus firewall rules which do the same for port 25 serve as application-level filtering for SMTP (enough to protect that Exchange server some people want to run), etc.

--
-Chuck
RE: Firewall Rule Set not allowing access to DNS servers?
I changed the DNS rules as you suggested, and the firewall works perfectly - thanks very much. This has been a great learning experience for me - thanks to all who responded.

Jim C

-----Original Message-----
From: JJB [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 31, 2004 1:08 PM
To: James A. Coulter; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

Look back at the ipfw sample rule set and you will see that there are both udp and tcp protocol access to DNS. Also note that udp does not use the setup keyword.

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

Your DNS rules are

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state

As you can see you have no tcp protocol statements. Your udp rules use the setup keyword, which is only for tcp rules, so your udp packets never match this rule and default to getting blocked, which is why you get log error messages and you can not access the public internet.

Also if you look closely at the first 4 ipfw log messages you will see the first message is about ip address 193.0.14.129 which is the primary dns server pointed to by url search pn.at.cox.net in /etc/resolv.conf

Change your DNS rules to look like this

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip udp from any to 193.0.14.129 53 out via $pif keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state
$cmd 023 $skip udp from any to 68.105.161.20 53 out via $pif keep-state
$cmd 024 $skip tcp from any to 193.0.14.129 53 out via $pif setup keep-state
$cmd 025 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 026 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
$cmd 027 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of James A. Coulter
Sent: Saturday, July 31, 2004 1:09 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

My LAN is configured with static IP addresses, 192.168.1.x. I have no problems communicating within the LAN. I have full connectivity with the internet from every machine on my LAN when the firewall is open. When I use the rule set in question, I can ping and send mail but I cannot access the DNS servers listed in resolv.conf. These are the same DNS servers placed in resolv.conf when the firewall is open.

I'm sorry, but I never said dc1 was my inside nic.

Again, I appreciate any help with this. The files you requested follow.

Here's my ifconfig -a:

sara# ifconfig -a
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:76:55:f0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
        inet 68.105.58.150 netmask 0xfe00 broadcast 68.105.59.255
        ether 00:a0:cc:33:e1:f6
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

Here's resolv.conf:

sara# more /etc/resolv.conf
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30

Here's the entire rule set I'm trying to use. I did follow the comments. Please note the variable pif is set to dc1, my outside nic.

Start of IPFW rules
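An added example, not from either of the messages in this thread, that makes JJB's explanation concrete: a minimal Python model of the ipfw match for the rule forms above, run against the UDP deny lines Jim logged, showing that his udp rules with setup can never match a UDP datagram while the corrected rules do. It handles only the subset of ipfw syntax the thread uses, and assumes $pif is dc1 and $skip is skipto 800.

```python
import re

# Three of the ipfw deny lines Jim posted (copied from the thread).
LOG_LINES = [
    "Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1",
    "Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1",
    "Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1",
]

# Jim's second attempt: udp rules that still carry the tcp-only 'setup' keyword.
BROKEN_RULES = [
    "$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state",
    "$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state",
    "$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state",
]

# JJB's correction: 'setup' dropped from the udp rules, tcp rules added beside them.
FIXED_RULES = [
    "$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif keep-state",
    "$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state",
    "$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state",
    "$cmd 024 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state",
    "$cmd 025 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state",
    "$cmd 026 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state",
]

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<via>\w+)"
)
PROTOS = ("ip", "tcp", "udp", "icmp")


def parse_log_line(line):
    """Turn an ipfw log line into the packet fields a rule is matched against."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipfw log line: " + line)
    pkt = m.groupdict()
    pkt["proto"] = pkt["proto"].lower()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    pkt["syn_only"] = False   # a UDP datagram carries no TCP flags, so never a SYN
    return pkt


def parse_rule(text, pif="dc1"):
    """Parse one '$cmd NNN $skip <proto> from ... to ...' line ($pif assumed to be dc1)."""
    toks = text.replace("$pif", pif).split()
    f, t = toks.index("from"), toks.index("to")
    rule = {"number": toks[1], "proto": toks[f - 1], "src": toks[f + 1],
            "sport": int(toks[t - 1]) if t - f == 3 else None,
            "dst": toks[t + 1], "dport": None, "dir": None, "via": None,
            "setup": False, "keep_state": False}
    if rule["proto"] not in PROTOS:
        raise ValueError("unknown protocol in: " + text)
    rest = toks[t + 2:]
    if rest and rest[0].isdigit():
        rule["dport"] = int(rest.pop(0))
    while rest:                      # trailing options, in any order
        opt = rest.pop(0)
        if opt in ("in", "out"):
            rule["dir"] = opt
        elif opt == "via":
            rule["via"] = rest.pop(0)
        elif opt == "setup":
            rule["setup"] = True
        elif opt == "keep-state":
            rule["keep_state"] = True
    return rule


def rule_matches(rule, pkt):
    """Evaluate the match part of a rule the way ipfw does for this subset."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if rule[key] != "any" and rule[key] != pkt[key]:
            return False
    for key in ("sport", "dport", "dir", "via"):
        if rule[key] is not None and rule[key] != pkt[key]:
            return False
    # 'setup' means "TCP segment with SYN set and ACK clear". A UDP datagram has
    # no flags at all, so a udp rule carrying 'setup' can never match anything.
    if rule["setup"] and not (pkt["proto"] == "tcp" and pkt["syn_only"]):
        return False
    return True


def first_matching_rule(rule_texts, pkt):
    """Number of the first rule that matches, or None if the packet falls through."""
    for text in rule_texts:
        rule = parse_rule(text)
        if rule_matches(rule, pkt):
            return rule["number"]
    return None
```

With the broken rules every logged datagram falls through to the later deny rule that wrote the log line; with the fixed rules each one is caught by its own skipto rule.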
RE: Firewall Rule Set not allowing access to DNS servers?
Thanks for the response. . . I changed rule 5 from x10 to dc0 - thanks Not sure why I would want my inside nic requesting DHCP service from my ISP. It has been working fine in the configuration I have it so I've left it the way it is. I checked the security log, and found this: Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1 Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1 Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1 These are the three name servers specified in the rule set I checked the rule set and found this: # Allow out access to my ISP's Domain name server. # x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state $cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state $cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state Because security said the firewall was denying UDP packets, I changed the rules to this: $cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state $cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state $cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state But that hasn't helped. 
I'm still getting: Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1 Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1 Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1 FWIW, these rules are skipping to: # This is skipto location for outbound stateful rules $cmd 800 divert natd ip from any to any out via $pif $cmd 801 allow ip from any to any I apologize for being such a bother and I do appreciate any help or suggestions. TIA Jim C. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JJB Sent: Friday, July 30, 2004 1:20 PM To: James A. Coulter; [EMAIL PROTECTED] Subject: RE: Firewall Rule Set not allowing access to DNS servers? Change this ipfw rule from 5 allow ip from any to any via xl0 To 5 allow ip from any to any via dc0 because dc0 is the lan interface name and not xl0. Change these statement in rc.conf because you have interface name backwards. Dc1 is the NIC connected to your cable modem and you want to get DHCP info from your ISP. Dc0 is the NIC connected to your LAN. From ifconfig_dc1=DHCP ifconfig_dc0=inet 192.168.1.1 netmask 255.255.255.0 to ifconfig_dc0=DHCP ifconfig_dc1=inet 192.168.1.1 netmask 255.255.255.0 You do not say how your LAN PCs get their ip address. You can hard code them on each LAN PC or you have to run isc-dhcp-server on your Gateway box to auto assign ip address to LAN PCs. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of James A. Coulter Sent: Friday, July 30, 2004 10:56 AM To: [EMAIL PROTECTED] Subject: Firewall Rule Set not allowing access to DNS servers? I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My outside interface (dc1) is connected to a cable modem and is configured for DHCP. 
I have compiled and installed a custom kernel with IPFIREWALL and IPDIVERT options and with a rule set allowing any to any, with no problems. I am in the process of adding a proper rule set to provide security. I was referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and installed the Stateful + NATD Rule Set modified for my outside interface, domain name servers, and DHCP server. I can ping IP addresses and pass SMTP mail back and forth from the gateway/router and all machines on the LAN, but I cannot ping URLs - I am getting ping: cannot resolve www.freebsd.org: Host name lookup failure errors. This is what ipfw -a list looks like: sara# ipfw -a list 5 0 0 allow ip from any to any via xl0 00010 52 3640 allow ip from any to any via lo0 00014 0 0 divert 8668 ip from any to any in recv dc1 00015 0 0 check-state 00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup 00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup 00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup 00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1 00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup 00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup 00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup 00061 0 0 skipto 800 tcp from any to any 110
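Added example, not part of Jim's post or of the handbook rule set he is using: a small triage script for the "ipfw: 450 Deny ..." lines quoted above. It parses the kernel log format, collapses repeated lookups to the same resolver into one line (the ephemeral source port is dropped), and renders the stateful allow rule that would admit each denied flow. The sample log is constructed from the three lines in the post plus two made-up lines (a repeat UDP lookup and one TCP lookup) so that both protocol forms show up; the rule it prints for UDP deliberately has no `setup`, which is the point of this thread. Whether a flow should be admitted at all is still a policy decision; the script only tells you what the firewall is currently dropping.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the three lines quoted in the post above, plus one extra
# UDP lookup and one TCP lookup that were made up for this example.
SAMPLE_LOG = """\
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1
Jul 30 08:58:40 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3901 68.105.161.20:53 out via dc1
Jul 30 08:59:02 sara /kernel: ipfw: 450 Deny TCP 68.105.58.150:1045 68.105.161.20:53 out via dc1
"""

# Field layout of an ipfw kernel log line on FreeBSD 4.x:
#   ipfw: <rule> <verdict> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<verdict>\w+) (?P<proto>[A-Za-z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

Flow = Tuple[int, str, str, int, str, str]  # rule, proto, dst, dport, dir, iface


def parse_log(text: str) -> List[Dict[str, str]]:
    """Extract the fields of every ipfw log line; other syslog lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_denies(text: str) -> Counter:
    """Count denied packets per flow. The source port is left out of the key so
    repeated lookups to the same resolver collapse into a single line."""
    counts: Counter = Counter()
    for e in parse_log(text):
        if e["verdict"].lower() != "deny":
            continue
        key: Flow = (int(e["rule"]), e["proto"].lower(), e["dst"],
                     int(e["dport"]), e["dir"], e["iface"])
        counts[key] += 1
    return counts


def suggest_rule(flow: Flow) -> str:
    """Render the stateful ipfw allow rule that would admit this flow.
    'setup' only matches TCP connection requests, so it is emitted for TCP
    only; on a UDP rule it makes the rule unmatchable."""
    _, proto, dst, dport, direction, iface = flow
    state = "setup keep-state" if proto == "tcp" else "keep-state"
    return f"allow {proto} from any to {dst} {dport} {direction} via {iface} {state}"


if __name__ == "__main__":
    for flow, n in sorted(summarize_denies(SAMPLE_LOG).items()):
        print(f"{n:3d}x rule {flow[0]}: {suggest_rule(flow)}")
```

Feed it the real log with `python3 ipfw_denies.py < /var/log/security` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the grouping by destination and port is what makes a burst of resolver retries readable.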
RE: Firewall Rule Set not allowing access to DNS servers?
You better re-read what you posted in early post. You posted that dc1 is your outside NIC, which is connected to your cable modem which is connected to your ISP. Your outside NIC needs DHCP to get ip and dns info from your ISP. NOW YOU SAY dc1 IS INSIDE INTERFACE NAME. Make up your mind which is correct. Verify you have the correct interface name coded in ipfw rules for the NIC connected to the cable modem and that the same NIC interface name is the one in rc.conf with the DHCP option. When DHCP gets DNS info from ISP /etc/resolv.conf will be auto-updated with correct info. Read comments in sample firewall source and follow what comments say. You are making this harder than it really is. Also there is no setup option on UDP packets, just keep-state. Post full contents of your current dmesg.boot, rc.conf, ipfw rule set, and ipfw log files so people can see just what you have configured. And answer question of how you are assigning ip address to LAN PCs? Also post output of ifconfig -a command after boot completes. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of James A. Coulter Sent: Saturday, July 31, 2004 9:55 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Firewall Rule Set not allowing access to DNS servers? Thanks for the response. . . I changed rule 5 from x10 to dc0 - thanks Not sure why I would want my inside nic requesting DHCP service from my ISP. It has been working fine in the configuration I have it so I've left it the way it is. I checked the security log, and found this: Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1 Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1 Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1 These are the three name servers specified in the rule set I checked the rule set and found this: # Allow out access to my ISP's Domain name server. 
# x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state $cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state $cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state Because security said the firewall was denying UDP packets, I changed the rules to this: $cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state $cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state $cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state But that hasn't helped. I'm still getting: Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1 Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1 Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1 FWIW, these rules are skipping to: # This is skipto location for outbound stateful rules $cmd 800 divert natd ip from any to any out via $pif $cmd 801 allow ip from any to any I apologize for being such a bother and I do appreciate any help or suggestions. TIA Jim C. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JJB Sent: Friday, July 30, 2004 1:20 PM To: James A. Coulter; [EMAIL PROTECTED] Subject: RE: Firewall Rule Set not allowing access to DNS servers? Change this ipfw rule from 5 allow ip from any to any via xl0 To 5 allow ip from any to any via dc0 because dc0 is the lan interface name and not xl0. Change these statement in rc.conf because you have interface name backwards. Dc1 is the NIC connected to your cable modem and you want to get DHCP info from your ISP. Dc0 is the NIC connected to your LAN. 
From ifconfig_dc1=DHCP ifconfig_dc0=inet 192.168.1.1 netmask 255.255.255.0 to ifconfig_dc0=DHCP ifconfig_dc1=inet 192.168.1.1 netmask 255.255.255.0 You do not say how your LAN PCs get their ip address. You can hard code them on each LAN PC or you have to run isc-dhcp-server on your Gateway box to auto assign ip address to LAN PCs. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of James A. Coulter Sent: Friday, July 30, 2004 10:56 AM To: [EMAIL PROTECTED] Subject: Firewall Rule Set not allowing access to DNS servers? I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My outside interface (dc1) is connected to a cable modem and is configured for DHCP. I have compiled and installed a custom kernel with IPFIREWALL and IPDIVERT options and with a rule set allowing any to any with no problems I am in the process of adding a proper rule set to provide security. I was referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and installed the Stateful
RE: Firewall Rule Set not allowing access to DNS servers?
My LAN is configured with static IP addresses, 192.168.1.x. I have no problems communicating within the LAN. I have full connectivity with the internet from every machine on my LAN when the firewall is open. When I use the rule set in question, I can ping and send mail but I cannot access the DNS servers listed in resolv.conf. These are the same DNS servers placed in resolv.conf when the firewall is open. I'm sorry, but I never said dc1 was my inside nic. Again, I appreciate any help with this. The files you requested follow. Here's my ifconfig - a: sara# ifconfig -a dc0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1 ether 00:04:5a:76:55:f0 media: Ethernet autoselect (100baseTX full-duplex) status: active dc1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2 inet 68.105.58.150 netmask 0xfe00 broadcast 68.105.59.255 ether 00:a0:cc:33:e1:f6 media: Ethernet autoselect (100baseTX full-duplex) status: active lp0: flags=8810POINTOPOINT,SIMPLEX,MULTICAST mtu 1500 lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 inet 127.0.0.1 netmask 0xff00 ppp0: flags=8010POINTOPOINT,MULTICAST mtu 1500 sl0: flags=c010POINTOPOINT,LINK2,MULTICAST mtu 552 faith0: flags=8002BROADCAST,MULTICAST mtu 1500 Here's resolv.conf: sara# more /etc/resolv.conf search pn.at.cox.net nameserver 68.105.161.20 nameserver 68.1.18.25 nameserver 68.10.16.30 Here's the entire rule set I'm trying to use. I did follow the comments. Please note the variable pif is set to dc1, my outside nic. Start of IPFW rules file ### # Flush out the list before we begin. 
ipfw -q -f flush # Set rules command prefix cmd=ipfw -q add skip=skipto 800 pif=dc1 # public interface name of Nic card # facing the public internet # # No restrictions on Inside Lan Interface for private network # Change xl0 to your Lan Nic card interface name # $cmd 005 allow all from any to any via dc0 # # No restrictions on Loopback Interface # $cmd 010 allow all from any to any via lo0 # # check if packet is inbound and nat address if it is # $cmd 014 divert natd ip from any to any in via $pif # # Allow the packet through if it has previous been added to the # the dynamic rules table by a allow keep-state statement. # $cmd 015 check-state # # Interface facing Public internet (Outbound Section) # Interrogate session start requests originating from behind the # firewall on the private network or from this gateway server # destine for the public internet. # # Allow out access to my ISP's Domain name server. # x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state # Allow out access to my ISP's DHCP server for cable/DSL configurations. $cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state # Allow out non-secure standard www function $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state # Allow out secure www function https over TLS SSL $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state # Allow out send get email function $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state # Allow out FBSD (make install CVSUP) functions # Basically give user root GOD privileges. 
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root # Allow out ping $cmd 080 $skip icmp from any to any out via $pif keep-state # Allow out Time $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state # Allow out nntp news (IE: news groups) $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state # Allow out secure
Re: Firewall Rule Set not allowing access to DNS servers?
On 2004-07-31 12:08, James A. Coulter [EMAIL PROTECTED] wrote: My LAN is configured with static IP addresses, 192.168.1.x. I have no problems communicating within the LAN. I have full connectivity with the internet from every machine on my LAN when the firewall is open. When I use the rule set in question, I can ping and send mail but I cannot access the DNS servers listed in resolv.conf. There are many ways in which your ruleset might break. Two of the most important comments I wanted to make when I first saw the posts of this thread are: a) Why do you use static rule numbers? You'd only have to use static rule numbers if your ruleset had more than 65536/100 = 655 rules. This limit is relatively hard to hit in a SOHO installation (Small Office, Home Office). If you do reach such limits, there's definitely something weird going on with the way your ruleset is written ;-) b) Why do you use so many rules that 'filter' outgoing traffic? I saw smtp, pop3, time, http, https and many others. You don't need to explicitly allow outgoing connections unless the users in the internal LAN are not to be trusted at all and even then IPFW is most of the time not the right way to do it. I'd probably just use something of this form in the /etc/ipfw.rules file and let rc.firewall find it by setting firewall_type=/etc/ipfw.rules in my rc.conf file: # First clean up all the rules of ipfw. flush # Packets should be passed to natd *before* any other rule as # mentioned in the natd(8) manpage, unlike your current script. add divert natd all from any to any via dc1 # Allow only lo0 interface to use the 127.0.0.1 address. add allow ip from 127.0.0.1 to 127.0.0.1 via lo0 add deny ip from 127.0.0.1 to any add deny ip from any to 127.0.0.1 # Add only the dc0 interface to receive or send packets in the # 192.168.0.0/16 address range. 
add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via dc0 add deny ip from 192.168.0.0/16 to any add deny ip from any to 192.168.0.0/16 # Block packets with addresses that are used in private networks # and should not appear in any of our interfaces below this point. add deny ip from 10.0.0.0/8 to any add deny ip from any to 10.0.0.0/8 add deny ip from 172.16.0.0/12 to any add deny ip from any to 172.16.0.0/12 # Allow DNS and NTP through. add allow udp from any to any 53,123 keep-state out # Pass all ICMP messages through. They're rate limited by the # kernel if sysctl net.inet.icmp.icmplim is enabled, so this is # not very unsafe to do. add allow icmp from any to any # # Stateful tcp filtering. # add check-state add deny tcp from any to any established # All outgoing and incoming connections are allowed in dc0 (private iface). # Only outgoing connections are allowed on dc1 (external iface). add allow tcp from any to any keep-state out xmit dc0 setup add allow tcp from any to any keep-state in recv dc0 setup add allow tcp from any to any keep-state out xmit dc1 setup # Only selected services are allowed to pass through external iface. add allow tcp from any to any 22 keep-state in recv dc1 setup add allow tcp from any to any 113 keep-state in recv dc1 setup # The default firewall policy. add deny log logamount 0 ip from any to any No inline numbers, a simpler layout and a logic that you can hopefully extend at the second from last paragraph to allow more services through your external interface (the `in recv dc1 setup' rules). Note that I haven't tested this, so it might contain syntax errors because it's based on the ruleset I'm using at home but it also includes some modifications. Instead of untangling the ruleset you're now trying to use which seemed unnecessarily complex to me, I'm posting this just in case it's useful but it's up to you to bring it to shape for your setup if it doesn't Just Work(TM) when you load it. 
- Giorgos
Re: [OT] Firewall Rule Set not allowing access to DNS servers?
There are many ways in which your ruleset might break. Two of the most important comments I wanted to make when I first saw the posts of this thread are: a) Why do you use static rule numbers? You'd only have to use static rule numbers if your ruleset had more than 65536/100 = 655 rules. This limit is relatively hard to hit in a SOHO installation (Small Office, Home Office). If you do reach such limits, there's definitely something weird going on with the way your ruleset is written ;-) Giorgos, I am interested in where I can get more information about this. Are you suggesting that IPFW reads the ruleset and formulates a rule number according to position in the script? (I always use custom scripts). If this is true, how does this ``dynamic'' feature get affected when one houses multiple rule _sets_? Can you please provide any links to information that I can gain valuable information on this? This would certainly make ruleset creation much easier ;o) Also, links to any information on how/what/why on the 16b/100 limit on the dynamic rules, so I (we) can learn more about this? I must admit, I've never even come within 1/15 of this number, but it is interesting. All my rules have always been simply, allow, allow, allow, DENY. Tks much, Steve b) Why do you use so many rules that 'filter' outgoing traffic? I saw smtp, pop3, time, http, https and many others. You don't need to explicitly allow outgoing connections unless the users in the internal LAN are not to be trusted at all and even then IPFW is most of the time not the right way to do it. I'd probably just use something of this form in the /etc/ipfw.rules file and let rc.firewall find it by setting firewall_type=/etc/ipfw.rules in my rc.conf file: # First clean up all the rules of ipfw. flush # Packets should be passed to natd *before* any other rule as # mentioned in the natd(8) manpage, unlike your current script. add divert natd all from any to any via dc1 # Allow only lo0 interface to use the 127.0.0.1 address. 
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0 add deny ip from 127.0.0.1 to any add deny ip from any to 127.0.0.1 # Add only the dc0 interface to receive or send packets in the # 192.168.0.0/16 address range. add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via dc0 add deny ip from 192.168.0.0/16 to any add deny ip from any to 192.168.0.0/16 # Block packets with addresses that are used in private networks # and should not appear in any of our interfaces below this point. add deny ip from 10.0.0.0/8 to any add deny ip from any to 10.0.0.0/8 add deny ip from 172.16.0.0/12 to any add deny ip from any to 172.16.0.0/12 # Allow DNS and NTP through. add allow udp from any to any 53,123 keep-state out # Pass all ICMP messages through. They're rate limited by the # kernel if sysctl net.inet.icmp.icmplim is enabled, so this is # not very unsafe to do. add allow icmp from any to any # # Stateful tcp filtering. # add check-state add deny tcp from any to any established # All outgoing and incoming connections are allowed in dc0 (private iface). # Only outgoing connections are allowed on dc1 (external iface). add allow tcp from any to any keep-state out xmit dc0 setup add allow tcp from any to any keep-state in recv dc0 setup add allow tcp from any to any keep-state out xmit dc1 setup # Only selected services are allowed to pass through external iface. add allow tcp from any to any 22 keep-state in recv dc1 setup add allow tcp from any to any 113 keep-state in recv dc1 setup # The default firewall policy. add deny log logamount 0 ip from any to any No inline numbers, a simpler layout and a logic that you can hopefully extend at the second from last paragraph to allow more services through your external interface (the `in recv dc1 setup' rules). Note that I haven't tested this, so it might contain syntax errors because it's based on the ruleset I'm using at home but it also includes some modifications. 
Instead of untangling the ruleset you're now trying to use which seemed unnecessarily complex to me, I'm posting this just in case it's useful but it's up to you to bring it to shape for your setup if it doesn't Just Work(TM) when you load it. - Giorgos
RE: Firewall Rule Set not allowing access to DNS servers?
My LAN is configured with static IP addresses, 192.168.1.x. I have no problems communicating within the LAN. I have full connectivity with the internet from every machine on my LAN when the firewall is open. When I use the rule set in question, I can ping and send mail but I cannot access the DNS servers listed in resolv.conf. These are the same DNS servers placed in resolv.conf when the firewall is open. I'm sorry, but I never said dc1 was my inside nic. Again, I appreciate any help with this. The files you requested follow. Must admit, I'm in a hurry to leave for the day, so I haven't read the ruleset etc, but what happens if you use the following entries, just after the divert rule?: ...allow udp from any to any 53 keep-state ...allow udp from any 53 to any keep-state ...allow tcp from any to any 53 keep-state Steve Here's my ifconfig - a: sara# ifconfig -a dc0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1 ether 00:04:5a:76:55:f0 media: Ethernet autoselect (100baseTX full-duplex) status: active dc1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2 inet 68.105.58.150 netmask 0xfe00 broadcast 68.105.59.255 ether 00:a0:cc:33:e1:f6 media: Ethernet autoselect (100baseTX full-duplex) status: active lp0: flags=8810POINTOPOINT,SIMPLEX,MULTICAST mtu 1500 lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 inet 127.0.0.1 netmask 0xff00 ppp0: flags=8010POINTOPOINT,MULTICAST mtu 1500 sl0: flags=c010POINTOPOINT,LINK2,MULTICAST mtu 552 faith0: flags=8002BROADCAST,MULTICAST mtu 1500 Here's resolv.conf: sara# more /etc/resolv.conf search pn.at.cox.net nameserver 68.105.161.20 nameserver 68.1.18.25 nameserver 68.10.16.30 Here's the entire rule set I'm trying to use. I did follow the comments. 
Please note the variable pif is set to dc1, my outside nic. Start of IPFW rules file ### # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd=ipfw -q add skip=skipto 800 pif=dc1 # public interface name of Nic card # facing the public internet # # No restrictions on Inside Lan Interface for private network # Change xl0 to your Lan Nic card interface name # $cmd 005 allow all from any to any via dc0 # # No restrictions on Loopback Interface # $cmd 010 allow all from any to any via lo0 # # check if packet is inbound and nat address if it is # $cmd 014 divert natd ip from any to any in via $pif # # Allow the packet through if it has previous been added to the # the dynamic rules table by a allow keep-state statement. # $cmd 015 check-state # # Interface facing Public internet (Outbound Section) # Interrogate session start requests originating from behind the # firewall on the private network or from this gateway server # destine for the public internet. # # Allow out access to my ISP's Domain name server. # x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state # Allow out access to my ISP's DHCP server for cable/DSL configurations. 
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state # Allow out non-secure standard www function $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state # Allow out secure www function https over TLS SSL $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state # Allow out send get email function $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state # Allow out FBSD (make install CVSUP) functions # Basically give user root GOD
RE: Firewall Rule Set not allowing access to DNS servers?
Look back at the ipfw sample rule set and you will see that there are both udp and tcp protocol access to DNS. Also note that udp does not use the setup keyword. # Allow out access to my ISP's Domain name server. # x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state $cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state Your DNS rules are # Allow out access to my ISP's Domain name server. # x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state As you can see you have no tcp protocol statements. Your udp rules use the setup keyword which is only for tcp rules, so your udp packets never match this rule and default to getting blocked, which is why you get log error messages and you can not access the public internet. Also if you look closely at the first 4 ipfw log messages you will see the first message is about ip address 193.0.14.129 which is the primary dns server pointed to by url search pn.at.cox.net in /etc/resolv.conf Change your DNS rules to look like this # Allow out access to my ISP's Domain name server. 
# x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 020 $skip udp from any to 193.0.14.129 53 out via $pif keep-state $cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state $cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state $cmd 023 $skip udp from any to 68.105.161.20 53 out via $pif keep-state $cmd 024 $skip tcp from any to 193.0.14.129 53 out via $pif setup keep-state $cmd 025 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state $cmd 026 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state $cmd 027 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of James A. Coulter Sent: Saturday, July 31, 2004 1:09 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Firewall Rule Set not allowing access to DNS servers? My LAN is configured with static IP addresses, 192.168.1.x. I have no problems communicating within the LAN. I have full connectivity with the internet from every machine on my LAN when the firewall is open. When I use the rule set in question, I can ping and send mail but I cannot access the DNS servers listed in resolv.conf. These are the same DNS servers placed in resolv.conf when the firewall is open. I'm sorry, but I never said dc1 was my inside nic. Again, I appreciate any help with this. The files you requested follow. 
Here's my ifconfig - a: sara# ifconfig -a dc0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1 ether 00:04:5a:76:55:f0 media: Ethernet autoselect (100baseTX full-duplex) status: active dc1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2 inet 68.105.58.150 netmask 0xfe00 broadcast 68.105.59.255 ether 00:a0:cc:33:e1:f6 media: Ethernet autoselect (100baseTX full-duplex) status: active lp0: flags=8810POINTOPOINT,SIMPLEX,MULTICAST mtu 1500 lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 inet 127.0.0.1 netmask 0xff00 ppp0: flags=8010POINTOPOINT,MULTICAST mtu 1500 sl0: flags=c010POINTOPOINT,LINK2,MULTICAST mtu 552 faith0: flags=8002BROADCAST,MULTICAST mtu 1500 Here's resolv.conf: sara# more /etc/resolv.conf search pn.at.cox.net nameserver 68.105.161.20 nameserver 68.1.18.25 nameserver 68.10.16.30 Here's the entire rule set I'm trying to use. I did follow the comments. Please note the variable pif is set to dc1, my outside nic. Start of IPFW rules file ### # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd=ipfw -q add skip=skipto 800 pif=dc1 # public interface name of Nic card # facing the public internet # # No restrictions on Inside Lan Interface for private network # Change xl0 to your Lan Nic card interface name # $cmd 005 allow all from any to any via dc0
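Added example, not part of JJB's post or of the handbook rule set: a static checker for the kind of ipfw shell script posted in this thread. It expands the script's own `$cmd`, `$skip` and `$pif` variables (values taken from the posted script), parses each `ipfw add` line, and reports the two mistakes that matter here: the TCP-only `setup` option on a udp rule, which is exactly the defect diagnosed above, and a `skipto` whose target is not a higher existing rule number. The sample script is a constructed excerpt of the posted rule set with the comments dropped; nothing here reproduces ipfw's full grammar, and a rule the checker accepts can still be wrong for other reasons.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values of the shell variables used by the posted script (from the thread).
SCRIPT_VARS = {"cmd": "ipfw -q add", "skip": "skipto 800", "pif": "dc1"}

# Constructed excerpt of the posted rule set: the same rule lines, comments dropped.
SAMPLE_SCRIPT = """
$cmd 005 allow all from any to any via dc0
$cmd 010 allow all from any to any via lo0
$cmd 014 divert natd ip from any to any in via $pif
$cmd 015 check-state
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
"""

# Actions whose first token is a target (rule number, divert port, pipe, ...).
ACTIONS_WITH_ARG = {"skipto", "divert", "tee", "pipe", "queue", "fwd", "forward"}
RULE_RE = re.compile(r"^ipfw\s+(?:-q\s+)?add\s+(\d+)\s+(.+)$")


@dataclass
class Rule:
    number: int
    action: str
    arg: Optional[str]
    body: List[str]  # protocol, from/to clauses and options, as written

    @property
    def proto(self) -> Optional[str]:
        return self.body[0].lower() if self.body else None


def expand(line: str, variables: Dict[str, str]) -> str:
    """Substitute $name shell variables; unknown names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), line)


def parse_rules(script: str, variables: Dict[str, str]) -> List[Rule]:
    rules = []
    for raw in script.splitlines():
        line = expand(raw.split("#", 1)[0], variables).strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, flush, variable assignments
        tokens = m.group(2).split()
        action = tokens[0].lower()
        has_arg = action in ACTIONS_WITH_ARG and len(tokens) > 1
        rules.append(Rule(int(m.group(1)), action,
                          tokens[1] if has_arg else None,
                          tokens[2:] if has_arg else tokens[1:]))
    return rules


def lint(script: str, variables: Dict[str, str] = SCRIPT_VARS) -> List[Tuple[int, str]]:
    """Return (rule number, message) findings for rules that cannot work as written."""
    rules = parse_rules(script, variables)
    numbers = {r.number for r in rules}
    findings = []
    for r in rules:
        options = {t.lower() for t in r.body}
        # 'setup' matches only TCP packets with SYN set and ACK clear, so on
        # any other protocol the rule never matches and the packet falls through.
        if "setup" in options and r.proto != "tcp":
            findings.append((r.number, f"'setup' on a {r.proto} rule never matches"))
        # skipto jumps forward only, to the first rule numbered >= target.
        if r.action == "skipto" and r.arg and r.arg.isdigit():
            target = int(r.arg)
            if target <= r.number:
                findings.append((r.number, "skipto target must be a higher rule number"))
            elif target not in numbers:
                findings.append((r.number, f"skipto target {target} has no rule with that number"))
    return findings


if __name__ == "__main__":
    for number, message in lint(SAMPLE_SCRIPT):
        print(f"rule {number:05d}: {message}")
```

Run against the posted script it flags rules 020, 021 and 022 and nothing else; once those three lines lose `setup` (and get a tcp twin with `setup keep-state`, as JJB shows) the output is empty. Because the checker only parses lines that start with `ipfw ... add` after expansion, it is safe to point at the whole script file including the `flush` and the variable assignments.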
RE: Firewall Rule Set not allowing access to DNS servers?
Rule numbers have to be hard coded in this ipfw rule set because of the skipto rule. How else can you identify the skipto target rule if you allow ipfw to auto-assign rule numbers?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Bertrand
Sent: Saturday, July 31, 2004 2:03 PM
To: James A. Coulter
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

> My LAN is configured with static IP addresses, 192.168.1.x. I have no
> problems communicating within the LAN. I have full connectivity with the
> internet from every machine on my LAN when the firewall is open. When I
> use the rule set in question, I can ping and send mail but I cannot
> access the DNS servers listed in resolv.conf. These are the same DNS
> servers placed in resolv.conf when the firewall is open.
>
> I'm sorry, but I never said dc1 was my inside nic.
>
> Again, I appreciate any help with this. The files you requested follow.

Must admit, I'm in a hurry to leave for the day, so I haven't read the ruleset etc, but what happens if you use the following entries, just after the divert rule?:

    ...allow udp from any to any 53 keep-state
    ...allow udp from any 53 to any keep-state
    ...allow tcp from any to any 53 keep-state

Steve

> Here's my ifconfig -a:
>
>     sara# ifconfig -a
>     dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>             inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>             inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
>             ether 00:04:5a:76:55:f0
>             media: Ethernet autoselect (100baseTX <full-duplex>)
>             status: active
>     dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>             inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
>             inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255
>             ether 00:a0:cc:33:e1:f6
>             media: Ethernet autoselect (100baseTX <full-duplex>)
>             status: active
>     lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
>     lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>             inet6 ::1 prefixlen 128
>             inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>             inet 127.0.0.1 netmask 0xff000000
>     ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>     sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
>     faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
>
> Here's resolv.conf:
>
>     sara# more /etc/resolv.conf
>     search pn.at.cox.net
>     nameserver 68.105.161.20
>     nameserver 68.1.18.25
>     nameserver 68.10.16.30
>
> Here's the entire rule set I'm trying to use. I did follow the comments.
> Please note the variable pif is set to dc1, my outside nic.
>
>     ### Start of IPFW rules file ###
>     # Flush out the list before we begin.
>     ipfw -q -f flush
>
>     # Set rules command prefix
>     cmd="ipfw -q add"
>     skip="skipto 800"
>     pif="dc1"        # public interface name of Nic card
>                      # facing the public internet
>     #
>     # No restrictions on Inside Lan Interface for private network
>     # Change xl0 to your Lan Nic card interface name
>     #
>     $cmd 005 allow all from any to any via dc0
>     #
>     # No restrictions on Loopback Interface
>     #
>     $cmd 010 allow all from any to any via lo0
>     #
>     # check if packet is inbound and nat address if it is
>     #
>     $cmd 014 divert natd ip from any to any in via $pif
>     #
>     # Allow the packet through if it has previously been added to
>     # the dynamic rules table by an allow keep-state statement.
>     #
>     $cmd 015 check-state
>     #
>     # Interface facing Public internet (Outbound Section)
>     # Interrogate session start requests originating from behind the
>     # firewall on the private network or from this gateway server
>     # destined for the public internet.
>     #
>     # Allow out access to my ISP's Domain name server.
>     # x.x.x.x must be the IP address of your ISP's DNS
>     # Dup these lines if your ISP has more than one DNS server
>     # Get the IP addresses from /etc/resolv.conf file
>     $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
>     $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
>     $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
>     # Allow out access to my ISP's DHCP server for cable/DSL configurations.
>     $cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state
>     # Allow out non-secure standard www function
RE: Firewall Rule Set not allowing access to DNS servers?
If you had read the start of the thread you would have read the new handbook firewall section rewrite, which explains in detail why there are rules to control access to the public internet from LAN users.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Giorgos Keramidas
Sent: Saturday, July 31, 2004 1:36 PM
To: James A. Coulter
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Firewall Rule Set not allowing access to DNS servers?

On 2004-07-31 12:08, James A. Coulter <[EMAIL PROTECTED]> wrote:
> My LAN is configured with static IP addresses, 192.168.1.x. I have no
> problems communicating within the LAN. I have full connectivity with the
> internet from every machine on my LAN when the firewall is open. When I
> use the rule set in question, I can ping and send mail but I cannot
> access the DNS servers listed in resolv.conf.

There are many ways in which your ruleset might break. Two of the most important comments I wanted to make when I first saw the posts of this thread are:

a) Why do you use static rule numbers? You'd only have to use static rule numbers if your ruleset had more than 65536/100 = 655 rules. This limit is relatively hard to hit in a SOHO installation (Small Office, Home Office). If you do reach such limits, there's definitely something weird going on with the way your ruleset is written ;-)

b) Why do you use so many rules that 'filter' outgoing traffic? I saw smtp, pop3, time, http, https and many others. You don't need to explicitly allow outgoing connections unless the users in the internal LAN are not to be trusted at all, and even then IPFW is most of the time not the right way to do it.

I'd probably just use something of this form in the /etc/ipfw.rules file and let rc.firewall find it by setting firewall_type="/etc/ipfw.rules" in my rc.conf file:

    # First clean up all the rules of ipfw.
    flush

    # Packets should be passed to natd *before* any other rule as
    # mentioned in the natd(8) manpage, unlike your current script.
    add divert natd all from any to any via dc1

    # Allow only lo0 interface to use the 127.0.0.1 address.
    add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    add deny ip from 127.0.0.1 to any
    add deny ip from any to 127.0.0.1

    # Add only the dc0 interface to receive or send packets in the
    # 192.168.0.0/16 address range.
    add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via dc0
    add deny ip from 192.168.0.0/16 to any
    add deny ip from any to 192.168.0.0/16

    # Block packets with addresses that are used in private networks
    # and should not appear in any of our interfaces below this point.
    add deny ip from 10.0.0.0/8 to any
    add deny ip from any to 10.0.0.0/8
    add deny ip from 172.16.0.0/12 to any
    add deny ip from any to 172.16.0.0/12

    # Allow DNS and NTP through.
    add allow udp from any to any 53,123 keep-state out

    # Pass all ICMP messages through. They're rate limited by the
    # kernel if sysctl net.inet.icmp.icmplim is enabled, so this is
    # not very unsafe to do.
    add allow icmp from any to any

    #
    # Stateful tcp filtering.
    #
    add check-state
    add deny tcp from any to any established

    # All outgoing and incoming connections are allowed in dc0 (private iface).
    # Only outgoing connections are allowed on dc1 (external iface).
    add allow tcp from any to any keep-state out xmit dc0 setup
    add allow tcp from any to any keep-state in recv dc0 setup
    add allow tcp from any to any keep-state out xmit dc1 setup

    # Only selected services are allowed to pass through external iface.
    add allow tcp from any to any 22 keep-state in recv dc1 setup
    add allow tcp from any to any 113 keep-state in recv dc1 setup

    # The default firewall policy.
    add deny log logamount 0 ip from any to any

No inline numbers, a simpler layout and a logic that you can hopefully extend at the second from last paragraph to allow more services through your external interface (the `in recv dc1 setup' rules).

Note that I haven't tested this, so it might contain syntax errors, because it's based on the ruleset I'm using at home but it also includes some modifications. Instead of untangling the ruleset you're now trying to use, which seemed unnecessarily complex to me, I'm posting this just in case it's useful, but it's up to you to bring it to shape for your setup if it doesn't Just Work(TM) when you load it.

- Giorgos
Re: Firewall Rule Set not allowing access to DNS servers?
[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB <[EMAIL PROTECTED]> wrote:
> Giorgos Keramidas wrote on July 31, 2004 1:36 PM
> > On 2004-07-31 12:08, James A. Coulter <[EMAIL PROTECTED]> wrote:
> > > My LAN is configured with static IP addresses, 192.168.1.x. I have no
> > > problems communicating within the LAN. I have full connectivity with
> > > the internet from every machine on my LAN when the firewall is open.
> > > When I use the rule set in question, I can ping and send mail but I
> > > cannot access the DNS servers listed in resolv.conf.
> >
> > There are many ways in which your ruleset might break. Two of the most
> > important comments I wanted to make when I first saw the posts of this
> > thread are:
> > [...]
> > b) Why do you use so many rules that 'filter' outgoing traffic? I saw
> > smtp, pop3, time, http, https and many others. You don't need to
> > explicitly allow outgoing connections unless the users in the internal
> > LAN are not to be trusted at all and even then IPFW is most of the time
> > not the right way to do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite which explains in detail why there are
> rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of your posts and available online at:

    http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be cool if it was somehow incorporated into the Handbook. It's not yet, but I like most of the text so I hope it gets converted to SGML and added to the Handbook either in parts or as a whole.

If by "... which explains in detail why ..." you refer to this particular quote from that document, I'm not sure that it is always a good idea, but that's my own opinion:

    The Outbound section in the following rule set only contains `pass'
    rules which contain selection values that uniquely identify the
    service that is authorized for public internet access.

In a corporate environment, where access to the Internet has to be limited and/or controlled in a more or less strict manner, it looks like a great idea. At home, where a couple of machines share a single Internet connection through a dialup or DSL line, this might be a bit too limiting ;-)

- Giorgos
Re: [OT] Firewall Rule Set not allowing access to DNS servers?
On 2004-07-31 13:51, Steve Bertrand <[EMAIL PROTECTED]> wrote:
> > There are many ways in which your ruleset might break. Two of the most
> > important comments I wanted to make when I first saw the posts of this
> > thread are:
> >
> > a) Why do you use static rule numbers? You'd only have to use static
> > rule numbers if your ruleset had more than 65536/100 = 655 rules. This
> > limit is relatively hard to hit in a SOHO installation (Small Office,
> > Home Office). If you do reach such limits, there's definitely something
> > weird going on with the way your ruleset is written ;-)
>
> Giorgos, I am interested in where I can get more information about this.
> Are you suggesting that IPFW reads the ruleset and formulates a rule
> number according to position in the script? (I always use custom scripts).

The description of `rule number' in the ipfw(8) manpage explains the way ipfw chooses rule numbers automatically:

    rule_number
            Each rule is associated with a rule_number in the range
            1..65535, with the latter reserved for the default rule.
            [...] If a rule is entered without specifying a number, the
            kernel will assign one in such a way that the rule becomes
            the last one before the default rule. Automatic rule numbers
            are assigned by incrementing the last non-default rule number
            by the value of the sysctl variable net.inet.ip.fw.autoinc_step
            which defaults to 100.

This means that the largest number of rules you can add with unique numbers is 65534. The 65535 rule is the default firewall rule, either a deny rule or an allow if the kernel was compiled with the option IPFIREWALL_DEFAULT_TO_ACCEPT enabled.

The autoincrement step is the number that is automatically added to rule numbers when you don't specify one. For example, note the numbers that get assigned to the rules below:

    [EMAIL PROTECTED]:49]/root# kldload ipfw
    [EMAIL PROTECTED]:49]/root# ipfw -q flush
    [EMAIL PROTECTED]:49]/root# ipfw add pass ip from 127.0.0.1 to 127.0.0.1 via lo0
    00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    [EMAIL PROTECTED]:49]/root# ipfw add deny ip from 127.0.0.1 to any
    00200 deny ip from 127.0.0.1 to any
    [EMAIL PROTECTED]:49]/root# ipfw add deny ip from any to 127.0.0.1
    00300 deny ip from any to 127.0.0.1
    [EMAIL PROTECTED]:49]/root# ipfw show
    00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 0 0 deny ip from 127.0.0.1 to any
    00300 0 0 deny ip from any to 127.0.0.1
    65535 0 0 deny ip from any to any
    [EMAIL PROTECTED]:49]/root# ipfw -q flush
    [EMAIL PROTECTED]:49]/root# kldunload ipfw
    [EMAIL PROTECTED]:49]/root#

> If this is true, how does this ``dynamic'' feature get affected when one
> houses multiple rule _sets_?

If you have multiple sets of rules that you load at random times, and the rulesets do not explicitly specify a starting rule number, they'll be ``stacked on top of each other'' as shown below:

    [EMAIL PROTECTED]:56]/root# ls -l ruleset*
    -rw-r--r--  1 root  wheel  - 117 Aug  1 01:54 ruleset-lo0
    -rw-r--r--  1 root  wheel  -  61 Aug  1 01:55 ruleset-misc
    -rw-r--r--  1 root  wheel  - 161 Aug  1 01:56 ruleset-tcp
    [EMAIL PROTECTED]:56]/root# cat ruleset-lo0
    add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    add deny ip from 127.0.0.1 to any
    add deny ip from any to 127.0.0.1
    [EMAIL PROTECTED]:56]/root# cat ruleset-misc
    add allow udp from any to any
    add allow icmp from any to any
    [EMAIL PROTECTED]:56]/root# cat ruleset-tcp
    add check-state
    add deny tcp from any to any established
    add allow tcp from any to any out setup keep-state
    add allow tcp from any to any 22 in setup keep-state
    [EMAIL PROTECTED]:56]/root# kldload ipfw
    [EMAIL PROTECTED]:57]/root# ipfw -q flush
    [EMAIL PROTECTED]:57]/root# ipfw show
    65535 0 0 deny ip from any to any
    [EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-lo0
    00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 deny ip from 127.0.0.1 to any
    00300 deny ip from any to 127.0.0.1
    [EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-misc *
    00400 allow udp from any to any
    00500 allow icmp from any to any
    [EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-tcp *
    00600 check-state
    00700 deny tcp from any to any established
    00800 allow tcp from any to any out setup keep-state
    00900 allow tcp from any to any dst-port 22 in setup keep-state
    [EMAIL PROTECTED]:57]/root# ipfw show
    00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 0 0 deny ip from 127.0.0.1 to any
    00300 0 0 deny ip from any to 127.0.0.1
    00400 0 0 allow udp from any to any
    00500 0 0 allow icmp from any to any
    00600 0 0 check-state
    00700 0 0 deny tcp from any to any established
    00800 0 0 allow tcp from any to any out setup keep-state
    00900 0 0 allow tcp from any to any dst-port 22 in setup keep
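Added here as an illustration (not code from the thread or from ipfw itself): a small Python model of the numbering behaviour the manpage excerpt describes, showing how successive rule files stack and where a literal skipto target lands when numbers are auto-assigned. The three rule files are typed in from the session above; the model's refusal at the top of the number range is a simplification of ours, not ipfw's exact behaviour there.

```python
"""Model of ipfw's automatic rule numbering (added example, not from the thread).

A rule entered without a number goes last before the default rule 65535 and
gets last_non_default + net.inet.ip.fw.autoinc_step (default 100); a rule
with an explicit number is inserted in numeric order. Loading several files
in a row simply stacks them, so a literal skipto target is only stable when
the target rule was numbered by hand.
"""
from typing import Dict, List, Optional, Tuple

DEFAULT_RULE = 65535


class RuleTable:
    def __init__(self, autoinc_step: int = 100):
        self.step = autoinc_step
        self.rules: List[Tuple[int, str]] = []  # kept sorted by number

    def add(self, body: str, number: Optional[int] = None) -> int:
        if number is None:
            last = self.rules[-1][0] if self.rules else 0
            number = last + self.step
        # Simplification (assumption of this model): refuse anything that
        # does not fit below the default rule instead of modelling the kernel.
        if not 1 <= number < DEFAULT_RULE:
            raise ValueError(f"rule number {number} not in 1..{DEFAULT_RULE - 1}")
        pos = len(self.rules)
        for i, (n, _) in enumerate(self.rules):
            if n > number:  # a re-used number lands after the existing rule
                pos = i
                break
        self.rules.insert(pos, (number, body))
        return number

    def load(self, text: str) -> List[int]:
        """Load text in the `ipfw <file>` syntax: 'add [N] <rule>' per line."""
        assigned = []
        for line in text.splitlines():
            words = line.split()
            if not words or words[0].startswith("#"):
                continue
            if words[0] == "flush":
                self.rules.clear()
            elif words[0] == "add" and len(words) > 1 and words[1].isdigit():
                assigned.append(self.add(" ".join(words[2:]), int(words[1])))
            elif words[0] == "add":
                assigned.append(self.add(" ".join(words[1:])))
            else:
                raise ValueError(f"unsupported line: {line!r}")
        return assigned

    def resolve_skipto(self, target: int) -> int:
        """skipto N resumes at the first rule numbered >= N (else the default)."""
        for n, _ in self.rules:
            if n >= target:
                return n
        return DEFAULT_RULE

    def show(self) -> List[str]:
        lines = [f"{n:05d} {body}" for n, body in self.rules]
        return lines + [f"{DEFAULT_RULE:05d} deny ip from any to any"]


def max_auto_rules(step: int = 100) -> int:
    """Unnumbered rules that fit below 65535 at this step (655 at step 100)."""
    return (DEFAULT_RULE - 1) // step


# The three rule files from the session above, typed in as constructed input.
RULE_FILES: Dict[str, str] = {
    "ruleset-lo0": """
        add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
        add deny ip from 127.0.0.1 to any
        add deny ip from any to 127.0.0.1
    """,
    "ruleset-misc": """
        add allow udp from any to any
        add allow icmp from any to any
    """,
    "ruleset-tcp": """
        add check-state
        add deny tcp from any to any established
        add allow tcp from any to any out setup keep-state
        add allow tcp from any to any 22 in setup keep-state
    """,
}

if __name__ == "__main__":
    table = RuleTable()
    for name, text in RULE_FILES.items():
        print(f"{name}: assigned {table.load(text)}")
    print("\n".join(table.show()))
    print("skipto 800 lands on", table.resolve_skipto(800))
```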
RE: Firewall Rule Set not allowing access to DNS servers?
Giorgos,

Thank you for your opinion about my rewrite of the handbook firewall section. It has been turned over to the FreeBSD doc group and they are sanitizing the English and getting it prepared for update to the handbook.

To address your opinion that the rule set may be too limiting for a home user: this is covered by the following section from the document.

* Firewall Rule Set Types
Constructing a software application firewall rule set may seem to be trivial, but most people get it wrong. The most common mistake is to create an exclusive firewall rather than an inclusive firewall. An exclusive firewall allows all services through except for those matching a set of rules that block certain services. An inclusive firewall does the reverse. It only allows services matching the rules through and blocks everything else. This way you can control what services can originate behind the firewall destined for the public internet and also control which services originating from the public internet may access your network. Inclusive firewalls are far more secure than exclusive firewalls. *

Now many home LAN environments have ms/windows boxes and that system is the target of all the adware and spyware programs. These unauthorized programs almost always use non-standard ports to phone home and report on your activity. The only way to defend against the 'report home action' is to block all outbound ports except for those explicitly allowed by firewall rules.

Sure the ipfw firewall rule set you posted will work, but it's so much less secure than the ones contained in the document I wrote. Why have a poorly defined firewall rule set that leaves a wide open doorway to the public internet when just a few more rules will result in the maximum protection possible? My document is written to give the reader the maximum protection possible by just using the included samples. This removes the trial and error testing the user has to go through now using the current handbook as a guide.

New subject. I see from your post what looks like you have an automated way to reformat MS/outlook top post to Unix bottom post format. I sure would like to know how you are doing this. I have been on this list for 4 years and I have never seen this before. Would you please share with me and the other readers how you do this.

Thanks
Joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Giorgos Keramidas
Sent: Saturday, July 31, 2004 6:43 PM
To: JJB
Cc: [EMAIL PROTECTED]
Subject: Re: Firewall Rule Set not allowing access to DNS servers?

[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB <[EMAIL PROTECTED]> wrote:
> Giorgos Keramidas wrote on July 31, 2004 1:36 PM
> > On 2004-07-31 12:08, James A. Coulter <[EMAIL PROTECTED]> wrote:
> > > My LAN is configured with static IP addresses, 192.168.1.x. I have no
> > > problems communicating within the LAN. I have full connectivity with
> > > the internet from every machine on my LAN when the firewall is open.
> > > When I use the rule set in question, I can ping and send mail but I
> > > cannot access the DNS servers listed in resolv.conf.
> >
> > There are many ways in which your ruleset might break. Two of the most
> > important comments I wanted to make when I first saw the posts of this
> > thread are:
> > [...]
> > b) Why do you use so many rules that 'filter' outgoing traffic? I saw
> > smtp, pop3, time, http, https and many others. You don't need to
> > explicitly allow outgoing connections unless the users in the internal
> > LAN are not to be trusted at all and even then IPFW is most of the time
> > not the right way to do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite which explains in detail why there are
> rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of your posts and available online at:

    http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be cool if it was somehow incorporated into the Handbook. It's not yet, but I like most of the text so I hope it gets converted to SGML and added to the Handbook either in parts or as a whole.

If by "... which explains in detail why ..." you refer to this particular quote from that document, I'm not sure that it is always a good idea, but that's my own opinion:

    The Outbound section in the following rule set only contains `pass'
    rules which contain selection values that uniquely identify the
    service that is authorized for public internet access.

In a corporate environment, where access to the Internet has to be limited and/or controlled in a more or less strict manner, it looks like a great idea. At home, where a couple of machines share a single Internet connection through a dialup or DSL
Re: Firewall Rule Set not allowing access to DNS servers?
On 2004-07-31 20:07, JJB <[EMAIL PROTECTED]> wrote:
> Now many home LAN environments have ms/windows boxes and that system is
> the target of all the adware and spyware programs. These unauthorized
> programs almost always use non-standard ports to phone home and report
> on your activity. The only way to defend against the 'report home
> action' is to block all outbound ports except for those explicitly
> allowed by firewall rules.

Ah, yes. This makes much more sense. I never thought of this because the computers I have at home run only UNIX variants now. In such cases, you're right that outbound traffic needs to be controlled in some way.

> New subject. I see from your post what looks like you have an automated
> way to reformat MS/outlook top post to Unix bottom post format. I sure
> would like to know how you are doing this. I have been on this list for
> 4 years and I have never seen this before. Would you please share with
> me and the other readers how you do this.

`Manually' is the short answer. I don't usually spend the time to hit the right keys in Emacs to reformat the message. Your message is one of the few exceptions, because I really wanted to reply. Most of the time, when I see text that Outlook has converted magically to garbage I hit DEL.

The tricks I use in Emacs are simple -- not really automated stuff. `C-x .' sets the fill-prefix and a few RET lines will quickly separate the message in sections like these:

    When I use the rule set in question, I can ping and send mail but I
    cannot access the DNS servers listed in resolv.conf.

    There are many ways in which your ruleset might break. Two of the
    most important comments I wanted to make when I first saw the posts
    of this thread are:
    [...]

    I've read a very detailed guide that you wrote, linked by one of your
    posts and available online at:

    http://freebsd.a1poweruser.com:6088/FBSD_firewall/

    This guide contains a great deal of useful information and it would
    be cool if it was somehow incorporated to the Handbook.

    It's not yet, but I like most of the text so I hope it gets converted
    to SGML and added to the Handbook either in parts or as a whole.

Moving the pointer just past the `>' or text that I want to use as the quotation mark and hitting `C-x .' sets the fill-prefix, and then `M-q' (or ESC-q) refills the paragraph. Some lines like the ones that Outlook has wrapped in weird ways, i.e. like this:

    When I use the rule set in question, I can ping and send mail but

might need a bit of editing before M-q filling works correctly, but these are usually very few after I've trimmed the text.

- Giorgos
Firewall Rule Set not allowing access to DNS servers?
I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My outside interface (dc1) is connected to a cable modem and is configured for DHCP. I have compiled and installed a custom kernel with IPFIREWALL and IPDIVERT options and, with a rule set allowing any to any, have no problems. I am in the process of adding a proper rule set to provide security. I was referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and installed the Stateful + NATD Rule Set modified for my outside interface, domain name servers, and DHCP server.

I can ping IP addresses and pass SMTP mail back and forth from the gateway/router and all machines on the LAN, but I cannot ping URLs - I am getting "ping: cannot resolve www.freebsd.org: Host name lookup failure" errors.

This is what ipfw -a list looks like:

    sara# ipfw -a list
    5 0 0 allow ip from any to any via xl0
    00010 52 3640 allow ip from any to any via lo0
    00014 0 0 divert 8668 ip from any to any in recv dc1
    00015 0 0 check-state
    00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
    00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
    00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
    00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
    00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
    00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
    00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
    00061 0 0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
    00070 0 0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
    00080 0 0 skipto 800 icmp from any to any keep-state out xmit dc1
    00090 0 0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
    00100 0 0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
    00110 0 0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
    00120 0 0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
    00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
    00300 0 0 deny ip from 192.168.0.0/16 to any in recv dc1
    00301 0 0 deny ip from 172.16.0.0/12 to any in recv dc1
    00302 0 0 deny ip from 10.0.0.0/8 to any in recv dc1
    00303 0 0 deny ip from 127.0.0.0/8 to any in recv dc1
    00304 0 0 deny ip from 0.0.0.0/8 to any in recv dc1
    00305 0 0 deny ip from 169.254.0.0/16 to any in recv dc1
    00306 0 0 deny ip from 192.0.2.0/24 to any in recv dc1
    00307 0 0 deny ip from 204.152.64.0/23 to any in recv dc1
    00308 0 0 deny ip from 224.0.0.0/3 to any in recv dc1
    00315 0 0 deny tcp from any to any 113 in recv dc1
    00320 0 0 deny tcp from any to any 137 in recv dc1
    00321 0 0 deny tcp from any to any 138 in recv dc1
    00322 0 0 deny tcp from any to any 139 in recv dc1
    00323 0 0 deny tcp from any to any 81 in recv dc1
    00330 0 0 deny ip from any to any in recv dc1 frag
    00332 0 0 deny tcp from any to any in recv dc1 established
    00360 0 0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
    00370 0 0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
    00370 0 0 allow tcp from any to me limit src-addr 2 in recv dc1 setup
    00380 0 0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
    00400 0 0 deny log logamount 10 ip from any to any in recv dc1
    00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
    00800 0 0 divert 8668 ip from any to any out xmit dc1
    00801 645 59255 allow ip from any to any
    00999 0 0 deny log logamount 10 ip from any to any
    65535 1 347 deny ip from any to any

This is what my /etc/rc.conf looks like:

    hostname="sara.mshome.net"
    ifconfig_dc1="DHCP"
    ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    firewall_logging="YES"
    kern_securelevel_enable="NO"
    linux_enable="YES"
    moused_enable="YES"
    named_enable="YES"
    nfs_client_enable="YES"
    nfs_reserved_port_only="YES"
    nfs_server_enable="YES"
    sendmail_enable="YES"
    sshd_enable="YES"
    usbd_enable="YES"
    ntpd_enable="YES"
    inetd_enable="YES"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="dc1"
    natd_flags="-dynamic"

Finally, this is what /etc/resolv.conf looks like:

    sara# more /etc/resolv.conf
    search pn.at.cox.net
    nameserver 68.105.161.20
    nameserver 68.1.18.25
    nameserver 68.10.16.30

Any ideas?

Thanks,
Jim C.
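A reviewer's first pass over a listing like the one above, as an added example that is not code from the thread: it parses `ipfw -a list` output and flags pass rules for port 53 that match only tcp (a resolver sends its queries over UDP first, which is also what Steve's suggested udp 53 entries address), deny rules whose packet counters are already non-zero, and duplicate rule numbers. The sample listing is a constructed excerpt of the one in the post.

```python
"""Reviewer checks over `ipfw -a list` output (added example, not from the thread).

The listing format is the one the post shows: rule number, packet counter,
byte counter, then the rule body. Three things worth looking at before
changing any rule:
  * pass rules for port 53 that match only tcp (resolvers try UDP first),
  * deny rules whose packet counter is non-zero (where traffic is dying),
  * duplicate rule numbers (two rules sharing one number).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# "<number> <packets> <bytes> <rule body>" as printed by `ipfw -a list`.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")
# The protocol keyword sits right before "from": "... tcp from any to ...".
PROTO_RE = re.compile(r"\b(tcp|udp|icmp|ip)\s+from\b")
# Destination ports follow the destination address ("to any 80") or, in
# the other listing style on this page, a "dst-port 22" keyword.
DST_PORT_RE = re.compile(r"(?:\bto\s+\S+\s+|\bdst-port\s+)(\d+(?:,\d+)*)\b")

PASS_ACTIONS = {"allow", "accept", "pass", "permit", "skipto"}
DENY_ACTIONS = {"deny", "drop", "reject", "unreach"}


@dataclass
class Rule:
    number: int
    packets: int
    octets: int
    body: str

    @property
    def action(self) -> str:
        return self.body.split()[0]

    @property
    def proto(self) -> Optional[str]:
        m = PROTO_RE.search(self.body)
        return m.group(1) if m else None

    def dst_ports(self) -> Set[str]:
        m = DST_PORT_RE.search(self.body)
        return set(m.group(1).split(",")) if m else set()


def parse_listing(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4].strip()))
    return rules


def dns_only_over_tcp(rules: List[Rule]) -> List[int]:
    """Numbers of tcp-only port-53 pass rules when no pass rule covers UDP 53.

    skipto is treated as a pass because in the posted ruleset it jumps to
    the outbound divert/allow pair at 800/801."""
    port53 = [r for r in rules if r.action in PASS_ACTIONS and "53" in r.dst_ports()]
    if any(r.proto == "udp" for r in port53):
        return []
    return [r.number for r in port53 if r.proto == "tcp"]


def busy_deny_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(number, packets) for deny rules that have actually dropped something."""
    return [(r.number, r.packets) for r in rules
            if r.action in DENY_ACTIONS and r.packets > 0]


def duplicate_numbers(rules: List[Rule]) -> List[int]:
    counts = {}
    for r in rules:
        counts[r.number] = counts.get(r.number, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


# Constructed excerpt of the `ipfw -a list` output from the post above.
SAMPLE_LISTING = """\
00014      0      0 divert 8668 ip from any to any in recv dc1
00015      0      0 check-state
00020      0      0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
00021      0      0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
00040      0      0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
00130      0      0 skipto 800 udp from any to any 123 keep-state out xmit dc1
00370      0      0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
00370      0      0 allow tcp from any to me limit src-addr 2 in recv dc1 setup
00450     81   5288 deny log logamount 10 ip from any to any out xmit dc1
00800      0      0 divert 8668 ip from any to any out xmit dc1
00801    645  59255 allow ip from any to any
65535      1    347 deny ip from any to any
"""

if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    print("port-53 rules matching tcp only:", dns_only_over_tcp(rules))
    print("deny rules with hits:", busy_deny_rules(rules))
    print("duplicate rule numbers:", duplicate_numbers(rules))
```

On the excerpt, rule 450 (the outbound deny on dc1) is the only non-default deny with hits, which is exactly where UDP queries to port 53 end up when only the tcp rules precede it.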
RE: Firewall Rule Set not allowing access to DNS servers?
Change this ipfw rule from

    5 allow ip from any to any via xl0

to

    5 allow ip from any to any via dc0

because dc0 is the lan interface name and not xl0.

Change these statements in rc.conf because you have the interface names backwards. Dc1 is the NIC connected to your cable modem and you want to get DHCP info from your ISP. Dc0 is the NIC connected to your LAN. From

    ifconfig_dc1="DHCP"
    ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"

to

    ifconfig_dc0="DHCP"
    ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"

You do not say how your LAN PCs get their ip address. You can hard code them on each LAN PC or you have to run isc-dhcp-server on your Gateway box to auto assign ip addresses to LAN PCs.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James A. Coulter
Sent: Friday, July 30, 2004 10:56 AM
To: [EMAIL PROTECTED]
Subject: Firewall Rule Set not allowing access to DNS servers?

I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My outside interface (dc1) is connected to a cable modem and is configured for DHCP. I have compiled and installed a custom kernel with IPFIREWALL and IPDIVERT options and, with a rule set allowing any to any, have no problems. I am in the process of adding a proper rule set to provide security. I was referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and installed the Stateful + NATD Rule Set modified for my outside interface, domain name servers, and DHCP server.

I can ping IP addresses and pass SMTP mail back and forth from the gateway/router and all machines on the LAN, but I cannot ping URLs - I am getting "ping: cannot resolve www.freebsd.org: Host name lookup failure" errors.

This is what ipfw -a list looks like:

    sara# ipfw -a list
    5 0 0 allow ip from any to any via xl0
    00010 52 3640 allow ip from any to any via lo0
    00014 0 0 divert 8668 ip from any to any in recv dc1
    00015 0 0 check-state
    00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
    00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
    00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
    00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
    00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
    00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
    00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
    00061 0 0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
    00070 0 0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
    00080 0 0 skipto 800 icmp from any to any keep-state out xmit dc1
    00090 0 0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
    00100 0 0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
    00110 0 0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
    00120 0 0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
    00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
    00300 0 0 deny ip from 192.168.0.0/16 to any in recv dc1
    00301 0 0 deny ip from 172.16.0.0/12 to any in recv dc1
    00302 0 0 deny ip from 10.0.0.0/8 to any in recv dc1
    00303 0 0 deny ip from 127.0.0.0/8 to any in recv dc1
    00304 0 0 deny ip from 0.0.0.0/8 to any in recv dc1
    00305 0 0 deny ip from 169.254.0.0/16 to any in recv dc1
    00306 0 0 deny ip from 192.0.2.0/24 to any in recv dc1
    00307 0 0 deny ip from 204.152.64.0/23 to any in recv dc1
    00308 0 0 deny ip from 224.0.0.0/3 to any in recv dc1
    00315 0 0 deny tcp from any to any 113 in recv dc1
    00320 0 0 deny tcp from any to any 137 in recv dc1
    00321 0 0 deny tcp from any to any 138 in recv dc1
    00322 0 0 deny tcp from any to any 139 in recv dc1
    00323 0 0 deny tcp from any to any 81 in recv dc1
    00330 0 0 deny ip from any to any in recv dc1 frag
    00332 0 0 deny tcp from any to any in recv dc1 established
    00360 0 0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
    00370 0 0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
    00370 0 0 allow tcp from any to me limit src-addr 2 in recv dc1 setup
    00380 0 0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
    00400 0 0 deny log logamount 10 ip from any to any in recv dc1
    00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
    00800 0 0 divert 8668 ip from any to any out xmit dc1
    00801 645 59255 allow ip from any to any
    00999 0 0 deny log logamount 10 ip from any to any
    65535 1 347 deny ip from any to any

This is what my /etc/rc.conf looks like:

    hostname="sara.mshome.net"
    ifconfig_dc1="DHCP"
    ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    firewall_logging
RE: Firewall, OpenVPN and Squid question
Want to thank you guys for your help; I set up my first firewall last night. Granted it is basic, and I have a lot of work to do yet, but it's a start. It is routing and letting my test machines access the web.

Hopefully the last question (yeah right). I decided to use IPFILTER and it appears to be easy enough - just have to get used to the syntax. Does anyone know if IPFILTER can pass/block based on MAC ADDRESS instead of just IP address? I can not find anything on Google unless I am simply doing an incorrect query.

Thanks again
Paul
RE: Firewall, OpenVPN and Squid question
If you run your own DHCP server then you can lock IP numbers via their MAC id there for the machines you trust. Then allow them appropriate access via ipf and corral the rest. (In DHCP create a 'pool' for others that uses a different section of your ip range.)

HTH
mjt

On Thu, 2004-07-22 at 23:51, Paul Hillen wrote:
> Want to thank you guys for your help; I set up my first firewall last
> night. Granted it is basic, and I have a lot of work to do yet, but it's
> a start. It is routing and letting my test machines access the web.
>
> Hopefully the last question (yeah right). I decided to use IPFILTER and
> it appears to be easy enough - just have to get used to the syntax. Does
> anyone know if IPFILTER can pass/block based on MAC ADDRESS instead of
> just IP address? I can not find anything on Google unless I am simply
> doing an incorrect query.
>
> Thanks again
> Paul

-- 
Murray Taylor
Special Projects Engineer - Bytecraft Systems Entertainment
P: +61 3 8710 2555
F: +61 3 8710 2599
D: +61 3 9238 4275
M: +61 417 319 256
E: [EMAIL PROTECTED]
or visit us on the web
http://www.bytecraftsystems.com
http://www.bytecraftentertainment.com
Firewall, OpenVPN and Squid question
Hi everyone,

I am relatively new to the Unix world; I have set up a couple of TINYDNS servers and a postfix relay server, so that is the extent of my FreeBSD knowledge.

I have 2 Microsoft ISA servers in a BACK to BACK configuration providing a DMZ in-between that I would like to get rid of, way more trouble than what they are worth. They work well for about a month and then the performance goes south.

There are 3 remote sites connecting to our network using GATEWAY to GATEWAY VPN and around 25 remote VPN users that must be dealt with also. Last item, there is a chance that I will have to connect 3 more remote sites into the picture within the next 6 months, so this needs to be scalable to handle the load.

My question is, what is the best way to set this up. Here are my thoughts, but not sure what is the best way.

* Setup one FreeBSD box that contains FIREWALL, SQUID and OPENVPN
or
* Setup 3 separate boxes to break up the work load.

Many thanks in advance for being patient with what I am sure is stupid beginner questions to most of you. When giving your choice of which setup, please point me in the direction of the best resource to put it all together and the hardware requirement you would recommend. I have a truck load of PII 300 - 450's due to upgrades, so if I can use them great, if not, time to go on a spending spree.

Thanks again
Paul
Re: Firewall, OpenVPN and Squid question
> There are 3 remote sites connecting to our network using GATEWAY to GATEWAY VPN and around 25 remote VPN users that must be dealt with also. Last item, there is a chance that I will have to connect 3 more remote sites into the picture within the next 6 months, so this needs to be scalable to handle the load.
>
> My question is, what is the best way to set this up? Here are my thoughts, but not sure what is the best way.
>
> * Setup one FreeBSD box that contains FIREWALL, SQUID and OPENVPN
> or
> * Setup 3 separate boxes to break up the work load.

What will the load requirements be? (How many users will require the use of squid?)

I have a FBSD PIII 800 w/256M RAM as a firewall for one of our clients, with 3 OpenVPN instances running simultaneously (two are site-site, and one is an XP-client-site). The box is also performing NAT (ipfw/natd) for the internal users, who when all are accounted for equal ~120, and I find it works great. There are about 30 users through the VPNs, though usually never all on at the same time.

Depending on caching requirements though, you might be better off splitting that off onto its own box, especially if you have the hardware readily available as you suggest. YMMV.

Steve

> Many thanks in advance for being patient with what I am sure are stupid beginner questions to most of you. When giving your choice of which setup, please point me in the direction of the best resource to put it all together and the hardware requirement you would recommend. I have a truck load of PII 300 - 450's due to upgrades, so if I can use them great, if not, time to go on a spending spree.
>
> Thanks again
> Paul
RE: Firewall, OpenVPN and Squid question
I have around 100 users at our site that would require the use of squid; we house our own web server, mail server and public DNS servers in the DMZ and 2 private DNS servers on the internal network, used by both internal and VPN users.

Sites connecting gateway to gateway are approximately as follows:

Site 1 - 25 users
Site 2 - 5 users
Site 3 - 12 users

Our site's VPN users are approximately 25, and about 50% of them are connected at any given time.

My first thought is to put up a firewall box that can handle the load of publishing many internal boxes, and publish a box with OpenVPN and another for SQUID and just keep them all separate. Will this setup put too much strain on the FIREWALL box, or will it have no problem handling the NAT/ROUTING in this configuration?

Thanks in advance
Paul

-Original Message-
From: Steve Bertrand [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 21, 2004 2:10 PM
To: Paul Hillen
Cc: [EMAIL PROTECTED]
Subject: Re: Firewall, OpenVPN and Squid question