Firewalls using a DNSbl (and distributed ssh attacks)
It's not a big issue, but I'm wondering if there is a DNSBL that lists IPs that are engaging in brute force ssh attacks. And if there is such a list, is there a way to integrate that information into a firewall or sshd?

As I've said, this really isn't a big issue for me, as the brute force attempts at sshd are nothing but an annoyance as I review logs.

The attacks that I'm seeing appear to be coordinated and distributed. That is, there will be one attempt on username fred from one IP, immediately followed by an attempt on freddy from another IP, followed by an attempt on fredrick from a third source, and so on.

Cheers,

-j

--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Firewalls using a DNSbl (and distributed ssh attacks)
On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote:
> It's not a big issue, but I'm wondering if there is a DNSBl that lists IPs that are engaging in brute force ssh attacks. And if there is such a list, is there a way to integrate that information into a firewall or sshd.
>
> As I've said this really isn't a big issue for me, as the brute force attempts at sshd are nothing but an annoyance as I review logs.
>
> The attacks that I'm seeing appear to be coordinated and distributed. That is, there will be one attempt on username fred from one IP immediately followed by an attempt on freddy from another IP followed by an attempt on fredrick from a third source and so on.

I don't know of any DNSbl type service, but I am using DenyHosts with very great success. Its synchronisation feature allows participating instances of the script to share IP addresses of misbehaving hosts, so as soon as an address hits the database, it's only a matter of an hour or so before your instance can start blocking it.

The basic setup uses TCP wrappers to block offending hosts, but I am using the datafile it maintains as a file-based table in pf, which I reload periodically from a cronjob.

Dan

--
Daniel Bye
ASCII ribbon campaign - against HTML, vCards and proprietary attachments in e-mail
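Added example, not code from either poster: it detects the distributed pattern Jeffrey describes (many source IPs, one guess each, related usernames) in sshd log lines and merges the offenders with a DenyHosts-style datafile into the kind of file-based pf table Dan reloads from cron. The log lines, the DenyHosts file content, the "sshd: <address>" line format, the table name sshbrute and the file path /etc/pf.sshbrute are all constructed or assumed here.

```python
"""Added example: flag distributed sshd brute force in auth log lines and emit a
pf table file (constructed sample data; not part of the mailing-list thread)."""
import ipaddress
import re
from datetime import datetime

# Constructed sshd log lines in FreeBSD syslog format (no year in the timestamp).
SAMPLE_LOG = """\
Dec  3 19:40:01 gw sshd[1001]: Invalid user fred from 198.51.100.7
Dec  3 19:40:03 gw sshd[1002]: Invalid user freddy from 203.0.113.22
Dec  3 19:40:05 gw sshd[1003]: Invalid user fredrick from 192.0.2.140
Dec  3 19:40:07 gw sshd[1004]: Invalid user frederic from 198.51.100.7
Dec  3 19:40:09 gw sshd[1005]: Invalid user freda from 203.0.113.23
Dec  3 20:15:30 gw sshd[1100]: Accepted publickey for jeff from 192.0.2.10 port 50000 ssh2
Dec  3 20:31:00 gw sshd[1200]: Invalid user bob from 203.0.113.99
"""

# Constructed DenyHosts-style datafile; assumption: one "sshd: <address>" per line.
SAMPLE_DENYHOSTS = """\
sshd: 203.0.113.50
sshd: 203.0.113.51
# a comment and a malformed entry, both must be ignored
sshd: not-an-address
"""

INVALID_USER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(log_text, year=2008):
    """Return sorted (timestamp, username, source_ip) for each 'Invalid user' line."""
    events = []
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if not m:
            continue  # successful logins and other noise are not failures
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        events.append((stamp, m["user"], m["ip"]))
    return sorted(events)


def common_prefix(names):
    """Longest shared prefix of the guessed usernames; fred/freddy/fredrick -> 'fred'."""
    if not names:
        return ""
    first, rest = names[0], names[1:]
    n = 0
    while n < len(first) and all(len(x) > n and x[n] == first[n] for x in rest):
        n += 1
    return first[:n]


def distributed_campaigns(events, window_s=60, min_ips=3):
    """Slice sorted failures into bursts no longer than window_s; a burst from at
    least min_ips distinct sources is one campaign (per-IP thresholds miss it)."""
    campaigns, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and (events[j + 1][0] - events[i][0]).total_seconds() <= window_s:
            j += 1
        burst = events[i:j + 1]
        ips = sorted({e[2] for e in burst})
        users = sorted({e[1] for e in burst})
        if len(ips) >= min_ips:
            campaigns.append((burst[0][0], burst[-1][0], ips, users, common_prefix(users)))
        i = j + 1
    return campaigns


def parse_denyhosts(text):
    """Addresses from a DenyHosts-style file; malformed lines are skipped so one
    bad entry cannot break the pf table load."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, _, addr = line.partition(":")
        try:
            found.add(str(ipaddress.ip_address(addr.strip())))
        except ValueError:
            continue
    return found


def build_pf_table(*sources, allowlist=()):
    """One address per line, sorted, minus allowlisted hosts so the table can
    never lock out your own management addresses. Assumed pf.conf and cron use:
        table <sshbrute> persist file "/etc/pf.sshbrute"
        block in quick on $ext_if proto tcp from <sshbrute> to port 22
        pfctl -t sshbrute -T replace -f /etc/pf.sshbrute"""
    merged = set().union(*sources) - set(allowlist)
    return "".join(f"{ip}\n" for ip in sorted(merged, key=ipaddress.ip_address))


if __name__ == "__main__":
    found = distributed_campaigns(parse_failures(SAMPLE_LOG))
    for first, last, ips, users, prefix in found:
        print(f"{first:%H:%M:%S}-{last:%H:%M:%S}: {len(ips)} sources, users {users}, prefix {prefix!r}")
    print(build_pf_table({ip for c in found for ip in c[2]},
                         parse_denyhosts(SAMPLE_DENYHOSTS), allowlist=["198.51.100.7"]))
```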
Re: Firewalls using a DNSbl (and distributed ssh attacks)
On Wed, Dec 3, 2008 at 7:53 PM, Daniel Bye [EMAIL PROTECTED] wrote:
> On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote:
>> It's not a big issue, but I'm wondering if there is a DNSBl that lists IPs that are engaging in brute force ssh attacks. And if there is such a list, is there a way to integrate that information into a firewall or sshd.
>>
>> As I've said this really isn't a big issue for me, as the brute force attempts at sshd are nothing but an annoyance as I review logs.
>>
>> The attacks that I'm seeing appear to be coordinated and distributed. That is, there will be one attempt on username fred from one IP immediately followed by an attempt on freddy from another IP followed by an attempt on fredrick from a third source and so on.
>
> I don't know of any DNSbl type service, but I am using DenyHosts with very great success. Its synchronisation feature allows participating instances of the script to share IP addresses of misbehaving hosts, so as soon as an address hits the database, it's only a matter of an hour or so before your instance can start blocking it.
>
> The basic setup uses TCP wrappers to block offending hosts, but I am using the datafile it maintains as a file-based table in pf, which I reload periodically from a cronjob.
>
> Dan
>
> --
> Daniel Bye
> ASCII ribbon campaign - against HTML, vCards and proprietary attachments in e-mail

Depending on the role of the machine, I've started to firewall off remote ssh connects to my machines except only the hosts I use: a dyndns hostname (pf querying DNS) plus the static IPs that I have at the office. All others don't need access, and if push comes to shove, I can update the dyndns IP with anything I'm behind, allow DNS propagation (an hour?), and then connect. Works quite well.

pf example:

    block in on fxp0 all
    pass in on fxp0 inet proto tcp from { workIP, sub.dyndnsorg.tld } to port 22 keep state flags S/SA

When you implement this, the firewall sees no existing state (I think) and will kill your connection. If you didn't typo the firewall rule, you can connect right back.

--TJ
Re: Firewalls in FreeBSD?
Jeremy Chadwick [EMAIL PROTECTED] writes:
> On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
>> Ok, I had some progress with this last night. Basically what I do is:
>> in natd - redirect_port 1000 to 1 to the internal windows box.
>> set ipfw to open firewall.
>>
>> Obviously this isn't perfect - but gives some idea of what's going on.
>>
>> What I'd like to do, is a) keep the nat redirects since that works pretty well. b) in ipfw, ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else.
>
> This is called port triggering in the residential router world. I don't know how to do this on FreeBSD.

Stateful rules are the only way to do it. In fact, this is the main purpose of stateful rules.

--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: Firewalls in FreeBSD?
On Fri, Oct 31, 2008 at 12:05:28PM -0400, Lowell Gilbert wrote:
> Jeremy Chadwick [EMAIL PROTECTED] writes:
>> On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
>>> Ok, I had some progress with this last night. Basically what I do is:
>>> in natd - redirect_port 1000 to 1 to the internal windows box.
>>> set ipfw to open firewall.
>>>
>>> Obviously this isn't perfect - but gives some idea of what's going on.
>>>
>>> What I'd like to do, is a) keep the nat redirects since that works pretty well. b) in ipfw, ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else.
>>
>> This is called port triggering in the residential router world. I don't know how to do this on FreeBSD.
>
> Stateful rules are the only way to do it. In fact, this is the main purpose of stateful rules.

Read this part of the thread, where I outline protocol flow (based on what the OP has stated about the protocol, which so far appears to be accurate):

http://lists.freebsd.org/pipermail/freebsd-questions/2008-October/thread.html

Stateful rules will not solve this problem. The OP wants a feature that tells ipfw or pf "after the TCP handshake has completed, dynamically add a port forward for port X on interface Y to machine A on port Z; when the TCP session is FIN'd cleanly, or extinguishes, dynamically remove that port forward".

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: Firewalls in FreeBSD?
Jeremy Chadwick [EMAIL PROTECTED] writes:
> On Fri, Oct 31, 2008 at 12:05:28PM -0400, Lowell Gilbert wrote:
>> Jeremy Chadwick [EMAIL PROTECTED] writes:
>>> On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
>>>> Ok, I had some progress with this last night. Basically what I do is:
>>>> in natd - redirect_port 1000 to 1 to the internal windows box.
>>>> set ipfw to open firewall.
>>>>
>>>> Obviously this isn't perfect - but gives some idea of what's going on.
>>>>
>>>> What I'd like to do, is a) keep the nat redirects since that works pretty well. b) in ipfw, ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else.
>>>
>>> This is called port triggering in the residential router world. I don't know how to do this on FreeBSD.
>>
>> Stateful rules are the only way to do it. In fact, this is the main purpose of stateful rules.
>
> Read this part of the thread, where I outline protocol flow (based on what the OP has stated about the protocol, which so far appears to be accurate):
>
> http://lists.freebsd.org/pipermail/freebsd-questions/2008-October/thread.html
>
> Stateful rules will not solve this problem. The OP wants a feature that tells ipfw or pf "after the TCP handshake has completed, dynamically add a port forward for port X on interface Y to machine A on port Z; when the TCP session is FIN'd cleanly, or extinguishes, dynamically remove that port forward".

Okay, I guess I'm a little confused by the line about "ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else." I read that as saying that the Windows box had sent a packet on the same connection (4-tuple, at least) that should be later accepted heading *to* the Windows box. That's just a stateful rule, and it seems to be at odds with what you wrote in your first message in the thread.

The apparent disagreement was why I said anything in the first place; it sounds like there's more than one model of how the game works.

--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: Firewalls in FreeBSD?
On Fri, Oct 31, 2008 at 12:35:30PM -0400, Lowell Gilbert wrote:
> Jeremy Chadwick [EMAIL PROTECTED] writes:
>> On Fri, Oct 31, 2008 at 12:05:28PM -0400, Lowell Gilbert wrote:
>>> Jeremy Chadwick [EMAIL PROTECTED] writes:
>>>> On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
>>>>> Ok, I had some progress with this last night. Basically what I do is:
>>>>> in natd - redirect_port 1000 to 1 to the internal windows box.
>>>>> set ipfw to open firewall.
>>>>>
>>>>> Obviously this isn't perfect - but gives some idea of what's going on.
>>>>>
>>>>> What I'd like to do, is a) keep the nat redirects since that works pretty well. b) in ipfw, ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else.
>>>>
>>>> This is called port triggering in the residential router world. I don't know how to do this on FreeBSD.
>>>
>>> Stateful rules are the only way to do it. In fact, this is the main purpose of stateful rules.
>>
>> Read this part of the thread, where I outline protocol flow (based on what the OP has stated about the protocol, which so far appears to be accurate):
>>
>> http://lists.freebsd.org/pipermail/freebsd-questions/2008-October/thread.html
>>
>> Stateful rules will not solve this problem. The OP wants a feature that tells ipfw or pf "after the TCP handshake has completed, dynamically add a port forward for port X on interface Y to machine A on port Z; when the TCP session is FIN'd cleanly, or extinguishes, dynamically remove that port forward".
>
> Okay, I guess I'm a little confused by the line about "ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else." I read that as saying that the Windows box had sent a packet on the same connection (4-tuple, at least) that should be later accepted heading *to* the Windows box. That's just a stateful rule, and it seems to be at odds with what you wrote in your first message in the thread.
>
> The apparent disagreement was why I said anything in the first place; it sounds like there's more than one model of how the game works.

I understand the confusion. Here's the actual protocol that the game appears to be using (since the OP has stated forwarding a port range to his LAN PC solves the problem -- meaning, his original description of how the game protocol worked is accurate):

    windows    = 192.168.x.x machine on the LAN
    natgwlan   = private LAN-facing IP of FreeBSD box (e.g. gateway IP)
    natgwwan   = public Internet-facing IP of FreeBSD box
    gameserver = game server (public Internet IP)
    *          = randomly-allocated port number
    gameport   = some static port # for the game (OP hasn't disclosed this)
    range      = some specific range of port numbers (OP says 1000-1)

This is what would happen if the windows machine was on the Internet directly (no NAT, no firewall):

    Step 1) windows:*    -> gameserver:gameport
    Step 2) gameserver:* -> windows:range

Note that the randomly-allocated port number is *not* identical between all of the above steps; literally each is a new port and unrelated to the previous -- hence why state tracking won't work.

Now with NAT in the way, this is what happens for Step 1:

    windows:*  -> natgwlan
    natgwwan:* -> gameserver:gameport

Once the TCP handshake is completed for Step 1, the following happens as a result of Step 2 -- again, note this is a *brand new connection* being initiated from the gameserver:

    gameserver:* -> natgwwan:range

The problem is that these are all brand new connections being initiated, and there's no way to cross-reference them, which is why state tracking won't work to solve the OP's problem.

The port triggering method I described above, commonly available on residential routers, is configured so that once the TCP handshake is completed in Step 1, the router/natgw *immediately* adds a port forward and firewall allow/pass rule (you have to configure it to say what port range to forward, and what LAN IP to forward the packets to).

Thus, the following would happen immediately after the TCP handshake was completed in Step 1:

- natgw adds a firewall pass rule for natgwwan:range
- natgw adds a forwarding rule for natgwwan:1000 -> windows, where the port number matches (e.g. natgwwan:1000 -> windows:1000)

This pass/allow rule and the forward remains intact until the port triggered connection is severed (FIN or expired). It does not expire/close based upon the connection made in Step 1.

This would allow Step 2 to work, and would look like this with NAT in the way:

    gameserver:* -> natgwwan:range
    natgwlan     -> windows:range

This is as verbose as I can get, and based upon the forwarding and the firewall rules the OP added, this does appear to be the protocol the game uses. And yes, this is a *horrible* protocol, completely NAT-unfriendly.

The only part that confuses me is how the gameserver knows what port number
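Added example, not from the thread or any firewall's code: a toy NAT gateway that replays Jeremy's Step 1 and Step 2 and shows why the 4-tuple state created in Step 1 cannot admit the gameserver's brand-new connection, and what a port trigger adds on top. It uses Jeremy's names; GAMEPORT, the range 1000-1009 and all port numbers are constructed stand-ins, and the "trigger fires on the handshake reply" rule is a simplification of the behaviour he describes.

```python
"""Added example: stateful NAT versus port triggering for the game flow
Jeremy lays out (constructed model, not an ipfw or pf implementation)."""
from dataclasses import dataclass, field

GAMEPORT = 27015                     # constructed stand-in for the undisclosed 'gameport'
TRIGGERED_RANGE = range(1000, 1010)  # constructed stand-in for 'range'


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatGateway:
    wan: str = "natgwwan"
    # outbound state keyed by (remote host, remote port, lan host, lan port)
    states: dict = field(default_factory=dict)
    # port triggering config: remote port whose completed handshake arms a range
    triggers: dict = field(default_factory=dict)
    # dynamic forwards the trigger installs: wan port -> lan host
    forwards: dict = field(default_factory=dict)
    next_wan_port: int = 50000

    def outbound(self, pkt):
        """LAN -> Internet (Step 1): create state and translate the source."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.states:
            self.states[key] = {"wan_port": self.next_wan_port, "established": False}
            self.next_wan_port += 1
        return Packet(self.wan, self.states[key]["wan_port"], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> WAN: pass only on a matching state or an armed forward."""
        for (rhost, rport, lhost, lport), st in self.states.items():
            if (pkt.src, pkt.sport, pkt.dport) == (rhost, rport, st["wan_port"]):
                if not st["established"]:
                    st["established"] = True      # handshake reply seen ...
                    for p in self.triggers.get(rport, ()):
                        self.forwards[p] = lhost  # ... so the trigger fires
                return "pass", Packet(pkt.src, pkt.sport, lhost, lport)
        if pkt.dport in self.forwards:            # Step 2 admitted by the trigger
            return "pass", Packet(pkt.src, pkt.sport, self.forwards[pkt.dport], pkt.dport)
        return "drop", None                       # no state, no forward: dropped

    def release(self, wan_port):
        """The triggered connection was FIN'd or expired: tear down its forward.
        It is independent of the Step 1 state, as Jeremy describes."""
        self.forwards.pop(wan_port, None)


def run_game_flow(port_triggering):
    """Replay Step 1 then Step 2; return both inbound verdicts and where the
    Step 2 packet was delivered (None when it was dropped)."""
    gw = NatGateway()
    if port_triggering:
        gw.triggers[GAMEPORT] = TRIGGERED_RANGE
    # Step 1: windows:* -> natgwwan:* -> gameserver:gameport, then the reply
    out = gw.outbound(Packet("windows", 40000, "gameserver", GAMEPORT))
    verdict1, _ = gw.inbound(Packet("gameserver", GAMEPORT, gw.wan, out.sport))
    # Step 2: gameserver opens a *new* connection from a random port into the range
    verdict2, delivered = gw.inbound(Packet("gameserver", 61234, gw.wan, 1003))
    where = (delivered.dst, delivered.dport) if delivered else None
    return verdict1, verdict2, where


if __name__ == "__main__":
    print("stateful only  :", run_game_flow(False))  # ('pass', 'drop', None)
    print("port triggering:", run_game_flow(True))   # ('pass', 'pass', ('windows', 1003))
```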
Re: Firewalls in FreeBSD?
Jeremy Chadwick [EMAIL PROTECTED] writes:
> On Fri, Oct 31, 2008 at 12:35:30PM -0400, Lowell Gilbert wrote:
>> Okay, I guess I'm a little confused by the line about "ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else." I read that as saying that the Windows box had sent a packet on the same connection (4-tuple, at least) that should be later accepted heading *to* the Windows box. That's just a stateful rule, and it seems to be at odds with what you wrote in your first message in the thread.
>>
>> The apparent disagreement was why I said anything in the first place; it sounds like there's more than one model of how the game works.
>
> I understand the confusion. Here's the actual protocol that the game appears to be using (since the OP has stated forwarding a port range to his LAN PC solves the problem -- meaning, his original description of how the game protocol worked is accurate):

I see. If that is the case, then the word "connection" in the line I quoted from Jack Barnett does *not* mean a TCP session, but something a little more nebulous. "Game session" might cover it. [I *was* aware of that possible confusion, which was why I specified an address/port tuple as the definition of "connection".]

Sorry for the distraction; I see that (short of a deep-inspection snooping of the protocol), what has already been done is as good as you can get.

--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: Firewalls in FreeBSD?
On Fri, Oct 31, 2008 at 01:27:40PM -0400, Lowell Gilbert wrote:
> Jeremy Chadwick [EMAIL PROTECTED] writes:
>> On Fri, Oct 31, 2008 at 12:35:30PM -0400, Lowell Gilbert wrote:
>>> Okay, I guess I'm a little confused by the line about "ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else." I read that as saying that the Windows box had sent a packet on the same connection (4-tuple, at least) that should be later accepted heading *to* the Windows box. That's just a stateful rule, and it seems to be at odds with what you wrote in your first message in the thread.
>>>
>>> The apparent disagreement was why I said anything in the first place; it sounds like there's more than one model of how the game works.
>>
>> I understand the confusion. Here's the actual protocol that the game appears to be using (since the OP has stated forwarding a port range to his LAN PC solves the problem -- meaning, his original description of how the game protocol worked is accurate):
>
> I see. If that is the case, then the word "connection" in the line I quoted from Jack Barnett does *not* mean a TCP session, but something a little more nebulous. "Game session" might cover it. [I *was* aware of that possible confusion, which was why I specified an address/port tuple as the definition of "connection".]
>
> Sorry for the distraction; I see that (short of a deep-inspection snooping of the protocol), what has already been done is as good as you can get.

Nah, it's cool -- the misunderstanding is... understandable. :-)

I've never seen a game behave this way (specifically, the gameserver initiating a *brand new connection* rather than utilising an existing one, or having the client initiate a connection to the server -- in which case, a stateful firewall will work perfectly and no firewall rules are needed).

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: Firewalls in FreeBSD?
Hi Jack!

> Right now I have a Windows machine, a FreeBSD natd/firewall, then a cable modem. This is working for web surfing. But I've been playing a lot of games lately and it doesn't work at all (for multiplayer/internet games).

As a fellow gamer, I've found that PF with stateful filtering has been a good firewall for my needs. Usually with a stateful ruleset the games work out of the box, just when outgoing traffic is allowed and state is kept.

There are some special situations where PF shines though. Asheron's Call (or any other game using bidirectional UDP traffic) can be made to work with the following configuration. Add this to the nat section:

    binat on $ext_if from my internal gaming IP to game server netblock or IP -> $ext_if

Which should do the trick with some of the silly games out there using standard defined, but really rare, kinds of traffic.

-Reko
Re: Firewalls in FreeBSD?
--- On Wed, 10/29/08, Jeremy Chadwick [EMAIL PROTECTED] wrote:
> From: Jeremy Chadwick [EMAIL PROTECTED]
> Subject: Re: Firewalls in FreeBSD?
> To: Terry Sposato [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], Polytropon [EMAIL PROTECTED], Freebsd questions freebsd-questions@freebsd.org
> Date: Wednesday, October 29, 2008, 11:25 PM
>
> On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato wrote:
>> It is most likely caused by your ruleset not being stateful. If packets are going out certain sessions and your firewall isn't then allowing back in you would see the issue you are seeing. I am not sure how this is accomplished via ipfw as I use pf but there would be a tonne of documentation out there on how to make your rules stateful.
>
> Are you sure about that? Read his statement once more:
>
>> For example, I load up a client (game) and it connects out on XYZ port. The server will send data back on ABC.
>
> I assume based on this, the following is happening:
>
> - 192.168.x.x:a sends packet to gameserver:xyz
> - NAT gateway translates packet (where natgw is a public WAN IP)
>   192.168.x.x:a -> natgw:b -> gameserver:xyz
> - gameserver sees packet to port xyz, and initiates new connection to natgw:abc
> - NAT gateway drops packet destined to WAN IP port abc, because the gameserver:abc connection is *new*, and does not relate to the previous NAT'd gameserver:xyz connection.
>
> If this is **truly** how the protocol works (the OP will need to be absolutely 100% positive of that fact; I recommend he reconfirm how it works), then the only solution is to set up a port forward on the NAT gateway for port abc to point to 192.168.x.x. This also means that only one computer on the LAN will be capable of playing this game.
>
> Not much one can do about that, other than write the authors of the game and explain that their protocol is absolutely disgusting.

Does the game support IPv6? This may be a work-around for you, since you can get a relatively large chunk of IPs for free via any one of a number of tunnel brokers. If possible, ask your IP provider if they provide native IPv6 transport first. A few do, in North America and Europe, and a surprising lot do in Asia, especially Japan and South Korea. If you're on a North American consumer ISP, chances are a tunnel broker is your only option for v6 connectivity, however.

If the game doesn't support IPv6, then you are likely stuck with playing with port forwarding from the public routable address. It stinks, so feel free to lobby your ISP, the game's designers, and any other involved parties about supporting IPv6 connectivity. In essence, a problem like the one Mr. Chadwick is alluding to is one of the primary motivating forces behind the adoption of IPv6 to begin with.

- mdh
Re: Firewalls in FreeBSD?
Ok, I had some progress with this last night. Basically what I do is:

in natd - redirect_port 1000 to 1 to the internal windows box.
set ipfw to open firewall.

Obviously this isn't perfect - but gives some idea of what's going on.

What I'd like to do, is a) keep the nat redirects since that works pretty well. b) in ipfw, ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else.

I tried this, but it didn't work for anything (tried 5-6 different games):

    ${fwcmd} add allow tcp from any to any out via xl0 setup keep-state
    ${fwcmd} add allow udp from any to any out via xl0 keep-state
    ${fwcmd} add allow icmp from any to any out via xl0 keep-state
    ${fwcmd} add 100 check-state

mdh wrote:
> --- On Wed, 10/29/08, Jeremy Chadwick [EMAIL PROTECTED] wrote:
>> From: Jeremy Chadwick [EMAIL PROTECTED]
>> Subject: Re: Firewalls in FreeBSD?
>> To: Terry Sposato [EMAIL PROTECTED]
>> Cc: [EMAIL PROTECTED], Polytropon [EMAIL PROTECTED], Freebsd questions freebsd-questions@freebsd.org
>> Date: Wednesday, October 29, 2008, 11:25 PM
>>
>> On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato wrote:
>>> It is most likely caused by your ruleset not being stateful. If packets are going out certain sessions and your firewall isn't then allowing back in you would see the issue you are seeing. I am not sure how this is accomplished via ipfw as I use pf but there would be a tonne of documentation out there on how to make your rules stateful.
>>
>> Are you sure about that? Read his statement once more:
>>
>>> For example, I load up a client (game) and it connects out on XYZ port. The server will send data back on ABC.
>>
>> I assume based on this, the following is happening:
>>
>> - 192.168.x.x:a sends packet to gameserver:xyz
>> - NAT gateway translates packet (where natgw is a public WAN IP)
>>   192.168.x.x:a -> natgw:b -> gameserver:xyz
>> - gameserver sees packet to port xyz, and initiates new connection to natgw:abc
>> - NAT gateway drops packet destined to WAN IP port abc, because the gameserver:abc connection is *new*, and does not relate to the previous NAT'd gameserver:xyz connection.
>>
>> If this is **truly** how the protocol works (the OP will need to be absolutely 100% positive of that fact; I recommend he reconfirm how it works), then the only solution is to set up a port forward on the NAT gateway for port abc to point to 192.168.x.x. This also means that only one computer on the LAN will be capable of playing this game.
>>
>> Not much one can do about that, other than write the authors of the game and explain that their protocol is absolutely disgusting.
>
> Does the game support IPv6? This may be a work-around for you, since you can get a relatively large chunk of IPs for free via any one of a number of tunnel brokers. If possible, ask your IP provider if they provide native IPv6 transport first. A few do, in North America and Europe, and a surprising lot do in Asia, especially Japan and South Korea. If you're on a North American consumer ISP, chances are a tunnel broker is your only option for v6 connectivity, however.
>
> If the game doesn't support IPv6, then you are likely stuck with playing with port forwarding from the public routable address. It stinks, so feel free to lobby your ISP, the game's designers, and any other involved parties about supporting IPv6 connectivity. In essence, a problem like the one Mr. Chadwick is alluding to is one of the primary motivating forces behind the adoption of IPv6 to begin with.
>
> - mdh
Re: Firewalls in FreeBSD?
On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
> Ok, I had some progress with this last night. Basically what I do is:
>
> in natd - redirect_port 1000 to 1 to the internal windows box.
> set ipfw to open firewall.
>
> Obviously this isn't perfect - but gives some idea of what's going on.
>
> What I'd like to do, is a) keep the nat redirects since that works pretty well. b) in ipfw, ONLY allow data back on these ports IF the windows box has established the connection out first then deny everything else.

This is called port triggering in the residential router world. I don't know how to do this on FreeBSD.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Firewalls in FreeBSD?
Right now I have a Windows machine, a FreeBSD natd/firewall, then a cable modem. This is working for web surfing. But I've been playing a lot of games lately and it doesn't work at all (for multiplayer/internet games).

Basically the games send/receive data on random ports, and I think it's going out fine - but doesn't come back in. Is this a problem with nat or because I have a stateless firewall? I've played around with this on and off for the last while and haven't gotten anywhere with it.

Do you think this would work better, or at least be easier to configure/debug, if I moved to pf instead? Do I need to run natd if I run pf?

FreeBSD fire2 6.3-STABLE FreeBSD 6.3-STABLE #32: Tue Jan 22 22:21:30 CST 2008

    gateway_enable=YES
    #firewall_enable=YES
    #firewall_type=open
    firewall_type=simple
    #firewall_type=open
    firewall_logging=YES

    ## PF
    #pf_enable=NO                   # Enable PF (load module if required)
    #pf_rules=/etc/pf.conf          # rules definition file for pf
    #pf_flags=                      # additional flags for pfctl startup
    #pflog_enable=YES               # start pflogd(8)
    #pflog_logfile=/var/log/pflog   # where pflogd should store the logfile
    #pflog_flags=                   # additional flags for pflogd startup

    ## NATD
    natd_enable=YES
    natd_interface=xl0
    natd_flags= -f /etc/natd.conf

    ifconfig_xl0=DHCP
    ifconfig_dc0=inet 192.168.17.1 netmask 255.255.255.0
    ifconfig_dc1=inet 192.168.18.1 netmask 255.255.255.0
Re: Firewalls in FreeBSD?
If I understood you correctly, your setting is:

    (Modem/Router)---DHCP---(FreeBSD)---(Windows)

I may respond directly on your configuration settings:

On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett [EMAIL PROTECTED] wrote:
> gateway_enable=YES
> #firewall_enable=YES
> #firewall_type=open
> firewall_type=simple
> #firewall_type=open
> firewall_logging=YES

Use instead:

    gateway_enable=YES
    natd_enable=YES
    natd_interface=xl0

You may add special redirect directives to NATD's settings, such as

    natd_flags=-redirect_port tcp 192.168.1.2:5900 5900
    natd_flags=-redirect_port tcp 192.168.1.5:23

or

    natd_flags=-redirect_address 192.168.1.2 141.44.165.58 \
               -redirect_address 192.168.1.5 141.44.165.58

Examples taken from a very old configuration. :-)

Then,

    firewall_enable=YES
    firewall_type=/etc/ipfw.conf

Then, be sure to have nice firewall settings. You can use things similar to this, enabling just the services you really need and want; it's easy to write your own one or to rewrite this:

    -f flush
    add divert natd ip from any to any via xl0
    add allow tcp from any to any ftp in recv xl0
    add allow tcp from any to any ssh in recv xl0
    add allow tcp from any to any auth in recv xl0
    add allow udp from any to any ntp in recv xl0
    add allow udp from any to any ntalk in recv xl0
    add deny udp from any to any x11 in recv xl0
    add reset tcp from any to any x11 in recv xl0
    add allow ipencap from any to any
    add allow ip from any to any

This should work fine. NB to use the correct interface names.

--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Firewalls in FreeBSD?
Yes, that is my setup.

Hrm... well, I disabled the firewall completely, restarted, but it still doesn't work. I have gateway and natd both enabled. xl0 is the external interface (the one that is dhcp and connects to the cable modem).

I don't want to redirect anything to my windows box. I just want anything that connects out from my windows box to be able to connect or send data back in. For example, I load up a client (game) and it connects out on XYZ port. The server will send data back on ABC. The problem, from what I can tell, is that I can get a connection out - but when the server tries to send data back on ABC it is discarded.

Polytropon wrote:
> If I understood you correctly, your setting is:
>
>     (Modem/Router)---DHCP---(FreeBSD)---(Windows)
>
> I may respond directly on your configuration settings:
>
> On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett [EMAIL PROTECTED] wrote:
>> gateway_enable=YES
>> #firewall_enable=YES
>> #firewall_type=open
>> firewall_type=simple
>> #firewall_type=open
>> firewall_logging=YES
>
> Use instead:
>
>     gateway_enable=YES
>     natd_enable=YES
>     natd_interface=xl0
>
> You may add special redirect directives to NATD's settings, such as
>
>     natd_flags=-redirect_port tcp 192.168.1.2:5900 5900
>     natd_flags=-redirect_port tcp 192.168.1.5:23
>
> or
>
>     natd_flags=-redirect_address 192.168.1.2 141.44.165.58 \
>                -redirect_address 192.168.1.5 141.44.165.58
>
> Examples taken from a very old configuration. :-)
>
> Then,
>
>     firewall_enable=YES
>     firewall_type=/etc/ipfw.conf
>
> Then, be sure to have nice firewall settings. You can use things similar to this, enabling just the services you really need and want; it's easy to write your own one or to rewrite this:
>
>     -f flush
>     add divert natd ip from any to any via xl0
>     add allow tcp from any to any ftp in recv xl0
>     add allow tcp from any to any ssh in recv xl0
>     add allow tcp from any to any auth in recv xl0
>     add allow udp from any to any ntp in recv xl0
>     add allow udp from any to any ntalk in recv xl0
>     add deny udp from any to any x11 in recv xl0
>     add reset tcp from any to any x11 in recv xl0
>     add allow ipencap from any to any
>     add allow ip from any to any
>
> This should work fine. NB to use the correct interface names.
Re: Firewalls in FreeBSD?
Quoting Jack Barnett [EMAIL PROTECTED]:
> yes, that is my setup. hrm... well, I disabled the firewall completely, restarted, but still doesn't work. I have gateway and natd both enabled. x10 is the external interface (the one that is dhcp and connects to the cable modem).
>
> I don't want to redirect anything to my windows box. I just want anything that connects out from my windows box to be able to connect or send data back in. For example, I load up a client (game) and it connects out on XYZ port. The server will send data back on ABC. The problem, from what I can tell, is that I can get a connection out - but when the server tries to send data back on ABC it is discarded.

Jack,

It is most likely caused by your ruleset not being stateful. If packets are going out certain sessions and your firewall isn't then allowing back in you would see the issue you are seeing. I am not sure how this is accomplished via ipfw as I use pf but there would be a tonne of documentation out there on how to make your rules stateful.

Regards,

Terry Sposato
[EMAIL PROTECTED]
Have you been sucked in? http://www.sucked-in.com

- This message was sent from the Sucked In Webmail Interface - http://www.sucked-in.com
Re: Firewalls in FreeBSD?
On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato wrote:
> Quoting Jack Barnett [EMAIL PROTECTED]:
> > I don't want to redirect anything to my windows box. I just want anything that connects out from my windows box to be able to connect or send data back in. For example, I load up a client (game) and it connects out on XYZ port. The server will send data back on ABC. The problem, from what I can tell, is that I can get a connection out - but when the server tries to send data back on ABC it is discarded.
>
> Jack,
>
> It is most likely caused by your ruleset not being stateful. If packets are going out certain sessions and your firewall isn't then allowing back in you would see the issue you are seeing. I am not sure how this is accomplished via ipfw as I use pf but there would be a tonne of documentation out there on how to make your rules stateful.

Are you sure about that? Read his statement once more:

> > For example, I load up a client (game) and it connects out on XYZ port. The server will send data back on ABC.

I assume based on this, the following is happening:

- 192.168.x.x:a sends packet to gameserver:xyz
- NAT gateway translates packet (where natgw is a public WAN IP): 192.168.x.x:a -> natgw:b -> gameserver:xyz
- gameserver sees packet to port xyz, and initiates new connection to natgw:abc
- NAT gateway drops packet destined to WAN IP port abc, because the gameserver:abc connection is *new*, and does not relate to the previous NAT'd gameserver:xyz connection.

If this is **truly** how the protocol works (the OP will need to be absolutely 100% positive of that fact; I recommend he reconfirm how it works), then the only solution is to set up a port forward on the NAT gateway for port abc to point to 192.168.x.x. This also means that only one computer on the LAN will be capable of playing this game. Not much one can do about that, other than write the authors of the game and explain that their protocol is absolutely disgusting.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
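To make the two competing explanations in this thread concrete (Terry's: a stateless ruleset drops the return traffic of an existing session; Jeremy's: the server opens a new connection to a different port, which no amount of state helps with), here is a constructed Python model of the NAT gateway. It is an added example, not code from the thread or from ipfw/natd; the NatGateway class, the addresses (RFC 5737 documentation ranges) and the port numbers standing in for XYZ and ABC are all made up for the illustration.

```python
"""Toy model of the FreeBSD NAT gateway discussed in the thread: a natd-style
translation table, an optional ipfw keep-state table, static inbound allow rules
and natd -redirect_port style forwards.  Constructed example; it reproduces the
reasoning in the thread, not the real ipfw/natd implementation."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed addresses and ports (RFC 5737 documentation ranges), not the OP's.
LAN_HOST = "192.168.1.2"      # the Windows box behind the FreeBSD gateway
NATGW = "203.0.113.10"        # gateway's public WAN address (DHCP from the ISP)
GAMESERVER = "198.51.100.7"
XYZ_PORT = 7777               # port the client connects out to ("XYZ" in the thread)
ABC_PORT = 7778               # port the server sends back on ("ABC" in the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, stateful: bool,
                 allow_in: Iterable[int] = (),
                 redirects: Optional[Dict[int, Tuple[str, int]]] = None) -> None:
        self.stateful = stateful                 # ruleset uses keep-state / check-state
        self.allow_in = set(allow_in)            # static "allow ... <port> in recv xl0" rules
        self.redirects = dict(redirects or {})   # WAN port -> (LAN host, port), -redirect_port
        self.nat: Dict[Tuple[str, int], int] = {}      # (LAN host, port) -> WAN port
        self.rev: Dict[int, Tuple[str, int]] = {}      # WAN port -> (LAN host, port)
        self.state: Set[Tuple[int, str, int]] = set()  # (WAN port, remote host, remote port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host sends a packet out.  natd rewrites the source address and
        port; a stateful ruleset records the flow.  Returns the packet as the
        remote server sees it."""
        key = (pkt.src, pkt.sport)
        if key not in self.nat:
            self.nat[key] = self.next_port
            self.rev[self.next_port] = key
            self.next_port += 1
        wport = self.nat[key]
        if self.stateful:
            self.state.add((wport, pkt.dst, pkt.dport))
        return Packet(NATGW, wport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arrives on the WAN interface.  Returns the packet as delivered
        to a LAN host, or None if it is discarded or never leaves the gateway."""
        known_flow = self.stateful and (pkt.dport, pkt.src, pkt.sport) in self.state
        # A redirect is assumed to come with its matching allow rule.
        permitted = known_flow or pkt.dport in self.allow_in or pkt.dport in self.redirects
        if not permitted:
            return None                                  # no rule admits it: discarded
        if pkt.dport in self.redirects:                  # static forward wins
            host, port = self.redirects[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port)
        if pkt.dport in self.rev:                        # reply to an outbound translation
            host, port = self.rev[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port)
        return None          # addressed to the gateway itself; nothing forwards it inward


def same_session_reply(stateful: bool) -> bool:
    """Terry's hypothesis: the server answers on the same session.  True if the
    reply reaches the LAN host."""
    gw = NatGateway(stateful=stateful)
    out = gw.outbound(Packet(LAN_HOST, 51000, GAMESERVER, XYZ_PORT))
    reply = Packet(GAMESERVER, XYZ_PORT, out.src, out.sport)
    return gw.inbound(reply) is not None


def server_initiated(stateful: bool, forward_abc: bool,
                     lan_host: str = LAN_HOST) -> Optional[str]:
    """Jeremy's hypothesis: after the xyz session, the server opens a *new*
    connection to natgw:abc.  Returns the LAN host that receives it, or None.
    The redirect, when enabled, always points at LAN_HOST, so a second LAN host
    playing the same game cannot receive its own abc traffic."""
    redirects = {ABC_PORT: (LAN_HOST, ABC_PORT)} if forward_abc else {}
    gw = NatGateway(stateful=stateful, redirects=redirects)
    gw.outbound(Packet(lan_host, 51000, GAMESERVER, XYZ_PORT))   # xyz session is up
    delivered = gw.inbound(Packet(GAMESERVER, 40123, NATGW, ABC_PORT))
    return delivered.dst if delivered else None


if __name__ == "__main__":
    print("stateless, same-session reply delivered:", same_session_reply(False))
    print("stateful,  same-session reply delivered:", same_session_reply(True))
    print("stateful,  new connection to abc, no forward:", server_initiated(True, False))
    print("stateful,  new connection to abc, forwarded: ", server_initiated(True, True))
    print("second LAN host with the same forward:       ",
          server_initiated(True, True, "192.168.1.3"))
```

The model shows why Jack's "disabled the firewall completely" observation is consistent with Jeremy's reading: even a fully stateful ruleset only admits replies to flows the LAN side opened, and a fresh inbound connection to port abc needs a static redirect.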
Re: Firewalls in FreeBSD?
Quoting Jeremy Chadwick [EMAIL PROTECTED]:
> On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato wrote:
> > Jack,
> >
> > It is most likely caused by your ruleset not being stateful. If packets are going out certain sessions and your firewall isn't then allowing back in you would see the issue you are seeing. I am not sure how this is accomplished via ipfw as I use pf but there would be a tonne of documentation out there on how to make your rules stateful.
>
> Are you sure about that? Read his statement once more:
>
> > > For example, I load up a client (game) and it connects out on XYZ port. The server will send data back on ABC.

Ahh yes correct, I was going on the assumption that the traffic is trying to return using the same session details. This is usually how it is with gaming traffic and the non stateful ruleset is usually the cause of why this sort of traffic gets blocked. Would like to see if the OP has actually sniffed the traffic and can say without a shadow of a doubt that different ports are being used ingoing outgoing.

> I assume based on this, the following is happening:
>
> - 192.168.x.x:a sends packet to gameserver:xyz
> - NAT gateway translates packet (where natgw is a public WAN IP): 192.168.x.x:a -> natgw:b -> gameserver:xyz
> - gameserver sees packet to port xyz, and initiates new connection to natgw:abc
> - NAT gateway drops packet destined to WAN IP port abc, because the gameserver:abc connection is *new*, and does not relate to the previous NAT'd gameserver:xyz connection.
>
> If this is **truly** how the protocol works (the OP will need to be absolutely 100% positive of that fact; I recommend he reconfirm how it works), then the only solution is to set up a port forward on the NAT gateway for port abc to point to 192.168.x.x. This also means that only one computer on the LAN will be capable of playing this game. Not much one can do about that, other than write the authors of the game and explain that their protocol is absolutely disgusting.
>
> -- 
> | Jeremy Chadwick                                 jdc at parodius.com |
> | Parodius Networking                        http://www.parodius.com/ |
Re: Firewalls
On Tue, 29 Apr 2008 09:51:29 -0700 perikillo [EMAIL PROTECTED] wrote:
> On Mon, Apr 28, 2008 at 12:50 PM, Bruce Cran [EMAIL PROTECTED] wrote:
> > Doug Hardie wrote:
> > > FreeBSD supports 3 firewalls: IPF, IPFW, and PF. Some time ago (perhaps years) I seem to recall some discussion that one or more of those was better maintained and higher quality than the others. Is there any additional information available to assist in selecting between those?
> >
> > As I understand it pf is often found to be easiest to use and has lots of features like altq and os fingerprinting but is quite a bit slower than ipfw.
> >
> > -- 
> > Bruce
>
> Reading this post, i have some doubt, how is IPFW support for VoIP packets, can do traffic shaping?, i read that PF can do that, I'm right?

What exactly are you looking to do in this area?
Re: Firewalls
On Mon, 28 Apr 2008 20:50:06 +0100 Bruce Cran [EMAIL PROTECTED] wrote:
> Doug Hardie wrote:
> > FreeBSD supports 3 firewalls: IPF, IPFW, and PF. Some time ago (perhaps years) I seem to recall some discussion that one or more of those was better maintained and higher quality than the others. Is there any additional information available to assist in selecting between those?
>
> As I understand it pf is often found to be easiest to use and has lots of features like altq and os fingerprinting but is quite a bit slower than ipfw.

There is one thing that IPFW has that PF does not that I have found to be very handy at times. It can be used to set up firewall rules that only affect a specific group or user.
Re: Firewalls
On Fri, 2 May 2008, Zane C.B. wrote:
> On Mon, 28 Apr 2008 20:50:06 +0100 Bruce Cran [EMAIL PROTECTED] wrote:
> > As I understand it pf is often found to be easiest to use and has lots of features like altq and os fingerprinting but is quite a bit slower than ipfw.
>
> There is one thing that IPFW has that PF does not that I have found to be very handy at times. It can be used to set up firewall rules that only affect a specific group or user.

PF can do this too. There were threading/locking/crashing issues when last I tried to use that feature of PF back in FreeBSD 5.x, but that was a very long time ago.
Re: Firewalls
On Mon, Apr 28, 2008 at 12:50 PM, Bruce Cran [EMAIL PROTECTED] wrote:
> Doug Hardie wrote:
> > FreeBSD supports 3 firewalls: IPF, IPFW, and PF. Some time ago (perhaps years) I seem to recall some discussion that one or more of those was better maintained and higher quality than the others. Is there any additional information available to assist in selecting between those?
>
> As I understand it pf is often found to be easiest to use and has lots of features like altq and os fingerprinting but is quite a bit slower than ipfw.
>
> -- 
> Bruce

Reading this post, i have some doubt, how is IPFW support for VoIP packets, can do traffic shaping?, i read that PF can do that, I'm right?

Thanks!!!
Re: Firewalls
> of this in the handbook. Several years ago I needed to do traffic shaping and used IPFW with dummynet.

and use it again. for me most logic, most clear and gives what i need.
Re: Firewalls
Doug Hardie wrote:
> FreeBSD supports 3 firewalls: IPF, IPFW, and PF. Some time ago (perhaps years) I seem to recall some discussion that one or more of those was better maintained and higher quality than the others. I don't see any indications of this in the handbook.
>
> I suspect trying to use both PF and IPFW simultaneously will not be a good approach. In addition, there now are instructions for using spamd with IPFW so it appears that either PF or IPFW will do what I need. Is there any additional information available to assist in selecting between those?

As I understand it pf is often found to be easiest to use and has lots of features like altq and os fingerprinting but is quite a bit slower than ipfw.

-- 
Bruce
Firewalls
FreeBSD supports 3 firewalls: IPF, IPFW, and PF. Some time ago (perhaps years) I seem to recall some discussion that one or more of those was better maintained and higher quality than the others. I don't see any indications of this in the handbook.

Several years ago I needed to do traffic shaping and used IPFW with dummynet. It worked but the need eventually went away. More recently I needed to incorporate spamd which defaults to PF so I used that. However, now I am back to needing traffic shaping again. I suspect trying to use both PF and IPFW simultaneously will not be a good approach. In addition, there now are instructions for using spamd with IPFW so it appears that either PF or IPFW will do what I need. Is there any additional information available to assist in selecting between those?

Thanks.
Re: Firewalls
On Sun, Apr 27, 2008 at 8:14 PM, Doug Hardie [EMAIL PROTECTED] wrote:
> Several years ago I needed to do traffic shaping and used IPFW with dummynet. It worked but the need eventually went away. More recently I needed to incorporate spamd which defaults to PF so I used that. However, now I am back to needing traffic shaping again. I suspect trying to use both PF and IPFW simultaneously will not be a good approach.

PF supports traffic shaping via ALTQ.

-- 
efk
Re: Firewalls
On Sun, 27 Apr 2008 21:44:35 -0500 Eric Humphries [EMAIL PROTECTED] wrote:
> PF supports traffic shaping via ALTQ.

I've been meaning to try this. does it support 'pipes' in the same sense as ipfw ? if so, it seems another reason use ipfw is gone...

B

_
{Beto|Norberto|Numard} Meijome

With COBOL, the job description of 'computer programmer' will be a thing of the past. Everybody will program. The boss will dictate a program to his secretary, who will keypunch it for him.
1960's quote about the upcoming COBOL language (thx. Lance N!)

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
Re: Suggestions for OS to use behind freebsd pf firewalls.
Quoting Chad Gross [EMAIL PROTECTED]:
> On Mar 1, 2008, at 10:13 PM, Rico Secada wrote:
> > On Sat, 01 Mar 2008 19:45:14 -0600 eculp [EMAIL PROTECTED] wrote:
> > > I have installed freebsd server in a small company that has approx 30 pc's of all sizes, shapes, brands, etc. They have just realized that a large part of the problems that they had before the firewall was caused by the 30 windows pc's that were connected directly to the ISP's wireless router. They would like to change the PC's to unix desktops.
> > >
> > > I would like to install FreeBSD or any other bsd but don't feel that we have the drivers available to substitute such a wide variety of hardware. I would love to be proven wrong. Therefore I am considering a linux version with a graphic installer that will make it easier to train someone to install on any new machines that they add later.
> > >
> > > My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know. I'm sure that I'm not the only person to run into this situation and I would sure appreciate any suggestions.
> >
> > In my experience from similar situations I would recommend OpenSUSE from Novell, since it has to be as windows like as possible. OpenSUSE is very well supported and since it is Novell who is behind the distro, the company can provide professional support. In general I recommend Debian over any distro, but in some rare cases like this one, I would rather recommend OpenSUSE.
>
> I would recommend investigating Ubuntu or one of its clones (e.g. Xubuntu, Kubuntu). The install is brainless, they offer commercial support through the parent company Canonical, and they are Debian-based.

Hi Chad,

Thanks a lot, I just tried the latest and greatest Ubuntu on my PITA laptop, acer 5520-5679, that is running FreeBSD current amd64 and was unable to get to the next step after the X configuration on the graphic installer. I got no error so maybe I should have waited longer and something would have happened. I think I dislike graphic installers unless maybe they were verbose and give an indication of the problem.

> Another option would be PC-BSD or DesktopBSD as they both have very easy installations and will support most things that the above support. The only stipulation that I have run into is the standard trouble of Flash on BSD operating systems.

Very true. Windows folks have a hard time not just clicking on the "you must update to the latest version of the flash player" or something like that and expecting it to just work.

Thanks again,

ed
Re: Suggestions for OS to use behind freebsd pf firewalls.
Quoting Mehul Ved [EMAIL PROTECTED]:
> On Sun, Mar 2, 2008 at 7:15 AM, eculp [EMAIL PROTECTED] wrote:
> > My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.
>
> Maybe PC-BSD or Sabayon Linux. Sabayon is based on gentoo and contains lots of proprietary drivers built in. So, if you have no problem with that maybe you could look at Sabayon Linux too.

I've never heard of Sabayon but will definitely give it a shot on my laptop first and take a good look at the licensing. I really like the idea of PC-BSD but the Flash thing holds me back a bit.

ed
Re: Suggestions for OS to use behind freebsd pf firewalls.
Ed,

If flash is bothering you, it's quite easy to just install the linux version of firefox on FreeBSD.

Sabayon linux is a multimedia powerhouse. Definitely needs some good spec hardware to run even after most of the xgl services have been disabled. The sabayon image is around 4.2GB which gives you an indication.

Ezat.

eculp wrote:
> Quoting Mehul Ved [EMAIL PROTECTED]:
> > Maybe PC-BSD or Sabayon Linux. Sabayon is based on gentoo and contains lots of proprietary drivers built in. So, if you have no problem with that maybe you could look at Sabayon Linux too.
>
> I've never heard of Sabayon but will definitely give it a shot on my laptop first and take a good look at the licensing. I really like the idea of PC-BSD but the Flash thing holds me back a bit.
>
> ed
Re: Suggestions for OS to use behind freebsd pf firewalls.
Quoting Predrag Punosevac [EMAIL PROTECTED]:
> eculp wrote:
> > I have installed freebsd server in a small company that has approx 30 pc's of all sizes, shapes, brands, etc. They would like to change the PC's to unix desktops. I would like to install FreeBSD or any other bsd but don't feel that we have the drivers available to substitute such a wide variety of hardware. I would love to be proven wrong.
> >
> > Thanks,
> > ed
>
> PC-BSD would be a good choice but stay away from PBI. You may try also DesktopBSD, TrueBSD, or RoFreeSBIE.

Something like the above would be my choice except for potential driver availability and FLASH9 that hold me back. I've not looked at TrueBSD or ROFreeSBIE although I have used FreeSBIE 6.0 IIRC.

Thanks,

ed
Re: Suggestions for OS to use behind freebsd pf firewalls.
Quoting Rico Secada [EMAIL PROTECTED]:
> On Sat, 01 Mar 2008 19:45:14 -0600 eculp [EMAIL PROTECTED] wrote:
> > I have installed freebsd server in a small company that has approx 30 pc's of all sizes, shapes, brands, etc. They would like to change the PC's to unix desktops. Therefore I am considering a linux version with a graphic installer that will make it easier to train someone to install on any new machines that they add later. I'm sure that I'm not the only person to run into this situation and I would sure appreciate any suggestions.
>
> In my experience from similar situations I would recommend OpenSUSE from Novell, since it has to be as windows like as possible. OpenSUSE is very well supported and since it is Novell who is behind the distro, the company can provide professional support. In general I recommend Debian over any distro, but in some rare cases like this one, I would rather recommend OpenSUSE.

Hey Rico,

That really makes a lot of sense, I'll give it a try in a few minutes,

Thanks a lot.

ed
Re: Suggestions for OS to use behind freebsd pf firewalls.
Quoting Schiz0 [EMAIL PROTECTED]:

> On Sat, Mar 1, 2008 at 8:45 PM, eculp [EMAIL PROTECTED] wrote:
>> I have installed freebsd server in a small company that has approx 30 pc's of all sizes, shapes, brands, etc. They have just realized that a large part of the problems that they had before the firewall was caused by the 30 windows pc's that were connected directly to the ISP's wireless router. They would like to change the PC's to unix desktops. I would like to install FreeBSD or any other bsd but don't feel that we have the drivers available to substitute such a wide variety of hardware. I would love to be proven wrong. Therefore I am considering a linux version with a graphic installer that will make it easier to train someone to install on any new machines that they add later.
>>
>> My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.
>>
>> I'm sure that I'm not the only person to run into this situation and I would sure appreciate any suggestions.
>>
>> Thanks,
>> ed
>
> Ubuntu Linux. It's very windows-users friendly, and has a graphical installer. It's based on Debian Linux. It also is a LiveCD, so you can test hardware before actually installing it to the HDD.

Thanks, I'm going to give it another try after SUSE.

ed
Re: Suggestions for OS to use behind freebsd pf firewalls.
Quoting Ezat - Ezatech [EMAIL PROTECTED]:

> Ed,
>
> If flash is bothering you, it's quite easy to just install the linux version of firefox on FreeBSD. Sabayon linux is a multimedia powerhouse. Definitely needs some good spec hardware to run even after most of the xgl services have been disabled. The sabayon image is around 4.2GB which gives you an indication.
>
> Ezat.

Ezat, thanks for the suggestion and the heads up on needed resources. I doubt it can be worse than Windows VISTA. Are you able to use Flashplayer9 with linux firefox? My Flash 7 works fine on both linux and freebsd firefox but I can not get Flash 9 to run reliably. Hopefully, I am behind on the latest flash info on FreeBSD.

Thanks,
ed

> eculp wrote:
>> Quoting Mehul Ved [EMAIL PROTECTED]:
>>> On Sun, Mar 2, 2008 at 7:15 AM, eculp [EMAIL PROTECTED] wrote:
>>>> My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.
>>>
>>> Maybe PC-BSD or Sabayon Linux. Sabayon is based on gentoo and contains lots of proprietary drivers built in. So, if you have no problem with that maybe you could look at Sabayon Linux too.
>>
>> I've never heard of Sabayon but will definitely give it a shot on my laptop first and take a good look at the licensing. I really like the idea of PC-BSD but the Flash thing holds me back a bit.
>>
>> ed
Re: Suggestions for OS to use behind freebsd pf firewalls.
eculp wrote:
> Quoting Mehul Ved [EMAIL PROTECTED]:
>> On Sun, Mar 2, 2008 at 7:15 AM, eculp [EMAIL PROTECTED] wrote:
>>> My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.
>>
>> Maybe PC-BSD or Sabayon Linux. Sabayon is based on gentoo and contains lots of proprietary drivers built in. So, if you have no problem with that maybe you could look at Sabayon Linux too.
>
> I've never heard of Sabayon but will definitely give it a shot on my laptop first and take a good look at the licensing. I really like the idea of PC-BSD but the Flash thing holds me back a bit.
>
> ed

They have a hack for Flash. You can use PBI to install Wine + Windows Firefox + Windows Flash so their Flash just works like on Windows. They also have PBI for JDK Java. As I mentioned earlier I do not trust PBI very much but will take PC-BSD with PBI any day over the Windows.

You should look again at Ubuntu which is Debian based if you want Linux. Mint is also another distro based on Ubuntu with more proprietary drivers. PC-Linux is another distro to be aware of. Sabayon, based on Gentoo, is an excellent Linux distro, easy to work with and with lots of proprietary drivers. Personally if I had to choose Linux I would stick with a Debian based distro because of the package management and the largest number of packages available.

Cheers,
Predrag
Suggestions for OS to use behind freebsd pf firewalls.
I have installed freebsd server in a small company that has approx 30 pc's of all sizes, shapes, brands, etc. They have just realized that a large part of the problems that they had before the firewall was caused by the 30 windows pc's that were connected directly to the ISP's wireless router. They would like to change the PC's to unix desktops. I would like to install FreeBSD or any other bsd but don't feel that we have the drivers available to substitute such a wide variety of hardware. I would love to be proven wrong. Therefore I am considering a linux version with a graphic installer that will make it easier to train someone to install on any new machines that they add later.

My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.

I'm sure that I'm not the only person to run into this situation and I would sure appreciate any suggestions.

Thanks,
ed
Re: Suggestions for OS to use behind freebsd pf firewalls.
On Sat, Mar 1, 2008 at 8:45 PM, eculp [EMAIL PROTECTED] wrote:
> I have installed freebsd server in a small company that has approx 30 pc's of all sizes, shapes, brands, etc. They have just realized that a large part of the problems that they had before the firewall was caused by the 30 windows pc's that were connected directly to the ISP's wireless router. They would like to change the PC's to unix desktops. I would like to install FreeBSD or any other bsd but don't feel that we have the drivers available to substitute such a wide variety of hardware. I would love to be proven wrong. Therefore I am considering a linux version with a graphic installer that will make it easier to train someone to install on any new machines that they add later.
>
> My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.
>
> I'm sure that I'm not the only person to run into this situation and I would sure appreciate any suggestions.
>
> Thanks,
> ed

Ubuntu Linux. It's very windows-users friendly, and has a graphical installer. It's based on Debian Linux. It also is a LiveCD, so you can test hardware before actually installing it to the HDD.
Re: Suggestions for OS to use behind freebsd pf firewalls.
eculp wrote:
> I have installed freebsd server in a small company that has approx 30 pc's of all sizes, shapes, brands, etc. They have just realized that a large part of the problems that they had before the firewall was caused by the 30 windows pc's that were connected directly to the ISP's wireless router. They would like to change the PC's to unix desktops. I would like to install FreeBSD or any other bsd but don't feel that we have the drivers available to substitute such a wide variety of hardware. I would love to be proven wrong. Therefore I am considering a linux version with a graphic installer that will make it easier to train someone to install on any new machines that they add later.
>
> My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.
>
> I'm sure that I'm not the only person to run into this situation and I would sure appreciate any suggestions.
>
> Thanks,
> ed

PC-BSD would be a good choice but stay away from PBI. You may try also DesktopBSD, TrueBSD, or RoFreeSBIE.
Re: Suggestions for OS to use behind freebsd pf firewalls.
On Sat, 01 Mar 2008 19:45:14 -0600 eculp [EMAIL PROTECTED] wrote:
> I have installed freebsd server in a small company that has approx 30 pc's of all sizes, shapes, brands, etc. They have just realized that a large part of the problems that they had before the firewall was caused by the 30 windows pc's that were connected directly to the ISP's wireless router. They would like to change the PC's to unix desktops. I would like to install FreeBSD or any other bsd but don't feel that we have the drivers available to substitute such a wide variety of hardware. I would love to be proven wrong. Therefore I am considering a linux version with a graphic installer that will make it easier to train someone to install on any new machines that they add later.
>
> My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.
>
> I'm sure that I'm not the only person to run into this situation and I would sure appreciate any suggestions.

In my experience from similar situations I would recommend OpenSUSE from Novell, since it has to be as windows like as possible. OpenSUSE is very well supported and since it is Novell who is behind the distro, the company can provide professional support.

In general I recommend Debian over any distro, but in some rare cases like this one, I would rather recommend OpenSUSE.

> Thanks,
> ed
Re: Suggestions for OS to use behind freebsd pf firewalls.
On Sun, Mar 2, 2008 at 7:15 AM, eculp [EMAIL PROTECTED] wrote:
> My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.

Maybe PC-BSD or Sabayon Linux. Sabayon is based on gentoo and contains lots of proprietary drivers built in. So, if you have no problem with that maybe you could look at Sabayon Linux too.
Re: Suggestions for OS to use behind freebsd pf firewalls.
On Mar 1, 2008, at 10:13 PM, Rico Secada wrote:
> On Sat, 01 Mar 2008 19:45:14 -0600 eculp [EMAIL PROTECTED] wrote:
>> I have installed freebsd server in a small company that has approx 30 pc's of all sizes, shapes, brands, etc. They have just realized that a large part of the problems that they had before the firewall was caused by the 30 windows pc's that were connected directly to the ISP's wireless router. They would like to change the PC's to unix desktops. I would like to install FreeBSD or any other bsd but don't feel that we have the drivers available to substitute such a wide variety of hardware. I would love to be proven wrong. Therefore I am considering a linux version with a graphic installer that will make it easier to train someone to install on any new machines that they add later.
>>
>> My problem is that I haven't done a linux install since before FreeBSD 2.2 IIRC and have no idea which version would be the most versatile and has an installer that is basically brain dead simple with most all drivers. I suspect that I am asking the impossible but you never know.
>>
>> I'm sure that I'm not the only person to run into this situation and I would sure appreciate any suggestions.
>
> In my experience from similar situations I would recommend OpenSUSE from Novell, since it has to be as windows like as possible. OpenSUSE is very well supported and since it is Novell who is behind the distro, the company can provide professional support.
>
> In general I recommend Debian over any distro, but in some rare cases like this one, I would rather recommend OpenSUSE.

I would recommend investigating Ubuntu or one of its clones (e.g. Xubuntu, Kubuntu). The install is brainless, they offer commercial support through the parent company Canonical, and they are Debian-based.

Another option would be PC-BSD or DesktopBSD as they both have very easy installations and will support most things that the above support. The only stipulation that I have run into is the standard trouble of Flash on BSD operating systems.

>> Thanks,
>> ed
Review on Software Firewalls
Here is a great blog on seven Linux/BSD firewalls.

http://linuxcult.blogspot.com/2007/11/seven-different-linuxbsd-firewalls.html

The winner is PFSense which is (ta-da!), based on FreeBSD. I have been using PFSense for nearly a year now and totally agree with this blog's conclusions.
Little error in rules from handbook/firewalls-ipfw.html 28.6.5.7 An Example NAT and Stateful Ruleset
Section 28.6.5.7 An Example NAT and Stateful Ruleset, Example Ruleset #2:

..
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
..

AFAIK DNS also uses UDP, so tcp is not really correct here. I changed tcp -> ip, but it still did not work because of setup :) That means tcpflags syn,!ack, which I guess is inapplicable to UDP packets, so they will never pass. Hope you'll change this to something like:

$cmd 020 $skip ip from any to x.x.x.x 53 out via $pif keep-state

Thanks a lot. I spent something around 5 hours on this, that's why I'm writing to you right now.. %)

I had also added a rule like

$cmd 070 $skip ip from me to any out via $pif setup keep-state

But again that damn setup %) That's a lesson for an entire life..

--
Best regards,
Nicolae Namolovan.
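An added example, not from the handbook or the post: a minimal Python model of how ipfw evaluates the keywords used in those rules, so the effect of `setup` (tcpflags syn,!ack) on a UDP DNS query can be checked without a FreeBSD box. The rule shape parsed is the one from the post, with constructed placeholders for x.x.x.x and $pif; only the keywords the post mentions are modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    dst_port: int
    direction: str             # "out" or "in"
    iface: str
    flags: set = field(default_factory=set)   # TCP flags present, e.g. {"syn"}


@dataclass
class Rule:
    proto: str                 # "tcp", "udp" or "ip" ("ip" matches any protocol)
    dst_port: int
    direction: str
    iface: str
    setup: bool = False        # ipfw 'setup' == tcpflags syn,!ack
    keep_state: bool = False


def parse_rule(body: str) -> Rule:
    """Parse the rule body that follows '$cmd 020 $skip' in the handbook:
    '<proto> from any to <addr> <port> <out|in> via <iface> [setup] [keep-state]'."""
    tok = body.split()
    if tok[1:4] != ["from", "any", "to"] or tok[7] != "via":
        raise ValueError("unsupported rule shape: " + body)
    opts = tok[9:]
    return Rule(proto=tok[0], dst_port=int(tok[5]), direction=tok[6], iface=tok[8],
                setup="setup" in opts, keep_state="keep-state" in opts)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this packet match the rule? Mirrors the ipfw semantics the post ran into."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if (rule.dst_port, rule.direction, rule.iface) != (pkt.dst_port, pkt.direction, pkt.iface):
        return False
    if rule.setup:
        # 'setup' means tcpflags syn,!ack. A UDP datagram carries no TCP flags,
        # so a rule with 'setup' can never match it, whatever its proto field says.
        if pkt.proto != "tcp":
            return False
        if "syn" not in pkt.flags or "ack" in pkt.flags:
            return False
    return True


# Constructed placeholders for the handbook's x.x.x.x and $pif (assumptions).
DNS_SERVER = "192.0.2.53"
PIF = "xl0"
HANDBOOK_RULE = f"tcp from any to {DNS_SERVER} 53 out via {PIF} setup keep-state"
FIXED_RULE = f"ip from any to {DNS_SERVER} 53 out via {PIF} keep-state"


def dns_query_passes(rule_body: str, proto: str) -> bool:
    """Would the first packet of an outbound DNS query over `proto` be passed by
    this rule (and so create the dynamic state the reply needs)?"""
    flags = {"syn"} if proto == "tcp" else set()
    return matches(parse_rule(rule_body), Packet(proto, 53, "out", PIF, flags))


if __name__ == "__main__":
    for name, rule in (("handbook", HANDBOOK_RULE), ("fixed", FIXED_RULE)):
        for proto in ("udp", "tcp"):
            print(f"{name:8s} {proto}: {dns_query_passes(rule, proto)}")
```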
Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))
Chuck Swiger wrote:
> On Jan 11, 2007, at 10:58 AM, Garrett Cooper wrote:
>> Just wondering if anyone has IPFilter / nfsd setup properly on their boxes with any beta versions of FBSD.
>
> It is typically not useful to implement firewall rules between NFS servers and legitimate NFS clients. The large number of RPC services using randomly assigned ports needed by NFS and the fact that machines which trust each other enough to permit filesharing and generally utilize a common set of directory services to keep the user/group mappings synced mean that the NFS server clients should be considered in the same trust domain in most cases.

Right, ok. I suppose I was just being lazy/trying to blanket support all machines on my subnet without having to delve into individual hosts, but that makes perfect sense.

rpcbind (and RPC in general) strictly uses ports under 1023--assuming that there are enough allocatable ports available for each RPC service in the port range 1-1023--if running as root, does it not?

Does the same rationale apply for Samba? That's part of the reason why I'm concerned with running a firewall.. I run smbd/nmbd on the server machine. Either that, or I could switch to another firewall setup (albeit it'd be sort of a pain). Does ipfw / pf work better with RPC than IPFilter?

>> Also if you suggest 7-CURRENT, what's the CVS tag for that version?
>
> The HEAD of the CVS tree (aka .). Updating to 7-CURRENT won't have any effect upon firewall configuration for NFS, however.

Right. I was just going to see if there was any improvement in how things were implemented in 7-CURRENT, because maybe the issues that I'm encountering had been 'solved' in 7-CURRENT (although I would probably have more issues with core kernel items as they're under heavy development it appears given traffic on the current@ list).

Thanks Chuck!
-Garrett
Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))
On Jan 11, 2007, at 12:54 PM, Garrett Cooper wrote:
>> It is typically not useful to implement firewall rules between NFS servers and legitimate NFS clients. The large number of RPC services using randomly assigned ports needed by NFS and the fact that machines which trust each other enough to permit filesharing and generally utilize a common set of directory services to keep the user/group mappings synced mean that the NFS server clients should be considered in the same trust domain in most cases.
>
> Right, ok. I suppose I was just being lazy/trying to blanket support all machines on my subnet without having to delve into individual hosts, but that makes perfect sense.
>
> rpcbind (and RPC in general) strictly uses ports under 1023--assuming that there are enough allocatable ports available for each RPC service in the port range 1-1023--if running as root, does it not?

Actually, no. While rpcbind/portmap/portmapper is assigned to 111/tcp udp, most other RPC services get assigned high port numbers in the 327xx range, but that varies considerably from platform to platform.

> Does the same rationale apply for Samba? That's part of the reason why I'm concerned with running a firewall.. I run smbd/nmbd on the server machine.

Somewhat, yes. Samba/CIFS filesharing can require less trust between server and client as accessing a Samba share does not require superuser permissions, just limited user access, but Samba does require root access to start up and bind to the low ports it uses, and it also involves the network browse master (which nmbd can do) and so forth which involve subnet-oriented broadcast traffic. Samba/CIFS is a chatty protocol.

> Either that, or I could switch to another firewall setup (albeit it'd be sort of a pain). Does ipfw / pf work better with RPC than IPFilter?

No, not really.

What you probably want to focus on is protecting your entire subnet, including the fileserver and clients, from malicious traffic via your Internet link(s), and then worry about egress filtering, dividing your machines into a trusted internal LAN and a semi-trusted DMZ, and so forth.

A firewall system should not be running any kind of filesharing; while you can run PF, IPFW, etc on your fileserver, that ought to be a secondary line of protection for defense in depth, and your Internet connection ought to have a dual-homed or multihomed firewall machine which is dedicated to that role and which runs zero services.

--
-Chuck
Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))
Chuck Swiger wrote:
> Actually, no. While rpcbind/portmap/portmapper is assigned to 111/tcp udp, most other RPC services get assigned high port numbers in the 327xx range, but that varies considerably from platform to platform.

True. NFS is port 2049 by default, anyhow..

> Somewhat, yes. Samba/CIFS filesharing can require less trust between server and client as accessing a Samba share does not require superuser permissions, just limited user access, but Samba does require root access to start up and bind to the low ports it uses, and it also involves the network browse master (which nmbd can do) and so forth which involve subnet-oriented broadcast traffic. Samba/CIFS is a chatty protocol.

No kidding. The funny thing is that smbclient (Xbox Media Center runs smbclient) I've learned requires more open ports than regular CIFS enabled Windows XP hosts to RPC services, which has caused more issues than it's worth in the past.

> No, not really.
>
> What you probably want to focus on is protecting your entire subnet, including the fileserver and clients, from malicious traffic via your Internet link(s), and then worry about egress filtering, dividing your machines into a trusted internal LAN and a semi-trusted DMZ, and so forth.
>
> A firewall system should not be running any kind of filesharing; while you can run PF, IPFW, etc on your fileserver, that ought to be a secondary line of protection for defense in depth, and your Internet connection ought to have a dual-homed or multihomed firewall machine which is dedicated to that role and which runs zero services.

Right. However, I don't trust the rest of the clients on my subnet other than the ones I maintain, so that's why I have setup the firewall rules I have.

Sorry for not more clearly defining the situation earlier, but here's the reasoning / rationale for what I'm doing..

IT nightmare

- I live in a house with a shared LAN with a total of around 50 hosts connected / disconnected at various times of the day.
- I don't trust any of the Windows clients devoid a small handful because I have had a variety of connectivity problems caused by improperly managed personal machines, virii, and spyware on machines here.
- There isn't a real means of properly controlling IP distribution and people are free to change their IP addresses to whatever they choose (host information is set statically, not dynamically).
- I have 5 machines which have access to the network--2 serving machines and 3 clients which aren't always attached to the network. I have set the IP addresses up so they all lie in a range, but I don't trust whether someone will IP squat my address and do whatever they want to my serving machines (whether they mean to or it happens by accident).
- Some of the machines on the network have access to the machine serving via Samba, but that's a limited number.

/IT nightmare

-Garrett
Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))
On Jan 11, 2007, at 1:50 PM, Garrett Cooper wrote:
>> Actually, no. While rpcbind/portmap/portmapper is assigned to 111/tcp udp, most other RPC services get assigned high port numbers in the 327xx range, but that varies considerably from platform to platform.
>
> True. NFS is port 2049 by default, anyhow..

Good example, yet this is true on some platforms but not on others.

>> A firewall system should not be running any kind of filesharing; while you can run PF, IPFW, etc on your fileserver, that ought to be a secondary line of protection for defense in depth, and your Internet connection ought to have a dual-homed or multihomed firewall machine which is dedicated to that role and which runs zero services.
>
> Right. However, I don't trust the rest of the clients on my subnet other than the ones I maintain, so that's why I have setup the firewall rules I have.

You really don't want to mix machines which are trusted with machines which are not trusted on the same subnet. If you can't control which client machines get which IPs, you pretty much cannot use firewall rules to restrict filesharing only to the legit clients.

> Sorry for not more clearly defining the situation earlier, but here's the reasoning / rationale for what I'm doing..
>
> IT nightmare
>
> - I live in a house with a shared LAN with a total of around 50 hosts connected / disconnected at various times of the day.
> - I don't trust any of the Windows clients devoid a small handful because I have had a variety of connectivity problems caused by improperly managed personal machines, virii, and spyware on machines here.
> - There isn't a real means of properly controlling IP distribution and people are free to change their IP addresses to whatever they choose (host information is set statically, not dynamically).
> - I have 5 machines which have access to the network--2 serving machines and 3 clients which aren't always attached to the network. I have set the IP addresses up so they all lie in a range, but I don't trust whether someone will IP squat my address and do whatever they want to my serving machines (whether they mean to or it happens by accident).
> - Some of the machines on the network have access to the machine serving via Samba, but that's a limited number.

Perhaps you should consider setting up your own private subnet for your machines, and having a firewall guarding access to your machines which performs static NAT for the set of five IP addresses you've made claim to.

--
-Chuck
Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))
Chuck Swiger wrote:

snip

> You really don't want to mix machines which are trusted with machines which are not trusted on the same subnet. If you can't control which client machines get which IPs, you pretty much cannot use firewall rules to restrict filesharing only to the legit clients.

Excellent point.

snip

> Perhaps you should consider setting up your own private subnet for your machines, and having a firewall guarding access to your machines which performs static NAT for the set of five IP addresses you've made claim to.

I'm really starting to think that'd be a good idea. Thanks again for the comments--it really helps.

-Garrett
Re: firewalls' behavior help
> Box: freeBSD 6.0, ipf: IP Filter: v4.1.8 (416), Kernel: IP Filter: v4.1.8
>
> Network layout:
> ---
>   other building [ PCs - 192.168.80.0/24 ]
>          |
>   g1 (ipf - vr0:192.168.80.2 - sis0:10.10.10.13)
>          |
>   My Lan ( 10.10.10.0/24 )
>     [ PCs (DefaultGw = g2) ]
>     [ MailSrv (10.10.10.12) (pop3/smtp/ssh) (DefaultGw = g2) ]
>     [ WebSrv (10.10.10.11) (http) (DefaultGw = g1) ]
>          |
>          g2
>          |
>       Internet
>
> ipnat.rules
> ---
> map vr0 10.10.10.0/24 -> 192.168.80.2/32 proxy port 21 ftp/tcp
> map vr0 10.10.10.0/24 -> 192.168.80.2/32
> rdr vr0 192.168.80.2/32 port 80 -> 10.10.10.11 port 80 tcp
> rdr vr0 192.168.80.2/32 port 22 -> 10.10.10.12 port 22 tcp
> rdr vr0 192.168.80.2/32 port 25 -> 10.10.10.12 port 25 tcp
> rdr vr0 192.168.80.2/32 port 110 -> 10.10.10.12 port 110 tcp
>
> ipf.rules
> ---
> ### No restrictions inside LAN Interface ###
> pass out quick on sis0 all
> pass in quick on sis0 all
>
> ### No restrictions on Loopback Interface ###
> pass out quick on lo0 all
> pass in quick on lo0 all
>
> ### Allow out DNS queries ###
> pass out quick on vr0 proto tcp from any to 192.168.10.5 port = 53 flags S keep state
> pass out quick on vr0 proto udp from any to 192.168.10.5 port = 53 keep state
>
> ### Allow IE out ###
> pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state
>
> ### Allow Squid Access out ###
> pass out quick on vr0 proto tcp from any to any port = 3128 flags S keep state
> pass out quick on vr0 proto tcp from any to any port = 3130 flags S keep state
>
> ### Allow FTP out ###
> pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state
>
> ### Allow Remote Desktop to WinXP external PCs ###
> pass out quick on vr0 proto tcp from any to any port = 3389 flags S keep state
>
> ### Allow MailServer to Deliver mails ###
> pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state
>
> ### Block and Log only first occurrence of everything ###
> block out log first quick on vr0 all
>
> ### Block all inbound traffic from non-routable or reserved address spaces
> ...
>
> ### Allow in ssh session from other building ###
> pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
>
> ### Allow in HTTP session from public to Internat MailServer ###
> pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
>
> ### Allow in SMTP access to Internal Mail Server ###
> pass in quick on vr0 proto tcp from any to any port = 25 flags S keep state
>
> ### Allow in POP3 access to Internal Mail Server ###
> pass in quick on vr0 proto tcp from any to any port = 110 flags S keep state
>
> ### Block and log anly first occurence of all remaining traffic ###
> block in log first quick on vr0 all
>
> The situation:
> --
> ...if the server(MailSrv) is redirected to G1, the users are able to connect themselves to the services. To be sure about it I redirected the server(WebSrv) with apache that before was pointing to G1 to G2(internet) and the access was broken for the other building...
>
> Why does this happen?

If I understand your description, it could be mapped like this:

  net1 is the other building's network
    net1pc1 .. net1pcN
  net2 is your network
    net2pc1 .. net2pcN
    net2server1 .. net2server3
  g1 == net1,net2
  g2 == net2,Internet

Assumptions:
  net1 and net2 are private
  the default gateway for g1 is g2
  g1 is using a map rule to nat net1 hosts to net2
  the default gateway for g2 is on the Internet
  g2 is using a map rule to nat net2 hosts to the Internet

If a net1 PC connects through g1, it would be mapped as coming from g1. Since g1 is on net2, and g2 can route to net2, the servers using g2 as the default route should have no problem.

My assumptions may be false. Would you post the g1 and g2 ipf.conf and ipnat.conf, and specify what the net1 and net2 CIDR are?

Thank you,
Ben
Re: firewalls' behavior help
Sorry, this mail was for the ipfilter's list...

--
Efren Bravo
Sistemas DHL-Cuba
Telf-Pizarra: (537)-2041578 Ext 123
freebsd firewallS
Hi all, I'd like to build firewall rules for my machine on the internet and my LAN. I see: IPFW, PF, IPF. I have a main server on the internet and several clients. Which firewall package should I use (study)? I know iptables (for Linux) and I wrote rules for it, but I prefer to use a native FreeBSD firewall :-) Can anyone suggest one? Thanks very much :-)

Pol
Re: freebsd firewallS
Pol Hallen wrote:
> Hi all, I'd like to build firewall rules for my machine on the internet and my LAN. I see: IPFW, PF, IPF. I have a main server on the internet and several clients. Which firewall package should I use (study)? I know iptables (for Linux) and I wrote rules for it, but I prefer to use a native FreeBSD firewall :-) Can anyone suggest one? Thanks very much :-)

ipfw is the native firewall. ipf is simple and historically precedes pf. pf is ported from OpenBSD and leaves nothing behind in terms of security controls. I don't know ipfw.

If you expect a simple rule set, then ipf may be the easy solution. Otherwise I would go for pf. pf took some syntax from ipf so with some changes you can easily shift to pf later; if you don't use groups no changes should be needed.

Cheers,
Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
cvsup, portupgrade, installing ports, and firewalls
I've got the pf firewall installed, and every time I run cvsup, portupgrade or try to install ports, I have to disable it. What outgoing and incoming ports do I need to allow in order to run these without disabling the firewall?
Re: cvsup, portupgrade, installing ports, and firewalls
On Sun, Mar 27, 2005 at 04:01:08PM -0700, Pat Maddox wrote:
> I've got the pf firewall installed, and every time I run cvsup, portupgrade or try to install ports, I have to disable it. What outgoing and incoming ports do I need to allow in order to run these without disabling the firewall?

The cvsup(1) manpage describes exactly what ports need to be opened for cvsup to work. (Normally just outgoing TCP connections to port 5999 on the server.) Fetching distfiles for ports is usually done via either HTTP or FTP, so if you allow those out everything should work.

--
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]
moving to 5.3 and need help understanding firewalls
Hey all. I'm getting ready (again) to set up my new system with 5.3 RELEASE the moment the ISOs are published. One thing I need to understand better is the current firewall tool, and how to get my 4.10 firewall moved over from ipfw to pf. Seems there will be a few issues to work out.

Another thing I want to work through is the issue of these hack attempts that everyone has been seeing from Asian (and a few Canadian) networks. Most of these attempts work with just the basic accounts, like root, guest, test, etc., but recently I've seen a few attempt accounts like nobody, www, operator, and a few userids like oracle, sybase, patrick john, pamela, backup, etc. This looks like a trend toward finding access through an unprivileged account. I only have a single account that should be able to log in remotely, but I don't want to provide any chances to find it (or one that I missed) and break the PW.

A while back, someone named Chris provided the following snippet:

    ${fwcmd} add 090 pass log tcp from 123.123.123.123/xx to ${ip} 22 setup limit src-addr 4

I found this pretty interesting, but haven't been able to understand it that well. I assumed it was a way to shut an IP out if it failed to complete a login successfully 4 times, but I can't see how this works, so I'm pretty sure I don't understand it correctly. Is this maybe a limit on the concurrent setup requests from a given IP?

I had thought about this one a bit though, and figured that it would be a simple translation to the external network:

    ${fwcmd} add pass log tcp from any to ${ip} 22 setup limit src-addr 4

But I never put it in because I don't understand exactly what it will do. The ipfw manpage is well written, but I kinda need an idiot's guide to bridge whatever intellectual gap I'm running into. Any pointers to said idiot's guide would be appreciated. Any newbie level explanation of the above snippet would be just as appreciated, as would any pointer to any conversion howto for the move to pf.

TIA.
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Green's Law of Debate: Anything is possible if you don't know what you're talking about.
Re: moving to 5.3 and need help understanding firewalls
On Mon, Oct 25, 2004 at 12:14:03PM -0400, Louis LeBlanc wrote:
> I had thought about this one a bit though, and figured that it would be a simple translation to the external network:
>
>     ${fwcmd} add pass log tcp from any to ${ip} 22 setup limit src-addr 4
>
> But I never put it in because I don't understand exactly what it will do.

What that does is limit you to having no more than 4 remote SSH sessions running concurrently from any particular source address. This can't stop probing of your port 22, but it might slow it down some.

Hmmm... perhaps you might find something more like:

    ${fwcmd} add pass log tcp from any to ${ip} 22 setup limit dst-port 22

more effective. That limits you to no more than four incoming SSH sessions in total.

However, the most effective defense is either to move the port sshd(8) listens on, or to prevent people logging in using passwords at all -- key based auth is a lot more secure all round, or use one-time passwords. See sshd_config(8) (particularly the description of the ChallengeResponseAuthentication and PasswordAuthentication commands), ssh-keygen(1), pam_unix(8) and opie(4).

Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
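As an added example (not code from the thread), the following rc.firewall-style shell fragment applies the per-source limit rule explained in the reply above and adds the check a defender would pair with it: an audit of sshd_config for the two password settings the reply recommends turning off. In ipfw's syntax the number after the limit keyword is the count of dynamic states allowed, so the per-source form reads `limit src-addr 4`. `$fwcmd`, `$ip` and the 192.0.2.10 placeholder follow rc.firewall's conventions and are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the list posts. rc.firewall-style fragment:
# the per-source limit rule discussed above, plus an audit of sshd_config
# for the two password settings the reply recommends turning off.
# Assumptions (not from the thread): $fwcmd is ipfw as in rc.firewall
# (set fwcmd=echo to preview the rules), $ip is the address sshd listens on,
# and 192.0.2.10 is a documentation-range placeholder.

fwcmd="${fwcmd:-/sbin/ipfw}"
ip="${ip:-192.0.2.10}"

# check-state lets packets of already-established sessions match their
# dynamic rule here, before the setup rule below is consulted.
# The setup rule accepts SSH SYNs to $ip and creates a dynamic state per
# connection, keeping at most 4 open states per source address. Existing
# sessions keep working; a 5th SYN from the same source is dropped by ipfw
# itself, so no separate deny rule is needed. This caps parallel connections
# from one host, not the number of password guesses over time.
add_ssh_rules() {
    ${fwcmd} add 00900 check-state
    ${fwcmd} add 00910 pass log tcp from any to "${ip}" 22 setup limit src-addr 4
}

# Succeed (exit 0) only when password logins are off: PasswordAuthentication
# and ChallengeResponseAuthentication both "no". sshd uses the first
# occurrence of a keyword and both default to "yes", so a missing keyword
# counts as enabled. Matching is case-insensitive; comment lines are skipped
# because "#Keyword" does not equal the bare keyword. Only the usual
# whitespace-separated "Keyword value" form is handled.
sshd_passwords_disabled() {
    conf="$1"
    pw=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$conf")
    cr=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$conf")
    [ "${pw:-yes}" = "no" ] && [ "${cr:-yes}" = "no" ]
}
```

Source the file from a firewall script and call `add_ssh_rules` after the rules that protect the firewall itself; `sshd_passwords_disabled /etc/ssh/sshd_config && echo "password logins off"` is the audit, run from a periodic job or before opening port 22 at all.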
Re: firewalls, connecting, config apachetoolbox (was: Re: BigApache [..])
Hi Giorgos et al, thanks for your patience. I have enclosed the output of dmesg, ps, and XF86Config if it helps in understanding why my system runs slower than W2000 and why I cannot connect to the net via my broadband connection.

--- Giorgos Keramidas [EMAIL PROTECTED] wrote:
> Bearing this in mind you might, of course, find it a bit more reassuring to run a firewall like IPFW. But this doesn't *require* a kernel recompile. You can simply load the ipfw.ko module with kldload(8) and immediately start setting up the rules of your firewall ruleset. As root, you can load the ipfw module by:
>
>     # kldload ipfw

Thanks for that. I have ipfw loaded okay (I hope). After reading 14.8.3 from the handbook regarding IPFW, I was a little worried:

    14.8.3 Enabling IPFW on FreeBSD
    As the main part of the IPFW system lives in the kernel, you will need to add one or more options to your kernel configuration file, depending on what facilities you want, and RECOMPILE your kernel.

> The default set of firewall packet inspection rules that ipfw loads will block *EVERYTHING* so you might want to do a bit of research on the available rulesets by reading about rc.firewall, rc.conf and/or browse the contents of the /etc/defaults/rc.conf file:

If I understand it correctly after reading the handbook, if I add 'firewall_type=open' in my '/etc/rc.conf' file, will it make all incoming/outgoing ports open so I can connect to the net with sysinstall to download packages???

> The bad interpreter error means that the `install.sh' script (most likely) starts with a line like this:
>
> Edit `install.sh' and replace `/bin/bash' with `/usr/local/bin/bash' if you have bash installed.

Legend. Got this script working now :)) ...Except... All modules seem to install okay except for mod_perl. I get the error:
---
[-] 16) -Mod Perl 1.29
Choice [?] 16
LWP::UserAgent not installed!
HTML::HeadParser not installed!
Type perl -MCPAN -e shell to start the perl CPAN shell, then install LWP::UserAgent to install the LWP::UserAgent module!
Substitute LWP::UserAgent for any perl module.
--
I don't understand what I am supposed to substitute (above)???

Other problems (Doh!):

1) For automount, I edited /etc/fstab. It was easier and more logical than editing amd (/etc/amd.conf and /etc/amd.map).
Problem: There has to be a CD in the CD drive and a floppy in the floppy drive, otherwise the drives don't automount and the bootup falters!! - This is annoying. Is there a way around this so I can automount at bootup without a disk being in the drive???

2) I ran xf86config and generated a new config file. It broke X and I was not able to log in. Thankfully I saved a working one to floppy. Any suggestions as to what I can change in my XF86Config file (attached) so that all the hardware is being utilised and the screen is being used fully instead of only 80%??? - My Monitor Specs (if this helps):
    viewsonic pf775
    1600x1200 @ 77Hz
    1280x1024 @ 90Hz
    1024x768 @ 118Hz
    800x600 @ 149Hz
    Frequency f h: 30~97kHz; f v: 50~180Hz
---

3) I tried to install the login client for my broadband connection so I can use sysinstall to download and install packages. The program fails on make and make install!
Screen Output
---
127# make install
Makefile error: there is no COMMENT variable defined for this port. Please, rectify this.
*** Error code 1
Stop in /usr/ports/distfiles/login.
---
Makefile
-
PORTNAME=       login
PORTVERSION=    2.0
CATEGORIES=     net
MASTER_SITES=   http://
DISTNAME=       login
EXTRACT_SUFX=   -2.0-unix-src.tar.gz
GNU_CONFIGURE=  yes
USE_GMAKE=      yes

post-extract:
	$(CP) $(FILESDIR)/login.sh $(WRKSRC)

.include <bsd.port.mk>
---
Any suggestions as to what COMMENT variable it wants defined???

4) I am taking your advice and am trying to connect to the net with sysinstall so I can download packages/ports and hopefully find an easier way to install apps. However when I go through the steps to install a package and select a freebsd ftp site, at the end, a prompt comes up saying something like "cannot resolve ftp... name server, network needs to be configured..." ... or something like that.

Q: Do I need to get my broadband login client working to connect to the net OR can I login to my ISP from a terminal within BSD???
Q: Do I need to login to my broadband ISP via my login client to enable sysinstall to be able to download packages etc...???
Q: Like tracert on W2000, is there a command I can use in BSD to see when I am connected to the net???

Kind Regards,
DK
Re: firewalls, connecting, config apachetoolbox (was: Re: BigApache [..])
Honestly, you'll get much better response if you ask 1 question per email. An email this long with multiple questions in it forces someone to read the entire email just to see if there's something there they want to answer.

DK [EMAIL PROTECTED] wrote:
> Hi Giorgos et al, thanks for your patience. I have enclosed the output of dmesg, ps, and XF86Config if it helps in understanding why my system runs slower than W2000 and why I cannot connect to the net via my broadband connection.
>
> --- Giorgos Keramidas [EMAIL PROTECTED] wrote:
> > Bearing this in mind you might, of course, find it a bit more reassuring to run a firewall like IPFW. But this doesn't *require* a kernel recompile. You can simply load the ipfw.ko module with kldload(8) and immediately start setting up the rules of your firewall ruleset. As root, you can load the ipfw module by:
> >
> >     # kldload ipfw
>
> Thanks for that. I have ipfw loaded okay (I hope). After reading 14.8.3 from the handbook regarding IPFW, I was a little worried:
>
>     14.8.3 Enabling IPFW on FreeBSD
>     As the main part of the IPFW system lives in the kernel, you will need to add one or more options to your kernel configuration file, depending on what facilities you want, and RECOMPILE your kernel.

It _used_ to be this way ... it looks like it's time to update that page of the handbook.

> > The default set of firewall packet inspection rules that ipfw loads will block *EVERYTHING* so you might want to do a bit of research on the available rulesets by reading about rc.firewall, rc.conf and/or browse the contents of the /etc/defaults/rc.conf file:
>
> If I understand it correctly after reading the handbook, if I add 'firewall_type=open' in my '/etc/rc.conf' file, will it make all incoming/outgoing ports open so I can connect to the net with sysinstall to download packages???

Yes.

> > The bad interpreter error means that the `install.sh' script (most likely) starts with a line like this:
> >
> > Edit `install.sh' and replace `/bin/bash' with `/usr/local/bin/bash' if you have bash installed.
>
> Legend. Got this script working now :)) ...Except... All modules seem to install okay except for mod_perl. I get the error:
> ---
> [-] 16) -Mod Perl 1.29
> Choice [?] 16
> LWP::UserAgent not installed!
> HTML::HeadParser not installed!
> Type perl -MCPAN -e shell to start the perl CPAN shell, then install LWP::UserAgent to install the LWP::UserAgent module!
> Substitute LWP::UserAgent for any perl module.
> --
> I don't understand what I am supposed to substitute (above)???

With the name of the perl module. Apparently, that script is making assumptions about what is installed on your system, and is assuming wrong. Doesn't sound like a very good script. You'll have a better time of it if you look up the UserAgent and HeadParser packages for perl in the ports collection and install them from there, but the CPAN method will work as well. See the CPAN docs for details.

> Other problems (Doh!):
>
> 1) For automount, I edited /etc/fstab. It was easier and more logical than editing amd (/etc/amd.conf and /etc/amd.map).
> Problem: There has to be a CD in the CD drive and a floppy in the floppy drive, otherwise the drives don't automount and the bootup falters!! - This is annoying. Is there a way around this so I can automount at bootup without a disk being in the drive???

You're a little confused. I saw an email go by earlier with someone suggesting changes to /etc/fstab, and that was bad advice and probably what confused you. Putting those entries in /etc/fstab does not constitute automounting, it just causes them to be mounted. Although it's easier to set up, it's not a good idea to configure removable devices to mount automatically at boot up by adding entries to /etc/fstab (as you've discovered). The method using amd is the correct way to do it; it causes the amd program to check for media in the drive and mount it if available. This is the behaviour you're used to in Windows, and will not be accomplished by editing /etc/fstab. /etc/fstab is a list of filesystems that must be mounted at boot time, and would create unreasonable requirements for removable media. Additionally, when you switch media (i.e. change to a different CD) the new CD won't be remounted. amd can handle this.

> 4) I am taking your advice and am trying to connect to the net with sysinstall so I can download packages/ports and hopefully find an easier way to install apps. However when I go through the steps to install a package and select a freebsd ftp site, at the end, a prompt comes up saying something like "cannot resolve ftp... name server, network needs to be configured..." ... or something like that.
>
> Q: Do I need to get my broadband login client working to connect to the net OR can I login to my ISP from a terminal within BSD???

Depends on the connection system you use for your broadband access. If they're using standard TCP, then you just need to set
Re: firewalls, connecting, config apachetoolbox (was: Re: BigApache [..])
On 2004-08-04 08:15, DK [EMAIL PROTECTED] wrote:
> --- Giorgos Keramidas [EMAIL PROTECTED] wrote:
> > The default set of firewall packet inspection rules that ipfw loads will block *EVERYTHING* so you might want to do a bit of research on the available rulesets by reading about rc.firewall, rc.conf and/or browse the contents of the /etc/defaults/rc.conf file:
>
> If I understand it correctly after reading the handbook, if I add 'firewall_type=open' in my '/etc/rc.conf' file, will it make all incoming/outgoing ports open so I can connect to the net with sysinstall to download packages???

Yes, that's mostly true. Note that I very rarely use the "open" firewall type or others from rc.firewall. This is because I usually write my own firewall rulesets. The commands of rc.firewall though are hopefully easy to understand. Open the script with your favorite editor in read-only mode (don't make any changes unless you're very sure you know what you're doing). Read the sets of rules it loads and see for yourself which one you prefer ;-)

The following manpages also contain useful stuff about firewall setup in your FreeBSD installation:

    % man 7 firewall
    % man 7 security

> Legend. Got this script working now :)) ...Except... All modules seem to install okay except for mod_perl.

Some problem with the bundle of installations no doubt :-)

> I get the error:
> ---
> [-] 16) -Mod Perl 1.29
> Choice [?] 16
> LWP::UserAgent not installed!
> HTML::HeadParser not installed!
> Type perl -MCPAN -e shell to start the perl CPAN shell, then install LWP::UserAgent to install the LWP::UserAgent module!
> Substitute LWP::UserAgent for any perl module.
> --

The installation depends on a Perl module called LWP. The error message tries to be helpful too. Read it carefully:

    Type perl -MCPAN -e shell to start the perl CPAN shell, then install LWP::UserAgent to install the LWP::UserAgent module!

If you do as it says, the LWP::UserAgent module will be installed and then the installation will "probably" succeed. I'm deliberately using "probably" because this is a package-lookalike that is not an official part of FreeBSD so I don't know why, when or how it could fail without trying it out first.

> I don't understand what I am supposed to substitute (above)???

CPAN is an acronym equivalent to "Comprehensive Perl Archive Network". The CPAN collection of Perl modules is a vast library of Perl code that you can install as add-on modules over your existing Perl installation. If you want to install many modules, a single CPAN shell invocation of Perl can do it, using "install MODULE_NAME". You'll have to substitute MODULE_NAME with the name of the module you want to install. Does the word "substitute" sound a bit more clear now?

> 1) For automount, I edited /etc/fstab. It was easier and more logical than editing amd (/etc/amd.conf and /etc/amd.map).
> Problem: There has to be a CD in the CD drive and a floppy in the floppy drive, otherwise the drives don't automount and the bootup falters!!

It obviously tries to mount a CD-ROM disk at boot time because you enabled the "mount at boot time" flag in fstab.

> - This is annoying. Is there a way around this so I can automount at bootup without a disk being in the drive???

Not really. You asked your system to mount the CD-ROM at boot time and it did. I recall someone posting excellent references for the automount daemon some time ago. I even went ahead and read them an afternoon that I was feeling bored. Please, go back to the previous posts of these threads and read the help posted about amd.

> 2) I ran xf86config and generated a new config file. It broke X
> [...]
> - My Monitor Specs (if this helps):
>     viewsonic pf775
>     [snip mode - frequency table]
>     Frequency f h: 30~97kHz; f v: 50~180Hz
> ---

Yes it does help. You'd also have to find out what Video Adapter you have and instruct xf86cfg to generate an XF86Config file using the proper driver for your video adapter.

> 3) I tried to install the login client for my broadband connection so I can use sysinstall to download and install packages. The program fails on make and make install!

What "login client"? The only port that I see whose name begins with "login" is x11/login.app and that's definitely nothing related to broadband connections.

> Screen Output
> ---
> 127# make install
> Makefile error: there is no COMMENT variable defined for this port. Please, rectify this.
> *** Error code 1
> Stop in /usr/ports/distfiles/login.
> ---

Are you honestly still trying to run make in /usr/ports/distfiles after I have asked you so many times to go and read the Handbook chapter about Ports and Packages? This is not going to work.

> 4) I am taking your advice and am trying to connect to the net with sysinstall so I can download packages/ports and hopefully find an easier way to install apps.

You haven't provided any
Re: firewalls, xfce4 and apachetoolbox (was: Re: BigApache [..])
On 2004-08-01 20:33, DK [EMAIL PROTECTED] wrote:
> --- Giorgos Keramidas [EMAIL PROTECTED] wrote:
> > You have lots of old (out of date) packages installed. Have you gotten your FreeBSD workstation to connect to the network yet? If yes, you can install `portupgrade' and use it to update all your packages/ports to their latest versions.
>
> I don't feel safe yet connecting my unsecured box to the net with the 5-10 hits a minute my W2000 box receives on my broadband link. I have read the security section of the manual and would like to get basics working before I rebuild the kernel to install the firewall (which doesn't seem that easy but I will give it a try).

The average FreeBSD system is vastly more secure than Windows workstations even without a firewall. You shouldn't worry too much about those Windows viruses trying to connect to your workstation, since they expect to find Windows-specific services/programs and will most certainly fail miserably when they hit a BSD machine.

Bearing this in mind you might, of course, find it a bit more reassuring to run a firewall like IPFW. But this doesn't *require* a kernel recompile. You can simply load the ipfw.ko module with kldload(8) and immediately start setting up the rules of your firewall ruleset. As root, you can load the ipfw module by:

    # kldload ipfw

The default set of firewall packet inspection rules that ipfw loads will block *EVERYTHING* so you might want to do a bit of research on the available rulesets by reading about rc.firewall, rc.conf and/or browse the contents of the /etc/defaults/rc.conf file:

    # man rc.firewall
    # man rc.conf
    # more /etc/defaults/rc.conf

For details about the way the rules can be written, the ipfw manpage can provide useful information.

    # man ipfw

Browsing the archives of this list for discussions about IPFW rulesets is also a good idea as a lot of people have posted questions on this topic and have received many helpful answers from knowledgeable list members.

> > This is probably not why xfce doesn't work though. The sysutils/xfce4-utils package installs a command called startxfce4. AFAIK, this is the program that fires up xfce. When you install that package (as part of the dependency list of xfce4) you should be able to use xfce4 as your desktop by editing your ~/.xinitrc file and making sure that the last command it runs is:
> >
> >     exec startxfce4
>
> my .xinitrc file contains only the one line:
> --
> exec startxfce4
> --
> it still won't start.

Does the program `startxfce4' even exist on your system? As I mentioned, it's part of the sysutils/xfce4-utils package, so if you didn't install that package you won't have it.

> As I can't get it to start, I just delete this line using VI (I am getting better :) and replace it with exec wmaker which starts OK.

Heh. Cool :) I prefer Emacs most of the time, but that's clearly a matter of personal taste so it doesn't matter so much.

> Apachetoolbox is not an official FreeBSD port/package (www.apachetoolbox.com). It's a script/ports pack that you run which creates all the scripts needed to install a large array of Apache and other www stuff (eg. MySQL etc). The install file that comes with it says to install it by running install.sh. It says (further down) that for BSD users, the script interpreter of install.sh is BASH (/bin/bash). - That's why I started BASH - Do you know what the "bad interpreter" error means???
> ---
> bash-2.05# ./install
> bash: ./install: No such file or directory
> bash-2.05# ./install.sh
> bash: ./install.sh: bad interpreter: No such file or directory
> bash-2.05# ./install
> bash: ./install: No such file or directory
> --

The "bad interpreter" error means that the `install.sh' script (most likely) starts with a line like this:

    #!/bin/bash

This is a special, somewhat magic line that, when present at the start of an executable file, instructs the UNIX kernel to fire up the program following "#!" and pass the rest of the script as input to this program. The program is then responsible to interpret the script as it sees fit. In this case, the program /bin/bash does not exist, because on FreeBSD bash is installed as /usr/local/bin/bash and not in /bin. The author of this program is most likely a Linux fan and has become accustomed to the Linuxism of expecting that bash is always in /bin :-)

Edit `install.sh' and replace `/bin/bash' with `/usr/local/bin/bash' if you have bash installed. As the author of the package has noted below, if you don't have bash and the script doesn't use some feature that is bash-specific, you might get away with /bin/sh instead of /bin/bash but this depends on the way the install script is written.

> ** Solaris/BSD users, the script interpreter of install.sh is BASH (/bin/bash). Bash should be used, YMMV if you change it to /bin/sh.

The next
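The diagnosis walked through above can be automated. The following shell functions are an added example, not code from the thread or from Apachetoolbox: they read the `#!` line of a script and report whether the interpreter it names exists on this system, suggesting the path `command -v` finds when it does not. The only assumption is that the script's first line is a plain `#!/path` form.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "bad interpreter"
# diagnosis. The kernel runs the path after "#!" on line 1; if that path
# does not exist (or is not executable) exec fails with "bad interpreter".
# Assumption: the script's first line is a plain "#!/path [args]".

# Print the interpreter path named on line 1, or nothing if there is no #!.
shebang_interpreter() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Exit 0 when the interpreter exists and is executable, 1 when it is
# missing (the "bad interpreter" case), 2 when the file has no #! line.
check_interpreter() {
    interp=$(shebang_interpreter "$1")
    if [ -z "$interp" ]; then
        echo "$1: no #! line, the kernel will not run it directly" >&2
        return 2
    fi
    if [ -x "$interp" ]; then
        echo "$1: interpreter $interp found"
        return 0
    fi
    # Same program installed elsewhere? Typical on FreeBSD for bash, which
    # lives in /usr/local/bin rather than /bin.
    base=$(basename "$interp")
    alt=$(command -v "$base" 2>/dev/null)
    echo "$1: bad interpreter: $interp is missing${alt:+; found $alt instead, fix the #! line}" >&2
    return 1
}
```

Run `check_interpreter install.sh` before executing a third-party installer; a non-zero status tells you which of the two failure modes you are looking at without having to read the script.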
Dummynet, routing and firewalls - crazy idea
Problem: When downloading huge files from the server we can't use the client web browser.

Setup: One firewall/DHCP/gateway which all clients and the server route through. The clients go via no router when connecting to the server. The server is equipped with a double NIC, however only one is used. The firewall is a hardware box, meaning no software can be altered.

Crazy idea: I have an idea about routing traffic through the server and then to the firewall. This would make it possible for the server to see that there's traffic on port 80 which should be prioritized over traffic on port 21; this part shouldn't be too hard I guess - lots of how-tos on the net for this. BUT, I would like the clients to go directly to the firewall without passing the server if they want to; this will mostly be the case when the server is down for maintenance or similar. This must mean that the server's both NICs actually must be on the same network. Is that possible at all and how do I set up such an environment?

It's 10:45pm and this idea just came out of my tired brain; if someone can give a better solution to the problem I would be very glad.
static NAT and firewalls
Hi, if I have configured static NAT on machine A, do the TCP/IP packets get injected into the firewall of machine A or do they reach machine B unfiltered?

Sebastian
--
If you share pain there is less of it. If you share joy there is more of it.
Re: static NAT and firewalls
- Original Message -
From: Sebastian Kutsch [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, April 10, 2004 6:17 AM
Subject: static NAT and firewalls

> Hi, if I have configured static NAT on machine A, do the TCP/IP packets get injected into the firewall of machine A or do they reach machine B unfiltered?
>
> Sebastian

Sebastian,

Provided that you have an entry at the beginning of your firewall to divert to natd, all traffic will hit that rule, get passed to natd and then injected back into the firewall after the divert rule and then pass out through the firewall.

--
Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
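The re-injection described in the reply above has a consequence worth seeing in a ruleset: every rule after the divert sees post-translation addresses. The rc.firewall-style shell fragment below is an added example, not code from the thread; `$fwcmd`, `$oif`, `$oip`, `$mailhost` and the placeholder addresses 192.0.2.10 and 10.0.0.12 are assumptions, and the static mapping it refers to is natd's `-redirect_address` option.

```shell
#!/bin/sh
# Added example, not code from the list posts: the rule order described in
# the reply, written rc.firewall-style. Assumptions (not from the thread):
# $fwcmd is ipfw (set fwcmd=echo to preview), $oif is the external
# interface, $oip its address, $mailhost a LAN host reached through a static
# natd mapping (natd -redirect_address). 192.0.2.10 and 10.0.0.12 are
# placeholders.

fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-em0}"
oip="${oip:-192.0.2.10}"
mailhost="${mailhost:-10.0.0.12}"

nat_ruleset() {
    # Every packet crossing $oif is handed to natd first. natd rewrites the
    # address (source on the way out, destination on the way in) and the
    # packet re-enters the ruleset at the rule after this one, so all later
    # rules see translated addresses.
    ${fwcmd} add 00050 divert natd ip from any to any via "${oif}"

    # Outbound: LAN traffic has already been rewritten to come from $oip, so
    # the setup rule matches on $oip, not on the LAN prefix. A rule written
    # "from 10.0.0.0/24" here would never match.
    ${fwcmd} add 00100 pass tcp from "${oip}" to any out via "${oif}" setup
    ${fwcmd} add 00110 pass tcp from any to any established

    # Inbound: the static mapping has already turned the external address
    # into $mailhost, so the rule matches on the LAN address. Everything else
    # addressed to the LAN host (any other port) falls through to the deny.
    ${fwcmd} add 00200 pass tcp from any to "${mailhost}" 25 in via "${oif}" setup

    # Anything not matched above is refused and logged.
    ${fwcmd} add 65000 deny log ip from any to any
}
```

Preview the rules with `fwcmd=echo sh -c '. ./natrules.sh; nat_ruleset'` before loading them; the answer to the question in the thread is visible in rule 200, which filters the packet after translation, on its way to the internal host.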
Re: FreeBSD has Two Firewalls?
Loren M. Lang [EMAIL PROTECTED] writes:

> I'm trying to learn how to configure my firewall on FreeBSD and there seem to be quite a few commands related to it. It looks like, though, that FreeBSD has two different implementations of firewalls. One uses ipfw to configure it and has natd for NAT; the other uses ipf and has ipmon, ipnat, ipfs for controlling it. Is this true?

Pretty much. There are some more firewall implementations in the ports, as well.

> Where are some good references for learning the packet filter on FreeBSD?

The FreeBSD Handbook and the manual are usually plenty.
Re: FreeBSD has Two Firewalls?
On Wed, Feb 11, 2004 at 08:43:26AM -0500, Lowell Gilbert wrote:
> Loren M. Lang [EMAIL PROTECTED] writes:
> > I'm trying to learn how to configure my firewall on FreeBSD and there seem to be quite a few commands related to it. It looks like, though, that FreeBSD has two different implementations of firewalls. One uses ipfw to configure it and has natd for NAT; the other uses ipf and has ipmon, ipnat, ipfs for controlling it. Is this true?
>
> Pretty much. There are some more firewall implementations in the ports, as well.

It looks like ipfilter is newer and more improved over ipfw, but I'm not sure. I'm looking for a good firewall with similar functionality to Linux's netfilter. Previously I was doing some somewhat sophisticated things like disabling or limiting internet access for certain individuals depending on the time of day, as well as using connection helpers for ftp, irc, etc. What's the best firewall to use for this?

> > Where are some good references for learning the packet filter on FreeBSD?
>
> The FreeBSD Handbook and the manual are usually plenty.

-- 
I sense much NT in you. NT leads to Bluescreen. Bluescreen leads to downtime. Downtime leads to suffering. NT is the path to the darkside. Powerful Unix is.
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
Re: FreeBSD has Two Firewalls?
Loren M. Lang [EMAIL PROTECTED] writes:

> It looks like ipfilter is newer and more improved over ipfw

They're independent implementations.

> , but I'm not sure. I'm looking for a good firewall with similar functionality to Linux's netfilter.

Which, as I understand it, is a descendant of ipchains. ipchains is a descendant of an older version of ipfw.

> Previously I was doing some somewhat sophisticated things like disabling or limiting internet access for certain individuals depending on the time of day, as well as using connection helpers for ftp, irc, etc. What's the best firewall to use for this?

There's a lot of Linux-specific terminology in there, so I can't really unwind it very well. I don't know of any support for time-of-day modifications, but I'd expect that somebody out there has written it. Depending on the exact requirements, it may even be trivial. Connection helpers sounds like automatic proxy support, which I'm not crazy about but which I know ipfilter does somewhat more extensively than ipfw.

The big advantage of ipfw is that dummynet(4) hooks in through it. Dummynet is a traffic shaper, as well as a framework that sort of resembles (as far as I understand) netfilter.

Also note that it's perfectly possible and often quite convenient to use more than one firewall program...
proxies and firewalls
Greetings all,

I often come across proxies and firewalls under the security section of tutorials and guides. I have read that one can create proxies of any internet service like ftp, www etc. My question is: what exactly is a proxy and how does it play a role in security? Why and how does it replace NATing, and how does it play a role in security with regard to NAT? What services can be proxied, is it worth having, and general advice.

Thanks all,
Hiren.
Re: proxies and firewalls
When one is connected to a proxy server, the proxy server makes a connection to the outside world and transports the data to the computer that is requesting that information. So the client computer won't make a true connection to the outside world, but only connects to the proxy server. There the administrator can give several rules to the proxy server about what to allow/disallow. For example you can disable clients connecting to the MSN port. If you use a proxy server your internal IP address will almost always be shown on sites that show your IP address rather than your true external IP address. Also, a proxy server caches files it collects from the net, thus making them accessible faster.

NAT (Network Address Translator) does nothing more than translating your internal IP address to an external one. So there is a direct connection to the internet like that, and there is no caching done by the NAT server.

NAT is handy for home use, since you don't have to really tighten up your security as you do with your company. So if you've got a big company then you should definitely use a proxy server to let your people connect to the outside world.

Cheers,
Jorn

On Monday 02 February 2004 10:38, Hiren wrote:
> My question is: what exactly is a proxy and how does it play a role in security? Why and how does it replace NATing, and how does it play a role in security with regard to NAT? What services can be proxied, is it worth having, and general advice.
> [...]
RE: proxies and firewalls
Friend Jorn,

Are you saying you know of a proxy server that does the NAT function? Please point me to it.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorn Argelo
Sent: Monday, February 02, 2004 5:04 AM
To: Hiren
Cc: [EMAIL PROTECTED]
Subject: Re: proxies and firewalls

> When one is connected to a proxy server, the proxy server makes a connection to the outside world and transports the data to the computer that is requesting that information. So the client computer won't make a true connection to the outside world, but only connects to the proxy server.
> [...]
> NAT (Network Address Translator) does nothing more than translating your internal IP address to an external one. So there is a direct connection to the internet like that, and there is no caching done by the NAT server.
> [...]
Re: proxies and firewalls
> Are you saying you know of a proxy server that does the NAT function?

Actually, the point of having proxies is *not* having to route. Your proxy machine should not be able to forward packets.

Roughly, there are two different sub-groups: circuit layer and application layer proxies; the names should be self-explaining.

Example for an app layer gateway:

Port:   fwtk-2.1
Path:   /usr/ports/security/fwtk
Info:   A toolkit used for building firewalls based on proxy services

Example for a circuit level proxy:

Port:   nylon-1.2
Path:   /usr/ports/net/nylon
Info:   A Unix SOCKS 4 and 5 proxy server

SOCKS5 is already app layer, too, IIRC.

Cheers,
J.
RE: proxies and firewalls
Thanks for your reply, but I must be thick headed this morning, because what you say below makes no sense to me. I checked out the 2 referenced descriptions and they say nothing about doing NAT.

I have a LAN with private IP addresses that send packets to the public internet. How does a proxy server solve the private IP address versus my public IP address problem?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 02, 2004 11:28 AM
To: JJB
Cc: Jorn Argelo; [EMAIL PROTECTED]
Subject: Re: proxies and firewalls

> > Are you saying you know of a proxy server that does the NAT function?
>
> Actually, the point of having proxies is *not* having to route. Your proxy machine should not be able to forward packets.
>
> Roughly, there are two different sub-groups: circuit layer and application layer proxies; the names should be self-explaining.
> [...]
Re: proxies and firewalls
> I have a LAN with private IP addresses that send packets to the public internet. How does a proxy server solve the private IP address versus my public IP address problem?

Simply through not routing / NATting at all. Instead of just forwarding the packets, rewriting the IP headers like a NAT device does, an application layer proxy does the connections to the outside world *INSTEAD* of the client.

To use the popular example of HTTP: while a NAT device will just forward and rewrite your query to a server's port 80/TCP and then forward and rewrite the reply according to its connection table, an application layer proxy will do the query *itself*. It will then process the reply, identify whether it looks like HTML that matches its quality/security requirements and then give a friendly reply to the client that originally did the query. Again, the proxy itself plays client on the application layer.

This of course means that all outgoing connections are also done with the external IP address of the application level proxy machine.

Clear now?
Re: proxies and firewalls
Proxy doesn't necessarily solve the private-IP-to-public-IP problem. NAT does: http://www.cablemodemhelp.com/proxy_vs_nat.htm

Proxy is application level. NAT is address translation.

HTH,
Christopher Hollow

JJB wrote:
> Thanks for your reply, but I must be thick headed this morning, because what you say below makes no sense to me. I checked out the 2 referenced descriptions and they say nothing about doing NAT.
>
> I have a LAN with private IP addresses that send packets to the public internet. How does a proxy server solve the private IP address versus my public IP address problem?
> [...]
RE: proxies and firewalls
Thanks for the detailed explanation. The light bulb has turned on in my head. I learn something new all the time on this list.

So let me put this in my own words to verify I understand correctly. Let's say I have a gateway box running 5 PCs on a LAN behind it, with a cable DHCP connection to the ISP. The gateway box runs the IPFILTER firewall and IPNAT to do the NAT function. I can discontinue using IPNAT and install an application level proxy server on my gateway box, and it will by default intercept all LAN and gateway originating packet traffic destined for the public internet after it's processed by my firewall and handle the bi-directional traffic transparently?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 02, 2004 12:02 PM
To: JJB
Cc: Jorn Argelo; [EMAIL PROTECTED]
Subject: Re: proxies and firewalls

> Simply through not routing / NATting at all. Instead of just forwarding the packets, rewriting the IP headers like a NAT device does, an application layer proxy does the connections to the outside world *INSTEAD* of the client.
> [...]
> This of course means that all outgoing connections are also done with the external IP address of the application level proxy machine.
>
> Clear now?
Re: proxies and firewalls
On Monday 02 February 2004 19:04, you wrote:
> Thanks for the detailed explanation. The light bulb has turned on in my head. I learn something new all the time on this list.
>
> So let me put this in my own words to verify I understand correctly. Let's say I have a gateway box running 5 PCs on a LAN behind it, with a cable DHCP connection to the ISP. The gateway box runs the IPFILTER firewall and IPNAT to do the NAT function. I can discontinue using IPNAT and install an application level proxy server on my gateway box, and it will by default intercept all LAN and gateway originating packet traffic destined for the public internet after it's processed by my firewall and handle the bi-directional traffic transparently?

Well, at home I'm using both NAT and a proxy server, but that's because I can't play some online games by means of the proxy server, and the MSN clients are refusing to work with my proxy server as well; but for browsing all four of the computers are using the proxy server. I'm not running a firewall, because the proxy server provides decent security for home use here. All the ports are closed except those which are needed (web server, mail server etc.).

If you're at a small company then the current situation you describe seems just fine to me. If you're at home then you can use this as well, but if you've got a gamer at home he isn't going to be happy, since you can't really use a proxy for online gaming. So it depends a bit.

Hope this helped a bit.

Cheers,
Jorn
hardware ITX for firewalls etc.
email 1:

On Fri, 21 Nov 2003 05:22 am, Francisco Reyes wrote:
> On Thu, 20 Nov 2003, paul van den bergen wrote:
> > You can also get CF and similar solid state memory chips to IDE connection adaptors for around AU$30...
>
> URL? Sounds like an interesting option for a firewall I need to do myself very soon.

and email 2:

On Fri, 21 Nov 2003 05:30 am, Francisco Reyes wrote:
> On Thu, 20 Nov 2003, paul van den bergen wrote:
> > I have a bunch of these (8000s actually) for a testbed network. work like a treat... go fanless if you can...
>
> Where did you get them from? How much?
>
> > I did have some hassles with the onboard via network connection not coping with long vlan tagged packets.
>
> It seems most of these mini ITX network cards have issues with FreeBSD. As long as I can get two PCI slots I should be fine.

reply to email 1:

I'll have to dig up the specs from a friend... but it's probably cheaper to do the google thing... or one of the ITX mini board sites... miniitx.com??? there are some awesome casemods out there... we want to get some Commodore 64s for our desktop machines... :-)

reply to email 2:

we got VIA EPIA mini ITX boards from a local supplier... (Melbourne, Australia) I can give the details if helpful (i.e. off list and if you are local) but since we are a University, it is likely you will not get the same price we did :-( on the other hand, check out the swapmeets (see green guide or computertrader.com.au (URL spelling?) for details)

they were around AU$220 each... the fanless is (was - this is 6 months ago or more) 600 MHz and the fan'd ones are 850 MHz or so... I expect they would be similar price for faster now... with more options... people on melbourne.wireless.org have been talking about the impending release of a board with on-board PCMCIA and etc... but not sure of the SotA...

the vlan tag thing and some other bugs with the vr0 supported hardware have been around for a while... I suspect mostly they are fixed or well known for FreeBSD nowadays... the vlan tag thing is a buffer size or otherwise a hardware support issue (i.e. not driver - as the man page states, the vlan stuff can be done in software, but I have absolutely no idea what this involves). anyone want to enlighten us?

ditto the dual PCI splitter - no idea where to get it, just know it exists... also rumour (one mention of suspicion... that counts as a rumour, right?) that there are issues with the dual pci thing... not sure what though... still, they're cheap... sub AU$50?? maybe? I imagine a quick check of some of the mod-sites will show some interesting board configs... I suspect you can get dual PCI slot versions too.

OK, here is my bookmark collection on hardware mods etc... pc104, review sites and itx sites...

http://www.tri-m.com/
http://accpc.com/submicropc.htm
http://www.littlepc.com/
http://www.viavpsd.com/product/index.jsp
http://www.mini-itx.com/
http://www.tomshardware.com
http://www.dansdata.com/
http://www.motherboards.org/
http://www.routerboard.com/
http://www.kontron.com/products/pdproductdetail.cfm?keyProduct=32980
http://www.frozencpu.com/cgi-bin/frozencpu/index.html
http://www.freeswan.org/
http://leaf.sourceforge.net/

there are likely others, but that's what I have atm... :-) the last few are Open Source router/AP/firewall thingies... there are also sites around with FreeBSD (well, BSD) based implementations that are similarly compact, cheap and reliable :-)

good luck... and remember google is your friend...

-- 
Dr Paul van den Bergen
Centre for Advanced Internet Architectures
caia.swin.edu.au
[EMAIL PROTECTED]
IM: bulwynkl2002
"And some run up hill and down dale, knapping the chucky stones to pieces wi' hammers, like so many road makers run daft. They say it is to see how the world was made." Sir Walter Scott, St. Ronan's Well 1824
How to set up VPN over firewalls.
Hi All,

How do I set up a VPN over firewalls?

Thanks in advance
Re: High interrupt load on firewalls
On Wed, 9 Oct 2002, Christopher Smith wrote:
> We have two firewalls sitting on gigabit links. Each has 2 Netgear GA620 (ti driver) fibre cards with about 7 vlans spread across them. Both these machines run at *very* high interrupt loads (95 - 100% during business hours (mostly 100%), 80 - 90% during off hours). They are 1GHz P3 machines (Dell 1550s) with 256MB of RAM. They're actually dual machines, but enabling the second CPU doesn't help in terms of load, it just halves the numbers top reports.
> [...]
> What hardware are other people using to firewall high-volume gigabit links?

Sometimes you need to get the right tool for the job. When the CPU is processing every packet, the CPU will always be a bottleneck. To solve this problem people started putting the logic in hardware and creating ASICs, which are only limited by the speed of the wire. I believe NetScreen puts their firewall functionality in ASICs and supports Gig interfaces.

andy
-- 
PGP Key Available at http://www.tigerteam.net/andy/pgp

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
High interrupt load on firewalls
We have two firewalls sitting on gigabit links. Each has 2 Netgear GA620 (ti driver) fibre cards with about 7 vlans spread across them. Both these machines run at *very* high interrupt loads (95 - 100% during business hours (mostly 100%), 80 - 90% during off hours). They are 1GHz P3 machines (Dell 1550s) with 256MB of RAM. They're actually dual machines, but enabling the second CPU doesn't help in terms of load, it just halves the numbers top reports.

Obviously, these machines process a lot of traffic. However, the interrupt load seems to me to be very, very high and the main reason we are seeing such high rates of packet loss (up to 10%, constantly) through these machines - is there any way it can be lessened, either with a better driver, different network cards, or some other way?

We are currently testing with a dual 2.4GHz P4 (Dell 2650) using the same network cards, and are peaking at around 40% (really 80%). However, that doesn't seem to leave much room to grow, and it's a very expensive way to ease the load.

Will FreeBSD 5.0 be able to spread the interrupts across both CPUs? Is this high interrupt load a problem with the driver, the hardware, FreeBSD itself, or is it something that is normal?

What hardware are other people using to firewall high-volume gigabit links?

-- 
Christopher Smith, Systems Administrator
Server Security Group, Information Technology Services
The University of Queensland, Brisbane, Australia, 4072
Ph +61 7 3365 4046 | email [EMAIL PROTECTED] | Fax +61 7 3365 4065