Re: IPFW Firewall Question

2008-12-05 Thread Polytropon
Often discussed and advised...

On Thu, 4 Dec 2008 16:26:04 -0800 (PST), G magicman [EMAIL PROTECTED] wrote:
 here is part of the configuration file so far that the Co-lo people put in.
 [...] 
 #!/usr/local/bin/bash

When possible, use the STANDARD form:

#!/bin/sh

Declare #!/usr/local/bin/bash only if you're intentionally
using BASH-specific functionality that SH doesn't include.
May save you lots of headache.



 2. short of a reboot how do you start stop and restart the  firewall

You can use ipfw's rc.d script:

# /etc/rc.d/ipfw start

# /etc/rc.d/ipfw stop

# /etc/rc.d/ipfw restart


Just a small note, but I hope it will help you.





-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW Firewall Question

2008-12-05 Thread Mel
On Friday 05 December 2008 01:26:04 G magicman wrote:

 Why because of the following:

 1. Hosts.access on FreeBSD works on the Application Layer instead of the
 Network Layer. Therefore hosts.allow/hosts.deny no longer works the way I
 want, and I do not feel like running Sendmail and sshd out of inetd, which
 apparently is the only way to be able to use hosts.allow/deny.

You're right about the application layer, but not about the rest. From 
sshd(8):
 /etc/hosts.allow
 /etc/hosts.deny
 Access controls that should be enforced by tcp-wrappers are
 defined here.  Further details are described in hosts_access(5).

 2. Next, OpenSSH does not have an AllowHosts directive like the Finnish one
 does; it only has an AllowUsers directive, so I need to protect the system
 from DDOS attacks

Again, see above.

 and hacking. I already tried to block things using the
 Sendmail access file, but all that did was choke up the server with moronic
 shit. And I want to be able to use my sftp program, but it opens random
 ports which cannot be controlled, so I need the clearaddresses to be able
 to see all ports.

For the firewall, pf user here, so others should help. ;)

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: IPFW Firewall Question

2008-12-05 Thread Steve Bertrand
G magicman wrote:
 1.  I need help to reconfigure my firewall on the server using BSD's ipfw

What part do you need to reconfigure?

 2. short of a reboot how do you start stop and restart the  firewall

Very, very carefully. Until I gained some extensive experience with
IPFW, I would wrap the firewall restart within a sleep/undo of some sort.

That said, now I use table(s) and set(s), so I can update rules without
having to restart the firewall entirely. Below is an example that will
also guide you in answering your next two questions. The man page and
Google will explain how to use tables and sets.

To answer your question however, depending on where your firewall script
is, simply execute it at the command line, like this:

# /etc/ipfw.rules 

 Here is what i want :
 
 1. I want all ports open to the IP addresses in line 4, clearaddresses
 2. I want to be able to control access to port 25 (sendmail) to be able to deny
   whole A, B and C addresses

#!/bin/sh

# Quote the multi-word commands, otherwise sh treats "flush=/sbin/ipfw"
# as a variable assignment prefixed to the command "-q".
flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw add"
table="/sbin/ipfw table"

$flush

# Tables

# Client/infrastructure IPs for allowing access

$table 1 add 208.70.104.0/21
$table 1 add 64.39.160.0/19
$table 1 add 67.158.64.0/20
#...etc

# SMTP ALLOWED OUTBOUND TABLE

$table 2 add 208.70.104.202/32
$table 2 add 208.70.104.203/32
$table 2 add 208.70.104.205/32
#...etc

# Block all inbound and outbound traffic for certain sites
# ...review periodically to see if they are still valid

$table 3 add 91.203.4.146/32   # phishing

# set 3 = specific deny/allow by ids
# set 4 = SSH access
# set 29 = for counting/testing traffic patterns
# set 30 = forwarding


# SET 3

# SQL
$cmd 2 set 3 deny all from any to any 1433,1434
# NetBIOS
$cmd 20100 set 3 allow tcp from 208.70.104.0/24 to 208.70.104.0/24 \
    135,139,445,593 keep-state
$cmd 20105 set 3 allow udp from 208.70.104.0/24 to 208.70.104.0/24 \
    135,139,445,593
$cmd 20110 set 3 deny all from any to any 135,139,445,593

# SET 4

$cmd 4 set 4 allow tcp from table(1) to any 22 keep-state
$cmd 40005 set 4 deny tcp from any to any 22

# SET 29

#$cmd 59000 set 29 count log logamount 100 tcp from any to any

# SET 30

$cmd 6 set 30 fwd 208.70.104.3,53 all from any to 209.167.16.10 53
$cmd 60005 set 30 fwd 208.70.106.59,53 all from any to 209.167.16.30 53

$cmd 64998 deny all from table(3) to any
$cmd 64999 deny all from any to table(3)

### end dummy ruleset

...if you want specific rule examples, just let me know.

The above does pretty much what you want it to do. I've purposely left
it up to you to do some further research. Tweaking a non-forgiving
firewall remotely is not something you want to learn the hard way.

The benefit of tables is that you can have one rule, but manually
add/remove specific addresses or prefixes on the fly without having to
reload the rule.

With sets, you can disable an entire block of rules, modify it, and
reload it without restarting IPFW and thereby destroying your existing
established rules.

Steve
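The table-and-set workflow Steve describes, as an added example in POSIX sh (this is not code from Steve's post or from FreeBSD's rc scripts). It assumes the ipfw(8) subcommands `table N flush`, `table N add`, `set disable`, `set enable`, `set swap` and `delete set`, and it reserves set 28 as a staging set, which is this script's own choice. Addresses are validated before they are handed to ipfw, and a set is rebuilt in the disabled staging set and then swapped into place, so the old rules stay in force until the swap and dynamic (keep-state) entries are never flushed. Setting `IPFW="echo ipfw"` prints the commands instead of running them, which is the dry run you want before touching a remote box.

```sh
#!/bin/sh
# Added example: reload an ipfw table or rule set without flushing the
# whole ruleset. Not code from the thread; set 28 as a staging set is an
# assumption of this script. Set IPFW="echo ipfw" to preview the commands
# instead of running them.
IPFW="${IPFW:-/sbin/ipfw -q}"
STAGING_SET=28   # must be a set your ruleset does not use; set 31 cannot be disabled

# valid_prefix A.B.C.D[/N]: accept only a dotted quad with an optional
# /0-32 mask, so a typo in an address list never reaches ipfw.
valid_prefix() {
    addr="${1%%/*}"
    mask="${1#*/}"
    [ "$mask" = "$1" ] && mask=32          # no slash: host route
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    oldIFS="$IFS"; IFS=.
    set -- $addr                           # split on dots into $1..$4
    IFS="$oldIFS"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# table_load NUM FILE: replace the contents of ipfw table NUM with the
# prefixes listed in FILE (one per line, '#' comments allowed). The whole
# file is validated before the table is touched, so a bad line aborts the
# reload instead of leaving the table half-loaded.
table_load() {
    num="$1"; file="$2"
    prefixes=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$file")
    for p in $prefixes; do
        valid_prefix "$p" || { echo "table_load: bad prefix '$p' in $file" >&2; return 1; }
    done
    $IPFW table "$num" flush
    for p in $prefixes; do
        $IPFW table "$num" add "$p"
    done
}

# set_reload NUM RULEFILE: rebuild rule set NUM atomically. Each line of
# RULEFILE is "RULENUMBER BODY", e.g. "40005 deny tcp from any to any 22".
# The rules go into the disabled staging set, which is then swapped with
# the live set; the old rules are deleted only after the swap.
set_reload() {
    num="$1"; rules="$2"
    [ "$num" -ne "$STAGING_SET" ] || { echo "set_reload: set $STAGING_SET is reserved for staging" >&2; return 1; }
    $IPFW set disable "$STAGING_SET"
    $IPFW delete set "$STAGING_SET"
    while read -r rulenum body; do
        case "$rulenum" in ''|\#*) continue ;; esac   # skip blank and comment lines
        $IPFW add "$rulenum" set "$STAGING_SET" $body
    done < "$rules"
    $IPFW set swap "$STAGING_SET" "$num"
    $IPFW set enable "$num"
    $IPFW delete set "$STAGING_SET"
}

# usage (paths are placeholders):
#   table_load 1 /etc/ipfw/table1.txt
#   set_reload 4 /etc/ipfw/set4.rules
```

One caveat worth knowing before relying on `table_load`: between the `flush` and the last `add` the table is briefly empty. For an allow table such as table 1 above that window is fail-closed (a few SSH connects are refused); for a deny table such as table 3 it is fail-open, so for blocklists add the new entries first and delete the stale ones afterwards instead of flushing.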


Re: IPFW Firewall Question

2008-12-05 Thread G magicman


I have tried this; it did not work, and the Co-Lo people are convinced that sshd
and sendmail need to be run out of inetd.conf for this to work.

As I said, I am used to BSDI and the Finnish SSHD.

Also, here they are using the combined hosts.allow/deny with the deny inside,
which I never liked.
Thank you for your help on this.


Garrett

--- On Fri, 12/5/08, Mel [EMAIL PROTECTED] wrote:
From: Mel [EMAIL PROTECTED]
Subject: Re: IPFW Firewall Question
To: freebsd-questions@freebsd.org, [EMAIL PROTECTED]
Date: Friday, December 5, 2008, 6:02 AM

On Friday 05 December 2008 01:26:04 G magicman wrote:

 Why because of the following:

 1. Hosts.access on FreeBSD works on the Application Layer instead of the
 Network Layer. Therefore hosts.allow/hosts.deny no longer works the way I
 want, and I do not feel like running Sendmail and sshd out of inetd, which
 apparently is the only way to be able to use hosts.allow/deny.

You're right about the application layer, but not about the rest. From 
sshd(8):
 /etc/hosts.allow
 /etc/hosts.deny
 Access controls that should be enforced by tcp-wrappers are
 defined here.  Further details are described in hosts_access(5).

 2. Next, OpenSSH does not have an AllowHosts directive like the Finnish one
 does; it only has an AllowUsers directive, so I need to protect the system
 from DDOS attacks

Again, see above.

 and hacking. I already tried to block things using the
 Sendmail access file, but all that did was choke up the server with moronic
 shit. And I want to be able to use my sftp program, but it opens random
 ports which cannot be controlled, so I need the clearaddresses to be able
 to see all ports.

For the firewall, pf user here, so others should help. ;)

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.