Re: Firewall, blocking POP3
At 07:18 PM 5/30/2012, Robert Bonomi wrote:

> From jbiq...@intranet.com.mx Wed May 30 13:48:05 2012
> Date: Wed, 30 May 2012 13:47:34 -0500
> To: Robert Bonomi bon...@mail.r-bonomi.com
> From: Jorge Biquez jbiq...@intranet.com.mx
> Subject: Re: Firewall, blocking POP3
> Cc: freebsd-questions@freebsd.org
>
>> Hello. Thanks a lot! Simple and elegant solution. I just did that and of course it worked. I was just wondering... what if I need to have the service working BUT want to block those break-in attempts? In this and other services? My guess is that it is a never-ending process? I mean, block one, block another, another, etc.?
>
> If one knows the address blocks that legitimate customers will be using, one can block off access from 'everywhere else'.
>
>> What are the people who have big servers running for hosting services doing? Or do you just have a policy of strong passwords, server up to date, and let the attempts go on forever?
>
> There are tools like 'fail2ban' that can be used to lock out persistent doorknob-rattlers.
>
> Also, one can do things like allow mail access (POP, IMAP, 'whatever') only via a port that is 'tunneled' through an SSH/SSL connection. This eliminates almost all doorknob rattling on the mail access ports, but gets lots of attempts on the SSH port. Which is generally not a problem, since the SSH keyspace is vastly larger, and more evenly distributed, than that for plaintext passwords.
>
> To eliminate virtually all the 'noise' from SSH doorknob-rattling, run it on a non-standard port. This does =not= increase the actual security of the system, but it does greatly reduce the 'noise' in the logs -- so any actual attack attempt is much more obvious.

You can use /etc/hosts.allow to list your friendly IPs allowed by protocol. This provides an easy way to block all foreign users. You can use wildcards in this file, so if you need to allow users in for POP access from an ISP, you can do that.

Also, if you do have a wide array of addresses you need to let in, you may want to put the email services in a jail.

-Derek

___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Firewall, blocking POP3
> From owner-freebsd-questi...@freebsd.org Wed May 30 13:16:37 2012
> Date: Wed, 30 May 2012 13:08:30 -0500
> To: freebsd-questions@freebsd.org
> From: Jorge Biquez jbiq...@intranet.com.mx
> Cc:
> Subject: Firewall, blocking POP3
>
> Hello all. I am sorry if the question is too basic. I have a personal small machine running FreeBSD 7.3-PRERELEASE #0. It runs as my web and email server for a couple of domains. NO clients, no other users have access to it. Is there any easy/faster way to stop POP3 from working? I am running qpopper to be able to download emails. I decided to use sendmail since only a few accounts are there and I do not need more, but in the last days the server has been under a big attack where people are trying to guess users and passwords. I am using a strong schema of passwords so no problem on that, but I'd rather be sure.

The mail -server- you use is irrelevant to how users retrieve mail. You can use sendmail and qpopper, or sendmail and an IMAP server, or sendmail and a webmail app, or postfix and qpopper, or exim and qpopper, etc.

All you have to do to disable qpopper is comment out the line in /etc/inetd.conf, and SIGHUP inetd. To re-enable when you need it, uncomment the line, and SIGHUP inetd again.
Re: Firewall, blocking POP3
Hello. Thanks a lot! Simple and elegant solution. I just did that and of course it worked. I was just wondering... what if I need to have the service working BUT want to block those break-in attempts? In this and other services? My guess is that it is a never-ending process? I mean, block one, block another, another, etc.?

What are the people who have big servers running for hosting services doing? Or do you just have a policy of strong passwords, server up to date, and let the attempts go on forever?

Thanks for the solution Mr Robert.

Jorge Biquez

At 01:32 p.m. 30/05/2012, Robert Bonomi wrote:

>> From owner-freebsd-questi...@freebsd.org Wed May 30 13:16:37 2012
>> Date: Wed, 30 May 2012 13:08:30 -0500
>> To: freebsd-questions@freebsd.org
>> From: Jorge Biquez jbiq...@intranet.com.mx
>> Cc:
>> Subject: Firewall, blocking POP3
>>
>> Hello all. I am sorry if the question is too basic. I have a personal small machine running FreeBSD 7.3-PRERELEASE #0. It runs as my web and email server for a couple of domains. NO clients, no other users have access to it. Is there any easy/faster way to stop POP3 from working? I am running qpopper to be able to download emails. I decided to use sendmail since only a few accounts are there and I do not need more, but in the last days the server has been under a big attack where people are trying to guess users and passwords. I am using a strong schema of passwords so no problem on that, but I'd rather be sure.
>
> The mail -server- you use is irrelevant to how users retrieve mail. You can use sendmail and qpopper, or sendmail and an IMAP server, or sendmail and a webmail app, or postfix and qpopper, or exim and qpopper, etc.
>
> All you have to do to disable qpopper is comment out the line in /etc/inetd.conf, and SIGHUP inetd. To re-enable when you need it, uncomment the line, and SIGHUP inetd again.
Re: Firewall, blocking POP3
See /usr/ports/security/py-fail2ban (http://www.fail2ban.org/). Used in conjunction with FreeBSD's ipfw or pf firewall facility, you can ban an attacking IP address for a set period of time after a configurable number of failed attempts. Fail2ban watches your log files for you and then triggers some sort of action -- which can really be anything you can conceive of.

Patrick

On Wed, May 30, 2012 at 11:47 AM, Jorge Biquez jbiq...@intranet.com.mx wrote:

> Hello. Thanks a lot! Simple and elegant solution. I just did that and of course it worked. I was just wondering... what if I need to have the service working BUT want to block those break-in attempts? In this and other services? My guess is that it is a never-ending process? I mean, block one, block another, another, etc.?
>
> What are the people who have big servers running for hosting services doing? Or do you just have a policy of strong passwords, server up to date, and let the attempts go on forever?
>
> Thanks for the solution Mr Robert.
>
> Jorge Biquez
>
> At 01:32 p.m. 30/05/2012, Robert Bonomi wrote:
>
>>> From owner-freebsd-questi...@freebsd.org Wed May 30 13:16:37 2012
>>> Date: Wed, 30 May 2012 13:08:30 -0500
>>> To: freebsd-questions@freebsd.org
>>> From: Jorge Biquez jbiq...@intranet.com.mx
>>> Cc:
>>> Subject: Firewall, blocking POP3
>>>
>>> Hello all. I am sorry if the question is too basic. I have a personal small machine running FreeBSD 7.3-PRERELEASE #0. It runs as my web and email server for a couple of domains. NO clients, no other users have access to it. Is there any easy/faster way to stop POP3 from working? I am running qpopper to be able to download emails. I decided to use sendmail since only a few accounts are there and I do not need more, but in the last days the server has been under a big attack where people are trying to guess users and passwords. I am using a strong schema of passwords so no problem on that, but I'd rather be sure.
>>
>> The mail -server- you use is irrelevant to how users retrieve mail. You can use sendmail and qpopper, or sendmail and an IMAP server, or sendmail and a webmail app, or postfix and qpopper, or exim and qpopper, etc.
>>
>> All you have to do to disable qpopper is comment out the line in /etc/inetd.conf, and SIGHUP inetd. To re-enable when you need it, uncomment the line, and SIGHUP inetd again.
Re: Firewall, blocking POP3
> From jbiq...@intranet.com.mx Wed May 30 13:48:05 2012
> Date: Wed, 30 May 2012 13:47:34 -0500
> To: Robert Bonomi bon...@mail.r-bonomi.com
> From: Jorge Biquez jbiq...@intranet.com.mx
> Subject: Re: Firewall, blocking POP3
> Cc: freebsd-questions@freebsd.org
>
> Hello. Thanks a lot! Simple and elegant solution. I just did that and of course it worked. I was just wondering... what if I need to have the service working BUT want to block those break-in attempts? In this and other services? My guess is that it is a never-ending process? I mean, block one, block another, another, etc.?

If one knows the address blocks that legitimate customers will be using, one can block off access from 'everywhere else'.

> What are the people who have big servers running for hosting services doing? Or do you just have a policy of strong passwords, server up to date, and let the attempts go on forever?

There are tools like 'fail2ban' that can be used to lock out persistent doorknob-rattlers.

Also, one can do things like allow mail access (POP, IMAP, 'whatever') only via a port that is 'tunneled' through an SSH/SSL connection. This eliminates almost all doorknob rattling on the mail access ports, but gets lots of attempts on the SSH port. Which is generally not a problem, since the SSH keyspace is vastly larger, and more evenly distributed, than that for plaintext passwords.

To eliminate virtually all the 'noise' from SSH doorknob-rattling, run it on a non-standard port. This does =not= increase the actual security of the system, but it does greatly reduce the 'noise' in the logs -- so any actual attack attempt is much more obvious.
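Patrick's pointer to py-fail2ban and Robert's mention of it above both describe the same mechanism: watch the daemon's log, count failures per source address inside a time window, and push the offender into a firewall table. The script below is an added example written for this page, not code from the thread and not fail2ban's own code. It assumes a qpopper-style syslog line ("Failed attempted login to USER from host IP"; the SAMPLE_LOG lines are constructed), a pf table named "brute" or ipfw table 1 as the ban target, and a findtime/maxretry pair like fail2ban's; every one of those is an assumption to adjust for your daemon and ruleset.

```python
"""Added example (not code from the thread or from fail2ban itself): the
core of what fail2ban does for a POP3 daemon, as a standalone script.

Assumptions, none of which come from the thread:
  * qpopper logs through syslog to /var/log/messages and a failed login
    looks like the constructed SAMPLE_LOG lines below; adjust FAIL_RE for
    your daemon (dovecot, cyrus, ...) if the wording differs.
  * Bans go into a pf table called "brute" (pfctl -t brute -T add) or
    ipfw table 1 (ipfw table 1 add); ban_commands() only builds the
    argument vectors, apply_bans() is what would run them as root.
"""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format:
#   "<syslog ts> <host> popper[<pid>]: Failed attempted login to <user> from host <ip>"
FAIL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"popper\[\d+\]: Failed attempted login to (?P<user>\S+) from host (?P<ip>[0-9A-Fa-f.:]+)$"
)

MAXRETRY = 5                        # fail2ban's "maxretry"
FINDTIME = timedelta(minutes=10)    # fail2ban's "findtime"
LOG_YEAR = 2012                     # syslog lines carry no year; the sample is from May 2012


def parse_failure(line, year=LOG_YEAR):
    """Return (timestamp, ip, user) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, whitelist=()):
    """Sliding-window counter per source IP: an IP is banned at the moment
    its maxretry-th failure lands inside a findtime window.  Returns
    {ip: time_of_ban}.  Whitelisted IPs (your own networks) are never banned."""
    recent = defaultdict(deque)     # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                # success lines, stats lines, other daemons
        ts, ip, _user = parsed
        if ip in whitelist or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()        # drop failures that aged out of the window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_commands(banned, backend="pf"):
    """Argument vectors that would add each banned IP to the firewall table."""
    if backend == "pf":
        return [["pfctl", "-t", "brute", "-T", "add", ip] for ip in sorted(banned)]
    if backend == "ipfw":
        return [["ipfw", "table", "1", "add", ip] for ip in sorted(banned)]
    raise ValueError(f"unknown backend {backend!r}")


def apply_bans(banned, backend="pf", run=subprocess.run):
    """Run the ban commands (needs root); `run` is injectable for testing."""
    for cmd in ban_commands(banned, backend):
        run(cmd, check=True)


# Constructed sample log: one brute-forcer (203.0.113.7), one user who
# mistyped twice (198.51.100.9), and a slow guesser (192.0.2.5) whose
# failures are 7 minutes apart and so never add up inside a 10-minute window.
SAMPLE_LOG = """\
May 30 13:40:01 mail popper[2201]: Failed attempted login to bob from host 203.0.113.7
May 30 13:40:05 mail popper[2202]: Failed attempted login to alice from host 203.0.113.7
May 30 13:40:09 mail popper[2203]: Failed attempted login to admin from host 203.0.113.7
May 30 13:40:13 mail popper[2204]: Failed attempted login to test from host 203.0.113.7
May 30 13:41:02 mail popper[2205]: Failed attempted login to root from host 203.0.113.7
May 30 13:41:30 mail popper[2206]: Failed attempted login to bob from host 198.51.100.9
May 30 13:42:00 mail popper[2207]: Failed attempted login to bob from host 198.51.100.9
May 30 13:42:15 mail popper[2208]: Stats: bob 0 0 3 12345 198.51.100.9 mail.example.net
May 30 13:50:00 mail popper[2210]: Failed attempted login to carol from host 192.0.2.5
May 30 13:57:00 mail popper[2211]: Failed attempted login to carol from host 192.0.2.5
May 30 14:04:00 mail popper[2212]: Failed attempted login to carol from host 192.0.2.5
May 30 14:11:00 mail popper[2213]: Failed attempted login to carol from host 192.0.2.5
May 30 14:18:00 mail popper[2214]: Failed attempted login to carol from host 192.0.2.5
"""

if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG.splitlines())
    for ip, when in bans.items():
        print(f"ban {ip} (5th failure at {when:%H:%M:%S})")
    for cmd in ban_commands(bans):
        print(" ".join(cmd))
```

For the pf backend the table has to exist and be referenced in pf.conf (`table <brute> persist` and a `block in quick from <brute>` rule before the pass rules), otherwise `pfctl -t brute -T add` succeeds but blocks nothing; fail2ban's own pf action has the same requirement. The slow guesser in the sample shows the limit of a findtime window: spread the attempts out and the counter never trips, which is why the thread's other advice (restricting source networks in hosts.allow, or moving POP behind SSH) still matters.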
Re: Firewall with bridged interfaces and captive portal
Olivier Nicole wrote:

>>> I need to implement a firewall with bridged interfaces that offers captive portal (authentication before opening the traffic).
>>
>> We are using a combination of squid+ipfw. Although we are NATing the users, that really just introduces needless complexity that could be avoided with a bridging solution. Our web-app/captive portal/authentication program is written in-house; it's very tightly integrated with several existing pieces of infrastructure. I don't know if there are any solutions that will work out-of-the-box. I can get you more technical details if this is a direction you'd be interested in moving.
>
> Long time ago I have been toying with ipf (for the general firewall) and NoCat+ipfw for the captive portal. But that did not work too well, so any technical information will be appreciated :)
>
> My long term vision is a quite integrated thing, where users that read their email and authenticate to POP3/IMAP would be granted the access without the need to authenticate to the web portal.

Hi,

Sorry it's taken a while to get back to you on this.

You're going to want to get squid up and running as a transparent proxy. You will probably want to write a redirect script [1]. Mine checks against a small set of always-authorized URLs that squid is allowed to proxy for; any other HTTP request will receive a redirect:

    printf "302:%s%s\n" "${default_url}" "$suffix"

The URL points to the webserver running on the aux-router (as we call it). The www user has passwordless sudo rules that allow the web code to call scripts for adding and removing a client to and from ipfw tables [2].

You're also going to need to get ipfw to play with bridging. For this, you'll need to `sysctl -w net.link.bridge.ipfw=1` [3].

The portion of your ruleset is going to look something like this:

    TABLE_AUTH='table(10)'
    $cmd allow all from $TABLE_AUTH to any bridged
    $cmd allow all from any to $TABLE_AUTH bridged
    $cmd fwd 127.0.0.1,3128 tcp from $MY_SUBNET to any http bridged
    $cmd deny all from any to any bridged

NB: you may need IPFIREWALL_FORWARD enabled to get full use of the fwd action.

You'll also probably need to poke holes for or deal with DNS, any remote webserver your authentication process may require access to, etc.

Also note, I haven't actually done this with bridging, so your mileage may vary.

I found 2 tools to be invaluable when working on this project:

1) tcpdump (use -i for interface, and watch the traffic in order to profile exactly what you need to allow, fwd, etc.).

2) ipfw logging. I found that on any deny rule, especially when troubleshooting, I'd do something like:

    $cmd deny log logamount 0 all from any to any bridged

Or, just as useful, but you can stick anywhere in the middle without affecting packet flow:

    $cmd count log logamount 0 all from any to any bridged

NB: AFAIK, requires kernel option IPFIREWALL_VERBOSE

I might be able to give you some more pointers if you get stumped, but I hope this helps you get well on your way.

[1] http://wiki.squid-cache.org/SquidFaq/SquidRedirectors
[2] ipfw(8) /LOOKUP TABLES
[3] ipfw(8) /PACKET FLOW

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Firewall with bridged interfaces and captive portal
Olivier Nicole wrote:

> I need to implement a firewall with bridged interfaces that offers captive portal (authentication before opening the traffic).
>
> [...]
>
> Is there any solution that exists? I looked at pfSense, but captive portal does not work on bridged interfaces; it's one or the other.
>
> Any other suggestion?

Hello,

We are using a combination of squid+ipfw. Although we are NATing the users, that really just introduces needless complexity that could be avoided with a bridging solution. Our web-app/captive portal/authentication program is written in-house; it's very tightly integrated with several existing pieces of infrastructure. I don't know if there are any solutions that will work out-of-the-box. I can get you more technical details if this is a direction you'd be interested in moving.

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Firewall with bridged interfaces and captive portal
Hi Chris,

>> I need to implement a firewall with bridged interfaces that offers captive portal (authentication before opening the traffic).
>
> We are using a combination of squid+ipfw. Although we are NATing the users, that really just introduces needless complexity that could be avoided with a bridging solution. Our web-app/captive portal/authentication program is written in-house; it's very tightly integrated with several existing pieces of infrastructure. I don't know if there are any solutions that will work out-of-the-box. I can get you more technical details if this is a direction you'd be interested in moving.

Long time ago I have been toying with ipf (for the general firewall) and NoCat+ipfw for the captive portal. But that did not work too well, so any technical information will be appreciated :)

My long term vision is a quite integrated thing, where users that read their email and authenticate to POP3/IMAP would be granted the access without the need to authenticate to the web portal.

Best regards,

Olivier
Re: Firewall with bridged interfaces and captive portal
Olivier Nicole wrote:

> Hi Chris,
>
>>> I need to implement a firewall with bridged interfaces that offers captive portal (authentication before opening the traffic).
>>
>> We are using a combination of squid+ipfw. Although we are NATing the users, that really just introduces needless complexity that could be avoided with a bridging solution. Our web-app/captive portal/authentication program is written in-house; it's very tightly integrated with several existing pieces of infrastructure. I don't know if there are any solutions that will work out-of-the-box. I can get you more technical details if this is a direction you'd be interested in moving.
>
> Long time ago I have been toying with ipf (for the general firewall) and NoCat+ipfw for the captive portal. But that did not work too well, so any technical information will be appreciated :)
>
> My long term vision is a quite integrated thing, where users that read their email and authenticate to POP3/IMAP would be granted the access without the need to authenticate to the web portal.

For squid have a look at the option auth_param. You are able to use your own authorisation app/script that can check all kinds of places to see if that IP is allowed access.

For example I have a client that has samba on his transparent proxy. Each user has a drive letter mapped to that share. The script defined by auth_param just greps the IP from 'smbstatus -p' and uses the username with that IP to tell squid what user it is for the logs.

There would be nothing to stop the script checking ipfw to see if there are rules for that IP to allow access and then, if there aren't, adding them.

To remove the ipfw rules you could have a cron script that checks the last packet time (using -t or -T) and if it's over a certain time then remove it (preferably with the checking of where you got the initial check to see if the user is valid or not).

HTH

cya

Andrew

> Best regards,
>
> Olivier
Re: firewall rules for bitlord, yahoo, limewire
On Thu, 27 Nov 2008 12:07:50 +0100 (CET) Wojciech Puchar [EMAIL PROTECTED] wrote:

>> Yeah. Limewire is written in Java (iirc), which makes it extremely easy to port it to any system that can run java.
>
> for P2P sharing rtorrent (/usr/ports/net-p2p/rtorrent) works excellent

if you only want BT ... didn't know rtorrent supported gnutella...

-- 
{Beto|Norberto|Numard} Meijome

I abhor a system designed for the 'user', if that word is a coded pejorative meaning 'stupid and unsophisticated'.
Ken Thompson

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
Re: firewall rules for bitlord, yahoo, limewire
On Wed, 26 Nov 2008 23:25:21 -0600 Andrew Gould [EMAIL PROTECTED] wrote:

> The Limewire website says it has versions for Windows, Mac OS X, Linux and others, including OS/2 and Solaris.

furthermore, you can just download the source and make it run from within Eclipse (with some tweaks regarding the GUI toolkit...)

B

-- 
{Beto|Norberto|Numard} Meijome

Ugly programs are like ugly suspension bridges: they're much more liable to collapse than pretty ones, because the way humans (especially engineer-humans) perceive beauty is intimately related to our ability to process and understand complexity. A language that makes it hard to write elegant code makes it hard to write good code.
Eric Raymond

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
Re: firewall rules for bitlord, yahoo, limewire
>> because historically ISPs used those ports for throttling.
>
> +1. skype does the same thing, and it's p2p too, although a lot less so than limewire.

well, there are excellent methods to block skype when using an HTTP proxy, not NAT ;) (skype can go through a proxy)
Re: firewall rules for bitlord, yahoo, limewire
> Yeah. Limewire is written in Java (iirc), which makes it extremely easy to port it to any system that can run java.

for P2P sharing rtorrent (/usr/ports/net-p2p/rtorrent) works excellent
Re: firewall rules for bitlord, yahoo, limewire
Fbsd1 [EMAIL PROTECTED] wrote:

> These applications have predefined ports they use to start up the bi-directional packet conversation. But then unsolicited packets come in from other PC nodes to share data using a wide range of high port numbers. IPFW, IPF, and PF don't seem to have a rule option to allow packets in/out based on the program name that started the conversation. I thought I read in the OpenBSD pf manual that pf state processing will allow applications like limewire to function normally by accepting the inbound high-number port to pass through the firewall. I have an inclusive firewall rule set, which means only packets matching the rules are passed through. The inbound high port numbers are blocked by design. How do other firewall users code rules to allow limewire to work?

Hmmm. Isn't life interesting. I would like to know how to block them and others without causing strange secondary problems. Actually a default pf configuration will let them pass unless I'm forgetting something important.

ed
Re: firewall rules for bitlord, yahoo, limewire
On Wed, 26 Nov 2008 21:40:27 +0800 Fbsd1 [EMAIL PROTECTED] wrote:

> I have an inclusive firewall rule set, which means only packets matching the rules are passed through. The inbound high port numbers are blocked by design. How do other firewall users code rules to allow limewire to work?

I don't use limewire, but for other p2p I define pf macros that list the udp and tcp ports and explicitly allow incoming connections. If you want to know what ports an application is listening on try sockstat -l. I wouldn't expose them without tracking down what they do though, in case they are http, telnet, etc.
Re: firewall rules for bitlord, yahoo, limewire
On Wed, Nov 26, 2008 at 8:13 AM, [EMAIL PROTECTED] wrote:

> Hmmm. Isn't life interesting. I would like to know how to block them and others without causing strange secondary problems. Actually a default pf configuration will let them pass unless I'm forgetting something important.
>
> ed

I share your pain, Ed. I've had to perform 3 complete re-installations of computers in my household in the last year. Each time, I found a .limewire file in a user's application folder. The boys are now banned from my wife's computer. When the last culprit gets his computer back, he will find it running an operating system that is not supported by Limewire. The next time, he'll get it back without a network card.

Andrew
Re: firewall rules for bitlord, yahoo, limewire
Andrew Gould [EMAIL PROTECTED] wrote:

> On Wed, Nov 26, 2008 at 8:13 AM, [EMAIL PROTECTED] wrote:
>
>> Hmmm. Isn't life interesting. I would like to know how to block them and others without causing strange secondary problems. Actually a default pf configuration will let them pass unless I'm forgetting something important.
>>
>> ed
>
> I share your pain, Ed. I've had to perform 3 complete re-installations of computers in my household in the last year. Each time, I found a .limewire file in a user's application folder. The boys are now banned from my wife's computer. When the last culprit gets his computer back, he will find it running an operating system that is not supported by Limewire. The next time, he'll get it back without a network card.
>
> Andrew

:)

I understand. Hopefully someone has a reasonably efficient pf or ipfw based solution. If it cuts some of the Microsoft traffic that I am seeing much more of recently, I won't complain either. I have tried to control them by IPs and by domain names with limited success. Too many Windows boxes at the office.

have a great day,

ed
Re: firewall rules for bitlord, yahoo, limewire
sorry for asking but what are these limewire programs?
Re: firewall rules for bitlord, yahoo, limewire
On Wed, Nov 26, 2008 at 10:42 AM, Wojciech Puchar [EMAIL PROTECTED] wrote:

> sorry for asking but what are these limewire programs?

My unofficial take on it is that limewire is a peer-to-peer sharing application used by Windows, Mac OS X and Linux users to share files, usually music, often copyrighted, over the internet. It is one of the fastest, most effective ways to spread viruses, trojans, spyware, etc. The program does not use fixed ports, so the services are hard to block. In essence, the program gets the user to bypass security measures from the inside.

If I am incorrect in my technical assessment, I welcome a correction.

When people ask my advice about computers, I always include: Never use Limewire, or anything like it.

Andrew
Re: firewall rules for bitlord, yahoo, limewire
[EMAIL PROTECTED] writes:

> Andrew Gould [EMAIL PROTECTED] wrote:
>
>> On Wed, Nov 26, 2008 at 8:13 AM, [EMAIL PROTECTED] wrote:
>>
>>> Hmmm. Isn't life interesting. I would like to know how to block them and others without causing strange secondary problems. Actually a default pf configuration will let them pass unless I'm forgetting something important.
>>>
>>> ed
>>
>> I share your pain, Ed. I've had to perform 3 complete re-installations of computers in my household in the last year. Each time, I found a .limewire file in a user's application folder. The boys are now banned from my wife's computer. When the last culprit gets his computer back, he will find it running an operating system that is not supported by Limewire. The next time, he'll get it back without a network card.
>>
>> Andrew
>
> :)
>
> I understand. Hopefully someone has a reasonably efficient pf or ipfw based solution. If it cuts some of the Microsoft traffic that I am seeing much more of recently, I won't complain either. I have tried to control them by IPs and by domain names with limited success. Too many Windows boxes at the office.

Regardless of what you do to control the unwanted applications, I'd be monitoring the traffic on the network as well. I don't put many limits on what my kid can do on the network, but he knows I'm looking over his shoulder. Virtually speaking.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: firewall rules for bitlord, yahoo, limewire
On Wed, 26 Nov 2008 10:54:43 -0600 Andrew Gould [EMAIL PROTECTED] wrote:

> On Wed, Nov 26, 2008 at 10:42 AM, Wojciech Puchar [EMAIL PROTECTED] wrote:
>
>> sorry for asking but what are these limewire programs?
>
> My unofficial take on it is that limewire is a peer-to-peer sharing application used by Windows, Mac OS X and Linux users to share files, usually music, often copyrighted, over the internet. It is one of the fastest, most effective ways to spread viruses, trojans, spyware, etc.

Is this your FreeBSD POV or more windows oriented?

> The program does not use fixed ports, so the services are hard to block. In essence, the program gets the user to bypass security measures from the inside.

I have never needed a block on limewire. Firstly, all main computers run solaris and therefore also limewire on solaris, and secondly, all windows machines are virtual. So -IF- one of them is infected I just put back a recent snapshot ;-)

> If I am incorrect in my technical assessment, I welcome a correction.

Personally I'm not infected on windows machines recently by any limewire connections. But ymmv.

> When people ask my advice about computers, I always include: Never use Limewire, or anything like it.

You can also say: use them but don't connect them to the net. I know, I'm cynical here, but limewire is not all bad!

-- 
Dick Hoogendijk -- PGP/GnuPG key: 01D2433D
+ http://nagual.nl/ | SunOS sxce snv101 ++
+ All that's really worth doing is what we do for others (Lewis Carrol)
Re: firewall rules for bitlord, yahoo, limewire
On Wed, 26 Nov 2008 10:54:43 -0600 Andrew Gould [EMAIL PROTECTED] wrote:

> On Wed, Nov 26, 2008 at 10:42 AM, Wojciech Puchar [EMAIL PROTECTED] wrote:
>
>> sorry for asking but what are these limewire programs?
>
> My unofficial take on it is that limewire is a peer-to-peer sharing application used by Windows, Mac OS X and Linux users to share files, usually music, often copyrighted, over the internet.

It's a Gnutella client written in Java.

> It is one of the fastest, most effective ways to spread viruses, trojans, spyware, etc. The program does not use fixed ports, so the services are hard to block. In essence, the program gets the user to bypass security measures from the inside.

There's nothing remarkable about that; no p2p filesharing application uses fixed ports. Some have default ports, but they are widely ignored because historically ISPs used those ports for throttling.

> When people ask my advice about computers, I always include: Never use Limewire, or anything like it.

They are as dangerous as you want to make them. I've been using bittorrent and eD2k for years and have never seen a single virus, trojan etc. I've seen a few on USENET but they've always been laughably obvious. People that end up with that kind of thing are normally actively seeking executables.

If anyone wants to discuss p2p blocking I'd suggest you start a new thread.
Re: firewall rules for bitlord, yahoo, limewire
dick hoogendijk wrote:

> I know, I'm cynical here, but limewire is not all bad!

...and, BTW, a Limewire port is readily available for FreeBSD: http://cvsweb.freebsd.org/ports/net-p2p/limewire

"LimeWire is a fast, easy-to-use file sharing program that contains no spyware, adware or other bundled software. Compatible with all major platforms and running over the Gnutella network, LimeWire's open source code http://www.limewire.org/, is freely available to the public and developed in part by a devoted programmer community..." http://www.limewire.com/about/

Greetings!

O.K.
Re: firewall rules for bitlord, yahoo, limewire
> My unofficial take on it is that limewire is a peer-to-peer sharing application used by Windows, Mac OS X and Linux users to share files, usually music, often copyrighted, over the internet. It is one of the fastest, most effective ways to spread viruses, trojans, spyware, etc.

that's my client's problem not mine ;) viruses don't work under FreeBSD.

> The program does not use fixed ports, so the services are hard to block. In

as all my LANs use nat, and i actually don't want to block it, i use natd with lots of redirect_port options. i give 3 ports to every user; most of those programs allow you to specify what ports are 1:1 mapped to outside. at least bittorrent compatible things.

torrent-compatible P2P programs are the most usable of them. IMHO the only usable ones.
Re: firewall rules for bitlord, yahoo, limewire
> When people ask my advice about computers, I always include: Never use Limewire, or anything like it.

just downloading/sharing files allows you to download viruses, but it's up to you to run them. well, unless the P2P program is really broken, or you are sharing executables. for sharing movies, pictures, music there is no danger. or maybe there is, i don't know windoze bugs, maybe its movie/music players have bugs that allow running code from a somehow prepared mp3 ;)
Re: firewall rules for bitlord, yahoo, limewire
dick hoogendijk wrote:

>> My unofficial take on it is that limewire is a peer-to-peer sharing application used by Windows, Mac OS X and Linux users to share files, usually music, often copyrighted, over the internet. It is one of the fastest, most effective ways to spread viruses, trojans, spyware, etc.
>
> Is this your FreeBSD POV or more windows oriented?
>
>> The program does not use fixed ports, so the services are hard to block. In essence, the program gets the user to bypass security measures from the inside.
>
> I have never needed a block on limewire. Firstly, all main computers run solaris and therefore also limewire on solaris and secondly, all windows machines are virtual. So -IF- one of them is infected I just put a recent snapshot ;-)

Limewire is a windows only application. So how can you say it runs on solaris which is a flavor of Unix?
Re: firewall rules for bitlord, yahoo, limewire
On Wed, 26 Nov 2008 09:28:49 -0600 Andrew Gould [EMAIL PROTECTED] wrote:

> When the last culprit gets his computer back, he will find it running an operating system that is not supported by Limewire.

DOS 6.0 ? :P it's java...

> The next time, he'll get it back without a network card.

ouch, that's evil :D

_
{Beto|Norberto|Numard} Meijome

"Unix gives you just enough rope to hang yourself -- and then a couple of more feet, just to be sure." Eric Allman

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
Re: firewall rules for bitlord, yahoo, limewire
On Wed, 26 Nov 2008 18:52:16 + RW [EMAIL PROTECTED] wrote:

[..]

>> It is one of the fastest, most effective ways to spread viruses, trojans, spyware, etc. The program does not use fixed ports, so the services are hard to block. In essence, the program gets the user to bypass security measures from the inside.
>
> There's nothing remarkable about that, no p2p filesharing application uses fixed ports. Some have default ports, but they are widely ignored because historically ISPs used those ports for throttling.

+1 . skype does the same thing. and it's p2p too, although a lot less so than limewire.

>> When people ask my advice about computers, I always include: Never use Limewire, or anything like it.
>
> They are as dangerous as you want to make them, I've been using bittorrent and eD2k for years and have never seen a single virus, trojan etc. I've seen a few on USENET but they've always been laughably obvious. People that end up with that kind of thing are normally actively seeking executables.

+1 - just the usual job of keeping an ear out for security holes (including those in your users' behaviour :P)

_
{Beto|Norberto|Numard} Meijome

"Always do right. This will gratify some and astonish the rest." Mark Twain
Re: firewall rules for bitlord, yahoo, limewire
Fbsd1 wrote:

[snip]

> Limewire is a windows only application. So how can you say it runs on solaris which is a flavor of Unix?

Limewire is a Java program. It will run on any platform which has a working Java run time environment installed. It is definitely not Windows only.

-Jason
Re: firewall rules for bitlord, yahoo, limewire
On Wed, 26 Nov 2008 21:40:27 +0800 Fbsd1 [EMAIL PROTECTED] wrote:

> I have an inclusive firewall rule set which means only packets matching the rules are passed through. The inbound high port numbers are blocked by design. How do other firewall users code rules to allow limewire to work?

Hi,

i think there are a few interesting posts in this thread (and several corrections about p2p 'evilness', which is good :P).

A thread that may be of interest was started on net@ earlier in the year - look for:

From: Mike Makonnen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Application layer classifier for ipfw
Date: Thu, 31 Jul 2008 13:02:29 +0300

- it refers to ipfw, not pf.
- I think there was at least another thread following up on this with working code, etc.

of course, DPI-style checks won't work (at all, or in a scalable fashion) as soon as users start encrypting their packets :P

b

_
{Beto|Norberto|Numard} Meijome

"I didn't attend the funeral, but I sent a nice letter saying I approved of it." Mark Twain
Re: firewall rules for bitlord, yahoo, limewire
On Wed, Nov 26, 2008 at 6:40 PM, Fbsd1 [EMAIL PROTECTED] wrote:

> dick hoogendijk wrote:
>
>>> My unofficial take on it is that limewire is a peer-to-peer sharing application used by Windows, Mac OS X and Linux users to share files, usually music, often copyrighted, over the internet. It is one of the fastest, most effective ways to spread viruses, trojans, spyware, etc.
>>
>> Is this your FreeBSD POV or more windows oriented?
>>
>>> The program does not use fixed ports, so the services are hard to block. In essence, the program gets the user to bypass security measures from the inside.
>>
>> I have never needed a block on limewire. Firstly, all main computers run solaris and therefore also limewire on solaris and secondly, all windows machines are virtual. So -IF- one of them is infected I just put a recent snapshot ;-)
>
> Limewire is a windows only application. So how can you say it runs on solaris which is a flavor of Unix?

The Limewire website says it has versions for Windows, Mac OS X, Linux and others, including OS/2 and Solaris.
Re: firewall rules for bitlord, yahoo, limewire
On Thu, Nov 27, 2008 at 12:25 AM, Andrew Gould [EMAIL PROTECTED] wrote:

> On Wed, Nov 26, 2008 at 6:40 PM, Fbsd1 [EMAIL PROTECTED] wrote:
>
>> dick hoogendijk wrote:
>>
>>>> My unofficial take on it is that limewire is a peer-to-peer sharing application used by Windows, Mac OS X and Linux users to share files, usually music, often copyrighted, over the internet. It is one of the fastest, most effective ways to spread viruses, trojans, spyware, etc.
>>>
>>> Is this your FreeBSD POV or more windows oriented?
>>>
>>>> The program does not use fixed ports, so the services are hard to block. In essence, the program gets the user to bypass security measures from the inside.
>>>
>>> I have never needed a block on limewire. Firstly, all main computers run solaris and therefore also limewire on solaris and secondly, all windows machines are virtual. So -IF- one of them is infected I just put a recent snapshot ;-)
>>
>> Limewire is a windows only application. So how can you say it runs on solaris which is a flavor of Unix?
>
> The Limewire website says it has versions for Windows, Mac OS X, Linux and others, including OS/2 and Solaris.

Yeah. Limewire is written in Java (iirc), which makes it extremely easy to port it to any system that can run java.
RE: Firewall and FreeBSD ports
On Behalf Of RW

> I don't normally do this as Watson is usually less impressed when Holmes reveals his working, but the clues were there. He wrote:
>
>> install software with ports (i.e, the /usr/ports collection.)
>
> and
>
>> FTP to grab source files from mirrors
>
> If you combine that with crediting the poster with enough common sense to mention he was using a version before 6.2, then it seemed unlikely to be a problem with active FTP.
>
> BTW neither of us actually answered the question. I know I forgot as I was in a hurry. I'm pretty sure you didn't either, but I don't have the time to read all of your reply in detail.
>
> The answer is: enable outgoing tcp connections to port 21 and to all ports above 1023.

Is there a way to set up any firewall so that while there is an active outgoing connection on port 21, allow any incoming connections from the same IP address?

Bob McConnell
Re: Firewall and FreeBSD ports
On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:

> I just set up a new server with a very restricted PF configuration. One problem: I can no longer install software with ports (i.e, the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.
>
> Am I correct in guessing that ports uses FTP to grab source files from mirrors? I'm trying to figure out the smallest number of ports (the TCP/IP kind) that I need to open in my firewall. I don't want to enable incoming FTP requests, but do want to allow outgoing ftp requests, I believe.
>
> Am I on the right track, here?

See the fetch(1) man page. Try this first:

sh/bash: export FTP_PASSIVE_MODE=true
csh: setenv FTP_PASSIVE_MODE true

Chances are this will address the problem for you.

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: Firewall and FreeBSD ports
On Fri, 10 Oct 2008 09:51:16 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:

> On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
>
>> I just set up a new server with a very restricted PF configuration. One problem: I can no longer install software with ports (i.e, the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.
>>
>> Am I correct in guessing that ports uses FTP to grab source files from mirrors? I'm trying to figure out the smallest number of ports (the TCP/IP kind) that I need to open in my firewall. I don't want to enable incoming FTP requests, but do want to allow outgoing ftp requests, I believe.
>>
>> Am I on the right track, here?
>
> See the fetch(1) man page. Try this first:
>
> sh/bash: export FTP_PASSIVE_MODE=true
> csh: setenv FTP_PASSIVE_MODE true

passive ftp has been the default for a long time, fetch is called with the -p option.

If you have access to an http-proxy that supports ftp requests over http, fetch can use that.

Alternately you can probably avoid ftp altogether by setting:

MASTER_SORT_REGEX?= ^http:

in make.conf
Re: Firewall and FreeBSD ports
On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:

> On Fri, 10 Oct 2008 09:51:16 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:
>
>> On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
>>
>>> I just set up a new server with a very restricted PF configuration. One problem: I can no longer install software with ports (i.e, the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.
>>>
>>> Am I correct in guessing that ports uses FTP to grab source files from mirrors? I'm trying to figure out the smallest number of ports (the TCP/IP kind) that I need to open in my firewall. I don't want to enable incoming FTP requests, but do want to allow outgoing ftp requests, I believe.
>>>
>>> Am I on the right track, here?
>>
>> See the fetch(1) man page. Try this first:
>>
>> sh/bash: export FTP_PASSIVE_MODE=true
>> csh: setenv FTP_PASSIVE_MODE true
>
> passive ftp has been the default for long time, fetch is called with the -p option.

Let's give the users some actual detail, not terse one-liners which will induce more questions/confusion.

First off, libfetch (which is what fetch(1) uses) itself DOES NOT default to using FTP passive mode. You have to either pass the -p option to the fetch(1) binary, or you have to set the FTP_PASSIVE_MODE environment variable (which affects anything using libfetch).

Secondly, the ports framework (not pkg_* tools!), specifically ports/Mk/bsd.port.mk, defines FETCH_ARGS with the -p argument to force passive mode. This will be used for things like "make fetch". It *will not* be used for things like "pkg_add -r" or "pkg_add ftp://...".

The addition of the -p argument to FETCH_ARGS in ports/Mk/bsd.port.mk was applied to HEAD on 2006/09/20. HEAD at that time is what became FreeBSD 6.2. Of course, anyone updating their ports tree after that date would also get the change; I'm just pointing it out so people know what the actual date was when -p was added to the default argument list.

Now let's expand a bit on FTP_PASSIVE_MODE, because I'm absolutely sure someone will try to argue that's also been turned on by default for a long time; I know how people are... :-)

FTP_PASSIVE_MODE being set by default on login shells was induced by an addition to login.conf(5) back in late 2001 (around the time of RELENG_6). See revision 1.45 (not 1.44!) of src/etc/login.conf in cvsweb. But I'll remind people that login.conf only applies to login shells; logging in on the console, or logging in to an account via ssh [EMAIL PROTECTED].

Most people I know of *do not* SSH into their servers as root; they SSH in as themselves and use sudo. Some use su2, and some use su. Let's examine the behaviours:

$ env | grep FTP
FTP_PASSIVE_MODE=YES

As you can see here, the machine I've SSH'd into as myself does apply login.conf's defaults. But...

$ sudo -s
# env | grep FTP
# exit
$ sudo -i
# env | grep FTP
#

The above scenario (as root) fails, since the FTP_PASSIVE_MODE environment variable isn't being handed down from the login shell (my user account) to the root shell spawned by sudo[1].

su, on the other hand, does it a little differently:

$ su
Password:
# env | grep FTP
FTP_PASSIVE_MODE=YES

And likewise, "su -l" behaves the same way.

The OP did not disclose how he was installing ports. A lot of users think that packages == ports, so for all we know, he could be pkg_add'ing things while using sudo and running into this.

If "make fetch" in an actual port is timing out, then he's either doing it on a machine with a ports tree prior to 2006/09/20 (see above), or his outbound pf rules are so strict that the machine is absurdly limited.

I've advocated in another thread my displeasure for filtering outbound traffic *solely* because of this exact scenario. Network admins seem to think that "oh, HTTP is always going to use port 80", and likewise, "oh, FTP is always going to use ports 20-21". Bzzzt. Nothing stops a MASTER_SITE from being http://lelele.com:9382/.

[1]: The problem with sudo can be addressed; FTP_PASSIVE_MODE needs to be added to the env_keep list in the default sudoers file. I know the port maintainer, so I'll take this up with him so that users (including myself) don't keep getting bit by forgetting to set FTP_PASSIVE_MODE after doing a sudo.

--
| Jeremy Chadwick                                 jdc at parodius.com |
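To check the three hops Jeremy walks through (login.conf, the login shell, sudo's env_reset) without repeating the manual env | grep session, here is a small audit script. It is an added example, not code from the message or from FreeBSD; the login.conf and sudoers fragments in its comments are constructed samples, and the file paths and login class are assumptions passed in as parameters.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the chain Jeremy describes
# (login.conf -> login shell -> sudo) to see where FTP_PASSIVE_MODE gets lost.
# File paths and the login class are parameters; this just reads the two files
# the way a sysadmin would by hand.

# fetch(3) documents FTP_PASSIVE_MODE as "on unless set to no" (case does not
# matter), so an unset variable means libfetch's default: active mode.
passive_mode_enabled() {
    [ -n "${FTP_PASSIVE_MODE+set}" ] || return 1
    case "$FTP_PASSIVE_MODE" in
        [Nn][Oo]) return 1 ;;
        *)        return 0 ;;
    esac
}

# login_conf_sets_passive FILE CLASS
# login.conf(5) records are colon-separated capabilities spread over lines that
# end in a backslash, for example (constructed sample, like the stock default):
#   default:\
#       :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
#       :umask=022:
# Succeeds when CLASS's own setenv= capability sets FTP_PASSIVE_MODE to
# something other than no. tc= inheritance from another class is not followed.
login_conf_sets_passive() {
    awk -v class="$2" '
        /^[ \t]*#/ { next }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); rec = rec $0; next }
        {
            rec = rec $0
            n = split(rec, f, ":")
            if (f[1] == class)
                for (i = 2; i <= n; i++) {
                    gsub(/^[ \t]+/, "", f[i])
                    if (f[i] ~ /^setenv=/ && f[i] ~ /(^|,)FTP_PASSIVE_MODE=/ &&
                        f[i] !~ /(^|,)FTP_PASSIVE_MODE=[Nn][Oo](,|$)/)
                        found = 1
                }
            rec = ""
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# sudoers_keeps_passive FILE
# With sudo's default env_reset the caller's environment is dropped except for
# the names in env_keep, so the fix Jeremy mentions looks like (constructed):
#   Defaults env_keep += "FTP_PASSIVE_MODE"
# Only global "Defaults env_keep" lines are checked, after stripping comments.
sudoers_keeps_passive() {
    sed 's/#.*//' "$1" |
        grep -E '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=' |
        grep -q 'FTP_PASSIVE_MODE'
}

# audit_passive_chain LOGIN_CONF CLASS SUDOERS
# Prints one line per hop and returns the number of hops where the variable is
# lost (0 means a "sudo make fetch" will still see FTP_PASSIVE_MODE).
audit_passive_chain() {
    failed=0
    if login_conf_sets_passive "$1" "$2"; then
        echo "login.conf: class $2 sets FTP_PASSIVE_MODE"
    else
        echo "login.conf: class $2 does not set FTP_PASSIVE_MODE"
        failed=$((failed + 1))
    fi
    if passive_mode_enabled; then
        echo "shell:      FTP_PASSIVE_MODE=$FTP_PASSIVE_MODE in this environment"
    else
        echo "shell:      FTP_PASSIVE_MODE unset or no"
        failed=$((failed + 1))
    fi
    if sudoers_keeps_passive "$3"; then
        echo "sudoers:    env_keep preserves FTP_PASSIVE_MODE"
    else
        echo "sudoers:    env_reset will drop FTP_PASSIVE_MODE"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Command-line use, e.g. on FreeBSD with the sudo port installed (assumed paths):
#   sh passive_audit.sh audit /etc/login.conf default /usr/local/etc/sudoers
case "${1:-}" in
    audit) shift; audit_passive_chain "$@" ;;
esac
```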
Re: Firewall and FreeBSD ports
> problem: I can no longer install software with ports (i.e, the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.
>
> Am I correct in guessing that ports uses FTP to grab source files from

FTP or HTTP.

if you have an http proxy like squid in your network do

export http_proxy=http://yourproxy:port
export ftp_proxy=http://yourproxy:port
Re: Firewall and FreeBSD ports
On Fri, 10 Oct 2008 11:41:40 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:

> On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
>
>> On Fri, 10 Oct 2008 09:51:16 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:
>>
>> passive ftp has been the default for long time, fetch is called with the -p option.
>
> Let's give the users some actual detail, not terse one-liners which will induce more questions/confusion.

Snip some facts used as a blunt instrument

> The OP did not disclose how he was installing ports. A lot of users think that packages == ports,

I don't normally do this as Watson is usually less impressed when Holmes reveals his working, but the clues were there. He wrote:

> install software with ports (i.e, the /usr/ports collection.)

and

> FTP to grab source files from mirrors

If you combine that with crediting the poster with enough common sense to mention he was using a version before 6.2, then it seemed unlikely to be a problem with active FTP.

BTW neither of us actually answered the question. I know I forgot as I was in a hurry. I'm pretty sure you didn't either, but I don't have the time to read all of your reply in detail.

The answer is: enable outgoing tcp connections to port 21 and to all ports above 1023.
Re: Firewall and FreeBSD ports
>>> sh/bash: export FTP_PASSIVE_MODE=true
>>> csh: setenv FTP_PASSIVE_MODE true
>>
>> First off, this did solve the problem. Thank you, Jeremy. Now, as to the why...
>
> That's odd, because if you are running 7.x with default settings, FTP_PASSIVE_MODE should be irrelevant to fetching distfiles - even if it's set to no. Do you have any FETCH_* variables defined?

No

> What happens if you cd to a port directory and type: make -V FETCH_CMD ?

[EMAIL PROTECTED]:~] cd /usr/ports/shells/zsh
[EMAIL PROTECTED]:zsh] make -V FETCH_CMD
/usr/bin/fetch -ApRr
[EMAIL PROTECTED]:zsh]

>> I then wanted to install NTP:
>>
>> cd /usr/ports/net/ntp
>> make config; make install clean
>>
>> This failed because the mirrors were not accessible.
>
> I just tried this port myself and it failed on all four servers configured in the Makefile, only succeeding on the fallback Freebsd server (Freebsd's own cache for package building). Unless you turn up something odd for FETCH_CMD, I think there's a good chance that you never had an FTP firewall problem in the first place, and that the file has simply been added to ftp.freebsd.org since you got the original failure.

I just removed the FTP_PASSIVE_MODE variable from .bash_profile, logged out, and logged back in. I then tried to install another port and it installed without problem.

-- John
Re: firewall high-load performance
Woj, another of the few joys of -digests: two birds with one stone:

> is there a way to check on running system how much CPU time is used to perform firewalling/traffic manager - be it pf or ipfw?

Sure, compare ping times / traffic throughput with firewall turned off and on? I recall that a FreeBSD 2.2.6 P166 with about 1000 ipfw rules added up to ~2ms to ping times through - on a local 10Mbps network :)

On Wed, 11 Jun 2008 00:35:14 +0200 (CEST) Wojciech Puchar [EMAIL PROTECTED] wrote: (quoting Matthew Seaman)

>> High load may or may not be a problem depending on your traffic patterns. I've seen pf firewalls suffer by running out of state-table space in situations where there are a lot of fairly short-lived but low volume network connections. The default is 10,000 states. If your firewall machine is
>
> is this state-table a hash table or something similar? if so - making it much bigger than CPU cache may actually slow down things because DRAM access latency is huge on modern machines.

There was some discussion of the efficiency of ipfw stateful rules in recent weeks, over on -net IIRC. As someone else mentioned, that's the place to be if you're interested in net stuff, and are prepared to sit back and read some real expertise before saying too much for a while :)

ipfw hashes src.ip ^ dst.ip ^ src.port ^ dst.port for connections in a default of 256 buckets, which is very fast when there are no collisions; duplicates however are added to a linked list, which gets slow if large, such as for raw IP or ICMP where 'port' numbers = 0. I'm not sure what stateful rules really mean in those contexts anyway, but there was talk of increasing both the (default) no. of buckets and maximum states kept, the memory penalty being pretty insignificant on today's hardware. I tend to doubt that processor caching is an issue one way or the other.

>> On the whole I'd go with pf every time simply based on how much more manageable it is compared to ipfw -- you have to try, hard, to lock yourself out when reloading a new pf ruleset.
>
> i already learned well locking myself out after making a mistake in ipfw rules
>
> now i run screen and do something like that
>
> cd /etc
> cp firewall firewall.old
> cp firewall firewall.new
> edit firewall.new
> cp firewall.new firewall;/etc/rc.d/ipfw restart;sleep 100;cp firewall.old firewall;/etc/rc.d/ipfw restart
>
> then i have 100 seconds to quickly test new rules, at least to make sure i'm not locked out.

Yeah that'll work, as suggested in the manual's example.

I also wouldn't mind seeing some proper empirical comparisons between ipfw and pf. Many of the reasons sometimes offered to prefer pf have been addressed in ipfw more recently (like in-kernel NAT for 7.x) and development of both is always ongoing, so it's still largely personal preference. I've been using ipfw for just over 10 years and am fairly familiar with it, and there are plenty of options I've not yet tried. Anyone reading the handbook these days would think ipfw was deprecated, and one day I hope to do a number on the ipfw section there; it contains out and out factual errors, some misconceptions and poor examples, still the author does declare his familiarity is otherwise, ipf as I recall. BTW I'm not dissing pf in any way, I've just never tried it. ipfw plus dummynet has done everything well that I've needed to do so far, mostly on networks smaller even than yours :)

cheers, Ian
Re: firewall high-load performance
>> is there a way to check on running system how much CPU time is used to perform firewalling/traffic manager - be it pf or ipfw?
>
> Sure, compare ping times / traffic throughput with firewall turned off and on?

this will not measure CPU load but delays. delays are unnoticeable and don't look like a problem.
Re: firewall high-load performance
Chad Perrin wrote:

> My preferred firewall these days, for general use, is pf. I seem to recall someone who has used it in high-load scenarios that it can kinda choke at high loads, though I don't recall whether that was due to pf itself or the fact he was running it on OpenBSD. Until now, this has not been a concern for me. I may be getting involved in a commercial project in the near future that could very well involve handling very large numbers of connections dealing with potentially high bandwidth demands, however. The circumstances would require some QOS, and I'm thinking of using pf/ALTQ for this project, but I don't want to discover after we're well underway that large numbers of connections would cause problems.
>
> Should I consider ipfw or ipfilter instead, or are my concerns with relation to pf's ability to handle extremely high loads of legitimate traffic unfounded?

pf will perform very well. I don't know if anyone has benchmarked it against ipfw, but I suspect that any difference in performance is pretty minimal. If you're just doing packet filtering and using a fairly run of the mill modern machine, you should be able to keep up with Gb wire speed without problems.

If performance is a limiting factor, then review your rule sets carefully: arranging things so that the most popular traffic types are handled as early as possible, knowing when to use tables vs. use address-list macros and judicious use of quick rules can make quite a difference. Also, /stateful/ rules are generally faster than stateless once you've got beyond the initial packet that establishes the state. Looking stuff up in the state table is quicker and takes place earlier in the processing sequence than traversing the rulesets.

High load may or may not be a problem depending on your traffic patterns. I've seen pf firewalls suffer by running out of state-table space in situations where there are a lot of fairly short-lived but low volume network connections. The default is 10,000 states. If your firewall machine is dedicated to running pf and it has hundreds of MB if not GB of RAM, then upping the size of some of those parameters by an order of magnitude is feasible, and works well.

On the whole I'd go with pf every time simply based on how much more manageable it is compared to ipfw -- you have to try, hard, to lock yourself out when reloading a new pf ruleset.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
re: firewall high-load performance
Matthew Seaman wrote:

> pf will perform very well. I don't know if anyone has benchmarked it against ipfw, but I suspect that any difference in performance is pretty minimal. If you're just doing packet filtering and using a fairly run of the mill modern machine, you should be able to keep up with Gb wire speed without problems.

Actually, I tracked down the guy who had originally given a poor review of pf performance, and it turns out that the missing part of his review was related to use of dummynet for bandwidth management. Since I'm not planning to use dummynet for bandwidth management, that's not really a factor we need to consider. It looks like, at this point, pf is a good choice.

> If performance is a limiting factor, then review your rule sets carefully: arranging things so that the most popular traffic types are handled as early as possible, knowing when to use tables vs. use address-list macros and judicious use of quick rules can make quite a difference. Also, /stateful/ rules are generally faster than stateless once you've got beyond the initial packet that establishes the state. Looking stuff up in the state table is quicker and takes place earlier in the processing sequence than traversing the rulesets.
>
> High load may or may not be a problem depending on your traffic patterns. I've seen pf firewalls suffer by running out of state-table space in situations where there are a lot of fairly short-lived but low volume network connections. The default is 10,000 states. If your firewall machine is dedicated to running pf and it has hundreds of MB if not GB of RAM, then upping the size of some of those parameters by an order of magnitude is feasible, and works well.

Thanks for the further elaboration. I'll keep all this in mind as I investigate the suitability of pf for this project.

> On the whole I'd go with pf every time simply based on how much more manageable it is compared to ipfw -- you have to try, hard, to lock yourself out when reloading a new pf ruleset.

Just one more reason pf is my favorite firewall.

Thanks for the informative reply.

By the way, apologies if this doesn't thread properly. I never got any messages from this thread in my inbox, and had to copy everything from the archive: http://lists.freebsd.org/pipermail/freebsd-questions/2008-June/176542.html For some reason, mutt doesn't seem to want me to alter headers to make it thread properly, and keeps throwing away my edits.

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Dr. Ron Paul: "Liberty has meaning only if we still believe in it when terrible things happen and a false government security blanket beckons."
Re: firewall high-load performance
> My preferred firewall these days, for general use, is pf. I seem to recall someone who has used it in high-load scenarios that it can kinda choke at high loads, though I don't recall whether that was due to pf itself or the fact he was running it on OpenBSD. Until now, this has not been a concern for me.

it would be good to check out ipfw. at least it's IMHO much cleaner and easier to make the rules i need, but it is fast. but please check, i don't have any side-by-side comparison.

of course it depends on how complicated your rules are and how well/badly you define them.
re: firewall high-load performance
> Actually, I tracked down the guy who had originally given a poor review of pf performance, and it turns out that the missing part of his review was related to use of dummynet for bandwidth management. Since I'm not planning to use dummynet for bandwidth management, that's not really a factor we need to consider. It looks like, at this point, pf is a good choice.

is there a way to check on running system how much CPU time is used to perform firewalling/traffic manager - be it pf or ipfw?
Re: firewall high-load performance
High load may or may not be a problem depending on your traffic patterns. I've seen pf firewalls suffer by running out of state-table space in situations where there are a lot of fairly short-lived but low volume network connections. The default is 10,000 states. If your firewall machine is

Is this state-table a hash table or something similar? If so, making it much bigger than the CPU cache may actually slow things down, because DRAM access latency is huge on modern machines.

On the whole I'd go with pf every time simply based on how much more manageable it is compared to ipfw -- you have to try, hard, to lock yourself out when reloading a new pf ruleset.

I already learned well about locking myself out after making a mistake in ipfw rules. Now I run screen and do something like that:

    cd /etc
    cp firewall firewall.old
    cp firewall firewall.new
    edit firewall.new
    cp firewall.new firewall; /etc/rc.d/ipfw restart; sleep 100; cp firewall.old firewall; /etc/rc.d/ipfw restart

Then I have 100 seconds to quickly test the new rules, at least to make sure I'm not locked out.
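The timed-rollback trick in the post above can be turned into one script so that staging, reloading and rolling back are a single unit, and so that the rollback also covers the case where the reload itself fails. This is an added example, not the poster's commands: the reload command is a parameter (on the poster's box it would be /etc/rc.d/ipfw restart), and the confirmation-file mechanism, the file names and the exit codes are choices made for this example.

```sh
#!/bin/sh
# Timed rollback for a firewall ruleset reload (added example, not from the
# thread). Install the candidate ruleset, reload the firewall, then restore
# the previous ruleset after TIMEOUT seconds unless CONFIRM_FILE appears.
# Run it under screen/tmux or nohup so the rollback survives a dropped login.
#
# Assumptions made for this example: RELOAD_CMD is whatever loads the rules
# (for ipfw on FreeBSD, "/etc/rc.d/ipfw restart"); CONFIRM_FILE is a path the
# admin touches from a second login that the new rules actually let in.

# apply_with_rollback LIVE CANDIDATE RELOAD_CMD TIMEOUT CONFIRM_FILE
# Exit status: 0 = candidate confirmed and kept, 1 = rolled back to the old
# ruleset, 2 = staging failed or a reload failed.
apply_with_rollback() {
    live=$1
    candidate=$2
    reload_cmd=$3
    timeout=$4
    confirm=$5
    backup="$live.old"

    rm -f "$confirm"                       # a stale confirmation must not count
    cp "$live" "$backup" || return 2
    cp "$candidate" "$live" || return 2
    if ! $reload_cmd; then                 # e.g. syntax error: put the old rules back
        cp "$backup" "$live"
        $reload_cmd || true
        return 2
    fi

    waited=0
    while [ "$waited" -lt "$timeout" ]; do # poll once a second for the confirmation
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    cp "$backup" "$live"                   # no confirmation in time: roll back
    $reload_cmd || return 2
    return 1
}

# Typical use on the firewall itself (not executed here):
#   apply_with_rollback /etc/ipfw.rules /etc/ipfw.rules.new \
#       "/etc/rc.d/ipfw restart" 100 /var/run/fw.confirm
# and, from a fresh login that proves the new rules let you in:
#   touch /var/run/fw.confirm
```

The confirmation has to come from a new connection opened after the reload, not from the session that started the script: an existing session may keep working under a ruleset that blocks new logins, which is exactly the lockout the poster describes.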
Re: Firewall Redirect
Lucas Neves Martins wrote:

    422 ipfw add 950 divert 8082 tcp from any to any 80 via em0

Hi! I do something similar, except with a small home-grown server used to serve 'You are banned' pages to people who insist on driving my poor little webserver into swap. The directive you're looking for is 'fwd'.

    ipfw add 44001 fwd 127.0.0.44 tcp from ${luser} to any 80 in recv fxp0

-- Fuzzy love, -CyberLeo Technical Administrator CyberLeo.Net Webhosting http://www.CyberLeo.Net [EMAIL PROTECTED] Furry Peace! - http://.fur.com/peace/
Re: Firewall Redirect
On Nov 30, 2007 5:59 AM, Lucas Neves Martins [EMAIL PROTECTED] wrote:

Hello guys, I'm having the following problem: Redirect requests from the port 80 to the port 8082, for apache tomcat. I'm new on FreeBSD. Of course, I had looked out on google, and read the firewall section on the Handbook.

snipping some ipfw rules...

PS: I'm trying to do this to make the user tomcat run the apache-tomcat, opening the port 8082, and make it transparent to users who access the domain by the common port 80.

Another method to achieve this that may be interesting for you is to use mod_jk to redirect requests coming in on your priv'd port 80 apache daemon to your tomcat processes on an unpriv'd port: http://tomcat.apache.org/connectors-doc/ I won't go into the whole configuration here, but going this route may give you more flexibility than using a packetfilter ruleset and will allow you to take advantage of load balancing etc. with mod_jk as well. I currently use this setup for a site that serves both static content from httpd and .jsp pages from tomcat all on the same box.

HTH -pete -- ~~o0OO0o~~ Pete Wright www.nycbug.org NYC's *BSD User Group
Re: Firewall Redirect
On 11/30/07, Lucas Neves Martins [EMAIL PROTECTED] wrote:

Hello guys, I'm having the following problem: Redirect requests from the port 80 to the port 8082, for apache tomcat. I'm new on FreeBSD. Of course, I had looked out on google, and read the firewall section on the Handbook. But only found missed things, and nothing worked. I have tried these commands:

    #history | grep divert
    H 422 ipfw add 950 divert 8082 tcp from any to any 80 via em0
      425 ipfw add 950 divert 8082 tcp from any to any 80 via em0
      428 ipfw add 950 divert 80 tcp from any to any 8082 via em0
      432 ipfw add 950 divert 8082 tcp from any to any 80 via em0
      435 ipfw add 950 divert 8082 tcp from any to any 80 via em0

I know how the number 950 works, I know it is in the right position, but I don't know how divert works, and even what it is. I don't know if divert 8082 makes the requests come from 80, or go to 80. damn... Any help will be useful.

AFAIK, divert in ipfw diverts to unix-domain sockets. I think you might pull it off with ipnat + /etc/ipnat.conf:

    rdr em0 0.0.0.0/0 port 80 -> 0.0.0.0/0 port 8082

regards, usleep
Re: Firewall Redirect
Lucas Neves Martins wrote:

Redirect requests from the port 80 to the port 8082, for apache tomcat.

[[snip]]

    422 ipfw add 950 divert 8082 tcp from any to any 80 via em0
    425 ipfw add 950 divert 8082 tcp from any to any 80 via em0
    428 ipfw add 950 divert 80 tcp from any to any 8082 via em0

It's not as clean as doing it with ipfw, but there's a port redirect utility in ports/net/redir that might accomplish what you want.

-RW
Re: firewall is blocking our access
Rodrigo Moura Bittencourt [EMAIL PROTECTED] wrote:

Dear Bill Moran,

Take a bit of advice -- wildly CCing dozens of people is just going to piss people off and cause them to start ignoring you. You'll get much more helpful results if you take the time to understand who you need to be contacting, and contact only that person. I understand that in the business world it's normal to CC everyone and all of their managers as well, but that's because in the business world, politics is more important than getting things done.

The reason we believe the problem to be a firewall is that by making the connection through a proxy, we managed to connect to your server.

I've no idea how that symptom would lead to that conclusion.

Another problem that could be considered is having rules in our firewall blocking access to your pages, but checking the rules we found that there is no restriction in our firewall rules regarding communication with your server.

I assumed you checked that first.

Here is the annexed traceroute, stressing that the earlier steps are our internal equipment:

     7 ansp.ptta.ansp.br (200.136.37.1) 6,820 ms 8,215 ms 8,370 ms
     8 143 to 108-254-130.ansp.br (143,108,254,130) 8,614 ms 8,271 ms 10,004 ms
     9 g-1 - 1-0.ar1.GRU2.gblx.net (64.209.93.237) 9,704 ms 8,685 ms 8,206 ms
    10 te3-1-10G.ar2.DCA3.gblx.net (67.16.128.1) 128,309 ms 127,803 ms 128,290 ms
    11 yahoo - 6.ar2.DCA3.gblx.net (64,215,195,110) 140,091 ms 140,141 ms 138,295 ms
    12 so-0 - 0-0.pat2.pao.yahoo.com (216,115,101,130) 193,000 ms 192,656 ms 190,878 ms
    13 g-1-0 - 0-p141.msr1.sp1.yahoo.com (216.115.107.55) 190,711 ms 193,645 ms 193,119 ms
    14 ge-1-42.bas - b1.sp1.yahoo.com (209.131.32.27) 191,713 ms ge-1-48.bas - b1.sp1.yahoo.com (209.131.32.47) 190,836 ms 190,406 ms

It certainly does look like Yahoo is blocking you for some reason. This lends credence to my earlier statement about contacting the correct person: there's little the FreeBSD team can do about this, you'll have to contact Yahoo directly.
Here is also attached the ping to your server:

    PING www.freebsd.org (69.147.83.33) 56 (84) bytes of data.
    --- Www.freebsd.org ping statistics ---
    33 packets transmitted, 0 received, 100% packet loss, time 32015ms

Unfortunately, ping results are nearly useless in this day and age, because so many people block ICMP at firewalls as if it's the plague.

I am available to provide any other information necessary.

Are you unable to reach the mirror sites in Brazil?: http://www.br.freebsd.org/ This could be a workaround while you sort out the issue with Yahoo. Actually, it may be preferable on an ongoing basis.

-- Bill Moran http://www.potentialtech.com
Re: firewall is blocking our access
Rodrigo Moura Bittencourt [EMAIL PROTECTED] wrote:

Dear Gentlemen, We, INPE / CPTEC, an institution of meteorology of the government of Brazil, are having trouble accessing the servers of FreeBSD; we believe that your firewall is blocking our access.

While this is possible, I find it unlikely. What evidence do you have to show that it's a firewall blocking communication? Furthermore, what evidence do you have to show that it's a firewall under the control of the FreeBSD project?

I (and I'm sure others on this list) will be happy to help, but you're going to have to provide more details of the problem. What, exactly, are you trying to do, and how, exactly, is it failing? Please provide exact commands and responses (error messages). Additionally, the output of traceroute www.freebsd.org from the problematic server would be helpful.

I've removed various emails from the return message, as there's no reason to spam them with troubleshooting on the questions mailing list.

-- Bill Moran http://www.potentialtech.com
Re: Firewall rules / Proper directory
I've made a /etc/rc.firewall.local. I may rename it in the future to stand out more, but we'll see how it goes for now.

Neat. Have fun with the new firewall ruleset then.

Thanks. I wish it wasn't necessary, but the server runs MySQL and if I turn TCP wrappers on, someone just trying to connect a few times creates a DoS on it. I've tried before to bring this up with the MySQL people with no luck.

Thanks, Tuc
Re: Firewall rules / Proper directory
On 2007-08-02 14:49, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:

Giorgos Keramidas wrote:

On 2007-08-02 12:36, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:

Hi, I'm developing firewall rules for a machine, and I'm wondering what the standard is for putting my version of an ipfw firewall_script?

I usually save my rules in '/etc/pf.conf' or '/etc/ipfw.rules'. It's not like the '/etc' directory is a please do not touch area.

Thanks... I always DO try to keep things out of /etc if at all possible. I regard that as system space, and if I do trespass into it it's usually a file or directory previously allocated for that (/etc/rc.conf, /etc/mail/*).

That's ok, but it's not like the world is going to end if you add a bit of customization to '/etc' files. We have mergemaster(8) to make sure these local updates and customizations are not lost when you upgrade :-)

I've made a /etc/rc.firewall.local. I may rename it in the future to stand out more, but we'll see how it goes for now.

Neat. Have fun with the new firewall ruleset then.
Re: Firewall rules / Proper directory
On Thu, 2 Aug 2007 12:36:51 -0400 (EDT) Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:

Hi, I'm developing firewall rules for a machine, and I'm wondering what the standard is for putting my version of an ipfw firewall_script? I'd normally drop it onto /usr/local/etc somewhere, but my /u/l/e is an NFS filesystem, and according to rcorder it starts ipfw WAY before the nfsclient. I don't want to stomp on /etc/rc.firewall, I like having it as a reference and one less thing to have to worry about mergemaster overwriting.

    cp /etc/rc.firewall /etc/my.firewall

add to rc.conf:

    firewall_script=/etc/my.firewall
Re: Firewall question
On Thu, Aug 02, 2007 at 10:04:20AM -0400, [EMAIL PROTECTED] wrote:

It might not be as challenging as rolling your own... but have you considered using one of the ready-to-install BSD firewall/router packages like m0n0wall? http://m0n0.ch/wall/

I have thought about it. I have tried m0n0wall just as firewall/router and it's a good choice. The downside is that you can't set up the dhcp as freely as I want to (e.g. set up the dhcpd for pxeboot for diskless, for example). And there is not so much to do to secure the firewall further than the m0n0wall group already have done.

I don't know if it supports the 3rd interface, but it does run on Soekris hardware.

Well, it does. And there is a good description for a dmz also.

/Regards
Re: Firewall rules / Proper directory
On 2007-08-02 12:36, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:

Hi, I'm developing firewall rules for a machine, and I'm wondering what the standard is for putting my version of an ipfw firewall_script?

I usually save my rules in '/etc/pf.conf' or '/etc/ipfw.rules'. It's not like the '/etc' directory is a please do not touch area.
Re: Firewall rules / Proper directory
On 2007-08-02 12:36, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:

Hi, I'm developing firewall rules for a machine, and I'm wondering what the standard is for putting my version of an ipfw firewall_script?

I usually save my rules in '/etc/pf.conf' or '/etc/ipfw.rules'. It's not like the '/etc' directory is a please do not touch area.

Thanks... I always DO try to keep things out of /etc if at all possible. I regard that as system space, and if I do trespass into it it's usually a file or directory previously allocated for that (/etc/rc.conf, /etc/mail/*). I've made a /etc/rc.firewall.local. I may rename it in the future to stand out more, but we'll see how it goes for now.

Thanks, Tuc
Re: Firewall
Hèrvé Simplice van der Eijk wrote:

On 1 machine I set up a FreeBSD 5.4 server with dhcp, dns, ldap running on it. On another machine I set up an Apache webserver and both are working fine. When I'm making an http request on a windows client (Internet Explorer) it shows my web site. But since I installed the ipfw firewall on my FreeBSD 5.4 (dhcp, dns, ldap server) my windows client can't reach my webserver anymore. Please can somebody tell me which port I have to open up in my firewall.

80? 8080? 443? Depends on your Apache configuration. Default is 80. Check which port(s) your httpd process is listening on.

    # sockstat | grep httpd

-- Greg Barniskis, Computer Systems Integrator South Central Library System (SCLS) Library Interchange Network (LINK) gregb at scls.lib.wi.us, (608) 266-6348
Re: Firewall
Hèrvé Simplice van der Eijk wrote:

On 1 machine I set up a FreeBSD 5.4 server with dhcp, dns, ldap running on it. On another machine I set up an Apache webserver and both are working fine. When I'm making an http request on a windows client (Internet Explorer) it shows my web site. But since I installed the ipfw firewall on my FreeBSD 5.4 (dhcp, dns, ldap server) my windows client can't reach my webserver anymore. Please can somebody tell me which port I have to open up in my firewall.

Assuming that you did not change Apache's default, port 80.

-- -wittig http://www.robertwittig.com/ . http://robertwittig.net/
Re: Firewall
On 09/21/2006 16:13, Robert C Wittig wrote:

Hèrvé Simplice van der Eijk wrote:

On 1 machine I set up a FreeBSD 5.4 server with dhcp, dns, ldap running on it. On another machine I set up an Apache webserver and both are working fine. When I'm making an http request on a windows client (Internet Explorer) it shows my web site. But since I installed the ipfw firewall on my FreeBSD 5.4 (dhcp, dns, ldap server) my windows client can't reach my webserver anymore. Please can somebody tell me which port I have to open up in my firewall.

Assuming that you did not change Apache's default, port 80.

Not sure I follow you. Apache is on a machine *other* than the firewalled machine? Is your Windows machine attempting to reach the machine by name? Thus requiring Windows to use the DNS server on the firewalled machine? If so... port 53 is the one of interest.

-- Regards, Eric
Re: Firewall
Hèrvé Simplice van der Eijk wrote:

On 1 machine I set up a FreeBSD 5.4 server with dhcp, dns, ldap running on it. On another machine I set up an Apache webserver and both are working fine. When I'm making an http request on a windows client (Internet Explorer) it shows my web site. But since I installed the ipfw firewall on my FreeBSD 5.4 (dhcp, dns, ldap server) my windows client can't reach my webserver anymore. Please can somebody tell me which port I have to open up in my firewall.

You don't only need to open a port, you also need to enable routing. I assume your setup is like this:

    Client FBSD Apache

You need to open port 80 (default) for the destination ip (the Apache host) and enable routing in the kernel:

    # sysctl net.inet.ip.forwarding=1

Set this in /etc/sysctl.conf to enable it on reboot. How to do the routing with ipfw I don't know, I use packet filter.

Cheers, Erik -- Ph: +34.666334818 web: http://www.locolomo.org X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Re: Firewall with 3 NIC (1 wireless) problem
Mark Moellering wrote:

I am attempting to add wireless capabilities to an existing network / firewall structure. I added a wireless NIC card to the firewall (Netgear WPN311) and followed the wireless instructions. I also added a similar card to an existing computer (Netgear WG311T). The Firewall's internal wired network is on 192.168.1.1 and the Wireless card is set to 192.168.2.1. The client computer can find the wireless network and I can ping the wireless card (192.168.2.1). However, I can get nowhere else. I cannot get to the wired subnet nor outside access to the internet. I tried adding a bridge from the wired to the wireless network interfaces but that did nothing. I tried putting the wireless NIC to 192.168.1.249 but that made things worse. Any help would be greatly appreciated. Both client and firewall are running FreeBSD 6.1. Relevant (that I can think of) files from the firewall are included...

The bridge is not necessary. If you're trying to make all the traffic traverse the wireless network, you'll have to change the default gateway on the client. Otherwise the traffic will traverse bge0 as indicated in the client routing table. Otherwise, I would examine the firewall. Change it to allow all traffic and see if that makes a difference. Verify that your nat configuration is correct.
Re: Firewall with 3 NIC (1 wireless) problem
Dennis, Thanks so much for your help. Here is the ifconfig -v and netstat (a variety) from both the client and firewall. Both the client and the firewall have an ath0 (192.168.2.1 for firewall, 192.168.2.5 for the client) and a bge0 (192.168.1.1 for firewall, 192.168.1.2 for client). After booting the client, I disconnect the ethernet cable on the bge0 interface to force traffic over the wireless ath0. I am by no means a professional, I may have missed something or be doing something fairly obviously wrong.

Thanks Again, Mark Moellering

On Thursday 25 May 2006 12:17 am, Dennis Olvany wrote:

    net.link.ether.bridge.enable=1
    net.link.ether.bridge.config=bge0, ath0

Let's have a look at ifconfig and netstat -r. What's with this bridge? Think you'd be better off without it.

    Script started on Thu May 25 22:19:06 2006
    AlphaOne# ifconfig -v
    bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
            inet6 fe80::209:5bff:fe20:aa23%bge0 prefixlen 64 scopeid 0x1
            inet 192.168.1.2 netmask 0xff00 broadcast 192.168.1.255
            ether 00:09:5b:20:aa:23
            media: Ethernet autoselect (none)
            status: no carrier
    ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet6 fe80::214:6cff:fe2c:a8c0%ath0 prefixlen 64 scopeid 0x2
            inet 192.168.2.5 netmask 0xff00 broadcast 192.168.2.255
            ether 00:14:6c:2c:a8:c0
            media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/24Mbps)
            status: associated
            ssid psyberation channel 1 (2412) bssid 00:0f:b5:8a:77:44
            authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit TKIP 3:128-bit
            powersavemode OFF powersavesleep 100 txpowmax 37 txpower 63
            rtsthreshold 2346 mcastrate 1 fragthreshold 2346 -pureg protmode CTS
            -wme burst roaming MANUAL bintval 100 -countermeasures
    plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet 127.0.0.1 netmask 0xff00
    AlphaOne# exit
    exit
    Script done on Thu May 25 22:19:37 2006

    Script started on Thu May 25 22:20:31 2006
    AlphaOne# netstat
    Active UNIX domain sockets
    Address  Type   Recv-Q Send-Q Inode Conn Refs Nextref Addr
    c3e912bc stream 0 00 c3db97a800 /tmp/ksocket-Mark/kontactHOPVSF.slave-socket
    c3db97a8 stream 0 00 c3e912bc00
    c3db9dac stream 0 00 c3db9c0800 /tmp/ksocket-Mark/kontactpn6RzM.slave-socket
    c3db9c08 stream 0 00 c3db9dac00
    c3d2d7a8 stream 0 00 c3db9c9400 /tmp/.ICE-unix/dcop625-1148609162
    c3db9c94 stream 0 00 c3d2d7a800
    c3d2d834 stream 0 00 c3db9e3800 /tmp/.ICE-unix/646
    c3db9e38 stream 0 00 c3d2d83400
    c3db9af0 stream 0 00 c3db983400 /tmp/.X11-unix/X0
    c3db9834 stream 0 00 c3db9af000
    c3db9604 stream 0 00 c3db969000 /tmp/ksocket-Mark/klaunchersC8lmq.slave-socket
    c3db9690 stream 0 00 c3db960400
    c3db98c0 stream 0 00 c3db994c00 /tmp/fam-Mark/fam-
    c3db994c stream 0 00 c3db98c000
    c3e91348 stream 0 00 c3e913d400 /tmp/.ICE-unix/dcop625-1148609162
    c3e913d4 stream 0 00 c3e9134800
    c3e91460 stream 0 00 c3e914ec00 /tmp/.ICE-unix/dcop625-1148609162
    c3e914ec stream 0 00 c3e9146000
    c3e91578 stream 0 00 c3e9160400 /tmp/.ICE-unix/dcop625-1148609162
    c3e91604 stream 0 00 c3e9157800
    c3e91690 stream 0 00 c3e9171c00 /tmp/.ICE-unix/dcop625-1148609162
    c3e9171c stream 0 00 c3e9169000
    c3db9230 stream 0 00 c3db92bc00 /tmp/.ICE-unix/dcop625-1148609162
    c3db92bc stream 0 00 c3db923000
    c3d2dd20 stream 0 00 c3d2dc0800 /tmp/.ICE-unix/dcop625-1148609162
    c3d2dc08 stream 0 00 c3d2dd2000
    c3d2ddac stream 0 00 c3d2d71c00 /tmp/.ICE-unix/646
    c3d2d71c stream 0 00 c3d2ddac00
    c368dc94 stream 0 00 c368dc0800
RE: Firewall with 3 NIC (1 wireless) problem
This may be a wild shot in the dark. Netgear WPN311 and WG311T are both CLIENT RangeMax Wireless PCI Adapter cards. Looks to me like you are missing hardware needed to make your wanted wireless network work. On your wired LAN you cable a NIC card in your gateway box to a hub/router/switch through which all other PCs on the LAN are connected. A wireless system works much the same way. Your gateway box should have a NIC cabled to a wireless base/router through which all other PCs on the wireless LAN broadcast/communicate. You need a Netgear RangeMax Wireless Router WPN824, which is a stand-alone piece of equipment cabled to your gateway box. The Netgear WPN311 card you have in the gateway box is useless. Use it for some other PC you want on your wireless LAN.

Please take note that the built-in hardware wireless WEP/WPA encryption security is a laugh. Anybody with some free software off the internet can drive down your street and pick up your wireless base broadcast and gain access to your network and the public internet through you if you only rely on WEP/WPA encryption for access security. There are many solutions out there. Review the questions list archives on wireless security for many suggestions on how to protect your wireless network.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Moellering
Sent: Wednesday, May 24, 2006 10:33 AM
To: freebsd-questions@freebsd.org
Subject: Firewall with 3 NIC (1 wireless) problem

I am attempting to add wireless capabilities to an existing network / firewall structure. I added a wireless NIC card to the firewall (Netgear WPN311) and followed the wireless instructions. I also added a similar card to an existing computer (Netgear WG311T). The Firewall's internal wired network is on 192.168.1.1 and the Wireless card is set to 192.168.2.1. The client computer can find the wireless network and I can ping the wireless card (192.168.2.1). However, I can get nowhere else. I cannot get to the wired subnet nor outside access to the internet. I tried adding a bridge from the wired to the wireless network interfaces but that did nothing. I tried putting the wireless NIC to 192.168.1.249 but that made things worse. Any help would be greatly appreciated. Both client and firewall are running FreeBSD 6.1. Relevant (that I can think of) files from the firewall are included...

Thanks in Advance. Mark
Re: Firewall with 3 NIC (1 wireless) problem
    net.link.ether.bridge.enable=1
    net.link.ether.bridge.config=bge0, ath0

Let's have a look at ifconfig and netstat -r. What's with this bridge? Think you'd be better off without it.
Re: Firewall Speed
On Thursday 18 May 2006 14:48, Chad Leigh -- Shire.Net LLC wrote:

On May 18, 2006, at 12:39 PM, Giorgos Keramidas wrote:

On 2006-05-18 11:03, bc [EMAIL PROTECTED] wrote:

I want to run 6.1_RELEASE with Packet Filter (PF) configured as a gateway using 2 identical 10/100 NICs, on an old 450MHz Pentium with 256 MB RAM and an 8 GB HD. In general, should I expect any speed performance issues with internet access based on the processor, RAM and bus speeds of the MB? Would the PF config cause any speed performance deficiencies? I had the same setup as above but with the IPF firewall and received complaints about surfing speed so I put them back on a Linksys router firewall.

We'd have to see the ruleset to be able to reply in an informed manner. I have seen firewalls doing both filtering and NAT on a system, with almost no overhead at all though. This top output: http://keramida.serverhive.com/pixelshow-top.txt shows that a FreeBSD 5.X system with 256 MB of physical memory is happily filtering the traffic and doing NAT for more than 100 users, while still being 97% idle.

I would think it is more than CPU speed. The speed of the PCI bus and the speed and efficiency of the two network cards being used and their drivers may have a bit to do with latency (surfing speed)... Just a guess. Chad

I had a dual Pentium 100 with 96 megs of RAM that did ipf/ipnat for a 10mbps connection with a couple dozen users. CPU usage was usually around 1% and load averages .03 or so. Latency and throughput were both acceptable. The only reason I replaced the box was it was a single point of failure and the hardware was old enough that I was afraid there would be some sort of show stopper breakdown.

-- Thanks, Josh Paetzel
Re: Firewall Speed
I have a Pentium III 600MHz with 720MB RAM running FreeBSD 4.10 with IPFW+NAT+Squid+Qmail with ClamAV+dnscache, routing 4 internal networks (around 500 users), 3x 2Mbit/s links and a 1Mb internet link. Everything works perfectly!! I will change the machine for the same problem that Josh mentioned.

Regards, Alexandre

On 5/19/06, Josh Paetzel [EMAIL PROTECTED] wrote:

On Thursday 18 May 2006 14:48, Chad Leigh -- Shire.Net LLC wrote:

On May 18, 2006, at 12:39 PM, Giorgos Keramidas wrote:

On 2006-05-18 11:03, bc [EMAIL PROTECTED] wrote:

I want to run 6.1_RELEASE with Packet Filter (PF) configured as a gateway using 2 identical 10/100 NICs, on an old 450MHz Pentium with 256 MB RAM and an 8 GB HD. In general, should I expect any speed performance issues with internet access based on the processor, RAM and bus speeds of the MB? Would the PF config cause any speed performance deficiencies? I had the same setup as above but with the IPF firewall and received complaints about surfing speed so I put them back on a Linksys router firewall.

We'd have to see the ruleset to be able to reply in an informed manner. I have seen firewalls doing both filtering and NAT on a system, with almost no overhead at all though. This top output: http://keramida.serverhive.com/pixelshow-top.txt shows that a FreeBSD 5.X system with 256 MB of physical memory is happily filtering the traffic and doing NAT for more than 100 users, while still being 97% idle.

I would think it is more than CPU speed. The speed of the PCI bus and the speed and efficiency of the two network cards being used and their drivers may have a bit to do with latency (surfing speed)... Just a guess. Chad

I had a dual Pentium 100 with 96 megs of RAM that did ipf/ipnat for a 10mbps connection with a couple dozen users. CPU usage was usually around 1% and load averages .03 or so. Latency and throughput were both acceptable. The only reason I replaced the box was it was a single point of failure and the hardware was old enough that I was afraid there would be some sort of show stopper breakdown.

-- Thanks, Josh Paetzel
Re: Firewall Speed
On 2006-05-18 11:03, bc [EMAIL PROTECTED] wrote:

I want to run 6.1_RELEASE with Packet Filter (PF) configured as a gateway using 2 identical 10/100 NICs, on an old 450MHz Pentium with 256 MB RAM and an 8 GB HD. In general, should I expect any speed performance issues with internet access based on the processor, RAM and bus speeds of the MB? Would the PF config cause any speed performance deficiencies? I had the same setup as above but with the IPF firewall and received complaints about surfing speed so I put them back on a Linksys router firewall.

We'd have to see the ruleset to be able to reply in an informed manner. I have seen firewalls doing both filtering and NAT on a system, with almost no overhead at all though. This top output: http://keramida.serverhive.com/pixelshow-top.txt shows that a FreeBSD 5.X system with 256 MB of physical memory is happily filtering the traffic and doing NAT for more than 100 users, while still being 97% idle.
Re: Firewall Speed
On May 18, 2006, at 12:39 PM, Giorgos Keramidas wrote:

On 2006-05-18 11:03, bc [EMAIL PROTECTED] wrote:

I want to run 6.1_RELEASE with Packet Filter (PF) configured as a gateway using 2 identical 10/100 NICs, on an old 450MHz Pentium with 256 MB RAM and an 8 GB HD. In general, should I expect any speed performance issues with internet access based on the processor, RAM and bus speeds of the MB? Would the PF config cause any speed performance deficiencies? I had the same setup as above but with the IPF firewall and received complaints about surfing speed so I put them back on a Linksys router firewall.

We'd have to see the ruleset to be able to reply in an informed manner. I have seen firewalls doing both filtering and NAT on a system, with almost no overhead at all though. This top output: http://keramida.serverhive.com/pixelshow-top.txt shows that a FreeBSD 5.X system with 256 MB of physical memory is happily filtering the traffic and doing NAT for more than 100 users, while still being 97% idle.

I would think it is more than CPU speed. The speed of the PCI bus and the speed and efficiency of the two network cards being used and their drivers may have a bit to do with latency (surfing speed)... Just a guess. Chad
Re: firewall
On 2006-04-06 21:04, ilyana ramlan [EMAIL PROTECTED] wrote:
> hello, i have another question, Do i have to install IPTable before configuring hosts.allow file?

There is no such thing as IPTable on FreeBSD.
RE: firewall
You need to read the firewall section of the freebsd handbook.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of ilyana ramlan
Sent: Friday, April 07, 2006 12:04 AM
To: freebsd-questions@FreeBSD.org
Subject: firewall

hello, i have another question, Do i have to install IPTable before configuring hosts.allow file? thanks
Re: firewall
ilyana ramlan wrote:
> hello, i have another question, Do i have to install IPTable before configuring hosts.allow file? thanks

No; TCP wrappers are independent of your firewall.

Also, and I'm ready to stand corrected, but iptables isn't a part of FreeBSD, and isn't even ported AFAIK. FreeBSD has ipfw, ipfilter, and ipf+altq, I believe. See the FreeBSD handbook, chapter 24.

HTH,

Kevin Kinsey
--
Absence makes the heart grow frantic.
Re: Firewall log unlimited - How to?
Rodrigo G. Tavares de Souza wrote:
> Hi, I was configuring the Firewall when I got this message:
>
> Mar 20 11:16:08 bsd-net kernel: ipfw: limit 100 reached on entry 835
>
> And the firewall stopped creating log messages after this message. What do I need to do so that IPFW does not stop writing the log file? If I change this option IPFIREWALL_VERBOSE_LIMIT on kernel to:
>
> IPFIREWALL_VERBOSE_LIMIT=0

I just comment the line out entirely.

#options	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity

A limit of 0 might actually mean 0.

--Alex
Re: Firewall log unlimited - How to?
On 20/3/06 14:57, Rodrigo G. Tavares de Souza [EMAIL PROTECTED] wrote:
> Hi, I was configuring the Firewall when I got this message:
>
> Mar 20 11:16:08 bsd-net kernel: ipfw: limit 100 reached on entry 835
>
> And the firewall stopped creating log messages after this message. What do I need to do so that IPFW does not stop writing the log file? If I change this option IPFIREWALL_VERBOSE_LIMIT on kernel to:
>
> IPFIREWALL_VERBOSE_LIMIT=0

Set the net.inet.ip.fw.verbose_limit sysctl to 0.

Ceri
--
That must be wonderful! I don't understand it at all.
-- Moliere
Re: Firewall/Web server difficulties
Brian Bobowski wrote:
> Norberto Meijome wrote:
>> Brian Bobowski wrote:
>>> I'm poking at that now, yes. I had difficulty getting it to work with virtual hosts... but I can at least reference it by the private-side IP address and get places.
>> assuming you are using Apache, you can use * for IP address and let it be name-based virt host.
> Already running thus. DNS seems to be the problem, then. (Which I'll poke at later assuming hosting alternatives don't work out.)

(sorry for the delay in replying)

One thing you want to make sure you have off is the reverse dns lookup setting in your httpd.conf - it's rather useless and it will add a dependency on DNS to your web services.

>>> WAN. People have tried pinging and browsing, with no success.
>> then I would review the rules...
> Relevant rules text (and based on both startup text and behaviour of the firewall for other tasks, I know the rules file is being parsed) excerpted below:

for proper diagnosing, it'd be better to have the whole thing :) hopefully it's already fixed...

> ---
> cmd="ipfw -q add"
> pif="rl0"       #Interface which opens to the WAN; NAT interface

Is your NAT properly configured?

> prif="ed0"      #LAN interface, private-side
> ks="keep-state"
> # More stuff here...
> $cmd 400 allow udp from 24.226.1.121 to me 68 in via $pif # DHCP server
> $cmd 401 allow tcp from any to me 80 in via $pif # Apache
> $cmd 402 allow tcp from any to me 22 in via $pif # SSH
> $cmd 403 allow icmp from any to me in via $pif # For testing; low-traffic, not worried about ping floods at this time
> ---
> The firewall's DHCP requests are working fine, so #400 is working properly.

ok

> Other machines, however, cannot see it.

what do you mean by this? the fact that #400 is working doesn't mean that #401 will :) (there's nothing particularly wrong with #401.. just saying you are making the wrong assumption)

> That's one problem. The other is DNS. I'm still looking through the named.conf file and poking at the settings given for a secondary server... all I really want is a caching server that will first look at my own /etc/hosts file (where the domain names which refer to this machine are specified by their private-facing address).

hmm .. why would named.conf look into /etc/hosts? If this is your main DNS server for your zone, then make sure that it's properly delegated, that all the relevant hosts are defined IN YOUR BIND config (well, /etc/hosts can't hurt, but you are just adding extra variables that can muddle things up). There's lots of good docs on BIND out there. If you want a rather easy UI, why not install webmin from the ports?

good luck,
Beto
Re: Firewall/Web server difficulties
Brian Bobowski wrote:
> All right. I've got my firewall up and running, and my workstation can get almost anywhere it needs to just fine.

you don't say if you are using ipfw, ipf, pf

> I can access it by directly referencing the private-interface IP, but if my workstation tries to get to the public-interface IP, nothing happens. Can't even ping it. ICMP and port 80 TCP should both be allowed from anywhere... but they're not getting through.

(Assuming all your rules are ok...) AFAIK, you can't access the external interface of a NAT'ed system from the LAN side. Simply use a DNS inside that resolves the name you try to access to the internal interface instead of the external. this is FAQ, i think...

> (So far as I can tell, it's not just me who's unable to access these.)

meaning others in your LAN? or others in the WAN?

> Does NAT simply not allow for servers to be running on the machine that performs it? I know it's not ideal, but I don't have the room to install another machine even if that were in my budget. I've set up NAT and IPFW per the directions in the handbook, and aside from that one difficulty, everything seems to be working. Please reply off the list.

CCing the list for the benefit of everyone else :)

Beto
Re: Firewall/Web server difficulties
Norberto Meijome wrote:
> Brian Bobowski wrote:
>> All right. I've got my firewall up and running, and my workstation can get almost anywhere it needs to just fine.
> you don't say if you are using ipfw, ipf, pf

Sure I do. IPFW; mentioned lower down.

>> I can access it by directly referencing the private-interface IP, but if my workstation tries to get to the public-interface IP, nothing happens. Can't even ping it. ICMP and port 80 TCP should both be allowed from anywhere... but they're not getting through.
> (Assuming all your rules are ok...) AFAIK, you can't access the external interface of a NAT'ed system from the LAN side. Simply use a DNS inside that resolves the name you try to access to the internal interface instead of the external. this is FAQ, i think...

I'm poking at that now, yes. I had difficulty getting it to work with virtual hosts... but I can at least reference it by the private-side IP address and get places.

>> (So far as I can tell, it's not just me who's unable to access these.)
> meaning others in your LAN? or others in the WAN?

WAN. People have tried pinging and browsing, with no success.

>> Does NAT simply not allow for servers to be running on the machine that performs it? I know it's not ideal, but I don't have the room to install another machine even if that were in my budget. I've set up NAT and IPFW per the directions in the handbook, and aside from that one difficulty, everything seems to be working. Please reply off the list.
> CCing the list for the benefit of everyone else :)
> Beto

Hope the clarifications help,

-BB
Re: Firewall/Web server difficulties
Brian Bobowski wrote:
> Norberto Meijome wrote:
>> Brian Bobowski wrote:
>>> All right. I've got my firewall up and running, and my workstation can get almost anywhere it needs to just fine.
>> you don't say if you are using ipfw, ipf, pf
> Sure I do. IPFW; mentioned lower down.

sorry my bad

>>> I can access it by directly referencing the private-interface IP, but if my workstation tries to get to the public-interface IP, nothing happens. Can't even ping it. ICMP and port 80 TCP should both be allowed from anywhere... but they're not getting through.
>> (Assuming all your rules are ok...) AFAIK, you can't access the external interface of a NAT'ed system from the LAN side. Simply use a DNS inside that resolves the name you try to access to the internal interface instead of the external. this is FAQ, i think...
> I'm poking at that now, yes. I had difficulty getting it to work with virtual hosts... but I can at least reference it by the private-side IP address and get places.

assuming you are using Apache, you can use * for IP address and let it be name-based virt host.

>>> (So far as I can tell, it's not just me who's unable to access these.)
>> meaning others in your LAN? or others in the WAN?
> WAN. People have tried pinging and browsing, with no success.

then I would review the rules...

good luck
B
Re: Firewall/Web server difficulties
Norberto Meijome wrote:
> Brian Bobowski wrote:
>> I'm poking at that now, yes. I had difficulty getting it to work with virtual hosts... but I can at least reference it by the private-side IP address and get places.
> assuming you are using Apache, you can use * for IP address and let it be name-based virt host.

Already running thus. DNS seems to be the problem, then. (Which I'll poke at later assuming hosting alternatives don't work out.)

>> WAN. People have tried pinging and browsing, with no success.
> then I would review the rules...

Relevant rules text (and based on both startup text and behaviour of the firewall for other tasks, I know the rules file is being parsed) excerpted below:

---
cmd="ipfw -q add"
pif="rl0"       #Interface which opens to the WAN; NAT interface
prif="ed0"      #LAN interface, private-side
ks="keep-state"
# More stuff here...
$cmd 400 allow udp from 24.226.1.121 to me 68 in via $pif # DHCP server
$cmd 401 allow tcp from any to me 80 in via $pif # Apache
$cmd 402 allow tcp from any to me 22 in via $pif # SSH
$cmd 403 allow icmp from any to me in via $pif # For testing; low-traffic, not worried about ping floods at this time
---

The firewall's DHCP requests are working fine, so #400 is working properly. Other machines, however, cannot see it.

These firewall rules are essentially a slightly-modified copy of the first example NAT ruleset in the handbook's IPFW section. The modifications consist of extending the 'good-tcpo' variable to a few more ports I want to use, putting more entries for my ISP's DNS servers, adding DHCP outbound and inbound permission (67 and 68) like the second example has, and adding port 22 and ICMP in the above set.

That's one problem. The other is DNS. I'm still looking through the named.conf file and poking at the settings given for a secondary server... all I really want is a caching server that will first look at my own /etc/hosts file (where the domain names which refer to this machine are specified by their private-facing address).

Any assistance, as always, appreciated. Especially with the first problem. (Off-list as I can't keep up with the volume of list delivery.)

-BB
Re: firewall messages to syslogd
On Oct 29, 2005, at 10:32 PM, Daniel Molina Wegener wrote:
> Hello, How can I add firewall log messages to syslogd? I have added the following lines to the syslog.conf:
>
> # router
> +router
> *.*     /var/log/router.log
>
> Also, syslogd is running with the flag -a with the ip address of the firewall -- the mask, and service. The computer receives the packets on port 514 -- I've used tcpdump to log the packets -- but the messages are not logged into the router.log file.

Try the following in your /etc/syslog.conf file, assuming you're using ipfw as your firewall:

#ipfw logging
!ipfw
*.*     /var/log/router.log

Now, perform the following commands, assuming you're running FreeBSD 5.x+:

# touch /var/log/router.log
# chmod 0600 /var/log/router.log
# /etc/rc.d/syslogd restart

Let me know what happens

-
Eric F Crist
Secure Computing Networks
http://www.secure-computing.net
Re: firewall messages to syslogd
On Sun, Oct 30, 2005 at 09:22:39AM -0600, Eric F Crist wrote:
> On Oct 29, 2005, at 10:32 PM, Daniel Molina Wegener wrote:
>> Hello, How can I add firewall log messages to syslogd? I have added the following lines to the syslog.conf:
>>
>> # router
>> +router
>> *.*     /var/log/router.log
>>
>> Also, syslogd is running with the flag -a with the ip address of the firewall -- the mask, and service. The computer receives the packets on port 514 -- I've used tcpdump to log the packets -- but the messages are not logged into the router.log file.
>
> Try the following in your /etc/syslog.conf file, assuming you're using ipfw as your firewall:

No, the problem was while I was trying to retrieve syslog messages from a firewall.

> #ipfw logging
> !ipfw
> *.*     /var/log/router.log

That's OK, and works well; the problem was with an external firewall/router sending messages to syslogd, port 514. This needs the use of +host_name to log messages from the host_name machine. Well, now it works...

> Now, perform the following commands, assuming you're running FreeBSD 5.x+:
>
> # touch /var/log/router.log
> # chmod 0600 /var/log/router.log
> # /etc/rc.d/syslogd restart
>
> Let me know what happens

Now syslogd is receiving messages from the firewall :)

Thanks...

> -
> Eric F Crist
> Secure Computing Networks
> http://www.secure-computing.net
[SNIP]

Regards
--
 . 0 . | Daniel Molina Wegener
 . . 0 | dmw at unete dot cl
 0 0 0 | FreeBSD Power User
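Once ipfw log lines are landing in /var/log/router.log as set up above, the next question is what to do with them, and the earlier thread shows the one wrinkle to keep in mind: once IPFIREWALL_VERBOSE_LIMIT is hit, the kernel prints "ipfw: limit 100 reached on entry 835" and logs nothing further for that rule. The Python below is an added example, not code from anyone in this thread. It summarises such a file: denied packets per source address and per rule, the destination ports each source probed, and which rules hit their verbose limit (so their counts are only a lower bound). The sample lines are constructed for the example, laid out the way ipfw(8) logs via syslog (rule number, action, protocol, source, destination, direction, interface); the hostname, addresses, rule numbers and the stray sshd line are made up.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample input: hostname, addresses and rule numbers are made up,
# laid out the way ipfw(8) logs via syslog
# ("ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <if>")
# plus the "limit N reached on entry R" line that verbose_limit produces.
SAMPLE_LOG = """\
Mar 20 11:15:58 bsd-net kernel: ipfw: 401 Accept TCP 198.51.100.7:40211 203.0.113.2:80 in via rl0
Mar 20 11:16:01 bsd-net kernel: ipfw: 835 Deny TCP 192.0.2.10:51234 203.0.113.2:110 in via rl0
Mar 20 11:16:02 bsd-net kernel: ipfw: 835 Deny TCP 192.0.2.10:51235 203.0.113.2:110 in via rl0
Mar 20 11:16:03 bsd-net kernel: ipfw: 835 Deny TCP 192.0.2.10:51236 203.0.113.2:22 in via rl0
Mar 20 11:16:04 bsd-net sshd[812]: Accepted publickey for admin from 198.51.100.7 port 40300 ssh2
Mar 20 11:16:05 bsd-net kernel: ipfw: 835 Deny UDP 192.0.2.44:5353 203.0.113.2:5353 in via rl0
Mar 20 11:16:06 bsd-net kernel: ipfw: 403 Accept ICMP:8.0 198.51.100.9 203.0.113.2 in via rl0
Mar 20 11:16:08 bsd-net kernel: ipfw: limit 100 reached on entry 835
"""

PACKET_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
LIMIT_RE = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")


@dataclass
class Summary:
    denies_by_src: Counter = field(default_factory=Counter)
    denies_by_rule: Counter = field(default_factory=Counter)
    ports_by_src: Dict[str, Set[int]] = field(default_factory=lambda: defaultdict(set))
    capped_rules: Dict[int, int] = field(default_factory=dict)  # rule -> limit that was hit
    unparsed: List[str] = field(default_factory=list)


def parse_log(text: str) -> Summary:
    """Summarise ipfw syslog output: only Deny lines are counted, and a
    'limit reached' line marks its rule as capped (later hits were never logged)."""
    s = Summary()
    for line in text.splitlines():
        if "ipfw:" not in line:
            continue                      # not an ipfw message (e.g. sshd)
        m = LIMIT_RE.search(line)
        if m:
            s.capped_rules[int(m["rule"])] = int(m["limit"])
            continue
        m = PACKET_RE.search(line)
        if not m:
            s.unparsed.append(line)       # keep anything the pattern did not understand
            continue
        if m["action"] != "Deny":
            continue
        rule, src = int(m["rule"]), m["src"]
        s.denies_by_src[src] += 1
        s.denies_by_rule[rule] += 1
        if m["dport"]:                    # ICMP lines carry no port
            s.ports_by_src[src].add(int(m["dport"]))
    return s


def noisy_sources(s: Summary, threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` denied packets, busiest first."""
    return [src for src, n in s.denies_by_src.most_common() if n >= threshold]


def report(s: Summary) -> str:
    lines = []
    for src, n in s.denies_by_src.most_common():
        ports = ",".join(str(p) for p in sorted(s.ports_by_src[src])) or "-"
        lines.append(f"{src:<16} denies={n:<4} dports={ports}")
    for rule, limit in sorted(s.capped_rules.items()):
        lines.append(f"rule {rule}: logging stopped after {limit} entries; its counts above "
                     f"are a lower bound (net.inet.ip.fw.verbose_limit=0 lifts the cap)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_log(SAMPLE_LOG)))
```

Run against the constructed input it reports 192.0.2.10 with three denies on ports 22 and 110, one deny from 192.0.2.44, and flags rule 835 as capped. The capped-rule check is the part worth keeping: a rule that stopped logging is easy to misread as a rule that stopped matching.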
Re: Firewall or not ...
--On Wednesday, September 21, 2005 21:05:36 +0200 Kiffin Gish [EMAIL PROTECTED] wrote:
> I have installed FreeBSD 5.4 on my Dell Inspiron 8200 using WiFi to access the Internet. My question is what are the pros and cons of running a firewall on my client, e.g. is it really necessary. I mean it's not like I am running Windows and have to bloat it with all McAfee, Zonealarm ad infinitum -- or do I?

That depends entirely on how you've set the box up. If you have services running that are binding to internet-addressable ports, then you *may* want to firewall them off to minimize attack possibilities. E.g. you're running ssh - so you restrict access to it through the firewall config to a limited number of allowed external hosts.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Re: Firewall or not ...
On Wed, 21 Sep 2005 21:05:36 +0200 Kiffin Gish [EMAIL PROTECTED] wrote:
> I have installed FreeBSD 5.4 on my Dell Inspiron 8200 using WiFi to access the Internet. My question is what are the pros and cons of running a firewall on my client, e.g. is it really necessary. I mean it's not like I am running Windows and have to bloat it with all McAfee, Zonealarm ad infinitum -- or do I? Thanks a lot in advance.

The rule of thumb is to disallow everything other than the services you want to be able to access from the outside. FreeBSD makes it easy with 3 firewalling systems available and pretty decent scripts. Read /etc/defaults/rc.conf to find out more about the options to put in your /etc/rc.conf to enable and quickly configure your firewall.

Cheers,
Marcin
Re: Firewall or not ...
On Wed, 2005-09-21 at 19:20 +, Marcin Jessa wrote:
> On Wed, 21 Sep 2005 21:05:36 +0200 Kiffin Gish [EMAIL PROTECTED] wrote:
>> I have installed FreeBSD 5.4 on my Dell Inspiron 8200 using WiFi to access the Internet. My question is what are the pros and cons of running a firewall on my client, e.g. is it really necessary. I mean it's not like I am running Windows and have to bloat it with all McAfee, Zonealarm ad infinitum -- or do I? Thanks a lot in advance.

I have a firewall set up on my laptop, as it is company policy. FreeBSD makes it fairly simple to set up and use with the options in /etc/rc.conf, and I rarely have any need to tweak it. I have a fairly lightly modified CLIENT type firewall. DHCP is an issue, but a quick script at boot can be used to grab the dynamic IP without too much trouble. Otherwise I really do not have performance issues, connectivity problems, etc, that are worth mentioning.

I like to keep a decent eye on security, but to my knowledge I have never run into an occasion where someone has tried to hack into my laptop through wireless or wired, in a way that would work. I have certainly seen attempted MS-Windows hacks, etc. But nothing that would actually affect FreeBSD. I keep the system fairly up to date, and rarely have any problems with security. (The problems I have had, a firewall would not fix anyway.) I highly suspect that I could stop using the firewall altogether and it would not make that much of a difference.

So do you need a firewall? Probably not. But since it is really not that hard to set up and manage on FreeBSD, I would advise anyone to use one if they can.

--
Marius M. Rex
Sr. System Admin.
Community Connect Inc.
[EMAIL PROTECTED]
Re: Firewall or not ...
On Wed, Sep 21, 2005 at 09:05:36PM +0200, Kiffin Gish wrote:
> I have installed FreeBSD 5.4 on my Dell Inspiron 8200 using WiFi to access the Internet. My question is what are the pros and cons of running a firewall on my client, e.g. is it really necessary.

A pro would be that a firewall enables you to keep people from accessing your laptop remotely. WiFi connections aren't that secure, unless you encrypt the traffic. So if your laptop is not a server, use a firewall to disable all incoming packets except those related to connections you initiated. That way you can secure necessary services like mail and printing.

> I mean it's not like I am running Windows and have to bloat it with all McAfee, Zonealarm ad infinitum -- or do I?

I've got pf on my workstation. I haven't noticed any performance or network speed loss while using it. So I can see few reasons not to use a firewall. If you're not running windows, don't bother with a virus scanner. Do filter your mail for spam, though.

Roland
--
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
Re: Firewall/NAT/Traffic Shapper
On 8/30/05, Ionut Anghel [EMAIL PROTECTED] wrote:
> Hi, I'm trying to set up a Firewall/NAT/Traffic Shaper server using FreeBSD 5.3. I install all the packages, including kernel sources... everything's ok. Then I activate ipnat and natd in rc.conf and all the clients behind the router can access the Internet. But, if I want to install dummynet (I add options dummynet and ipfirewall in kernel source) and recompile the kernel, after the reboot, nothing's working any more! Not even from the server! I can't even ping a NIC. I have read lots of tutorials, but nothing's helpful... Please, tell me the correct steps I should follow in order to do what I want to do (or give me a good and complete tutorial). Thanks in advance!

1. Download m0n0wall: http://www.m0n0.ch/wall/download.php?file=generic-pc-1.2b9.img
2. Put the firewall box's hard drive or CompactFlash card in/on your desktop PC.
3. Follow the guide on how to image the hard drive or CF card with the file you downloaded: http://www.m0n0.ch/wall/installation_generic.php
4. Insert the HD or CF card back into the firewall PC, connect a monitor and keyboard, turn the unit on.
5. Follow the steps presented at the console, then reboot.
6. Disconnect the monitor and keyboard.
7. Point your web browser to the IP of your m0n0wall firewall box and log in.
Re: firewall on FreeBSD
--On June 26, 2005 12:40:14 AM +0100 Alex Zbyslaw [EMAIL PROTECTED] wrote:
> Paul Schmehl wrote:
>> --On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:
>>> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF doesn't support the 'quick' keyword?? Thought PF on freebsd and openbsd was identical, isn't it?
>> pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.
> This makes no sense to me. The two firewalls work very differently. In pf, each rule is always processed on every packet and the last rule matching determines the action. quick terminates the rule matching and forces the quick rule to be, in effect, the final rule (assuming the packet matched it). ipfw does not match every rule for every packet, rather it processes down the rules until the packet matches one with a terminating action such as accept or deny. No quick keyword is needed.

Precisely.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
Re: firewall on FreeBSD
* Paul Schmehl [EMAIL PROTECTED] [2005-06-24 12:58:51 -0500]:
> I've been using pf for a few years now, and I've never had problems understanding the syntax or how it works (but I also never do NAT, so that might be the reason it seems easy to me.)

Yes, pf is great, but doing NAT with pf is also just as easy to understand. It depends on what you are doing, but for most people using NAT is as easy as turning on ip forwarding via sysctl and adding a single line to your pf.conf configuration file (nat on $ext_if...).

Thomas
--
N.J. Thomas
[EMAIL PROTECTED]
Etiamsi occiderit me, in ipso sperabo
Re: firewall on FreeBSD
Giorgos Keramidas wrote:
> On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
>> Paul Schmehl wrote:
>>> pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.
>> This makes no sense to me. The two firewalls work very differently. [...]
> You describe very nicely the way rules are matched by two of the three different firewalls available on FreeBSD. The description, being very correct, *does* make sense. Why do you say that ``This makes no sense to you''?

Maybe I'm misreading something, or taking it out of context, but the statement "ipfw does not support the quick keyword" makes no sense to me. For me, it implies that somehow ipfw could (or even should) support the quick keyword, and that is nonsensical. The way ipfw rules work there is not only no need to support a quick keyword, but no point in supporting one because all relevant matches are already quick, by definition.

Maybe I'm being overly pedantic, but if I had stumbled across this message in an archive search, and knew nothing about FreeBSD firewalls, I could easily take it to mean that ipfw was lacking a feature with respect to pf when, in fact, it wasn't. (There may be plenty of other reasons for picking one firewall or the other, but the lack of a quick keyword in ipfw isn't one of them).

Am *I* making any more sense, now?

--Alex
Re: firewall on FreeBSD
On 2005-06-26 22:15, Alex Zbyslaw [EMAIL PROTECTED] wrote:
> Giorgos Keramidas wrote:
>> On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
>>>> pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.
>>> This makes no sense to me. The two firewalls work very differently. [...]
>> You describe very nicely the way rules are matched by two of the three different firewalls available on FreeBSD. The description, being very correct, *does* make sense. Why do you say that ``This makes no sense to you''?
> Maybe I'm misreading something, or taking it out of context, but the statement "ipfw does not support the quick keyword" makes no sense to me. [...] Am *I* making any more sense, now?

Yes, thank you :)
Re: firewall on FreeBSD
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Khanh Cao Van
Sent: Friday, June 24, 2005 9:33 AM
To: freebsd-questions
Subject: firewall on freebsd

I'm going to learn about the freebsd firewall. The handbook lists some of them and I could not find out which is the best. So I decided to post here hoping to gain some of your opinion and experience. I would like to know which firewall is the most wanted? I have used Linux for several months and iptables was a good stateful firewall. What about in freeBSD?

FreeBSD has m0n0wall and it just works. For example, yesterday I set up a site to site VPN using two m0n0wall boxes and it took me less than 5 minutes to reconfigure, in production use systems, the boxes to do it. I think I spent more time trying to generate a suitable 3DES shared key than it did to reconfigure the boxes
Re: firewall on FreeBSD
...snip...
|
| Personally, I like the quick keyword of the OpenBSD firewall, (but not enough to bother installing it.)
|
| Paul Schmehl ([EMAIL PROTECTED])

I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF doesn't support the 'quick' keyword?? Thought PF on freebsd and openbsd was identical, isn't it?

mess-mate
--
What I tell you three times is true.
-- Lewis Carroll
Re: firewall on FreeBSD
On Sat, Jun 25, 2005 at 08:42:24AM +0200, mess-mate wrote:
> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF doesn't support the 'quick' keyword?? Thought PF on freebsd and openbsd was identical, isn't it?

I don't know if they're identical, but PF does support the 'quick' keyword on FreeBSD.

Roland
--
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
Re: firewall on FreeBSD
mess-mate wrote:
> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF doesn't support the 'quick' keyword?? Thought PF on freebsd and openbsd was identical, isn't it?

It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if your OBSD is the latest or updated after 3.6, then you might have functionalities not supported yet on FBSD.

The basic stuff is all the same, I don't think anyone could survive without 'quick', just as 'pass' and 'block' are supported on both platforms :-)

Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Re: firewall on FreeBSD
On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
> mess-mate wrote:
>> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF doesn't support the 'quick' keyword?? Thought PF on freebsd and openbsd was identical, isn't it?
>
> It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if your OBSD is the latest or updated after 3.6, then you might have functionalities not supported yet on FBSD.
>
> The basic stuff is all the same, I don't think anyone could survive without 'quick', just as 'pass' and 'block' are supported on both platforms :-)
>
> Cheers, Erik

Minor correction: pf is built into the kernel by default in FreeBSD 5.4. I think this started with FreeBSD 5.3. It may still be in the ports system; but that would be for use in FreeBSD 4* and earlier versions of 5*.

Have a great weekend!

Andrew Gould
Re: firewall on FreeBSD
Andrew L. Gould [EMAIL PROTECTED] wrote:
| On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
| mess-mate wrote:
| I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF doesn't support the 'quick' keyword?? Thought PF on freebsd and openbsd was identical, isn't it?
|
| It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if your OBSD is the latest or updated after 3.6, then you might have functionalities not supported yet on FBSD.
|
| The basic stuff is all the same, I don't think anyone could survive without 'quick', just as 'pass' and 'block' are supported on both platforms :-)
|
| Cheers, Erik
|
| Minor correction: pf is built into the kernel by default in FreeBSD 5.4. I think this started with FreeBSD 5.3. It may still be in the ports system; but that would be for use in FreeBSD 4* and earlier versions of 5*.
|
| Have a great weekend!
|
| Andrew Gould
|

The openbsd version is 3.5. Can I port the pf config file to freebsd?

great weekend too.

mess-mate
--
There is a 20% chance of tomorrow.
Re: firewall on FreeBSD
--On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:
> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4
> Do you mean freebsd's PF don't support the 'quick' keyword ??
> Thought PF on freebsd and openbsd was identical, isn't ?

pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
Re: firewall on FreeBSD
Paul Schmehl wrote:
> --On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:
>> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4
>> Do you mean freebsd's PF don't support the 'quick' keyword ??
>> Thought PF on freebsd and openbsd was identical, isn't ?
>
> pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.

This makes no sense to me. The two firewalls work very differently. In pf, each rule is always processed on every packet and the last rule matching determines the action. quick terminates the rule matching and forces the quick rule to be, in effect, the final rule (assuming the packet matched it). ipfw does not match every rule for every packet; rather it processes down the rules until the packet matches one with a terminating action such as accept or deny. No quick keyword is needed.

--Alex
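The difference Alex describes (pf evaluates every rule and the last match wins unless a rule is `quick`; ipfw stops at the first terminating match) is easy to get wrong when carrying a ruleset from one firewall to the other. The following toy model is an added example and not code from the thread or from either firewall; the `Rule`/`Packet` representation is a simplified stand-in of my own, not real pf.conf or ipfw syntax, and the addresses in the sample packets are constructed (RFC 5737 and RFC 1918 space). It shows the same three-rule policy producing different verdicts under the two semantics, and what `quick` changes.

```python
"""Toy model of pf's and ipfw's rule evaluation (added example, not code
from the thread).  Rule/packet representation is a simplified stand-in,
not real pf.conf or ipfw syntax."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    src: str  # sample addresses below are constructed (RFC 5737 / RFC 1918)


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: Optional[str] = None      # None = any protocol
    dst_port: Optional[int] = None   # None = any port
    src: Optional[str] = None        # None = any source; else an address prefix
    quick: bool = False              # honoured by pf_decide only

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.src is None or pkt.src.startswith(self.src)))


def pf_decide(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf semantics: every rule is evaluated and the *last* match wins,
    unless a matching rule is 'quick', which ends evaluation at once."""
    decision = default
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


def ipfw_decide(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """ipfw semantics: the *first* matching rule with a terminating action
    (accept/deny, modelled here as pass/block) decides; no 'quick' needed."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def without_quick(rules: List[Rule]) -> List[Rule]:
    """Same ruleset with every 'quick' flag cleared, to show its effect."""
    return [replace(r, quick=False) for r in rules]


# Constructed pf-style ruleset: a quick block for one abusive host, then the
# usual pf idiom of "block everything, then pass what you want".
PF_RULES = [
    Rule("block", src="192.0.2.99", quick=True),   # block quick from <bad host>
    Rule("block"),                                 # block in all
    Rule("pass", proto="tcp", dst_port=22),        # pass in proto tcp to port 22
]

# The same policy written for ipfw, where the order is reversed: specific
# pass/deny rules first, catch-all deny last.
IPFW_RULES = [
    Rule("block", src="192.0.2.99"),
    Rule("pass", proto="tcp", dst_port=22),
    Rule("block"),
]

SSH_FROM_LAN = Packet("tcp", 22, "10.0.0.5")      # constructed sample packets
SSH_FROM_BAD = Packet("tcp", 22, "192.0.2.99")
DNS_FROM_LAN = Packet("udp", 53, "10.0.0.5")


def demo() -> dict:
    """Evaluate the sample packets under each firewall's semantics."""
    return {
        "pf: ssh from LAN": pf_decide(PF_RULES, SSH_FROM_LAN),
        "pf: ssh from bad host": pf_decide(PF_RULES, SSH_FROM_BAD),
        "pf without quick: ssh from bad host": pf_decide(without_quick(PF_RULES), SSH_FROM_BAD),
        "ipfw given the pf ordering: ssh from LAN": ipfw_decide(PF_RULES, SSH_FROM_LAN),
        "ipfw: ssh from LAN": ipfw_decide(IPFW_RULES, SSH_FROM_LAN),
        "ipfw: ssh from bad host": ipfw_decide(IPFW_RULES, SSH_FROM_BAD),
        "pf: dns from LAN": pf_decide(PF_RULES, DNS_FROM_LAN),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:42s} -> {verdict}")
```

Two things to notice when running it: feeding the pf ordering to the ipfw evaluator blocks the SSH packet from the LAN, because the catch-all `block` is hit first, and clearing `quick` on the first pf rule lets the later `pass` override the block for the abusive host. That second case is exactly why `quick` matters in pf and why a port of a pf.conf must keep it, while the ipfw version encodes the same intent through rule order alone.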
Re: firewall on FreeBSD
On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
> Paul Schmehl wrote:
>> pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.
>
> This makes no sense to me. The two firewalls work very differently. In pf, each rule is always processed on every packet and the last rule matching determines the action. quick terminates the rule matching and forces the quick rule to be, in effect, the final rule (assuming the packet matched it). ipfw does not match every rule for every packet; rather it processes down the rules until the packet matches one with a terminating action such as accept or deny. No quick keyword is needed.

You describe very nicely the way rules are matched by two of the three different firewalls available on FreeBSD. The description, being very correct, *does* make sense. Why do you say that "This makes no sense to you"?
