Re: ipf not working correctly???

2005-06-22 Thread Lowell Gilbert
Don't top-post, please.

RYAN vAN GINNEKEN <[EMAIL PROTECTED]> writes:

> Thanks but do you have any advice for me rather than fbsd_user

Not much; your message was hard to follow, and the configuration
didn't seem to match the behavior you observed (e.g., ipfilter wasn't
even in the kernel configuration, but seemed to be stopping packets).

Unless you have a specific reason otherwise, follow the other poster's
advice and stick to one firewall configuration.

When you are looking for DNS problems, check from the machine running
the NAT, so that you can separate problems with NAT from problems with
packet filtering.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ipf not working correctly???

2005-06-21 Thread RYAN vAN GINNEKEN

Thanks but do you have any advice for me rather than fbsd_user

"fbsd_user" <[EMAIL PROTECTED]> writes:


Your first problem is you have ipfw and ipf both turned on in kernel
and rc.conf.
You can only have one firewall on at a time.


For the record, that is not true.  They can coexist, and there are
even some (unusual) situations where doing so is useful.


Re: ipf not working correctly???

2005-06-21 Thread RYAN vAN GINNEKEN
Ok, thank you for your reply. I have followed the newest handbook to the
letter; did you read my email?? Which part is incorrect? The ipf stuff is
commented out of my kernel and also turned off in rc.conf. I have had
to re-enable ipfw in the kernel to get natd and my server to work
properly again.  If I remove the firewall and ipdivert options my server
will no longer route packets to my LAN.  I will recompile my kernel one
more time with no firewall option at all and comment out all the natd
and ipfw lines from rc.conf just to humor you and because I am desperate
for this to work.  Note I have already tried this but will try again.

Also, you can have both enabled; however, I only want ipf for now.


fbsd_user wrote:

> Your first problem is you have ipfw and ipf both turned on in kernel
> and rc.conf.
> You can only have one firewall on at a time.
> Remove all "firewall" and ipf statements from the kernel and
> recompile or just use the generic kernel. Then remove all "firewall"
> and "natd" statements from rc.conf.
>
> Then go back and read the FreeBSD handbook section on firewalls; it's
> been updated to give detailed instructions on what to do. Follow
> them to the letter and you will be all set.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of RYAN vAN GINNEKEN
> Sent: Tuesday, June 21, 2005 3:58 PM
> To: freebsd-questions@freebsd.org
> Subject: ipf not working correctly???




Re: ipf not working correctly???

2005-06-21 Thread Lowell Gilbert
"fbsd_user" <[EMAIL PROTECTED]> writes:

> Your first problem is you have ipfw and ipf both turned on in kernel
> and rc.conf.
> You can only have one firewall on at a time.

For the record, that is not true.  They can coexist, and there are
even some (unusual) situations where doing so is useful.


RE: ipf not working correctly???

2005-06-21 Thread fbsd_user
Your first problem is you have ipfw and ipf both turned on in kernel
and rc.conf.
You can only have one firewall on at a time.
Remove all "firewall" and ipf statements from the kernel and
recompile or just use the generic kernel. Then remove all "firewall"
and "natd" statements from rc.conf.

Then go back and read the FreeBSD handbook section on firewalls; it's
been updated to give detailed instructions on what to do. Follow
them to the letter and you will be all set.




ipf not working correctly???

2005-06-21 Thread RYAN vAN GINNEKEN
Hello all, I use FreeBSD stable 4.11 and wish to use the built-in ipf version
3.x something. I have been using ipfw with type set to open; however, I
have recently been attacked and need to beef up security.




I have followed the basic setup that is in the FreeBSD handbook and read
through the world famous ipf howto lots of times.




Currently I have the below options compiled into my kernel. The docs I
have read say you do not need to compile ipfilter options into the
kernel to use it.  I was going to uncomment the ipfilter stuff and
comment out the ipfirewall options when I got ipfilter working.  Is it
necessary to recompile the kernel without ipfirewall options to make
ipfilter work?




Kernel OPTIONS

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT

#options IPFILTER
#options IPFILTER_LOG
#options IPFILTER_DEFAULT_BLOCK



IN MY /etc/rc.conf==

#IPF & IPNAT
ipfilter_enable="YES"              # Start ipf firewall
#ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file
ipfilter_rules="/etc/ipfopen.rules"

ipmon_enable="YES"                 # Start IP monitor log
ipmon_flags="-Ds"                  # D = start as daemon, s = log to syslog, v =

ipnat_enable="YES"                 # Start ipnat function
ipnat_rules="/etc/ipnat.rules"     # rules definition file for ipnat

AS WELL AS THIS TO TURN OFF IPFILTER AND NATD

#IPFW & NATD
firewall_enable="NO"
firewall_type="OPEN"
firewall_quiet="NO"
#firewall_script="/etc/rc.firewall"

natd_enable="NO"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

HERE IS /etc/ipnat.rules=

# the rule that forwards everything
map xl0 192.168.0.0/16 -> 0/32

#VNC HOSTS
#HOST 1
#java
rdr xl0 0/32 port 5801 -> 192.168.0.1 port 5801
#no java
rdr xl0 0/32 port 5901 -> 192.168.0.1 port 5901

#HOST 2
#java
rdr xl0 0/32 port 5802 -> 192.168.0.1 port 5802
#no java
rdr xl0 0/32 port 5902 -> 192.168.0.1 port 5902

===

PLEASE FIND MY ipf.rules ATTACHED TO this email. I have even tried to use
the following rule set to see if I could get ipf to work as an open
firewall, but it still seems to block too much.


===

pass out quick on lo0 all
pass in quick on lo0 all

pass out quick on xl1 all
pass in quick on xl1 all

pass out quick on xl0 all
pass in quick on xl0 all


When I ping google.ca I get errors about unknown hostname.  When I ping
Google's IP address I get permission denied over and over again.  When I
try to use lynx I get alert destination host unreachable.  Seems like
DNS?? When I turn off ipf and use ipfw set to open everything works fine
again.  Please, someone help; what is going wrong?  ipmon/ipfstat do not
seem to help but maybe I need some guidance with these tools.



#
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#

pass out quick on xl1 all
pass in quick on xl1 all

#fail safe open all on outside interface

#pass out quick on xl0 all
#pass in quick on xl0 all
#pass out quick on xl0 from any to any all
#pass in quick on xl0 from any to any all

#
# No restrictions on Loopback Interface
#
pass in quick on lo0 all
pass out quick on lo0 all

#
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#

# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
#pass out quick on xl0 proto tcp from any to 192.168.0.202 port = 53 flags S keep state
#pass out quick on xl0 proto udp from any to 192.168.0.202 port = 53 keep state
#pass out quick on xl0 proto tcp from any to 64.59.135.133 port = 53 flags S keep state
#pass out quick on xl0 proto udp from any to 64.59.135.135 port = 53 keep state
pass out quick on xl0 proto tcp from any to any port = 53 flags S keep state
pass out quick on xl0 proto udp from any to any port = 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public Internet, so you can delete this whole group.
# Use the following rule and check log f
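The poster says ipmon and ipfstat "do not seem to help". The script below is an added example, not code from the thread or from IPFilter: it parses the syslog lines that the poster's `ipmon -Ds` setting writes and tallies which interface, direction, protocol, destination port and rule blocked packets, so a dropped DNS or ICMP flow shows up as a packet-filter decision on a named interface, the distinction Lowell Gilbert asks for when separating NAT trouble from filter trouble. The log lines, hostname, addresses and rule numbers are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample ipmon output in the syslog form that "ipmon -Ds" produces
# (not lines from the thread). xl0 is the outside interface, xl1 the LAN side.
# The filter logs private source addresses on xl0 OUT because ipnat is applied
# after the filter on output (and before it on input).
SAMPLE_LOG = """\
Jun 21 16:03:12 gw ipmon[271]: 16:03:12.201934 xl0 @0:1 b 192.168.0.5,1034 -> 64.59.135.133,53 PR udp len 20 62 OUT
Jun 21 16:03:12 gw ipmon[271]: 16:03:12.202118 xl0 @0:1 b 192.168.0.5,1034 -> 64.59.135.135,53 PR udp len 20 62 OUT
Jun 21 16:03:15 gw ipmon[271]: 16:03:15.010233 xl0 @0:1 b 192.168.0.5 -> 216.239.39.99 PR icmp len 20 84 icmp 8/0 OUT
Jun 21 16:03:20 gw ipmon[271]: 16:03:20.554312 xl1 @0:3 p 192.168.0.5,1035 -> 192.168.0.202,53 PR udp len 20 62 IN
Jun 21 16:03:21 gw ipmon[271]: 16:03:21.000001 xl0 @0:2 b 10.9.8.7,4444 -> 203.0.113.10,22 PR tcp len 20 60 -S IN
"""

# iface @group:rule action src[,port] -> dst[,port] PR proto len hlen total [flags] IN|OUT
LINE_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[pbSnL]+) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len \d+ \d+(?P<extra>.*?) (?P<dir>IN|OUT)$"
)

def parse_line(line):
    """Return the fields of one ipmon filter-log line, or None if it is not one."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["extra"] = rec["extra"].strip()   # TCP flags or "icmp type/code"
    return rec

def summarize_blocks(text):
    """Count blocked packets by (iface, direction, proto, dst port, rule)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"].startswith("b"):
            key = (rec["iface"], rec["dir"], rec["proto"], rec["dport"] or "-",
                   "@%s:%s" % (rec["group"], rec["rule"]))
            counts[key] += 1
    return counts

def blocked_dns(counts):
    """Blocked port-53 flows: the first thing to look for behind 'unknown host'."""
    return {k: v for k, v in counts.items() if k[2] in ("tcp", "udp") and k[3] == "53"}

if __name__ == "__main__":
    for key, n in sorted(summarize_blocks(SAMPLE_LOG).items()):
        print("%-4s %-3s %-4s port %-3s rule %-5s blocked %d" % (key + (n,)))
```

Run it against the real file with `summarize_blocks(open("/var/log/ipf.log").read())` or whatever path syslog.conf sends ipmon output to; a block count on the outside interface for port 53 OUT means the ruleset, not ipnat, is stopping resolution.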