Re: ipfw and tun0

2005-07-24 Thread Dirk GOUDERS

 > > Well, I am a little bit confused, because usually, I run machines with
 > > "real" NICs and if I activate firewall rules that drop packets from
 > > that NIC, I can run tcpdump on that NIC and will not see the dropped
 > > packets.
 > 
 > Are you 100% certain of that?

No, I now realize that I was always inspecting ipfw's log messages
and just assumed that dropped packets do not appear to tcpdump, without
ever verifying that assumption.  Thanks for pointing that out.

 > > Does that mean that there is no way to inspect the network
 > > traffic from tun0 after it has been "cleaned up" by ipfw and that is
 > > not forwarded to the internal NIC?
 > 
 > You can either add a log rule after your IPFW reject rules, and have the 
 > firewall itself log the traffic which is permitted through, or you could use
 > another divert rule and force that traffic into a daemon which looks at the 
 > packets (this is how natd works, after all).

I guess, I will use ipfw's logging facility.

Thanks again for clarification.

Dirk
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ipfw and tun0

2005-07-24 Thread Chuck Swiger

Dirk GOUDERS wrote:
[ ... ]
>> If you are using PPPoE, the system de-encapsulates the IP traffic off of the
>> PPP session via the tun0 interface.  tun0 can be treated as your "external
>> interface" when writing firewall rules, setting up NAT, etc.
>
> Well, I am a little bit confused, because usually, I run machines with
> "real" NICs and if I activate firewall rules that drop packets from
> that NIC, I can run tcpdump on that NIC and will not see the dropped
> packets.


Are you 100% certain of that?  What you've described does not match how tcpdump 
on a BSD system works here:


nfw1# ipfw add 10 deny ip from any to any 321
00010 deny ip from any to any dst-port 321
nfw1# tcpdump -nt -i fxp0 port 321
tcpdump: listening on fxp0
68.161.54.113.2145 > 199.103.21.225.321: S 610825795:610825795(0) win 57344 
 (DF)
68.161.54.113.2145 > 199.103.21.225.321: S 610825795:610825795(0) win 57344 
 (DF)

^C
44 packets received by filter
0 packets dropped by kernel

tcpdump sees the incoming SYN packets just fine, even if IPFW denies them in 
the very first rule.



> This is the naive view I have about this:
>
> NIC device (e.g. xl0)
>
>  ----------------------------------------------------------
>  packets -> packets ->... packets -> packets ->
>  ----------------------------------------------------------
>           ^                          ^
>           |                          |
>   Here, ipfw checks          Here, tcpdump listens
>   the packets against        and doesn't see dropped
>   its rules and probably     packets
>   drops packets


There's a diagram in the IPFW manpage that has a better description of the 
packet flow.  tcpdump runs sooner than you've shown, and traffic through most 
interfaces is bidirectional.



>> Right.  This implies that the firewall rules are working.  If you
>> want to see what the situation looks like to a client machine
>> behind the firewall, either tcpdump on a client machine, or tcpdump
>> on the internal interface of the firewall box...
>
> Does that mean that there is no way to inspect the network
> traffic from tun0 after it has been "cleaned up" by ipfw and that is
> not forwarded to the internal NIC?


You can either add a log rule after your IPFW reject rules, and have the 
firewall itself log the traffic which is permitted through, or you could use 
another divert rule and force that traffic into a daemon which looks at the 
packets (this is how natd works, after all).


--
-Chuck
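Chuck's first suggestion (both here and in his 07-22 reply) is to let ipfw itself record what survives the ruleset, since tcpdump on tun0 taps inbound frames before the firewall runs. The following Python script is an added example, not code from this thread or from FreeBSD: it parses ipfw syslog lines and reports, per interface, what was denied and what was accepted, so the "cleaned up" view of tun0 can be read from the log instead of from a capture. The sample syslog excerpt is constructed (the two public addresses are borrowed from Chuck's tcpdump session, the rest is made up), the `ipfw: <rule> <Action> <PROTO> <src>:<port> <dst>:<port> <in|out> via <iface>` line shape is an assumption about what ipfw writes when a rule carries the `log` keyword, and the ruleset sketched in the docstring is illustrative with made-up rule numbers.

```python
"""Summarize ipfw syslog output to see what the firewall let through on tun0.

Added example, not code from the thread. It assumes a ruleset such as the
following (illustrative; the rule numbers are made up), where both the deny
rule and the final accept rule carry the `log` keyword so that syslog gets
one line per matching packet:

    ipfw add 10 deny log tcp from any to any 321 in via tun0
    ipfw add 100 allow log ip from any to any in via tun0

tcpdump on tun0 sees inbound frames before ipfw runs, so the Accept lines
in the log are the only record of the traffic that survived the ruleset.
"""
import re
from collections import Counter, defaultdict

# Assumed shape of an ipfw log line for TCP/UDP; ICMP lines carry no ports
# and spell the protocol as e.g. "ICMP:8.0" (type.code).
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# Constructed sample syslog excerpt; the last line is a non-ipfw entry that
# the parser must skip.
SAMPLE_LOG = """\
Jul 24 12:00:01 nfw1 kernel: ipfw: 10 Deny TCP 68.161.54.113:2145 199.103.21.225:321 in via tun0
Jul 24 12:00:01 nfw1 kernel: ipfw: 10 Deny TCP 68.161.54.113:2145 199.103.21.225:321 in via tun0
Jul 24 12:00:02 nfw1 kernel: ipfw: 100 Accept TCP 68.161.54.113:2146 199.103.21.225:22 in via tun0
Jul 24 12:00:03 nfw1 kernel: ipfw: 100 Accept UDP 68.161.54.113:53 199.103.21.225:53 in via tun0
Jul 24 12:00:04 nfw1 kernel: ipfw: 100 Accept ICMP:8.0 68.161.54.113 199.103.21.225 in via tun0
Jul 24 12:00:05 nfw1 kernel: ipfw: 200 Accept TCP 192.168.1.10:4000 199.103.21.225:80 out via tun0
Jul 24 12:00:06 nfw1 kernel: ipfw: 300 Accept TCP 192.168.1.10:4001 192.168.1.1:22 in via xl0
Jul 24 12:00:07 nfw1 sshd[123]: Accepted publickey for dirk from 192.168.1.10
"""


def parse_line(line):
    """Return a dict for one ipfw log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_log(text):
    """Parse a whole syslog excerpt, silently skipping non-ipfw lines."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def traffic_after_firewall(records, iface, direction="in"):
    """Packets ipfw accepted on `iface` in `direction`: the 'cleaned up'
    view of the interface that tcpdump on tun0 itself cannot give."""
    return [
        r for r in records
        if r["iface"] == iface and r["dir"] == direction and r["action"] == "Accept"
    ]


def summarize(records, iface):
    """Per-action packet counts on `iface`, keyed by (protocol, destination port)."""
    counts = defaultdict(Counter)
    for r in records:
        if r["iface"] == iface:
            counts[r["action"]][(r["proto"], r["dport"])] += 1
    return {action: dict(c) for action, c in counts.items()}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for action, by_port in summarize(records, "tun0").items():
        for (proto, dport), n in sorted(by_port.items(), key=str):
            print(f"tun0 {action:6s} {proto:8s} dport={dport} packets={n}")
    print("accepted inbound on tun0:")
    for r in traffic_after_firewall(records, "tun0"):
        print(f"  rule {r['rule']} {r['proto']} {r['src']} -> {r['dst']}:{r['dport']}")
```

Feeding it the real syslog (or the output of `tail -f /var/log/security`) instead of `SAMPLE_LOG` gives the same per-port picture without any capture on tun0; the Deny counters double as a check that the rules are matching what the tcpdump session showed.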


Re: ipfw and tun0

2005-07-24 Thread Dirk GOUDERS

 > >>> I just started to use an ADSL line with PPPoE and want to run a firewall
 > >>> between it and my local network. What I am wondering about is that even
 > >>> if I only have the default everything-blocking rule (deny ip from any to
 > >>> any) I still see incoming packets on tun0 with tcpdump.
 > 
 > If you are using PPPoE, the system de-encapsulates the IP traffic off of the
 > PPP session via the tun0 interface.  tun0 can be treated as your "external 
 > interface" when writing firewall rules, setting up NAT, etc.

Well, I am a little bit confused, because usually, I run machines with
"real" NICs and if I activate firewall rules that drop packets from
that NIC, I can run tcpdump on that NIC and will not see the dropped
packets.  This is the naive view I have about this:


NIC device (e.g. xl0)

 ----------------------------------------------------------
 packets -> packets ->... packets -> packets ->
 ----------------------------------------------------------
          ^                          ^
          |                          |
  Here, ipfw checks          Here, tcpdump listens
  the packets against        and doesn't see dropped
  its rules and probably     packets
  drops packets

In the case of tun0, this order seems to be reverse...

 > Right.  This implies that the firewall rules are working.  If you
 > want to see what the situation looks like to a client machine
 > behind the firewall, either tcpdump on a client machine, or tcpdump
 > on the internal interface of the firewall box...

Does that mean that there is no way to inspect the network
traffic from tun0 after it has been "cleaned up" by ipfw and that is
not forwarded to the internal NIC?

Dirk


Re: ipfw and tun0

2005-07-22 Thread Chuck Swiger

Dirk GOUDERS wrote:
>> I just started to use an ADSL line with PPPoE and want to run a firewall
>> between it and my local network.  What I am wondering about is that even
>> if I only have the default everything-blocking rule (deny ip from any to
>> any) I still see incoming packets on tun0 with tcpdump.


If you are using PPPoE, the system de-encapsulates the IP traffic off of the 
PPP session via the tun0 interface.  tun0 can be treated as your "external 
interface" when writing firewall rules, setting up NAT, etc.


[ ... ]

> Another example is that I saw several SYN packets directed to
> unprivileged ports that got answered with a RST packet by my machine.
> When I block those SYN packets, I still see them on tun0 but the RST
> responses disappear.  Also, ipfw's counters show that it recognizes
> those packets...


Right.  This implies that the firewall rules are working.  If you want to see 
what the situation looks like to a client machine behind the firewall, either 
tcpdump on a client machine, or tcpdump on the internal interface of the 
firewall box...


--
-Chuck



Re: ipfw and tun0

2005-07-22 Thread Dirk GOUDERS

 > >I just started to use an ADSL line with PPPoE and want to run a firewall
 > >between it and my local network.  What I am wondering about is that
 > >even if I only have the default everything-blocking rule (deny ip from
 > >any to any) I still see incoming packets on tun0 with tcpdump.
 > >
 > >Is this because the firewall rules get checked after the packets
 > >leave the tun0 interface?  On what interface should I run tcpdump then
 > >to check if my rules are working as expected?
 > 
 > Just a guess, here  tun0 doesn't exist when the firewall rc
 > script is run, so you may have to explicitly state the name
 > of the interface since it wouldn't be listed during device
 > polling at boot time?

Well, it seems as if my firewall rules work as expected -- with just
the default rule, I cannot do anything on the net.

Another example is that I saw several SYN packets directed to
unprivileged ports that got answered with a RST packet by my machine.
When I block those SYN packets, I still see them on tun0 but the RST
responses disappear.  Also, ipfw's counters show that it recognizes
those packets...

Sorry for not mentioning that earlier.

Dirk


Re: ipfw and tun0

2005-07-21 Thread Kevin Kinsey
Dirk Gouders wrote:

>Hello,
>
>I just started to use an ADSL line with PPPoE and want to run a firewall
>between it and my local network.  What I am wondering about is that
>even if I only have the default everything-blocking rule (deny ip from
>any to any) I still see incoming packets on tun0 with tcpdump.
>
>Is this because the firewall rules get checked after the packets
>leave the tun0 interface?  On what interface should I run tcpdump then
>to check if my rules are working as expected?
>
>Dirk
>


Just a guess, here  tun0 doesn't exist when the firewall rc
script is run, so you may have to explicitly state the name
of the interface since it wouldn't be listed during device
polling at boot time?

Like I said, just grasping at straws.  Maybe you've already
tried that one

Kevin Kinsey


ipfw and tun0

2005-07-21 Thread Dirk Gouders
Hello,

I just started to use an ADSL line with PPPoE and want to run a firewall
between it and my local network.  What I am wondering about is that
even if I only have the default everything-blocking rule (deny ip from
any to any) I still see incoming packets on tun0 with tcpdump.

Is this because the firewall rules get checked after the packets
leave the tun0 interface?  On what interface should I run tcpdump then
to check if my rules are working as expected?

Dirk