Re: ipfw pipes + firewall

2003-11-29 Thread Alex de Kruijff
On Sat, Nov 29, 2003 at 02:29:13PM +0800, Khairil Yusof wrote:
 On Sat, 2003-11-29 at 06:45, Alex de Kruijff wrote:
 
   00100  83 11350 pipe 1 ip from any to any out
   00200  93 11266 pipe 2 ip from any to any in
   00300   0 0 check-state
   00400   0 0 deny tcp from any to any established
   01400 103 14855 allow tcp from any to me dst-port 22 in setup keep-state
   ... more firewall rules which are being matched
 
  I find your 400 rule very strange. Rule 400 shouldn't apply because they
  are passed by 300 (this one doesn't have a counter :( ).
 
 I'm following the example given by ipfw(8). Rule 0400 is apparently
 supposed to block any non dynamic rules. Does rule 300 have a counter?
 I've followed both ipfw(8) and
 http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/rules.html

Maybe I missed it, but I didn't see rule 400. As you can see from the
output it doesn't seem to do anything. That means it only takes up
process time.

I did see dst-port. Sorry for the confusion. I suppose that it is being
filled in for me; it is not needed to write it down.

 I'm using the example from the article for my pppoe connection at home.
 
  For rule 1400 the dst-port is wrongly placed. Ports are (or can be) given
  after the ip without any marker. I would replace 1400 with:
  allow tcp from any to me 22 in
  allow tcp from me 22 to any out
  No need to have dynamic rules here so place it before 300
 
 This sounds right, it would cut down on the overhead of additional dynamic
 rules. So making public port rules without dynamic rules is better?

No, you use both. Dynamic rules are used so the computer seems unreachable
from the outside (i.e. ftp, web, etc. server can not be reached) and
seems fully open from the inside (i.e. allowing you to surf the web).

 Digging in the archives, Matthew Seaman said that dynamic rules should
 be safer, but I'm not sure if it applies for my case.
 
 I'm no security expert, so thanks for the insight.

This is how I would set up a basic firewall:
1 Reject spoofing out
2 Deny spoofing in
3 Allow wanted incoming traffic (and out again) (let's say you like to
  ssh to your computer from the internet or to have visitors to your website)
4 check-state
5 Allow traffic out and keep-state
6 Reject everything out (probably doesn't get any hits because of 5)
7 Deny everything else



-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


ipfw pipes + firewall

2003-11-28 Thread Khairil Yusof
I've read the man pages, and tested it out, and just want to confirm
that what I'm doing is right and that I didn't miss anything.

Disable one_pass so that packets after matching a pipe rule will continue
on to other rules. Without this, packets matching pipes are not
applied again against firewall rules.

net.inet.ip.fw.one_pass: 0

I then put the pipe rules before any firewall rules so that anything
going in and out (in this case) goes through the pipes first. They are
then matched by normal firewall rules.

00100  83 11350 pipe 1 ip from any to any out
00200  93 11266 pipe 2 ip from any to any in
00300   0 0 check-state
00400   0 0 deny tcp from any to any established
01400 103 14855 allow tcp from any to me dst-port 22 in setup keep-state
... more firewall rules which are being matched

From what I can see the pipe rules are being matched. I tested bandwidth
controls, and they work. And I also could not access ports which I did
have a dynamic rule for (as in 01400).

--


FreeBSD 5.2-BETA i386
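The following script is an added example and is not code from the thread or from any of its participants. It combines the setup described in the original post (one_pass set to 0 and the two pipes ahead of every filter rule) with the seven-step layout Alex gives in his later reply (anti-spoofing, static rules for public services placed before check-state, keep-state only for outbound traffic, reject and deny the rest). Everything beyond what the thread states is an assumption: the external interface name tun0, the private ranges treated as spoofed, ssh and http as the public services, the pipe bandwidths, and the rule numbers. It follows the /etc/rc.firewall convention of sending every rule through a variable so the same script can be previewed with `fwcmd=echo` on any system and loaded with the real ipfw on FreeBSD.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw ruleset combining the
# original poster's pipes-before-filters setup (with one_pass=0) and the
# basic layout Alex sketches in his reply.
# Assumptions NOT taken from the thread: external interface tun0, the
# private ranges below as "spoofed" on that interface, ssh and http as the
# public services, made-up pipe bandwidths, and the rule numbers.
#
#   sh fw.sh apply                             # load on FreeBSD (as root)
#   fwcmd=echo sysctlcmd=echo sh fw.sh apply   # preview the commands only

fwcmd="${fwcmd:-/sbin/ipfw}"            # set fwcmd=echo to dry-run
sysctlcmd="${sysctlcmd:-/sbin/sysctl}"
ext_if="${ext_if:-tun0}"                # assumed external (pppoe) interface

# Emit one filter rule through $fwcmd: fw_add <number> <action> <body...>
fw_add() {
    "${fwcmd}" add "$@"
}

# one_pass=0 makes a packet continue down the list after it matched a pipe
# rule; with one_pass=1 a shaped packet is accepted without ever reaching
# the filter rules below the pipes.
one_pass_off() {
    "${sysctlcmd}" net.inet.ip.fw.one_pass=0
}

build_ruleset() {
    "${fwcmd}" -f flush
    "${fwcmd}" -f pipe flush
    "${fwcmd}" pipe 1 config bw 512Kbit/s   # upstream   (made-up figure)
    "${fwcmd}" pipe 2 config bw 2Mbit/s     # downstream (made-up figure)

    # Loopback traffic is neither shaped nor filtered.
    fw_add 50 allow ip from any to any via lo0

    # Shaping first: every packet on the external interface passes a pipe
    # and, because of one_pass=0, is then matched by the rules below.
    fw_add 100 pipe 1 ip from any to any out via "${ext_if}"
    fw_add 200 pipe 2 ip from any to any in  via "${ext_if}"

    # 1. Reject spoofing out / 2. Deny spoofing in: private and loopback
    #    source addresses do not belong on the external interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        fw_add 300 reject ip from "${net}" to any out via "${ext_if}"
        fw_add 400 deny   ip from "${net}" to any in  via "${ext_if}"
    done

    # 3. Wanted incoming traffic and its replies as static rules placed
    #    before check-state; the port follows the address with no keyword,
    #    the placement Alex corrects in the thread.
    for port in 22 80; do
        fw_add 500 allow tcp from any to me "${port}" in  via "${ext_if}"
        fw_add 500 allow tcp from me "${port}" to any out via "${ext_if}"
    done

    # 4. Packets belonging to an existing dynamic rule pass here.
    fw_add 600 check-state

    # 5. Connections this host opens create a dynamic rule, so their replies
    #    are accepted by rule 600 while unsolicited inbound traffic is not.
    fw_add 700 allow tcp from me to any out via "${ext_if}" setup keep-state
    fw_add 700 allow udp from me to any out via "${ext_if}" keep-state

    # 6. Reject anything else going out (should see no hits because of 5).
    fw_add 800 reject ip from any to any out via "${ext_if}"

    # 7. Deny and log everything else.
    fw_add 900 deny log ip from any to any
}

case "${1:-}" in
    apply) one_pass_off && build_ruleset ;;
    *) echo "usage: [fwcmd=echo sysctlcmd=echo] sh $0 apply" >&2 ;;
esac
```

After loading, `ipfw -a list` prints the per-rule packet and byte counters in the same form as the listing quoted in the thread; a rule whose counters stay at zero over normal use is a candidate for removal, which is the observation Alex makes about rule 400.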


Re: ipfw pipes + firewall

2003-11-28 Thread Alex de Kruijff
On Fri, Nov 28, 2003 at 09:37:06PM +0800, Khairil Yusof wrote:
 I've read the man pages, and tested it out, and just want to confirm
 that what I'm doing is right and that I didn't miss anything.
 
 Disable one_pass so that packets after matching a pipe rule will continue
 on to other rules. Without this, packets matching pipes are not
 applied again against firewall rules.
 
 net.inet.ip.fw.one_pass: 0
 
 I then put the pipe rules before any firewall rules so that anything
 going in and out (in this case) goes through the pipes first. They are
 then matched by normal firewall rules.
 
 00100  83 11350 pipe 1 ip from any to any out
 00200  93 11266 pipe 2 ip from any to any in
 00300   0 0 check-state
 00400   0 0 deny tcp from any to any established
 01400 103 14855 allow tcp from any to me dst-port 22 in setup keep-state
 ... more firewall rules which are being matched
 
 From what I can see the pipe rules are being matched. I tested bandwidth
 controls, and they work. And I also could not access ports which I did
 have a dynamic rule for (as in 01400).

I find your 400 rule very strange. Rule 400 shouldn't apply because they
are passed by 300 (this one doesn't have a counter :( ).

For rule 1400 the dst-port is wrongly placed. Ports are (or can be) given
after the ip without any marker. I would replace 1400 with:
allow tcp from any to me 22 in
allow tcp from me 22 to any out
No need to have dynamic rules here so place it before 300


-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/


Re: ipfw pipes + firewall

2003-11-28 Thread Khairil Yusof
On Sat, 2003-11-29 at 06:45, Alex de Kruijff wrote:

  00100  83 11350 pipe 1 ip from any to any out
  00200  93 11266 pipe 2 ip from any to any in
  00300   0 0 check-state
  00400   0 0 deny tcp from any to any established
  01400 103 14855 allow tcp from any to me dst-port 22 in setup keep-state
  ... more firewall rules which are being matched

 I find your 400 rule very strange. Rule 400 shouldn't apply because they
 are passed by 300 (this one doesn't have a counter :( ).

I'm following the example given by ipfw(8). Rule 0400 is apparently
supposed to block any non dynamic rules. Does rule 300 have a counter?
I've followed both ipfw(8) and
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/rules.html

I'm using the example from the article for my pppoe connection at home.

 For rule 1400 the dst-port is wrongly placed. Ports are (or can be) given
 after the ip without any marker. I would replace 1400 with:
 allow tcp from any to me 22 in
 allow tcp from me 22 to any out
 No need to have dynamic rules here so place it before 300

This sounds right, it would cut down on the overhead of additional dynamic
rules. So making public port rules without dynamic rules is better?

Digging in the archives, Matthew Seaman said that dynamic rules should
be safer, but I'm not sure if it applies for my case.

I'm no security expert, so thanks for the insight.
