Re: Dumb IPFW Question

2007-09-27 Thread Ian Smith
On Wed, 26 Sep 2007 20:46:29 +0100 Chris Yocum [EMAIL PROTECTED] wrote:

   Just to explain a bit, I have installed a FreeBSD 6.2 system on a
  machine to act as a natd router.  I turned on the firewall and set the
  firewall rule script to the one from the handbook
  (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)
  (Example Ruleset #2 at the bottom).

Despite lots of useful tips, especially regarding stateful rules, there
are a number of problems with some of the information on that page, and
I wouldn't rely on it as a substitute for a thorough study of ipfw(8). 
At the risk of being called on to submit a PR and diff, be particularly
wary of the sections in which the word 'mandatory' appears, and perhaps
compare those rulesets with those in /etc/rc.firewall.  But anyway ..

   After some investigation when I could not get www, I discovered
  that somehow port 53 is blocked even when I explicitly open it.  This
  happens when I uncomment the rule # Reject & Log all unauthorized out
  going connections to the public Internet
  $cmd 450 deny log all from any to any out via $pif.  So essentially,
  when I use that line, I lose my DNS and my www will not work anymore.

I see Chuck already caught your use of 'setup' with udp, which was the
immediate problem.  In fact, the ruleset #2 you used as basis has a rule
for TCP port 53 (needed if you need to transfer zone/s with an outside
DNS server) but had entirely omitted UDP 53 (though the earlier examples
included it), which it seems you must have already noticed.

   Otherwise, it all works great and I could not be happier.  Thank
  you in advance for any help that you may be able to provide.  I am
  sure that it is some small blunder on my part.

One thing lacking in that ruleset is stopping of _outbound_ spoofing of
RFC 1918 etc addresses; refer to the 'simple' section of rc.firewall,
particularly the placement of anti-spoofing rules wrt NATD diversion. 

  # Dup these lines if your ISP has more than one DNS server

Or use an address list in one rule, like addr1,addr2,addr3

  # Get the IP addresses from /etc/resolv.conf file
  $cmd 023 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
  $cmd 024 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
  $cmd 025 $skip udp from any to isp dns ip 53 out via $pif setup keep-state

As you've found, dropping 'setup' will make these work.

  # Allow out ping
  $cmd 080 $skip icmp from any to any out via $pif keep-state

I'm not sure if this is sufficient to allow icmptypes needed by TCP for
MTU discovery? but I allow these types specifically and not statefully. 
  
  # Deny all Netbios service. 137=name, 138=datagram, 139=session
  # Netbios is MS/Windows sharing services.
  # Block MS/Windows hosts2 name server requests 81
  $cmd 320 deny tcp from any to any 137 in via $pif
  $cmd 321 deny tcp from any to any 138 in via $pif
  $cmd 322 deny tcp from any to any 139 in via $pif
  $cmd 323 deny tcp from any to any 81  in via $pif

I've noticed other people just copying these rules from this example,
but 137 and 138 are on UDP, not TCP, while 139 is a TCP service.  Still,
unless you wanted to count these individually, the 'deny everything not
specifically allowed' rule will catch these anyhow.  And if you've got
windows boxes NAT'd on the inside you should block these going OUT too.

eg for TCP:
#% first take out the VAST bulk of TCP bogons / background noise:
crap=135,139,445,1433,2967,2968,4899,5900
crap=${crap},8000,8080,3128
${fwadd} deny log $afew tcp from any to any ${crap} in via ${ext_if} setup
# Reject & Log all other setup of incoming connections from the outside
${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup
and for UDP:
#% first cut out most of the heavy duty noise (incl broken insiders)
junk=137,138,1433,1434
junk=${junk},3544 # XP home calls home? MS ipV6 'Toredo'
${fwadd} deny udp from any to any ${junk} via ${ext_if}

  #allow in information from the ISP's DNS
  $cmd 361 allow udp from ip dns ip 53 to any in via $pif keep-state
  $cmd 362 allow udp from ip dns ip 53 to any in via $pif keep-state

These are not useful, since you're using outbound UDP keep-state on 53.
If you're running a public DNS server, you'd need to allow inbound DNS
in from anyone, not (just) your ISP.

HTH, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
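Ian's and Chuck's diagnosis, traced through a toy model of ipfw first-match evaluation. This is an added illustration written for this page, not code from the thread, the Handbook or ipfw itself: it models only protocol, destination address/port, direction, `via`, `setup`, `established`, `keep-state`/`check-state` and `skipto`, and a single rule 800 stands in for the Handbook's `800 divert natd ... out via $pif` plus `801 allow ip from any to any`. The interface name sis0 is the poster's; the addresses (198.51.100.x as the ISP resolvers, 192.0.2.10 as an inside host, 203.0.113.80 as a web server) are placeholders.

```python
"""Toy model of ipfw(8) first-match evaluation, reduced to what reproduces the
thread's bug: a UDP rule written with `setup` never matches, so the DNS query
falls through to `deny log all ... out via $pif`.  Added for this page, not ipfw."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: str
    syn: bool = False   # TCP flags; a UDP or ICMP packet has none
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow", "deny", "skipto" or "check-state"
    proto: str = "ip"               # "ip" matches every protocol
    dst: frozenset = frozenset()    # destination addresses, empty = any
    dport: frozenset = frozenset()  # destination ports, empty = any
    direction: str = ""             # "in", "out" or "" for either
    iface: str = ""                 # `via <iface>`, "" for any interface
    setup: bool = False             # SYN set and ACK clear: TCP only
    established: bool = False       # ACK set (ipfw: ACK or RST): TCP only
    keep_state: bool = False
    target: int = 0                 # skipto target


def flow_key(p):
    """Dynamic rules match both directions, so key on the unordered endpoint pair."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


def rule_matches(r, p):
    """`setup` and `established` test TCP flags; a UDP datagram has none, so a
    UDP rule carrying `setup` is dead code rather than "first packet of a flow"."""
    return ((r.proto == "ip" or r.proto == p.proto)
            and (not r.dst or p.dst in r.dst)
            and (not r.dport or p.dport in r.dport)
            and (not r.direction or r.direction == p.direction)
            and (not r.iface or r.iface == p.iface)
            and (not r.setup or (p.proto == "tcp" and p.syn and not p.ack))
            and (not r.established or (p.proto == "tcp" and p.ack)))


def evaluate(rules, pkt, state):
    """Walk the sorted ruleset; return (rule_number, action) of the terminal
    match, recording keep-state flows in `state` (flow -> parent rule)."""
    rules = sorted(rules, key=lambda r: r.number)

    def jump(number):  # index of the first rule numbered >= the skipto target
        return next((i for i, r in enumerate(rules) if r.number >= number), len(rules))

    i = 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state":
            parent = state.get(flow_key(pkt))
            if parent is None:
                i += 1
                continue
            if parent.action != "skipto":
                return parent.number, parent.action
            r = parent                        # resume at the parent's skipto target
        elif not rule_matches(r, pkt):
            i += 1
            continue
        elif r.keep_state:
            state[flow_key(pkt)] = r
        if r.action != "skipto":
            return r.number, r.action
        i = jump(r.target)
    return 65535, "deny"                      # ipfw's implicit default rule


PIF = "sis0"                                           # the poster's public NIC
ISP_DNS = frozenset({"198.51.100.1", "198.51.100.2"})  # placeholder resolvers


def ruleset(setup_on_udp):
    """Skeleton of the thread's ruleset.  Rule 800 stands in for the Handbook's
    `800 divert natd ... out via $pif` followed by `801 allow ip from any to any`."""
    return [
        Rule(15, "check-state"),
        # one rule with an address list replaces the three copied DNS rules
        Rule(23, "skipto", "udp", ISP_DNS, frozenset({53}), "out", PIF,
             setup=setup_on_udp, keep_state=True, target=800),
        Rule(40, "skipto", "tcp", dport=frozenset({80}), direction="out",
             iface=PIF, setup=True, keep_state=True, target=800),
        Rule(400, "deny", direction="in", iface=PIF),   # unauthorized inbound
        Rule(450, "deny", direction="out", iface=PIF),  # unauthorized outbound
        Rule(800, "allow"),
    ]


def dns_exchange(setup_on_udp):
    """Verdicts (query, reply) for one DNS lookup from an inside host."""
    rules, state = ruleset(setup_on_udp), {}
    query = Packet("udp", "192.0.2.10", 49152, "198.51.100.1", 53, "out", PIF)
    reply = Packet("udp", "198.51.100.1", 53, "192.0.2.10", 49152, "in", PIF)
    return evaluate(rules, query, state), evaluate(rules, reply, state)


def web_exchange():
    rules, state = ruleset(False), {}
    syn = Packet("tcp", "192.0.2.10", 50000, "203.0.113.80", 80, "out", PIF, syn=True)
    synack = Packet("tcp", "203.0.113.80", 80, "192.0.2.10", 50000, "in", PIF, True, True)
    return evaluate(rules, syn, state), evaluate(rules, synack, state)
```

With `setup` left on the UDP rule, `dns_exchange(True)` returns `((450, 'deny'), (400, 'deny'))`: rule 23 can never match a datagram, the query reaches the outbound catch-all, and with no dynamic rule the reply dies on the inbound catch-all, which is exactly the `ipfw: 450 Deny UDP ... out via sis0` line in the original post. With `setup` removed, `dns_exchange(False)` gives `((800, 'allow'), (800, 'allow'))`: the reply is admitted by `check-state` even though rule 23 says `out`, because dynamic rules are bidirectional. `web_exchange()` shows `setup` doing its job on TCP, and a stray ACK with no state still lands on rule 450, which is why an `established` rule or stateful coverage matters for long-lived sessions.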


Re: Dumb IPFW Question

2007-09-26 Thread Chuck Swiger

On Sep 26, 2007, at 12:46 PM, Chris Yocum wrote:
[ ... ]

 I also get Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP my
router outside IP:53 my isp dns ip:53 out via sis0 in my
/var/log/security file.  I have appended the ipfw rules below so you
can see all the changes that I made from the original.


The setup keyword should only be used with TCP packets; trying to use  
it with UDP traffic will cause your pass-through rules (#23-25) to  
not match the traffic you want them to match...


--
-Chuck



Re: Dumb IPFW Question

2007-09-26 Thread Chris Yocum
Hi,
 Yep, it was a blunder by me.  Thank you very much!

Chris



Dumb IPFW Question

2007-09-26 Thread Chris Yocum
Hi Everyone,
 Just to explain a bit, I have installed a FreeBSD 6.2 system on a
machine to act as a natd router.  I turned on the firewall and set the
firewall rule script to the one from the handbook
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)
(Example Ruleset #2 at the bottom).
 After some investigation when I could not get www, I discovered
that somehow port 53 is blocked even when I explicitly open it.  This
happens when I uncomment the rule # Reject & Log all unauthorized out
going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif.  So essentially,
when I use that line, I lose my DNS and my www will not work anymore.
 I also get Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP my
router outside IP:53 my isp dns ip:53 out via sis0 in my
/var/log/security file.  I have appended the ipfw rules below so you
can see all the changes that I made from the original.
 Otherwise, it all works great and I could not be happier.  Thank
you in advance for any help that you may be able to provide.  I am
sure that it is some small blunder on my part.

Thanks!,
Chris

#!/bin/sh
cmd="ipfw -q add"
skip="skipto 800"
pif="sis0" # public interface name of NIC
  # facing the public Internet

#
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#
$cmd 005 allow all from any to any via xl0

#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0

#
# check if packet is inbound and nat address if it is
#
$cmd 014 divert natd ip from any to any in via $pif

#
# Allow the packet through if it has previous been added to the
# the dynamic rules table by a allow keep-state statement.
#
$cmd 015 check-state

#
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 023 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
$cmd 024 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
$cmd 025 $skip udp from any to isp dns ip 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to isp dhcp 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
#for some reason this is the university's IMAP setting
$cmd 062 $skip tcp from any to any 993 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root GOD privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

# allow out VPN
$cmd 140 $skip tcp from any to any 1723 out via $pif keep-state

#
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 

Silly IPFW question.

2007-09-24 Thread Grant Peel

Hi all,

I am sorry if this is a no-brainer 

Is there any way to make a rule in IPFW that will match MAC addresses instead 
of IP or port numbers (and no, I didn't see anything in the docs :-))


-Grant 




Re: Silly IPFW question.

2007-09-24 Thread Jeff Mohler
Well..where is the mac you want to firewall from/against?




Re: Silly IPFW question.

2007-09-24 Thread Mel
On Monday 24 September 2007 23:33:05 Grant Peel wrote:

 Is there anyway to make a rule in IPFW that will match MAC addresses
 instead of IP or port numnbers (and no, I didnt see anything in the docs
 :-))

Generally no, since IP FW works on IP level, not ethernet. That said, I just 
read about this:
http://www.openbsd.org/faq/pf/tagging.html#ethernet

I don't see a brconfig on FreeBSD though and don't know if there's something 
similar ported.
-- 
Mel


Re: Silly IPFW question.

2007-09-24 Thread Chuck Swiger

On Sep 24, 2007, at 2:33 PM, Grant Peel wrote:
Is there any way to make a rule in IPFW that will match MAC  
addresses instead of IP or port numbers (and no, I didn't see  
anything in the docs :-))


Search man ipfw for MAC.  Something like this will:

  ipfw add 10 deny MAC any 10:20:30:40:50:60

...block any traffic from that ethernet address.  Be aware of the  
net.link.ether.ipfw sysctl needed and advice in the section PACKET  
FLOW.


--
-Chuck



Re: Silly IPFW question.

2007-09-24 Thread Grant Peel
Hi Jeff,

I have a client who wants access to mysql on port 3306, but none (4) of his 
computers have static IPs. So, to answer your question, he wants to access from 
several hops down the (internet) pipe.

And I just DID find some talking about MAC address filtering in the IPFW docs. 
However, if I remember ethernet connections right, it would be the last MAC it 
came from ... and not the originating MAC.

Forgive me if I am wrong above, but I am not a 'level' 1, 2, or 3, guru!

:-) 

-Grant


Re: Silly IPFW question.

2007-09-24 Thread RW
On Mon, 24 Sep 2007 17:33:05 -0400
Grant Peel [EMAIL PROTECTED] wrote:

 Hi all,
 
 I am sorry if this is a no-brainer 
 
 Is there any way to make a rule in IPFW that will match MAC addresses
 instead of IP or port numbers (and no, I didn't see anything in the
 docs :-))

man ipfw  and search for MAC

Note that you need to set a sysctl for layer 2 - which is also
covered in the man page.  


Re: Silly IPFW question.

2007-09-24 Thread Mel
On Monday 24 September 2007 23:44:07 Chuck Swiger wrote:
 On Sep 24, 2007, at 2:33 PM, Grant Peel wrote:
  Is there any way to make a rule in IPFW that will match MAC
  addresses instead of IP or port numbers (and no, I didn't see
  anything in the docs :-))

 Search man ipfw for MAC.  Something like this will:

ipfw add 10 deny MAC any 10:20:30:40:50:60

 ...block any traffic from that ethernet address.  Be aware of the
 net.link.ether.ipfw sysctl needed and advice in the section PACKET
 FLOW.

Ok, been too long since I played with IPFW obviously.

-- 
Mel


Re: Silly IPFW question.

2007-09-24 Thread RW
On Mon, 24 Sep 2007 17:47:31 -0400
Grant Peel [EMAIL PROTECTED] wrote:

 Hi Jeff,
 
 I have a client who wants access to mysql on port 3306, but none (4)
 of his computers have static IPs. So, to answer your question, he wants
 to access from several hops down the (internet) pipe.
 
 And I just DID find some talking about MAC address filtering in the
 IPFW docs. However, if I remember ethernet connections right, it
 would be the last MAC it came from ... and not the originating MAC.

Yes, assuming the hops are routers. 

He probably should be using an ssh tunnel.


ipfw question (FreeBSD 4.11)

2005-01-03 Thread Gerard Meijer
I run apache webserver on my server with FreeBSD 4.11

I have a question about ipfw. I have the following rules in my /etc/ipfw.conf:

$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state

(with $pif being my NIC) Now, everything works fine for me, but I get a lot 
(and I mean a lot) of these kind of messages in my log:

[Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out 
via em0
[Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via 
em0

(with a.b.c.d being my ip and e.f.g.h being somebody else's ip).

I guess these people are not surfing through port 80??? Correct me if I'm 
wrong. How can I change ipfw's rules so that these people aren't blocked 
anymore?

Thanks in advance!



RE: ipfw question (FreeBSD 4.11)

2005-01-03 Thread Andras Kende


Hello,

I'm not 100% sure, but if I remember correctly you need to put established
before the webserver rule:

# Allow TCP through if setup succeeded:
${fwcmd} add pass tcp from any to any established

# Allow setup of incoming http:
${fwcmd} add pass tcp from any to any 80 setup




[Cc][Ll][Ii][Ee][Nn][Tt])

# This is a prototype setup that will protect your system somewhat
# against people from outside your own network.


# set these to your network and netmask and ip
ip=aaa.bbb.ccc.ddd

setup_loopback

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming services
${fwcmd} add pass tcp from any to ${ip}
21,22,25,53,80,110,143,443,993,1 setup

# Allow setup of PASV FTP
${fwcmd} add pass tcp from any to ${ip} 10001-10100 setup

# Allow setup of outgoing TCP connections only
${fwcmd} add pass log tcp from ${ip} to any setup

# Disallow setup of all other TCP connections
${fwcmd} add deny log tcp from any to any setup

# Allow DNS queries
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any

# Allow NTP
${fwcmd} add pass udp from any to any 123

#ICMP
${fwcmd} add pass log icmp from any to any icmptypes 3,4,11,12

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;


Best regards,

Andras Kende
http://www.kende.com





Re: ipfw question (FreeBSD 4.11)

2005-01-03 Thread Gerard Meijer
You are so the man!
That's it. You have no idea how long I've spend looking for this.
Thanks again!
- Original Message - 
From: Andras Kende [EMAIL PROTECTED]
To: 'Gerard Meijer' [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Sent: Monday, January 03, 2005 7:59 PM
Subject: RE: ipfw question (FreeBSD 4.11)





ipfw question

2004-09-20 Thread adrian kok
Dear all

I have 2 questions

1/ Recently, my mrtg graph showed many spikes
Incoming in outer interface of the router.

Is it possible to log them and check?

If I log everything, I am afraid to slow down the
network. What is the best way to do it?


2/ I read some firewall docs. they said that it is
good to allow 5% bandwidth for icmp only

Is it true?

how can I do it?

Thank you



Re: ipfw question

2004-09-20 Thread Giorgos Keramidas
On 2004-09-20 22:43, adrian kok [EMAIL PROTECTED] wrote:

 1/ Recently, my mrtg graph showed many spikes
 Incoming in outer interface of the router.

 Is it possible to log them and check?

It is.  A better approach is to block everything that you don't really
need and then start logging legitimate connections only if the problems
with ``traffic spikes'' continue.

 If I log everthing, I am afraid to slow down the
 network. What is the best way to do it?

Don't do it.  It will truly slow down things a lot.

 2/ I read some firewall docs. they said that it is
 good to allow 5% bandwidth for icmp only
 Is it true?

I don't know what docs you read about firewalls.  The Handbook has a
fairly good section on firewalls.  Have you read that?  If not, you
should definitely give it a look.

For an early chance to read what the ``Firewalls'' section will soon be
replaced with, you might also want to read this:

http://freebsd.so14k.com/firewall/firewalls.html

I'm working with a few other guys to get this into the Handbook as the
new ``Firewalls'' section before 5.3-RELEASE, but if it does help you
should definitely read it.  Joseph J. Barbish has written a couple of
excellent firewall tutorials and guides that I've read so far, and this
one is really worth a careful read.

Just note that the text at the above URL is probably going to change a
bit during the next couple of days, so be patient if you see changes
going in :-)

 how can I do it?

See above.

Giorgos



Re: ipfw question

2004-06-17 Thread Giorgos Keramidas
Hi Reuben,

Sorry for taking so long to reply.  My workstation at work which still
runs Fedora Core RC3 and not a real OS, like FreeBSD, decided to throw
away all outgoing email this morning.  Here's a repost extracted from
my =posted mailbox in Mutt [...]

On 2004-06-16 17:04, Reuben A. Popp [EMAIL PROTECTED] wrote:
 I believe that what I have is correct, and everything seems to be
 working well, with a few exceptions.  For instance, ftp and ssh still
 don't seem to make it into the logs, although the mail, web and
 web-ssl do with no problems.  Again, following this message is my
 revised ruleset.

Strange.  All incoming ones should be logged.  Unless, of course, you
mean ftp and ssh connections that *you* start to the outside world, in
which case by reading the ruleset you will note that they are allowed
unconditionally, without logging, by a rule higher up the chain:

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state
# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state
# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

Since this doesn't log anything, all connections that your machine
starts towards another machine are passed through without logging.

If you want to log specific connections, you should use something like
this instead:

# Log ftp and ssh connections that we make.
ipfw add allow log tcp from any to any 21,22 out setup keep-state
# Let any other outgoing connections through, unlogged.
ipfw add allow tcp from any to any out setup keep-state

Note that you also have some rules that are useless in there.
Trim your ruleset a bit ;-)

The general idea with stateful filtering is that you set up a few
connections that are allowed to pass through and then let the packets
related to those connections pass too, but *nothing* else.  This is why
the general form of a stateful firewall with IPFW should be:

 rules that check states first 
 rules that selectively pass connections *and* create states 
 everything else blocked 

This way only the packets related to one of the states will pass
through.  Any other packets that require special handling (for instance,
ICMP packets) can be handled by other rules.

In your ruleset you have this:

# First of all state checking.  This will allow through any packet
# that is marked as legitimate by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

which should work without problems, and then you have:

# Allow TCP through if setup succeeded
ipfw add pass tcp from any to any established

This rule will never match with anything, since packets that could
possibly match are blocked by the 'established' rule right after
check-state above.  You can safely delete this rule.

Then you have this rule, that handles fragments in a special manner,
which is not very useful.

# Allow IP fragments to pass through
ipfw add pass all from any to any frag

AFAIK, any fragment that is related to an existing connection should
match with the check-state rule and will never reach this part of the
ruleset.  I think this can go too.

Finally, this rule is absolutely *not* good.  You've gone through all
the trouble to set up a stateful firewall so as NOT to be forced to
allow any incoming TCP connection through.  This single rule lets all
the connections through, effectively cancelling all of your filtering
rules :-(

# Allow setup of any other TCP connection
ipfw add pass tcp from any to any setup

You should definitely delete this one.  IMHO, it's a good idea to
replace it with a more strict rule like this:

# Block everything else.
ipfw add deny ip from any to any

If you're too worried that this might break applications or protocols
that you're using now, try adding a log keyword to this last rule and
watch your system logs for dropped packets that are useful and should
have been allowed.  Then add special rules just for those packets.

Regards,

- Giorgos

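A triage pass over the `ipfw: <rule> Deny ...` lines that Gerard quoted from his log, following Giorgos's advice in both of his replies: keep `log` on the final catch-all deny rather than logging everything, then watch for dropped packets that should have been allowed and add rules only for those. This is an added example for this page, not code from the thread or from FreeBSD; the sample log is constructed in the syslog format quoted above with documentation addresses, and the served-port set, the `NOISE_PORTS` list (taken from the ports Ian's rules call bogons) and the `min_peers` threshold are assumptions to be set for the host in question. One caveat the tool has to live with: ipfw log lines carry no TCP flags, so it can report that segments to a served port were dropped without a matching dynamic rule, but not whether they were SYNs or mid-session ACKs.

```python
"""Triage of `ipfw: <rule> Deny ...` lines from /var/log/security, so a
logged catch-all deny can be turned into specific rules one group at a time.
Added illustration for this page; the sample log is constructed in the syslog
format quoted in the threads, using documentation addresses."""
import re
from collections import defaultdict

# ipfw log syntax: "<rule> <action> <PROTO>[:<type.code>] <src>[:<port>] <dst>[:<port>] <in|out> [via <iface>]"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::(?P<icmp>[\d.]+))? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out)(?: via (?P<iface>\S+))?")

# constructed sample: 203.0.113.5 is "our" web server, em0/sis0 the public NICs
SAMPLE_LOG = """\
Jan  3 12:29:01 host /kernel: ipfw: 499 Deny TCP 198.51.100.7:1882 203.0.113.5:80 in via em0
Jan  3 12:29:01 host /kernel: ipfw: 299 Deny TCP 203.0.113.5:80 198.51.100.7:4472 out via em0
Jan  3 12:29:03 host /kernel: ipfw: 499 Deny TCP 198.51.100.7:1883 203.0.113.5:80 in via em0
Jan  3 12:30:10 host /kernel: ipfw: 999 Deny TCP 192.0.2.11:3391 203.0.113.5:445 in via em0
Jan  3 12:30:11 host /kernel: ipfw: 999 Deny TCP 192.0.2.12:1120 203.0.113.5:445 in via em0
Jan  3 12:30:12 host /kernel: ipfw: 999 Deny TCP 192.0.2.13:2231 203.0.113.5:445 in via em0
Jan  3 12:30:15 host /kernel: ipfw: 999 Deny UDP 192.0.2.14:1026 203.0.113.5:137 in via em0
Jan  3 12:31:00 host /kernel: ipfw: 999 Deny ICMP:8.0 192.0.2.15 203.0.113.5 in via em0
Jan  3 12:31:05 host /kernel: ipfw: 400 Accept TCP 198.51.100.8:40000 203.0.113.5:80 in via em0
Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP 203.0.113.9:53 198.51.100.1:53 out via sis0
"""

NOISE_PORTS = {135, 137, 138, 139, 445, 1433, 1434}  # the "bogon" ports named in the threads


def parse(text):
    """Yield one dict per ipfw log line; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            rec["sport"] = int(rec["sport"]) if rec["sport"] else None
            rec["dport"] = int(rec["dport"]) if rec["dport"] else None
            yield rec


def summarize(text, action="Deny"):
    """Group packets by (rule, proto, direction, local port), counting packets
    and distinct remote peers.  The local port is the destination port of an
    inbound packet and the source port of an outbound one."""
    groups = defaultdict(lambda: {"packets": 0, "peers": set()})
    for r in parse(text):
        if r["action"] != action:
            continue
        inbound = r["dir"] == "in"
        key = (r["rule"], r["proto"], r["dir"], r["dport"] if inbound else r["sport"])
        groups[key]["packets"] += 1
        groups[key]["peers"].add(r["src"] if inbound else r["dst"])
    return dict(groups)


def triage(groups, served_ports, min_peers=3):
    """Label each group.  ipfw log lines carry no TCP flags, so drops on a
    served port only hint that mid-session segments (no dynamic rule, or an
    expired one) are being denied; they cannot prove it."""
    rows = []
    for key in sorted(groups, key=lambda k: (k[0], k[1], k[2], k[3] or 0)):
        rule, proto, direction, port = key
        packets, peers = groups[key]["packets"], len(groups[key]["peers"])
        if port in served_ports:
            label = "served port: check established/keep-state coverage"
        elif port in NOISE_PORTS or peers >= min_peers:
            label = "background noise: deny without log"
        elif direction == "out":
            label = "outbound from this host: missing allow rule?"
        else:
            label = "review"
        rows.append((rule, proto, direction, port, packets, peers, label))
    return rows
```

On the sample, `triage(summarize(SAMPLE_LOG), served_ports={80, 443})` puts Gerard's rule 299/499 drops on port 80 into the "served port" bucket (the pattern Andras's `established` rule addressed), lumps the 445 and 137 probes together as noise that can be denied quietly, and flags the outbound port 53 drop from the first thread as an allow rule that is missing or not matching. Run it over the real file with `summarize(open("/var/log/security").read())`; grouping by rule number first is what makes it useful for deciding which `log` keywords to keep.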


Re: ipfw question

2004-06-16 Thread Reuben A. Popp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Giorgos,

Thanks so much for the quick response on my question :).  I more or less took your 
rules that you posted,
and tacked on a few more.  I belive that what I have is correct, and everything seems 
to be working well, 
with a few exceptions.  For instance, ftp and ssh still don't seem to make it into the 
logs, although the mail, web 
and web-ssl do with no problems.  Again, following this message is my revised ruleset.

Thanks again,
Reuben A. Popp

- ---%--

#!/bin/sh -

#
# Setup system for firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
fi

# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush

# Setup Loopback
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add deny all from 10.0.0.0/8 to any via em0
ipfw add deny all from 172.16.0.0/12 to any via em0
ipfw add deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add deny all from 0.0.0.0/8 to any via em0
ipfw add deny all from 169.254.0.0/16 to any via em0
ipfw add deny all from 192.0.2.0/24 to any via em0
ipfw add deny all from 224.0.0.0/4 to any via em0
ipfw add deny all from 240.0.0.0/4 to any via em0

# Pass all ICMP messages through.
# Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
ipfw add allow icmp from any to any

# First of all state checking.  This will allow through any packet
# that is marked as legitimate by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established

# Allow DNS or NTP sessions that originate from us.
ipfw add allow udp from any to any 53,123 out keep-state

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state

# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

# Allow TCP through if setup succeeded
ipfw add pass tcp from any to any established

# Allow IP fragments to pass through
ipfw add pass all from any to any frag

# Allow setup of any other TCP connection
ipfw add pass tcp from any to any setup

# Reject & Log all setup of incoming connections from the outside
ipfw add deny log tcp from any to any in via em0 setup

- --%---

Thanks again,
Reuben A. Popp


Giorgos Keramidas (Giorgos Keramidas [EMAIL PROTECTED]) translated a message on 
Wednesday 16 June 2004 12:35 am into a binary format and sent it out among the ether 
in the search of Reuben A. Popp [EMAIL PROTECTED].  Upon being retranslated into 
ascii, it was discovered that message read: 

 On 2004-06-15 18:31, Reuben A. Popp [EMAIL PROTECTED] wrote:
  I was tinkering around trying to get my firewall set the way I wanted
  it, but seem to be running into an issue.  I know that I have logging
  set in the kernel and in rc.conf, as well as in my ruleset, but for
  some odd reason, the firewall is not logging connections to the
  services I wanted watched (ftp, ssh, web, etc).
 
 That's because your ruleset uses the following rule:
 
 # Allow TCP through if setup succeeded
 ipfw add 1200 pass tcp from any to any established
 
 before any of the other rules are reached.  This lets every TCP packet
 through without logging and you never get a chance of picking out what
 to log or what to block :)
 
 A simplified version of your ruleset could be this one.  Notice that
 I've removed all explicit rule numbers.  IPFW does a pretty good job at
 automatically numbering the rules and you don't have too many rules for
 it to work.  On the other hand, having hardcoded numbers means that you
 might miss some reordering of the rules and waste hours upon hours
 trying to find out why it doesn't work like it's supposed to.  Not a
 good possibility...  Anyway, here's a ruleset very similar to yours:
 
 #
 # Part 1. Semi-standard stuff copied from rc.firewall.
 #
 
 # Flush the existing ruleset
 echo Flushing the existing ruleset, stand by...
 ipfw -f flush
 
 # Only allow lo0 to send packets as 127.0.0.1
 ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
 ipfw add deny all from any to 127.0.0.0/8
 ipfw add deny ip from 127.0.0.0/8 to any
 
 # Stop RFC1918 nets on the 

ipfw question

2004-06-15 Thread Reuben A. Popp

Good afternoon all,

I was tinkering around trying to get my firewall set the way I wanted it,
but seem to be running into an issue.  I know that I have logging set in
the kernel and in rc.conf, as well as in my ruleset, but for some odd
reason, the firewall is not logging connections to the services I wanted
watched (ftp, ssh, web, etc).  I'm enclosing a copy of my ruleset along
with this message in case anyone has any ideas.  Any help or suggestions
would be greatly appreciated.

Thanks in advance,
Reuben A. Popp

My ruleset:

#!/bin/sh -

#
# Setup system for firewall service.
#

# Suck in the configuration variables.
if [ -z ${source_rc_confs_defined} ]; then
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
fi

# Flush the existing ruleset
echo Flushing the existing ruleset, stand by...
ipfw -f flush

# Setup Loopback
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add 400 deny all from 10.0.0.0/8 to any via em0
ipfw add 500 deny all from 172.16.0.0/12 to any via em0
ipfw add 600 deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add 700 deny all from 0.0.0.0/8 to any via em0
ipfw add 800 deny all from 169.254.0.0/16 to any via em0
ipfw add 900 deny all from 192.0.2.0/24 to any via em0
ipfw add 1000 deny all from 224.0.0.0/4 to any via em0
ipfw add 1100 deny all from 240.0.0.0/4 to any via em0

# Allow TCP through if setup succeeded
ipfw add 1200 pass tcp from any to any established

# Allow IP fragments to pass through
ipfw add 1300 pass all from any to any frag

ipfw add 1400 check-state
ipfw add 1401 deny tcp from any to any in established
ipfw add 1402 allow tcp from any to any out setup keep-state

# Allow DNS
ipfw add 1403 allow udp from xx.xx.xxx.xxx 53 to any in recv em0
ipfw add 1404 allow udp from xxx.xxx.x.x 53 to any in recv em0
ipfw add 1405 allow udp from xxx.xxx.x.x 53 to any in recv em0
ipfw add 1406 allow udp from any to any out

# Allow ftp and log it
ipfw add 1407 allow log tcp from any to xx.xx.xxx.xxx 20,21
ipfw add 1408 allow log udp from any to xx.xx.xxx.xxx 20,21

# Allow ssh and log it
ipfw add 1409 allow log tcp from any to xx.xx.xxx.xxx 22

# Allow mail and log it
ipfw add 1410 allow log tcp from any to xx.xx.xxx.xxx 25

# Allow www and log it
ipfw add 1411 allow log tcp from any to xx.xx.xxx.xxx 80 keep-state
ipfw add 1412 allow log tcp from any to xx.xx.xxx.xxx 443 keep-state
ipfw add 1413 allow log udp from any to xx.xx.xxx.xxx 443 keep-state

# Reject & Log all setup of incoming connections from the outside
ipfw add 1414 deny log tcp from any to any in via em0 setup

# Allow setup of any other TCP connection
ipfw add 1415 pass tcp from any to any setup

# Allow DNS queries out in the world
ipfw add 1416 pass udp from xx.xx.xxx.xxx to any 53 keep-state

# Allow NTP queries out in the world
ipfw add 1417 pass udp from xx.xx.xxx.xxx to any 123 keep-state


Re: ipfw question

2004-06-15 Thread Giorgos Keramidas
On 2004-06-15 18:31, Reuben A. Popp [EMAIL PROTECTED] wrote:
 I was tinkering around trying to get my firewall set the way I wanted
 it, but seem to be running into an issue.  I know that I have logging
 set in the kernel and in rc.conf, as well as in my ruleset, but for
 some odd reason, the firewall is not logging connections to the
 services I wanted watched (ftp, ssh, web, etc).

That's because your ruleset uses the following rule:

# Allow TCP through if setup succeeded
ipfw add 1200 pass tcp from any to any established

before any of the other rules are reached.  This lets every TCP packet
through without logging and you never get a chance of picking out what
to log or what to block :)

A simplified version of your ruleset could be this one.  Notice that
I've removed all explicit rule numbers.  IPFW does a pretty good job at
automatically numbering the rules and you don't have too many rules for
it to work.  On the other hand, having hardcoded numbers means that you
might miss some reordering of the rules and waste hours upon hours
trying to find out why it doesn't work like it's supposed to.  Not a
good possibility...  Anyway, here's a ruleset very similar to yours:

#
# Part 1. Semi-standard stuff copied from rc.firewall.
#

# Flush the existing ruleset
echo Flushing the existing ruleset, stand by...
ipfw -f flush

# Only allow lo0 to send packets as 127.0.0.1
ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add deny all from 10.0.0.0/8 to any via em0
ipfw add deny all from 172.16.0.0/12 to any via em0
ipfw add deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add deny all from 0.0.0.0/8 to any via em0
ipfw add deny all from 169.254.0.0/16 to any via em0
ipfw add deny all from 192.0.2.0/24 to any via em0
ipfw add deny all from 224.0.0.0/4 to any via em0
ipfw add deny all from 240.0.0.0/4 to any via em0

#
# Part 2.  Local rules that allow and log selected TCP services.
#

# Pass all ICMP messages through.
# Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
ipfw add allow icmp from any to any

# First of all state checking.  This will allow through any packet
# that is marked as legitimate by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established

# Allow DNS or NTP sessions that originate from us.
ipfw add allow udp from any to any 53,123 out keep-state

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state

# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

AFAIK, anything else can be blocked without stopping you from doing your
real work.

- Giorgos



ipfw: question about keep-state on icmp

2004-06-13 Thread Geert Hendrickx
Hi, 

this is a fragment of my ipfw-config which should allow me to ping 
others, but not allow others to ping me: 

00092 allow icmp from me to any keep-state
65535 deny ip from any to any

Indeed, other hosts can't ping me... UNLESS I am pinging them at the 
same time!  This is of course a result of keeping the state of ICMP
traffic between these two hosts, and I can avoid this by changing it to:

00091 deny icmp from any to me icmptype 8-- deny ping request to me
00092 allow icmp from me to any keep-state

(icmptype 8 = ping request) 

But then I don't see the use for keep-state in 00092 anymore...  The
following seems equally valid to me: 

00091 allow icmp from me to any
00092 allow icmp from any to me icmptype 0   -- allow ping reply to me

So what am I missing?  

And are errors as in the first example also possible with
tcp-connections, e.g. ssh?  

GH

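The two ordering effects this message and Giorgos Keramidas's reply above turn on (a "pass tcp established" rule placed ahead of the stateful block, and keep-state on ICMP creating a bidirectional dynamic rule) can be checked with the following added example, a Python first-match simulator for a small subset of ipfw(8) syntax; it is not code from any poster. The addresses 198.51.100.10 and 203.0.113.7 are constructed, the rule numbers in the Giorgos-style ruleset are assumed (he let ipfw number them), and interface options (via/recv/xmit) are parsed but ignored.

```python
import ipaddress
from collections import namedtuple

HOST, PEER = "198.51.100.10", "203.0.113.7"  # constructed: this host, a remote peer
ME = {HOST}                                   # addresses that match 'me'
Pkt = namedtuple("Pkt", "proto src dst sport dport dir flags icmptype",
                 defaults=(0, 0, "in", "", 0))  # flags: S=SYN, A=ACK, R=RST

def parse_rule(text):
    """Parse 'NNN action [log [logamount N]] proto from SRC [ports] to DST [ports] opts'."""
    t = text.split()
    r = {"num": int(t[0]), "log": False, "opts": set(), "sports": set(),
         "dports": set(), "icmptypes": set(),
         "action": {"pass": "allow", "accept": "allow"}.get(t[1], t[1])}
    if r["action"] == "check-state":
        return r
    i = 2
    if t[i] == "log":
        r["log"], i = True, i + (3 if t[i + 1] == "logamount" else 1)
    r["proto"], r["src"], i = t[i], t[i + 2], i + 3      # t[i + 1] is "from"
    if t[i] != "to":                                      # source port list
        r["sports"], i = {int(p) for p in t[i].split(",")}, i + 1
    r["dst"], i = t[i + 1], i + 2
    if i < len(t) and t[i][0].isdigit():                  # destination ports
        r["dports"], i = {int(p) for p in t[i].split(",")}, i + 1
    while i < len(t):                                     # remaining options
        if t[i] in ("via", "recv", "xmit"):
            i += 2                         # interface names are ignored here
        elif t[i] == "icmptype":
            r["icmptypes"], i = {int(p) for p in t[i + 1].split(",")}, i + 2
        else:
            r["opts"].add(t[i])
            i += 1
    return r

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def static_match(r, p):
    o = r["opts"]  # does packet p match the non-dynamic part of rule r?
    return (r["proto"] in ("ip", "all", p.proto)
            and addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
            and (not r["sports"] or p.sport in r["sports"])
            and (not r["dports"] or p.dport in r["dports"])
            and (not r["icmptypes"] or p.icmptype in r["icmptypes"])
            and (not o & {"in", "out"} or p.dir in o)
            and ("setup" not in o or ("S" in p.flags and "A" not in p.flags))
            and ("established" not in o or "A" in p.flags or "R" in p.flags))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(map(parse_rule, rules), key=lambda r: r["num"])
        self.dyn = {}  # bidirectional flow key -> rule that created the entry

    @staticmethod
    def key(p):
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def run(self, p):
        """(action, rule number, logged) of the first match; as in ipfw, the
        dynamic table is consulted at check-state and at keep-state rules."""
        for r in self.rules:
            if r["action"] == "check-state" or "keep-state" in r["opts"]:
                parent = self.dyn.get(self.key(p))
                if parent is not None:
                    return (parent["action"], parent["num"], False)
            if r["action"] != "check-state" and static_match(r, p):
                if "keep-state" in r["opts"]:
                    self.dyn[self.key(p)] = r
                return (r["action"], r["num"], r["log"])
        return ("deny", 65535, False)  # ipfw's implicit default rule

def established_before_stateful():
    """Reuben's 1200 'pass tcp established' runs before the stateful block, so a
    stray inbound ACK passes unlogged; Giorgos's order (numbers ours) denies it."""
    reuben = Firewall(["1200 pass tcp from any to any established",
                       "1401 deny tcp from any to any in established",
                       "1409 allow log tcp from any to me 22"])
    giorgos = Firewall(["100 check-state",
                        "200 deny tcp from any to any established",
                        "300 allow log tcp from any to any 21,22,25,80,443 in setup keep-state"])
    stray = Pkt("tcp", PEER, HOST, 40000, 22, "in", "A")   # ACK with no state
    syn, ack = (Pkt("tcp", PEER, HOST, 40001, 22, "in", f) for f in "SA")
    return reuben.run(stray), giorgos.run(stray), giorgos.run(syn), giorgos.run(ack)

def icmp_keep_state(with_fix):
    """Geert's case: keep-state on our outbound ping creates a bidirectional
    entry, so the peer's own echo requests get in while we are pinging it."""
    rules = ["92 allow icmp from me to any keep-state", "65535 deny ip from any to any"]
    if with_fix:
        rules.insert(0, "91 deny icmp from any to me icmptype 8")
    fw = Firewall(rules)
    before = fw.run(Pkt("icmp", PEER, HOST, icmptype=8))[0]
    fw.run(Pkt("icmp", HOST, PEER, dir="out", icmptype=8))  # we ping the peer
    during = fw.run(Pkt("icmp", PEER, HOST, icmptype=8))[0]
    reply = fw.run(Pkt("icmp", PEER, HOST, icmptype=0))[0]
    return before, during, reply
```

Running `icmp_keep_state(False)` reproduces the "UNLESS I am pinging them" effect (echo requests denied before the ping, allowed during it), and `icmp_keep_state(True)` shows the icmptype 8 deny rule closing that window while replies still pass.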

RE: ipfw: question about keep-state on icmp

2004-06-13 Thread JJB
I think if you read closely you will find out the keep-state option
does not work on the icmp protocol because icmp is a stateless
protocol.  This does not mean that ipfw will give a coding error if
you code it.

You have to have an icmp stateless rule to allow it out and another
to allow it in.

allow icmp from me to any out  via xl0

allow icmp from any to me icmptype 0   in  via xl0


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Geert
Hendrickx
Sent: Sunday, June 13, 2004 7:23 AM
To: [EMAIL PROTECTED]
Subject: ipfw: question about keep-state on icmp

Hi,

this is a fragment of my ipfw-config which should allow me to ping
others, but not allow others to ping me:

00092 allow icmp from me to any keep-state
65535 deny ip from any to any

Indeed, other hosts can't ping me... UNLESS I am pinging them at the
same time!  This is of course a result of keeping the state of ICMP
traffic between these two hosts, and I can avoid this by changing it
to:

00091 deny icmp from any to me icmptype 8-- deny ping request
to me
00092 allow icmp from me to any keep-state

(icmptype 8 = ping request)

But then I don't see the use for keep-state in 00092 anymore...  The
following seems equally valid to me:

00091 allow icmp from me to any
00092 allow icmp from any to me icmptype 0   -- allow ping reply to
me

So what am I missing?

And are errors as in the first example also possible with
tcp-connections, e.g. ssh?

GH


ipfw question...

2004-03-19 Thread Xpression
Hi list, I've this network configuration:

router (169.158.120.177)
server1 (169.158.120.178) running bind (named), tacacs+, exim, and a pop3
server
server2 (169.158.120.179) running squid, apache2, mysql, proftpd (is acting
as a GATEWAY)

I've a LAN (192.168.1.0/24) and a breaking apart LAN (192.168.2.0/8,
192.168.2.8/8, 192.168.2.16/8), my question is: I want to protect my LAN,
LAN and servers from the outside, I want to use ipfw, I have compiled a
kernel in server2 (FreeBSD-4.8 on both servers) and I'm blocked (in & out),
I've some doubts about adding rules 'cause I've been seeing so many samples
on the net and I'm a little bit confused... any suggestion about
configuration ???



Re: ipfw question...

2004-03-19 Thread whizkid
 Hi list, I've this network configuration:

 router (169.158.120.177)
 server1 (169.158.120.178) running bind (named), tacacs+, exim, and a pop3
 server
 server2 (169.158.120.179) running squid, apache2, mysql, proftpd (is
 acting
 as a GATEWAY)

 I've a LAN (192.168.1.0/24) and a breaking apart LAN (192.168.2.0/8,
 192.168.2.8/8, 192.168.2.16/8), my question is: I want to protect my LAN,
 LAN and servers from the outside, I want to use ipfw, I have compiled a
 kernel in server2 (FreeBSD-4.8 on both servers) and I'm blocked (in &
 out),
 I've some doubts about adding rules 'cause I've been seeing so many
 samples
 on the net and I'm a little bit confused...any suggestion about
 configuration ???

One thing that I learned was to make sure when you start opening ports (i.e.
you have DENY ALL as default) that you start with the lowest port number..
I for the life of me could not get SMTP working, so I moved it from the
bottom of my IPFW rules to the top, and voilà, it worked.  If you would
like I can post my IPFW rules.  They are extremely simple for my SSH, POP3,
SMTP, NTP, IMAP, BIND8 setup...


Re: ipfw question...

2004-03-19 Thread W. D.
At 12:40 3/19/2004, [EMAIL PROTECTED], wrote:
If you would
like I can post my IPFW rules.  They are extremely simple for my SSH, POP3,
SMTP, NTP, IMAP, BIND8 setup...

Please do!  Could you also include plain English comments as well?
There are a number of people that find these rules confusing.  Some
well documented descriptions would be very helpful.

Thanks!

Start Here to Find It Fast!™ - http://www.US-Webmasters.com/best-start-page/



IPFW question

2004-03-10 Thread Nagy László Zsolt
 Hi!

I'm using my own ip firewall (firewall_type=/etc/ipfw.conf) on my 
FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The 
ipfw command is for creating and deleting individual rules. What I would 
like to do is to create profiles (different config files) and reload the 
whole firewall configuration anytime. Is there a command for this? What 
I do now is that I reboot my box every time I change firewall 
configuration. But of course this is clumsy and very bad. I may start 
services on the server which will not allow me to reboot daily. Thanks 
in advance.

  Laci 2.0



Re: IPFW question

2004-03-10 Thread Charles Swiger
On Mar 10, 2004, at 1:52 PM, Nagy László Zsolt wrote:
I'm using my own ip firewall (firewall_type=/etc/ipfw.conf) on my 
FreeBSD 5.2 system. My problem is, how can I reload the whole thing?
Try "sh /etc/rc.firewall", or "ipfw -p /bin/cat /etc/ipfw.conf".  If 
you are not on the console of the machine, it might be advisable to use 
nohup or an & to background the command while running

--
-Chuck


Re: IPFW question

2004-03-10 Thread Thomas Vogt
Hi

ipfw flush # deletes all
ipfw /etc/ipfw.conf # loads all
regards
Thomas
Nagy László Zsolt wrote:
 Hi!

I'm using my own ip firewall (firewall_type=/etc/ipfw.conf) on my 
FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The 
ipfw command is for creating and deleting individual rules. What I would 
like to do is to create profiles (different config files) and reload the 
whole firewall configuration anytime. Is there a command for this? What 
I do now is that I reboot my box every time I change firewall 
configuration. But of course this is clumsy and very bad. I may start 
services on the server which will not allow me to reboot daily. Thanks 
in advance.

  Laci 2.0



Re: IPFW question

2004-03-10 Thread Martin Welk
On Wed, Mar 10, 2004 at 07:52:06PM +0100, Nagy László Zsolt wrote:

 FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The 


/sbin/ipfw -q /path/to/your/custom/rulesetfile

No RTFM intended - there are further options, please have a look
at the ipfw(8) man page.

Regards,
Martin

-- 
  ,,Oh, there's a lot of opportunities, if you're knowing to take them,
  you know, there's a lot of opportunities, if there aren't
you can make them, make or break them!'' (Tennant/Lowe)



Re: IPFW question

2004-03-10 Thread MikeM
Since I reload the firewall rules remotely, I need the -q option on the
ipfw command, e.g.:

 ipfw -q /etc/ipfw.conf

otherwise I lose my ssh connection to the box.

See man ipfw(8) for details on -q





On 3/10/2004 at 8:27 PM Thomas Vogt wrote:

|Hi
|
|ipfw flush # deletes all
|ipfw /etc/ipfw.conf # loads all
|
|regards
|Thomas
|
|Nagy László Zsolt wrote:
|
|  Hi!
|
| I'm using my own ip firewall (firewall_type=/etc/ipfw.conf) on my
| FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The

| ipfw command is for creating and deleting individual rules. What I would

| like to do is to create profiles (different config files) and reload the

| whole firewall configuration anytime. Is there a command for this? What
| I do now is that I reboot my box every time I change firewall
| configuration. But of course this is clumsy and very bad. I may start
| services on the server which will not allow me to reboot daily. Thanks
| in advance.
|
|   Laci 2.0
|



Re: IPFW question

2004-03-10 Thread Nagy László Zsolt
Thanks for all, it has been a great help.

MikeM wrote:

Since I reload the firewall rules remotely, I need the -q option on the 
ipfw command, e.g.:

ipfw -q /etc/ipfw.conf 

otherwise I lose my ssh connection to the box.

See man ipfw(8) for details on -q





On 3/10/2004 at 8:27 PM Thomas Vogt wrote:

|Hi
|
|ipfw flush # deletes all
|ipfw /etc/ipfw.conf # loads all
|
|regards
|Thomas
|
|Nagy László Zsolt wrote:
| 
|  Hi!
| 
| I'm using my own ip firewall (firewall_type=/etc/ipfw.conf) on my 
| FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The

| ipfw command is for creating and deleting individual rules. What I would

| like to do is to create profiles (different config files) and reload the

| whole firewall configuration anytime. Is there a command for this? What 
| I do now is that I reboot my box every time I change firewall 
| configuration. But of course this is clumsy and very bad. I may start 
| services on the server which will not allow me to reboot daily. Thanks 
| in advance.
| 
|   Laci 2.0
| 



ipfw question - ICMP

2004-03-02 Thread C. Kukulies
I have set up my FreeBSD box with ADSL (pppoe) and ipfw (rc.firewall with 
type 'simple').

I have fine-tuned it to allow ssh from certain addresses outside, sendmail works,
but I cannot ping either from inside or from outside.

What does the rule for ICMP look like?

--
Chris Christoph P. U. Kukulies kuku_at_physik.rwth-aachen.de


Re: ipfw question - ICMP

2004-03-02 Thread Jonathan Chen
On Tue, Mar 02, 2004 at 10:39:42PM +0100, C. Kukulies wrote:
 I have set up my FreeBSD box with ADSL (pppoe) and ipfw (rc.firewall with 
 type 'simple').
 
 I have fine-tuned it to allow ssh from certain addresses outside, sendmail works,
 but I cannot ping either from inside or from outside.
 
 What does the rule for ICMP look like?

Something like:

ipfw add allow icmp from any to any
or
ipfw add allow icmp from any to any icmptype 0,3,8,11,12

Cheers.
-- 
Jonathan Chen [EMAIL PROTECTED]
--
 Nyuck, nyuck, nyuck - Curly


Re: ipfw question

2003-11-11 Thread Simon Gray
63000    0     0 deny log logamount 100 udp from any to any 119 via sis0
63000   24  1152 deny log logamount 100 tcp from any to any 135 via sis0
63000    0     0 deny log logamount 100 udp from any to any 135 via sis0

63000 is the rule number correct?
I'm wondering what the other 2 places are..
24  and 1152

If you're getting 0 on the other rules, it probably means it's not running
those rules.  So therefore it won't actually log if it isn't getting to
that rule.

Also from the looks of things, if you're trying to block Windows
filesharing/smb you might want to block 135 - 139 both tcp/udp (instead
of specifying 135 in the rule add '135-139') rather than just 135 tcp/udp.

Are they inbound and outbound?

Well, depends (could be both, yes); anything that's aimed at tcp 135 will
be denied and logged.

Do I make any sense?

Not really :/ What's the question?

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipfw question

2003-11-11 Thread Shawn Guillemette
Thank you..

I'm really only blocking 135 due to MSBlaster and others... no Samba yet



- Original Message - 
From: Simon Gray [EMAIL PROTECTED]
To: Shawn Guillemette [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 7:00 AM
Subject: Re: ipfw question


 63000    0     0 deny log logamount 100 udp from any to any 119 via sis0
 63000   24  1152 deny log logamount 100 tcp from any to any 135 via sis0
 63000    0     0 deny log logamount 100 udp from any to any 135 via sis0

 63000 is the rule number correct?
 I'm wondering what the other 2 places are..
 24  and 1152

 If you're getting 0 on the other rules, it probably means it's not running
 those rules.  So therefore it won't actually log if it isn't getting to
 that rule.

 Also from the looks of things, if you're trying to block Windows
 filesharing/smb you might want to block 135 - 139 both tcp/udp (instead
 of specifying 135 in the rule add '135-139') rather than just 135 tcp/udp.

 Are they inbound and outbound?

 Well, depends (could be both, yes); anything that's aimed at tcp 135 will
 be denied and logged.

 Do I make any sense?

 Not really :/ What's the question?






Re: ipfw question

2003-11-11 Thread Kevin D. Kinsey, DaleCo, S.P.
Shawn Guillemette wrote:

Looking at ipfw show 

63000    0     0 deny log logamount 100 udp from any to any 119 via sis0
63000   24  1152 deny log logamount 100 tcp from any to any 135 via sis0
63000    0     0 deny log logamount 100 udp from any to any 135 via sis0
63000 is the rule number correct?

Yes it is; but I'm not sure how ipfw reacts
when you have 3 rules that all have the same
number ... I'd test it thoroughly at the very least.

I'm wondering what the other 2 places are.. 

24  and 1152

IIRC (and maybe I don't) that is the
number of packets received that
match this rule (24) and the total
size of those packets (in Bytes??)

Are they inbound and outbound?

No.

Do I make any sense?

Some  ;-)

There is no place like 127.0.0.1
 

Don't you mean There's no place like '~' ???

Kevin Kinsey
DaleCo, S.P.


Re: ipfw question

2003-11-11 Thread Sergey 'DoubleF' Zaharchenko
On Tue, 11 Nov 2003 12:00:10 - Simon Gray [EMAIL PROTECTED] probably wrote:

 63000    0     0 deny log logamount 100 udp from any to any 119 via sis0
 63000   24  1152 deny log logamount 100 tcp from any to any 135 via sis0
 63000    0     0 deny log logamount 100 udp from any to any 135 via sis0
 
 63000 is the rule number correct?
 I'm wondering what the other 2 places are..
 24  and 1152
 If you're getting 0 on the other rules, it probably means it's not running
 those rules.  So therefore it won't actually log if it isn't getting to
 that rule.
 
 Also from the looks of things, if you're trying to block Windows
 filesharing/smb you might want to block 135 - 139 both tcp/udp (instead
 of specifying 135 in the rule add '135-139') rather than just 135 tcp/udp.
 
 Are they inbound and outbound?
 Well, depends (could be both, yes); anything that's aimed at tcp 135 will
 be denied and logged.

These are counts in packets and bytes.

 
 Do I make any sense?
 
 Not really :/ What's the question?
 
 
 


-- 
DoubleF
BLISS is ignorance




ipfw question

2003-11-10 Thread Shawn Guillemette
Looking at ipfw show 

63000    0     0 deny log logamount 100 udp from any to any 119 via sis0
63000   24  1152 deny log logamount 100 tcp from any to any 135 via sis0
63000    0     0 deny log logamount 100 udp from any to any 135 via sis0

63000 is the rule number correct?
I'm wondering what the other 2 places are.. 

24  and 1152

Are they inbound and outbound?

Do I make any sense?

There is no place like 127.0.0.1


Re: ipfw question

2003-03-29 Thread Dancho Penev
On Fri, Mar 28, 2003 at 10:34:16AM -0500, Walter wrote:
Hi all,

   I see a strange entry in my mail log from the
ipfw log output.  I don't really have a firm grasp
on ipfw yet and need help understanding how this
log entry came about (17 times), below:
 ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0

The output of ipfw list starts as:

00100 allow ip from any to any via lo0
00200 deny log logamount 100 ip from any to 127.0.0.0/8
00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
01300 divert 8668 ip from any to any via fxp0
01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
remaining omitted
My question is how come rule 00700 did not kick out the
prober, rather falling to rule 01700??  I realize the log
amounts are limited, but how did rule 01700 get activated
when rule 00700, seems to me, should have knocked out the
packet?  Is this evidence of someone having broken into my
FBSD router, as there are no other entries I've seen to
other possible internal IP's, or was someone just lucky?
Thanks.

Walter

Because the original packet was from 0.0.0.0 to YOUR_PUBLIC_IP
and natd (rule 1300) rewrote the destination address YOUR_PUBLIC_IP
to your private IP address.  You should try to find out who sends
this kind of packet from your net to the outside world, because
they are not very regular.

--
Regards,
Dancho Penev


ipfw question

2003-03-28 Thread Walter
Hi all,

   I see a strange entry in my mail log from the
ipfw log output.  I don't really have a firm grasp
on ipfw yet and need help understanding how this
log entry came about (17 times), below:
 ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0

The output of ipfw list starts as:

00100 allow ip from any to any via lo0
00200 deny log logamount 100 ip from any to 127.0.0.0/8
00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
01300 divert 8668 ip from any to any via fxp0
01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
remaining omitted
My question is how come rule 00700 did not kick out the
prober, rather falling to rule 01700??  I realize the log
amounts are limited, but how did rule 01700 get activated
when rule 00700, seems to me, should have knocked out the
packet?  Is this evidence of someone having broken into my
FBSD router, as there are no other entries I've seen to
other possible internal IPs, or was someone just lucky?
Thanks.

Walter



simple ipfw question

2003-01-22 Thread Brian Davis
Greetings,

I am attempting to build a dual-homed firewall using FreeBSD 4.7
RELEASE.  The PC is presently connected to a corporate LAN with DHCP and
DNS servers and a broadband connection to the Internet.

The outside interface (rl0) is configured as follows:
IP address: a.b.148.62 (dynamically assigned)
Subnet: 255.255.248.0
Gateway: a.b.144.254
DNS: a.b.144.1

The inside interface (rl1) is configured as follows:
IP address: 192.168.1.1
Subnet: 255.255.255.0

My private network consists of one workstation which is set up as
follows:
IP address: 192.168.1.2
Subnet: 255.255.255.0
Gateway: 192.168.168.1
DNS: a.b.144.1

When I use the open ruleset in /etc/rc.firewall, the workstation on my
private network can get through the firewall to the LAN and the
Internet.  When I switch to the simple ruleset, the firewall stops
forwarding packets.  From the console, I can ping the outside and inside
interfaces, but nothing else.  Everything looks normal in dmesg.
Additional info upon request!

Brian Davis


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: simple ipfw question

2003-01-22 Thread Bill Moran
Brian Davis wrote:

Greetings,

I am attempting to build a dual-homed firewall using FreeBSD 4.7
RELEASE.  The PC is presently connected to a corporate LAN with DHCP and
DNS servers and a broadband connection to the Internet.

The outside interface (rl0) is configured as follows:
IP address: a.b.148.62 (dynamically assigned)
Subnet: 255.255.248.0
Gateway: a.b.144.254
DNS: a.b.144.1

The inside interface (rl1) is configured as follows:
IP address: 192.168.1.1
Subnet: 255.255.255.0

My private network consists of one workstation which is set up as
follows:
IP address: 192.168.1.2
Subnet: 255.255.255.0
Gateway: 192.168.168.1
DNS: a.b.144.1

When I use the open ruleset in /etc/rc.firewall, the workstation on my
private network can get through the firewall to the LAN and the
Internet.  When I switch to the simple ruleset, the firewall stops
forwarding packets.  From the console, I can ping the outside and inside
interfaces, but nothing else.  Everything looks normal in dmesg.
Additional info upon request!


Did you tweak the /etc/rc.firewall script to insert your IP address ranges
into it? (look for the simple section of the script and tweak the iif,
iip, oif, oip, etc ... values)
If that doesn't help, try posting the output of 'ipfw show' to the list.
It'll make it a lot easier for folks to diagnose.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com





Re: simple ipfw question

2003-01-22 Thread Brian Davis
  Greetings,
 
  I am attempting to build a dual-homed firewall using FreeBSD 4.7
  RELEASE.  The PC is presently connected to a corporate LAN with DHCP and
  DNS servers and a broadband connection to the Internet.
 
  The outside interface (rl0) is configured as follows:
  IP address: a.b.148.62 (dynamically assigned)
  Subnet: 255.255.248.0
  Gateway: a.b.144.254
  DNS: a.b.144.1
 
  The inside interface (rl1) is configured as follows:
  IP address: 192.168.1.1
  Subnet: 255.255.255.0
 
  My private network consists of one workstation which is set up as
  follows:
  IP address: 192.168.1.2
  Subnet: 255.255.255.0
  Gateway: 192.168.168.1
  DNS: a.b.144.1
 
  When I use the open ruleset in /etc/rc.firewall, the workstation on my
  private network can get through the firewall to the LAN and the
  Internet.  When I switch to the simple ruleset, the firewall stops
  forwarding packets.  From the console, I can ping the outside and inside
  interfaces, but nothing else.  Everything looks normal in dmesg.
  Additional info upon request!

 Did you tweak the /etc/rc.firewall script to insert your IP address ranges
 into it? (look for the simple section of the script and tweak the iif,
 iip, oif, oip, etc ... values)
 If that doesn't help, try posting the output of 'ipfw show' to the list.
 It'll make it a lot easier for folks to diagnose.

 --
 Bill Moran
 Potential Technologies
 http://www.potentialtech.com

Hope this helps:

/etc/rc.firewall:

[simple section]
oif=rl0
onet=a.b.144.0
omask=255.255.248.0
oip=a.b.148.62
iif=rl1
inet=192.168.1.0
imask=255.255.255.0
iip=192.168.1.1

/etc/rc.conf:

gateway_enable=YES
hostname=(hostname.domain)
ifconfig_rl0=DHCP
kern_securelevel=2
kern_securelevel_enable=YES
moused_enable=YES
nfs_server_enable=NO
saver=green
sendmail_enable=NO
sshd_enable=NO
ifconfig_rl1=inet 192.168.1.1 netmask 255.255.255.0
firewall_enable=YES
firewall_type=simple
natd_enable=YES
natd_interface=rl0
defaultrouter=a.b.144.254
natd_flags=-dynamic

Compiled kernel with these options:

options   IPDIVERT
options   IPFIREWALL
options   IPFIREWALL_VERBOSE
options   IPFIREWALL_VERBOSE_LIMIT=10

ipfw show:

00100  00 allow ip from any to any via 1o0
00200  00 deny ip from any to 127.0.0.0/0
00300  00 deny ip from 127.0.0.0/8 to any
00400  00 deny ip from 192.168.1.0/24 to any in recv rl0
00500  00 deny ip from a.b.144.0/21 to any in recv rl1
00600  00 deny ip from any to 10.0.0.0/8 via rl0
00700  00 deny ip from any to 172.16.0.0/12 via rl0
00800  00 deny ip from any to 192.168.0.0/16 via rl0
00900  00 deny ip from any to 0.0.0.0/8 via rl0
01000  00 deny ip from any to 169.254.0.0/16 via rl0
01100  00 deny ip from any to 192.0.2.0/24 via rl0
01200  00 deny ip from any to 224.0.0.0/4 via rl0
01300  9  773 deny ip from any to 240.0.0.0/24 via rl0
01400 73 9535 divert 8668 ip from any to any via rl0
01500  00 deny ip from 10.0.0.0/8 to any via rl0
01600  00 deny ip from 172.16.0.0/12 to any via rl0
01700  00 deny ip from 192.168.0.0/16 to any via rl0
01800  00 deny ip 0.0.0.0/8 to any via rl0
01900  00 169.254.0.0/16 to any via rl0
02000  00 deny ip from 192.0.2.0/24 to any via rl0
02100  00 deny ip from 224.0.0.0/4 to any via rl0
02200  00 deny ip from 240.0.0.0/4 to any via rl0
02300  00 allow tcp form any to any established
02400  00 allow ip from any to any frag
02500  00 allow tcp from any to a.b.148.62 25 setup
02600  00 allow tcp from any to a.b.148.62 53 setup
02700  00 allow udp from any to a.b.148.62 53
02800  00 allow udp from a.b.148.62 53 to any
02900  00 allow tcp from any to a.b.148.62 80 setup
03000  00 deny log logamount 10 tcp from any to any in recv rl0 setup
03100  00 allow tcp from any to any setup
03200 26 1912 allow udp from a.b.148.62 to any 53 keep-state
03300  00 allow udp from a.b.148.62 to any 123 keep-state
65535 58 9215 deny ip from any to any

The counts for rules 1300, 1400, 3200 and 65535 keep incrementing.  All
other rules are goose eggs.

BTW, I run 'ifconfig rl0' occasionally to make sure my dynamic IP
address has not changed.





IPFW question in 2.2.8 release?

2003-01-22 Thread Orlando Reis
Hi, I'm sorry to bother you all, but I have the following questions. I'm
using FreeBSD 2.2.8 with a custom gated daemon that supports QoSR. I was
told to do some tests with ipfw using the dummynet extension; all goes well
until after 5 or 6 minutes of testing, when I think IPFW fails.
If I do ipfw -a l
I got this result:
00100   482 31538   pipe 1 tcp from any to any
00100   482 0   pipe 2 tcp from any to any
00100 84236 123463858   pipe 3 tcp from any to any
00100 83898 123450062   pipe 4 tcp from any
00100   794 31538   deny ip from any to any

My guess is the firewall queues are full and it stops forwarding packets?
I cannot upgrade the FreeBSD version on any of the machines :( Can
someone give me some hint on how to resolve this?

I requested some help from Luigi Rizzo but I still haven't received a reply...

This was the message I sent him (with a more elaborate question, but
still the same problem):

I'm testing a QoS Routing prototype that we have implemented in Gated.
I'm running five-minute tests; every five experiments of five minutes, I
change parameters in our changed gated. Without ipfw I've reached a pretty
good solution, but my problem is when I use ipfw to simulate WAN effects
such as delay, bandwidth, loss, etc...
Until this point I'm solving the problem with the following sequence of
events in my dummynet routers: stop gated; clear all in ipfw (including
the pipes); construct the ipfw pipes, and then start gated again.
My problem is that after 10 minutes of testing the queues get too full in
ipfw and communication between the dummynet routers and my normal routers
stops (that's what I think is happening).
Rx - means router x
DRy - means dummynet router y
On R1 and R5 I have 4 endpoints attached, each through a switch in each
one, which I use to generate and receive the traffic for further study.



 / R2 - - - - DR1\
   /   \
 /   \
4 Endp's   - - - R1 - - - R3 - - - - DR2- R5 - - - - - 4 Endp's.
 \   /
   \/
 \ R4 - - - - DR3 /


I'm using the ipfw that comes with freebsd 2.2.8 , hosts are


DR1 - Intel celeron 333 , 128 Mg,  freebsd 2.2.8 , original gated 3.5.11
DR2 - Intel celeron 333 , 128 Mg,  freebsd 2.2.8 , original gated 3.5.11
DR3 - Intel celeron 333 , 128 Mg,  freebsd 2.2.8 , original gated 3.5.11
R1 - Intel celeron 466 , 128 Mg,  freebsd 2.2.8 , changed gated 3.5.11
R2 - Intel celeron 466 , 128 Mg,  freebsd 2.2.8 , changed gated 3.5.11
R3 - Intel celeron 466 , 128 Mg,  freebsd 2.2.8 , changed gated 3.5.11
R4 - Intel celeron 466 , 128 Mg,  freebsd 2.2.8 , changed gated 3.5.11
R5 - Intel celeron 466 , 128 Mg,  freebsd 2.2.8 , changed gated 3.5.11


ipfw rules are simple:
ipfw add pipe 1 ip from any to any via xl0
ipfw add pipe 2 ip from any to any
ipfw pipe 1 config delay 30ms
ipfw pipe 2 config delay 0ms


where xl0 connection is between(DR1-R5, DR2-R5, DR3-R5)


this is an example output of ipfw show, after the failure:


00100  320097   475909018   pipe 1  ip from any to any via xl0
00200  319874   475892138   pipe 2  ip from any to any
65535 230   16756   deny ip from any to any

I'm saying that the problem is in ipfw, because I'm figuring that it's not
working how it's supposed to :(
I'm trying to say that after a while it stops bridging packets from one
interface to the other, or that it doesn't forward the packets after some
amount of traffic going by.


I think I'm using all the modules that I need. I read your documentation
carefully and more than once, although I think that the documentation you
have online is for a more recent FreeBSD version (the option bridged only
works in FreeBSD 4.0 or higher).


Any help will be great, and once again sorry to bother you :(

P.S. I'm generating traffic with netiq tool chariot.
I have tools for checking the traffic in routers R1,R3,R4 and R5
I see traffic arriving/leaving on R1,R3,R4 but it doesn't reach R5.





Re: IPFW question in 2.2.8 release?

2003-01-22 Thread Gregory Bond
IPFW question in 2.2.8 release? 

Ouch!  Dummynet was very new and probably best classed as experimental in
2.2.8, and even in most of the 3.x line it was a bit flaky.  I'm not surprised
you are having trouble with it and I'm also not surprised Luigi is unwilling or
unable to debug obsolete code.  2.2.8 was EOL'd ages ago and you will be
unlikely to get any help from anyone without upgrading to a recent 4.x version.

Greg.






ipfw question (was: Re[2]: Question)

2003-01-13 Thread Alex

Dear/Beste Steve,

Monday, January 13, 2003, 3:07:53 AM, you wrote:

Dear/Beste Steve,

Monday, January 13, 2003, 12:23:09 AM, you wrote:

 Hey people,

 I'm having trouble limiting users to certain services on my LAN.

 Here's what im trying to do.

 Based on group membership, allow or deny certain users access to certain
 outgoing services (www, telnet, ftp, ssh, ping, traceroute, etc). Again
 this
 is not IP based, but based on group membership. Everyone can log into any
 PC
 on the LAN. I've seen something like this done in Novell, where based on
 a
 users group context, their access is limited to certain services.

 Can it be done based on groups? These people don't have static ips

Yes but you use the account on the server machine. Just check out the
'man ipfw'. I'm not an expert on this; just try it out.


-- 
Best regards/Met vriendelijke groet,
Alex





Re: NAT + IPFW question

2002-11-26 Thread Flemming Frøkjær
Alvaro Rosales R. wrote:
 Hi fellows I have setup natd in my freeBSD BOX (using firewall =OPEN)
 and it is working fine.
 Now I want to close my firewall so that the only computer that is using
 NATD would be the only one that could accept connections from the
 internet. But when I try to telnet to the natd box I can't connect to it. What
 am I doing wrong?
 Those are my ipfw rules
 10.10.1.91 (natd box)
 10.10.1.2 (my box)
 
 00050   5816  2829686 divert 8668 ip from any to any via rl1
 00100   2412   168334 allow ip from any to any via lo0
 00200  00 deny ip from any to 127.0.0.0/8
 00300  00 deny ip from 127.0.0.0/8 to any
 00800   5609  6342173 allow ip from 10.10.1.91 to 130.102.1.2
 00801   3580   143970 allow ip from 10.10.1.2 to 130.102.1.91
 01000 430772 59326512 deny ip from any to any
 65000  00 allow ip from any to 10.10.1.2
 65535  17161  5967606 allow ip from any to any
 

You need to tell natd to forward port 23 (telnet) to 10.10.1.2
man natd

\Flemming




Re: NAT + IPFW question

2002-11-26 Thread Drew Tomlinson
- Original Message -
From: Flemming Frøkjær [EMAIL PROTECTED]
To: Alvaro Rosales R. [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, November 26, 2002 8:29 AM
Subject: Re: NAT + IPFW question


 Alvaro Rosales R. wrote:
  Hi fellows I have setup natd in my freeBSD BOX (using firewall =OPEN)
  and it is working fine.
  Now I want to close my firewall so that the only computer that is using
  NATD would be the only one that could accept connections from the
  internet. But when I try to telnet to the natd box I can't connect to it. What
  am I doing wrong?
  Those are my ipfw rules
  10.10.1.91 (natd box)
  10.10.1.2 (my box)
 
  00050   5816  2829686 divert 8668 ip from any to any via rl1
  00100   2412   168334 allow ip from any to any via lo0
  00200  00 deny ip from any to 127.0.0.0/8
  00300  00 deny ip from 127.0.0.0/8 to any
  00800   5609  6342173 allow ip from 10.10.1.91 to 130.102.1.2
  00801   3580   143970 allow ip from 10.10.1.2 to 130.102.1.91
  01000 430772 59326512 deny ip from any to any
  65000  00 allow ip from any to 10.10.1.2
  65535  17161  5967606 allow ip from any to any
 

 You need to tell natd to forward port 23 (telnet) to 10.10.1.2
 man natd

This is only necessary if the poster wants to connect to his box.  As
I understand it, he wishes to telnet to the natd box which is
10.10.1.91.  In this case, no forward is required.

Cheers,

Drew

 \Flemming








NAT + IPFW question

2002-11-25 Thread Alvaro Rosales R.
Hi fellows I have setup natd in my freeBSD BOX (using firewall =OPEN)
and it is working fine.
Now I want to close my firewall so that the only computer that is using
NATD would be the only one that could accept connections from the
internet. But when I try to telnet to the natd box I can't connect to it. What
am I doing wrong?
Those are my ipfw rules
10.10.1.91 (natd box)
10.10.1.2 (my box)

00050   5816  2829686 divert 8668 ip from any to any via rl1
00100   2412   168334 allow ip from any to any via lo0
00200  00 deny ip from any to 127.0.0.0/8
00300  00 deny ip from 127.0.0.0/8 to any
00800   5609  6342173 allow ip from 10.10.1.91 to 130.102.1.2
00801   3580   143970 allow ip from 10.10.1.2 to 130.102.1.91
01000 430772 59326512 deny ip from any to any
65000  00 allow ip from any to 10.10.1.2
65535  17161  5967606 allow ip from any to any




Re: NAT + IPFW question

2002-11-25 Thread Drew Tomlinson
- Original Message -
From: Alvaro Rosales R. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 25, 2002 2:42 PM
Subject: NAT + IPFW question


 Hi fellows I have setup natd in my freeBSD BOX (using firewall =OPEN)
 and it is working fine.
 Now I want to close my firewall so that the only computer that is using
 NATD would be the only one that could accept connections from the
 internet. But when I try to telnet to the natd box I can't connect to it. What
 am I doing wrong?

By default, telnet is disabled in recent versions of FBSD.  Have you
enabled (uncommented) it in inetd.conf?

Cheers,

Drew

 Those are   my  ipfw rules
 10.10.1.91 (natd box)
 10.10.1.2 (my box)

 00050   5816  2829686 divert 8668 ip from any to any via rl1
 00100   2412   168334 allow ip from any to any via lo0
 00200  00 deny ip from any to 127.0.0.0/8
 00300  00 deny ip from 127.0.0.0/8 to any
 00800   5609  6342173 allow ip from 10.10.1.91 to 130.102.1.2
 00801   3580   143970 allow ip from 10.10.1.2 to 130.102.1.91
 01000 430772 59326512 deny ip from any to any
 65000  00 allow ip from any to 10.10.1.2
 65535  17161  5967606 allow ip from any to any








Re: NAT + IPFW question

2002-11-25 Thread Drew Tomlinson

- Original Message -
From: Drew Tomlinson [EMAIL PROTECTED]
To: Alvaro Rosales R. [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Monday, November 25, 2002 3:01 PM
Subject: Re: NAT + IPFW question


 - Original Message -
 From: Alvaro Rosales R. [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, November 25, 2002 2:42 PM
 Subject: NAT + IPFW question


  Hi fellows I have setup natd in my freeBSD BOX (using firewall =OPEN)
  and it is working fine.
  Now I want to close my firewall so that the only computer that is using
  NATD would be the only one that could accept connections from the
  internet. But when I try to telnet to the natd box I can't connect to it. What
  am I doing wrong?

 By default, telnet is disabled in recent versions of FBSD.  Have you
 enabled (uncommented) it in inetd.conf?

 Cheers,

 Drew

  Those are   my  ipfw rules
  10.10.1.91 (natd box)
  10.10.1.2 (my box)
 
  00050   5816  2829686 divert 8668 ip from any to any via rl1
  00100   2412   168334 allow ip from any to any via lo0
  00200  00 deny ip from any to 127.0.0.0/8
  00300  00 deny ip from 127.0.0.0/8 to any
  00800   5609  6342173 allow ip from 10.10.1.91 to 130.102.1.2
  00801   3580   143970 allow ip from 10.10.1.2 to 130.102.1.91
  01000 430772 59326512 deny ip from any to any
  65000  00 allow ip from any to 10.10.1.2
  65535  17161  5967606 allow ip from any to any

OK, Telnet is enabled.  You have to have port 23 open on your firewall.
Something like 'ipfw add 802 allow ip from any to your external
interface (i.e. ed0) 23'.

HTH,

Drew

