On 31 Jan eric wyzerski wrote:
The solution is to explicitly tell your FTP server what to report as its
IP address, and give it a range of ports to give out as well.
unix-server configuration file as follows: passive ports
0.0.0.0/0 32768 49151
passive address your.pub.IP.addr 0.0.0.0/0
eric wyzerski wrote:
My setup works well with Active ftp but not with passive ftp. Your setup
doesn't work with passive ftp. From ipfilter faq:
# I have an FTP server behind an IPF firewall, and I'm having problems
serving passive FTP.
Sorry, from your original post it was not clear to me
Hi,
For a whole day I tried to make an ftp who is behind the firewall to work
but I'm not able. My ipf rules are:
pass in quick from any to any
pass out quick from any to any
So it is not an ipf problem. My ipnat rules are:
map rl0 10.0.0.0/8 -> 0/32
rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of eric wyzerski
Sent: Monday, January 31, 2005 2:11 PM
To: freebsd-questions@freebsd.org
Subject: Ftp behind firewall/nat
Hi,
For a whole day I tried to make an ftp who is behind the firewall to work
: Monday, January 31, 2005 12:11 PM
Subject: Ftp behind firewall/nat
Hi,
For a whole day I tried to make an ftp who is behind the firewall to work
but I'm not able. My ipf rules are:
pass in quick from any to any
pass out quick from any to any
So it is not an ipf problem. My ipnat rules are:
map rl0
of me
router via ipnat command?
Thanks!
Eric
From: Thomas Foster [EMAIL PROTECTED]
To: eric wyzerski
[EMAIL PROTECTED],freebsd-questions@freebsd.org
Subject: Re: Ftp behind firewall/nat
Date: Mon, 31 Jan 2005 14:24:15 -0800
You also might want to pass and redirect tcp port 20 (ftp data
Andras Kende wrote:
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of eric wyzerski
Sent: Monday, January 31, 2005 2:11 PM
To: freebsd-questions@freebsd.org
Subject: Ftp behind firewall/nat
Hi,
For a whole day I tried to make an ftp who is behind
Hi,
My setup works well with Active ftp but not with passive ftp. Your setup
doesn't work with passive ftp. From ipfilter faq:
# I have an FTP server behind an IPF firewall, and I'm having problems
serving passive FTP.
The IPF How-To gives a good explanation of this. The client will try
Andy Firman wrote:
First, if one were to deploy FreeBSD 5.3 as a standard
web and email server, would it need a firewall?
I don't see the point because only ports like 25 for
smtp, 110 for pop, 80 for http, etc... will be listening
and open for connections with or without a firewall.
You always
First, if one were to deploy FreeBSD 5.3 as a standard
web and email server, would it need a firewall?
I don't see the point because only ports like 25 for
smtp, 110 for pop, 80 for http, etc... will be listening
and open for connections with or without a firewall.
Second, I would like
Andy Firman wrote:
First, if one were to deploy FreeBSD 5.3 as a standard
web and email server, would it need a firewall?
I don't see the point because only ports like 25 for
smtp, 110 for pop, 80 for http, etc... will be listening
and open for connections with or without a firewall.
Second, I
Andy Firman wrote:
Second, I would like to replace my Linux gateway running
Shorewall. Shorewall is a nice package for managing the
netfilter firewall capabilities of the Linux kernel.
Is there something similar for FreeBSD?
Personally I don't like Shorewall at all
but.. imho m0n0wall rocks
Having a firewall prevents rogue programs from opening up other ports
on your machine. You have to worry about services you don't install
and configure just as much (maybe even more so) as the services you do
install.
On Sat, 29 Jan 2005 12:50:51 -0900, Andy Firman [EMAIL PROTECTED] wrote
For FreeBSD.. I highly recommend PF
http://www.section6.net/help/pf.php
Hope this helps
T
- Original Message -
From: Andy Firman [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Saturday, January 29, 2005 1:50 PM
Subject: 2 quick firewall questions for FreeBSD
First, if one were
On 01/10/05 01:34 PM, dave sat at the `puter and typed:
Hello,
For your setup of blacklisting IPs do you use any cron scripts for
procedure automation?
I'm assuming for your firewall block table that you store that in a
separate file? Can you send that file my way? I've tried to come
I apologize in advance if this question is pretty information-dense.
I'm using the kdc in the 5.3 base system as an authentication server for
my home LAN. I can use kinit to get a TGT from the server from machines
on the LAN and elsewhere on the Internet, and I can use SSH with the
Hello,
I was wondering is it possible to load ipf or pf via rc.conf with a
system in a securelevel of 1 or greater? Trying this thus far has been
unsuccessful, reading the man page suggests this is not possible but if
anyone has a workaround I'd appreciate it.
Thanks.
Dave.
:/root#
How are you setting the system securelevel and how do firewall rules
fail to load?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
On Mon, Nov 29, 2004 at 04:14:07PM +0100, Ruben de Groot wrote:
: : allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0
: :
: : where INTERNAL_NET would be e.g. 192.168.0.0/24
I was checking out the man page, and I'm a little unclear on whether I want
'xmit' or 'via' in this rule.
a little unclear on whether I want
'xmit' or 'via' in this rule. Does it make much of a practical difference?
If you want to check your firewall with a scan from nmap, go to:
http://jeremino.homeunix.net/portscan.php
On Sun, Nov 28, 2004 at 02:27:41PM +0200, Giorgos Keramidas typed:
On 2004-11-28 04:48, Jonathon McKitrick [EMAIL PROTECTED] wrote:
On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
: AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
: you also have
laptop packets out? Or does it
still leave the laptop exposed? I'd like to protect all the machines with
one firewall, while keeping it simple, if possible.
jm
always forget about ppp-nat.
So, then, is this the best way to allow my laptop packets out? Or does it
still leave the laptop exposed? I'd like to protect all the machines with
one firewall, while keeping it simple, if possible.
Your laptop won't be exposed by this. You could however fine-tune
that get nat'ed. I believe this is normal behaviour.
:
: Ah, yes. I always forget about ppp-nat.
:
: So, then, is this the best way to allow my laptop packets out? Or does it
: still leave the laptop exposed? I'd like to protect all the machines with
: one firewall, while keeping
? I'd like to protect all the machines with
: one firewall, while keeping it simple, if possible.
:
: Your laptop won't be exposed by this. You could however finetune your
: ruleset a little bit by modifying rule 300 to something like:
:
: allow ip from ${INTERNAL_NET} to any keep-state out
${INTERNAL_NET} to any keep-state out xmit tun0
:
: where INTERNAL_NET would be e.g. 192.168.0.0/24
Should I also run a firewall on the laptop then, since all traffic to the
laptop is allowed to pass?
Probably, irrelevant to the original question, but...
In general, it's not a bad idea. You won't have
it on the network at my job. They have a
firewall, but who knows how it's set up
jm
--
My other computer is your Windows box.
On 2004-11-28 04:48, Jonathon McKitrick [EMAIL PROTECTED] wrote:
On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
: AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
: you also have rule 00200 in there.
Hmmm here's a run after having the laptop
Here are my rules:
[EMAIL PROTECTED]:~# ipfw show
00100 0 0 check-state
00200 2 144 allow ip from me to any keep-state out xmit tun0
00300 0 0 allow ip from any to any keep-state out xmit tun0
00400 0 0 deny tcp from any to any in recv tun0 established
00500 0 0 allow ip from any to any
Jonathon McKitrick wrote:
Here are my rules:
[EMAIL PROTECTED]:~# ipfw show
00100 0 0 check-state
00200 2 144 allow ip from me to any keep-state out xmit tun0
00300 0 0 allow ip from any to any keep-state out xmit tun0
00400 0 0 deny tcp from any to any in recv tun0 established
00500 0 0
On 2004-11-27 21:56, Jonathon McKitrick [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED]:~# ipfw show
00100 0 0 check-state
00200 2 144 allow ip from me to any keep-state out xmit tun0
00300 0 0 allow ip from any to any keep-state out xmit tun0
00400 0 0 deny tcp from any to any in recv tun0
On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
: AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
: you also have rule 00200 in there.
Hmmm here's a run after having the laptop running for a bit. I don't
see why 200 doesn't cover the case either.
--- Darryl Hoar [EMAIL PROTECTED] wrote:
Does anyone have a pointer to or know of a good
tutorial for setting up a freebsd box as a firewall
using
IPFilter ?
In the past, I have used the tutorial at:
http://www.schlacter.net/
But it is for Freebsd 4.6-stable. I would need one
Does anyone have a pointer to or know of a good
tutorial for setting up a freebsd box as a firewall using
IPFilter ?
In the past, I have used the tutorial at:
http://www.schlacter.net/
But it is for Freebsd 4.6-stable. I would need one for the
stable version of Freebsd.
any help greatly
On Wednesday 17 November 2004 17:57, Darryl Hoar wrote:
Does anyone have a pointer to or know of a good
tutorial for setting up a freebsd box as a firewall using
IPFilter ?
In the past, I have used the tutorial at:
http://www.schlacter.net/
But it is for Freebsd 4.6-stable. I would
On Wednesday 17 November 2004 17:57, Darryl Hoar wrote:
Does anyone have a pointer to or know of a good
tutorial for setting up a freebsd box as a firewall using
IPFilter ?
In the past, I have used the tutorial at:
http://www.schlacter.net/
But it is for Freebsd 4.6-stable. I would
darryl,
take a look at /usr/share/examples/ipfilter/, it might be of some help,
good luck
On Wednesday 17 November 2004 17:57, Darryl Hoar wrote:
Does anyone have a pointer to or know of a good
tutorial for setting up a freebsd box as a firewall using
IPFilter ?
In the past, I have used
I'm using ipf as my firewall, and I can't figure out why OWA is being blocked
going to 172.20.0.11. Below is the current config file which works. But if I
removed the fourth line, my users can't access OWA externally. I would have
thought the lines: pass out quick from 172.20.0.0/24 to any
On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith [EMAIL PROTECTED] wrote:
I'm using ipf as my firewall, and I can't figure out why OWA is being blocked
going to 172.20.0.11. Below is the current config file which works. But if
I removed the fourth line, my users can't access OWA externally
On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith [EMAIL PROTECTED] wrote:
I'm using ipf as my firewall, and I can't figure out why OWA is being blocked
going to 172.20.0.11. Below is the current config file which works. But if
I removed the fourth line, my users can't access OWA externally
is there?
Well, there is a possible DoS attack as your system gets hit with a load
of TCP SYN packets which your system will respond with ICMP errors or
SYN-ACK depending on the port. A firewall could drop all incoming
packets not to TCP port 22 or part of an outgoing connection plus block
I've been using one for some time, but now that I have a mini network, it
has become a bit of a hassle updating the rules.
If I disable all services but ssh, stay STABLE, and do not have a broadband
connection, what danger is there?
jm
--
a firewall.
Kent
--
Kent Stewart
Richland, WA
http://users.owt.com/kstewart/index.html
On Sat, Nov 13, 2004, Kent Stewart wrote:
On Saturday 13 November 2004 01:12 pm, Jonathon McKitrick wrote:
I've been using one for some time, but now that I have a mini network, it
has become a bit of a hassle updating the rules.
If I disable all services but ssh, stay STABLE, and do not have
all rules for the firewall with ipfw flush (the still
existing default rule enables all traffic because I compiled this in
my kernel, ipfw -c list told me that this is true.)
Anyway, nothing changes, all ports seem to be closed running nmap,
pings are successful again!
1) What's wrong with my
to be down although I was able
to ping the freebsd-host.
So I flushed all rules for the firewall with ipfw flush (the still
existing default rule enables all traffic because I compiled this in
my kernel, ipfw -c list told me that this is true.)
Anyway, nothing changes, all ports seem to be closed
On Fri, 2004-10-15 at 04:09, Vulpes Velox wrote:
Doesn't Portsentry ignore ports that have a service bound to them
like the SSH daemon? In that case, it wouldn't help Brian's problem,
since ssh is running, portsentry would ignore any attacks to port
22, right?
Move it and the like to a
Doesn't Portsentry ignore ports that have a service bound to them like
the SSH daemon? In that case, it wouldn't help Brian's problem, since
ssh is running, portsentry would ignore any attacks to port 22, right?
Frankly I hadn't thought of that. You can configure portsentry to monitor
any port *and* to ignore certain hosts, so I would think it could monitor
port 22 although I haven't tested it personally.
--On Thursday, October 14, 2004 02:07:24 PM -0500 Peter Pauly
[EMAIL PROTECTED] wrote:
Doesn't
On Thu, 14 Oct 2004 14:07:24 -0500
Peter Pauly [EMAIL PROTECTED] wrote:
Doesn't Portsentry ignore ports that have a service bound to them
like the SSH daemon? In that case, it wouldn't help Brian's problem,
since ssh is running, portsentry would ignore any attacks to port
22, right?
Move it
All,
This morning, I woke up to find one of my systems under hacker attack
(considerable multiple attempts to log in to ftp, ssh, etc., mostly using
system accounts). I loaded ipfw and set up a couple of quick rules to block
the point of origin. Unfortunately, the address appears to be
--On Wednesday, October 13, 2004 10:04:24 AM -0400 Brian J. McGovern
[EMAIL PROTECTED] wrote:
Rather than having to hang over my machine is there any software out
there that will monitor logs (e.g. /var/log/messages), parse out failed
logins like this, and run an ipfw command to block it?
Looking to use a FreeBSD server as a firewall for a modem pool. The theory
is we only want to give them access to HTTP and DNS (which we could do as
proxy on the FreeBSD box).
For accountability reasons, each modem will be assigned a specific IP
address. That way, I'll be able to use Radius
On Sun, 19 Sep 2004 06:45:28 -0700
Rob [EMAIL PROTECTED] wrote:
Seems to work with everything else incl. ftp. What am I doing wrong?
Thanks, Rob.
block in log all
pass out all
pass out on lo all
pass in on lo all
pass out quick on bfe0 proto tcp/udp from any to any port > 1024
For
Seems to work with everything else incl. ftp. What am I doing wrong?
Thanks, Rob.
block in log all
pass out all
pass out on lo all
pass in on lo all
pass out quick on bfe0 proto tcp/udp from any to any port > 1024
pass in quick on bfe0 proto icmp all icmp-type 0
pass in quick on bfe0 proto
I'm finding that configuring firewall/NAT rules on the gateway to my PPP
connection is too much of a headache.
Are there any FreeBSD based firewall distributions, something like
http://thewall.sourceforge.net/, but with some sort of wrapper (web
interface, curses interface, or whatever
[--]
I'm finding that configuring firewall/NAT rules on the gateway to my PPP
connection is too much of a headache.
Are there any FreeBSD based firewall distributions, something like
http://thewall.sourceforge.net/, but with some sort of wrapper (web
interface, curses interface, or whatever
--- Björn Lindström [EMAIL PROTECTED] wrote:
I'm finding that configuring firewall/NAT rules on
the gateway to my PPP
connection is too much of a headache.
Are there any FreeBSD based firewall distributions,
something like
http://thewall.sourceforge.net/, but with some sort
of wrapper
If I use this setting on the DMZ firewall would it affect a web server
running in the DMZ behind the FW ? The web server IP/port would be
redirected into the DMZ by natd, or does this only break SYN+FIN if the
web server is running on the same box ?
As stated in LINT:
# TCP_DROP_SYNFIN adds
Hello There,
I am currently running 5.2.1-Release which is
configured as a gateway with kernel firewall support.
I have installed Squid (Proxy) and Nylon (SOCKS) which
seem to be configured fine. However, I need help in
getting all http/https traffic to only route to the
proxy (Port 3128
Hello,
On Mon, 13 Sep 2004 16:26:15 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
Hello There,
I am currently running 5.2.1-Release which is
configured as a gateway with kernel firewall support.
I have installed Squid (Proxy) and Nylon (SOCKS) which
seem to be configured fine. However, I
On Tue, 14 Sep 2004 10:22:16 +0530, Subhro [EMAIL PROTECTED] wrote:
Hello,
On Mon, 13 Sep 2004 16:26:15 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
Hello There,
I am currently running 5.2.1-Release which is
configured as a gateway with kernel firewall support.
I have installed Squid
On Sat, 11 Sep 2004 22:48:50 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
Hello Gang,
I am a novice at this so please bear with me. I have
successfully configured Squid, Nylon and my firewall,
my question is how do I disable any net traffic that
is not going through the proxy? It would
Thank you, I am using the standard firewall and
firewall script that came with FreeBSD. By default,
everything on the firewall is set to open. I tried
attempting what you suggested (disabling nat) and I
could no longer get out to see the net. I could ping
the FreeBSD box just fine, but nothing beyond
) the required ports from the firewall.
Alternatively, as you say...PROXY, you won't be able to ping outside
and the clients have to explicitly configure their software to use
the proxy running on the BSD Box.
Regards
S.
On Sun, 12 Sep 2004 00:31:41 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
Thank
Hello Gang,
I am a novice at this so please bear with me. I have
successfully configured Squid, Nylon and my firewall,
my question is how do I disable any net traffic that
is not going through the proxy? It would be best for
all LAN traffic (telnet, ftp, chat, socks, etc) to
pass through
Hi,
What are the best firewall - routing and proxy
packages for FreeBSD ?
Have only experience with debian/proxy/masquerading/iptables.
Thanks in advance for the help.
mess-mate
On Wed, 1 Sep 2004 17:08:04 +0200
messmate [EMAIL PROTECTED] spake thus:
Hi,
What are the best firewall - routing and proxy
packages for FreeBSD ?
Have only experience with debian/proxy/masquerading/iptables.
Thanks in advance for the help.
mess-mate
Google is your best pal. Try
Hi,
What are the best firewall - routing and proxy
packages for FreeBSD ?
FW/Routing: IPFW + natd (both have man pages)
Proxy: squid (/usr/ports/www/squid)
IMHO.
Steve
Have only experience with debian/proxy/masquerading/iptables.
Thanks in advance for the help.
mess-mate
are the best firewall - routing and proxy
packages for FreeBSD ?
FW/Routing: IPFW + natd (both have man pages)
Proxy: squid (/usr/ports/www/squid)
IMHO.
Steve
Have only experience with debian/proxy/masquerading/iptables.
Thanks in advance for the help.
mess-mate
it was said:
Hi,
What are the best firewall - routing and proxy packages for FreeBSD ?
Hello,
Firewall: pf (/usr/ports/security/pf)
Routing: routed (man 8 routed)
Proxy: squid (/usr/ports/www/squid)
just my 2% of your preferred currency's base unit,
Stheg
- Original Message -
From: Eric Brunner-Williams in Portland Maine [EMAIL PROTECTED]
To: Steve Bertrand [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; messmate [EMAIL PROTECTED];
freebsd-questions-en [EMAIL PROTECTED]
Sent: Wednesday, September 01, 2004 7:27 AM
Subject: Re: setup firewall
It's been a long time since I've played with Linux in general, last
one was
RH. If Mandrake has ipchains or ipfw, I'd say go with either and still
use
squid. It's popular, easy to configure, works well and has support. It
shouldn't need any routing daemon as long as none of the advanced
+++ Joe Kraft [freebsd] [24-08-04 22:49 +0100]:
|
|
| Chuck Swiger wrote:
| Joe Kraft wrote:
|
| I'm using a 4.10-STABLE based firewall, which is happily chugging
| along. It's sending its daily messages to a local account via
| sendmail, which I check by logging in using an ssh connection
Chuck Swiger wrote:
Joe Kraft wrote:
I'm using a 4.10-STABLE based firewall, which is happily chugging
along. It's sending its daily messages to a local account via
sendmail, which I check by logging in using an ssh connection.
[ ... ]
3) Is there a way to convince sendmail to send
Joe Kraft wrote:
I'm using a 4.10-STABLE based firewall, which is happily chugging along.
It's sending its daily messages to a local account via sendmail, which
I check by logging in using an ssh connection.
[ ... ]
3) Is there a way to convince sendmail to send to something like
[EMAIL
I'm using a 4.10-STABLE based firewall, which is happily chugging along.
It's sending its daily messages to a local account via sendmail,
which I check by logging in using an ssh connection.
I would like to have it send those mails to another mail server behind
the firewall, but I'm curious
Quick question, is there an Application Level firewall available for FreeBSD?
I understand IPFilter is a stateful packet filter, but has it or any other
packages moved to the next level - Application Level Inspection?
Sorry I am all googled out on this one.
Thanks
Paul
Paul Hillen wrote:
Quick question, is there an Application Level firewall available for FreeBSD?
For some definitions of that buzzword, sure.
I understand IPFilter is a stateful packet filter, but has it or any other
packages moved to the next level - Application Level Inspection?
Squid plus
I changed the DNS rules as you suggested, and the firewall works perfectly -
thanks very much.
This has been a great learning experience for me - thanks to all who
responded.
Jim C
-Original Message-
From: JJB [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 31, 2004 1:08 PM
$skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
Because security said the firewall was denying UDP packets, I changed the
rules
is correct.
Verify you have correct interface name coded in ipfw rules for NIC
connected to cable modem and that the same NIC interface name is the
one in rc.conf with DHCP option. When DHCP gets DNS info from ISP
/etc/resolv.conf will be auto-updated with correct info. Read comments
in sample firewall
My LAN is configured with static IP addresses, 192.168.1.x.
I have no problems communicating within the LAN.
I have full connectivity with the internet from every machine on my LAN when
the firewall is open.
When I use the rule set in question, I can ping and send mail but I cannot
access
On 2004-07-31 12:08, James A. Coulter [EMAIL PROTECTED] wrote:
My LAN is configured with static IP addresses, 192.168.1.x.
I have no problems communicating within the LAN.
I have full connectivity with the internet from every machine on my LAN when
the firewall is open.
When I use the rule
113 keep-state in recv dc1 setup
# The default firewall policy.
add deny log logamount 0 ip from any to any
No inline numbers, a simpler layout and a logic that you can hopefully
extend at the second from last paragraph to allow more services
through
your external interface
My LAN is configured with static IP addresses, 192.168.1.x.
I have no problems communicating within the LAN.
I have full connectivity with the internet from every machine on my
LAN when
the firewall is open.
When I use the rule set in question, I can ping and send mail but I
cannot
A.
Coulter
Sent: Saturday, July 31, 2004 1:09 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?
My LAN is configured with static IP addresses, 192.168.1.x.
I have no problems communicating within the LAN.
I have full connectivity
: Saturday, July 31, 2004 2:03 PM
To: James A. Coulter
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?
My LAN is configured with static IP addresses, 192.168.1.x.
I have no problems communicating within the LAN.
I have full connectivity
If you had read the start of the thread you would have read the new
handbook firewall section rewrite which explains in detail why there
are rules to control access to the public internet from LAN users.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf
communicating within the LAN.
I have full connectivity with the internet from every machine on
my LAN when the firewall is open.
When I use the rule set in question, I can ping and send mail but
I cannot access the DNS servers listed in resolv.conf.
There are many ways in which your ruleset
.
This means that the largest number of rules you can add with unique
numbers is 65534. The 65535 rule is the default firewall rule, either
a deny rule or an allow if the kernel was compiled with the option
IPFIREWALL_DEFAULT_TO_ACCEPT enabled.
The autoincrement step is the number
Giorgos
Thank you for your opinion about my rewrite of the handbook firewall
section. It has been turned over to the FreeBSD doc group and they
are sanitizing the English and getting it prepared for update to the
handbook.
To address your opinion that the rule set may be too limiting for a
home
way to defend
against the 'report home action' is to block all outbound ports
except for those explicitly allowed by firewall rules.
Ah, yes. This makes much more sense. I never thought of this because
the computers I have at home run only UNIX variants now.
In such cases, you're right
I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My
outside interface (dc1) is connected to a cable modem and is configured for
DHCP.
I have compiled and installed a custom kernel with IPFIREWALL and IPDIVERT
options and with a rule set allowing any to any with no problems
I
them on each LAN PC
or you have to run isc-dhcp-server on your Gateway box to auto
assign ip address to LAN PCs.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of James A.
Coulter
Sent: Friday, July 30, 2004 10:56 AM
To: [EMAIL PROTECTED]
Subject: Firewall
Want to thank you guys for your help; I setup my first firewall last night.
Granted it is basic, and I have a lot of work to do yet, but it's a start. It
is routing and letting my test machines access the web.
Hopefully the last question (yeah right)
I decided to use IPFILTER and appears
:51, Paul Hillen wrote:
Want to thank you guys for your help; I setup my first firewall last night.
Granted it is basic, and I have a lot of work to do yet, but it's a start. It
is routing and letting my test machines access the web.
Hopefully the last question (yeah right)
I decided to use
to connect 3 more remote sites into the
picture within the next 6 months, so this needs to be scalable to handle the
load..
My question is, what is the best way to set this up. Here are my thoughts,
but not sure what is the best way.
* Setup one FreeBSD box that contains FIREWALL, SQUID
to handle
the
load..
My question is, what is the best way to set this up. Here are my thoughts,
but not sure what is the best way.
* Setup one FreeBSD box that contains FIREWALL, SQUID and OPENVPN or
* Setup 3 separate boxes to break up the work load.
What will the load requirements
;
Site 1 - 25 users
Site 2 - 5 users
Site 3 - 12 users
Our site VPN users are Apprx 25, and about 50% of them are connected at any
given time.
My first thought is to put up a Firewall box that can handle the load of publishing
many internal boxes and publish a box with OpenVPN and another for SQUID
and just