[was Re: IPFILTER rule error]
Yes, that's it! Thanks! I've somehow managed to miss your message, Giorgos, and flooded a bit :-)

Regards,
Muxas

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFILTER rule error
Hi!

Thanks for your attention!

> First of all you really need to read the ipfilter section of the FreeBSD handbook...
> [EMAIL PROTECTED]

I've read the handbook. Good starting point! :-) Given that I just _TEST_ an ipf config ported from 5.4 to 6.0 on a local LAN, I do not violate the theoretical background of firewalling. Grouping is used to differentiate inbound/outbound traffic; probably I will use it to differentiate interfaces.

> I don't know if you posted the whole ruleset or if you cut out what seemed irrelevant to keep the post short...
> Erik Norgaard

Yes, I did not show you the whole story about ipf.rules, only the skeleton and the problematic lines. The reason for that is that ipfilter works with the basic ipf.rules, and ipfstat confirms that. But no logs as expected (eventually I've found where the log info went: it appeared in /var/log/messages, and not in /var/log/security as configured!). By the way, I prefer to use syslogd because it allows for log rotation, which is good! :-)

The "No such process" problem appeared when I added this line to ipf.rules:

    pass out quick on rl0 \
        proto udp from any to any port = sunrpc keep state group 20

It doesn't matter whether the port parameter is expressed as a name or a number. I have other lines written both ways and all of them work! Again, the error is presented only when I insert the above line in ipf.rules. This is an outbound rule; I've had the inbound rule in the basic setup (you can see it in my previous post) and it ran just fine!

OK, in the attachment there is the whole story about ipf.rules as it is. As I've found from the handbook, this way of firewalling is called inclusive %-).

Regards,
Muxas

P.S. I apologize for my message timing; it's the second question I'll ask after ipf :-)

--- ipf.rules (attached) ---

# External interface - ppp0
#
# Block-and-log everything that is not allowed explicitly
#block in log on ppp0 all head 10
#block out log on ppp0 all head 15

# Allow DNS requests
#pass out quick on ppp0 \
#    proto tcp/udp from any to any port = domain keep state group 15

# Allow outbound HTTP packets
#pass out quick on ppp0 \
#    proto tcp from any to any port = 80 keep state keep frags group 15

# Allow outbound FTP packets
#pass out quick on ppp0 \
#    proto tcp from any to any port = 21 keep state group 15

# Allow inbound FTP-data packets
#pass in quick on ppp0 \
#    proto tcp/udp from any port = 20 to any port 1024 keep state group 10

# Allow outbound Jabber connections
#pass out quick on ppp0 \
#    proto tcp from any to any port = 5222 keep state group 15

# Allow POP3 outgoing connections
#pass out quick on ppp0 \
#    proto tcp/udp from any to any port = 110 keep state group 15

# Allow SMTP outgoing connections
#pass out quick on ppp0 \
#    proto tcp/udp from any to any port = 25 keep state group 15

# Allow outgoing CVS connections
#pass out quick on ppp0 \
#    proto tcp/udp from any to any port = 5999 keep state group 15

# Internal interface #1 - rl0 (10.0.1.0/29)
#
# Block-and-log everything that is not allowed explicitly
block in log on rl0 all head 20
block out log on rl0 all head 25

#pass in on rl0 from 10.0.1.1/29 to any group 20
#pass out on rl0 from any to 10.0.1.1/29 group 25

# Allow ping
pass in quick on rl0 \
    proto icmp all keep state group 20
pass out quick on rl0 \
    proto icmp all keep state group 25

# Allow DNS requests
pass in quick on rl0 \
    proto tcp/udp from any to any port = domain keep state group 20

# Allow DHCP requests
pass in quick on rl0 \
    proto tcp/udp from any port = 68 to any port = 67 group 20

# Allow HTTP requests from local network
pass in quick on rl0 \
    proto tcp from any to any port = 80 keep state keep frags group 20

# Allow FTP requests from local network
pass in quick on rl0 proto tcp from any to any port = 21 keep state group 20

# Allow inbound FTP-data packets
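The observation above (ipmon output turning up in /var/log/messages instead of the /var/log/security file that `security.*` points at) comes down to the syslog facility: ipmon started with `-Ds` logs through syslogd under the `local0` facility by default (changeable with `ipmon -L facility`), not under `security`, so the stock catch-all selector for /var/log/messages picks the lines up. The fragment below is an added example, not the poster's file; it assumes ipmon's default facility and the default FreeBSD catch-all line for /var/log/messages, and shows the thread's selector beside one that actually routes the firewall log where it was intended.

```conf
# /etc/syslog.conf fragment (added example, not the poster's configuration).
# Assumes ipmon runs with -Ds and its default syslog facility, local0.

# Selector from the thread: ipmon never logs under the 'security' facility,
# so nothing from the firewall reaches this file.
security.*                                                                /var/log/security

# Corrected: send ipmon's facility to the dedicated file, and keep it out of
# the catch-all (local0.none) so each event is written only once.
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local0.none /var/log/messages
local0.*                                                                  /var/log/security
```

After editing, signal syslogd to re-read the file (`/etc/rc.d/syslogd reload`) and generate one blocked packet to confirm the line lands in /var/log/security; log rotation via newsyslog keeps working because the file is still written by syslogd, which was the poster's reason for preferring it over `ipmon -D file`.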
Re: IPFILTER rule error
Maxim Vetrov wrote:

> # Internal interface #1 - rl0 (10.0.1.0/29)
> #
> # Block-and-log everything that is not allowed explicitly
> block in log on rl0 all head 20
> block out log on rl0 all head 25
>
> # Allow Sun RPC incoming calls
> pass in quick on rl0 \
>     proto tcp/udp from any to any port = sunrpc keep state group 20
> pass in quick on rl0 \
>     proto tcp/udp from any to any port = 717 keep state group 20
>
> # the next line raises the error when uncommented
> #pass out quick on rl0 \
> #    proto udp from any to any port = 111 keep state group 20

I think someone else already pointed at this: you try to add a rule for outbound traffic to the inbound group in the offending line. Try correcting it to group 25.

Cheers, Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
Re: IPFILTER rule error
On 2006-02-15 16:23, Erik Norgaard [EMAIL PROTECTED] wrote:
> Maxim Vetrov wrote:
>> # Internal interface #1 - rl0 (10.0.1.0/29)
>> #
>> # Block-and-log everything that is not allowed explicitly
>> block in log on rl0 all head 20
>> block out log on rl0 all head 25
>>
>> # Allow Sun RPC incoming calls
>> pass in quick on rl0 \
>>     proto tcp/udp from any to any port = sunrpc keep state group 20
>> pass in quick on rl0 \
>>     proto tcp/udp from any to any port = 717 keep state group 20
>>
>> # the next line raises the error when uncommented
>> #pass out quick on rl0 \
>> #    proto udp from any to any port = 111 keep state group 20
>
> I think someone else already pointed at this: you try to add a rule for outbound traffic to the inbound group in the offending line. Try correcting it to group 25.

That's true. I did post the relevant message:

    Date: Tue, 14 Feb 2006 17:13:33 +0200
    From: Giorgos Keramidas [EMAIL PROTECTED]
    Subject: Re: IPFILTER rule error
    To: Maxim Vetrov [EMAIL PROTECTED]
    Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]

    [...]
    Note that you have only set up a group numbered '25' for outgoing
    traffic, but then attempt to add a rule to an outgoing group of '20'.
    This is the cause of the error you're seeing. This ruleset should work
    fine:

    # block in log on rl0 all head 20
    # block out log on rl0 all head 25
    #
    # pass in quick on rl0 \
    #     proto tcp/udp from any to any port = sunrpc keep state group 20
    # pass in quick on rl0 \
    #     proto tcp/udp from any to any port = 717 keep state group 20
    # pass out quick on rl0 \
    #     proto udp from any to any port = 111 keep state group 25
    [...]
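The mistake Giorgos and Erik point at (an `out` rule attached to a group whose `head` exists only for `in` traffic) is the kind of thing ipf only reports once the rule reaches the kernel, as `ioctl (add/insert rule): No such process` (ESRCH): ipf keeps groups per direction, and a `head N` must precede any rule that says `group N`. The checker below is an added example, not code from anyone in this thread or from the IPFilter project. It parses only the rule subset seen above (one rule per logical line, `\` continuations, `#` comments, `head N`, `group N`) and flags every `group` reference with no earlier `head` in the same direction, so the error surfaces before `ipf -f` is run. The two embedded rulesets are constructed from the ones quoted in the thread.

```python
"""Static check of an ipfilter ruleset for dangling `group N` references.

Added example for this thread (not any poster's or IPFilter's own code).
Assumes the rule subset seen in the thread: one rule per logical line,
backslash continuations, '#' comments, `head N` creating a group and
`group N` attaching a rule to it. ipf keeps groups per direction, so an
`out` rule can only join a group created by an `out` head, and the head
must appear first; both mistakes make ipf fail with ESRCH.
"""
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass
class Rule:
    lineno: int           # first physical line of the rule in the file
    action: str           # "pass" or "block"
    direction: str        # "in" or "out"
    head: Optional[int]   # group this rule creates, if any
    group: Optional[int]  # group this rule belongs to, if any


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_lineno, rule_text): drop '#' comments and join
    backslash-continued lines the way ipf(8) reads ipf.rules."""
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line and not buf:
            continue            # blank or comment-only line
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue            # rule continues on the next line
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:                     # file ended inside a continuation
        yield start, " ".join(buf)


def parse_rules(text: str) -> List[Rule]:
    """Extract action, direction, head and group from each logical rule."""
    rules = []
    for lineno, rule in logical_lines(text):
        tokens = rule.split()
        if (len(tokens) < 2 or tokens[0] not in ("pass", "block")
                or tokens[1] not in ("in", "out")):
            raise ValueError(f"line {lineno}: unsupported rule {rule!r}")
        head = group = None
        for i, tok in enumerate(tokens[:-1]):
            if tok == "head":
                head = int(tokens[i + 1])
            elif tok == "group":
                group = int(tokens[i + 1])
        rules.append(Rule(lineno, tokens[0], tokens[1], head, group))
    return rules


def check_groups(text: str) -> List[Tuple[int, str]]:
    """Return (lineno, message) for every rule whose `group N` has no
    earlier `head N` in the same direction. An empty list means clean."""
    problems = []
    defined = set()   # (direction, group number) of heads seen so far
    for r in parse_rules(text):
        if r.group is not None and (r.direction, r.group) not in defined:
            other = "out" if r.direction == "in" else "in"
            hint = (f" (group {r.group} exists only for '{other}' rules)"
                    if (other, r.group) in defined else "")
            problems.append((r.lineno,
                             f"{r.direction} rule references undefined group {r.group}{hint}"))
        if r.head is not None:
            defined.add((r.direction, r.head))
    return problems


# Constructed sample: the ruleset quoted in the thread, with the offending
# `group 20` on the `pass out` rule, and the corrected version using `group 25`.
BROKEN_RULES = """\
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 \\
    proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \\
    proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \\
    proto udp from any to any port = 111 keep state group 20
"""
FIXED_RULES = BROKEN_RULES.replace("port = 111 keep state group 20",
                                   "port = 111 keep state group 25")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_RULES
    for lineno, msg in check_groups(text):
        print(f"{lineno}: {msg}")
```

Run it against a rules file before loading (`python check_groups.py /etc/ipf.rules`); on the thread's ruleset it reports line 7, the `pass out ... group 20` rule, and stays silent on the corrected one. ipf's own `-n` flag is no substitute here: it parses the file without issuing the ioctls, and the missing-group check is done by the kernel when the rule is inserted.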
Re: IPFILTER rule error
Hi,

Sorry, I really do not want you to guess! Here is what you asked:

kernel conf:
---
...
options         IPFILTER
options         IPFILTER_LOG
#options        IPFILTER_DEFAULT_BLOCK
#options        IPSTEALTH
...
---

rc.conf:
---
...
ifconfig_rl0="inet 10.0.1.1 netmask 255.255.255.248"
...
ipnat_enable=YES
ipfilter_enable=YES
ipmon_enable=YES
...
---

services:
---
...
sunrpc          111/tcp    rpcbind        #SUN Remote Procedure Call
sunrpc          111/udp    rpcbind        #SUN Remote Procedure Call
...
---

ipf.rules:
---
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 \
    proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \
    proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \
    proto udp from any to any port = 111 keep state group 20
---

Steps to load the rules:

    ipf -Fa
    ipf -f /etc/ipf.rules
    1:ioctl (add/insert rule): No such process

And there is one more problem: despite having packet logging enabled by default (-Ds) through syslogd, the log is empty!

syslog.conf:
...
security.*      /var/log/security
...

That file exists and has root rw permissions.

If this helps: after I moved to 6.0 from 5.4 (backup-format-install-restore), this config stopped working. I know that I'm doing something wrong, but what exactly?

Regards,
Muxas
Re: IPFILTER rule error
Maxim Vetrov wrote:
> Hi,
>
> kernel conf:
> ---
> ...
> options         IPFILTER
> options         IPFILTER_LOG
> #options        IPFILTER_DEFAULT_BLOCK
> #options        IPSTEALTH
> ...
> ---

The rc scripts should load these modules if they are not compiled into the kernel; in that case they would show up with kldstat. Try using kldstat and sysctl -a to see what's in your kernel, and grep for ipf.

> services:
> ---
> ...
> sunrpc          111/tcp    rpcbind        #SUN Remote Procedure Call
> sunrpc          111/udp    rpcbind        #SUN Remote Procedure Call
> ...
> ---
>
> ipf.rules:
> ---
> block in log on rl0 all head 20
> block out log on rl0 all head 25
> pass in quick on rl0 \
>     proto tcp/udp from any to any port = sunrpc keep state group 20
> pass in quick on rl0 \
>     proto tcp/udp from any to any port = 717 keep state group 20
> pass out quick on rl0 \
>     proto udp from any to any port = 111 keep state group 20
> ---
>
> Steps to load the rules:
>
>     ipf -Fa
>     ipf -f /etc/ipf.rules
>     1:ioctl (add/insert rule): No such process

1st: IIRC, the number in the error line indicates the line the error occurred in - not sure though. That would be your first rule. I don't know if you posted the whole ruleset or if you cut out what seemed irrelevant to keep the post short.

2nd: Reading the ipf-howto I see no examples where port names are used; try using the port number to eliminate that possibility.

> And there is one more problem: despite having packet logging enabled by default (-Ds) through syslogd, the log is empty!
>
> syslog.conf:
> ...
> security.*      /var/log/security
> ...
>
> That file exists and has root rw permissions.

If you want to log to a separate file, why not let ipmon do that directly?

    # ipmon -D /var/log/security

Secondly, the empty log may not be that surprising in the first place if your ruleset is not loaded correctly.

Cheers, Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
RE: IPFILTER rule error
First of all you really need to read the ipfilter section of the FreeBSD handbook. The correct solution is exampled in the handbook. You do not need to compile ipfilter into the kernel for it to work. From your rules I see no need for that head/group stuff, so remove it.

I see rl0 being assigned a private IP address, which means that NIC is facing your LAN, which is behind your gateway box. That IP address range is not routable on the public internet. You have something messed up big time. Your firewall rules are supposed to be on the NIC facing the public internet. You NAT the public IP address to your private LAN IP address.

The reason you have no log records is because your firewall rules have a syntax error and are never loaded. Only rules with the log keyword will generate log records. Only use rules with the quick option. Do not mix quick and non-quick rules. You need pass in rules for your ISP's DNS and DHCP servers to access your box.

Explain in detail your network layout. Do you have a LAN? How are you connected to the public internet?

Again I strongly recommend you read the ipfilter section of the handbook; your answers are there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Maxim Vetrov
Sent: Tuesday, February 14, 2006 7:57 PM
To: freebsd-questions@FreeBSD.org
Subject: Re: IPFILTER rule error

> Hi,
>
> Sorry, I really do not want you to guess! Here is what you asked:
>
> kernel conf:
> ---
> ...
> options         IPFILTER
> options         IPFILTER_LOG
> #options        IPFILTER_DEFAULT_BLOCK
> #options        IPSTEALTH
> ...
> ---
>
> rc.conf:
> ---
> ...
> ifconfig_rl0="inet 10.0.1.1 netmask 255.255.255.248"
> ...
> ipnat_enable=YES
> ipfilter_enable=YES
> ipmon_enable=YES
> ...
> ---
>
> services:
> ---
> ...
> sunrpc          111/tcp    rpcbind        #SUN Remote Procedure Call
> sunrpc          111/udp    rpcbind        #SUN Remote Procedure Call
> ...
> ---
>
> ipf.rules:
> ---
> block in log on rl0 all head 20
> block out log on rl0 all head 25
> pass in quick on rl0 \
>     proto tcp/udp from any to any port = sunrpc keep state group 20
> pass in quick on rl0 \
>     proto tcp/udp from any to any port = 717 keep state group 20
> pass out quick on rl0 \
>     proto udp from any to any port = 111 keep state group 20
> ---
>
> Steps to load the rules:
>
>     ipf -Fa
>     ipf -f /etc/ipf.rules
>     1:ioctl (add/insert rule): No such process
>
> And there is one more problem: despite having packet logging enabled by default (-Ds) through syslogd, the log is empty!
>
> syslog.conf:
> ...
> security.*      /var/log/security
> ...
>
> That file exists and has root rw permissions.
>
> If this helps: after I moved to 6.0 from 5.4 (backup-format-install-restore), this config stopped working. I know that I'm doing something wrong, but what exactly?
>
> Regards,
> Muxas
IPFILTER rule error
Hi,

I'm running FreeBSD 6.0, IPFilter 4.1.8(416). Setting this line for RPC outbound calls:

    pass out quick on rl0 \
        proto udp from any to any port = sunrpc keep state group 20

gives me this error:

    ioctl (add/insert rule): No such process

What is the process I'm missing?

Regards,
muxas
Re: IPFILTER rule error
On 2006-02-14 10:09, Maxim Vetrov [EMAIL PROTECTED] wrote:
> Hi,
>
> I'm running FreeBSD 6.0, IPFilter 4.1.8(416). Setting this line for RPC outbound calls:
>
>     pass out quick on rl0 \
>         proto udp from any to any port = sunrpc keep state group 20
>
> gives me this error:
>
>     ioctl (add/insert rule): No such process
>
> What is the process I'm missing?

Don't copy/paste just one line. Show us the exact options you used in your `/etc/rc.conf' file, and be *very* specific about the steps you took to enable that rule. Otherwise, we can only guess what's wrong. You don't want us to guess wrong, do you?

- Giorgos
Re: IPFILTER rule error
Maxim Vetrov wrote:
> Hi,
>
> I'm running FreeBSD 6.0, IPFilter 4.1.8(416). Setting this line for RPC outbound calls:
>
>     pass out quick on rl0 \
>         proto udp from any to any port = sunrpc keep state group 20
>
> gives me this error:
>
>     ioctl (add/insert rule): No such process
>
> What is the process I'm missing?

Do you have that group? Or maybe sunrpc is not in /etc/services; better try writing the port number. It will help to show the whole ruleset.

Cheers, Erik
Re: IPFILTER rule error
> Hi,
>
> I'm running FreeBSD 6.0, IPFilter 4.1.8(416). Setting this line for RPC outbound calls:
>
>     pass out quick on rl0 \
>         proto udp from any to any port = sunrpc keep state group 20
>
> gives me this error:
>
>     ioctl (add/insert rule): No such process
>
> What is the process I'm missing?
>
> Regards,
> muxas

Hello,

By default FreeBSD doesn't have any firewalls compiled into the kernel or loaded as kernel mods, so you need to add ipfilter_enable=YES to rc.conf and type in kldload ipl so you don't have to reboot the machine. Also make sure you add simple rules to allow all, or you'll lock yourself out, as it defaults to deny all. Hope this helps a bit.