Re: ipfirewall tricks
On second look, PF has some definite improvements over IPFilter. My rule set file is half as long, for one thing. I like the macros and tables.

I'm still reading through the documentation, but I have not figured out why the log doesn't seem to be working yet. I have all the required entries in rc.conf:

    pf_enable=YES                   # Enable PF (load module if required)
    pf_rules=/etc/pf.conf           # rules definition file for pf
    pf_flags=                       # additional flags for pfctl startup
    pflog_enable=YES                # start pflogd(8)
    pflog_logfile=/var/log/pflog    # where pflogd should store the logfile
    pflog_flags=                    # additional flags for pflogd startup

The handbook at http://www.openbsd.org/faq/pf/ seems to indicate I need a device named pflog0, which I do not have. Also, pflogd does not start on boot even though it is listed in rc.conf. Perhaps the start-up script did not get installed into the correct location. My installation was from the 6.0 release ISO, so I would naturally assume it is correct.

Thanks for the reminder of this program. I think I will like it better than the others for my purposes and administrative skill level.

On 5/2/06, Atom Powers [EMAIL PROTECTED] wrote:
> On 5/2/06, Bryan Curl [EMAIL PROTECTED] wrote:
> > I want to limit the time my kids spend on the internet. The way I am
> > doing it is to make varying, separate ipf.rules files and install them
> > from cron at the appropriate time. Problem is, if I make a change to
> > one file, I generally have to update all the others accordingly.
> >
> > Is there a better way? I have read man ipf but didn't come out with
> > any ideas.
>
> I would use pf and have something like this:
>
> pf.conf:
>     block out all from <kids> to any
>
> crontab:
>     pfctl -t kids -T add kids.ip.to.block
>     pfctl -t kids -T del kids.ip.to.allow
>
> You can also keep the IPs in a flat file and just tell pf to re-read the
> file (or read a different file) to update the table.
>
> I love pf.
>
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--

--
Bryan
bc3910 'at' gmail 'dot' com

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfirewall tricks
Unlike pf, pflog does not have a loadable module. You have to build it into the kernel.

On 5/5/06, Bryan Curl [EMAIL PROTECTED] wrote:
> On second look, PF has some definite improvements over IPFilter. My rule
> set file is half as long, for one thing. I like the macros and tables.
>
> I'm still reading through the documentation, but I have not figured out
> why the log doesn't seem to be working yet. I have all the required
> entries in rc.conf:
>
>     pf_enable=YES                   # Enable PF (load module if required)
>     pf_rules=/etc/pf.conf           # rules definition file for pf
>     pf_flags=                       # additional flags for pfctl startup
>     pflog_enable=YES                # start pflogd(8)
>     pflog_logfile=/var/log/pflog    # where pflogd should store the logfile
>     pflog_flags=                    # additional flags for pflogd startup
>
> The handbook at http://www.openbsd.org/faq/pf/ seems to indicate I need a
> device named pflog0, which I do not have. Also, pflogd does not start on
> boot even though it is listed in rc.conf. Perhaps the start-up script did
> not get installed into the correct location. My installation was from the
> 6.0 release ISO, so I would naturally assume it is correct.
>
> Thanks for the reminder of this program. I think I will like it better
> than the others for my purposes and administrative skill level.
>
> On 5/2/06, Atom Powers [EMAIL PROTECTED] wrote:
> > On 5/2/06, Bryan Curl [EMAIL PROTECTED] wrote:
> > > I want to limit the time my kids spend on the internet. The way I am
> > > doing it is to make varying, separate ipf.rules files and install
> > > them from cron at the appropriate time. Problem is, if I make a
> > > change to one file, I generally have to update all the others
> > > accordingly.
> > >
> > > Is there a better way? I have read man ipf but didn't come out with
> > > any ideas.
> >
> > I would use pf and have something like this:
> >
> > pf.conf:
> >     block out all from <kids> to any
> >
> > crontab:
> >     pfctl -t kids -T add kids.ip.to.block
> >     pfctl -t kids -T del kids.ip.to.allow
> >
> > You can also keep the IPs in a flat file and just tell pf to re-read
> > the file (or read a different file) to update the table.
> >
> > I love pf.
> >
> > --
> > Perfection is just a word I use occasionally with mustard.
> > --Atom Powers--
>
> --
> Bryan
> bc3910 'at' gmail 'dot' com

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
Re: ipfirewall tricks
On 2006-05-02 20:41, Atom Powers [EMAIL PROTECTED] wrote:
> On 5/2/06, Bryan Curl [EMAIL PROTECTED] wrote:
> > I want to limit the time my kids spend on the internet. The way I am
> > doing it is to make varying, separate ipf.rules files and install them
> > from cron at the appropriate time. Problem is, if I make a change to
> > one file, I generally have to update all the others accordingly.
> >
> > Is there a better way? I have read man ipf but didn't come out with
> > any ideas.
>
> I would use pf and have something like this:
>
> pf.conf:
>     block out all from <kids> to any
>
> crontab:
>     pfctl -t kids -T add kids.ip.to.block
>     pfctl -t kids -T del kids.ip.to.allow
>
> You can also keep the IPs in a flat file and just tell pf to re-read the
> file (or read a different file) to update the table.

Ah, neat trick. This is exactly why tables are so cool :)
RE: ipfirewall tricks
man ipa-conf is your friend .. mind you, it is a large chunk..

Here is the home page for IPA ... http://ipa-system.sourceforge.net/

It is capable ... and large ... Also, ipastat could be used to feed a web page, maybe?

HTH

Murray Taylor
Special Projects Engineer
Bytecraft Systems
P: +61 3 8710 2555
F: +61 3 8710 2599
D: +61 3 9238 4275
E: [EMAIL PROTECTED]
--
Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction.
Albert Einstein
--

-----Original Message-----
From: Shawn Guillemette [mailto:[EMAIL PROTECTED]
Sent: Thursday, 4 May 2006 1:49 AM
To: Murray Taylor
Subject: RE: ipfirewall tricks

I am researching a way to do this as well. I went to the ipa port location and did the make install and cleaned up the mess. The install completed without an issue and now I'm a little stumped as to how to configure it.

I am also looking for an application that will monitor the traffic and plot data to a web interface for the wife to have a look at. Similar to ntop.

I'm currently running 4.11 on an alpha platform.

Thanks for your thoughts,
Shawn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murray Taylor
Sent: Tuesday, May 02, 2006 8:34 PM
To: Bryan Curl; freebsd-questions
Subject: RE: ipfirewall tricks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryan Curl
Sent: Wednesday, 3 May 2006 9:35 AM
To: freebsd-questions
Subject: ipfirewall tricks

I want to limit the time my kids spend on the internet. The way I am doing it is to make varying, separate ipf.rules files and install them from cron at the appropriate time. Problem is, if I make a change to one file, I generally have to update all the others accordingly.

Is there a better way? I have read man ipf but didn't come out with any ideas.

--
Bryan
bc3910 'at' gmail 'dot' com

try ipa from ports...

it is an 'accounting' package that monitors the firewall, and can activate/deactivate rules based on usage, time-of-day etc (if I remember correctly)

Murray Taylor
Special Projects Engineer
Bytecraft Systems
P: +61 3 8710 2555
F: +61 3 8710 2599
D: +61 3 9238 4275
E: [EMAIL PROTECTED]
--
Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction.
Albert Einstein
--

---
The information transmitted in this e-mail is for the exclusive use of the intended addressee and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of it, or the taking of any action in reliance upon this information by persons and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately and delete the material.

E-mails may not be secure, may contain computer viruses and may be corrupted in transmission. Please carefully check this e-mail (and any attachment) accordingly. No warranties are given and no liability is accepted for any loss or damage caused by such matters.
---
***This Email has been scanned for Viruses by MailMarshal.***
Re: ipfirewall tricks
On 2006-05-02 17:35, Bryan Curl [EMAIL PROTECTED] wrote:
> I want to limit the time my kids spend on the internet. The way I am
> doing it is to make varying, separate ipf.rules files and install them
> from cron at the appropriate time.

Sounds like a good plan.

> Problem is, if I make a change to one file, I generally have to update
> all the others accordingly.

Which files? You can use symlinks to your advantage. For example, if you have two sets of rules, named `ipf.conf.allow' and `ipf.conf.block', you can set your `/etc/rc.conf' to reference `/etc/ipf.conf' and then use a cron job or two to symlink to one of the two :-)

    00 08 * * *   /root/scripts/ipf-allow.sh
    00 20 * * *   /root/scripts/ipf-block.sh

The scripts could be something as simple as:

| #!/bin/sh
| #
| # ipf-allow.sh - Reload IP Filter from /etc/ipf.conf.allow
| #
|
| # If anything goes wrong, fall back to a slightly paranoid ruleset
| # that disallows almost *ALL* network access, letting only ICMP, DNS
| # and SSH through.
| paranoid_rules() {
|     { echo 'pass in quick on lo0 all' ;
|       echo 'pass out quick on lo0 all' ;
|       echo 'pass in quick proto icmp all' ;
|       echo 'pass out quick proto icmp all' ;
|       echo 'pass out quick proto udp from any to any port = 53 keep state' ;
|       echo 'pass out quick proto tcp from any to any port = 53 keep state' ;
|       echo 'pass in quick proto tcp from any to any port = 22 keep state' ;
|       echo 'pass out quick proto tcp from any to any port = 22 keep state' ;
|       echo 'block in all' ;
|       echo 'block out all' ;
|     } | ipf -Fa -f -
| }
|
| ipf_allow_rules='/etc/ipf.conf.allow'
| ipf_rules='/etc/ipf.conf'
|
| if test ! -f "${ipf_allow_rules}" ; then
|     echo >&2 "${ipf_allow_rules}: ruleset missing, blocking (almost) all network access."
|     paranoid_rules
|     exit 1
| fi
|
| # Point the rc.conf ruleset path at the allow set, then load it.
| /bin/rm -f "${ipf_rules}" && \
|     ln -s "${ipf_allow_rules}" "${ipf_rules}" && \
|     ipf -Fa -f "${ipf_allow_rules}"
|
| if test $? -ne 0 ; then
|     echo >&2 "${ipf_allow_rules}: ruleset failed to load, blocking (almost) all network access."
|     paranoid_rules
|     exit 1
| fi

A similar script for ipf_deny_rules, and you're set.

You can even join the two scripts in one and pass the ruleset file to load in the cronjob:

    00 08 * * *   /root/scripts/ipf-load.sh /etc/ipf.conf.allow
    00 20 * * *   /root/scripts/ipf-load.sh /etc/ipf.conf.block

and then write your script as:

| #!/bin/sh
| #
| # ipf-load.sh - Reload IP Filter from $1
| #
|
| # If anything goes wrong, fall back to a slightly paranoid ruleset
| # that disallows almost *ALL* network access, letting only ICMP, DNS
| # and SSH through.
| paranoid_rules() {
|     { echo 'pass in quick on lo0 all' ;
|       echo 'pass out quick on lo0 all' ;
|       echo 'pass in quick proto icmp all' ;
|       echo 'pass out quick proto icmp all' ;
|       echo 'pass out quick proto udp from any to any port = 53 keep state' ;
|       echo 'pass out quick proto tcp from any to any port = 53 keep state' ;
|       echo 'pass in quick proto tcp from any to any port = 22 keep state' ;
|       echo 'pass out quick proto tcp from any to any port = 22 keep state' ;
|       echo 'block in all' ;
|       echo 'block out all' ;
|     } | ipf -Fa -f -
| }
|
| if test $# -ne 1 ; then
|     echo >&2 "usage: ipf-load.sh ruleset-path"
|     paranoid_rules
|     exit 1
| fi
|
| ipf_load_rules=$1
| ipf_rules='/etc/ipf.rules'
|
| if test ! -f "${ipf_load_rules}" ; then
|     echo >&2 "${ipf_load_rules}: ruleset missing, blocking (almost) all network access."
|     paranoid_rules
|     exit 1
| fi
|
| # Point the rc.conf ruleset path at the requested set, then load it.
| /bin/rm -f "${ipf_rules}" && \
|     ln -s "${ipf_load_rules}" "${ipf_rules}" && \
|     ipf -Fa -f "${ipf_load_rules}"
|
| if test $? -ne 0 ; then
|     echo >&2 "${ipf_load_rules}: ruleset failed to load, blocking (almost) all network access."
|     paranoid_rules
|     exit 1
| fi

> Is there a better way? I have read man ipf but didn't come out with
> any ideas.

Well, the 'best' way is the one you like the most, I guess :)
RE: ipfirewall tricks
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryan Curl
Sent: Wednesday, 3 May 2006 9:35 AM
To: freebsd-questions
Subject: ipfirewall tricks

I want to limit the time my kids spend on the internet. The way I am doing it is to make varying, separate ipf.rules files and install them from cron at the appropriate time. Problem is, if I make a change to one file, I generally have to update all the others accordingly.

Is there a better way? I have read man ipf but didn't come out with any ideas.

--
Bryan
bc3910 'at' gmail 'dot' com

try ipa from ports...

it is an 'accounting' package that monitors the firewall, and can activate/deactivate rules based on usage, time-of-day etc (if I remember correctly)

Murray Taylor
Special Projects Engineer
Bytecraft Systems
P: +61 3 8710 2555
F: +61 3 8710 2599
D: +61 3 9238 4275
E: [EMAIL PROTECTED]
--
Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction.
Albert Einstein
--
Re: ipfirewall tricks
in message [EMAIL PROTECTED], wrote Bryan Curl thusly...
> ... separate ipf.rules files and

And ipfirewall was listed in the subject.

Please mind that ipfirewall refers to ipfw(8); ipfilter, ipf(8)
                   ^^^^^^^^                      ^^^^^^
refers to, well, ipf.

- Parv

--
Re: ipfirewall tricks
Sorry, I believe I meant ipfilter.

On 5/2/06, Parv [EMAIL PROTECTED] wrote:
> in message [EMAIL PROTECTED], wrote Bryan Curl thusly...
> > ... separate ipf.rules files and
>
> And ipfirewall was listed in the subject.
>
> Please mind that ipfirewall refers to ipfw(8); ipfilter, ipf(8)
>                    ^^^^^^^^                      ^^^^^^
> refers to, well, ipf.
>
> - Parv
>
> --

--
Bryan
bc3910 'at' gmail 'dot' com
Re: ipfirewall tricks
On 5/2/06, Bryan Curl [EMAIL PROTECTED] wrote:
> I want to limit the time my kids spend on the internet. The way I am
> doing it is to make varying, separate ipf.rules files and install them
> from cron at the appropriate time. Problem is, if I make a change to
> one file, I generally have to update all the others accordingly.
>
> Is there a better way? I have read man ipf but didn't come out with
> any ideas.

I would use pf and have something like this:

pf.conf:
    block out all from <kids> to any

crontab:
    pfctl -t kids -T add kids.ip.to.block
    pfctl -t kids -T del kids.ip.to.allow

You can also keep the IPs in a flat file and just tell pf to re-read the file (or read a different file) to update the table.

I love pf.

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
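The flat-file variant of the table approach above, as an added example that is not from the thread or from any of its posters: one script that cron calls with "block" or "allow", loading the kids' addresses from a file into the table or emptying it. The script name, the /etc/pf.kids path, the pf.conf lines in the header comment and the PFCTL/KIDS_FILE overrides are all assumptions; the address file is checked first, because one malformed line makes pfctl reject the whole file and the table then stays as it was.

```shell
#!/bin/sh
# pf-kids.sh - switch the <kids> pf table between "block" and "allow".
# Added example, not from the thread. Assumes /etc/pf.conf contains:
#     table <kids> persist
#     block out quick from <kids> to any
# and a crontab like:
#     00 20 * * *   /root/scripts/pf-kids.sh block
#     00 08 * * *   /root/scripts/pf-kids.sh allow
# PFCTL and KIDS_FILE can be overridden so the functions can be exercised
# without a live pf (both names and /etc/pf.kids are assumptions).
PFCTL="${PFCTL:-/sbin/pfctl}"
KIDS_FILE="${KIDS_FILE:-/etc/pf.kids}"

# Succeed only if the file exists, holds at least one entry, and every
# non-blank, non-comment line is a dotted-quad IPv4 address or /prefix.
valid_addr_file() {
    [ -f "$1" ] || return 1
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    addr="^[[:space:]]*($octet\\.){3}$octet(/([0-9]|[12][0-9]|3[0-2]))?[[:space:]]*$"
    # at least one real entry, otherwise "block" would block nobody
    grep -Evq '^[[:space:]]*(#|$)' "$1" || return 1
    # no real entry that fails the address pattern
    if grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Evq "$addr"; then
        return 1
    fi
    return 0
}

# block: replace the table contents with the address file; allow: empty it.
kids_set() {
    case "$1" in
    block)
        if ! valid_addr_file "$KIDS_FILE"; then
            echo >&2 "$KIDS_FILE: missing, empty or malformed address list; table left unchanged"
            return 1
        fi
        "$PFCTL" -t kids -T replace -f "$KIDS_FILE"
        ;;
    allow)
        "$PFCTL" -t kids -T flush
        ;;
    *)
        echo >&2 "usage: pf-kids.sh block|allow"
        return 2
        ;;
    esac
}

# Act when invoked with an argument (cron); sourcing it with no
# arguments only defines the functions.
if [ $# -gt 0 ]; then
    kids_set "$1"
fi
```

Because the table is referenced from a single rule, switching between the two states never touches the rule set itself, so there is only one pf.conf to maintain.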