implementing ipv6 into my ipfw ruleset...

2012-06-05 Thread Jason Usher
I have a fairly simple ipfw ruleset, which looks like:


100 allow tcp from any to any established
110 allow icmp from any to any icmptypes 0,3,8,11
120 deny icmp from any to any
130 allow ip from any to any via lo0

200 allow udp from me to any 53
210 allow udp from any 53 to me
220 allow udp from any to me 33433-33499
230 allow tcp from any to 82.197.184.219 22,80,443 setup

65000 deny log ip from any to me
65001 deny log ip from any to me6


What I am wondering is, am I blocking all ipv6 traffic by not explicitly 
allowing ipv6 in (for the established rule 100, icmp rule 110, and the entire 
block of 200-230) ?

Or, since that is all tcp/udp/icmp, it doesn't matter, and I am properly 
allowing in ipv6 traffic, but ONLY for the tcp/udp ports I specify, and then 
blocking the rest ?

Basically:  how is my ruleset treating ipv6 traffic (other than the fact that, 
at the end of the set, I deny all ipv6 that has gotten to that point)

thank you.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
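The same ruleset carried over to dual stack, as an added example that is not part of the original post. It keeps the poster's rule numbers and the host address from the post; the fwcmd helper (which prints the rules unless IPFW_DRY_RUN=0), the SRV6 variable and the 2001:db8::1 placeholder address are assumptions, not something the post contains.

```shell
#!/bin/sh
# Dual-stack version of the ruleset above (added example, not from the thread).
# fwcmd is an assumed helper: it prints each rule unless IPFW_DRY_RUN=0, so the
# set can be reviewed offline; run as root with IPFW_DRY_RUN=0 to load it.
fwcmd() { if [ "${IPFW_DRY_RUN:-1}" = 1 ]; then echo "ipfw $*"; else /sbin/ipfw -q "$@"; fi; }

srv4=82.197.184.219            # the host address used in the post
srv6=${SRV6:-2001:db8::1}      # placeholder: the host's global IPv6 address (2001:db8::/32 is the documentation prefix)

load_rules() {
    fwcmd -f flush

    # "tcp" is not family-specific, so one established rule covers IPv4 and IPv6.
    fwcmd add 100 allow tcp from any to any established

    # "icmp" is protocol 1 (IPv4 only). ICMPv6 is protocol 58, spelled ipv6-icmp,
    # and has its own type list:
    #   1-4     unreachable, packet too big, time exceeded, parameter problem
    #   128/129 echo request/reply
    #   135/136 neighbour solicitation/advertisement; without these the host cannot
    #           resolve link-layer addresses and IPv6 stops working entirely
    fwcmd add 110 allow icmp from any to any icmptypes 0,3,8,11
    fwcmd add 111 allow ipv6-icmp from any to any icmp6types 1,2,3,4,128,129,135,136
    fwcmd add 120 deny icmp from any to any
    fwcmd add 121 deny ipv6-icmp from any to any

    fwcmd add 130 allow ip from any to any via lo0

    # DNS and traceroute: me6 is spelled out so the IPv6 side does not depend on
    # how "me" treats IPv6 addresses on a given release.
    fwcmd add 200 allow udp from me to any 53
    fwcmd add 201 allow udp from me6 to any 53
    fwcmd add 210 allow udp from any 53 to me
    fwcmd add 211 allow udp from any 53 to me6
    fwcmd add 220 allow udp from any to me 33433-33499
    fwcmd add 221 allow udp from any to me6 33433-33499

    # Published services, one rule per address family.
    fwcmd add 230 allow tcp from any to "$srv4" 22,80,443 setup
    fwcmd add 231 allow tcp from any to "$srv6" 22,80,443 setup

    fwcmd add 65000 deny log ip from any to me
    fwcmd add 65001 deny log ip from any to me6
}

load_rules
```

The tcp and udp rules need no second copy because the protocol keyword is not tied to an address family, but icmp is protocol 1 and only ever matches IPv4: in the ruleset as posted, inbound ICMPv6, neighbour discovery included, reaches rule 65001. Load with IPFW_DRY_RUN=0 as root and check the result with ipfw list.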


Please check my IPFW ruleset

2007-11-01 Thread deeptech71

[resending, doesn't seem to have gotten through]

I'm making some ipfw rules, and I would appreciate if someone could 
check these for me.


My intention is to create a replacement for a hardware router, which 
basically works by allowing all outbound traffic, blocking all 
unauthorized/unrequested inbound traffic, and has a setting (the so 
called DMZ) to redirect all the unauthorized/unrequested packets to a 
local computer. Plus I want to add something like remote telnet/ssh 
capabilities to override the DMZ.


| ipfw.rules |
#!/bin/sh

dns=195.228.240.249,195.228.242.180
lan=192.168.123.0/24
ext=tun0
int=rl0

# quoted: without the quotes sh treats "ipfw=ipfw -q" as running "-q" with
# ipfw set in its environment, and every later $add, $allow, ... is empty
ipfw="ipfw -q"
add="$ipfw add"
allow="$add allow"
block="$add deny"
nat="$add divert natd"
check="$add check-state"
pipe="$add pipe"

fa="from any"
ta="to any"
fata="$fa $ta"
reserved=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3



$ipfw -f flush

$allow all $fata via lo0
$allow all $fata via $int

# INBOUND #

$block all $fa to $reserved in via $ext # ISP fuckup?

$nat all $fata in via $ext
$check

$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved $ta in via $ext

# :: DEFINE SOME INBOUND SERVICES HERE ::
#$allow tcp $fa to me 80 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 22 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 23 in via $ext setup limit src-addr 4

$block all $fata in via $ext

# OUTBOUND #

# :: DEFINE SOME RESTRICTIONS HERE ? ::

$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext

$block all $fata

| eof ipfw.rules |

OK, questions...

# ISP fuckup? - does it make sense to defend against my ISP hacking me?

What does divert natd actually do? Does it only change the IP header?

Can I move the three lines
$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved in via $ext
to ahead of
$nat all $fata in via $ext ?

I'm curious about this one:
$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext
For an outbound packet, rules should be keep-state, divert, allow, in 
this order, as far as I know. What about these lines?


Uhm, ed0 is my network card doing PPPoE. How do I allow it to do PPPoE 
traffic only?


Did I miss anything?


Some other IPFW questions:
deny ip == deny all?
Why do I have to write from any to any all the time, when it just 
means independently of source and destination? Why can't I write just 
drop all?



Thank you very very much in advance :)



Re: IPFW Ruleset Help

2004-06-02 Thread Ruben de Groot
On Tue, Jun 01, 2004 at 09:57:12PM +, Lee Harr typed:
> > Hello. Running FreeBSD 4.10. After I reboot with my
> > new ipfw.rules I can't load any webpages. I didn't try
> > by IP address cause I can't remember any off top at
> > the moment.
> 
> Is the firewall logging working?
> 
> You need lines in your syslog.conf like ...
> 
> !ipfw
> *.* /var/log/ipfw.log

Why not just use the default line already in syslog.conf ?

security.*  /var/log/security

Ruben



Re: IPFW Ruleset Help

2004-06-02 Thread Giorgos Keramidas
On 2004-06-01 00:38, bryan cassidy [EMAIL PROTECTED] wrote:
> Hello. Running FreeBSD 4.10. After I reboot with my new ipfw.rules I
> can't load any webpages. I didn't try by IP address cause I can't
> remember any off top at the moment. Here is my following setup

Looking at the mangled rules, that your mailer has awfully mutilated,
I can't see any rule for allowing port 80 connections.

No web surfing for you then :P

But let's see what you're getting out of your firewall ruleset.

[-- Cleaned up ruleset --]

> add 00300 deny log tcp from any to any 515 in recv xl0
> add 00301 deny tcp from any to any 7101 in recv xl0
> add 00302 deny log tcp from any to any 6000 in recv xl0
> add 00303 allow log tcp from any to any 113 in recv xl0 setup
> # --- DNS
> add 00310 allow tcp from 205.152.133.254 to any in recv xl0
> add 00311 allow tcp from 205.152.132.235 to any in recv xl0
> add 00320 allow udp from 205.152.133.254 53 to any in recv xl0
> add 00321 allow udp from 205.152.132.235 53 to any in recv xl0
> # --- deny below port 1000
> add 00399 deny log tcp from any to any 0-1000 in recv xl0 setup

This should probably be 1024, if you want to protect all the
privileged port numbers.

> # --- ntpdate
> add 00403 allow udp from any 123 to any 123 in recv xl0
> # --- deny UDP connections
> add 00499 deny log udp from any to any in recv xl0

Why?  Let the default firewall rule (block all from any to any) catch
these too.  Special deny rules aren't really necessary here, unless you
really want to pessimize everything and all other protocols (by forcing
them to be checked against yet another rule that they won't match with)
just to get faster UDP connection drops of lots of stuff that you don't
need anyway (you've already taken care of DNS, which is about the only
thing that UDP is useful for these days for me).

> # --- Log netbus ( haha )
> add 00500 deny log tcp from any to any 12345 in recv xl0
> add 00501 deny log tcp from any to any 20034 in recv xl0
> # --- Let my ISP ping me!
> add 00600 allow icmp from 205.152.133.254 to any in recv xl0
> add 00601 allow icmp from 205.152.132.235 to any in recv xl0
> # --- Log ICMP echos and dest
> add 00610 allow log icmp from any to any in recv xl0 icmptypes 3
> add 00610 allow log icmp from any to any in recv xl0 icmptypes 8

Note, BTW, that you are mixing allow and deny rules in the same
firewall.  It's a good idea to pick one of the following styles of
filtering and stick with it:

open firewall
-------------

This allows everything except what is explicitly denied.
The general look of the ruleset is something like this:

block this
block that
block another

allow all the rest

closed firewall
---------------

This blocks everything, except what is explicitly allowed.
It looks like this:

allow this
allow that
allow another

block all the rest

A short sample firewall of this style, one that I used to have on my
dialup workstation at home when I still used ipfw can be seen here:

http://students.ceid.upatras.gr/~keramida/ipfw/dialup.ipfw

> First. Things I will be running. I will be running Apache+PHP later on
> when I get my box more secure

The question you should ask yourself when you're writing those rulesets
is... Do you want these to be visible to the world?

> but for now I will be running Postfox for my MTA,

It's Postfix, thanks :)

> I want to be able to send and receive e-mails and any other *basic*
> things everyone would want on an everyday basis ya know?

Just make sure you don't block any outgoing connection.  That should
take care of most protocols.  Only FTP and DCC sends on IRC will need
special care to work on your closed sort of firewall, but that's for
another post to discuss if you're still interested.

- Giorgos



IPFW Ruleset Help

2004-06-01 Thread bryan cassidy
Hello. Running FreeBSD 4.10. After I reboot with my
new ipfw.rules I can't load any webpages. I didn't try
by IP address cause I can't remember any off top at
the moment. Here is my following setup

In my kernel I have

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPSTEALTH

In my rc.conf I have

firewall_enable=YES
firewall_script=/etc/rc.firewall
firewall_type=OPEN
firewall_quiet=NO
firewall_logging_enable=YES

icmp_drop_redirect=YES
log_in_vain=YES
tcp_drop_sysfin=YES
tcp_restrict_rst=YES

In my /etc/ipfw.rules I have

add 00300 deny log tcp from any to any 515 in recv xl0
add 00301 deny tcp from any to any 7101 in recv xl0
add 00302 deny log tcp from any to any 6000 in recv xl0
add 00303 allow log tcp from any to any 113 in recv xl0 setup

# DNS

add 00310 allow tcp from 205.152.133.254 to any in recv xl0
add 00311 allow tcp from 205.152.132.235 to any in recv xl0

add 00320 allow udp from 205.152.133.254 53 to any in recv xl0
add 00321 allow udp from 205.152.132.235 53 to any in recv xl0

# Deny Below port 1000

add 00399 deny log tcp from any to any 0-1000 in recv xl0 setup

# Ntpdate

add 00403 allow udp from any 123 to any 123 in recv xl0

# Deny UDP connections

add 00499 deny log udp from any to any in recv xl0

# Log netbus ( haha )

add 00500 deny log tcp from any to any 12345 in recv xl0
add 00501 deny log tcp from any to any 20034 in recv xl0

# Let my ISP ping me!

add 00600 allow icmp from 205.152.133.254 to any in recv xl0
add 00601 allow icmp from 205.152.132.235 to any in recv xl0

# Log ICMP echos and dest

add 00610 allow log icmp from any to any in recv xl0 icmptypes 3
add 00610 allow log icmp from any to any in recv xl0 icmptypes 8


First. Things I will be running. I will be running
Apache+PHP later on when I get my box more secure but
for now I will be running Postfox for my MTA, I want
to be able to send and receive e-mails and any other
*basic* things everyone would want on an everyday basis
ya know? If I left out anything that would be helpful
please let me know and I will post it to the list.

Thanks in advance.






Re: IPFW Ruleset Help

2004-06-01 Thread Lee Harr
> Hello. Running FreeBSD 4.10. After I reboot with my
> new ipfw.rules I can't load any webpages. I didn't try
> by IP address cause I can't remember any off top at
> the moment.

Is the firewall logging working?
You need lines in your syslog.conf like ...
!ipfw
*.* /var/log/ipfw.log

Then you can tail -f /var/log/ipfw.log
and try to access the web page. You should see packets being
blocked and figure out which rules are wrong / which rules you
need to add.

> add 00310 allow tcp from 205.152.133.254 to any in recv xl0
> add 00311 allow tcp from 205.152.132.235 to any in recv xl0
> add 00320 allow udp from 205.152.133.254 53 to any in recv xl0
> add 00321 allow udp from 205.152.132.235 53 to any in recv xl0

You let the DNS responses in, but I do not see any place
where you let your requests out.


ipfw ruleset traversal question

2004-02-29 Thread Shaun T. Erickson
I'm trying to port my linux netfilter/iptables firewall to 5.2.1-RELEASE.

Iptables has the concept of chains. There are three defined by the 
system: INPUT, FORWARD & OUTPUT. Packets coming into the system that are 
destined for a local process traverse the INPUT chain only, packets 
generated by the system, and leaving it, traverse the OUTPUT chain only, 
and packets that are simply passing through the system traverse the 
FORWARD chain only. One nice benefit of this, is that inbound packets 
don't have to traverse rules for outbound packets and vice-versa. This 
allows efficient grouping of rules and reduces the performance hit of 
packets having to be checked by all rules.

How can I set up my ipfw ruleset so that I can achieve that same benefit?

TIA

	-ste



Re: ipfw ruleset traversal question

2004-02-29 Thread Shaun T. Erickson
Shaun T. Erickson wrote:

> Iptables has the concept of chains.

Please forgive me for following up my own post. I know it's bad form ...

In addition to the system defined chains, iptables lets me create user 
defined chains, that I can jump to based on criteria I set, so as to 
further refine my rules such that packets only traverse the rules they must.

So, I'm trying to figure out how to simulate everything I've said about 
chains, in ipfw ...

	-ste



Re: ipfw ruleset traversal question

2004-02-29 Thread Alex de Kruijff
On Sun, Feb 29, 2004 at 05:58:53PM -0500, Shaun T. Erickson wrote:
> I'm trying to port my linux netfilter/iptables firewall to 5.2.1-RELEASE.
> 
> Iptables has the concept of chains. There are three defined by the 
> system: INPUT, FORWARD & OUTPUT. Packets coming into the system that are 
> destined for a local process traverse the INPUT chain only, packets 
> generated by the system, and leaving it, traverse the OUTPUT chain only, 
> and packets that are simply passing through the system traverse the 
> FORWARD chain only. One nice benefit of this, is that inbound packets 
> don't have to traverse rules for outbound packets and vice-versa. This 
> allows efficient grouping of rules and reduces the performance hit of 
> packets having to be checked by all rules.
> 
> How can I set up my ipfw ruleset so that I can achieve that same benefit?

IPFW has one list of rules (with the option to select in/out) that results in
the behaviour you describe. I have an example on my home page where I
select incoming and outgoing packets. Forward is an action just like
skipto, reject, allow and deny are. See man ipfw for more info.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
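One way to get the INPUT/OUTPUT/FORWARD separation Shaun asks for with the skipto action Alex mentions, as an added example that is neither from this thread nor from Alex's site. Packets are classified once near the top and jump into a numbered block per "chain"; the fwcmd helper (prints the rules unless IPFW_DRY_RUN=0), the interface names and the LAN prefix are assumptions.

```shell
#!/bin/sh
# INPUT/OUTPUT/FORWARD "chains" built from ipfw skipto blocks (added example;
# not from the thread or from Alex's site). fwcmd is an assumed helper that
# prints each rule unless IPFW_DRY_RUN=0; interface names and the LAN are
# placeholders.
fwcmd() { if [ "${IPFW_DRY_RUN:-1}" = 1 ]; then echo "ipfw $*"; else /sbin/ipfw -q "$@"; fi; }

ext=${EXT_IF:-fxp0}
int=${INT_IF:-xl0}
lan=${LAN_NET:-192.168.1.0/24}

load_rules() {
    fwcmd -f flush
    fwcmd add 100 allow ip from any to any via lo0
    fwcmd add 150 check-state         # replies to flows a keep-state rule below admitted

    # Dispatch: ipfw has a single rule list, so classify each packet once and
    # jump. skipto only jumps forward, so every "chain" is an ascending block
    # that ends in its own deny; nothing falls through into the next chain.
    fwcmd add 200 skipto 1000 ip from any to me in     # INPUT: addressed to this host
    fwcmd add 210 skipto 2000 ip from me to any out    # OUTPUT: generated by this host
    fwcmd add 220 skipto 3000 ip from any to any       # FORWARD: everything in transit

    # INPUT chain (1000-1999): published services only.
    fwcmd add 1000 allow tcp from any to me 22,80,443 setup keep-state in recv "$ext"
    fwcmd add 1010 allow udp from "$lan" to me 53 keep-state in recv "$int"
    fwcmd add 1999 deny log ip from any to any

    # OUTPUT chain (2000-2999): anything this host originates, with state for replies.
    fwcmd add 2000 allow ip from me to any keep-state out
    fwcmd add 2999 deny log ip from any to any

    # FORWARD chain (3000-3999): a transiting packet is evaluated twice, inbound
    # on one interface and outbound on the other. keep-state on the inbound pass
    # creates the entry; rule 150 then admits the outbound pass and the replies.
    fwcmd add 3000 allow ip from "$lan" to any keep-state in recv "$int"
    fwcmd add 3999 deny log ip from any to any
}

load_rules
```

The performance benefit is the one Shaun describes: a packet addressed to the host never touches the FORWARD rules, and a transit packet never touches INPUT or OUTPUT. The check-state rule sits above the dispatch so that replies to already-admitted flows are matched once, by their dynamic entry, instead of being re-classified.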


Ipfw ruleset check

2004-02-19 Thread Derrick Ryalls
I have a 4.9 router that I decided I want to have a meaningful firewall
with, so I have modified a copy of rc.firewall and would like someone to
point out if I am doing something monumentally stupid.

I want to allow all from within my network, but only let in a few from
the internet:

DNS
Email/imap-ssl(pop3-ssl in future)
Ssh
WWW

And whatever natd redirects I have (remote desktop mainly).  I
definitely want to protect mysqld and only allow it from localhost or
inside network.

Here is what I have come up with so far (kernel built with default to
deny):

setup_loopback

# set these to your network and netmask and ip
net=192.168.1.0
mask=255.255.255.0
ip=192.168.1.1

# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${ip} to ${net}:${mask}
${fwcmd} add pass all from ${net}:${mask} to ${ip}

# Allow all out the world
${fwcmd} add pass all from ${ip} to any keep-state

# Allow DNS queries out or in the world
${fwcmd} add pass all from any to any 53 keep-state

# Allow email out or in the world
${fwcmd} add pass all from any to any 25 keep-state

# Allow imap-ssl out or in the world
${fwcmd} add pass all from any to any 993 keep-state

# Allow ssh out or in the world
${fwcmd} add pass all from any to any 22 keep-state

# Allow www out or in the world
${fwcmd} add pass all from any to any 80 keep-state

# Allow MSTSC in the world
${fwcmd} add pass all from any to any 5001 keep-state


Any glaring mistakes on my part?

TIA

-Derrick



IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Eric F Crist
Hello all,

I've got the following ruleset, but I can't ssh into my server anymore.  What 
did I miss?

grog# ipfw show
00100   0 0 allow ip from any to any via lo0
00200   0 0 deny ip from any to 127.0.0.0/8
00300   0 0 deny ip from 127.0.0.0/8 to any
00400   7  1562 allow ip from 1.2.3.4/29 to me
00500   0 0 allow ip from any 22 to me
00600   0 0 allow ip from any 21 to me
00700   0 0 allow ip from any 25 to me
00800   0 0 allow ip from any 80 to me
00900   0 0 allow ip from any 443 to me
01000   0 0 allow ip from any 110 to me
01100   0 0 allow ip from any 53 to me
01200   0 0 allow ip from any 6667 to me
01300   0 0 allow ip from any 6668 to me
01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
65535 101 13960 deny ip from any to any

Thanks.

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Erik Trulsson
On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
> Hello all,
> 
> I've got the following ruleset, but I can't ssh into my server anymore.  What 
> did I miss?

You missed allowing IP packets going from your server to the outside.
You only allow packets from the outside to you.

I also think you might have misplaced the port numbers.
As it is you allow connections *from* port 25 (etc.) on the outside to
any port on your machine. I believe you want it the other way around
(i.e. allowing connections *to* port 25 on your machine from anywhere on
the outside.)

 
> grog# ipfw show
> 00100   0 0 allow ip from any to any via lo0
> 00200   0 0 deny ip from any to 127.0.0.0/8
> 00300   0 0 deny ip from 127.0.0.0/8 to any
> 00400   7  1562 allow ip from 1.2.3.4/29 to me
> 00500   0 0 allow ip from any 22 to me
> 00600   0 0 allow ip from any 21 to me
> 00700   0 0 allow ip from any 25 to me
> 00800   0 0 allow ip from any 80 to me
> 00900   0 0 allow ip from any 443 to me
> 01000   0 0 allow ip from any 110 to me
> 01100   0 0 allow ip from any 53 to me
> 01200   0 0 allow ip from any 6667 to me
> 01300   0 0 allow ip from any 6668 to me
> 01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
> 65535 101 13960 deny ip from any to any
> 
> Thanks.
> 
> -- 
> Eric F Crist
> AdTech Integrated Systems, Inc
> (612) 998-3588



-- 
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]


Re: IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 12:58 pm, Erik Trulsson wrote:
> On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
> > Hello all,
> >
> > I've got the following ruleset, but I can't ssh into my server anymore. 
> > What did I miss?
>
> You missed allowing IP packets going from your server to the outside.
> You only allow packets from the outside to you.
>
> I also think you might have misplaced the port numbers.
> As it is you allow connections *from* port 25 (etc.) on the outside to
> any port on your machine. I believe you want it the other way around
> (i.e. allowing connections *to* port 25 on your machine from anywhere on
> the outside.)
>
> > grog# ipfw show
> > 00100   0 0 allow ip from any to any via lo0
> > 00200   0 0 deny ip from any to 127.0.0.0/8
> > 00300   0 0 deny ip from 127.0.0.0/8 to any
> > 00400   7  1562 allow ip from 1.2.3.4/29 to me
> > 00500   0 0 allow ip from any 22 to me
> > 00600   0 0 allow ip from any 21 to me
> > 00700   0 0 allow ip from any 25 to me
> > 00800   0 0 allow ip from any 80 to me
> > 00900   0 0 allow ip from any 443 to me
> > 01000   0 0 allow ip from any 110 to me
> > 01100   0 0 allow ip from any 53 to me
> > 01200   0 0 allow ip from any 6667 to me
> > 01300   0 0 allow ip from any 6668 to me
> > 01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
> > 65535 101 13960 deny ip from any to any
> >
> > Thanks.
> >
> > --
> > Eric F Crist
> > AdTech Integrated Systems, Inc
> > (612) 998-3588

Hey, thanks!  I changed all the rules so they read:

allow ip from any to me port

and added the rule:

allow ip from me to any at rule 50

All seems to work now!  Does anyone have any suggestions on how to make this 
system even tighter?  Thanks.
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Matthew Seaman
On Sat, Feb 14, 2004 at 01:15:07PM -0600, Eric F Crist wrote:

> Hey, thanks!  I changed all the rules so they read:
> 
> allow ip from any to me port
> 
> and added the rule:
> 
> allow ip from me to any at rule 50
> 
> All seems to work now!  Does anyone have any suggestions on how to make this 
> system even tighter?  Thanks.

Yes.  Use the stateful rules feature.  Instead of opening up outgoing
packets to everywhere, the keep-state rules dynamically open up a
point to point connection that remains open while traffic is flowing
between the two systems, and times out after traffic stops or the
connection is closed.

A very minimal partial ruleset to allow incoming SSH, HTTP, HTTPS,
SMTP and outgoing DNS lookups would look like:

00100 check-state
00200 deny log tcp from any to any established
00300 allow tcp from any to me 22,25,80,443 keep-state in recv fxp0
00400 allow udp from me to any 53 out xmit fxp0
00500 deny log ip from any to any

[The 'in recv fxp0' and 'out xmit fxp0' stuff is optional: all it does
is filter packets according to what interface they are traversing and
in what direction.  Remember to substitute the correct device name for
your network interface.]

Although at first sight, this would appear to block all tcp traffic
except for the first 'SYN' packet, and not permit any incoming UDP
traffic at all, the 'keep-state' flag in rules 00300 and 00400
generates dynamic rules that permit packets to flow in response to the
packet that triggered them.  Those rules are effectively inserted into
the ruleset at the 'check-state' line (or at the first occurring
'limit' or 'keep-state' line).  Use 'ipfw -d list' to show all active
dynamic rules.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: ipfw ruleset question

2003-08-02 Thread Andrzej Kwiatkowski
> Sounds like your spam-blocking rules include some packet-accepting
> rules.  What does the ruleset look like?

100 divert natd all from any to any via ext_if

rules from 150 to 500 are blocking rules for my firewall

rules from 1000 and up are for  my clients.

My natd runs as 1:1 nat.

what I need is:

rules from 100 to 499 for blocking spam

500 divert natd all from any to any via ext_if

and the rest is not important...

I would like not all packets sending to nat,
it some kind of disabling spam, and so on..

Have got any idea ?

Thanks in advance
Andrzej Kwiatkowski


Re: ipfw ruleset question

2003-07-31 Thread Lowell Gilbert
Andrzej Kwiatkowski [EMAIL PROTECTED] writes:

> I've got a bit strange problem..
> 
> My FreeBSD works as NAT with natd.
> 
> When rule
> 
> divert 8668 ip from any to any via fxp0
> 
> is first everything is ok, but when I try to move this rule after some
> blocking spammer rules, my NAT won't work properly.
> 
> Incoming traffic is well NATed, but outgoing looks like not NATed.
> 
> sysctl net.inet.ip.fw.one_pass is set to 1.
> I tried setting it to 0 but nothing changed.
> 
> Have any idea??

Sounds like your spam-blocking rules include some packet-accepting
rules.  What does the ruleset look like?


ipfw ruleset question

2003-07-29 Thread Andrzej Kwiatkowski

Hello.

I've got a bit strange problem..

My FreeBSD works as NAT with natd.

When rule

divert 8668 ip from any to any via fxp0

is first everything is ok, but when I try to move this rule after some
blocking spammer rules, my NAT won't work properly.

Incoming traffic is well NATed, but outgoing looks like not NATed.

sysctl net.inet.ip.fw.one_pass is set to 1.
I tried setting it to 0 but nothing changed.

Have any idea??

thanks in advance
Andrzej Kwiatkowski
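A gateway layout that addresses the divert/natd ordering questions raised both in the "Please check my IPFW ruleset" post above (what divert natd does, whether deny rules may sit ahead of it, the keep-state/divert/allow order) and in this thread (NAT breaking once blocking rules are moved ahead of the divert, which Lowell attributes to an accepting rule among them). This is an added example, not the ruleset of either poster; the fwcmd helper (prints the rules unless IPFW_DRY_RUN=0), the interface names, the LAN prefix and the bogon list are assumptions.

```shell
#!/bin/sh
# NAT gateway layout for the divert/natd ordering questions in the "Please check
# my IPFW ruleset" post above and in this thread (added example; not from either
# poster). fwcmd is an assumed helper that prints each rule unless IPFW_DRY_RUN=0;
# interface names, LAN and bogon list are placeholders.
fwcmd() { if [ "${IPFW_DRY_RUN:-1}" = 1 ]; then echo "ipfw $*"; else /sbin/ipfw -q "$@"; fi; }

ext=${EXT_IF:-tun0}
int=${INT_IF:-rl0}
lan=${LAN_NET:-192.168.123.0/24}
bogons=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,169.254.0.0/16

load_rules() {
    fwcmd -f flush
    fwcmd add 100 allow ip from any to any via lo0
    fwcmd add 110 allow ip from any to any via "$int"   # LAN side trusted, as in the posts

    # Inbound: translate first. natd rewrites the destination and reinjects the
    # packet at the rule after the divert, so everything below sees private addresses.
    fwcmd add 200 divert natd ip from any to any in via "$ext"
    fwcmd add 210 check-state                            # replies to flows recorded at 500-530

    # Deny-only filters. A deny on either side of a divert is harmless; an allow
    # placed ahead of the outbound divert (800) would let packets leave
    # untranslated, which is the symptom described in this thread.
    fwcmd add 300 deny ip from "$bogons" to any in via "$ext"
    fwcmd add 310 deny ip from any to any frag in via "$ext"           # non-first fragments
    fwcmd add 320 deny tcp from any to any established in via "$ext"   # TCP no state entry knows

    # Service published on the gateway itself; limit records state like keep-state.
    fwcmd add 400 allow tcp from any to me 22 setup limit src-addr 4 in via "$ext"
    fwcmd add 499 deny log ip from any to any in via "$ext"

    # Outbound: record state while the source is still the private address (so
    # the un-NATed replies match at 210), then jump to the divert. The dynamic
    # entry keeps the skipto action, so replies admitted at 210 also land at 800.
    fwcmd add 500 skipto 800 tcp from "$lan" to any setup keep-state out via "$ext"
    fwcmd add 510 skipto 800 udp from "$lan" to any keep-state out via "$ext"
    fwcmd add 530 allow ip from me to any keep-state out via "$ext"    # the gateway's own traffic
    fwcmd add 599 deny log ip from any to any out via "$ext"

    fwcmd add 800 divert natd ip from any to any out via "$ext"
    fwcmd add 801 allow ip from any to any     # reached via 500/510, their state entries, or reinjection from 800
    fwcmd add 65000 deny log ip from any to any
}

load_rules
```

The two divert rules are the only places where the packet leaves the firewall: natd changes addresses and ports in the IP and transport headers and hands the packet back at the next rule, so a rule that terminates the search before the outbound divert (any allow) produces exactly "incoming NATed, outgoing not". Rule 801 deliberately carries no direction, because the state entries created by 500 and 510 send inbound replies to 800 as well.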


restrictive ipfw ruleset and ftp

2003-06-17 Thread Andrew Thomson
any suggestions would be great.

i have a restrictive ipfw ruleset that works great.. it only allows
incoming connections that i allow and outgoing connections allow. i have
a list of ports that i let my users go out on: 80, 22, 143, 443 etc
etc..

All the stuff they might need to do.

how can i handle passive ftp though?

i can let 21 out, but when the remote ftp server says use this x high
port.. i block that because it's not in my list. so what can i do to get
around this..

not totally familiar with it, but is this what fw_punch is for within
nat??

thanks,

ajt.




Re: restrictive ipfw ruleset and ftp

2003-06-17 Thread bsd
Andrew Thomson writes: 

> any suggestions would be great. 
> 
> i have a restrictive ipfw ruleset that works great.. it only allows
> incoming connections that i allow and outgoing connections allow. i have
> a list of ports that i let my users go out on: 80, 22, 143, 443 etc
> etc.. 
> 
> All the stuff they might need to do. 
> 
> how can i handle passive ftp though? 
> 
> i can let 21 out, but when the remote ftp server says use this x high
> port.. i block that because it's not in my list. so what can i do to get
> around this. 
> 
> not totally familiar with it, but is this what fw_punch is for within
> nat?? 

Personally, I have a pair of rules something similar to the following: 

ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup in via ${iif}
ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup out via ${oif}

This is quite wide, but ensures that only outbound connections on the high 
port numbers are permitted, both on the source and the destination ends of 
the connection. 

Perhaps some real experts will give you a more definitive answer... 

Patrick.
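A stateful version of the high-port pair Patrick describes, as an added example that is not his ruleset and not from the thread: it shows why passive FTP needs nothing beyond outbound rules, and which rule it is that stays absent for active mode. The fwcmd helper (prints the rules unless IPFW_DRY_RUN=0), the interface names and the LAN prefix are assumptions.

```shell
#!/bin/sh
# Outbound-only rules that make passive FTP work on a closed ruleset (added
# example; not Patrick's rules, which it extends with keep-state). fwcmd is an
# assumed helper that prints each rule unless IPFW_DRY_RUN=0; interface names
# and the LAN are placeholders.
fwcmd() { if [ "${IPFW_DRY_RUN:-1}" = 1 ]; then echo "ipfw $*"; else /sbin/ipfw -q "$@"; fi; }

ext=${EXT_IF:-fxp0}
int=${INT_IF:-xl0}
lan=${LAN_NET:-192.168.1.0/24}

load_rules() {
    fwcmd -f flush
    fwcmd add 100 allow ip from any to any via lo0
    fwcmd add 110 allow ip from any to any via "$int"   # LAN side trusted
    fwcmd add 200 check-state                            # replies to flows admitted below

    # The usual outbound services, one state entry per connection.
    fwcmd add 300 allow tcp from "$lan" to any 22,80,143,443 setup keep-state out via "$ext"

    # FTP control channel: client -> server:21.
    fwcmd add 310 allow tcp from "$lan" to any 21 setup keep-state out via "$ext"

    # Passive data channel: the server answers PASV with a port >= 1024 and the
    # client connects to it, so it is just another outbound setup from the LAN.
    # This is wide (any high port on any host); narrow "any" to known FTP
    # servers where you can. No rule admits server:20 -> client, so active
    # mode stays blocked, which is the policy recommended later in this thread.
    fwcmd add 320 allow tcp from "$lan" 1024-65535 to any 1024-65535 setup keep-state out via "$ext"

    # Everything else, including every inbound connection attempt, is logged and dropped.
    fwcmd add 65000 deny log ip from any to any
}

load_rules
```

With keep-state on each setup rule the return half of every connection is admitted by the check-state entry rather than by a standing "established" allow, so rule 320 opens outbound high-port connections only, never inbound ones. Active mode would need an inbound rule for the server's data port, which is precisely what a closed ruleset refuses to carry.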


Re: restrictive ipfw ruleset and ftp

2003-06-17 Thread Jaime
On Tue, 17 Jun 2003, Andrew Thomson wrote:
> how can i handle passive ftp though?
> 
> i can let 21 out, but when the remote ftp server says use this x high
> port.. i block that because it's not in my list. so what can i do to get
> around this..

IIRC, FTP sends its replies on TCP port 20.  I can't recall if
that is port 20 on the remote or local host, though.  A little
experimentation and you'll probably figure it out.  (hint:  netstat -nf
inet)

Good luck,
Jaime


Re: restrictive ipfw ruleset and ftp

2003-06-17 Thread bsd
Jaime writes: 

> IIRC, FTP sends its replies on TCP port 20.  I can't recall if
> that is port 20 on the remote or local host, though.  A little
> experimentation and you'll probably figure it out.  (hint:  netstat -nf
> inet)

That's true of non-passive mode connections (FTP server port 20 to FTP 
Client port 1024-65535), but I suspect the original poster is trying to 
permit passive mode connections. 

PS: does anyone know what the correct terminology for FTP's non-passive 
mode is?  I sometimes refer to active mode when talking FTP (because that 
term somehow got stuck in my head once upon a time), but I usually get some 
very curious/confused looks when I talk about active FTP...  :) 

Patrick.


Re: restrictive ipfw ruleset and ftp

2003-06-17 Thread Bill Moran
Andrew Thomson wrote:
> any suggestions would be great.
>
> i have a restrictive ipfw ruleset that works great.. it only allows
> incoming connections that i allow and outgoing connections allow. i have
> a list of ports that i let my users go out on: 80, 22, 143, 443 etc
> etc..
> All the stuff they might need to do.
>
> how can i handle passive ftp though?
>
> i can let 21 out, but when the remote ftp server says use this x high
> port.. i block that because it's not in my list. so what can i do to get
> around this..
> not totally familiar with it, but is this what fw_punch is for within
> nat??

That's what it's designed for.  I've never used it so I can't verify how
well it works.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


RE: restrictive ipfw ruleset and ftp

2003-06-17 Thread FBSD_User
Read the man page carefully. The fw_punch IPFW command opens up more
things than just FTP.  There is no way to enable just the active FTP part. The
other things become a security problem.  The fw_punch command is a
very poorly designed command and should never have been allowed into
IPFW as it currently is. User beware.   The best solution is to make
and publish to all users of your environment the rule that passive FTP is
the only FTP method allowed, per security policy, and be done with
it.



Re: restrictive ipfw ruleset and ftp

2003-06-17 Thread Kirk Strauser
At 2003-06-17T12:13:46Z, Andrew Thomson [EMAIL PROTECTED] writes:

> i have a list of ports that i let my users go out on: 80, 22, 143, 443 etc
> etc..

Out of curiosity, do you have control over the set of machines that your
users are connecting to?  I.e., are they uploading to your own FTP server at
a colo site?  If so, you might consider dropping FTP altogether in favor of
SFTP.  It's radically easier to firewall; you just open a single TCP port.
You also get decent authentication and end-to-end encryption.  Just a
thought.
-- 
Kirk Strauser
In Googlis non est, ergo non est.



Re: restrictive ipfw ruleset and ftp

2003-06-17 Thread Chuck Swiger
[EMAIL PROTECTED] wrote:
> [ ... ]
> PS: does anyone know what the correct terminology for FTP's
> non-passive mode is?  I sometimes refer to active mode when talking
> FTP (because that term somehow got stuck in my head once upon a time),
> but I usually get some very curious/confused looks when I talk about
> active FTP...  :)

active mode FTP or simply normal FTP.

-Chuck



IPFW ruleset w/nat help

2002-11-01 Thread Terrac Skiens
Help,
I am trying to come up with a ruleset that allows ip, tcp ports 25 & 22,
and icmp traffic out from an internal network 10.1.1.0/8 on the sis1
interface to the sis0 interface. I also want the traffic to appear as
though it is coming from one of the public IP addresses on the public
subnet.

my ruleset thus far with no luck:
# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to 172.16.0.0/12 via sis0
00500 deny ip from any to 192.168.0.0/16 via sis0
00600 deny ip from any to 0.0.0.0/8 via sis0
00700 deny ip from any to 169.254.0.0/16 via sis0
00800 deny ip from any to 192.0.2.0/24 via sis0
00900 deny ip from any to 224.0.0.0/4 via sis0
01000 deny ip from any to 240.0.0.0/4 via sis0
# then nat
01100 divert 8668 ip from any to any via sis0
01200 deny ip from 172.16.0.0/12 to any via sis0
01300 deny ip from 192.168.0.0/16 to any via sis0
01400 deny ip from 0.0.0.0/8 to any via sis0
01500 deny ip from 169.254.0.0/16 to any via sis0
01600 deny ip from 192.0.2.0/24 to any via sis0
01700 deny ip from 224.0.0.0/4 to any via sis0
01800 deny ip from 240.0.0.0/4 to any via sis0
01900 allow tcp from any to any established
02000 allow ip from any to any frag
1 deny log logamount 100 tcp from any to any in recv sis0 setup
10100 allow tcp from any to any setup
10200 allow udp from any to any 53 keep-state out xmit sis0
10200 allow udp from any to any 53 keep-state in recv sis0
10300 allow udp from any to any 22 keep-state out xmit sis0
10300 allow udp from any to any 22 keep-state in recv sis0
10400 allow udp from any to any 123 keep-state out xmit sis0
10500 allow udp from any to any 123 keep-state in recv sis1
10600 allow udp from me to any 67 keep-state out xmit sis0
10700 allow icmp from any to any
65535 deny ip from any to any

and my rc.natd file has:
redirect_address 10.1.1.113 public.address.was.here

so far I get no pings out from behind the firewall, no ssh either.
-terrac
---
[EMAIL PROTECTED]
  Unix / Music Production / Web Tech
---

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



ipfw ruleset

2002-10-04 Thread Nelis Lamprecht

Hi People,

I'm trying to setup my firewall using ipfw on 4.6 Stable. I have read 
through the man pages and also several howto's but now I need your advice. 
I would like to setup a DNS server that will respond to queries and my 
current ruleset does not seem to permit this. Please tell me what I am 
doing wrong.

My Ruleset: ( ip's omitted )

add 00301 check-state
add 00302 allow tcp from any to any established
add 00303 allow tcp from any to any out setup keep-state
add 00304 allow tcp from any to $lan 22,25,80,443 setup
add 00400 allow udp from any to any out
add 00401 allow udp from $lan to any 53
add 00402 allow udp from any 53 to $lan in recv rl0
#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
##allow me to run traceroute
add 00604 allow icmp from any to any icmptypes 11 in
#allow ident requests
add 00700 allow tcp from any to any 113 keep-state setup
#deny syn and fin bits used for OS finger printing using nmap
add 00701 deny log tcp from any to any in tcpflags syn,fin
#log anything that falls through
add 09000 deny log ip from any to any

Kind Regards,
Nelis 





Re: ipfw ruleset

2002-10-04 Thread Nelis Lamprecht

Whoops, never mind, people. I have just realized that blocking all UDP except
on port 53 does not allow other DNS servers to send queries to my host (even
though I can query them). It would help if I actually bothered to read my
logs once in a while :O)




Re: ipfw ruleset

2002-10-04 Thread Matthew Seaman

On Fri, Oct 04, 2002 at 08:58:50AM +0200, Nelis Lamprecht wrote:
> Hi People,
>
> I'm trying to setup my firewall using ipfw on 4.6 Stable. I have read
> through the man pages and also several howto's but now I need your advice.
> I would like to setup a DNS server that will respond to queries and my
> current ruleset does not seem to permit this. Please tell me what I am
> doing wrong.
>
> My Ruleset: ( ip's omitted )
>
> add 00301 check-state
> add 00302 allow tcp from any to any established

Um... This rule is probably not what you want.  Essentially it makes
all the later tcp rules pointless...  Try:

add 00302 deny log tcp from any to any established

The idea is that the 'setup' packet for a tcp connection will generate
a specific dynamic rule via keep-state, and that will match at rule
00301.  Any other tcp packets should be denied.

> add 00303 allow tcp from any to any out setup keep-state
> add 00304 allow tcp from any to $lan 22,25,80,443 setup

Modify this to say:

add 00304 allow tcp from any to $lan 22,25,53,80,443 setup

DNS uses tcp connections for zone transfers and also it will fall back
to tcp if the response generated is too big for a single UDP packet.

> add 00400 allow udp from any to any out
> add 00401 allow udp from $lan to any 53
> add 00402 allow udp from any 53 to $lan in recv rl0

If DNS is the only UDP service you use (which is quite possible), then
drop your rule 00400.  Otherwise, move it to after the DNS specific
rules.

You need to allow your server to perform recursive lookups on your
behalf:

add 00401 allow udp from $lan to any 53 keep-state out via rl0

and to let other people query your server:

add 00402 allow udp from any to $lan 53 keep-state in via rl0

Using dynamic rules for a DNS server like this gives a good level of
security and is OK for a low traffic site, but it would probably
overwhelm IPFW's dynamic rule capacity if there was any significant
DNS traffic.  If you want to use static rules only, you need something
like

add 00401 allow udp from $lan to any 53 out via rl0
add 00402 allow udp from any 53 to $lan in via rl0

add 00403 allow udp from any to $lan 53 in via rl0
add 00404 allow udp from $lan 53 to any out via rl0

Unfortunately if going the static rule way, rule 00402 will expose all
of your UDP ports to a sufficiently wily cracker.  This section in the
default /etc/namedb/named.conf may prove illuminating:

/*
 * If there is a firewall between you and nameservers you want
 * to talk to, you might need to uncomment the query-source
 * directive below.  Previous versions of BIND always asked
 * questions using port 53, but BIND 8.1 uses an unprivileged
 * port by default.
 */
// query-source address * port 53;

That will let you lock down both source and destination ports in rules
00401 and 00402.

> #allow some icmp types (codes not supported)
> ##allow path-mtu in both directions
> add 00600 allow icmp from any to any icmptypes 3
> ##allow source quench in and out
> add 00601 allow icmp from any to any icmptypes 4
> ##allow me to ping out and receive response back
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> ##allow me to run traceroute
> add 00604 allow icmp from any to any icmptypes 11 in
> #allow ident requests
> add 00700 allow tcp from any to any 113 keep-state setup
> #deny syn and fin bits used for OS finger printing using nmap
> add 00701 deny log tcp from any to any in tcpflags syn,fin
> #log anything that falls through
> add 09000 deny log ip from any to any

Cheers,

Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
  Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK

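The two points Matthew makes (the "allow established" rule at 00302 bypassing the port list, and static rule 00402 opening every UDP port to anything sourced from port 53) and the "whoops" Nelis reports (queries from other servers arriving from an unprivileged source port) can be checked with a toy first-match evaluator. This is an added Python model, not code from the thread: it handles only the static subset of ipfw syntax used in these rules (check-state/keep-state dynamic rules and interface keywords are not modelled), and $lan is stood in by the constructed documentation prefix 192.0.2.0/24.

```python
import ipaddress
from collections import namedtuple

LAN = "192.0.2.0/24"   # constructed stand-in for the poster's $lan
OPTS = {"in", "out", "established", "setup", "keep-state", "via", "recv", "xmit"}
# flags: "syn" = bare SYN (ipfw 'setup'), "ack" = ACK set (ipfw 'established')
Pkt = namedtuple("Pkt", "proto src sport dst dport direction flags")

def parse(rule):
    """Parse the ipfw subset used in the thread: add NUM action [log] proto from A [ports] to B [ports] opts."""
    tok = [t for t in rule.replace("$lan", LAN).split() if t not in ("add", "log")]
    i = tok.index("from") + 1
    src, sports, i = tok[i], None, i + 1
    if tok[i] != "to":                        # optional source port list
        sports, i = {int(p) for p in tok[i].split(",")}, i + 1
    dst, dports, i = tok[i + 1], None, i + 2  # skip the 'to' keyword
    if i < len(tok) and tok[i] not in OPTS:   # optional destination port list
        dports, i = {int(p) for p in tok[i].split(",")}, i + 1
    return dict(num=int(tok[0]), action=tok[1], proto=tok[2], src=src,
                sports=sports, dst=dst, dports=dports, opts=set(tok[i:]))

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, p):
    if r["proto"] not in ("ip", p.proto) or not in_net(r["src"], p.src) or not in_net(r["dst"], p.dst):
        return False
    if (r["sports"] and p.sport not in r["sports"]) or (r["dports"] and p.dport not in r["dports"]):
        return False
    o = r["opts"]          # interface keywords (via/recv/xmit) are accepted but ignored here
    if ("in" in o and p.direction != "in") or ("out" in o and p.direction != "out"):
        return False
    return not (("setup" in o and p.flags != "syn") or ("established" in o and p.flags != "ack"))

def verdict(ruleset, p):
    """First matching rule wins, as in ipfw; 65535 is the implicit default deny."""
    for r in map(parse, ruleset):
        if matches(r, p):
            return r["action"], r["num"]
    return "deny", 65535

ORIGINAL = ["add 00302 allow tcp from any to any established",   # Nelis's inbound-relevant rules
            "add 00304 allow tcp from any to $lan 22,25,80,443 setup",
            "add 00402 allow udp from any 53 to $lan in recv rl0",
            "add 09000 deny log ip from any to any"]
STATIC_FIX = ["add 00302 deny log tcp from any to any established",   # Matthew's static variant
              "add 00304 allow tcp from any to $lan 22,25,53,80,443 setup",
              "add 00402 allow udp from any 53 to $lan in via rl0",
              "add 00403 allow udp from any to $lan 53 in via rl0",
              "add 09000 deny log ip from any to any"]
```

Feed it an inbound TCP packet with ACK set to a port outside the 00304 list and the original ruleset allows it at 00302 while the fixed one denies it there; a UDP packet from source port 53 to any LAN port is allowed by 00402 in both, which is the exposure Matthew warns about.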