Re: ipfw rules for all interfaces not working ...
On Monday 17 December 2007 19:06:29 Gore Jarold wrote: My main goal is to lock down my ipfw rules so that when I run nmap, all I see is: Interesting ports on 192.168.0.10: Not shown: 1677 closed ports PORTSTATE SERVICE 22/tcp open ssh MAC Address: 00:12:D8:A2:23:C2 Nmap finished: 1 IP address (1 host up) scanned in 9.791 seconds So that means I will need to explicitly block all ports except for the ones I have real servers running on. That's easy. The problem is, this is a laptop and so sometimes iwi0 exists and sometimes it doesn't, and sometimes xl0 exists and sometimes it doesn't ... and that is why my ipfw rules look like this: 00010 00 allow ip from any to any via lo0 00020 00 deny ip from any to 127.0.0.0/8 01000 18134 10505749 allow tcp from any to any established 04000 149884280 allow icmp from any to any 0400127 1728 allow tcp from any to any dst-port 22 setup 04008 00 deny log logamount 100 ip from any to any recv all 65535 15202 2569754 allow ip from any to any See - in rule 04008, I say to deny ip from any to any recv all - so that no matter what interface(s) I have up, and no matter what their addresses are, this one deny rule will apply to them. THe problem is, it doesn't work. As you can see, the counter on that rule is zero, and when I nmap the system I can see things like samba and http, etc., even though the only port I am allowing through is TCP 22. Why is this ? Because there is no all keyword :) ipfw tries to match an interface named all there. Check how these rules match your needs. The first one creates states for connections initiated by your machine to the world allowing related incoming traffic to come back. The second allows all to your TCP port 22. The third denies and logs everything else. ipfw add 1000 allow ip from me to any keep-state ipfw add 2000 allow tcp from any to me dst-port 22 ipfw add 3000 deny log logamount 0 ip from any to any The above ruleset is a minimal example. Modify as needed to limit logamount, allow ICMP etc. HTH, Nikos ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
[EMAIL PROTECTED] wrote: So basically the ruleset should be simple: ipfw -f flush # allow lo0 stuff # block some spoofs/attacks # if you are hosting gameservers from 192.168.17.3 or whatever, # you should (manually) open server ports, in other words, add # routes to 192.168.17.3 to specific server ports ipfw add divert natd all from any to any via $outside_interface allow all from any to any # block some more spoofs/attacks :) # define services (like you did with http) Sorry, this didn't work. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
Jack Barnett wrote: [EMAIL PROTECTED] wrote: So basically the ruleset should be simple: ipfw -f flush # allow lo0 stuff # block some spoofs/attacks # if you are hosting gameservers from 192.168.17.3 or whatever, # you should (manually) open server ports, in other words, add # routes to 192.168.17.3 to specific server ports ipfw add divert natd all from any to any via $outside_interface allow all from any to any # block some more spoofs/attacks :) # define services (like you did with http) Sorry, this didn't work. just without any security concerns, try this script: #!/bin/sh ipfw -f flush ipfw add divert natd via xl0 ipfw add allow all from any to any But please tell me, what kind of internet connection do you have? You said you have a Dynamic IP. Are you using connecting to the Internet via ppp? If so, replace xl0 up there with tun0 (or whatever tunnel ppp created). Here's my stuff: ::: /etc/natd.conf ::: dynamic yes same_portsyes deny_incoming yes unregistered_only yes redirect address 192.168.123.254 0.0.0.0 ::: part of /etc/rc.conf ::: # [...] ifconfig_rl0=inet 192.168.123.254 netmask 255.255.255.0 ifconfig_ed0=up # -- this is the external one # plus there is a tun0 for PPPoE firewall_enable=YES firewall_script=/etc/ipfw.rules # something like the above script gateway_enable=YES router_enable=NO natd_enable=YES natd_interface=tun0 natd_flags=-f /etc/natd.conf ppp_enable=YES # [...] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
Bob Hall wrote:
On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
I added this for a temporary fix:
${fwcmd} add pass all from any to any
I don't think that is the right answer; That allows to much in?
Yes.
I've tried these per the docs:
${fwcmd} add allow all from any to any out via {$iip} setup
${fwcmd} add allow all from any to any out via {$iip} established
${fwcmd} add allow all from any to any in via {$iip} established
and also a bunch of others; but none of them worked.
Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.
Sorry, that didn't work.
I also tried this:
${fwcmd} add allow tcp from any to any via ${oip} setup
${fwcmd} add allow udp from any to any via ${oip} setup
${fwcmd} add allow tcp from any to any via ${oip} established
${fwcmd} add allow udp from any to any via ${oip} established
That also blocks it. :(
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
Jack Barnett wrote:
Bob Hall wrote:
On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
I added this for a temporary fix:
${fwcmd} add pass all from any to any
I don't think that is the right answer; That allows to much in?
Yes.
I've tried these per the docs:
${fwcmd} add allow all from any to any out via {$iip} setup
${fwcmd} add allow all from any to any out via {$iip} established
${fwcmd} add allow all from any to any in via {$iip} established
and also a bunch of others; but none of them worked.
Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.
Sorry, that didn't work.
I also tried this:
${fwcmd} add allow tcp from any to any via ${oip} setup
${fwcmd} add allow udp from any to any via ${oip} setup
${fwcmd} add allow tcp from any to any via ${oip} established
${fwcmd} add allow udp from any to any via ${oip} established
That also blocks it. :(
Even tried this and still doesn't work.
${fwcmd} add allow tcp from any to any via ${oip}
${fwcmd} add allow udp from any to any via ${oip}
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
Jack Barnett wrote:
Jack Barnett wrote:
Jack Barnett wrote:
Bob Hall wrote:
On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
I added this for a temporary fix:
${fwcmd} add pass all from any to any
I don't think that is the right answer; That allows to much in?
Yes.
I've tried these per the docs:
${fwcmd} add allow all from any to any out via {$iip} setup
${fwcmd} add allow all from any to any out via {$iip} established
${fwcmd} add allow all from any to any in via {$iip} established
and also a bunch of others; but none of them worked.
Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.
Sorry, that didn't work.
I also tried this:
${fwcmd} add allow tcp from any to any via ${oip} setup
${fwcmd} add allow udp from any to any via ${oip} setup
${fwcmd} add allow tcp from any to any via ${oip} established
${fwcmd} add allow udp from any to any via ${oip} established
That also blocks it. :(
Even tried this and still doesn't work.
${fwcmd} add allow tcp from any to any via ${oip}
${fwcmd} add allow udp from any to any via ${oip}
Grrr, this doesn't work either:
# statefull
${fwcmd} add check-state
${fwcmd} add allow tcp from any to any established
${fwcmd} add allow all from any to any out keep-state
${fwcmd} add allow icmp from any to any
This thread talks about the same problem:
[1]http://lists.freebsd.org/pipermail/freebsd-ipfw/2005-December/00225
8.html
You will most likely find that dynamic rules will allow this
ingress traffic, without the need to explicitly allow it.
But unfortunately there is no follow up reply in that archive.
References
1. http://lists.freebsd.org/pipermail/freebsd-ipfw/2005-December/002258.html
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
On Fri, 02 Nov 2007 04:59:27 -0500
Jack Barnett [EMAIL PROTECTED] wrote:
Lots of people play games here and basically a pain to keep trying to
get these stupid things to work with individual rules for each.
I'm running FreeBSD 6.x with IPFW/natd
I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
Everything inside the network is 192.168.17.xxx
The setup is this:
192.168.17.x -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random
Game Server on the Internets}
[Internet Network(GAME)] -- [FreeBSD] -- {Internets}
There are a bunch of games that send out TCP/UDP packets (and who
knows what else) on different ports to different destinations and then
receive data back on random ports. Basically, anything on any
protocol from the internal network should be able to establish and
setup connections out AND be allowed to receive data back from
whomever they connected out to; but random hosts trying to connect
in should be blocked.
You simply need to allow back traffic on the same socket connection
this will happen automatically with TCP if you are passing established
traffic, with UDP you will have to keep-state. You will probably find
that the games also require you to open one or more incoming ports too.
If you are not very confident with ipfw I would suggest you switch to
pf. It's a very good firewall and generally easier to use. Also if you
are playing games, you'll want to do traffic prioritisation, which is a
pain with ipfw.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
RW wrote:
On Fri, 02 Nov 2007 04:59:27 -0500
Jack Barnett [1][EMAIL PROTECTED] wrote:
Lots of people play games here and basically a pain to keep trying to
get these stupid things to work with individual rules for each.
I'm running FreeBSD 6.x with IPFW/natd
I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
Everything inside the network is 192.168.17.xxx
The setup is this:
192.168.17.x -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random
Game Server on the Internets}
[Internet Network(GAME)] -- [FreeBSD] -- {Internets}
There are a bunch of games that send out TCP/UDP packets (and who
knows what else) on different ports to different destinations and then
receive data back on random ports. Basically, anything on any
protocol from the internal network should be able to establish and
setup connections out AND be allowed to receive data back from
whomever they connected out to; but random hosts trying to connect
in should be blocked.
You simply need to allow back traffic on the same socket connection
this will happen automatically with TCP if you are passing established
traffic, with UDP you will have to keep-state. You will probably find
that the games also require you to open one or more incoming ports too.
If you are not very confident with ipfw I would suggest you switch to
pf. It's a very good firewall and generally easier to use. Also if you
are playing games, you'll want to do traffic prioritisation, which is a
pain with ipfw.
Thanks. Yes, generally firewalls and networking isn't my strong
point.
I checked out the handbook on it and it looks easy enough.
I found this: [2]http://www.allard.nu/pfw/ - but appears it's not in
the ports and commerical software?
I also have fwbuilder installed; but don't really like that much.
Are there any other GUI like interfaces that could help me in building
rules for pf?
I haven't read though it all yet; but I'll still need natd with pf,
right?
References
1. mailto:[EMAIL PROTECTED]
2. http://www.allard.nu/pfw/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
I added this for a temporary fix:
${fwcmd} add pass all from any to any
I don't think that is the right answer; That allows to much in?
Yes.
I've tried these per the docs:
${fwcmd} add allow all from any to any out via {$iip} setup
${fwcmd} add allow all from any to any out via {$iip} established
${fwcmd} add allow all from any to any in via {$iip} established
and also a bunch of others; but none of them worked.
Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
Jack Barnett wrote:
Jack Barnett wrote:
Bob Hall wrote:
On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
I added this for a temporary fix:
${fwcmd} add pass all from any to any
I don't think that is the right answer; That allows to much in?
Yes.
I've tried these per the docs:
${fwcmd} add allow all from any to any out via {$iip} setup
${fwcmd} add allow all from any to any out via {$iip} established
${fwcmd} add allow all from any to any in via {$iip} established
and also a bunch of others; but none of them worked.
Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.
Sorry, that didn't work.
I also tried this:
${fwcmd} add allow tcp from any to any via ${oip} setup
${fwcmd} add allow udp from any to any via ${oip} setup
${fwcmd} add allow tcp from any to any via ${oip} established
${fwcmd} add allow udp from any to any via ${oip} established
That also blocks it. :(
Even tried this and still doesn't work.
${fwcmd} add allow tcp from any to any via ${oip}
${fwcmd} add allow udp from any to any via ${oip}
Grrr, this doesn't work either:
# statefull
${fwcmd} add check-state
${fwcmd} add allow tcp from any to any established
${fwcmd} add allow all from any to any out keep-state
${fwcmd} add allow icmp from any to any
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
Hi, Jack, let's see.
Jack Barnett wrote:
Lots of people play games here and basically a pain to keep trying to
get these stupid things to work with individual rules for each.
I'm running FreeBSD 6.x with IPFW/natd
I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
Everything inside the network is 192.168.17.xxx
The setup is this:
192.168.17.x -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random Game
Server on the Internets}
[Internet Network(GAME)] -- [FreeBSD] -- {Internets}
There are a bunch of games that send out TCP/UDP packets (and who knows
what else) on different ports to different destinations and then
receive data back on random ports. Basically, anything on any
protocol from the internal network should be able to establish and setup
connections out AND be allowed to receive data back from whomever they
connected out to; but random hosts trying to connect in should be
blocked.
Back on random ports? That's not how it should be. Your client must
send a request (ping or connect) to a server, using the game's client
port as the local port, and the server port as the remote port. The
reply should come back the same way, reversed.
for example, a client sends a connect request:
192.168.17.7:28000 87.15.13.165
natd converts the packet to:
49.74.121.3:28000 87.15.13.165:29000
(49.74.121.3 is your public IP)
and adds a dynamic rule (inside natd, not ipfw), that packet coming from
87.15.13.165, port 29000 to 49.74.121.3 port 28000 should be routed to
192.168.17.7, port 28000. So:
the server replies:
87.15.13.165:29000 49.74.121.3:28000
natd converts the packet to:
87.15.13.165:29000 192.168.17.7:28000
Any unknown packets will be blocked by natd. These are the unauthorized
random hosts.
So basically the ruleset should be simple:
ipfw -f flush
# allow lo0 stuff
# block some spoofs/attacks
# if you are hosting gameservers from 192.168.17.3 or whatever,
# you should (manually) open server ports, in other words, add
# routes to 192.168.17.3 to specific server ports
ipfw add divert natd all from any to any via $outside_interface
allow all from any to any
# block some more spoofs/attacks :)
# define services (like you did with http)
Correct me if I'm wrong.
What games do reply back on random ports?
I added this for a temporary fix:
${fwcmd} add pass all from any to any
I don't think that is the right answer; That allows to much in?
I've tried these per the docs:
${fwcmd} add allow all from any to any out via {$iip} setup
${fwcmd} add allow all from any to any out via {$iip} established
${fwcmd} add allow all from any to any in via {$iip} established
and also a bunch of others; but none of them worked.
Here is my full config:
# simple
[Ss][Ii][Mm][Pp][Ll][Ee])
# This is a prototype setup for a simple firewall. Configure this
# machine as a DNS and NTP server, and point all the machines
# on the inside at this machine for those services.
# set these to your outside interface network and netmask and ip
oif=xl0
onet=`ifconfig xl0 | grep inet | awk '{print $6}'`
I'm not sure about this. Isn't the sixth word the broadcast address
(ending with .255)?
omask=0xfe00
0xfe00 wtf?
oip=`ifconfig xl0 | grep inet | awk '{print $2}'`
# set these to your inside interface network and netmask and ip
iif=dc1
inet=192.168.17.0
imask=0xff00
iip=192.168.17.1
What kind of internet connection do you have?
setup_loopback
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and
class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here
deliberately
# so that it does not interfere with the surrounding
address-checking
# rules. If for example one of your internal LAN machines had
its IP
# address set to 192.0.2.1 then an incoming packet for it after
being
# translated by natd(8) would match the `deny' rule above.
Similarly
# an outgoing packet
Re: IPFW Rules and Games
On Fri, Nov 02, 2007 at 10:59:04PM +0100, [EMAIL PROTECTED] wrote:
onet=`ifconfig xl0 | grep inet | awk '{print $6}'`
I'm not sure about this. Isn't the sixth word the broadcast address
(ending with .255)?
It's correct. I've been using this in my firewall file since FBSD
4.something. No problems. By default, awk uses spaces as column
delimiters. The line containing inet starts with eight spaces. Try it
and see what happens.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules
Ok, i changed my original rules. I'm going to use both the ruleset you recommended and these ones (not at the same time though :). And see which one gives me the least trouble. greetings, jurjen. #!/bin/sh ipfw -q flush cmd=ipfw -q add ks=keep-state oif=ath0 #sort in en out packets $cmd 1 skipto 15 ip from any to any in recv $oif $cmd 2 skipto 100 ip from any to any out xmit $oif #setup the loopback $cmd 011 allow all from any to any via lo0 $cmd 012 deny all from any to 127.0.0.0/8 $cmd 013 deny ip from 127.0.0.0/8 to any $cmd 014 allow icmp from any to any # Outgoing (15) #check state of incoming packets $cmd 015 check-state #internet sites: $cmd 020 allow tcp from me to any 80 out via $oif setup $ks #allow dns queries $cmd 025 allow udp from me to any 53 out via $oif $ks #to stack $cmd 030 allow all from me to 131.155.0.0/16 via $oif $ks #e-mail pop $cmd 040 allow tcp from me to any 110 out via $oif setup $ks #imap #$cmd 041 allow tcp from me to any 143 out via $oif setup $ks #allow ssh $cmd 050 allow all from me to any 22 out via $oif setup $ks #https $cmd 054 allow tcp from me to any 443 out via $oif setup $ks #gopher $cmd 055 allow tcp from me to any 70 out via $oif setup $ks #root can do anything $cmd 070 allow log all from me to any out via $oif setup $ks uid root # Incoming (100) #log ACK packets that did'nt match the dynamic ruleset $cmd 100 deny log all from any to any established in via $oif #default: deny ip from any to any ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules
Cool! thanks for the reply + suggestions! I haven't had any trouble with my firewall blocking too much yet (also didn't connect to the internet much yet :), but i'll think about just allowing all out... on the other hand i like the idea of just letting through out that i need (which isn't very much) and denying all else. I don't use the file shares on the network, so i figured if i got a packet from one of those addresses it would be a mistake so i let them drop. Anyway, i'll try to build some rules based on the suggestions you made and then i can try them both and then decide which one gives me the least trouble :) greetings, jurjen. On Mon, Dec 18, 2006 at 04:29:06AM +0200, Giorgos Keramidas wrote: On 2006-12-16 18:01, Jurjen Middendorp [EMAIL PROTECTED] wrote: I tried making a firewall for my laptop..but i'm not sure if i forgot anything. And things can always be done better :) #to stack (student computer thing... e-mail, irc, ssh stuff) $cmd 020 allow all from me to 131.155.140.141/16 via $oif $ks #allow ssh $cmd 021 allow all from me to any 22 out via $oif setup $ks #internet sites: $cmd 032 allow tcp from me to any 80 out via $oif setup $ks #https $cmd 033 allow tcp from me to any 443 out via $oif setup $ks #gopher $cmd 034 allow tcp from me to any 70 out via $oif setup $ks #other e-mail #pop $cmd 040 allow tcp from me to any 110 out via $oif setup $ks #imap $cmd 041 allow tcp from me to any 143 out via $oif setup $ks #allow dns queries $cmd 050 allow udp from me to any 53 out via $oif $ks #allow ntp (?) queries $cmd 051 allow udp from me to any 123 out via $oif $ks #i can send icmp myself $cmd 060 allow icmp from me to any out via $oif $ks #but others can't $cmd 061 deny icmp from any to me # #root can do anything $cmd 070 allow tcp from me to any out via $oif setup $ks uid root #log other outgoing packets $cmd 071 deny log all from any to any out via $oif # Incoming #The default is that all other connections will be blocked anyway, but # the more stuff i put in here, the less stuff will get logged #deny incoming to private networks $cmd 100 deny all from 192.168.0.0/16 to any in via $oif#RFC 1918 $cmd 101 deny all from 172.16.0.0/16 to any in via $oif #RFC 1918 $cmd 105 deny all from 169.254.0.0/16 to any in via $oif#DHCP auto $cmd 106 deny all from 192.0.2.0/24 to any in via $oif #reserved $cmd 108 deny all from 192.168.0.0/16 to any in via $oif#D E class # multicast #block smb stuff $cmd 120 deny tcp from any to me 137 in via $oif $cmd 121 deny tcp from any to me 138 in via $oif $cmd 122 deny tcp from any to me 139 in via $oif #log ACK packets that did'nt match the dynamic ruleset $cmd 130 deny log all from any to any established in via $oif #Now log some stuff in case i did something wrong $cmd 999 deny log any to me rule 999 had a syntax error and now it reads ...log all from... that works a bit better :) It's a fairly complex ruleset, but it seems mostly ok. There are a few things I'd change, mostly resulting from my own personal preferences: * I don't like hard-coding rule numbers in IPFW rulesets. * I like using 127.0.0.1/32 instead of any for loopback interfaces. * In general, I prefer much simpler rulesets. * I try to avoid a lot of variables/macros, like your $ks, since they don't really keep things a lot shorter, and when they do they try to abstract away too much of ipfw's syntax. * I don't aggressively filter out ICMP packets. They are useful for a lot of things, they are rate-limited by the kernel, and it is usually silly to block them without a fair amount of knowledge and a very good reason. * I don't deny packets for 'private' networks,like 192.168.0.0/26 because the networks I use with my laptop *ARE* private a lot of the time. Having the firewall block too much and cause me problems is rarely a good way of spending my time. I would probably start with something like: recommendation for ipfw ruleset ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules
On 2006-12-16 18:01, Jurjen Middendorp [EMAIL PROTECTED] wrote: I posted this to the freebsd-security list, but i believe that is not the right list to this question (sorry! this is my first message to the freebsd mailing-lists). I hope this is the right list! :) anyway: I tried making a firewall for my laptop..but i'm not sure if i forgot anything. And things can always be done better :) #to stack (student computer thing... e-mail, irc, ssh stuff) $cmd 020 allow all from me to 131.155.140.141/16 via $oif $ks #allow ssh $cmd 021 allow all from me to any 22 out via $oif setup $ks #internet sites: $cmd 032 allow tcp from me to any 80 out via $oif setup $ks #https $cmd 033 allow tcp from me to any 443 out via $oif setup $ks #gopher $cmd 034 allow tcp from me to any 70 out via $oif setup $ks #other e-mail #pop $cmd 040 allow tcp from me to any 110 out via $oif setup $ks #imap $cmd 041 allow tcp from me to any 143 out via $oif setup $ks #allow dns queries $cmd 050 allow udp from me to any 53 out via $oif $ks #allow ntp (?) queries $cmd 051 allow udp from me to any 123 out via $oif $ks #i can send icmp myself $cmd 060 allow icmp from me to any out via $oif $ks #but others can't $cmd 061 deny icmp from any to me # #root can do anything $cmd 070 allow tcp from me to any out via $oif setup $ks uid root #log other outgoing packets $cmd 071 deny log all from any to any out via $oif # Incoming #The default is that all other connections will be blocked anyway, but # the more stuff i put in here, the less stuff will get logged #deny incoming to private networks $cmd 100 deny all from 192.168.0.0/16 to any in via $oif #RFC 1918 $cmd 101 deny all from 172.16.0.0/16 to any in via $oif #RFC 1918 $cmd 105 deny all from 169.254.0.0/16 to any in via $oif #DHCP auto $cmd 106 deny all from 192.0.2.0/24 to any in via $oif #reserved $cmd 108 deny all from 192.168.0.0/16 to any in via $oif #D E class # multicast #block smb stuff $cmd 120 deny tcp from any to me 137 in via $oif $cmd 121 deny tcp from any to me 138 in via $oif $cmd 122 deny tcp from any to me 139 in via $oif #log ACK packets that did'nt match the dynamic ruleset $cmd 130 deny log all from any to any established in via $oif #Now log some stuff in case i did something wrong $cmd 999 deny log any to me It's a fairly complex ruleset, but it seems mostly ok. There are a few things I'd change, mostly resulting from my own personal preferences: * I don't like hard-coding rule numbers in IPFW rulesets. * I like using 127.0.0.1/32 instead of any for loopback interfaces. * In general, I prefer much simpler rulesets. * I try to avoid a lot of variables/macros, like your $ks, since they don't really keep things a lot shorter, and when they do they try to abstract away too much of ipfw's syntax. * I don't aggressively filter out ICMP packets. They are useful for a lot of things, they are rate-limited by the kernel, and it is usually silly to block them without a fair amount of knowledge and a very good reason. * I don't deny packets for 'private' networks,like 192.168.0.0/26 because the networks I use with my laptop *ARE* private a lot of the time. Having the firewall block too much and cause me problems is rarely a good way of spending my time. I would probably start with something like: : flush=ipfw -q flush : add=ipfw -q add : : oif=ath0 : : $flush : $add allow all from 127.0.0.1/32 to 127.0.0.1/32 via lo0 : $add deny all from 127.0.0.1/32 to any : $add deny all from any to 127.0.0.1/32 : : $add allow icmp from any to any : : $add check-state : : # Allow all outgoing connections. : $add allow all from any to any out via $oif setup keep-state : : # Allow *some* incoming connections (only SSH right now). : $add allow all from any to any 22 in via $oif setup keep-state : : # Block everything else. : $add deny log all from any to any That's pretty minimal, and you can build on top of it :-) If you are using DHCP to get an address for your laptop, you may have to also allow incoming packets from any to 255.255.255.255, destined for UDP port 68, which would make your ruleset: : flush=ipfw -q flush : add=ipfw -q add : : oif=ath0 : : $flush : $add allow all from 127.0.0.1/32 to 127.0.0.1/32 via lo0 : $add deny all from 127.0.0.1/32 to any : $add deny all from any to 127.0.0.1/32 : : $add allow icmp from any to any : : $add check-state : : # Allow all outgoing connections. : $add allow all from any to any out via $oif setup keep-state : : # Allow *some* incoming stuff (only DHCP and SSH right now). : $add allow udp from any to 255.255.255.255 68 in via $oif : $add allow all from any to any 22 in via $oif
Re: ipfw rules
RYAN vAN GINNEKEN wrote: I know this has probably been posted 1000's of times but i would like to set up a ipfw firewall i run many services on this machine. It acts as a gateway for my network APACHE web server IMAP mail server SMTP mail server BIND name server FTP server also i would like to be able to forward packets to a machine on my network for VNC and also gaming purposes. Just interested in where to find some good rules sets and documentation on the subject Here's a page that contains a long list of links posted by someone on this list: http://freebsd.amazingdev.com/blog/archives/000112.html -- Jonathan Arnold (mailto:[EMAIL PROTECTED]) Daemon Dancing in the Dark, a FreeBSD weblog: http://freebsd.amazingdev.com/blog/ ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules
On Thursday 04 March 2004 01:42, RYAN vAN GINNEKEN wrote: I know this has probably been posted 1000's of times but i would like to set up a ipfw firewall i run many services on this machine. It acts as a gateway for my network APACHE web server 80/TCP and perhaps 443/TCP IMAP mail server 143/TCP SMTP mail server 25/TCP BIND name server 53/UDP for xfers 53/TCP FTP server 21/TCP 20/TCP maybe (I use ipf but the principles are the same) - block in/out packages you never want to see at all (e.g. with weird opts or too short to be normal) - block in anything from your own IP - block in anything from private addresses (you can get and update lists of these) - let no broadcasting packets come in or go out even on wrong bcast addresses - block in (and log) everything else except: - your services on their ports keep state and with proxy if needed (ftp?) - let everything outward go and keep state or: - let nothing out except what you may initialize (and keep state) e.g. web traffic, mail retrieval, etc. More cumbersome. - decide on ping etc, what do you want to come in and what ICMP do you want to respond to - send out resets rather than ICMP-no-answer or whatever it's called on blocked ports Keep huge big logs at first, then later strip out what you know means no harm. I don't know about VNC. HTH, Dan ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW rules
Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
On Tue, Feb 17, 2004 at 08:46:09PM -0800, Saint Aardvark the Carpeted wrote:
Peter Rosa disturbed my sleep to write:
please what's the difference between this ipfw rules:
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
This denies broadcasts coming in to your machine through the outside
interface. The rule number is specified here, and it's rather high; if
it's not stopping the traffic you think it should, there may be another
rule earlier that's allowing it through.
I'm not certain, but I think the address 0.0.0.255:0.0.0.255 means
anything ending in .255
It just an invalid IP adress. At least the first tree number have to be
zero. The invalid IP adress 0.0.0.0 is usaly used by DHCP server (and
maybe clients). This value can be used to filther that without fithering
anything.
Alex
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW rules
Peter Rosa disturbed my sleep to write:
please what's the difference between this ipfw rules:
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
This denies broadcasts coming in to your machine through the outside
interface. The rule number is specified here, and it's rather high; if
it's not stopping the traffic you think it should, there may be another
rule earlier that's allowing it through.
I'm not certain, but I think the address 0.0.0.255:0.0.0.255 means
anything ending in .255 -- the part after the colon is a netmask, and
for ipfw it means only the last byte of the address needs to match.
This would catch a broadcast going to your local network if it was a /24.
For example, if your local network was 192.168.100.0/24 (/24 is the
same netmask as 255.255.255.0), then this rule would stop broadcasts on
that network (going to 192.168.100.255). It would *not* stop broadcasts
if you had a smaller or larger netmask, where the broadcast address
didn't end in .255.
${fwcmd} add deny all from any to 255.255.255.255
This denies broadcasts going in any direction (from or to your machine),
no matter what the interface. The address specified is different from
the first -- it's 255.255.255.255, and the whole address needs to match.
Usually you'd see this address when the host is trying to figure out
its IP address -- during DHCP requests, say.
Hope that helps,
Hugh
--
Saint Aardvark the Carpeted
[EMAIL PROTECTED]
Because the plural of Anecdote is Myth.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules help.
Marwan Sultan disturbed my sleep to write:
I compiled ipfw to accept by default.
This is my ipfw list:
00050 divert 8668 ip from any to any via rl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any
Hm...this may not be a big deal, but is there any reason you're putting
the divert rule before the rules dealing with lo0/127.0.0.0/8? The
default FreeBSD open firewall ruleset usually puts the divert rule after
-- this would be rule 400 in your example.
a) lets say I want to deny everything except a range of IPs
starting from 192.168.1.1 to 192.168.1.50.
what rule set should be? how to set range of IPs? to pass
and deny rest of the C class. FreeBSD Doc's doesnot cover this?
or i didnot see.!
man ipfw(8) will help you. Depending on the version of ipfw (I forget
when this syntax was added), you may be able to do this:
ipfw allow all from 192.168.1.{1,50} to any
ipfw deny all from any to any
As for which rule it should be...typically what I do is write down
my firewall rules in a separate file, try to make sure that they make
sense (allow rules before deny rules, for example), then try them
out...always making sure that I have some way into the machine if I'm
working remotely! Usually you can let ipfw take care of assigning rule
numbers, unless you've got something fairly special going on.
b) If i want to deny everything except ip 192.168.1.5 as follow
00400 allow all from 192.168.1.5 to any
01000 deny all from any to any.
when ipfw reads the rules and pass by 00400 then comes to 01000
then it denies even the 192.168.1.5, althou i put this rule before the
deny ? what im missing? how should i pass 1 ip and deny all?
I'm not sure why that would happen, but you can find out. If you change
that deny rule to a deny-and-log rule, like this:
ipfw deny log all from any to any
you can then run tail -f /var/log/security and see what packets are
being caught by the deny rule. You can also run ipfw show, which
will show you how many packets/bytes are being caught by which rules.
Again, read the man page for ipfw.
Off the top of my head, I suspect you're allowing traffic out, but not
back in -- you haven't listed a rule that would allow replies to TCP
traffic back in, or DNS queries. Denying either of these would make it
look like nothing is working. Try this:
allow tcp from 192.168.1.5 to any
allow udp from 192.168.1.5 to any keep-state
check-state
allow tcp from any to any established
deny all from any to any
c) If I want rule 00400 to expire in 9PM and be active in 8AM.(EXAMPLE)
how do we do that? is it by set a cron job to delete and add
the ipfw rule? or there is something to do from the ipfw it self?
As far as I know, you can only do this with a cron job. Test carefully,
though -- it's frighteningly easy to lock yourself out while doing this
sort of thing. I speak from bitter experience. :-)
D) Last Q: IF I restart the box all the rules will be reset,
and comes to default. which is reasonable.
How to keep it everytime I restart?
do i create a file somewhere, and i tell my rc.conf for it?
what the rc.conf line should be? and file format?
man rc.conf(5) will show you firewall options. What I usually do is
write my own and keep it in a separate file -- I find rc.firewall too
confusing when trying to customize it. But have a look at
/etc/rc.firewall and the simple option -- it probably does a lot of
what you want.
Question out of subject,
How i can do something thro cronjob to make the box Email me the
log of firewall everyday on certain time, lets say 9PM ?
Well, you could just have a script that would, say, grep for today's
date in your firewall logs and email that. Another thing you could
consider doing, though, is signing up at dshield.org and using one of
their clients to parse your logs. Dshield collects firewall information
from volunteers around the world, and uses it to alert people to new
or fast-moving threats. It's an excellent idea, and a lot of help to
security people. I use ipfw2dshield to parse and mail my logs, and as a
bonus I get a copy of the email myself to see if there's anything
interesting.
Hope that helps!
Hugh
--
Saint Aardvark the Carpeted
[EMAIL PROTECTED]
Because the plural of Anecdote is Myth.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules help.
Marwan Sultan wrote: a) lets say I want to deny everything except a range of IPs starting from 192.168.1.1 to 192.168.1.50. what rule set should be? how to set range of IPs? to pass and deny rest of the C class. FreeBSD Doc's doesnot cover this? or i didnot see.! I would set a default to deny, then poke holes through it for the stuff you need, such as add allow ip from 192.168.1.1/5 to any add allow ip from any to 192.168.1.1/5 (which sets up to use 1.1 to 1.32). That netmask is your best friend. b) If i want to deny everything except ip 192.168.1.5 as follow 00400 allow all from 192.168.1.5 to any 01000 deny all from any to any. when ipfw reads the rules and pass by 00400 then comes to 01000 then it denies even the 192.168.1.5, althou i put this rule before the deny ? what im missing? how should i pass 1 ip and deny all? It means something didn't even check it with rule 400. This can be due to an IPDIVERT thing changing the address so it doesn't match, or something similar. c) If I want rule 00400 to expire in 9PM and be active in 8AM.(EXAMPLE) how do we do that? is it by set a cron job to delete and add the ipfw rule? or there is something to do from the ipfw it self? cron job. ipfw doesn't have the capability of doing time-based rulesets. Temporary ones are okay, but time based, it can't really handle. D) Last Q: IF I restart the box all the rules will be reset, and comes to default. which is reasonable. How to keep it everytime I restart? do i create a file somewhere, and i tell my rc.conf for it? what the rc.conf line should be? and file format? Create or edit the '/etc/rc.firewall'. I would only make the changes to allow a firewall type of 'file', and then make rc.conf reference a file that contains the rules. Or, you can add a startup script in /usr/local/etc/rc.d/ that adds the rules. Joe ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules for letting ssh requests in
On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
I can't seem to get the ipfw rules right for letting ssh clients access a
ssh server. I can use ssh on the server to connect to the client; but if I
try to connect from the client to the server, the operation times out.
I have my rules in /etc/ipfw.rules. Executing 'ipfw show' displays all of
the rules as expected. It also shows packets having been allowed at rule
300 after an attempt to connect has been made.
I have copied the top portion of /etc/ipfw.rules:
#!/bin/sh
# Andrew L. Gould's firewall rules.
fwcmd=/sbin/ipfw -q
${fwcmd} -f flush
# Basic rules that should not be changed
${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00110 deny all from any to 127.0.0.0/8
${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
# Allow specified service requests in
# ssh
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow udp from any to me 22
Does anyone have any idea why the operation is timing out or what I have
done wrong?
You forgot the packets in the other direction... This should do the trick :
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow tcp from me 22 to any
grtz,
Daan
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules for letting ssh requests in
On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote:
On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
I can't seem to get the ipfw rules right for letting ssh clients access a
ssh server. I can use ssh on the server to connect to the client; but if
I try to connect from the client to the server, the operation times out.
I have my rules in /etc/ipfw.rules. Executing 'ipfw show' displays all
of the rules as expected. It also shows packets having been allowed at
rule 300 after an attempt to connect has been made.
I have copied the top portion of /etc/ipfw.rules:
#!/bin/sh
# Andrew L. Gould's firewall rules.
fwcmd=/sbin/ipfw -q
${fwcmd} -f flush
# Basic rules that should not be changed
${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00110 deny all from any to 127.0.0.0/8
${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
# Allow specified service requests in
# ssh
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow udp from any to me 22
Does anyone have any idea why the operation is timing out or what I have
done wrong?
You forgot the packets in the other direction... This should do the trick :
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow tcp from me 22 to any
grtz,
Daan
I have the firewall configured to let anything out. As noted above, I was
able to connect from the server to the client using ssh.
Here's the entirety of /etc/ipfw.rules:
#!/bin/sh
# Andrew L. Gould's firewall rules.
fwcmd=/sbin/ipfw -q
${fwcmd} -f flush
${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00110 deny all from any to 127.0.0.0/8
${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
# Allow specified service requests in
# ssh
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow udp from any to me 22
# irc
${fwcmd} add 00302 allow tcp from any to me 194
${fwcmd} add 00303 allow udp from any to me 194
# auth (ident)
${fwcmd} add 00304 allow tcp from any to me 113
${fwcmd} add 00305 allow udp from any to me 113
# ircd
${fwcmd} add 00310 allow tcp from any to me 6667
# Allow TCP connections that were initiated locally
${fwcmd} add 00400 check-state
${fwcmd} add 00402 allow tcp from any to any out setup keep-state
# Allow DNS and DHCP activities
${fwcmd} add 00500 allow udp from any 53 to any in recv dc0
${fwcmd} add 00501 allow udp from any 67 to any 68 in recv dc0
${fwcmd} add 00502 allow udp from any to any out
# Allow ICMP activities
${fwcmd} add 00600 allow icmp from any to any icmptype 0
${fwcmd} add 00601 allow icmp from any to any icmptype 3
${fwcmd} add 00602 allow icmp from any to any icmptype 4
${fwcmd} add 00603 allow icmp from any to any icmptype 8
${fwcmd} add 00604 allow icmp from any to any icmptype 11 in
${fwcmd} add 00901 deny tcp from any to any in established
${fwcmd} add 65535 deny all from any to any
#
Thanks,
Andrew Gould
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules for letting ssh requests in
Does portmap have to be enabled to connect to sshd? Thanks, Andrew Gould ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules for letting ssh requests in
Andrew L. Gould wrote: Does portmap have to be enabled to connect to sshd? No ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules for letting ssh requests in
On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote:
You forgot the packets in the other direction... This should do the trick :
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow tcp from me 22 to any
grtz,
Daan
It worked.
Thanks,
Andrew Gould
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
On Sat, Oct 26, 2002 at 10:47:48PM +0100, Stacey Roberts wrote: Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: D. Penev [EMAIL PROTECTED] Cc: FreeBSD Questions [EMAIL PROTECTED] Date: 26 Oct 2002 22:47:48 +0100 Hi, Thanks for the reply. I should mention that I've made some progress with my efforts to set up a samba PDC for my Win2K clients. First of all I am now able to successfully complete all tests in the recommended DIAGNOSTICS.TXT at http://hr.uoregon.edu/davidrl/DIAGNOSIS.txt, except:- test 8: On the PC type the command net view \\BIGSERVER Specifically, I am only able to complete this test by using the IP Addr of the samba server in place of its name. Likewise for test 9 that follows. Recapping, I *am* able to serve share dirs to *NIX clients as well as the Win2K boxes, with the caveat that for the Windows boxes, I have to use the IP Addr of the samba server. This is not an issue for other (*NIX) client hosts. Needless to say, I am not as yet able to have the Win2K boxes join the domain as described in Chapter 9. (How to Configure Samba 2.2 as a Primary Domain Controller - 9.4.3. Joining the Client to the Domain.4.3. Joining the Client to the Domain). I still get the MS error when I click OK after entering the domain as defined in smb.conf. Hope this presents somewhat a clearer description of the current status here. Do get back to if you would require more information in assisting me in resolving this. From you description of the problem it's looks like that win2k box can't make resolving of names to ip address. That's why I accent to firewall because according to you logs ipfw block port 137, which is used to resolve NetBIOS names to IP address. I make a little test and block port 137 on my PDC (Samba 2.2.4 on NetBSD) and results are the same as yours. If that is true (blocking of netbios-ns port) you PDC can't register as domain controler, and workstations when is joined to domain can't find who is PDC for this domain. What are you firewall rules? What's show nbtstat -A YOU_SAMBA_SERVER and nbtstat -c on win2k box? Thanks On Sat, 2002-10-26 at 22:26, D. Penev wrote: On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote: Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: Andrew Boothman [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED] Date: 21 Oct 2002 19:33:58 +0100 Hello, I'd appreciate some help from anyone who's got samba 2.2.6 running on FreeBSD as a PDC for Win2K client wkstations, please. I'm trying to following the SAMBA How-To at: http://samba.epfl.ch/samba/docs/Samba-HOWTO-Collection.html#AEN60 but fail at the smbclient -L PDC host stage: # smbclient -L -N Demon added interface ip=192.168.1.8 bcast=192.168.1.255 nmask=255.255.255.0 Packet send failed to 192.168.1.255(137) ERRNO=Permission denied Connection to -N failed # I get these entries in /var/log/security: Oct 21 19:31:08 Demon /kernel: ipfw: 910 Deny UDP My IP:2308 net.255:137 out via sis0 You firewall blocks packets to port 137 (netbios-ns). That's why you can access samba server with ip address and not by name. Please help me out here. Stacey On Mon, 2002-10-21 at 02:32, Andrew Boothman wrote: Stacey Roberts wrote: Hello, I've got 2 WIN2K Pro workstations on my home lan that I'd like to enable network logon for. I've been banging my head against a wall for the last four hours trying to get this sorted, but to no avail. I keep getting the same error when trying to enter the Domain name into the WORKGROUP field in Win2K network properties: The following error occured validating the name my_domainname, This condition may be caused by a DNS lookup problem. For more information about troubleshooting common DNS lookup problems see the following Microsoft blah., blah.., blah.., The specified domain either does not exist or could not be contacted. Have you added machine accounts to the FreeBSD box for the client boxes? You need machine accounts that look like clientname$ (dollar sign at end) added both as local accounts and then again with smbpasswd passing whatever the appropriate switch is to create a machine account. I have a FreeBSD box here acting as a PDC so we should be able to find the problem. Andrew. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com -- Regards, D. Penev To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com -- Regards, D. Penev To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
Hi, Here's the relevant lines in my firewall: 00620 allow udp from any to any 137 keep-state out xmit sis0 00621 allow tcp from any to any 137 keep-state out xmit sis0 00623 allow log logamount 10 tcp from Win2KBox to me 137,138 keep-state in recv sis0 setup 00624 allow udp from any to any 138 keep-state out xmit sis0 00625 allow tcp from any to any 138 keep-state out xmit sis0 The output from nbtstat -A SAMBA_SERVER_IP: Host not found The output from nbtstat -c: No names in cache After running both commands, no new entries in /var/log/security appear for packets issued from Win2K box. Hope this helps. Stacey On Sun, 2002-10-27 at 07:15, D. Penev wrote: On Sat, Oct 26, 2002 at 10:47:48PM +0100, Stacey Roberts wrote: Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: D. Penev [EMAIL PROTECTED] Cc: FreeBSD Questions [EMAIL PROTECTED] Date: 26 Oct 2002 22:47:48 +0100 Hi, Thanks for the reply. I should mention that I've made some progress with my efforts to set up a samba PDC for my Win2K clients. First of all I am now able to successfully complete all tests in the recommended DIAGNOSTICS.TXT at http://hr.uoregon.edu/davidrl/DIAGNOSIS.txt, except:- test 8: On the PC type the command net view \\BIGSERVER Specifically, I am only able to complete this test by using the IP Addr of the samba server in place of its name. Likewise for test 9 that follows. Recapping, I *am* able to serve share dirs to *NIX clients as well as the Win2K boxes, with the caveat that for the Windows boxes, I have to use the IP Addr of the samba server. This is not an issue for other (*NIX) client hosts. Needless to say, I am not as yet able to have the Win2K boxes join the domain as described in Chapter 9. (How to Configure Samba 2.2 as a Primary Domain Controller - 9.4.3. Joining the Client to the Domain.4.3. Joining the Client to the Domain). I still get the MS error when I click OK after entering the domain as defined in smb.conf. Hope this presents somewhat a clearer description of the current status here. Do get back to if you would require more information in assisting me in resolving this. From you description of the problem it's looks like that win2k box can't make resolving of names to ip address. That's why I accent to firewall because according to you logs ipfw block port 137, which is used to resolve NetBIOS names to IP address. I make a little test and block port 137 on my PDC (Samba 2.2.4 on NetBSD) and results are the same as yours. If that is true (blocking of netbios-ns port) you PDC can't register as domain controler, and workstations when is joined to domain can't find who is PDC for this domain. What are you firewall rules? What's show nbtstat -A YOU_SAMBA_SERVER and nbtstat -c on win2k box? Thanks On Sat, 2002-10-26 at 22:26, D. Penev wrote: On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote: Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: Andrew Boothman [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED] Date: 21 Oct 2002 19:33:58 +0100 Hello, I'd appreciate some help from anyone who's got samba 2.2.6 running on FreeBSD as a PDC for Win2K client wkstations, please. I'm trying to following the SAMBA How-To at: http://samba.epfl.ch/samba/docs/Samba-HOWTO-Collection.html#AEN60 but fail at the smbclient -L PDC host stage: # smbclient -L -N Demon added interface ip=192.168.1.8 bcast=192.168.1.255 nmask=255.255.255.0 Packet send failed to 192.168.1.255(137) ERRNO=Permission denied Connection to -N failed # I get these entries in /var/log/security: Oct 21 19:31:08 Demon /kernel: ipfw: 910 Deny UDP My IP:2308 net.255:137 out via sis0 You firewall blocks packets to port 137 (netbios-ns). That's why you can access samba server with ip address and not by name. Please help me out here. Stacey On Mon, 2002-10-21 at 02:32, Andrew Boothman wrote: Stacey Roberts wrote: Hello, I've got 2 WIN2K Pro workstations on my home lan that I'd like to enable network logon for. I've been banging my head against a wall for the last four hours trying to get this sorted, but to no avail. I keep getting the same error when trying to enter the Domain name into the WORKGROUP field in Win2K network properties: The following error occured validating the name my_domainname, This condition may be caused by a DNS lookup problem. For more information about troubleshooting common DNS lookup problems see the following Microsoft blah., blah.., blah.., The specified domain either does not exist or could not be contacted. Have you added machine accounts to the FreeBSD box for the client boxes? You need machine accounts that look like clientname
Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
On Sun, Oct 27, 2002 at 10:50:47AM +, Stacey Roberts wrote: Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: D. Penev [EMAIL PROTECTED] Cc: FreeBSD Questions [EMAIL PROTECTED] Date: 27 Oct 2002 10:50:47 + Hi, Here's the relevant lines in my firewall: 00620 allow udp from any to any 137 keep-state out xmit sis0 00621 allow tcp from any to any 137 keep-state out xmit sis0 Add: 00622 allow udp from Win2KBox to any 137,138 keep-state in recv sis0 00623 allow log logamount 10 tcp from Win2KBox to me 137,138 ^^ use any because win2k use broadcast if you don't have wins server keep-state in recv sis0 setup 00624 allow udp from any to any 138 keep-state out xmit sis0 00625 allow tcp from any to any 138 keep-state out xmit sis0 The output from nbtstat -A SAMBA_SERVER_IP: Host not found The output from nbtstat -c: No names in cache After running both commands, no new entries in /var/log/security appear for packets issued from Win2K box. Hope this helps. Stacey On Sun, 2002-10-27 at 07:15, D. Penev wrote: On Sat, Oct 26, 2002 at 10:47:48PM +0100, Stacey Roberts wrote: Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: D. Penev [EMAIL PROTECTED] Cc: FreeBSD Questions [EMAIL PROTECTED] Date: 26 Oct 2002 22:47:48 +0100 Hi, Thanks for the reply. I should mention that I've made some progress with my efforts to set up a samba PDC for my Win2K clients. First of all I am now able to successfully complete all tests in the recommended DIAGNOSTICS.TXT at http://hr.uoregon.edu/davidrl/DIAGNOSIS.txt, except:- test 8: On the PC type the command net view \\BIGSERVER Specifically, I am only able to complete this test by using the IP Addr of the samba server in place of its name. Likewise for test 9 that follows. Recapping, I *am* able to serve share dirs to *NIX clients as well as the Win2K boxes, with the caveat that for the Windows boxes, I have to use the IP Addr of the samba server. This is not an issue for other (*NIX) client hosts. Needless to say, I am not as yet able to have the Win2K boxes join the domain as described in Chapter 9. (How to Configure Samba 2.2 as a Primary Domain Controller - 9.4.3. Joining the Client to the Domain.4.3. Joining the Client to the Domain). I still get the MS error when I click OK after entering the domain as defined in smb.conf. Hope this presents somewhat a clearer description of the current status here. Do get back to if you would require more information in assisting me in resolving this. From you description of the problem it's looks like that win2k box can't make resolving of names to ip address. That's why I accent to firewall because according to you logs ipfw block port 137, which is used to resolve NetBIOS names to IP address. I make a little test and block port 137 on my PDC (Samba 2.2.4 on NetBSD) and results are the same as yours. If that is true (blocking of netbios-ns port) you PDC can't register as domain controler, and workstations when is joined to domain can't find who is PDC for this domain. What are you firewall rules? What's show nbtstat -A YOU_SAMBA_SERVER and nbtstat -c on win2k box? Thanks On Sat, 2002-10-26 at 22:26, D. Penev wrote: On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote: Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: Andrew Boothman [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED] Date: 21 Oct 2002 19:33:58 +0100 Hello, I'd appreciate some help from anyone who's got samba 2.2.6 running on FreeBSD as a PDC for Win2K client wkstations, please. I'm trying to following the SAMBA How-To at: http://samba.epfl.ch/samba/docs/Samba-HOWTO-Collection.html#AEN60 but fail at the smbclient -L PDC host stage: # smbclient -L -N Demon added interface ip=192.168.1.8 bcast=192.168.1.255 nmask=255.255.255.0 Packet send failed to 192.168.1.255(137) ERRNO=Permission denied Connection to -N failed # I get these entries in /var/log/security: Oct 21 19:31:08 Demon /kernel: ipfw: 910 Deny UDP My IP:2308 net.255:137 out via sis0 You firewall blocks packets to port 137 (netbios-ns). That's why you can access samba server with ip address and not by name. Please help me out here. Stacey On Mon, 2002-10-21 at 02:32, Andrew Boothman wrote: Stacey Roberts wrote: Hello, I've got 2 WIN2K Pro workstations on my home lan that I'd like to enable network logon for. I've been banging my head against a wall for the last four hours trying to get this sorted, but to no avail. I keep getting the same error when trying to enter
Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
Hi, I've got a break-through.., I've been testing with new ipfw options and now I'm able to get past entering the Domain and clicking OK. Now I am getting the Password to log into Domain dialogue box appear. This is the amended rule that appears to make this work: $fwcmd add 00622 allow log udp from $oip to me 137-139 in via $oif $fwcmd add 00624 allow udp from any to any 137-139 out via $oif However, for now, I'm getting: The specified user does not exist when I enter [root] and [root's samba passwd] Any thoughts? Don't think I'm not appreciating your patient efforts to assist me. Cheers! Stacey On Sun, 2002-10-27 at 17:56, D. Penev wrote: On Sun, Oct 27, 2002 at 10:50:47AM +, Stacey Roberts wrote: Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: D. Penev [EMAIL PROTECTED] Cc: FreeBSD Questions [EMAIL PROTECTED] Date: 27 Oct 2002 10:50:47 + Hi, Here's the relevant lines in my firewall: 00620 allow udp from any to any 137 keep-state out xmit sis0 00621 allow tcp from any to any 137 keep-state out xmit sis0 Add: 00622 allow udp from Win2KBox to any 137,138 keep-state in recv sis0 00623 allow log logamount 10 tcp from Win2KBox to me 137,138 ^^ use any because win2k use broadcast if you don't have wins server keep-state in recv sis0 setup 00624 allow udp from any to any 138 keep-state out xmit sis0 00625 allow tcp from any to any 138 keep-state out xmit sis0 The output from nbtstat -A SAMBA_SERVER_IP: Host not found The output from nbtstat -c: No names in cache After running both commands, no new entries in /var/log/security appear for packets issued from Win2K box. Hope this helps. Stacey On Sun, 2002-10-27 at 07:15, D. Penev wrote: On Sat, Oct 26, 2002 at 10:47:48PM +0100, Stacey Roberts wrote: Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: D. Penev [EMAIL PROTECTED] Cc: FreeBSD Questions [EMAIL PROTECTED] Date: 26 Oct 2002 22:47:48 +0100 Hi, Thanks for the reply. I should mention that I've made some progress with my efforts to set up a samba PDC for my Win2K clients. First of all I am now able to successfully complete all tests in the recommended DIAGNOSTICS.TXT at http://hr.uoregon.edu/davidrl/DIAGNOSIS.txt, except:- test 8: On the PC type the command net view \\BIGSERVER Specifically, I am only able to complete this test by using the IP Addr of the samba server in place of its name. Likewise for test 9 that follows. Recapping, I *am* able to serve share dirs to *NIX clients as well as the Win2K boxes, with the caveat that for the Windows boxes, I have to use the IP Addr of the samba server. This is not an issue for other (*NIX) client hosts. Needless to say, I am not as yet able to have the Win2K boxes join the domain as described in Chapter 9. (How to Configure Samba 2.2 as a Primary Domain Controller - 9.4.3. Joining the Client to the Domain.4.3. Joining the Client to the Domain). I still get the MS error when I click OK after entering the domain as defined in smb.conf. Hope this presents somewhat a clearer description of the current status here. Do get back to if you would require more information in assisting me in resolving this. From you description of the problem it's looks like that win2k box can't make resolving of names to ip address. That's why I accent to firewall because according to you logs ipfw block port 137, which is used to resolve NetBIOS names to IP address. I make a little test and block port 137 on my PDC (Samba 2.2.4 on NetBSD) and results are the same as yours. If that is true (blocking of netbios-ns port) you PDC can't register as domain controler, and workstations when is joined to domain can't find who is PDC for this domain. What are you firewall rules? What's show nbtstat -A YOU_SAMBA_SERVER and nbtstat -c on win2k box? Thanks On Sat, 2002-10-26 at 22:26, D. Penev wrote: On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote: Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: Andrew Boothman [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED] Date: 21 Oct 2002 19:33:58 +0100 Hello, I'd appreciate some help from anyone who's got samba 2.2.6 running on FreeBSD as a PDC for Win2K client wkstations, please. I'm trying to following the SAMBA How-To at: http://samba.epfl.ch/samba/docs/Samba-HOWTO-Collection.html#AEN60 but fail at the smbclient -L PDC host stage: # smbclient -L -N Demon
Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote: Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: Andrew Boothman [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED] Date: 21 Oct 2002 19:33:58 +0100 Hello, I'd appreciate some help from anyone who's got samba 2.2.6 running on FreeBSD as a PDC for Win2K client wkstations, please. I'm trying to following the SAMBA How-To at: http://samba.epfl.ch/samba/docs/Samba-HOWTO-Collection.html#AEN60 but fail at the smbclient -L PDC host stage: # smbclient -L -N Demon added interface ip=192.168.1.8 bcast=192.168.1.255 nmask=255.255.255.0 Packet send failed to 192.168.1.255(137) ERRNO=Permission denied Connection to -N failed # I get these entries in /var/log/security: Oct 21 19:31:08 Demon /kernel: ipfw: 910 Deny UDP My IP:2308 net.255:137 out via sis0 You firewall blocks packets to port 137 (netbios-ns). That's why you can access samba server with ip address and not by name. Please help me out here. Stacey On Mon, 2002-10-21 at 02:32, Andrew Boothman wrote: Stacey Roberts wrote: Hello, I've got 2 WIN2K Pro workstations on my home lan that I'd like to enable network logon for. I've been banging my head against a wall for the last four hours trying to get this sorted, but to no avail. I keep getting the same error when trying to enter the Domain name into the WORKGROUP field in Win2K network properties: The following error occured validating the name my_domainname, This condition may be caused by a DNS lookup problem. For more information about troubleshooting common DNS lookup problems see the following Microsoft blah., blah.., blah.., The specified domain either does not exist or could not be contacted. Have you added machine accounts to the FreeBSD box for the client boxes? You need machine accounts that look like clientname$ (dollar sign at end) added both as local accounts and then again with smbpasswd passing whatever the appropriate switch is to create a machine account. I have a FreeBSD box here acting as a PDC so we should be able to find the problem. Andrew. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com -- Regards, D. Penev To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
Hi, Thanks for the reply. I should mention that I've made some progress with my efforts to set up a samba PDC for my Win2K clients. First of all I am now able to successfully complete all tests in the recommended DIAGNOSTICS.TXT at http://hr.uoregon.edu/davidrl/DIAGNOSIS.txt, except:- test 8: On the PC type the command net view \\BIGSERVER Specifically, I am only able to complete this test by using the IP Addr of the samba server in place of its name. Likewise for test 9 that follows. Recapping, I *am* able to serve share dirs to *NIX clients as well as the Win2K boxes, with the caveat that for the Windows boxes, I have to use the IP Addr of the samba server. This is not an issue for other (*NIX) client hosts. Needless to say, I am not as yet able to have the Win2K boxes join the domain as described in Chapter 9. (How to Configure Samba 2.2 as a Primary Domain Controller - 9.4.3. Joining the Client to the Domain.4.3. Joining the Client to the Domain). I still get the MS error when I click OK after entering the domain as defined in smb.conf. Hope this presents somewhat a clearer description of the current status here. Do get back to if you would require more information in assisting me in resolving this. Thanks On Sat, 2002-10-26 at 22:26, D. Penev wrote: On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote: Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts [EMAIL PROTECTED] To: Andrew Boothman [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED] Date: 21 Oct 2002 19:33:58 +0100 Hello, I'd appreciate some help from anyone who's got samba 2.2.6 running on FreeBSD as a PDC for Win2K client wkstations, please. I'm trying to following the SAMBA How-To at: http://samba.epfl.ch/samba/docs/Samba-HOWTO-Collection.html#AEN60 but fail at the smbclient -L PDC host stage: # smbclient -L -N Demon added interface ip=192.168.1.8 bcast=192.168.1.255 nmask=255.255.255.0 Packet send failed to 192.168.1.255(137) ERRNO=Permission denied Connection to -N failed # I get these entries in /var/log/security: Oct 21 19:31:08 Demon /kernel: ipfw: 910 Deny UDP My IP:2308 net.255:137 out via sis0 You firewall blocks packets to port 137 (netbios-ns). That's why you can access samba server with ip address and not by name. Please help me out here. Stacey On Mon, 2002-10-21 at 02:32, Andrew Boothman wrote: Stacey Roberts wrote: Hello, I've got 2 WIN2K Pro workstations on my home lan that I'd like to enable network logon for. I've been banging my head against a wall for the last four hours trying to get this sorted, but to no avail. I keep getting the same error when trying to enter the Domain name into the WORKGROUP field in Win2K network properties: The following error occured validating the name my_domainname, This condition may be caused by a DNS lookup problem. For more information about troubleshooting common DNS lookup problems see the following Microsoft blah., blah.., blah.., The specified domain either does not exist or could not be contacted. Have you added machine accounts to the FreeBSD box for the client boxes? You need machine accounts that look like clientname$ (dollar sign at end) added both as local accounts and then again with smbpasswd passing whatever the appropriate switch is to create a machine account. I have a FreeBSD box here acting as a PDC so we should be able to find the problem. Andrew. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com -- Regards, D. Penev To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com signature.asc Description: This is a digitally signed message part
Re: ipfw rules
- Original Message - From: Grant Cooper [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, October 11, 2002 5:10 PM Subject: Re: ipfw rules I am having the same problem. I now just allow ftp from certain IP address's. But doesn't the second rule, # /sbin/upfw 10001 allow tco from any 1024-65535 to any 1024-65535 setup keep-state kind of beat's the purpose of a firewall. That's a lot of open ports. I thought IPFW had a way to remember the ports opened by ftp and creates rules dynamically based on the ports opened buy ftp. You're thinking of the punch firewall option in natd. If you're using the ftpd that comes with FBSD, you will see in the man page that the default port range is 49152-65535 so as I understand it, you do not need to open ports 1024-49151 as they will not be used. I am also told one can further limit the port range used by the default ftpd by modifying these sysctl vars: net.inet.ip.portrange.hifirst: 49152 net.inet.ip.portrange.hilast: 65535 However I have not actually tried this. I don't know if there's any significant security advantage in limiting the port range further as I have not seen any discussion on this. But I would suspect that it certainly wouldn't hurt to limit the port range to the number of expected concurrent ftp sessions, thus closing off more ports. Anyone else reading this, please correct me if I am mistaken. Thanks, Drew - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 11, 2002 3:33 PM Subject: re: ipfw rules i was finally able to get ftp (using passive ftp) to work through our firewall. these are the rules I had to add: # /sbin/ipfw 1 allow tcp from any 1024-65535 to any 21 out setup keep-state # /sbin/upfw 10001 allow tco from any 1024-65535 to any 1024-65535 setup keep-state the first rule (1) allows our server to connect via any high port to any server out there on port 21(ftp). this is to initiate the 'control connection'. the second rule (10001) allows anyone to connect via high ports to and from our server. this is for the data transfer part. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
re: ipfw rules
I am able to use cvsup with our firewall. The problem is when actually trying to install the software using the make command since the make command tries to fetch the source tarball from a remote server using ftp. If you have a proxy server running, try putting FETCH_ENV variable into /etc/make.conf (see /etc/defaults/make.conf for example) -- Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/ * If it wasn't for C, we'd be using BASI, PASAL and OBOL! To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: ipfw rules
At 05:52 PM 10.10.2002 -0400, [EMAIL PROTECTED] wrote: Could anyone please tell me what ipfw rules need to be set in order to allow software installation through the ports collection? I tried adding a rule to allow ftp outbound and although I can ftp out, I still cannot fetch the source tarball when using the make command in /usr/ports. What else needs to be open for the make command to work? Thank you, Michelle I believe it likes to use port 5999 for cvsuping. Best regards, Jack L. Stone, Administrator SageOne Net http://www.sage-one.net [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
re: ipfw rules
On Thursday, October 10, 2002, at 03:06 PM, Jack L. Stone wrote: At 05:52 PM 10.10.2002 -0400, [EMAIL PROTECTED] wrote: Could anyone please tell me what ipfw rules need to be set in order to allow software installation through the ports collection? I tried adding a rule to allow ftp outbound and although I can ftp out, I still cannot fetch the source tarball when using the make command in /usr/ports. What else needs to be open for the make command to work? Thank you, Michelle I believe it likes to use port 5999 for cvsuping. I am able to use cvsup with our firewall. The problem is when actually trying to install the software using the make command since the make command tries to fetch the source tarball from a remote server using ftp. I cannot get ftp to dowload data through our firewall. Is it possible to use the make command without opening up our firewall completely or is it best to put the source tarballs in /usr/ports/distfiles manually? To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
