small fanless mini-pc for home router/firewall?

2013-05-08 Thread firm...@gmail.com
What is the best option out there for a mini-pc to run FreeBSD as a home
router/firewall?  (needs to have 2 nic's)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: small fanless mini-pc for home router/firewall?

2013-05-08 Thread C. P. Ghost
On Wed, May 8, 2013 at 4:10 PM, firm...@gmail.com firm...@gmail.com wrote:

 What is the best option out there for a mini-pc to run FreeBSD as a home
 router/firewall?  (needs to have 2 nic's)


I had some pretty good experiences with older Soekris models (net-4801)
acting as fanless routers and little servers (DHCP, NFS, lighttpd, etc...).

http://soekris.com/products/net4801.html

I don't know how well their newer products run on FreeBSD though,
especially after the switch to clang. Others on this list may be able
to add their experiences.

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


Re: small fanless mini-pc for home router/firewall?

2013-05-08 Thread Peter Boosten


On 8 May 2013 at 16:24, C. P. Ghost cpgh...@cordula.ws wrote:

 On Wed, May 8, 2013 at 4:10 PM, firm...@gmail.com firm...@gmail.com wrote:
 
 What is the best option out there for a mini-pc to run FreeBSD as a home
 router/firewall?  (needs to have 2 nic's)
 
 I had some pretty good experiences with older Soekris models (net-4801)
 acting as fanless routers and little servers (DHCP, NFS, lighttpd, etc...).
 
 http://soekris.com/products/net4801.html
 
 I don't know how well their newer products run on FreeBSD though,
 especially after the switch to clang. Others on this list may be able
 to add their experiences.
 
 -cpghost.
 
 

I had some serious performance problems running M0n0wall on a 4801. These were 
solved by replacing it with a 5501. But otherwise perfect hardware. 

Peter


Re: small fanless mini-pc for home router/firewall?

2013-05-08 Thread Arthur Chance

On 05/08/13 15:10, firm...@gmail.com wrote:

What is the best option out there for a mini-pc to run FreeBSD as a home
router/firewall?  (needs to have 2 nic's)


I use an alix2d3 running embedded pfSense as a 3 NIC (WAN, LAN, DMZ) 
router. If you only need 2 NICs go for the alix2d2. You can also add two 
mini-PCI WiFi cards to the 2d2 (or one to the 2d3) should you want WiFi 
as well.


http://www.pcengines.ch/alix.htm

I think you can get these from a supplier in the US as well, but someone 
else will have to tell you who.


--
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
were cruel and delighted in torturing spelling and grammar.

_Lord of the Rings 2.0, the Web Edition_


Re: small fanless mini-pc for home router/firewall?

2013-05-08 Thread Arthur Chance

On 05/08/13 15:48, Arthur Chance wrote:

On 05/08/13 15:10, firm...@gmail.com wrote:

What is the best option out there for a mini-pc to run FreeBSD as a home
router/firewall?  (needs to have 2 nic's)


I use an alix2d3 running embedded pfSense as a 3 NIC (WAN, LAN, DMZ)
router. If you only need 2 NICs go for the alix2d2. You can also add two
mini-PCI WiFi cards to the 2d2 (or one to the 2d3) should you want WiFi
as well.

http://www.pcengines.ch/alix.htm

I think you can get these from a supplier in the US as well, but someone
else will have to tell you who.


As soon as I sent that I noticed the shop link on the Alix page gives 
you a list of providers round the world. They've expanded their outlets 
a lot since I bought mine.


--
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
were cruel and delighted in torturing spelling and grammar.

_Lord of the Rings 2.0, the Web Edition_


Re: small fanless mini-pc for home router/firewall?

2013-05-08 Thread Zyumbilev, Peter
Hi,

I currently run this one:

http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-desktop-and-wallmountable/opnsense-pfsense-appliance.html

with pfSense 2 (it is FreeBSD too)

Works great :)

The only problem I see so far is that when I push it at 90+ Mb/s it starts to
have issues with load, but if you do not plan on such high speeds it works like a
charm. Kind of expensive though...

Peter

On 08/05/2013 17:10, firm...@gmail.com wrote:
 What is the best option out there for a mini-pc to run FreeBSD as a home
 router/firewall?  (needs to have 2 nic's)


Re: small fanless mini-pc for home router/firewall?

2013-05-08 Thread dweimer

On 05/08/2013 9:10 am, firm...@gmail.com wrote:
What is the best option out there for a mini-pc to run FreeBSD as a 
home

router/firewall?  (needs to have 2 nic's)


You might want to look at the pfSense project, it works great for this use: 
embedded FreeBSD with web configuration.  http://www.pfsense.org They 
have a hardware page on the website with links to vendors where you can 
get some complete kits and do-it-yourself assembly and installation for 
around $200 (using PC Engines Alix boards), or for a little more, 
pre-assembled and installed systems.


I have been running it at my house and 3 installations at work for well 
over a year, on the Alix platforms.  Performance and stability have been 
great, though the Alix platform does lack memory and processor for doing 
much more than routing/DHCP/firewall/IPsec.  I used one of the 
do-it-yourself kits at my house, and used pre-assembled and installed setups 
for work; the big difference is writing the image to the compact flash 
yourself.  Assembly is so simple it might as well not be called 
assembly.


If you are wanting IPsec, do pay attention to the throughput on 
the Alix systems and what you have available on your bandwidth; the 
same would likely go for any of the low-powered fanless systems. They 
should all handle routing/firewall just fine for whatever bandwidth you 
likely have, but once you start getting into 15 Mbit/s and up these 
smaller boards will likely struggle with IPsec.


--
Thanks,
Dean E. Weimer
http://www.dweimer.net/


How to manually start firewall after system completed boot.

2013-04-17 Thread Joe
I have a special-purpose situation where I need to wait until the boot 
process has completed the starting of the system and then start the 
firewall (ipfw or pf). Commenting out the firewall statements from the 
host's /etc/rc.conf does stop the firewall from starting at boot time.


Is there some format of the service command that could be used to 
manually start the selected firewall?


Any ideas on how to accomplish this are welcome.

Thanks


How to manually start firewall after system completed boot.

2013-04-17 Thread Robert Huff

Joe writes:

  I have a special-purpose situation where I need to wait until the boot 
  process has completed the starting of the system and then start the 
  firewall (ipfw or pf). Commenting out the firewall statements from the 
  host's /etc/rc.conf does stop the firewall from starting at boot time.
  
  Is there some format of the service command that could be used to 
  manually start the selected firewall?
  
  Any ideas on how to accomplish this are welcome.

The boot process, as used here, is simply a series of calls
to various scripts in /etc/rc.d ... any of which can (theoretically)
be invoked by itself.  The details of this may be important;
_please_ do more research before blowing yourself up.  :-)


Robert Huff




Re: How to manually start firewall after system completed boot.

2013-04-17 Thread Patrick Lamaiziere
On Wed, 17 Apr 2013 08:25:46 -0400, Joe fb...@a1poweruser.com wrote:

Hello,

 I have a special-purpose situation where I need to wait until the boot 
 process has completed the starting of the system and then start the 
 firewall (ipfw or pf). Commenting out the firewall statements from
 the host's /etc/rc.conf does stop the firewall from starting at boot
 time.
 
 Is there some format of the service command that could be used to 
 manually start the selected firewall?

You can use onestart/onestop if the service is not enabled in rc.conf.

service pf onestart
or /etc/rc.d/pf onestart

Regards


Re: How to manually start firewall after system completed boot.

2013-04-17 Thread Polytropon
On Wed, 17 Apr 2013 08:25:46 -0400, Joe wrote:
 Is there some format of the service command that could be used to 
 manually start the selected firewall?

How about the rc.d framework?

# /etc/rc.d/ipfw start

Or

# service ipfw start

Both will honor the firewall_type= setting in /etc/rc.conf
(here: for IPFW).

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
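The two replies above cover different cases, and a script that runs after boot has to know which one applies: rc.d refuses `service pf start` (and `service ipfw start`) when the enabling knob in /etc/rc.conf is not set to YES, which is exactly the state Joe describes after commenting the lines out, while `onestart` runs the rc.d script regardless of the knob. What follows is an added example, not from this thread, of a late-start helper that reads the knob from an rc.conf-style file, picks the right verb, and then confirms the firewall is really up rather than trusting a silent no-op. The knob names (firewall_enable, pf_enable, ipfilter_enable) are FreeBSD's own; the script path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): start a FreeBSD firewall from a script
# that runs late, e.g. /etc/rc.local, choosing the rc.d verb that will work.
# rc.d refuses "service pf start" unless pf_enable=YES is set in rc.conf;
# "onestart" runs the script regardless of that knob.
# Assumed: FreeBSD knob names firewall_enable (ipfw), pf_enable, ipfilter_enable.

# Map a firewall name to the rc.conf variable that enables it.
fw_enable_var() {
    case "$1" in
        ipfw)     echo firewall_enable ;;
        pf)       echo pf_enable ;;
        ipfilter) echo ipfilter_enable ;;
        *)        echo "unknown firewall: $1" >&2; return 1 ;;
    esac
}

# Print YES or NO for the knob in an rc.conf-style file ($1) for firewall $2.
# Like rc.subr: commented-out lines are ignored, the last assignment wins,
# quotes and a trailing comment are stripped, yes/true/on/1 count as enabled.
fw_enabled() {
    var=$(fw_enable_var "$2") || return 1
    val=$(awk -v var="$var" '
        /^[ \t]*#/ { next }
        $0 ~ ("^[ \t]*" var "=") { v = $0; sub(/^[^=]*=/, "", v) }
        END { sub(/#.*/, "", v); gsub(/[" \t]/, "", v); print toupper(v) }
    ' "$1")
    case "$val" in
        YES|TRUE|ON|1) echo YES ;;
        *)             echo NO ;;
    esac
}

# "start" when rc.conf enables the firewall, otherwise "onestart".
fw_start_verb() {
    state=$(fw_enabled "$1" "$2") || return 1
    if [ "$state" = YES ]; then echo start; else echo onestart; fi
}

# Start the firewall and verify it is filtering; a no-op here would leave
# the host without a packet filter for the rest of its uptime.
fw_start() {
    fw=$1; rcconf=${2:-/etc/rc.conf}
    verb=$(fw_start_verb "$rcconf" "$fw") || return 1
    service "$fw" "$verb" || return 1
    case "$fw" in
        pf)       pfctl -s info | grep -q '^Status: Enabled' ;;
        ipfw)     ipfw list >/dev/null ;;
        ipfilter) ipf -V | grep -q '^Running: yes' ;;
    esac
}

# usage from /etc/rc.local (assumed path):  /usr/local/sbin/fw_late.sh pf
if [ $# -gt 0 ]; then fw_start "$@"; fi
```

Be clear about what this buys: from the moment the network interfaces come up until this script runs, the host has no packet filter at all. If the special-purpose job only needs the final rules to be loaded late, the tighter arrangement is to leave pf_enable="YES" with a small default-deny /etc/pf.conf and swap in the full ruleset afterwards with `pfctl -f /etc/pf.late.conf`.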


Re: openbsd packet firewall

2012-09-07 Thread Andreas Rudisch
On Thu, 6 Sep 2012 23:41:44 -0400 (EDT)
Darrel levi...@iglou.com wrote:

 Packet Filter does not work 

Hi,

you might want to give more information other than that.

Andreas
--
GnuPG key  : 0x2A573565|http://www.gnupg.org/howtos/de/
Fingerprint: 925D 2089 0BF9 8DE5 9166  33BB F0FD CD37 2A57 3565


Re: openbsd packet firewall

2012-09-07 Thread Fbsd8

Darrel wrote:

Hello,

When I moved from -fbsd82 to -fbsd90 it required a total reinstall since 
Packet Filter did not *work* any longer.  Now that I have moved from 
-fbsd90 to the new release candidate, Packet Filter does not work 
considering at least IPv6 and ssh.


I have tested a simple pf.conf on this system with the same result.
It seems like I will need to learn ipfw or give up on fbsd.

Darrel





pf is way back-level in FreeBSD; the online OpenBSD pf manual is at the 
current pf level and uses the newer syntax for the nat function. You 
have to use the FreeBSD pf man pages for correctly matching documentation.

You can always use ipf (ipfilter) instead of ipfw.


Re: openbsd packet firewall

2012-09-07 Thread Darrel


On Fri, 7 Sep 2012, Fbsd8 wrote:


Darrel wrote:

Hello,

When I moved from -fbsd82 to -fbsd90 it required a total reinstall since 
Packet Filter did not *work* any longer.  Now that I have moved from 
-fbsd90 to the new release candidate, Packet Filter does not work 
considering at least IPv6 and ssh.


I have tested a simple pf.conf on this system with the same result.
It seems like I will need to learn ipfw or give up on fbsd.

Darrel





pf is way back-level in FreeBSD; the online OpenBSD pf manual is at the 
current pf level and uses the newer syntax for the nat function. You have to 
use the FreeBSD pf man pages for correctly matching documentation.

You can always use ipf (ipfilter) instead of ipfw.



thanks for your kind response.

darrel


Re: openbsd packet firewall

2012-09-07 Thread Darrel


On Fri, 7 Sep 2012, Andreas Rudisch wrote:


On Thu, 6 Sep 2012 23:41:44 -0400 (EDT)
Darrel levi...@iglou.com wrote:


Packet Filter does not work


Hi,

you might want to give more information other than that.



When I updated from fbsd82 to fbsd90 using buildworld, buildkernel, 
installkernel, reboot, installworld, mergemaster, and make check-old, then 
packet filter simply did not load.  Others on the list had the same 
problem.  I do not recall if it was specific to amd64.


Now that I have updated from fbsd90 to fbsd91rc, IPv6 of packet filter is 
broken.  I cannot connect to IPv6 services.  nmap run against the machine 
reports per usual with the -4 flag and using the -6 flag reports no open ports. 
ssh and auth should be open.  I substituted a very simple pf.conf and got 
the same result.


I think that there is no troubleshooting to be done, but if you want 
further information then I will send it.


darrel


Re: openbsd packet firewall

2012-09-07 Thread Polytropon
On Fri, 7 Sep 2012 09:00:27 -0400 (EDT), Darrel wrote:
 when I updated from fbsd82 to fbsd90 using buildworld, buildkernel, 
 installkernel, reboot, installworld, mergemaster, and make check-old, then 
 packet filter simply did not load. 

That's not 100% the procedure. Please refer to the comment
header of /usr/src/Makefile for the full description. It should
also be mentioned in The FreeBSD Handbook.

 1.  `cd /usr/src'   (or to the directory containing your source tree).
 2.  `make buildworld'
 3.  `make buildkernel KERNCONF=YOUR_KERNEL_HERE' (default is GENERIC).
 4.  `make installkernel KERNCONF=YOUR_KERNEL_HERE'   (default is GENERIC).
  [steps 3. & 4. can be combined by using the kernel target]
 5.  `reboot'(in single user mode: boot -s from the loader prompt).
 6.  `mergemaster -p'
 7.  `make installworld'
 8.  `make delete-old'
 9.  `mergemaster'(you may wish to use -i, along with -U or -F).
10.  `reboot'
11.  `make delete-old-libs' (in case no 3rd party program uses them anymore)

The proper use of mergemaster and the two delete* targets
seems to be different from your description.





-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: openbsd packet firewall

2012-09-07 Thread Darrel


On Fri, 7 Sep 2012, Polytropon wrote:


On Fri, 7 Sep 2012 09:00:27 -0400 (EDT), Darrel wrote:

when I updated from fbsd82 to fbsd90 using buildworld, buildkernel,
installkernel, reboot, installworld, mergemaster, and make check-old, then
packet filter simply did not load.


That's not 100% the procedure. Please refer to the comment
header of /usr/src/Makefile for the full description. It should
also be mentioned in The FreeBSD Handbook.

1.  `cd /usr/src'   (or to the directory containing your source tree).
2.  `make buildworld'
3.  `make buildkernel KERNCONF=YOUR_KERNEL_HERE' (default is GENERIC).
4.  `make installkernel KERNCONF=YOUR_KERNEL_HERE'   (default is GENERIC).
 [steps 3. & 4. can be combined by using the kernel target]
5.  `reboot'(in single user mode: boot -s from the loader prompt).
6.  `mergemaster -p'
7.  `make installworld'
8.  `make delete-old'
9.  `mergemaster'(you may wish to use -i, along with -U or -F).
10.  `reboot'
11.  `make delete-old-libs' (in case no 3rd party program uses them anymore)

The proper use of mergemaster and the two delete* targets
seems to be different from your description.


You are correct, of course.  Actually that is what I have been doing, 
except that I have been running 'make delete-old' after mergemaster. 
Also, I have been deleting /usr/obj/* before 'cd /usr/src' and after 'cd 
/usr/src' running 'make cleandir && make cleandir'.


Thanks for the clarification.

Darrel


openbsd packet firewall

2012-09-06 Thread Darrel

Hello,

When I moved from -fbsd82 to -fbsd90 it required a total reinstall since 
Packet Filter did not *work* any longer.  Now that I have moved from 
-fbsd90 to the new release candidate, Packet Filter does not work 
considering at least IPv6 and ssh.


I have tested a simple pf.conf on this system with the same result.
It seems like I will need to learn ipfw or give up on fbsd.

Darrel


packet filter problem on transparent firewall using bridge and pf

2012-06-20 Thread ProAce
I have some trouble with pf on a FreeBSD bridge.

Network topology:
( untrust ) -- { em0 , bridge0 , em1 } -- ( trust )

Bridge Network: 10.1.1.0/24
bridge0 IP: 10.1.1.1 ( freebsd's ip )
default gw: 10.1.1.254 ( in untrust area )
server: 10.1.1.101 ~ 200 ( in trust area )

pf.conf on freebsd
   serv1 = "10.1.1.101"
   client1 = "10.1.6.73"
   block in all
   block out all
   pass in quick on lo0 all
   pass out quick on lo0 all
   pass in quick on bridge0 from 10.1.1.0/24 to any
   pass out quick on bridge0 from 10.1.1.0/24 to any
   pass in quick on bridge0 from $client1 to 10.1.1.1
   pass in quick on bridge0 from $client1 to $serv1

When I turn on pf, I test some connections:
1. client1 cannot connect to serv1.
2. gw cannot connect to serv1.
3. client1 connects to freebsd ( 10.1.1.1 ) successfully.
4. gw connects to freebsd ( 10.1.1.1 ) successfully.

If I turn off pf, all connection tests succeed.
What's wrong with the pf rules?



The following is some description of the bridge topology.

FreeBSD and the servers are VMware guests in VMware ESXi.

The ESXi has two virtual switches,
   vSw1: connects to untrust
   vSw2: interconnects freebsd and the servers

freebsd has two vNICs,
   em0: connected to vSw1
   em1: connected to vSw2.

The servers have only one vNIC,
   em0: connected to vSw2

freebsd's rc.conf
   cloned_interfaces="bridge0"
   ifconfig_bridge0="inet 10.1.1.1 netmask 255.255.255.0 addm em0 addm em1 up"
   ifconfig_em0="up"
   ifconfig_em1="up"
   pf_enable="YES"
   pf_rules="/etc/pf.conf"

freebsd's sysctl
   net.link.bridge.ipfw: 0
   net.link.bridge.inherit_mac: 0
   net.link.bridge.log_stp: 0
   net.link.bridge.pfil_local_phys: 0
   net.link.bridge.pfil_member: 1
   net.link.bridge.pfil_bridge: 1
   net.link.bridge.ipfw_arp: 0
   net.link.bridge.pfil_onlyip: 1
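No reply to this post survives on the page, so what follows is an added example, not the poster's or anyone else's from the thread. The posted sysctls are the key to the four test results. With net.link.bridge.pfil_member=1, every forwarded frame is run through pf on em0 and em1 as well as on bridge0, and for those two interfaces the ruleset has nothing but "block in all" / "block out all"; with pfil_local_phys=0, packets addressed to 10.1.1.1 itself skip filtering on the members. That is exactly the pattern observed: only the bridge's own address reachable, nothing forwarded. The script below turns member filtering off so that pf sees each packet once, on bridge0, and carries the same policy as the posted rules, made stateful. The addresses are the ones from the post; the file path and the rule wording are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): filter a FreeBSD if_bridge on the
# bridge interface only. With net.link.bridge.pfil_member=1 every forwarded
# frame is also run through pf on em0/em1, where the posted ruleset has only
# "block in all"/"block out all"; pfil_local_phys=0 lets packets addressed to
# 10.1.1.1 skip the members, which is why only that address stayed reachable.
# Addresses are from the post; PFCONF path is assumed.

PFCONF=${PFCONF:-/etc/pf.conf}

# sysctls that make pf see each packet once, on bridge0; persist them in
# /etc/sysctl.conf as well or a reboot brings the old behaviour back
bridge_pfil_sysctls() {
    printf '%s\n' \
        net.link.bridge.pfil_bridge=1 \
        net.link.bridge.pfil_member=0 \
        net.link.bridge.pfil_onlyip=1
}

# The ruleset: same intent as the posted one, written for bridge0, stateful.
bridge_pf_conf() {
    cat <<'EOF'
bridge_if = "bridge0"
lan_net   = "10.1.1.0/24"
serv1     = "10.1.1.101"
client1   = "10.1.6.73"

set skip on lo0
block log all

# hosts on 10.1.1.0/24 (trusted side and the gateway) may talk to anything;
# the state entry lets the replies back through the same bridge
pass in quick on $bridge_if from $lan_net to any keep state
pass out quick on $bridge_if from $lan_net to any keep state

# the single outside client may reach the firewall itself and serv1
pass in quick on $bridge_if from $client1 to 10.1.1.1 keep state
pass in quick on $bridge_if from $client1 to $serv1 keep state
EOF
}

# Write, syntax-check, then load. Never load a ruleset pfctl could not
# parse: a failed load keeps whatever was there before, possibly nothing.
bridge_pf_apply() {
    bridge_pf_conf > "$PFCONF" || return 1
    pfctl -nf "$PFCONF" || return 1
    bridge_pfil_sysctls | while read -r kv; do sysctl "$kv"; done
    pfctl -f "$PFCONF" && { pfctl -e 2>/dev/null || true; }
    pfctl -s rules
}

# usage:  sh bridge_pf.sh apply
if [ "${1:-}" = apply ]; then bridge_pf_apply; fi
```

If filtering on the member interfaces is wanted after all (for instance, different policy for frames arriving from the untrusted side than from the trusted side), keep pfil_member=1 and write explicit rules "on em0" and "on em1"; the point is only that with member filtering on, rules that name bridge0 alone never see the forwarded traffic.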


Re: Firewall, blocking POP3

2012-06-03 Thread Derek Ragona

At 07:18 PM 5/30/2012, Robert Bonomi wrote:

 From jbiq...@intranet.com.mx  Wed May 30 13:48:05 2012
 Date: Wed, 30 May 2012 13:47:34 -0500
 To: Robert Bonomi bon...@mail.r-bonomi.com
 From: Jorge Biquez jbiq...@intranet.com.mx
 Subject: Re: Firewall, blocking POP3
 Cc: freebsd-questions@freebsd.org

 Hello.

 Thanks a lot!. Simple and elegant solution.

 I just did that and of course it worked. I was just wondering...
 what if I need to have the service working BUT want to block those
 break-in attempts? In this and other services?
 My guess is that it is a never-ending process? I mean, block one,
 block another, another, etc?

If one knows the address-blocks that legitimate customers will be using,
one can block off access from 'everywhere else'.

 What are the people who have big servers running for hosting services
 doing? Or do you just have a policy of strong passwords, server
 up-to-date and let the attempts go on forever?

There are tools like 'fail2ban' that can be used to lock out persistent
doorknob-rattlers.

Also, one can do things like allow mail access (POP, IMAP, 'whatever')
only via a port that is 'tunneled' through an SSH/SSL connection.

This eliminates almost all doorknob rattling on the mail access ports,
but gets lots of attempts on the SSH port.  Which is generally not a
problem, since the SSH keyspace is vastly larger, and more evenly
distributed, than that for plaintext passwords.

To eliminate virtually all the 'noise' from SSH doorknob-rattling, run
it on a non-standard port.  This does =not= increase the actual security
of the system, but it does greatly reduce the 'noise' in the logs -- so
any actual attack attempt is much more obvious.



You can use /etc/hosts.allow to list your friendly IP's allowed by 
protocol.  This provides an easy way to block all foreign users.  You can 
use wildcards in this file, so if you need to allow users in for POP access 
from an ISP, you can do that.


Also, if you do have wide array of addresses you need to let in, you may 
want to put the email services in a jail.


-Derek



Firewall, blocking POP3

2012-05-30 Thread Jorge Biquez

Hello all.

I am sorry if the question is too basic.

I have a personal small machine running

FreeBSD 7.3-PRERELEASE #0:

It runs as my web and email server for a couple of domains. No clients 
or other users have access to it.


Is there any easy/fast way to stop POP3 from working? I am 
running qpopper to be able to download emails.
I decided to use sendmail since only a few accounts are there and I 
do not need more, but in the last days the server has been under a big 
attack where people are trying to guess users and passwords. I am 
using a strong password scheme so no problem on that, but I would rather 
be sure.


I was thinking on the following options.

- Stopping the service, port 110 to respond and open it everytime I 
want to download email.
- Install a firewall and block all the IP's but they are trying from 
a lot different ones.
- Maybe changing the port for pop3 and change all my devices to use 
another port?


In case I need to start from zero and install a newer version I can 
do it, no problem at all, but I am not sure if that helps to do things 
an easier way.
Maybe install a completely different scheme of sending/receiving email 
(perhaps do not use sendmail to send, change to postfix and use IMAP 
instead of POP3). Would that help?


Thank in advance for all your comments and help.

Jorge Biquez



Re: Firewall, blocking POP3

2012-05-30 Thread Robert Bonomi
 From owner-freebsd-questi...@freebsd.org  Wed May 30 13:16:37 2012
 Date: Wed, 30 May 2012 13:08:30 -0500
 To: freebsd-questions@freebsd.org
 From: Jorge Biquez jbiq...@intranet.com.mx
 Cc: 
 Subject: Firewall, blocking POP3 

 Hello all.

 I am sorry if the question is too basic.

 I have a personal small machine running

 FreeBSD 7.3-PRERELEASE #0:

 It runs as my web and email server for a couple of domains. No clients 
 or other users have access to it.

 Is there any easy/fast way to stop POP3 from working? I am 
 running qpopper to be able to download emails.
 I decided to use sendmail since only a few accounts are there and I 
 do not need more, but in the last days the server has been under a big 
 attack where people are trying to guess users and passwords. I am 
 using a strong password scheme so no problem on that, but I would rather 
 be sure.

The mail -server- you use is irrelevant to how users retrieve mail.
You can use sendmail and qpopper, or sendmail and an IMAP server, or
sendmail and a webmail app, or postfix and qpopper, or exim and qpopper,
etc.


All you have to do to disable qpopper is comment out its line in 
/etc/inetd.conf, and SIGHUP inetd.

To re-enable when you need it, uncomment the line, and SIGHUP inetd again.





Re: Firewall, blocking POP3

2012-05-30 Thread Jorge Biquez

Hello.

Thanks a lot!. Simple and elegant solution.

I just did that and of course it worked. I was just wondering... 
what if I need to have the service working BUT want to block those 
break-in attempts? In this and other services?
My guess is that it is a never-ending process? I mean, block one, 
block another, another, etc?


What are the people who have big servers running for hosting services 
doing? Or do you just have a policy of strong passwords, server 
up-to-date and let the attempts go on forever?


Thanks for the solution Mr Robert.

Jorge Biquez



At 01:32 p.m. 30/05/2012, Robert Bonomi wrote:

 From owner-freebsd-questi...@freebsd.org  Wed May 30 13:16:37 2012
 Date: Wed, 30 May 2012 13:08:30 -0500
 To: freebsd-questions@freebsd.org
 From: Jorge Biquez jbiq...@intranet.com.mx
 Cc:
 Subject: Firewall, blocking POP3

 Hello all.

 I am sorry if the question is too basic.

 I have a personal small machine running

 FreeBSD 7.3-PRERELEASE #0:

 It runs as my web and email server for a couple of domains. No clients
 or other users have access to it.

 Is there any easy/fast way to stop POP3 from working? I am
 running qpopper to be able to download emails.
 I decided to use sendmail since only a few accounts are there and I
 do not need more, but in the last days the server has been under a big
 attack where people are trying to guess users and passwords. I am
 using a strong password scheme so no problem on that, but I would rather
 be sure.

The mail -server- you use is irrelevant to how users retrieve mail.
You can use sendmail and qpopper, or sendmail and an IMAP server, or
sendmail and a webmail app, or postfix and qpopper, or exim and qpopper,
etc.


All you have to do to disable qpopper is comment out its line in
/etc/inetd.conf, and SIGHUP inetd.

To re-enable when you need it, uncomment the line, and SIGHUP inetd again.




Re: Firewall, blocking POP3

2012-05-30 Thread Patrick
See /usr/ports/security/py-fail2ban (http://www.fail2ban.org/). Used
in conjunction with FreeBSD's ipfw or pf firewall facility, you can
ban an attacking IP address for a set period of time after a
configurable amount of failed attempts. Fail2ban watches your log
files for you and then triggers some sort of action -- which can
really be anything you can conceive of.

Patrick


On Wed, May 30, 2012 at 11:47 AM, Jorge Biquez jbiq...@intranet.com.mx wrote:
 Hello.

 Thanks a lot!. Simple and elegant solution.

 I just did that and of course it worked. I was just wondering... what if
 I need to have the service working BUT want to block those break-in attempts? In
 this and other services?
 My guess is that it is a never-ending process? I mean, block one, block
 another, another, etc?

 What are the people who have big servers running for hosting services doing?
 Or do you just have a policy of strong passwords, server up-to-date and let the
 attempts go on forever?

 Thanks for the solution Mr Robert.

 Jorge Biquez




 At 01:32 p.m. 30/05/2012, Robert Bonomi wrote:

  From owner-freebsd-questi...@freebsd.org  Wed May 30 13:16:37 2012
  Date: Wed, 30 May 2012 13:08:30 -0500
  To: freebsd-questions@freebsd.org
  From: Jorge Biquez jbiq...@intranet.com.mx
  Cc:
  Subject: Firewall, blocking POP3
 
  Hello all.
 
  I am sorry if the question is too basic.
 
  I have a personal small machine running
 
      FreeBSD 7.3-PRERELEASE #0:
 
  It runs as my web and email server for a couple of domains. No clients
  or other users have access to it.
 
  Is there any easy/fast way to stop POP3 from working? I am
  running qpopper to be able to download emails.
  I decided to use sendmail since only a few accounts are there and I
  do not need more, but in the last days the server has been under a big
  attack where people are trying to guess users and passwords. I am
  using a strong password scheme so no problem on that, but I would rather
  be sure.

 The mail -server- you use is irrelevant to how users retrieve mail.
 You can use sendmail and qpopper, or sendmail and an IMAP server, or
 sendmail and a webmail app, or postfix and qpopper, or exim and qpopper,
 etc.


 All you have to do to disable qpopper is comment out its line in
 /etc/inetd.conf, and SIGHUP inetd.

 To re-enable when you need it, uncomment the line, and SIGHUP inetd again.


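Robert's and Patrick's fail2ban suggestion amounts to a loop: watch the log, count failures per source address, push the offenders into the firewall, and let them out again later. As an added example, not from the thread, here is that loop in POSIX sh and awk driving a pf table, so the mechanism is visible without installing the port. The sshd line format is the real one; the qpopper-style line, the log path and the allow-list address are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): the core of what fail2ban does, in
# one awk pass, tied to a pf table. It counts authentication failures per
# source address in a log file and bans addresses that cross a threshold.
# Assumed log shapes (constructed for this example): sshd's real
# "Failed password for ... from A.B.C.D" and a hypothetical qpopper-style
# "login failed for user X from A.B.C.D". Addresses in ALLOW are never banned,
# so a mistyped password from your own workstation cannot lock you out.

ALLOW=${ALLOW:-"192.0.2.10"}     # assumed: your own address(es), space separated
TABLE=${TABLE:-bruteforce}       # pf table name, matches the pf.conf below

# offenders LOGFILE THRESHOLD -> one IPv4 address per line, sorted
offenders() {
    awk -v max="$2" -v allow=" $ALLOW " '
        tolower($0) ~ /(failed|authentication failure)/ {
            # first dotted quad after "from"; lines without one are ignored
            if (match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($0, RSTART + 5, RLENGTH - 5)
                if (index(allow, " " ip " ") == 0) n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= max) print ip }
    ' "$1" | sort
}

# Ban by adding to the pf table. /etc/pf.conf needs:
#     table <bruteforce> persist
#     block in quick from <bruteforce>
# and a cron job running "pfctl -t bruteforce -T expire 3600" to unban later.
ban_offenders() {
    offenders "$1" "$2" | while read -r ip; do
        pfctl -t "$TABLE" -T add "$ip"
    done
}

# usage (assumed log path):  ban_offenders /var/log/auth.log 5
```

Two simplifications to be aware of relative to fail2ban: this counts over the whole file rather than within a time window, so run it from cron against the current log and rely on `-T expire` for the window, and it keys on the source address, so a single attacker rotating addresses is handled only in the sense that each address is banned on its own. It also does nothing about Robert's other point: the noise stays in the logs for as long as the service is reachable from everywhere, which is why the hosts.allow or address-block approach is the cheaper fix when the legitimate client addresses are known.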


Re: Firewall, blocking POP3

2012-05-30 Thread Robert Bonomi
 From jbiq...@intranet.com.mx  Wed May 30 13:48:05 2012
 Date: Wed, 30 May 2012 13:47:34 -0500
 To: Robert Bonomi bon...@mail.r-bonomi.com
 From: Jorge Biquez jbiq...@intranet.com.mx
 Subject: Re: Firewall, blocking POP3
 Cc: freebsd-questions@freebsd.org

 Hello.

 Thanks a lot!. Simple and elegant solution.

 I just did that and of course it worked. I was just wondering... 
 what if I need to have the service working BUT want to block those 
 break-in attempts? In this and other services?
 My guess is that it is a never-ending process? I mean, block one, 
 block another, another, etc?

If one knows the address-blocks that legitimate customers will be using,
one can block off access from 'everywhere else'.

 What are the people who have big servers running for hosting services 
 doing? Or do you just have a policy of strong passwords, server 
 up-to-date and let the attempts go on forever?

There are tools like 'fail2ban' that can be used to lock out persistent
doorknob-rattlers.

Also, one can do things like allow mail access (POP, IMAP, 'whatever')
only via a port that is 'tunneled' through an SSH/SSL connection.

This eliminates almost all doorknob rattling on the mail access ports,
but gets lots of attempts on the SSH port.  Which is generally not a
problem, since the SSH keyspace is vastly larger, and more evenly
distributed, than that for plaintext passwords.

To eliminate virtually all the 'noise' from SSH doorknob-rattling, run
it on a non-standard port.  This does =not= increase the actual security
of the system, but it does greatly reduce the 'noise' in the logs -- so
any actual attack attempt is much more obvious.
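As an added illustration of the fail2ban-style lockout mentioned above (this is not code from the thread, nor from fail2ban itself), here is the core of that decision in POSIX sh and awk: count failed POP3 logins per source address and report any address that reaches N failures inside a time window. The log lines are constructed for the example and their message format is an assumption, not qpopper's real syslog output; the threshold and window values are assumptions too.

```shell
#!/bin/sh
# Added example: fail2ban-style "who has been rattling the doorknob" check.
# Input is a block of syslog-style lines; output is the offending source
# addresses, one per line, ready to feed into a pf or ipfw table.

# Constructed sample log. The "Failed login attempt: user=... from <ip>"
# wording is an assumption for the example, not qpopper's actual format.
SAMPLE_LOG='May 30 13:40:01 mx popper[1234]: Failed login attempt: user=bob from 203.0.113.7
May 30 13:40:03 mx popper[1234]: Failed login attempt: user=alice from 203.0.113.7
May 30 13:40:05 mx popper[1234]: Failed login attempt: user=root from 203.0.113.7
May 30 13:40:06 mx popper[1235]: Failed login attempt: user=admin from 203.0.113.7
May 30 13:40:07 mx popper[1235]: Failed login attempt: user=test from 203.0.113.7
May 30 13:41:00 mx popper[1236]: Failed login attempt: user=bob from 198.51.100.4
May 30 13:41:30 mx popper[1237]: Login OK: user=bob from 198.51.100.4
May 30 13:52:00 mx popper[1238]: Failed login attempt: user=bob from 192.0.2.9
May 30 13:58:00 mx popper[1238]: Failed login attempt: user=bob from 192.0.2.9
May 30 14:05:00 mx popper[1238]: Failed login attempt: user=bob from 192.0.2.9
May 30 14:12:00 mx popper[1238]: Failed login attempt: user=bob from 192.0.2.9
May 30 14:20:00 mx popper[1238]: Failed login attempt: user=bob from 192.0.2.9'

# offenders LOGTEXT MAXFAIL WINDOW_SECONDS
# Prints every source address that has MAXFAIL or more failures within some
# WINDOW_SECONDS span (a sliding window over that address's failure times).
# Timestamps are assumed to fall on one day, which is what a per-day logfile gives.
offenders() {
    printf '%s\n' "$1" | awk -v maxfail="$2" -v window="$3" '
        BEGIN { maxfail += 0; window += 0 }
        /Failed login attempt/ {
            split($3, t, ":")                      # $3 is HH:MM:SS
            secs = t[1] * 3600 + t[2] * 60 + t[3]  # seconds since midnight
            ip = $NF                               # last field is the source address
            n[ip]++
            ts[ip, n[ip]] = secs
        }
        END {
            for (ip in n)
                # does any run of maxfail consecutive failures fit in the window?
                for (i = maxfail; i <= n[ip]; i++)
                    if (ts[ip, i] - ts[ip, i - maxfail + 1] <= window) {
                        print ip
                        break
                    }
        }' | sort
}

# 5 failures inside 10 minutes: only the fast guesser qualifies; the slow one
# (five tries spread over 28 minutes) does not, which is the point of the window.
offenders "$SAMPLE_LOG" 5 600    # prints 203.0.113.7
```

Feeding the output to `pfctl -t bruteforce -T add` (or an ipfw table) is the blocking half; whether the slow guesser should also be caught is a policy decision, and widening the window (3600 seconds here) is how the script expresses it.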




SV: pf firewall and ftp

2012-04-16 Thread Hasse Hansson
To solve the ftp pre 4.7 part, you can start reading here
http://home.nuug.no/~peter/pf/en/long-firewall.html#FTPPROBLEM

/Hasse
-Original message-
From: owner-freebsd-questi...@freebsd.org
[mailto:owner-freebsd-questi...@freebsd.org] On behalf of Fbsd8
Sent: 16 April 2012 04:31
To: FreeBSD Questions; FreeBSD Current; FreeBSD doc
Subject: Re: pf firewall and ftp

Fbsd8 wrote:
 Running 9.0 as a gateway host with pf firewall enabled.
 FTP is launched by inetd.
 Both active and passive ftp work from lan pc's to the host ftp.
 The lan ftp session can be initiated from the host or any lan pc and
 things work because there are no rules on the lan interface except a
 single pass all rule.

 But I cannot do host initiated or lan initiated ftp sessions to the
 public internet. I get an "operation not permitted" message. Tried to set up
 ftp-proxy per the openbsd pf manual without any joy.

 Looking for a working rule set with nat and ftp services to study and
 learn from.

 
 

OK I have uncovered what the problem is.
The pf version running on Freebsd 9.0 matches the version running on openbsd
4.5. Found it in man pf at the end.

The documentation on the Openbsd website for pf is for Openbsd 5.0 and it
has a warning saying "NOTE: This information is for OpenBSD 4.7. NAT
configuration was significantly different in earlier versions."
http://pf4freebsd.love2party.net/ has more info about how backdated the
9.0 Freebsd production version of pf is.

The Freebsd handbook had a detailed section on pf including rules examples
matching the version of pf included with 9.0, but someone allowed it to be
removed in the current version of the handbook.

So here we are with an outdated version of pf in the current production
9.0 version of Freebsd and there is no documentation available on nat rule
syntax in the handbook or at openbsd/pf.

Going to dig through the 9.0 pf man pages for the info.




Re: SV: pf firewall and ftp

2012-04-16 Thread Denny Lin
On Mon, Apr 16, 2012 at 09:39:38AM +0200, Hasse Hansson wrote:
 To solve the ftp pre 4.7 part, you can start reading here
 http://home.nuug.no/~peter/pf/en/long-firewall.html#FTPPROBLEM
 
 /Hasse
 -Original message-
 From: owner-freebsd-questi...@freebsd.org
 [mailto:owner-freebsd-questi...@freebsd.org] On behalf of Fbsd8
 Sent: 16 April 2012 04:31
 To: FreeBSD Questions; FreeBSD Current; FreeBSD doc
 Subject: Re: pf firewall and ftp
 
 Fbsd8 wrote:
  Running 9.0 as a gateway host with pf firewall enabled.
  FTP is launched by inetd.
  Both active and passive ftp work from lan pc's to the host ftp.
  The lan ftp session can be initiated from the host or any lan pc and
  things work because there are no rules on the lan interface except a
  single pass all rule.

  But I cannot do host initiated or lan initiated ftp sessions to the
  public internet. I get an "operation not permitted" message. Tried to set up
  ftp-proxy per the openbsd pf manual without any joy.

  Looking for a working rule set with nat and ftp services to study and
  learn from.
 
  
  
 
 OK I have uncovered what the problem is.
 The pf version running on Freebsd 9.0 matches the version running on openbsd
 4.5. Found it in man pf at the end.

 The documentation on the Openbsd website for pf is for Openbsd 5.0 and it
 has a warning saying "NOTE: This information is for OpenBSD 4.7. NAT
 configuration was significantly different in earlier versions."
 http://pf4freebsd.love2party.net/ has more info about how backdated the
 9.0 Freebsd production version of pf is.

 The Freebsd handbook had a detailed section on pf including rules examples
 matching the version of pf included with 9.0, but someone allowed it to be
 removed in the current version of the handbook.

 So here we are with an outdated version of pf in the current production
 9.0 version of Freebsd and there is no documentation available on nat rule
 syntax in the handbook or at openbsd/pf.

The version of PF in FreeBSD corresponds to the one in OpenBSD 4.5.

There are old versions of the OpenBSD PF FAQ on mirrors:
http://ftp2.eu.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.pdf
http://ftp2.eu.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.txt

 Going to dig through the 9.0 pf man pages for the info.

The rules should also be documented in the man pages.

-- 
Denny Lin


Re: pf firewall and ftp

2012-04-16 Thread David Walker
There are also web-available manuals for probably every release of OpenBSD here:
http://www.openbsd.org/cgi-bin/man.cgi

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&manpath=OpenBSD+4.5


pf firewall and ftp

2012-04-15 Thread Fbsd8

Running 9.0 as a gateway host with pf firewall enabled.
FTP is launched by inetd.
Both active and passive ftp work from lan pc's to the host ftp.
The lan ftp session can be initiated from the host or any lan pc and
things work because there are no rules on the lan interface except a
single pass all rule.

But I cannot do host initiated or lan initiated ftp sessions to the
public internet. I get an "operation not permitted" message. Tried to set up
ftp-proxy per the openbsd pf manual without any joy.

Looking for a working rule set with nat and ftp services to study and
learn from.



Re: pf firewall and ftp

2012-04-15 Thread Fbsd8

Fbsd8 wrote:

Running 9.0 as a gateway host with pf firewall enabled.
FTP is launched by inetd.
Both active and passive ftp work from lan pc's to the host ftp.
The lan ftp session can be initiated from the host or any lan pc and
things work because there are no rules on the lan interface except a
single pass all rule.

But I cannot do host initiated or lan initiated ftp sessions to the
public internet. I get an "operation not permitted" message. Tried to set up
ftp-proxy per the openbsd pf manual without any joy.

Looking for a working rule set with nat and ftp services to study and
learn from.






OK I have uncovered what the problem is.
The pf version running on Freebsd 9.0 matches the version running on
openbsd 4.5. Found it in man pf at the end.

The documentation on the Openbsd website for pf is for Openbsd 5.0 and
it has a warning saying "NOTE: This information is for OpenBSD 4.7. NAT
configuration was significantly different in earlier versions."
http://pf4freebsd.love2party.net/ has more info about how backdated the
9.0 Freebsd production version of pf is.

The Freebsd handbook had a detailed section on pf including rules
examples matching the version of pf included with 9.0, but someone
allowed it to be removed in the current version of the handbook.

So here we are with an outdated version of pf in the current production
9.0 version of Freebsd and there is no documentation available on nat
rule syntax in the handbook or at openbsd/pf.

Going to dig through the 9.0 pf man pages for the info.
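For readers hitting the same gap, here is the pre-4.7 form of a NAT gateway with ftp-proxy, written as an added example for this thread (it is not Fbsd8's ruleset, not the handbook's, and not the FAQ's text). It follows the anchor layout the OpenBSD 4.5 PF FAQ describes for ftp-proxy(8); the interface names em0 (ISP side) and em1 (LAN side) and the use of ftp-proxy's default listener on 127.0.0.1:8021 are assumptions.

```pf
# /etc/pf.conf for the pf in FreeBSD 9.0 (OpenBSD 4.5-era syntax).
# Assumed: em0 faces the ISP, em1 faces the LAN, ftp-proxy(8) runs with
# its defaults (rc.conf: pf_enable="YES", ftpproxy_enable="YES").
ext_if = "em0"
int_if = "em1"
lan    = $int_if:network
proxy  = "127.0.0.1"

set skip on lo0
scrub in all

# Pre-4.7 NAT is a standalone translation rule evaluated before the filter
# rules (4.7+ folded it into "match ... nat-to"). ($ext_if) follows the
# interface address if it changes.
nat on $ext_if from $lan to any -> ($ext_if)

# ftp-proxy inserts its per-session nat/rdr/pass rules into these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand LAN clients' FTP control connections to the proxy. "rdr pass" also
# passes the redirected connection, so no extra filter rule is needed.
rdr pass on $int_if proto tcp from $lan to any port ftp -> $proxy port 8021

# Filter section: default deny on the public side, then the proxy's rules.
block in log on $ext_if all
anchor "ftp-proxy/*"

# The LAN side stays open, as in the original setup.
pass in  quick on $int_if all keep state
pass out quick on $int_if all keep state

# Stateful outbound on the public side covers the proxy's connections to
# remote FTP servers and the gateway's own client traffic.
pass out on $ext_if proto { tcp udp icmp } all keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading; `pfctl -vnf` prints the expanded rules, which is the quickest way to see the nat and rdr lines the way this pf version understands them. For FTP started on the gateway itself there is no proxy in the path, so use passive mode: the data connection is then also outbound and is covered by the last rule, whereas active mode would need the remote server's inbound data connection allowed through the `block in`.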




Re: pf firewall rule numbers

2012-04-12 Thread Fbsd8

Mike Tancsa wrote:

On 4/11/2012 8:34 PM, Fbsd8 wrote:

In the pf log I see the rule number of the rule used to create the log
file entry. The pfctl -sr command does not list the rule number of each rule
it lists.


Hi,

Try pfctl -sr -vv

---Mike



Thanks, the -vv printed the rule number with the rule.


pf firewall rule numbers

2012-04-11 Thread Fbsd8
In the pf log I see the rule number of the rule used to create the log
file entry. The pfctl -sr command does not list the rule number of each rule
it lists.


So my question is how do I relate the rule number shown in the log 
listing back to the text rule file rules?



Re: pf firewall rule numbers

2012-04-11 Thread Mike Tancsa
On 4/11/2012 8:34 PM, Fbsd8 wrote:
 In the pf log I see the rule number of the rule used to create the log
 file entry. The pfctl -sr command does not list the rule number of each rule
 it lists.

Hi,

Try pfctl -sr -vv

---Mike

-- 
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


bridge firewall in virtualbox not passing traffic after upgrade to stable/9

2012-01-17 Thread Peter
Hello,
  Was running 8.2 and virtualbox 3 - wiped Freebsd 8.2, installed 9.0,
installed latest virtualbox port 4.0.14 and the networking broke in my
vms.

Setup I had:

{vm1,vm2,etc}--- vbox internal network - em2[firewall VM]em1 --
re0[physical box]--ISP

the firewall vm has this:
ifconfig_em0='172.20.6.210/24'
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em1 addm em2 up"
ifconfig_em1="up"
ifconfig_em2="up"

Firewall vm has this setup:
nic1 - bridge re0
nic2 - bridge re0
nic3 - internal network

The VMs are still on 8.2, the only change was virtualbox from 3 to 4.0.14
and host system fresh install of stable/9.

vboxnet is loaded. If I change the VMs to just bridge re0, they are able
to get out; if I put them on the internal network, nothing gets out.

internal networking works because without bridge and just setting static
IP on vm1 and firewall vm em2, they talk without problem.

]Peter[
  it can't be this hard.



Re: bridge firewall in virtualbox not passing traffic after upgrade to stable/9

2012-01-17 Thread Peter
 Hello,
   Was running 8.2 and virtualbox 3 - wiped Freebsd 8.2, installed 9.0,
 installed latest virtualbox port 4.0.14 and the networking broke in my
 vms.

 Setup I had:

 {vm1,vm2,etc}--- vbox internal network - em2[firewall VM]em1 --
 re0[physical box]--ISP

 the firewall vm has this:
 ifconfig_em0='172.20.6.210/24'
 cloned_interfaces="bridge0"
 ifconfig_bridge0="addm em1 addm em2 up"
 ifconfig_em1="up"
 ifconfig_em2="up"

 Firewall vm has this setup:
 nic1 - bridge re0
 nic2 - bridge re0
 nic3 - internal network

 The VMs are still on 8.2, the only change was virtualbox from 3 to 4.0.14
 and host system fresh install of stable/9.

 vboxnet is loaded. If I change the VMs to just bridge re0, they are able
 to get out; if I put them on the internal network, nothing gets out.

 internal networking works because without bridge and just setting static
 IP on vm1 and firewall vm em2, they talk without problem.

 ]Peter[
   it can't be this hard.

Just a follow up with more info.

Set up 2 VMs booting from the 9 release CD using the live system option.
Host system is stable/9, vbox 4.0.14:
Per the handbook, set up bridging on firewall_vm that has no IP and only
two interfaces [em0 - external, and em1 - internal networking]
http://www.freebsd.org/doc/handbook/network-bridging.html

On client_vm, em0 is connected to internal network and should pass through
that bridge, but I get nothing:

client_vm - internal network - em1[bridge vm]em0 - internet

]Peter[
  on bridge vm, doing dhclient bridge0 gets nothing, doing dhclient em0
gets IP






solved - bridge firewall in virtualbox not passing traffic after upgrade to stable/9

2012-01-17 Thread Peter
 Hello,
   Was running 8.2 and virtualbox 3 - wiped Freebsd 8.2, installed 9.0,
 installed latest virtualbox port 4.0.14 and the networking broke in my
 vms.

 Setup I had:

 {vm1,vm2,etc}--- vbox internal network - em2[firewall VM]em1 --
 re0[physical box]--ISP

 the firewall vm has this:
 ifconfig_em0='172.20.6.210/24'
 cloned_interfaces="bridge0"
 ifconfig_bridge0="addm em1 addm em2 up"
 ifconfig_em1="up"
 ifconfig_em2="up"

 Firewall vm has this setup:
 nic1 - bridge re0
 nic2 - bridge re0
 nic3 - internal network

 The VMs are still on 8.2, the only change was virtualbox from 3 to
 4.0.14
 and host system fresh install of stable/9.

 vboxnet is loaded. If I change the VMs to just bridge re0, they are able
 to get out; if I put them on the internal network, nothing gets out.

 internal networking works because without bridge and just setting static
 IP on vm1 and firewall vm em2, they talk without problem.

 ]Peter[
   it can't be this hard.

 Just a follow up with more info.

 Set up 2 VMs booting from the 9 release CD using the live system option.
 Host system is stable/9, vbox 4.0.14:
 Per the handbook, set up bridging on firewall_vm that has no IP and only
 two interfaces [em0 - external, and em1 - internal networking]
 http://www.freebsd.org/doc/handbook/network-bridging.html

 On client_vm, em0 is connected to internal network and should pass through
 that bridge, but I get nothing:

 client_vm - internal network - em1[bridge vm]em0 - internet

 ]Peter[
   on bridge vm, doing dhclient bridge0 gets nothing, doing dhclient em0
 gets IP



Another follow up and solution:

Virtualbox lost default promiscuous mode on version 4.0.6 and that option
did not appear under 'modifyvm' until 4.1.8. Followed this forum post and
used the vbox internal 'setextradata' to fix my firewall VM to allow
promiscuous mode.

https://forums.virtualbox.org/viewtopic.php?f=7t=41036

For me that was:
VBoxManage setextradata chernogorsk.pknet.net \
    "VBoxInternal/Devices/e1000/0/LUN#0/Config/IfPolicyPromisc" allow-all
VBoxManage setextradata chernogorsk.pknet.net \
    "VBoxInternal/Devices/e1000/1/LUN#0/Config/IfPolicyPromisc" allow-all
VBoxManage setextradata chernogorsk.pknet.net \
    "VBoxInternal/Devices/e1000/2/LUN#0/Config/IfPolicyPromisc" allow-all

or modify the config file for the vm:
  <ExtraDataItem name="VBoxInternal/Devices/e1000/0/LUN#0/Config/IfPolicyPromisc" value="allow-all"/>
  <ExtraDataItem name="VBoxInternal/Devices/e1000/1/LUN#0/Config/IfPolicyPromisc" value="allow-all"/>
  <ExtraDataItem name="VBoxInternal/Devices/e1000/2/LUN#0/Config/IfPolicyPromisc" value="allow-all"/>

That allowed the nics to pass all data and turns off mac security. In
Vbox 4.1.8 [on Windows] that option is in the GUI; it was pure luck that I
decided to upgrade my 4.1.2 to 4.1.8 for further testing and that option
appeared.

]Peter[
  ahh, all the little hidden internals of vbox...



issue with IPF firewall state tables

2011-11-06 Thread Murray Taylor

Back Story:

Old Server (X32 system, probably FreeBSD 4.3-ish) 
New Server (Dual core, X64 with plenty of RAM) running 8.1-RELEASE

New Server was put in production last night as a core router, with 
the same rc.conf, firewall rule set and config from the old router 
that has been working for years.

At around 12 Lunchtime we had reports of no internet connectivity, 
I've jumped onto the router and seen that it is blocking a whole 
heap of internal to external DNS server traffic, along with other 
would-be allowed traffic.

I promptly flushed the firewall ruleset with ipf -Fa, and noted 
that the rules did clear - Issue still existing.
I re-loaded the rule set, no change.
Upon restart, the router began to behave itself again...

I have been using ipfstat -ts | grep active to get a count of 
state entries, and comparing to the 4013 default.

We are sitting on around ~2000 state entries. I am aware I can 
flush the state table, but until the router breaks itself again, 
I cannot clear it.

Does this sound like a full state table? Am I using the best 
method to check? Is there any form of notification that this 
is happening anywhere?


-- 
Murray Taylor
Bytecraft Systems
Special Projects Engineer

P: +61 3 8710 0600
D: +61 3 9238 5168
F: +61 3 9238 5140

 |_|0|_|Absence of evidence
 |_|_|0|is not evidence of absence
 |0|0|0|Carl Sagan



 


Re: easy Firewall setup

2011-07-31 Thread Antonio Olivares
 A Is there an easy firewall setup available somewhere (like the one
 A referenced below but for FreeBSD)?

   Here's a script you can use to generate a rules file for IPF.

 --

Karl,

I have used your script and it generated a nice ipf.rules file for me

/* ipf.rules */
quadcore# cat /etc/ipf.rules
# Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
#
# NAME:
#/etc/ipf.rules
#
# DESCRIPTION:
#Ruleset for IPF packet filter.
#
# AUTHOR:
#Antonio Olivares olivares14...@gmail.com

# 
# We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
block in quick on msk0 proto udp  from any to any port = 68
block in quick on msk0 proto udp  from any to any port = 137
block in quick on msk0 proto udp  from any to any port = 138
block in quick on msk0 proto igmp from any to any

# 
# Now block everything coming down the network.
block in  log  on msk0 all
block out log  on msk0 all

# 
# Get rid of anything with options, as these can be used to hack.
block in  log quick from any to any with ipopts

# 
# Get rid of short TCP/IP fragments (too small for valid comparison)
# as these can be used to hack.
block in  log quick proto tcp from any to any with short

# 
# Allow all traffic on loopback.
pass  in  quick on lo0 all
pass  out quick on lo0 all

# 
# Block all the private routable addresses, as these should never
# come down the network, nor should we be talking to them.
block out quick on msk0 from any   to 192.168.0.0/16
block out quick on msk0 from any   to 172.16.0.0/12
block out quick on msk0 from any   to 127.0.0.0/8
block out quick on msk0 from any   to 10.0.0.0/8
block out quick on msk0 from any   to 0.0.0.0/8
block out quick on msk0 from any   to 169.254.0.0/16
block out quick on msk0 from any   to 192.0.2.0/24
block out quick on msk0 from any   to 204.152.64.0/23
block out quick on msk0 from any   to 224.0.0.0/3

block in  quick on msk0 from 192.168.0.0/16to any
block in  quick on msk0 from 172.16.0.0/12 to any
block in  quick on msk0 from 10.0.0.0/8to any
block in  quick on msk0 from 127.0.0.0/8   to any
block in  quick on msk0 from 0.0.0.0/8 to any
block in  quick on msk0 from 169.254.0.0/16to any
block in  quick on msk0 from 192.0.2.0/24  to any
block in  quick on msk0 from 204.152.64.0/23   to any
block in  quick on msk0 from 224.0.0.0/3   to any

# 
# Block and log portmapper attempts.
block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state

# 
# Allow outbound state related packets.
pass  out quick on msk0 proto tcp from any to any flags S keep state
pass  out quick on msk0 proto udp from any to any keep state

# 
# Allow ping and traceroute.  Since we're doing everything quick,
# we must have passes before blocks.
pass  in quick on msk0 proto icmp from any to any icmp-type  0 keep state
pass  in quick on msk0 proto icmp from any to any icmp-type  8 keep state
pass  in quick on msk0 proto icmp from any to any icmp-type 11 keep state
pass out quick on msk0 proto icmp from any to any icmp-type  0 keep state
pass out quick on msk0 proto icmp from any to any icmp-type  8 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
block in log quick on msk0 proto icmp from any to any

# 
# Allow DNS; should this be just from nameservers?
pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
pass in quick on msk0 proto udp from any to any port = 53 keep state

# 
# Allow ssh and mail from anywhere: tcpserver filters addresses
pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state

# 
# Allow http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 80 flags S keep state

# 
# Allow secure http from selected addresses.
pass in quick on msk0 proto

Re: easy Firewall setup

2011-07-31 Thread Antonio Olivares
On Sun, Jul 31, 2011 at 11:15 AM, Antonio Olivares
olivares14...@gmail.com wrote:
 A Is there an easy firewall setup available somewhere (like the one
 A referenced below but for FreeBSD)?

   Here's a script you can use to generate a rules file for IPF.

 --

 Karl,

 I have used your script and it generated a nice ipf.rules file for me

 /* ipf.rules */
 quadcore# cat /etc/ipf.rules
 # Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
 #
 # NAME:
 #    /etc/ipf.rules
 #
 # DESCRIPTION:
 #    Ruleset for IPF packet filter.
 #
 # AUTHOR:
 #    Antonio Olivares olivares14...@gmail.com

 # 
 # We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
 block in quick on msk0 proto udp  from any to any port = 68
 block in quick on msk0 proto udp  from any to any port = 137
 block in quick on msk0 proto udp  from any to any port = 138
 block in quick on msk0 proto igmp from any to any

 # 
 # Now block everything coming down the network.
 block in  log  on msk0 all
 block out log  on msk0 all

 # 
 # Get rid of anything with options, as these can be used to hack.
 block in  log quick     from any to any with ipopts

 # 
 # Get rid of short TCP/IP fragments (too small for valid comparison)
 # as these can be used to hack.
 block in  log quick proto tcp from any to any with short

 # 
 # Allow all traffic on loopback.
 pass  in  quick on lo0 all
 pass  out quick on lo0 all

 # 
 # Block all the private routable addresses, as these should never
 # come down the network, nor should we be talking to them.
 block out quick on msk0 from any               to 192.168.0.0/16
 block out quick on msk0 from any               to 172.16.0.0/12
 block out quick on msk0 from any               to 127.0.0.0/8
 block out quick on msk0 from any               to 10.0.0.0/8
 block out quick on msk0 from any               to 0.0.0.0/8
 block out quick on msk0 from any               to 169.254.0.0/16
 block out quick on msk0 from any               to 192.0.2.0/24
 block out quick on msk0 from any               to 204.152.64.0/23
 block out quick on msk0 from any               to 224.0.0.0/3

 block in  quick on msk0 from 192.168.0.0/16    to any
 block in  quick on msk0 from 172.16.0.0/12     to any
 block in  quick on msk0 from 10.0.0.0/8        to any
 block in  quick on msk0 from 127.0.0.0/8       to any
 block in  quick on msk0 from 0.0.0.0/8         to any
 block in  quick on msk0 from 169.254.0.0/16    to any
 block in  quick on msk0 from 192.0.2.0/24      to any
 block in  quick on msk0 from 204.152.64.0/23   to any
 block in  quick on msk0 from 224.0.0.0/3       to any

 # 
 # Block and log portmapper attempts.
 block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state

 # 
 # Allow outbound state related packets.
 pass  out quick on msk0 proto tcp from any to any flags S keep state
 pass  out quick on msk0 proto udp from any to any keep state

 # 
 # Allow ping and traceroute.  Since we're doing everything quick,
 # we must have passes before blocks.
 pass  in quick on msk0 proto icmp from any to any icmp-type  0 keep state
 pass  in quick on msk0 proto icmp from any to any icmp-type  8 keep state
 pass  in quick on msk0 proto icmp from any to any icmp-type 11 keep state
 pass out quick on msk0 proto icmp from any to any icmp-type  0 keep state
 pass out quick on msk0 proto icmp from any to any icmp-type  8 keep state
 pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
 block in log quick on msk0 proto icmp from any to any

 # 
 # Allow DNS; should this be just from nameservers?
 pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
 pass in quick on msk0 proto udp from any to any port = 53 keep state

 # 
 # Allow ssh and mail from anywhere: tcpserver filters addresses
 pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
 pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state

 # 
 # Allow http from selected addresses.
 pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep 
 state
 pass in quick on msk0 proto tcp from 1.2.3.5 to any port

Re: IPFW Firewall NAT inbound port-redirect

2011-07-13 Thread Bill Tillman






From: Michael Sierchio ku...@tenebras.com
To: Dan Nelson dnel...@allantgroup.com
Cc: Bill Tillman btillma...@yahoo.com; freebsd-questions@freebsd.org
Sent: Tue, July 12, 2011 6:35:19 PM
Subject: Re: IPFW Firewall NAT inbound port-redirect

We're not talking about natd.  The question was about the use of ipfirewall nat.

On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson dnel...@allantgroup.com wrote:
 In the last episode (Jul 12), Michael Sierchio said:
 Is there a way of specifying a particular public address if there is
 more than one bound to the external interface?  A la

 nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 
102.10.22.1:

 Yes; the redirect_port syntax is described in the natd manpage:

     redirect_port proto targetIP:targetPORT[-targetPORT]
                 [aliasIP:]aliasPORT[-aliasPORT]
                 [remoteIP[:remotePORT[-remotePORT]]]



 --
        Dan Nelson
        dnel...@allantgroup.com



NATD and IPFW work together. It's a little hard to explain in this format so as
Dan suggests, you should read the manpage on each. Also, do some google
searches and you will find many helpful articles. But take my word for this,
you can do exactly what you want with IPFW+NATD. There are those who will
probably promote PF as the firewall of choice as well. It all depends on what
you become familiar with.


Re: IPFW Firewall NAT inbound port-redirect

2011-07-13 Thread Michael Sierchio
I'm familiar with natd since its appearance.  I was unclear on the
ipfirewall nat syntax, since there is no syntax definition in the man
page.  It's true the man page is already too large, but some examples
(somewhere) would be nice. Marshaling packets into userland and back
into the kernel makes natd much slower than kernel nat.

The statement "follow closely the syntax used in natd" is not
particularly reassuring, since it doesn't declare that the syntax is
identical, and (I am repeating myself, sorry), there is no syntax def
in the man page.

Thanks, Dan, for explaining.

- M

On Tue, Jul 12, 2011 at 11:05 PM, Bill Tillman btillma...@yahoo.com wrote:





 
 From: Michael Sierchio ku...@tenebras.com
 To: Dan Nelson dnel...@allantgroup.com
 Cc: Bill Tillman btillma...@yahoo.com; freebsd-questions@freebsd.org
 Sent: Tue, July 12, 2011 6:35:19 PM
 Subject: Re: IPFW Firewall NAT inbound port-redirect

 We're not talking about natd.  The question was about the use of ipfirewall 
 nat.

 On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson dnel...@allantgroup.com wrote:
 In the last episode (Jul 12), Michael Sierchio said:
 Is there a way of specifying a particular public address if there is
 more than one bound to the external interface?  A la

 nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22
102.10.22.1:

 Yes; the redirect_port syntax is described in the natd manpage:

     redirect_port proto targetIP:targetPORT[-targetPORT]
                 [aliasIP:]aliasPORT[-aliasPORT]
                 [remoteIP[:remotePORT[-remotePORT]]]



 --
        Dan Nelson
        dnel...@allantgroup.com


 NATD and IPFW work together. It's a little hard to explain in this format so as
 Dan suggests, you should read the manpage on each. Also, do some google
 searches and you will find many helpful articles. But take my word for this,
 you can do exactly what you want with IPFW+NATD. There are those who will
 probably promote PF as the firewall of choice as well. It all depends on what
 you become familiar with.
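Since the complaint in this thread is that ipfw(8) gives the nat syntax without an example, here is one as an added illustration (not code from the thread or from the ipfw documentation): a kernel nat instance whose port redirect is pinned to one specific public address on an interface carrying several, which is exactly the `[aliasIP:]aliasPORT` position Dan points at. 10.0.0.3:22 is the target from the question; re0, 203.0.113.5 and port 2222 are assumptions. By default the script only prints the commands so the ruleset can be reviewed; `apply` installs them.

```shell
#!/bin/sh
# Added example: ipfw nat with redirect_port bound to one public address.
# Assumed names: re0 is the external interface, 203.0.113.5 is the public
# address that should answer for the redirect, 10.0.0.3:22 is the LAN target.
ext_if="re0"
pub_ip="203.0.113.5"
lan_host="10.0.0.3"

# First argument "apply" runs /sbin/ipfw; anything else is a dry run that
# prints each command instead, which is how the rules are reviewed here.
MODE=${1:-dry-run}
run() {
    if [ "$MODE" = "apply" ]; then /sbin/ipfw "$@"; else echo "ipfw $*"; fi
}

nat_rules() {
    # natd's form is  redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT
    # and kernel nat takes the same words; giving aliasIP is what selects one
    # public address rather than the interface's primary one.
    run nat 1 config if "$ext_if" same_ports reset \
        redirect_port tcp "$lan_host:22" "$pub_ip:2222"
    # Translate everything crossing the external interface, both directions.
    # Needs net.inet.ip.fw.one_pass=0 so the packet continues into the rules
    # below after translation instead of being accepted on the spot.
    run add 100 nat 1 ip from any to any via "$ext_if"
    # Inbound: after translation the redirected SYN is addressed to the LAN host.
    run add 200 allow tcp from any to "$lan_host" 22 in via "$ext_if"
    # Replies to connections already set up in either direction.
    run add 300 allow tcp from any to any established
    # Anything originating inside may leave.
    run add 400 allow ip from any to any out via "$ext_if"
    # Everything else arriving from outside is dropped and logged.
    run add 500 deny log ip from any to any in via "$ext_if"
    # LAN-side traffic is not filtered in this example.
    run add 600 allow ip from any to any
}

nat_rules
```

Run as `sh ipfw-nat.sh` to read the commands, then `sh ipfw-nat.sh apply`; `ipfw nat 1 show config` afterwards confirms the redirect the kernel actually holds, and `ipfw -a list` shows per-rule hit counts, which is the quickest way to see whether a connection is reaching rule 200 or falling through to 500.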


Re: IPFW Firewall NAT inbound port-redirect

2011-07-13 Thread Michael Powell
Michael Sierchio wrote:

 I'm familiar with natd since its appearance.  I was unclear on the
 ipfirewall nat syntax, since there is no syntax definition in the man
 page.  It's true the man page is already too large, but some examples
 (somewhere) would be nice. Marshaling packets into userland and back
 into the kernel makes natd much slower than kernel nat.

This is no longer true as some while ago IPFW's NATD switched over to being 
kernel-based. A long time ago when NATD was still userland I switched to 
Darren Reed's IPFILTER for just this reason.

The first thing this entailed was learning the IPFILTER syntax as it was 
somewhat different from IPFW. I made the adjustment and later I found when I 
moved to PF the syntax from IPFILTER was closer to PF which made it easier 
to migrate.

 The statement "follow closely the syntax used in natd" is not
 particularly reassuring, since it doesn't declare that the syntax is
 identical, and (I am repeating myself, sorry), there is no syntax def
 in the man page.
 
[snip]

 NATD and IPFW work together. It's a little hard to explain in this format
 so as Dan suggests, you should read the manpage on each. Also, do some
 google searches and you will find many helpful articles. But take my word
 for this, you can do exactly what you want with IPFW+NATD. There are
 those who will probably promote PF as the firewall of choice as well. It
 all depends on what you become familiar with.

All trueness here. I have used all three: IPFW, IPFILTER, and PF. I use PF 
today, but any of the three will work just fine for essentially the same 
purpose (mostly). For example, IPFW had dummynet for traffic-shaping while 
PF uses ALTQ for essentially the same purpose.

Mostly it is just grokking the syntax for whichever of the three you choose. 
The Handbook contains some content examples for getting started for IPFW and 
the PF docs can be found on the OpenBSD web site. Understand the syntax and 
you can shape the firewall however you choose. The various ruleset examples 
should probably not just be dropped in cut-and-paste style, but rather 
dissected line by line for understanding and then make tweaks which conform 
to exactly your local requirements. And it _is_ some arcane stuff to be 
sure, but stare at it long enough and it'll make sense eventually.  :-)

-Mike




Re: IPFW Firewall NAT inbound port-redirect

2011-07-13 Thread Michael Sierchio
Mike -

You're confused.  natd is still a userland process that works via
divert sockets.  ipfirewall nat is an extension to ipfirewall (ipfw is
the userland control program to modify the rulesets, nat config,
tables, etc.).

- Michael



Re: IPFW Firewall NAT inbound port-redirect

2011-07-13 Thread Michael Powell
OK - I'm confused. Could be all the top posting. ;-)

testbed# man ipfw
Formatting page, please wait...Done.
IPFW(8) FreeBSD System Manager's Manual
IPFW(8)

NAME
 ipfw -- User interface for firewall, traffic shaper, packet scheduler,
 in-kernel NAT.
 
[...]

kernel config options:

options IPFIREWALL_NAT  #ipfw kernel nat support
  

With this option you do not need userland natd; NAT stays in the kernel and
the keywords are in the IPFW ruleset. I did indeed misspeak wrt natd, as the
above was conceived in IPFW2 to supersede userland natd.

Been about maybe 7 or 8 years since I used IPFW, so the memory is rusty.



Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Bill Tillman

From: Dan Nelson dnel...@allantgroup.com
To: Michael Sierchio ku...@tenebras.com
Cc: freebsd-questions@freebsd.org
Sent: Mon, July 11, 2011 1:07:31 PM
Subject: Re: IPFW Firewall NAT inbound port-redirect

In the last episode (Jul 11), Michael Sierchio said:
 Sorry for the naive question, but most of my old rulesets still use
 natd, and I've only used built-in nat for outbound traffic.  I'd like
 to redirect certain ports on certain addresses to the same ports on
 internal (RFC1918) addresses.  The examples in the man page aren't
 helpful, and the handbook still seems very natd-centric in its
 examples.  Thanks in advance.

I use this at the top of my /etc/ipfw.conf file (re0.2 is the interface
corresponding to my internet connection) :

nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 22 
add nat 123 ip from any to any via re0.2

, which redirects incoming port 22 connections to 10.0.0.3.  If you want to
redirect more ports, add more redirect_port tcp host:port port expressions
to the end of your nat line.  I believe you can run the nat config command
manually with a new list (as in ipfw nat 123 ...) to add/remove entries
dynamically.  I'm not at home to try it, and don't want to risk losing my
remote connection if I mess up :)

-- 
    Dan Nelson
    dnel...@allantgroup.com



I have used IPFW for many years now. As for forwarding traffic from your gateway
to internal machines I've always used the following in my /etc/natd.conf file:

dynamic
redirect_port tcp 10.0.0.254:80 80 # Apache Webserver inside my LAN
redirect_port udp 10.0.0.214:1194 1194 # OpenVPN Port
redirect_port tcp 10.0.0.213:443 443   # OpenVPN Port

Of course you will need a line like this in your /etc/rc.conf to get natd to 
read this file:

natd_flags=-f /etc/natd.conf



Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Michael Sierchio
Is there a way of specifying a particular public address if there is
more than one bound to the external interface?  A la

nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22
102.10.22.1:

?




Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Dan Nelson
In the last episode (Jul 12), Michael Sierchio said:
 Is there a way of specifying a particular public address if there is
 more than one bound to the external interface?  A la
 
 nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 
 102.10.22.1:

Yes; the redirect_port syntax is described in the natd manpage:

 redirect_port proto targetIP:targetPORT[-targetPORT]
 [aliasIP:]aliasPORT[-aliasPORT]
 [remoteIP[:remotePORT[-remotePORT]]]



-- 
Dan Nelson
dnel...@allantgroup.com


Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Michael Sierchio
We're not talking about natd.  The question was about the use of ipfirewall nat.



Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Dan Nelson
In the last episode (Jul 12), Michael Sierchio said:
 We're not talking about natd.  The question was about the use of
 ipfirewall nat.

Right, but ipfw nat is basically the userland libalias library loaded as a
kernel module, so the config parameters are the same.

$ grep MODULE_DEPEND /sys/netinet/ipfw/ip_fw_nat.c
MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1);
MODULE_DEPEND(ipfw_nat, ipfw, 2, 2, 2);

also, man ipfw:


NETWORK ADDRESS TRANSLATION (NAT)
 ipfw support in-kernel NAT using the kernel version of libalias(3).
[..]
   REDIRECT AND LSNAT SUPPORT IN IPFW
 Redirect and LSNAT support follow closely the syntax used in natd(8).
 See Section EXAMPLES for some examples on how to do redirect and lsnat.


-- 
Dan Nelson
dnel...@allantgroup.com
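An added example, not code from this thread or from FreeBSD, that parses redirect_port expressions against the natd(8) grammar Dan quoted, renders them back into the one-line `nat N config` form he uses, and reports what a reviewer of such a ruleset wants flagged: a target outside RFC 1918, or a missing aliasIP when the outside interface carries more than one public address (Michael's case). The address 203.0.113.9 and the 8000-8010 port ranges are constructed values; 102.10.22.1 is the address from Michael's message.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]

# RFC 1918 space: an inbound redirect should normally land on one of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Redirect:
    proto: str
    target_ip: str                     # internal host that really answers
    target_ports: PortRange
    alias_ports: PortRange             # port(s) exposed on the public side
    alias_ip: Optional[str] = None     # which public address; None = unset
    remote_ip: Optional[str] = None    # optional: only this peer may connect
    remote_ports: Optional[PortRange] = None


def _ports(text: str) -> PortRange:
    """'22' -> (22, 22); '8000-8010' -> (8000, 8010)."""
    lo, sep, hi = text.partition("-")
    if not lo.isdigit() or (sep and not hi.isdigit()):
        raise ValueError(f"bad port spec {text!r}")
    lo_n, hi_n = int(lo), (int(hi) if sep else int(lo))
    if not 0 < lo_n <= hi_n <= 65535:
        raise ValueError(f"port range out of order or out of range: {text!r}")
    return lo_n, hi_n


def parse_redirect_port(expr: str) -> Redirect:
    """Parse one expression against the natd(8) grammar quoted in the thread:
    redirect_port proto targetIP:targetPORT[-targetPORT]
                  [aliasIP:]aliasPORT[-aliasPORT]
                  [remoteIP[:remotePORT[-remotePORT]]]"""
    tok = expr.split()
    if len(tok) not in (4, 5) or tok[0] != "redirect_port":
        raise ValueError("expected: redirect_port proto target alias [remote]")
    proto = tok[1].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported proto {proto!r}")
    # Target: the colon and the port are mandatory.
    t_ip, sep, t_ports = tok[2].rpartition(":")
    if not sep or not t_ip:
        raise ValueError(f"target must be IP:port, got {tok[2]!r}")
    # Alias: the IP is optional, but once a colon is written the port after
    # it is not, so a dangling '102.10.22.1:' is rejected here.
    a_ip, sep, a_ports = tok[3].rpartition(":")
    if sep and not a_ports:
        raise ValueError(f"alias port missing after ':' in {tok[3]!r}")
    red = Redirect(proto, str(ipaddress.ip_address(t_ip)), _ports(t_ports),
                   _ports(a_ports),
                   str(ipaddress.ip_address(a_ip)) if a_ip else None)
    if len(tok) == 5:
        r_ip, sep, r_ports = tok[4].rpartition(":")
        red.remote_ip = str(ipaddress.ip_address(r_ip if sep else tok[4]))
        red.remote_ports = _ports(r_ports) if sep else None
    # The two ranges are mapped one-to-one, so they must be the same size.
    t, a = red.target_ports, red.alias_ports
    if t[1] - t[0] != a[1] - a[0]:
        raise ValueError("target and alias port ranges differ in size")
    return red


def _pr(p: PortRange) -> str:
    return str(p[0]) if p[0] == p[1] else f"{p[0]}-{p[1]}"


def render_redirect(r: Redirect) -> str:
    parts = ["redirect_port", r.proto, f"{r.target_ip}:{_pr(r.target_ports)}",
             (f"{r.alias_ip}:" if r.alias_ip else "") + _pr(r.alias_ports)]
    if r.remote_ip:
        parts.append(r.remote_ip +
                     (f":{_pr(r.remote_ports)}" if r.remote_ports else ""))
    return " ".join(parts)


def ipfw_nat_config(instance: int, iface: str, redirects: List[Redirect]) -> str:
    """The single 'nat N config' line in the shape Dan posted, with every
    redirect appended; 'add nat N ip from any to any via iface' follows it."""
    head = f"nat {instance} config if {iface} log same_ports"
    return " ".join([head] + [render_redirect(r) for r in redirects])


def audit(redirects: List[Redirect], public_addrs: int = 1) -> List[str]:
    """Every target must be RFC 1918, and with several public addresses on the
    outside interface each redirect should state its aliasIP explicitly."""
    issues = []
    for r in redirects:
        if not any(ipaddress.ip_address(r.target_ip) in n for n in RFC1918):
            issues.append(f"{render_redirect(r)}: target is not RFC 1918")
        if public_addrs > 1 and r.alias_ip is None:
            issues.append(f"{render_redirect(r)}: no aliasIP given, which "
                          "public address answers is left to libalias")
    return issues
```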


IPFW Firewall NAT inbound port-redirect

2011-07-11 Thread Michael Sierchio
Sorry for the naive question, but most of my old rulesets still use
natd, and I've only used built-in nat for outbound traffic.  I'd like
to redirect certain ports on certain addresses to the same ports on
internal (RFC1918) addresses.  The examples in the man page aren't
helpful, and the handbook still seems very natd-centric in its
examples.  Thanks in advance.

- Michael


Re: Home firewall with DLink router & FreeBSD

2011-05-06 Thread Bill Tillman
Please excuse me. I typed my reply below all the existing text but somehow it
ended up being formatted into the middle of this one. Can someone give me the
tip for insuring I don't top post and that my reply ends up at the bottom of the
e-mail?







Re: Home firewall with DLink router & FreeBSD

2011-05-06 Thread Bill Tillman

From: Leonardo M. Ramé martinr...@yahoo.com
To: questi...@freebsd.org
Sent: Thu, May 5, 2011 3:44:36 PM
Subject: Home firewall with DLink router & FreeBSD

The short answer is a definite yes, but you will need two NICs in the FreeBSD
server. I have a FreeBSD server which runs diskless and it acts as my router
right behind the cable modem. All networks in my home, including the wireless
one, use this machine as their route to the Internet. It runs IPFW2 as the
firewall. It also does some port forwarding from my Asterisk PBX and webserver,
which are running on other FreeBSD servers inside my LAN.

There is excellent information in the FreeBSD handbook on how to set up a
FreeBSD server as a gateway/router. Check it out.



Re: Home firewall with DLink router & FreeBSD

2011-05-06 Thread Jerry
On Fri, 6 May 2011 04:10:58 -0700 (PDT)
Bill Tillman btillma...@yahoo.com articulated:

 Please excuse me. I typed my reply below all the existing text but
 somehow it ended up being formatted into the middle of this one. Can
 someone give me the tip for insuring I don't top post and that my
 reply ends up at the bottom of the e-mail?

What are you using for an MUA? In any case, you could just delete all
but a few lines of the original text and try placing your reply below
that. Including 50+ lines of old text, especially text that has been
replied to several times is more than slightly redundant; it borders on
insane. Yet, unfortunately, it is done all the time.

-- 
Jerry ✌
jerry+f...@seibercom.net

Disclaimer: off-list followups get on-list replies, ignored
or reported as Spam. Do not CC this poster.

Please do not ignore the Reply-To header.


Home firewall with DLink router & FreeBSD

2011-05-05 Thread Leonardo M. Ramé
Hi, at home I have a DLink Dir 300 router to provide internet access for my
home network. The network is composed of two Windows PCs, one Linux laptop and
one FreeBSD server we use mainly for storage and as web/database server.

I must add, the server only has one network card.

I would like to know if it's possible to use the FreeBSD server as a firewall
for the whole network, securing LAN and WiFi connections. If this can be done,
then how? Could you point me to some howto?

Thanks in advance,
Leonardo M. Ramé
http://leonardorame.blogspot.com


Home firewall with DLink router and FreeBSD

2011-05-05 Thread Leonardo M. Ramé
Hi, at home I have a DLink Dir 300 router to provide internet access for my
home network. The network is composed of two Windows PCs, one Linux laptop and
one FreeBSD server we use mainly for storage and as web/database server.

I must add, the server only has one network card.

I would like to know if it's possible to use the FreeBSD server as a firewall
for the whole network, securing LAN and WiFi connections. If this can be done,
then how? Could you point me to some howto?

P.S.: this is the 2nd time I send this email, the first time it got caught by
SpamAssassin. Maybe because of a link in my signature.

Thanks in advance,
Leonardo M. Ramé


Re: Home firewall with DLink router and FreeBSD

2011-05-05 Thread Jon Radel


On 5/5/11 8:37 PM, Leonardo M. Ramé wrote:

 Hi, at home I have a DLink Dir 300 router to provide internet access for my
 home network. The network is composed of two Windows PCs, one Linux laptop and
 one FreeBSD server we use mainly for storage and as web/database server.

 I must add, the server only has one network card.

It becomes difficult to use a server as a firewall unless you have an 
inside and an outside network.  Easiest is to simply add another 
network card, should that be possible on your server.  Another 
possibility is to use VLAN tagging and connect the server to a switch 
that understands VLANs.

 I would like to know if it's possible to use the FreeBSD server as a firewall
 for the whole network, securing LAN and WiFi connections. If this can be done,
 then how? Could you point me to some howto?

Yes.  I'd start on the FreeBSD website and start reading things that 
look useful.  If you're thinking about using pf as your firewall, which 
I'd personally recommend though other options are perfectly workable 
also, there's a nice document on the OpenBSD web site, IIRC.

 P.S.: this is the 2nd time I send this email, the first time it got caught by
 SpamAssassin. Maybe because of a link in my signature.

We got both on the list.

--Jon Radel
j...@radel.com


Re: Home firewall with DLink router and FreeBSD

2011-05-05 Thread Daniel Staal
--As of May 5, 2011 5:37:52 PM -0700, Leonardo M. Ramé is alleged to have said:

 Hi, at home I have a DLink Dir 300 router to provide internet access for
 my home network. The network is composed of two Windows PCs, one Linux
 laptop and one FreeBSD server we use mainly for storage and as
 web/database server.

 I must add, the server only has one network card.

 I would like to know if it's possible to use the FreeBSD server as a
 firewall for the whole network, securing LAN and WiFi connections. If
 this can be done, then how? Could you point me to some howto?

--As for the rest, it is mine.

I don't know of any howtos, but it is possible.  You would need to set up 
the FreeBSD box with two IPs on its interface (one as an alias), and 
have them on separate networks.  (Sharing the same hardware, but with 
non-overlapping IP ranges.  Make one a 10.* network and one a 192.168.* 
network.)  One is the 'outside' network, and includes your internet 
gateway.  The other is your 'inside' network and includes everything else. 
(Including your WiFi access point.)

Then you set up the FreeBSD box to route & NAT between them, and to 
firewall along the way.  A standard FreeBSD firewall howto would work 
there, as long as you watch that you never specify an interface name in the 
firewall rules, but use the IP address instead.

However, I would not recommend this.  It's way too easy to accidentally at 
some later point put one of your home boxes on the 'outside' network and 
then you've just bypassed your firewall.  Another ethernet card won't cost 
much, and will make the setup easier and more secure: You can then 
physically separate the networks.


Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---


Re: Home firewall with DLink router and FreeBSD

2011-05-05 Thread Leonardo M. Ramé
Thanks, I think I better add a 2nd network card, as Daniel suggested. Then I'll
try this again.

Leonardo M. Ramé
http://leonardorame.blogspot.com


Re: easy Firewall setup

2011-04-27 Thread Antonio Olivares
Thanks Karl for your script :) this will help tremendously

Also thanks to Daniel & Polytropon & Krad & Warren & Fbsd for your
suggestions & help.  Sorry I could not get back since the network went
down.  I will report back as soon as I can get going again.

Regards,

Antonio

On Tue, Apr 26, 2011 at 1:48 PM, Karl Vogel vogelke+u...@pobox.com wrote:
 On Mon, 25 Apr 2011 19:43:33 -0500,
 Antonio Olivares olivares14...@gmail.com said:

 A Is there an easy firewall setup available somewhere (like the one
 A referenced below but for FreeBSD)?

   Here's a script you can use to generate a rules file for IPF.

 --
 Karl Vogel                      I don't speak for the USAF or my company

 The only freedom which deserves the name, is that of pursuing our own good
 in our own way, so long as we do not attempt to deprive others of theirs,
 or impede their efforts to obtain it.        --John Stuart Mill, On Liberty

 ---
 #!/bin/sh
 # This is a shell archive (produced by GNU sharutils 4.6).
 # To extract the files from this archive, save it to some FILE, remove
 # everything before the `!/bin/sh' line above, then type `sh FILE'.
 #
 # Existing files will *not* be overwritten unless `-c' is specified.
 # This format requires very little intelligence at unshar time.
 # if test, echo, mkdir, and sed may be needed.
 #
 # This shar contains:
 # length mode       name
 # -- -- --
 #   7197 -rw-r--r-- ipf-sample-ruleset
 #     71 -rw-r--r-- ipf.break
 #    144 -rw-r--r-- ipf.header
 #     64 -rw-r--r-- ipf.whitelist
 #   4977 -rwxr-xr-x make-ipf-rules
 #
 echo=echo
 shar_tty= shar_n= shar_c='
 '
 mkdir _sh14472 || ( echo 'failed to create locking directory' '_sh14472'; exit 1 )
 # = ipf-sample-ruleset ==
 if test -f 'ipf-sample-ruleset' && test "$first_param" != "-c"; then
  $echo 'x -' SKIPPING 'ipf-sample-ruleset' '(file already exists)'
 else
  $echo 'x -' extracting 'ipf-sample-ruleset' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > 'ipf-sample-ruleset' &&
 X#
 X# http://www.pc-freak.net/handbook/firewalls-ipf.html
 X# No restrictions on Inside LAN Interface for private network
 X# Not needed unless you have LAN
 X#
 X
 X#pass out quick on xl0 all
 X#pass in quick on xl0 all
 X
 X#
 X# No restrictions on Loopback Interface
 X#
 Xpass in quick on lo0 all
 Xpass out quick on lo0 all
 X
 X#
 X# Interface facing Public Internet (Outbound Section)
 X# Interrogate session start requests originating from behind the
 X# firewall on the private network
 X# or from this gateway server destine for the public Internet.
 X#
 X
 X# Allow out access to my ISP's Domain name server.
 X# xxx must be the IP address of your ISP's DNS.
 X# Dup these lines if your ISP has more than one DNS server
 X# Get the IP addresses from /etc/resolv.conf file
 Xpass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
 Xpass out quick on dc0 proto udp from any to xxx port = 53 keep state
 X
 X# Allow out access to my ISP's DHCP server for cable or DSL networks.
 X# This rule is not needed for 'user ppp' type connection to the
 X# public Internet, so you can delete this whole group.
 X# Use the following rule and check log for IP address.
 X# Then put IP address in commented out rule & delete first rule
 Xpass out log quick on dc0 proto udp from any to any port = 67 keep state
 X#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
 X
 X
 X# Allow out non-secure standard www function
 Xpass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
 X
 X# Allow out secure www function https over TLS SSL
 Xpass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
 X
 X# Allow out send & get email function
 Xpass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
 Xpass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
 X
 X# Allow out Time
 Xpass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
 X
 X# Allow out nntp news
 Xpass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
 X
 X# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
 X# This function uses the IPNAT built in FTP proxy function coded in
 X# the nat rules file to make this single rule function correctly.
 X# If you want to use the pkg_add command to install application packages
 X# on your gateway system you need this rule.
 Xpass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
 X
 X

Re: easy Firewall setup

2011-04-26 Thread Polytropon
On Mon, 25 Apr 2011 21:34:41 -0500, Antonio Olivares olivares14...@gmail.com 
wrote:
 Thanks for sharing this.  I have a base FreeBSD 8.2 system on one
 machine and I would like to setup a firewall that allows me to visit
 websites and not allow incoming traffic.  Something easy to set up and
 start like
 /etc/local/rc.d/rc.pf start
 or similar.  A nice example which I can change somethings like name of
 network device, i.e, nv0, or similar device.
 
 I will try further reading and try to set something up as I am afraid
 to screw things up.

You can easily do this with IPFW (from the base system)

Step 1: Create a file /etc/ipfw.conf which will contain
your firewall rules. Depending on what you need, try out
something like this:

-f flush
# loopback and everything leaving the box is allowed; 'established'
# lets the replies to connections we opened back in
add allow ip  from any to any via lo0
add allow ip  from any to any out
add allow tcp from any to any established
add allow tcp from any to any ftp in recv xl0
add allow tcp from any to any ssh in recv xl0
add deny  ip  from any to any

Of course you'll have to replace xl0 with the correct
device name; ifconfig -a will surely tell you.

Please see that this is just an excerpt of an example.
In this case, FTP and SSH should be allowed for incoming,
everything else will be denied. If you do not want to use
FTP - nobody seriously wants that :-) - do not enable it.
The reference for SSH also goes to the default port, maybe
you want to choose a different one.

Step 2: Edit /etc/rc.conf to contain the following lines:

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

Step 3: Start (or restart) the firewall: 

# /etc/rc.d/ipfw start

See the information contained in man ipfw; it's strong
tobacco, but it provides very good knowledge about how to
properly configure the firewall, containing examples that
you can use to form your own rules, like allow anything
from inside to outside, but deny any requests coming from
outside.




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: easy Firewall setup

2011-04-26 Thread krad
On 26 April 2011 08:52, Polytropon free...@edvax.de wrote:

 On Mon, 25 Apr 2011 21:34:41 -0500, Antonio Olivares 
 olivares14...@gmail.com wrote:
  Thanks for sharing this.  I have a base FreeBSD 8.2 system on one
  machine and I would like to setup a firewall that allows me to visit
  websites and not allow incoming traffic.  Something easy to set up and
  start like
  /etc/local/rc.d/rc.pf start
  or similar.  A nice example which I can change somethings like name of
  network device, i.e, nv0, or similar device.
 
  I will try further reading and try to set something up as I am afraid
  to screw things up.

 You can easily do this with IPFW (from the base system)

 Step 1: Create a file /etc/ipfw.conf which will contain
 your firewall rules. Depending on what you need, try out
 something like this:

-f flush
# loopback and everything leaving the box is allowed; 'established'
# lets the replies to connections we opened back in
add allow ip  from any to any via lo0
add allow ip  from any to any out
add allow tcp from any to any established
add allow tcp from any to any ftp in recv xl0
add allow tcp from any to any ssh in recv xl0
add deny  ip  from any to any

 Of course you'll have to replace xl0 with the correct
 device name; ifconfig -a will surely tell you.

 Please see that this is just an excerpt of an example.
 In this case, FTP and SSH should be allowed for incoming,
 everything else will be denied. If you do not want to use
 FTP - nobody seriously wants that :-) - do not enable it.
 The reference for SSH also goes to the default port, maybe
 you want to choose a different one.

 Step 2: Edit /etc/rc.conf to contain the following lines:

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

 Step 3: Start (or restart) the firewall:

# /etc/rc.d/ipfw start

 See the information contained in man ipfw; it's strong
 tobacco, but it provides very good knowledge about how to
 properly configure the firewall, containing examples that
 you can use to form your own rules, like allow anything
 from inside to outside, but deny any requests coming from
 outside.




 --
 Polytropon
 Magdeburg, Germany
 Happy FreeBSD user since 4.0
 Andra moi ennepe, Mousa, ...



If you are new to firewalls and don't want to use something like pfsense, I
would stay away from ipfw (wait for flames 8) ). This is not for any
technical reason as it is a perfectly good and well featured firewall. It is
however in my experience from a few years ago a little trickier to get the
rule orderings correct when you are natting things. Therefore I would advise
you use pf. Here is a simple starter ruleset to get you going.
It provides no external access but you can easily uncomment the bits to
allow things through. Just drop it into /etc/pf.conf and run

printf 'pf_enable="YES"\npflog_enable="YES"\n' >> /etc/rc.conf.local
/etc/rc.d/pf start
/etc/rc.d/pflog start


ruleset
--
ext_if="xl0"
int_if="xl1"
#table <sshhosts> const { 1.1.1.1, 2.2.2.2 }
table <internal_nets> const { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }


# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 80, adaptive.end 120 }
# note: 100 states is far below pf's default of 10000 and caps the number
# of concurrent connections through the NAT
set limit { states 100, frags 5, src-nodes 30 }
#set loginterface none
set optimization normal
set block-policy drop
set state-policy if-bound
#set skip on $vpn_ints


set require-order yes
set fingerprints /etc/pf.os

# filter on the external interface only
set skip on lo0
set skip on $int_if


# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub all random-id fragment reassemble

nat on $ext_if from <internal_nets> to any -> ($ext_if)

# dump everything by default
block log on $ext_if all

# uncomment this to allow ssh through
# let ssh work and let those ppl ping me
#block in on  $ext_if proto tcp from any to any port ssh
#pass in quick on  $ext_if proto tcp from <sshhosts> to any port ssh keep state
#pass in quick on  $ext_if inet proto icmp from <sshhosts> to any icmp-type echoreq keep state
#pass out quick on  $ext_if proto tcp from any to any port ssh keep state

pass out on  $ext_if from any to any keep state
---

PS: I have ripped this out of my existing rule set so it's possible typos
have crept in
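The rule-ordering point in the two posts above (Polytropon's ipfw excerpt, where an unconditional allow sits in front of the deny, and the pf skeleton here, where a catch-all block is followed by the pass rules), as an added Python model. This is example code written for this thread, not code from FreeBSD, ipfw, pf or any poster; the Rule and Packet classes, the interface name xl0 and the sample packets are assumptions made up for the illustration, and address matching and state tracking are deliberately left out.

```python
"""Model of how ipfw and pf choose the rule that decides a packet.

Added illustration, not code from ipfw or pf: ipfw walks its rules in
order and the first match decides; pf walks the whole ruleset and the
last match decides unless a matching rule says 'quick'.  The model is
stateless (no 'keep state' / 'established') and ignores addresses.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", ...
    direction: str   # "in" or "out", as seen by the firewall
    iface: str       # interface the packet is seen on (assumed name: xl0)
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    proto: str = "any"
    direction: str = "any"     # "in", "out" or "any" (= both directions)
    iface: str = "any"
    dport: Optional[int] = None
    quick: bool = False        # pf only: stop evaluating if this rule matches

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.direction in ("any", p.direction)
                and self.iface in ("any", p.iface)
                and (self.dport is None or self.dport == p.dport))


def ipfw_decide(rules: List[Rule], p: Packet) -> str:
    """ipfw: first matching rule wins; the implicit last rule denies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


def pf_decide(rules: List[Rule], p: Packet) -> str:
    """pf: last matching rule wins, except that a matching 'quick' rule
    ends evaluation at once; a packet matched by no rule is passed."""
    decision = "pass"
    for r in rules:
        if r.matches(p):
            decision = r.action
            if r.quick:
                break
    return decision


# The ipfw excerpt as posted: 'allow ip from any to any' comes first, so
# the ssh/ftp rules and the final deny are never reached.
IPFW_AS_POSTED = [
    Rule("pass"),
    Rule("pass", proto="tcp", direction="in", iface="xl0", dport=21),
    Rule("pass", proto="tcp", direction="in", iface="xl0", dport=22),
    Rule("block"),
]

# Same intent with the broad allow limited to outbound traffic.
IPFW_OUT_ONLY_FIRST = [
    Rule("pass", direction="out"),
    Rule("pass", proto="tcp", direction="in", iface="xl0", dport=21),
    Rule("pass", proto="tcp", direction="in", iface="xl0", dport=22),
    Rule("block"),
]

# The pf skeleton: 'block log on $ext_if all' covers both directions and
# the later 'pass out on $ext_if ... keep state' wins for outbound packets.
PF_SKELETON = [
    Rule("block", iface="xl0"),
    Rule("pass", direction="out", iface="xl0"),
]

# A 'pass in quick' for ssh placed before the catch-all block still wins,
# because quick ends evaluation (the commented-out ssh rules, simplified).
PF_WITH_QUICK = [
    Rule("pass", proto="tcp", direction="in", iface="xl0", dport=22, quick=True),
    Rule("block", iface="xl0"),
    Rule("pass", direction="out", iface="xl0"),
]

SAMPLE_PACKETS = [          # constructed for the example
    Packet("tcp", "in", "xl0", 22),    # ssh attempt from outside
    Packet("tcp", "in", "xl0", 80),    # unsolicited inbound http
    Packet("tcp", "out", "xl0", 80),   # a LAN user browsing the web
]


def evaluate(decide: Callable[[List[Rule], Packet], str], rules: List[Rule],
             packets: List[Packet] = SAMPLE_PACKETS) -> Dict[str, str]:
    """Map 'direction/proto/dport' to the decision a ruleset produces."""
    return {f"{p.direction}/{p.proto}/{p.dport}": decide(rules, p) for p in packets}


if __name__ == "__main__":
    for name, decide, rules in [("ipfw as posted", ipfw_decide, IPFW_AS_POSTED),
                                ("ipfw out-only first", ipfw_decide, IPFW_OUT_ONLY_FIRST),
                                ("pf skeleton", pf_decide, PF_SKELETON),
                                ("pf with quick", pf_decide, PF_WITH_QUICK)]:
        print(f"{name:20s} {evaluate(decide, rules)}")
```

Run it and the "ipfw as posted" line passes every packet, because the first rule matches everything; the pf skeleton blocks both inbound packets and passes the outbound one, and a quick pass placed earlier wins despite the later block. The real tools can be inspected the same way without loading anything: ipfw list prints the numbered order ipfw will walk, and pfctl -nvf /etc/pf.conf parses and expands a ruleset without applying it.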


Re: easy Firewall setup

2011-04-26 Thread Fbsd8

Antonio Olivares wrote:

Dear kind folks,

Is there an easy firewall setup available somewhere(like the one
referenced below but for FreeBSD)?

i.e, like I saw reading in Distrowatch an easy way (using a page on the
net:  http://connie.slackware.com/~alien/efg/)

I have read that there is pf and there is an implementation by OpenBSD
and both are available on FreeBSD via ports system/packages.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

I don't know which one to use, is there a page, howto (build a
firewall or convert an existing one) to use here?  All I want is to be
allowed to visit websites but don't allow anyone out there to come in
somehow a template that I can use and try out to see if I can get it
working.  Of course the network name might be different, but I can try
to figure things out.

ne0, fe0, ra0, ..., etc

After figuring this out, my next big job/task is to use FreeBSD to
make up a new router/dhcp server to give/assign ip numbers to machines
from one and give to many.  This has been something hard that I have
failed at several times.  Maybe with FreeBSD I can be successful?

Thanks,

Antonio




The Freebsd handbook has a very detailed section on the firewalls that 
are part of the base system. Start there.


http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html



Re: easy Firewall setup

2011-04-26 Thread Warren Block

On Tue, 26 Apr 2011, Polytropon wrote:


You can easily do this with IPFW (from the base system)

Step 1: Create a file /etc/ipfw.conf which will contain
your firewall rules.


/etc/rc.firewall has a bunch of predefined firewall types, usable as-is 
or as examples.  Instructions are in that file.



easy Firewall setup

2011-04-25 Thread Antonio Olivares
Dear kind folks,

Is there an easy firewall setup available somewhere(like the one
referenced below but for FreeBSD)?

i.e, like I saw reading in Distrowatch an easy way (using a page on the
net:  http://connie.slackware.com/~alien/efg/)

I have read that there is pf and there is an implementation by OpenBSD
and both are available on FreeBSD via ports system/packages.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

I don't know which one to use, is there a page, howto (build a
firewall or convert an existing one) to use here?  All I want is to be
allowed to visit websites but don't allow anyone out there to come in
somehow a template that I can use and try out to see if I can get it
working.  Of course the network name might be different, but I can try
to figure things out.

ne0, fe0, ra0, ..., etc

After figuring this out, my next big job/task is to use FreeBSD to
make up a new router/dhcp server to give/assign ip numbers to machines
from one and give to many.  This has been something hard that I have
failed at several times.  Maybe with FreeBSD I can be successful?

Thanks,

Antonio


Re: easy Firewall setup

2011-04-25 Thread Daniel Staal
--As of April 25, 2011 7:43:33 PM -0500, Antonio Olivares is alleged to 
have said:



I don't know which one to use, is there a page, howto (build a
firewall or convert an existing one) to use here?  All I want is to be
allowed to visit websites but don't allow anyone out there to come in
somehow a template that I can use and try out to see if I can get it
working.  Of course the network name might be different, but I can try
to figure things out.


If all you want is a firewall, I'd go with this:
http://www.pfsense.org/

Based on FreeBSD, but they've set it up nice and put an easy-to-use 
interface on top of it.


Of course if you wanted you could always just install the base system, turn 
on routing, and configure pf/iptables.  There's not really a whole lot to 
either one, really...  But if you don't feel like learning their syntax 
right now, or doing everything via a text editor, I'd really go with 
pfsense.  (Even if you *do* know their syntax, in most cases I'd go with 
pfsense...)



After figuring this out, my next big job/task is to use FreeBSD to
make up a new router/dhcp server to give/assign ip numbers to machines
from one and give to many.  This has been something hard that I have
failed at several times.  Maybe with FreeBSD I can be successfull?


pfsense has a DHCP server, no problem there.

Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---


Re: easy Firewall setup

2011-04-25 Thread Antonio Olivares
On Mon, Apr 25, 2011 at 9:06 PM, Daniel Staal dst...@usa.net wrote:
 --As of April 25, 2011 7:43:33 PM -0500, Antonio Olivares is alleged to have
 said:

 I don't know which one to use, is there a page, howto (build a
 firewall or convert an existing one) to use here?  All I want is to be
 allowed to visit websites but don't allow anyone out there to come in
 somehow a template that I can use and try out to see if I can get it
 working.  Of course the network name might be different, but I can try
 to figure things out.

 If all you want is a firewall, I'd go with this:
 http://www.pfsense.org/

 Based on FreeBSD, but they've set it up nice and put an easy-to-use
 interface on top of it.

 Of course if you wanted you could always just install the base system, turn
 on routing, and configure pf/iptables.  There's not really a whole lot to
 either one, really...  But if you don't feel like learning their syntax
 right now, or doing everything via a text editor, I'd really go with
 pfsense.  (Even if you *do* know their syntax, in most cases I'd go with
 pfsense...)

 After figuring this out, my next big job/task is to use FreeBSD to
 make up a new router/dhcp server to give/assign ip numbers to machines
 from one and give to many.  This has been something hard that I have
 failed at several times.  Maybe with FreeBSD I can be successful?

 pfsense has a DHCP server, no problem there.

 Daniel T. Staal

 ---

Thanks for sharing this.  I have a base FreeBSD 8.2 system on one
machine and I would like to setup a firewall that allows me to visit
websites and not allow incoming traffic.  Something easy to set up and
start like
/etc/local/rc.d/rc.pf start
or similar.  A nice example which I can change somethings like name of
network device, i.e, nv0, or similar device.

I will try further reading and try to set something up as I am afraid
to screw things up.

Regards,

Antonio


Re: PF firewall rules and documentation

2011-02-01 Thread Da Rock

On 02/01/11 00:40, Kevin Wilcox wrote:

On Mon, Jan 31, 2011 at 05:58, Da Rock
freebsd-questi...@herveybayaustralia.com.au  wrote:

   

Yes. Me unfortunately, but I did manage to pick it up quite quickly though.
I had a little thief attack one of my ports and attempt login on the
firewall. I had to change it to 'block in $log on $ext_if all
block out $log on $ext_if all' to actually block the traffic. Bit of a doozy
really, I'm still monitoring the traffic very closely with tcpdump on the
interface and not the log.
 

Unless you have an explicit need to block in/out, it's easier to
maintain a ruleset that uses

block log on $ext_if

For example, I use the following as a starting point for some of my
routing firewalls:

=

int_if="bge1"
ext_if="bge0"

set skip on lo

# block everything
block

# NAT rule
pass out log(all) on $ext_if from ($int_if:network) to any nat-to ($ext_if)
# allow traffic in on the internal interface
pass in on $int_if from ($int_if:network) to any keep state

=

There are at least three things in that basic config that some people
would jump on me for.

1) why block all if I'm then allowing every in on the internal interface?
2) why block all if I'm allowing everything out on the external interface?
3) why not pass everything on the internal interface and then filter
on the external?

The shortest answer is because I happen to like that starting point
and it serves as a syntactical reminder if I deploy without a pf
reference handy.

Regarding 1) and 2), the longer answer is that I like to control
traffic flow. I don't want to allow inbound connections on the
external interface and I don't have a need for the firewall to connect
to machines inside the NAT. On my bridges I'll set skip on the
internal interface and filter on the other but I don't like doing that
for a router.

   

No jumping here- just a big fat ditto!

But that was the point of this whole thread- that block statement 
doesn't cut it. I started there and noticed a little sneak getting 
through anyway. Set it to the block explicitly and bam! No problem. Just 
a little heads up anyway...

There are some plans to update PF to a more recent version. So may
be it will be better.

   

Actually, that sounds like a better idea than mine ;) Kills 2 birds with one
stone then...
 

I am truly excited about this as the NAT and RDR stuff was
significantly cleaned up (and the OpenBSD pf FAQ is a great resource).
I'm even more excited about the patch to tcpdump that Daniel just sent
to freebsd-pf@ that allows you to tcpdump a pfsync device and pull the
state creation/updates - in my opinion, that's the weakest area for a
BSD firewall (we'll ignore span ports on routers since you can bridge
two addressed interfaces and create a span of that bridge) and being
able to easily pull those NAT translations fulfills some serious
accountability issues.
   
You think?! Man I was scratching a bit trying to translate between 
versions there- not too long, but long enough to a PITA. It would be 
nice to have it all nice and tidy...

If you need a reliable printed reference, you should really consider
picking up Hansteen's _The Book of PF_, available from No Starch
Press:

http://nostarch.com/pf2.htm

I have the first edition and it's incredible but somewhat dated. The
author suggests the second edition for FreeBSD 8.x+.

kmw
   




Re: PF firewall rules and documentation

2011-01-31 Thread Patrick Lamaiziere
Le Sat, 29 Jan 2011 12:39:18 +1000,
Da Rock freebsd-questi...@herveybayaustralia.com.au a écrit :

 I spent some time playing with pf and pf.conf, and followed the 
 directions in the handbook. It redirected me to the openbsd site for 
 pf.conf, and recommended it as the most comprehensive documentation
 for pf.
 
 Firstly, I didn't find that. I had to translate the instructions into 
 the current version used in FreeBSD, OpenBSD appears to be further 
 advanced than this based on the current docs.

Yes, you should refer to the OpenBSD 4.1 Packet FAQ :
http://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq41.pdf

 Secondly, some of the rules don't appear to be following. From my 
 understanding based on the documentation in the handbook and on the
 site pf is default allowing traffic. 

According to a current discussion on m...@openbsd.org. It allows
traffic to pass but without creating states.

 So explicit rules to block
 should be set first and then rules set to allow what is needed in.
 Some assumptions are made in the rules by the interpreter, so
 according to OpenBSD one can (even in the older versions) simply
 state block and it is interpreted as 'block on $interfaces all'. This
 turned out to not be the case.

Ah? Do you have an example for this?
 
 I know this has come up before, but I think it might be time to
 document pf.conf properly. It seems to be a bit of security risk not
 to. Users may be mistaken in their belief of their security on the
 network using pf, and may be less likely to trust again when it
 breaks.

This is true, many things are now more precise in the manual page of
OpenBSD's PF. But it will be hard to merge only these precisions in our
pf.conf manual page.

There are some plans to update PF to a more recent version. So may
be it will be better.

Regards.


Re: PF firewall rules and documentation

2011-01-31 Thread Da Rock

On 01/31/11 20:30, Patrick Lamaiziere wrote:

Le Sat, 29 Jan 2011 12:39:18 +1000,
Da Rockfreebsd-questi...@herveybayaustralia.com.au  a écrit :

   

I spent some time playing with pf and pf.conf, and followed the
directions in the handbook. It redirected me to the openbsd site for
pf.conf, and recommended it as the most comprehensive documentation
for pf.

Firstly, I didn't find that. I had to translate the instructions into
the current version used in FreeBSD, OpenBSD appears to be further
advanced than this based on the current docs.
 

Yes, you should refer to the OpenBSD 4.1 Packet FAQ :
http://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq41.pdf

   

Secondly, some of the rules don't appear to be following. From my
understanding based on the documentation in the handbook and on the
site pf is default allowing traffic.
 

According to a current discussion on m...@openbsd.org. It allows
traffic to pass but without creating states.
   

Exactly. 'permitting' is the term in the handbook I believe.
   

So explicit rules to block
should be set first and then rules set to allow what is needed in.
Some assumptions are made in the rules by the interpreter, so
according to OpenBSD one can (even in the older versions) simply
state block and it is interpreted as 'block on $interfaces all'. This
turned out to not be the case.
 

Ah? Do you have an example for this?
   
Yes. Me unfortunately, but I did manage to pick it up quite quickly 
though. I had a little thief attack one of my ports and attempt login on 
the firewall. I had to change it to 'block in $log on $ext_if all
block out $log on $ext_if all' to actually block the traffic. Bit of a 
doozy really, I'm still monitoring the traffic very closely with tcpdump 
on the interface and not the log.


Thankfully I was also getting ready to update and completely rebuild 
most (scratch that- all) of my systems to newer and more manageable levels.


   

I know this has come up before, but I think it might be time to
document pf.conf properly. It seems to be a bit of security risk not
to. Users may be mistaken in their belief of their security on the
network using pf, and may be less likely to trust again when it
breaks.
 

This is true, many things are now more precise in the manual page of
OpenBSD's PF. But it will be hard to merge only these precisions in our
pf.conf manual page.

There are some plans to update PF to a more recent version. So may
be it will be better.
   
Actually, that sounds like a better idea than mine ;) Kills 2 birds with 
one stone then...



Re: PF firewall rules and documentation

2011-01-31 Thread Kevin Wilcox
On Mon, Jan 31, 2011 at 05:58, Da Rock
freebsd-questi...@herveybayaustralia.com.au wrote:

 Yes. Me unfortunately, but I did manage to pick it up quite quickly though.
 I had a little thief attack one of my ports and attempt login on the
 firewall. I had to change it to 'block in $log on $ext_if all
 block out $log on $ext_if all' to actually block the traffic. Bit of a doozy
 really, I'm still monitoring the traffic very closely with tcpdump on the
 interface and not the log.

Unless you have an explicit need to block in/out, it's easier to
maintain a ruleset that uses

block log on $ext_if

For example, I use the following as a starting point for some of my
routing firewalls:

=

int_if="bge1"
ext_if="bge0"

set skip on lo

# block everything
block

# NAT rule
pass out log(all) on $ext_if from ($int_if:network) to any nat-to ($ext_if)
# allow traffic in on the internal interface
pass in on $int_if from ($int_if:network) to any keep state

=

There are at least three things in that basic config that some people
would jump on me for.

1) why block all if I'm then allowing every in on the internal interface?
2) why block all if I'm allowing everything out on the external interface?
3) why not pass everything on the internal interface and then filter
on the external?

The shortest answer is because I happen to like that starting point
and it serves as a syntactical reminder if I deploy without a pf
reference handy.

Regarding 1) and 2), the longer answer is that I like to control
traffic flow. I don't want to allow inbound connections on the
external interface and I don't have a need for the firewall to connect
to machines inside the NAT. On my bridges I'll set skip on the
internal interface and filter on the other but I don't like doing that
for a router.

 There are some plans to update PF to a more recent version. So may
 be it will be better.


 Actually, that sounds like a better idea than mine ;) Kills 2 birds with one
 stone then...

I am truly excited about this as the NAT and RDR stuff was
significantly cleaned up (and the OpenBSD pf FAQ is a great resource).
I'm even more excited about the patch to tcpdump that Daniel just sent
to freebsd-pf@ that allows you to tcpdump a pfsync device and pull the
state creation/updates - in my opinion, that's the weakest area for a
BSD firewall (we'll ignore span ports on routers since you can bridge
two addressed interfaces and create a span of that bridge) and being
able to easily pull those NAT translations fulfills some serious
accountability issues.

If you need a reliable printed reference, you should really consider
picking up Hansteen's _The Book of PF_, available from No Starch
Press:

http://nostarch.com/pf2.htm

I have the first edition and it's incredible but somewhat dated. The
author suggests the second edition for FreeBSD 8.x+.

kmw
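Da Rock watched the interface with tcpdump rather than the log; the same records are available from pflog0 once pflog_enable is set, and summarising them shows repeated probes at a glance. The following is an added example for this thread, not code from pf, tcpdump or any poster: it parses lines in the shape tcpdump prints for pflog0 (the timestamp prefix depends on the tcpdump flags used and is ignored here) and reports sources that hit the same blocked port repeatedly. The sample lines, the addresses, the interface name and the threshold are constructed for the illustration.

```python
"""Summarise blocked inbound connection attempts logged by pf.

Added example, not code from pf or tcpdump.  Input is the text printed by
'tcpdump -n -e -ttt -i pflog0'; only the part starting at 'rule ...' is
relied on, since the timestamp prefix varies with tcpdump's flags.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# rule <n>/<sub>(<reason>): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: [Flags [..]]
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]*)\])?"
)

# Constructed sample, not a real capture: one host probing ssh four times,
# a single stray probe from elsewhere, and one logged outbound packet.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 0/0(match): block in on xl0: 203.0.113.7.51000 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
00:00:01.500000 rule 0/0(match): block in on xl0: 203.0.113.7.51001 > 198.51.100.10.22: Flags [S], seq 2, win 65535, length 0
00:00:01.200000 rule 0/0(match): block in on xl0: 203.0.113.7.51002 > 198.51.100.10.22: Flags [S], seq 3, win 65535, length 0
00:00:00.900000 rule 0/0(match): block in on xl0: 203.0.113.7.51003 > 198.51.100.10.22: Flags [S], seq 4, win 65535, length 0
00:00:07.000000 rule 0/0(match): block in on xl0: 198.51.100.99.40000 > 198.51.100.10.22: Flags [S], seq 5, win 65535, length 0
00:00:00.300000 rule 1/0(match): pass out on xl0: 198.51.100.10.44000 > 192.0.2.80.443: Flags [S], seq 6, win 65535, length 0
"""


def parse_pflog_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one pflog line, or None if it does not parse."""
    m = PFLOG_RE.search(line)
    return m.groupdict() if m else None


def blocked_inbound(lines: List[str], iface: Optional[str] = None) -> List[Dict[str, str]]:
    """Keep only 'block in' records, optionally limited to one interface."""
    kept = []
    for line in lines:
        rec = parse_pflog_line(line)
        if (rec and rec["action"] == "block" and rec["dir"] == "in"
                and (iface is None or rec["iface"] == iface)):
            kept.append(rec)
    return kept


def repeat_offenders(lines: List[str], threshold: int = 3,
                     iface: Optional[str] = None) -> List[Tuple[str, int, int]]:
    """(source, dport, hits) for sources blocked at least 'threshold'
    times on the same port, busiest first."""
    hits = Counter((r["src"], int(r["dport"])) for r in blocked_inbound(lines, iface))
    return sorted(((src, port, n) for (src, port), n in hits.items() if n >= threshold),
                  key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    for src, port, n in repeat_offenders(SAMPLE_PFLOG.splitlines()):
        print(f"{src} hit blocked port {port} {n} times")
```

Feeding it a live capture is a matter of piping tcpdump's output into the script line by line; the threshold and the interface filter are the two knobs to adjust for a busy link. Blocked packets only appear in pflog0 when the block rule carries the log keyword, which is why "block log on $ext_if" is the useful default in the rulesets above.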


Re: PF firewall rules and documentation

2011-01-29 Thread Da Rock

On 01/29/11 23:50, Iñigo Ortiz de Urbina wrote:

I think that kind of user should never be in charge of anything security related
   
Reading my own post I realise I forgot my question due to kiddie issues 
that were occuring in my vicinity. That is, how would one go about this?


As for user suitability, how else does one learn if not through practice?

On 1/29/11, Da Rockfreebsd-questi...@herveybayaustralia.com.au  wrote:
   

I spent some time playing with pf and pf.conf, and followed the
directions in the handbook. It redirected me to the openbsd site for
pf.conf, and recommended it as the most comprehensive documentation for pf.

Firstly, I didn't find that. I had to translate the instructions into
the current version used in FreeBSD, OpenBSD appears to be further
advanced than this based on the current docs.

Secondly, some of the rules don't appear to be following. From my
understanding based on the documentation in the handbook and on the site
pf is default allowing traffic. So explicit rules to block should be set
first and then rules set to allow what is needed in. Some assumptions
are made in the rules by the interpreter, so according to OpenBSD one
can (even in the older versions) simply state block and it is
interpreted as 'block on $interfaces all'. This turned out to not be the
case.

I know this has come up before, but I think it might be time to document
pf.conf properly. It seems to be a bit of security risk not to. Users
may be mistaken in their belief of their security on the network using
pf, and may be less likely to trust again when it breaks.

Cheers

 


   




PF firewall rules and documentation

2011-01-28 Thread Da Rock
I spent some time playing with pf and pf.conf, and followed the 
directions in the handbook. It redirected me to the openbsd site for 
pf.conf, and recommended it as the most comprehensive documentation for pf.


Firstly, I didn't find that. I had to translate the instructions into 
the current version used in FreeBSD, OpenBSD appears to be further 
advanced than this based on the current docs.


Secondly, some of the rules don't appear to be following. From my 
understanding based on the documentation in the handbook and on the site 
pf is default allowing traffic. So explicit rules to block should be set 
first and then rules set to allow what is needed in. Some assumptions 
are made in the rules by the interpreter, so according to OpenBSD one 
can (even in the older versions) simply state block and it is 
interpreted as 'block on $interfaces all'. This turned out to not be the 
case.


I know this has come up before, but I think it might be time to document 
pf.conf properly. It seems to be a bit of a security risk not to. Users 
may be mistaken in their belief of their security on the network using 
pf, and may be less likely to trust again when it breaks.


Cheers
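A minimal default-deny ruleset in FreeBSD pf.conf syntax, as an added example that is not from the original post, the handbook or the OpenBSD docs: the catch-all block comes first, the pass rules rely on pf's last-matching-rule semantics plus `quick`, and the comments note how to verify what was actually loaded. The interface names em0/em1 and the LAN prefix 192.168.1.0/24 are assumptions for illustration.

```pf
# Added example, not from the original post. em0 faces the Internet,
# em1 faces the LAN; both names and the LAN prefix are assumptions.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Do not filter loopback traffic at all.
set skip on lo0

# Normalise incoming packets before any filter rule sees them.
scrub in all

# Default deny, written first. pf walks the whole ruleset and the LAST
# matching rule wins, so a later "pass" overrides this only for the
# traffic it matches; everything else stays blocked. "all" is written
# out so there is no doubt about what the rule matches, and "log" sends
# the drops to pflog0 where they can be inspected with tcpdump.
block log all

# Anti-spoofing: drop packets that arrive on one interface carrying a
# source address that belongs to the other interface's network.
antispoof quick for $ext_if
antispoof quick for $int_if

# "quick" stops evaluation at this rule, so nothing later can undo it.
# Let the firewall itself talk out; "keep state" admits the replies.
pass out quick on $ext_if inet keep state

# LAN hosts may reach the Internet; states again take care of replies.
pass in quick on $int_if inet from $lan_net to any keep state

# Admin access (ssh) to the firewall's own LAN address, from the LAN only.
# ($int_if) is evaluated at run time, so a changed address still matches.
pass in quick on $int_if inet proto tcp from $lan_net to ($int_if) port 22 keep state

# Anything arriving on $ext_if that no "pass" above matched is still
# caught by the initial "block log all".
```

Check the file parses with `pfctl -nf /etc/pf.conf` before loading it, then compare `pfctl -sr` against what you intended; the loaded ruleset, not the file, is what protects the host.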


Re: foo; no such thing as a dual-nic atom firewall

2010-11-25 Thread Arthur Chance

On 11/25/10 03:01, Gary Kline wrote:

Folks (mostly Adam),

Hang on a sec.  I think I misread what my friend said.
Following is a snip of what he said was good; that this was among
the stuff he installed a few years back and now was much better:



ALIX.2D13 system board - $115
CompactFlash card 4GB SLC - $20
Enclosure - $9
AC adapter - $13



Is this the same board and so forth that Arthur pointed me at below?
My friend's name is Noah; what he saw was that the board was not in
stock and that it would not be restocked until 20dec.   Because the
15th is better for Noah to drive down, I would like to have the
stuff here when it's best for him.   Figure there have to be other
vendors that sell this.


OK, I'm in the UK as are these people I buy from, but they do prices in 
dollars as well as pounds and euros, and will ship to the US. They don't 
have a 2d13 at the moment but do have 2d3s in stock (the 2d13 has a 
battery and RTC extra, that's all).


http://linitx.com/index.php

They've got enclosures, but the power supplies are european plugs. 
However, they are universal (100-250V), so an EU-US adapter would work. 
I use a SanDisk CF card in mine, and the pfSense install worked like a 
dream. The only wrinkle is remembering to change the serial line speed 
from 19200 to 9600 baud before installing pfSense, as the serial 
bootloader likes 9600.


I'd recommend getting pfSense: The Definitive Guide as well

http://www.amazon.com/pfSense-Definitive-Christopher-M-Buechler/dp/0979034280/ref=sr_1_1/177-9101540-7293707?ie=UTF8s=booksqid=1290689178sr=1-1



Re: foo; no such thing as a dual-nic atom firewall

2010-11-25 Thread Gary Kline
On Thu, Nov 25, 2010 at 12:48:47PM +, Arthur Chance wrote:
 On 11/25/10 03:01, Gary Kline wrote:
 Folks (mostly Adam),
 
 Hang on a sec.  I think I misread what my friend said.
 Following is a snip of what he said was good; that this was among
 the stuff he installed a few years back and now was much better:
 
 
 ALIX.2D13 system board - $115
 CompactFlash card 4GB SLC - $20
 Enclosure - $9
 AC adapter - $13
 
 
 Is this the same board and so forth that Arthur pointed me at below?
 My friend's name is Noah; what he saw was that the board was not in
 stock and that it would not be restocked until 20dec.   Because the
 15th is better for Noah to drive down, I would like to have the
 stuff here when it's best for him.   Figure there have to be other
 vendors that sell this.
 
 OK, I'm in the UK as are these people I buy from, but they do prices
 in dollars as well as pounds and euros, and will ship to the US.
 They don't have a 2d13 at the moment but do have 2d3s in stock (the
 2d13 has a battery and RTC extra, that's all).
 
 http://linitx.com/index.php
 
 They've got enclosures, but the power supplies are european plugs.
 However, they are universal (100-250V), so an EU-US adapter would
 work. I use a SanDisk CF card in mine, and the pfSense install
 worked like a dream. The only wrinkle is remembering to change the
 serial line speed from 19200 to 9600 baud before installing pfSense,
 as the serial bootloader likes 9600.
 
 I'd recommend getting pfSense: The Definitive Guide as well
 
 http://www.amazon.com/pfSense-Definitive-Christopher-M-Buechler/dp/0979034280/ref=sr_1_1/177-9101540-7293707?ie=UTF8s=booksqid=1290689178sr=1-1
 


I _will_ order the Guide since I rely on pfSense ...  

What I ordered last night was the 6e1. The pcengines.com site
pointed me to a netgate website here in the States.  So: the
entire kit is en route; or will be soon.

What I don't understand is the CF card and how to install
pfSense.  I'll re-read wherever I have to but some clues would 
certainly help.  I installed pfSense by CDROM initially and
figure this time the install would be done by thumb-drive.
[?]

Pointers, URLs welcome!

gary



-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



Re: foo; no such thing as a dual-nic atom firewall

2010-11-25 Thread Arthur Chance

On 11/25/10 18:22, Gary Kline wrote:
[Huge snip]

What I don't understand is the CF card and how to install
pfSense.  I'll re-read wherever I have to but some clues would
certainly help.  I installed pfSense by CDROM initially and
figure this time the install would be done by thumb-drive.
[?]

Pointers, URLs welcome!


If you're installing onto a CF card you want the embedded version. You 
download the version that matches the size of your CF card - there are 
512M, 1G, 2G and 4G versions. I went for 4G because I had a convenient 
card lying around, but it's overkill. You decompress it and simply dd it 
onto the card (presuming you've got a normal Unix box). This link will help


http://doc.pfsense.org/index.php/Installing_pfSense

This is the embedded category page on the doc wiki

http://doc.pfsense.org/index.php/Category:Embedded

Then all you do is insert the card into the CF adapter on the Alix 
board, fire it up and point your web browser at it to do the initial set 
up. (Don't forget to change the serial line speed to 9600 beforehand.) 
The initial address is 192.168.1.1, username/password are admin/pfsense. 
Have fun.


--
Although the wombat is real and the dragon is not, few know what a
wombat looks like, but everyone knows what a dragon looks like.

-- Avram Davidson, _Adventures in Unhistory_


Re: foo; no such thing as a dual-nic atom firewall

2010-11-25 Thread Gary Kline
On Thu, Nov 25, 2010 at 07:16:01PM +, Arthur Chance wrote:
 On 11/25/10 18:22, Gary Kline wrote:
 [Huge snip]

Super :-)

  What I don't understand is the CF card and how to install
  pfSense.  I'll re-read wherever I have to but some clues would
  certainly help.  I installed pfSense by CDROM initially and
  figure this time the install would be done by thumb-drive.
  [?]
 
  Pointers, URLs welcome!
 
 If you're installing onto a CF card you want the embedded version.
 You download the version that matches the size of your CF card -
 there are 512M, 1G, 2G and 4G versions. I went for 4G because I had
 a convenient card lying around, but it's overkill. You decompress it
 and simply dd it onto the card (presuming you've got a normal Unix
 box). This link will help


I just took a second look at what I have coming in my ALIX.6E1
Kit.  (Also found that 'CF' == Compact Flash; we've got enough 
abbrvs, all right.  )  At any rate, here is what is in my 6e1
kit:

* ALIX.6E1 system board (2/1/1/256/LX800)
* Laser etched black aluminum enclosure with USB and antenna cutouts
* Blank 2 GB Sandisk Ultra II CF Card
* Standard 15V 1.25A 18W power supply (US plug style)
* Ships unassembled

If your 4G CF card was overkill, will my 2GB card be enough?  If
not I'll order a slave chip; or maybe a 4G flash card.

Pasted immediately below is what I was pointed last last night. 
There were links like your URLs to the pfSense site.  Hm.  I
have more research to do (looks like) to learn enough to 
__know__ what I'm doing.  Or my friend and I.  But then I've had
pfSense going for about three years on severely antique
hardware, no problem.  

http://store.netgate.com/ALIX6E1-Kit-Black-Unassembled-P183.aspx
 
 http://doc.pfsense.org/index.php/Installing_pfSense
 
 This is the embedded category page on the doc wiki
 
 http://doc.pfsense.org/index.php/Category:Embedded
 
 Then all you do is insert the card into the CF adapter on the Alix
 board, fire it up and point your web browser at it to do the initial
 set up. (Don't forget to change the serial line speed to 9600
 beforehand.) The initial address is 192.168.1.1, username/password
 are admin/pfsense. Have fun.

Last question[s]: is there a toggle somewhere to change the
speed to 9600?  When a friend helped save my network in Jan,
2008, we did it all by chat and maybe one phone call, so my
memories of the details of getting pfSense set up the first time
have faded ... .  I have a 10.* internal network!  Oboy.  Well, 
here's hoping that a few FreeBSD types are around on 15th dec.

FWIW, My chat is gdk98188 [at] yahoo  

gary

PS: before my almost-disaster in 12/07 I used ipf and ipfw for
years.  The server also handled DHCP.  The reason I went with 
pfsense was to offload that stuff somewhere else; it seems 
apropos of the Unix philosophy: simplicity is better.


 
 -- 
 Although the wombat is real and the dragon is not, few know what a
 wombat looks like, but everyone knows what a dragon looks like.
 
   -- Avram Davidson, _Adventures in Unhistory_

-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread perryh
Gary Kline kl...@thought.org wrote:

 I can't find an atom cpu computer with dual NICs.

Dunno about having them on-board, but anything with a Poulsbo SCH
should have two PCIe channels, each of which could be used for a
NIC.


Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Bruce Cran
On Wed, 24 Nov 2010 01:26:53 -0800
per...@pluto.rain.com wrote:

 Dunno about having them on-board, but anything with a Poulsbo SCH
 should have two PCIe channels, each of which could be used for a
 NIC.

You also get network cards with multiple ports which would work. e.g.
http://reviews.cnet.com/adapters-nics/d-link-dfe-570tx/1707-3380_7-785663.html

-- 
Bruce Cran


Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Svein Skogen (Listmail account)
On 24.11.2010 02:43, Gary Kline wrote:
 Maybe someone on-list can help me; after 5+ hours of clicking and
 typing, I can't find an atom cpu computer with dual NICs.  I
 _thought_ I'd found a computer to replace to Kayak firewall
 [pfSense], but nada.
 
 Any wizards on this list have a clue?

http://global.msi.eu/index.php?func=proddescmaincat_no=388prod_no=1943

//Svein



Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Robert Huff

Bruce Cran writes:

  You also get network cards with multiple ports which would work. e.g.
  
 http://reviews.cnet.com/adapters-nics/d-link-dfe-570tx/1707-3380_7-785663.html

The machine I'm typing on has a two port Intel Pro/1000-GT; I
cannot recommend it highly enough.
One caveat: the better multi-port cards can get expensive
very fast.


Robert Huff







Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Goran Lowkrantz

--On November 23, 2010 17:43:12 -0800 Gary Kline kl...@thought.org wrote:


Maybe someone on-list can help me; after 5+ hours of clicking and
typing, I can't find an atom cpu computer with dual NICs.  I
_thought_ I'd found a computer to replace to Kayak firewall
[pfSense], but nada.

Any wizards on this list have a clue?

--
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



I run pfSense on this
http://www.supermicro.com/products/motherboard/ATOM/ICH9/X7SPE.cfm?typ=HIPMI=Y
in this
http://www.supermicro.com/products/chassis/1U/503/SC503L-200.cfm

- glz


Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Arthur Chance

On 11/24/10 01:43, Gary Kline wrote:

Maybe someone on-list can help me; after 5+ hours of clicking and
typing, I can't find an atom cpu computer with dual NICs.  I
_thought_ I'd found a computer to replace to Kayak firewall
[pfSense], but nada.

Any wizards on this list have a clue?


I don't know if your requirement for an Atom CPU is absolute, or you're 
just looking for a low power solution, but if it's the latter and 
100Mb/s networking is fast enough, I use one of these


http://www.pcengines.ch/alix2d13.htm

for my pfSense firewall. Three network interfaces so you have a DMZ, 
plus a hardware crypto accelerator for VPNs. Total power consumption 
measured at 5W. The alix2d2 is the 2 network port version.


--
Although the wombat is real and the dragon is not, few know what a
wombat looks like, but everyone knows what a dragon looks like.

-- Avram Davidson, _Adventures in Unhistory_


Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Gary Kline
On Wed, Nov 24, 2010 at 04:03:56PM +, Arthur Chance wrote:
 On 11/24/10 01:43, Gary Kline wrote:
 Maybe someone on-list can help me; after 5+ hours of clicking and
 typing, I can't find an atom cpu computer with dual NICs.  I
 _thought_ I'd found a computer to replace to Kayak firewall
 [pfSense], but nada.
 
 Any wizards on this list have a clue?
 
 I don't know if your requirement for an Atom CPU is absolute, or
 you're just looking for a low power solution, but if it's the latter
 and 100Mb/s networking is fast enough, I use one of these
 
 http://www.pcengines.ch/alix2d13.htm
 
 for my pfSense firewall. Three network interfaces so you have a DMZ,
 plus a hardware crypto accelerator for VPNs. Total power consumption
 measured at 5W. The alix2d2 is the 2 network port version.
 

Thanks to everyone indeed.  The long-story-short is that just a 
few months ago I thought I *had* found a low-power [Atom] box
with a dual-NIC for around $300.  So I figured that since there
was at least that one there might be others.  Late last night my 
friend at the University figured that it wouldn't be that hard
to build one from parts.  [[ Sure, if you've got two good hands
and several hours, etc.   ]]

An Atom CPU is only the means to the end of finally having a low
power config.  Right now I'm probably burning 100w using the
Kayak and an '05 40G drive.  Any low-power box will work. 

Appreciate the help!

gary


 -- 
 Although the wombat is real and the dragon is not, few know what a
 wombat looks like, but everyone knows what a dragon looks like.
 
   -- Avram Davidson, _Adventures in Unhistory_

-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Christer Solskogen
On Wed, Nov 24, 2010 at 2:43 AM, Gary Kline kl...@thought.org wrote:
 Maybe someone on-list can help me; after 5+ hours of clicking and
 typing, I can't find an atom cpu computer with dual NICs.  I
 _thought_ I'd found a computer to replace to Kayak firewall
 [pfSense], but nada.

 Any wizards on this list have a clue?

I don't know if I'm a wizard, but FitPC2i might do you good.

http://www.fit-pc.com/web/fit-pc2/specifications/


-- 
chs,


Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Gary Kline
On Wed, Nov 24, 2010 at 02:23:33PM +0100, Goran Lowkrantz wrote:
 --On November 23, 2010 17:43:12 -0800 Gary Kline kl...@thought.org wrote:
 
 Maybe someone on-list can help me; after 5+ hours of clicking and
 typing, I can't find an atom cpu computer with dual NICs.  I
 _thought_ I'd found a computer to replace to Kayak firewall
 [pfSense], but nada.
 
 Any wizards on this list have a clue?
 
 --
  Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
    Journey Toward the Dawn, E-Book: http://www.thought.org
   The 7.97a release of Jottings: http://jottings.thought.org
 
 
 I run pfSense on this
 http://www.supermicro.com/products/motherboard/ATOM/ICH9/X7SPE.cfm?typ=HIPMI=Y
 in this
 http://www.supermicro.com/products/chassis/1U/503/SC503L-200.cfm
 
 - glz


Well, it looks like this one is it; it has the enclosure and so
on, which will take more assembly than I myself can do, but not a
fellow computer geek.  Since I'm doing this as-if from scratch,
what's the best way of getting pfSense installed?  Can I do it
somehow over the wire or use a thumb drive?  

What I understand is that the board won't be in stock until Dec
20th and I need it by the 15th, so  should I just google around?
(I imagine all the tens of millions of people who are
shopping for a board that runs a firewall integrated with 
FreeBSD:-)

Anybody?



-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Adam Vande More
On Wed, Nov 24, 2010 at 7:20 PM, Gary Kline kl...@thought.org wrote:

Anybody?


Gary, in case you didn't catch it the pcengines link already given to you is
low power setup with consumption comparable or better than an Atom.  It's
also been tested with FreeBSD and pfSense according to the manufacturer's
site.  There's nothing wrong with Atom, but different models have different
chipsets/NIC's and there may be a possibility of unsupported hardware.
Perhaps it might be easier for you to go with a known commodity.

pfSense documentation is offered on their website as well as community
support.  I suggest you start there.

-- 
Adam Vande More


Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Gary Kline
On Wed, Nov 24, 2010 at 08:14:01PM -0600, Adam Vande More wrote:
 On Wed, Nov 24, 2010 at 7:20 PM, Gary Kline kl...@thought.org wrote:
 
 Anybody?
 
 
 Gary, in case you didn't catch it the pcengines link already given to you is
 low power setup with consumption comparable or better than an Atom.  It's
 also been tested with FreeBSD and pfSense according to the manufacturer's
 site.  There's nothing wrong with Atom, but different models have different
 chipsets/NIC's and there may be a possibility of unsupported hardware.
 Perhaps it might be easier for you to go with a known commodity.
 
 pfSense documentation is offered on their website as well as community
 support.  I suggest you start there.
 


Thanks Adam,

I forwarded the other model to my friend at the U and didn't
hear back.  --Of course, for lots of the civilian class, it is
almost T'giving :-)  Good thing there is ~three weeks left... .

gary


 -- 
 Adam Vande More

-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Gary Kline
Folks (mostly Adam),

Hang on a sec.  I think I misread what my friend said.
Following is a snip of what he said was good; that this was among
the stuff he installed a few years back and now was much better:

 ALIX.2D13 system board - $115 
 CompactFlash card 4GB SLC - $20   
 Enclosure - $9
 AC adapter - $13  


Is this the same board and so forth that Arthur pointed me at below?
My friend's name is Noah; what he saw was that the board was not in
stock and that it would not be restocked until 20dec.   Because the 
15th is better for Noah to drive down, I would like to have the
stuff here when it's best for him.   Figure there have to be other
vendors that sell this.

gary



On Wed, Nov 24, 2010 at 04:03:56PM +, Arthur Chance wrote:
 On 11/24/10 01:43, Gary Kline wrote:
 Maybe someone on-list can help me; after 5+ hours of clicking and
 typing, I can't find an atom cpu computer with dual NICs.  I
 _thought_ I'd found a computer to replace to Kayak firewall
 [pfSense], but nada.
 
 Any wizards on this list have a clue?
 
 I don't know if your requirement for an Atom CPU is absolute, or
 you're just looking for a low power solution, but if it's the latter
 and 100Mb/s networking is fast enough, I use one of these
 
 http://www.pcengines.ch/alix2d13.htm
 
 for my pfSense firewall. Three network interfaces so you have a DMZ,
 plus a hardware crypto accelerator for VPNs. Total power consumption
 measured at 5W. The alix2d2 is the 2 network port version.
 
 -- 
 Although the wombat is real and the dragon is not, few know what a
 wombat looks like, but everyone knows what a dragon looks like.
 
   -- Avram Davidson, _Adventures in Unhistory_

-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Adam Vande More
On Wed, Nov 24, 2010 at 9:01 PM, Gary Kline kl...@thought.org wrote:

 Folks (mostly Adam),

 Hang on a sec.  I think I misread what my friend said.
 Following is a snip of what he said was good; that this was among
 the stuff he installed a few years back and now was much better:


  ALIX.2D13 system board - $115
  CompactFlash card 4GB SLC - $20
  Enclosure - $9
  AC adapter - $13


 Is this the same board and so forth that Arthur pointed me at below?
 My friend's name is Noah; what he saw was that the board was not in
 stock and that it would not be restocked until 20dec.   Because the
 15th is better for Noah to drive down, I would like to have the
 stuff here when it's best for him.   Figure there have to be other
 vendors that sell this.


Yes, but if you browse the manufacturer you'll see that there are other
boards in-stock which meet your requirements like this one:

http://www.pcengines.ch/alix6e1.htm

Doesn't have battery but that's easy enough to address around and less to go
wrong.

-- 
Adam Vande More


Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Matt Emmerton

Maybe someone on-list can help me; after 5+ hours of clicking and
typing, I can't find an atom cpu computer with dual NICs.  I
_thought_ I'd found a computer to replace to Kayak firewall
[pfSense], but nada.

Any wizards on this list have a clue?


You'd probably have to build one yourself out of parts.  Any respectable 
computer shop will have Mini-ITX Atom motherboards and cases, just add 
another NIC to that along with memory/drives and you're done.


Regards,
--
Matt Emmerton 




Re: foo; no such thing as a dual-nic atom firewall

2010-11-24 Thread Gary Kline
On Wed, Nov 24, 2010 at 09:45:41PM -0600, Adam Vande More wrote:
 On Wed, Nov 24, 2010 at 9:01 PM, Gary Kline kl...@thought.org wrote:
 
  Folks (mostly Adam),
 
  Hang on a sec.  I think I misread what my friend said.
  Following is a snip of what he said was good; that this was among
  the stuff he installed a few years back and now was much better:
 
 
   ALIX.2D13 system board - $115
   CompactFlash card 4GB SLC - $20
   Enclosure - $9
   AC adapter - $13
 
 
  Is this the same board and so forth that Arthur pointed me at below?
  My friend's name is Noah; what he saw was that the board was not in
  stock and that it would not be restocked until 20dec.   Because the
  15th is better for Noah to drive down, I would like to have the
  stuff here when it's best for him.   Figure there have to be other
  vendors that sell this.
 
 
 Yes, but if you browse the manufacturer you'll see that there are other
 boards in-stock which meet your requirements like this one:
 
 http://www.pcengines.ch/alix6e1.htm
 
 Doesn't have battery but that's easy enough to address around and less to go
 wrong.


All right.  The thing is that here I don't know the requirements.
If 6e1 is better, that's good.

 
 -- 
 Adam Vande More

-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



foo; no such thing as a dual-nic atom firewall

2010-11-23 Thread Gary Kline
Maybe someone on-list can help me; after 5+ hours of clicking and
typing, I can't find an atom cpu computer with dual NICs.  I
_thought_ I'd found a computer to replace to Kayak firewall
[pfSense], but nada.

Any wizards on this list have a clue?

-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



firewall hardware running quasi FreeBSD

2010-11-17 Thread Gary Kline

Folks,

The weakest (and probably most costly power-wise) link among my
three computers is my '98 Kayak that runs pfSense.  I just found a 
computer that runs ATOM and has two NICs ... I need two because of
the way things were configured.  My Dell server and my AMD
homebrew that was built out of my prev'ly last new computer are 
vastly more efficient than my other hardware.  Altho the SSD chips 
are fairly new, I would rather put 8 or 16G of solid state memory
rather than have a spinning disk.  Maybe I'll buy both and disable
one or the other.

Anybody know if I can buy this in COTS form  (cots == commercial,
off-the-shelf).  I would rather have the vendor do it right there
since they do it by the truckload.  Among the few things that haven't
been robotized:)


-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
Journey Toward the Dawn, E-Book:
  http://www.thought.org/#JTTD


Re: router / firewall with PF and carp.

2010-10-02 Thread Patrick Lamaiziere
Le Fri, 01 Oct 2010 08:24:30 -0400,
Kevin Kobb kk...@skylinecorp.com a écrit :

 Both would probably be fine. However, I would recommend taking a look
 at pfsense if I were you. It is made to do what you want without as
 much of the overhead as a full blown *BSD install.
 
 It is easier to configure, update, the documentation is good, and you 
 can get top notch paid support from the developers if you want.

Pfsense was our first choice but it does not handle IPv6 yet.
http://doc.pfsense.org/index.php/Is_there_IPv6_support_available

Thanks to all for your replies, regards.


Re: router / firewall with PF and carp.

2010-10-01 Thread krad
On 30 September 2010 23:19, Patrick Lamaiziere patf...@davenulle.orgwrote:

 Hi,

 We are in the process of replacing two Cisco Pix firewalls and one Cisco
 router with two servers running PF with carp. The network is large
 (it is a University) and all will depend on these two machines.

 We have made some tests with OpenBSD, PF and OpenBGPD and it looks to
 work (but we have to make a lot more tests to validate this).

 I think that the support for an OpenBSD release is very small (only one
 year) and I'm suggesting to use FreeBSD instead (we can expect ~3/4
 years of support if we follow a stable branch).

 I have been a happy user of FreeBSD for some time - I mean that I know it is
 not perfect and there are some bugs! - but I don't have any experience
 running it as a router on a large network. So, are PF and carp expected
 to work fine on FreeBSD or are there some known problems?

 Do you think that OpenBSD is better suited for this?

 Thanks, regards.


In my experience FreeBSD should work fine. However I would say OpenBSD is
probably better suited to your needs, due to its tighter security model
(auditing). You will also get a newer version of pf with OpenBSD. If you get
issues with OpenBGP you could look at quagga. I have used it in the past
but haven't for a while so am not sure of the state of it now.


Re: router / firewall with PF and carp.

2010-10-01 Thread jorge espada
I can say that both of them are pretty good choices; in my personal
experience I had the same configuration that you are planning to implement,
with two servers on OpenBSD 4.6 + carp + bgp as a router in a huge network.
The only problem was some well-known bug with carp and bgp: for some
reason, sometimes one of the server NICs (carp-backup) tried to become master
when it wasn't necessary, and the routes were screwed up.
But now with the new OpenBSD 4.8, if I were you I would give it a try.

Jorge E. Espada



On Fri, Oct 1, 2010 at 6:29 AM, krad kra...@gmail.com wrote:

 On 30 September 2010 23:19, Patrick Lamaiziere patf...@davenulle.org
 wrote:

  Hi,
 
  We are in the process of replacing two Cisco Pix firewalls and one Cisco
  router with two servers running PF with carp. The network is large
  (it is a University) and all will depend on these two machines.
 
  We have made some tests with OpenBSD, PF and OpenBGPD and it looks to
  work (but we have to make a lot more tests to validate this).
 
  I think that the support for an OpenBSD release is very small (only one
  year) and I'm suggesting to use FreeBSD instead (we can expect ~3/4
  years of support if we follow a stable branch).
 
  I have been a happy user of FreeBSD for some time - I mean that I know it is
  not perfect and there are some bugs! - but I don't have any experience
  running it as a router on a large network. So, are PF and carp expected
  to work fine on FreeBSD or are there some known problems?
 
  Do you think that OpenBSD is better suited for this?
 
  Thanks, regards.
 

 In my experience FreeBSD should work fine. However I would say OpenBSD is
 probably better suited to your needs, due to its tighter security model
 (auditing). You will also get a newer version of pf with OpenBSD. If you get
 issues with OpenBGP you could look at quagga. I have used it in the past
 but haven't for a while so am not sure of the state of it now.

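A concrete FreeBSD configuration for the two-firewall setup this thread is about (PF on a CARP pair with pfsync state replication), including the preempt setting that addresses the "backup tries to become master" behaviour Jorge mentions. This is an added example, not configuration from any poster or from the FreeBSD project's documentation; it assumes the FreeBSD 10 and later rc.conf CARP syntax, interface names em0/em1/em2, documentation-range addresses and a placeholder CARP password, all of which are constructed.

```conf
# /etc/rc.conf fragment on the PRIMARY firewall (added example; interface
# names em0/em1/em2, addresses and the CARP password are constructed
# placeholders). The secondary uses the same file with its own physical
# addresses and advskew 100 on both vhids.
ifconfig_em0="inet 192.0.2.2/24"           # outside, this host's real address
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass CHANGEME alias 192.0.2.1/32"
ifconfig_em1="inet 10.0.0.2/24"            # inside, this host's real address
ifconfig_em1_alias0="inet vhid 2 advskew 0 pass CHANGEME alias 10.0.0.1/32"
ifconfig_em2="inet 169.254.0.1/30"         # dedicated crossover link to the peer
pf_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"        # replicate the state table only over the crossover link

# /etc/sysctl.conf: let the host with the lower advskew reclaim master and
# fail the vhids over as a group when one carp-enabled link goes down, so the
# pair never ends up master on one interface and backup on the other.
net.inet.carp.preempt=1

# /etc/pf.conf
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo0

# pfsync sends the full state table with no authentication or encryption,
# so it is only permitted on the point-to-point sync interface.
pass quick on $sync_if proto pfsync

# CARP advertisements (IP protocol 112) are HMAC-authenticated with the vhid
# password above; still limit them to the interfaces that carry vhids.
pass on { $ext_if, $int_if } proto carp

block in all
pass out quick on $ext_if keep state
pass in on $int_if from $int_if:network to any keep state
```

After both hosts are up, `ifconfig em0` on the primary should show the vhid as MASTER and the same command on the secondary should show BACKUP; with preempt enabled, pulling the primary's inside cable moves both vhids to the secondary together rather than splitting mastership across the two boxes. The CARP password protects only the advertisements, not the replicated states, which is why the pfsync rule is tied to a link no other host can reach.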


Re: router / firewall with PF and carp.

2010-10-01 Thread Kevin Kobb
Both would probably be fine. However, I would recommend taking a look at 
pfsense if I were you. It is made to do what you want without as much of 
the overhead as a full blown *BSD install.


It is easier to configure, update, the documentation is good, and you 
can get top notch paid support from the developers if you want.



On 9/30/2010 6:19 PM, Patrick Lamaiziere wrote:

Hi,

We are in the process of replacing two Cisco Pix firewalls and one Cisco
router with two servers running PF with carp. The network is large
(it is a University) and all will depend on these two machines.

We have made some tests with OpenBSD, PF and OpenBGPD and it looks to
work (but we have to make a lot more tests to validate this).

I think that the support for an OpenBSD release is very small (only one
year) and I'm suggesting to use FreeBSD instead (we can expect ~3/4
years of support if we follow a stable branch).

I have been a happy user of FreeBSD for some time - I mean that I know it is
not perfect and there are some bugs! - but I don't have any experience
running it as a router on a large network. So, are PF and carp expected
to work fine on FreeBSD or are there some known problems?

Do you think that OpenBSD is better suited for this?

Thanks, regards.



Re: router / firewall with PF and carp.

2010-10-01 Thread Kevin Wilcox
On 1 October 2010 05:29, krad kra...@gmail.com wrote:

 In my experience FreeBSD should work fine. However I would say OpenBSD is
 probably better suited to your needs, due to its tighter security model
 (auditing)

Krad, I was under the impression that 'audit' from TrustedBSD is built
into FreeBSD. Is there a facility in OpenBSD that is better or is
there something in 'audit' that is lacking?

Thanks!

kmw


Re: router / firewall with PF and carp.

2010-10-01 Thread Daniel Bye
On Fri, Oct 01, 2010 at 09:40:56AM -0400, Kevin Wilcox wrote:
 On 1 October 2010 05:29, krad kra...@gmail.com wrote:
 
  In my experience FreeBSD should work fine. However I would say OpenBSD is
  probably better suited to your needs, due to its tighter security model
  (auditing)
 
 Krad, I was under the impression that 'audit' from TrustedBSD is built
 into FreeBSD. Is there a facility in OpenBSD that is better or is
 there something in 'audit' that is lacking?

I think krad is referring to the well-publicised code audit that the OpenBSD
project conducts, rather than the TrustedBSD audit framework. As far as I
know, OpenBSD doesn't have anything comparable, but it's a long time since I
looked at it, so I might be typing out of me ear...

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: router / firewall with PF and carp.

2010-10-01 Thread Kevin Wilcox
On 1 October 2010 10:16, Daniel Bye
freebsd-questi...@slightlystrange.org wrote:

 On Fri, Oct 01, 2010 at 09:40:56AM -0400, Kevin Wilcox wrote:

 Krad, I was under the impression that 'audit' from TrustedBSD is built
 into FreeBSD. Is there a facility in OpenBSD that is better or is
 there something in 'audit' that is lacking?

 I think krad is referring to the well-publicised code audit that the OpenBSD
 project conducts, rather than the TrustedBSD audit framework. As far as I
 know, OpenBSD doesn't have anything comparable, but it's a long time since I
 looked at it, so I might be typing out of me ear...

Dan, that makes perfect sense. I'm working up a BSD presentation for
the local LUG next week and the latest compare/contrast I was working
on was SELinux/GrSecurity/Pax versus TrustedBSD; my brain immediately
parsed auditing as an audit trail, not the immense code audit for the
base system.

Thanks for the reality check!!

kmw

