Re: Firewall questions

2005-04-01 Thread perikillo
 Only a little note about the comment:

On FreeBSD you have a choice of IPFW, IPF, and PF. IPFW is FreeBSD only,
IPF runs on many OSes (but not Linux),

Since I have been reading the Ipfilter maillist, you can see that Ipfilter now
runs on Linux too. This is only information. Greetings.

On Mar 23, 2005 1:03 PM, Ean Kingston [EMAIL PROTECTED] wrote:
 
  I have been looking for a great firewall, something

  not too technical, since I have only been using
  FreeBSD for two months now.
 
  I have FreeBSD-4.8 installed, Apache-1.3, and
  Netqmail-1.05. I am also planning on running an NTP
  time server and possibly a forum in the future. The
  web site is expected to become a well-recognized site,
  so that complicates matters. More attention to the
  site means more attacks.
 
 If it's a firewall you might want to upgrade to the latest in the series
 you are using (4.11). There may be security holes in 4.8 by now.
 
  Also, I am looking for antiviral protection for both
  the FreeBSD server, and any Windows or Macintosh
  systems that may be using the POP mail. I know qmail
  has one solution, which was contributed by a qmail
  user, but what are the alternatives?
 
 There are very few anti-virus packages for FreeBSD. AFAIK there are no
 viruses that target FreeBSD. There are a few that target x86 hardware but
 these don't propagate over the 'net.
 
 Have a look at amavis (it's in the ports collection). I've never used it
 but it's been mentioned a number of times on various lists.
 
 Also, F-Prot (www.f-prot.com) provides an AV product for FreeBSD (NetBSD,
 and OpenBSD too). They even have a mail scanner product. I used the file
 scanner for a while but stopped the last time I upgraded the OS.
 
 
  Any suggestions as to what firewall would provide me
  with the best protection, while not being overly too
  complicated?
 
 For simplicity, get one of the Firewall Router devices and stick your
 FreeBSD system behind it. Most have a web interface to manage them. Just
 make sure you get the Firewall model and not the Router with NAT model.
 Unless you get lucky, the guy at Best Buy (or wherever) won't have a clue
 about the differences and will not be able to help even if he thinks he is
 helping. You need to do your research on this.
 
 On FreeBSD you have a choice of IPFW, IPF, and PF. IPFW is FreeBSD only,
 IPF runs on many OSes (but not Linux), and PF is a port of the OpenBSD
 firewall. All are included with the FreeBSD distribution but require a
 kernel recompile (it's explained in the handbook and isn't nearly as scary
 as it sounds). All are about as complicated to configure/manage.
 
 --
 Ean Kingston
 E-Mail: ean_AT_hedron_DOT_org
 PGP KeyID: 1024D/CBC5D6BB
 URL: http://www.hedron.org/
 
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to 
[EMAIL PROTECTED]



Re: Firewall questions

2005-04-01 Thread Ean Kingston

  Only a little note about the comment:

 On FreeBSD you have a choice of IPFW, IPF, and PF. IPFW is FreeBSD only,
 IPF runs on many OSes (but not Linux),

 Since I have been reading the Ipfilter maillist, you can see that Ipfilter now
 runs on Linux too. This is only information. Greetings.

Wow, I stand corrected. The last time I talked to Darren (years ago) he
said IPFilter would never run on Linux. I guess the Linux folks fixed
whatever was vexing him about their architecture.

 On Mar 23, 2005 1:03 PM, Ean Kingston [EMAIL PROTECTED] wrote:

  I have been looking for a great firewall, something

  not too technical, since I have only been using
  FreeBSD for two months now.
 
  I have FreeBSD-4.8 installed, Apache-1.3, and
  Netqmail-1.05. I am also planning on running an NTP
  time server and possibly a forum in the future. The
  web site is expected to become a well-recognized site,
  so that complicates matters. More attention to the
  site means more attacks.

 If it's a firewall you might want to upgrade to the latest in the series
 you are using (4.11). There may be security holes in 4.8 by now.

  Also, I am looking for antiviral protection for both
  the FreeBSD server, and any Windows or Macintosh
  systems that may be using the POP mail. I know qmail
  has one solution, which was contributed by a qmail
  user, but what are the alternatives?

 There are very few anti-virus packages for FreeBSD. AFAIK there are no
 viruses that target FreeBSD. There are a few that target x86 hardware but
 these don't propagate over the 'net.

 Have a look at amavis (it's in the ports collection). I've never used it
 but it's been mentioned a number of times on various lists.

 Also, F-Prot (www.f-prot.com) provides an AV product for FreeBSD (NetBSD,
 and OpenBSD too). They even have a mail scanner product. I used the file
 scanner for a while but stopped the last time I upgraded the OS.

 
  Any suggestions as to what firewall would provide me
  with the best protection, while not being overly too
  complicated?

 For simplicity, get one of the Firewall Router devices and stick your
 FreeBSD system behind it. Most have a web interface to manage them. Just
 make sure you get the Firewall model and not the Router with NAT model.
 Unless you get lucky, the guy at Best Buy (or wherever) won't have a clue
 about the differences and will not be able to help even if he thinks he is
 helping. You need to do your research on this.

 On FreeBSD you have a choice of IPFW, IPF, and PF. IPFW is FreeBSD only,
 IPF runs on many OSes (but not Linux), and PF is a port of the OpenBSD
 firewall. All are included with the FreeBSD distribution but require a
 kernel recompile (it's explained in the handbook and isn't nearly as scary
 as it sounds). All are about as complicated to configure/manage.

 --
 Ean Kingston
 E-Mail: ean_AT_hedron_DOT_org
 PGP KeyID: 1024D/CBC5D6BB
 URL: http://www.hedron.org/





-- 
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/




Firewall questions

2005-03-23 Thread Shawn B
I have been looking for a great firewall, something
not too technical, since I have only been using
FreeBSD for two months now. 

I have FreeBSD-4.8 installed, Apache-1.3, and
Netqmail-1.05. I am also planning on running an NTP
time server and possibly a forum in the future. The
web site is expected to become a well-recognized site,
so that complicates matters. More attention to the
site means more attacks. 

Also, I am looking for antiviral protection for both
the FreeBSD server, and any Windows or Macintosh
systems that may be using the POP mail. I know qmail
has one solution, which was contributed by a qmail
user, but what are the alternatives?

Any suggestions as to what firewall would provide me
with the best protection, while not being overly too
complicated?

All help is greatly appreciated.



Re: Firewall questions

2005-03-23 Thread Ean Kingston

 I have been looking for a great firewall, something
 not too technical, since I have only been using
 FreeBSD for two months now.

 I have FreeBSD-4.8 installed, Apache-1.3, and
 Netqmail-1.05. I am also planning on running an NTP
 time server and possibly a forum in the future. The
 web site is expected to become a well-recognized site,
 so that complicates matters. More attention to the
 site means more attacks.

If it's a firewall you might want to upgrade to the latest in the series
you are using (4.11). There may be security holes in 4.8 by now.

 Also, I am looking for antiviral protection for both
 the FreeBSD server, and any Windows or Macintosh
 systems that may be using the POP mail. I know qmail
 has one solution, which was contributed by a qmail
 user, but what are the alternatives?

There are very few anti-virus packages for FreeBSD. AFAIK there are no
viruses that target FreeBSD. There are a few that target x86 hardware but
these don't propagate over the 'net.

Have a look at amavis (it's in the ports collection). I've never used it
but it's been mentioned a number of times on various lists.

Also, F-Prot (www.f-prot.com) provides an AV product for FreeBSD (NetBSD,
and OpenBSD too). They even have a mail scanner product. I used the file
scanner for a while but stopped the last time I upgraded the OS.


 Any suggestions as to what firewall would provide me
 with the best protection, while not being overly too
 complicated?

For simplicity, get one of the Firewall Router devices and stick your
FreeBSD system behind it. Most have a web interface to manage them. Just
make sure you get the Firewall model and not the Router with NAT model.
Unless you get lucky, the guy at Best Buy (or wherever) won't have a clue
about the differences and will not be able to help even if he thinks he is
helping. You need to do your research on this.

On FreeBSD you have a choice of IPFW, IPF, and PF. IPFW is FreeBSD only,
IPF runs on many OSes (but not Linux), and PF is a port of the OpenBSD
firewall. All are included with the FreeBSD distribution but require a
kernel recompile (it's explained in the handbook and isn't nearly as scary
as it sounds). All are about as complicated to configure/manage.

-- 
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/




Re: Firewall questions

2005-03-23 Thread Bachelier Vincent
Well, I suggest PF from OpenBSD.
OK, it's really simple, and there is a good page on FreeBSD to learn how it
works.

ok see ya

On Wed, Mar 23, 2005 at 03:47:10PM -0500, Shawn B wrote:
 From: Shawn B [EMAIL PROTECTED]
 To: freebsd-questions@freebsd.org
 Date: Wed, 23 Mar 2005 15:47:10 -0500 (EST)
 Subject: Firewall questions
 
 I have been looking for a great firewall, something
 not too technical, since I have only been using
 FreeBSD for two months now. 
 
 I have FreeBSD-4.8 installed, Apache-1.3, and
 Netqmail-1.05. I am also planning on running an NTP
 time server and possibly a forum in the future. The
 web site is expected to become a well-recognized site,
 so that complicates matters. More attention to the
 site means more attacks. 
 
 Also, I am looking for antiviral protection for both
 the FreeBSD server, and any Windows or Macintosh
 systems that may be using the POP mail. I know qmail
 has one solution, which was contributed by a qmail
 user, but what are the alternatives?
 
 Any suggestions as to what firewall would provide me
 with the best protection, while not being overly too
 complicated?
 
 All help is greatly appreciated.
 

-- 
Vincent Bachelier [EMAIL PROTECTED]
Language: French / English
Company: Solintech - http://www.solintech.fr - Linux servers

Citation (fortune):

How long a minute is depends on which side of the bathroom door you're
on.


RE: Firewall questions

2005-03-23 Thread bob
http://www.unixguide.net/freebsd/fbsd_installguide/index.php

This install guide covers both of the 2 firewalls that come built in
to FreeBSD for all 4.x releases. Software firewalls are heads and
shoulders above hardware firewalls, which can not do stateful type of
protection.
I recommend ipfilter over ipfw as it is so much easier to use and is
supported by its own open source development team. It's been stable
for a long time, while ipfw is FreeBSD developed and has been
rewritten between 4.8 and 5.3.

Firewalls only protect your private network and not email content
for various.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Shawn B
Sent: Wednesday, March 23, 2005 3:47 PM
To: freebsd-questions@freebsd.org
Subject: Firewall questions

I have been looking for a great firewall, something
not too technical, since I have only been using
FreeBSD for two months now.

I have FreeBSD-4.8 installed, Apache-1.3, and
Netqmail-1.05. I am also planning on running an NTP
time server and possibly a forum in the future. The
web site is expected to become a well-recognized site,
so that complicates matters. More attention to the
site means more attacks.

Also, I am looking for antiviral protection for both
the FreeBSD server, and any Windows or Macintosh
systems that may be using the POP mail. I know qmail
has one solution, which was contributed by a qmail
user, but what are the alternatives?

Any suggestions as to what firewall would provide me
with the best protection, while not being overly too
complicated?

All help is greatly appreciated.





RE: Firewall questions

2005-03-23 Thread Ean Kingston

 http://www.unixguide.net/freebsd/fbsd_installguide/index.php

 This install guide covers both of the 2 firewalls that come built in
 to FreeBSD for all 4.x releases. Software firewalls are heads and
 shoulders above hardware firewalls, which can not do stateful type of
 protection.

You might want to check your sources again. My Linksys hardware firewalls
do a good job of providing stateful packet inspection.

-- 
Ean Kingston
E-Mail: ean_AT_hedron_DOT_org
PGP KeyID: 1024D/CBC5D6BB
URL: http://www.hedron.org/




Re: Firewall questions

2005-03-23 Thread RW
On Wednesday 23 March 2005 21:03, Ean Kingston wrote:
  Also, I am looking for antiviral protection for both
  the FreeBSD server, and any Windows or Macintosh
  systems that may be using the POP mail. I know qmail
  has one solution, which was contributed by a qmail
  user, but what are the alternatives?

 There are very few anti-virus packages for FreeBSD. AFAIK there are no
 viruses that target FreeBSD. There are a few that target x86 hardware but
 these don't propagate over the 'net.

Clamav is supposed to be good for filtering windows viruses out of email. I 
know Fastmail.fm dropped Kaspersky in favour of Clamav, they claimed the 
updates to be at least as good.


Re: Firewall questions

2005-03-23 Thread Paul Schmehl
--On Wednesday, March 23, 2005 09:45:56 PM +0000 RW [EMAIL PROTECTED] wrote:
 Clamav is supposed to be good for filtering windows viruses out of email.
 I know Fastmail.fm dropped Kaspersky in favour of Clamav, they claimed
 the updates to be at least as good.
We did some pretty thorough testing of Clamav, uvscan (McAfee) and sophie 
(Sophos) side by side on a mail gateway using amavisd.

Clamav was *almost* as good as McAfee and definitely better than Sophos at 
detecting viruses.  Clamav beat uvscan hands down on cpu usage and 
detection of Phishing scams.

Here's our latest stats - clamav is primary.  uvscan only gets used if 
clamav doesn't detect a virus.

These statistics represent data from 2005-03-01 to yesterday
Total detections - 7369
Total phishing scams - 7080
Total viruses - 289
Total McAfee - 23
Total ClamAV - 266
The last two lines are *unique* detections.  Basically what it means is 
that clamav missed 23 viruses that uvscan subsequently caught.  So clamav 
has a 92.04% virus detection rate so far for the month.  (Updates are 
fetched and installed automatically for both scanners.)

When I was keeping separate stats on each, clamav ran about a half a 
percent behind uvscan and sophie *never* had an independent detection.  It 
also had a much lower detection rate.  (E.g. clamav 94.6, uvscan 95.3, 
sophie 91.8)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: 2 quick firewall questions for FreBSD

2005-01-30 Thread Erik Norgaard
Andy Firman wrote:
First, if one were to deploy FreeBSD 5.3 as a standard
web and email server, would it need a firewall?
I don't see the point because only ports like 25 for 
smtp, 110 for pop, 80 for http, etc... will be listening
and open for connections with or without a firewall.
You should always use a firewall. You may run other services that may 
bind to ports on all interfaces, e.g. syslog, mysql, or others. Having a 
firewall will protect you against accidental misconfigurations of 
services that should only be accessible locally.

You may argue that your server is behind a routing firewall, but that 
argument only holds if there are no other servers. Otherwise you are at 
risk that if one server is compromised, the others fall easily thereafter.

The point is to use layers of security and filtering both on network 
routers/firewalls and on individual hosts, to obtain fine-grained control 
and prevent a compromise from propagating.

Cheers, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


2 quick firewall questions for FreBSD

2005-01-29 Thread Andy Firman

First, if one were to deploy FreeBSD 5.3 as a standard
web and email server, would it need a firewall?
I don't see the point because only ports like 25 for 
smtp, 110 for pop, 80 for http, etc... will be listening
and open for connections with or without a firewall.

Second, I would like to replace my Linux gateway running
Shorewall.  Shorewall is a nice package for managing the 
netfilter firewall capabilities of the Linux kernel.
Is there something similar for FreeBSD?


Re: 2 quick firewall questions for FreBSD

2005-01-29 Thread Chris
Andy Firman wrote:
First, if one were to deploy FreeBSD 5.3 as a standard
web and email server, would it need a firewall?
I don't see the point because only ports like 25 for 
smtp, 110 for pop, 80 for http, etc... will be listening
and open for connections with or without a firewall.

Second, I would like to replace my Linux gateway running
Shorewall.  Shorewall is a nice package for managing the 
netfilter firewall capabilities of the Linux kernel.
Is there something similar for FreeBSD?
Let's look at #2 - Is this server running a WM? If so, why?
--
Best regards,
Chris
If the faulty part is in stock, it didn't need replacing
in the first place.


Re: 2 quick firewall questions for FreBSD

2005-01-29 Thread albi
Andy Firman wrote:
Second, I would like to replace my Linux gateway running
Shorewall.  Shorewall is a nice package for managing the 
netfilter firewall capabilities of the Linux kernel.
Is there something similar for FreeBSD?
Personally I don't like Shorewall at all,
but... IMHO m0n0wall rocks: http://www.m0n0.ch/wall/
:)
- based on FreeBSD
- you can run it from a soekris, or from cdrom+floppy or from hdd
- more responsive (at configuring) than some hardware-routers i've tried
- features amongst others portforwarding, VPN, traffic shaper,
  traffic grapher


Re: 2 quick firewall questions for FreBSD

2005-01-29 Thread Pat Maddox
Having a firewall prevents rogue programs from opening up other ports
on your machine.  You have to worry about services you don't install
and configure just as much (maybe even more so) as the services you do
install.


On Sat, 29 Jan 2005 12:50:51 -0900, Andy Firman [EMAIL PROTECTED] wrote:
 
 First, if one were to deploy FreeBSD 5.3 as a standard
 web and email server, would it need a firewall?
 I don't see the point because only ports like 25 for
 smtp, 110 for pop, 80 for http, etc... will be listening
 and open for connections with or without a firewall.
 
 Second, I would like to replace my Linux gateway running
 Shorewall.  Shorewall is a nice package for managing the
 netfilter firewall capabilities of the Linux kernel.
 Is there something similar for FreeBSD?



Re: 2 quick firewall questions for FreBSD

2005-01-29 Thread Thomas Foster
For FreeBSD.. I highly recommend PF
http://www.section6.net/help/pf.php
Hope this helps
T
- Original Message - 
From: Andy Firman [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Saturday, January 29, 2005 1:50 PM
Subject: 2 quick firewall questions for FreBSD


First, if one were to deploy FreeBSD 5.3 as a standard
web and email server, would it need a firewall?
I don't see the point because only ports like 25 for
smtp, 110 for pop, 80 for http, etc... will be listening
and open for connections with or without a firewall.
Second, I would like to replace my Linux gateway running
Shorewall.  Shorewall is a nice package for managing the
netfilter firewall capabilities of the Linux kernel.
Is there something similar for FreeBSD?




ipf firewall questions

2004-11-15 Thread Andrew Smith
I'm using ipf as my firewall, and I can't figure out why OWA is being blocked 
going to 172.20.0.11.  Below is the current config file which works.  But if I 
removed the fourth line, my users can't access OWA externally.  I would have 
thought the lines "pass out quick from 172.20.0.0/24 to any keep state" and 
"pass in quick from any to 172.20.0.0/24" would have superseded the line 
"block out log proto tcp from any to any port = 80".

Any suggestions would be helpful.

Andrew



#
# Permit Outlook Web Access
#
pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state 

#
# Allow All College Traffic
#
pass in quick from 10.0.0.0/8 to any
pass out quick from any to 10.0.0.0/8

#
# Permit all Network Critical Machines Access
#
pass out quick from 172.20.0.0/24 to any keep state
pass in quick from any to 172.20.0.0/24

#
# Permit all Network Teacher/Staff Computers Access
#
pass out quick from 172.20.1.0/24 to any keep state
pass in quick from any to 172.20.1.0/24

#
# Block all Network Traffic from Student Used Computers
#
block out quick from 172.20.2.0/24 to any
block in quick from any to 172.20.2.0/24

#
# Block all Network Traffic from Student Owned Computers
#
block out quick from 172.20.3.0/24 to any
block in quick from any to 172.20.3.0/24

#
# Block any other Port 80 or 443 Access
#
block out log proto tcp from any to any port = 80
block out log proto tcp from any to any port = 443


Re: ipf firewall questions

2004-11-15 Thread Aaron Nichols
On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith [EMAIL PROTECTED] wrote:
 I'm using ipf as my firewall, and I can't figure out why OWA is being blocked 
 going to 172.20.0.11.  Below is the current config file which works.  But if 
 I removed the fourth line, my users can't access OWA externally.  I would 
 have thought the lines "pass out quick from 172.20.0.0/24 to any keep state" 
 and "pass in quick from any to 172.20.0.0/24" would have superseded the line 
 "block out log proto tcp from any to any port = 80".
 
 Any suggestions would be helpful.
 
 Andrew
 
 
 
 #
 # Permit Outlook Web Access
 #
 pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state
 
 #
 # Allow All College Traffic
 #
 pass in quick from 10.0.0.0/8 to any
 pass out quick from any to 10.0.0.0/8
 
 #
 # Permit all Network Critical Machines Access
 #
 pass out quick from 172.20.0.0/24 to any keep state
 pass in quick from any to 172.20.0.0/24
 
 #
 # Permit all Network Teacher/Staff Computers Access
 #
 pass out quick from 172.20.1.0/24 to any keep state
 pass in quick from any to 172.20.1.0/24


If you remove rule #4 - then there's nothing to allow response traffic
that I can see (unless I'm missing something). I'd guess that if you
remove #4 and add 'keep state' to #5 it'll work.

Aaron


Re: ipf firewall questions

2004-11-15 Thread Aaron Nichols
On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith [EMAIL PROTECTED] wrote:
 I'm using ipf as my firewall, and I can't figure out why OWA is being blocked 
 going to 172.20.0.11.  Below is the current config file which works.  But if 
 I removed the fourth line, my users can't access OWA externally.  I would 
 have thought the lines "pass out quick from 172.20.0.0/24 to any keep state" 
 and "pass in quick from any to 172.20.0.0/24" would have superseded the line 
 "block out log proto tcp from any to any port = 80".
 
 Any suggestions would be helpful.
 
 Andrew
 
 
 
 #
 # Permit Outlook Web Access
 #
 pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state

Sorry - I missed the very first rule - how thorough of me. 

Given that - and my lack of familiarity with ipf vs. ipfw or pf - I'd
say the problem may be the lack of any check state type rule which
applies to the response traffic. I haven't exhaustively looked at the
man page on ipf to verify this, but reviewing what rules will cause
ipf to check for any existing states may help. If they are hitting
that rule and nothing below is catching response traffic based on
existing states then I'm guessing that is what's needed.

Sorry for the confusion on the last post and my apologies if this one
causes any more.

Aaron
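To make the rule-ordering and 'keep state' behaviour discussed in this thread concrete, here is a small Python model of ipf(8) rule evaluation run over the rule set Andrew posted. It is an added example, not code from the thread or from the IPFilter project; it models only ipf's documented semantics (state table consulted before the rules, a `quick` rule ends evaluation at the first match, otherwise the last matching rule wins), ignores interfaces, and the packet addresses are constructed.

```python
"""
Toy model of ipf(8) rule evaluation for the rule set posted in the thread.
Added example, not from the thread. Modelled behaviours:
  * the state table is checked before the rule list, so replies belonging to a
    connection created by a 'keep state' rule pass without a rule lookup;
  * a rule carrying 'quick' terminates evaluation when it matches;
  * without 'quick', ipf is last-match: the last matching rule decides.
Interfaces are not modelled. Only the rule syntax used in the posted config
(pass/block, in/out, quick, log, proto tcp, from/to, port = N, keep state)
is understood.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Rule set copied from the posted config, comments dropped.
RULESET = """
pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state
pass in quick from 10.0.0.0/8 to any
pass out quick from any to 10.0.0.0/8
pass out quick from 172.20.0.0/24 to any keep state
pass in quick from any to 172.20.0.0/24
pass out quick from 172.20.1.0/24 to any keep state
pass in quick from any to 172.20.1.0/24
block out quick from 172.20.2.0/24 to any
block in quick from any to 172.20.2.0/24
block out quick from 172.20.3.0/24 to any
block in quick from any to 172.20.3.0/24
block out log proto tcp from any to any port = 80
block out log proto tcp from any to any port = 443
"""

@dataclass
class Rule:
    action: str                                  # "pass" or "block"
    direction: str                               # "in" or "out"
    quick: bool
    keep_state: bool
    text: str                                    # original rule line
    proto: Optional[str] = None                  # None matches any protocol
    src: Optional[ipaddress.IPv4Network] = None  # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_rule(line: str) -> Rule:
    t = line.split()
    r = Rule(t[0], t[1], "quick" in t, "state" in t, line)
    if "proto" in t:
        r.proto = t[t.index("proto") + 1]
    src, dst = t[t.index("from") + 1], t[t.index("to") + 1]
    r.src = None if src == "any" else ipaddress.ip_network(src)
    r.dst = None if dst == "any" else ipaddress.ip_network(dst)
    if "port" in t:                              # only the "port = N" form
        r.dport = int(t[t.index("port") + 2])
    return r

def parse_ruleset(text: str) -> list:
    return [parse_rule(l.strip()) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (r.dport is None or r.dport == p.dport))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()                       # 5-tuples, both orientations

    def filter(self, p: Packet):
        """Return (verdict, reason) for one packet, updating state as it goes."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.state:                    # state table wins, no rule lookup
            return "pass", "state table"
        decided = None
        for r in self.rules:
            if matches(r, p):
                decided = r
                if r.quick:                      # quick: first match terminates
                    break                        # otherwise the last match wins
        if decided is None:                      # FreeBSD's ipf passes unmatched
            return "pass", "default (no rule matched)"   # packets unless built
        if decided.action == "pass" and decided.keep_state:  # with IPFILTER_DEFAULT_BLOCK
            self.state.add(key)
            self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))  # reply
        return decided.action, decided.text

def trace(ruleset_text: str, packets):
    fw = Firewall(parse_ruleset(ruleset_text))
    return [fw.filter(p) for p in packets]

def without_rule4(text: str) -> str:
    """The posted config minus its fourth rule, the change the question asks about."""
    return "\n".join(l for l in text.splitlines()
                     if l != "pass out quick from 172.20.0.0/24 to any keep state")

# Constructed packets; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
OWA_REQUEST  = Packet("in",  "tcp", "203.0.113.5",  40000, "172.20.0.11",  80)
OWA_REPLY    = Packet("out", "tcp", "172.20.0.11",  80,    "203.0.113.5",  40000)
STUDENT_WEB  = Packet("out", "tcp", "172.20.2.7",   50000, "198.51.100.1", 80)
STAFF_HTTPS  = Packet("out", "tcp", "172.20.1.10",  50001, "198.51.100.1", 443)
OTHER_WEB    = Packet("out", "tcp", "172.20.9.3",   50002, "198.51.100.1", 80)
CRITICAL_WEB = Packet("out", "tcp", "172.20.0.5",   50003, "198.51.100.1", 80)
SAMPLE = [OWA_REQUEST, OWA_REPLY, STUDENT_WEB, STAFF_HTTPS, OTHER_WEB, CRITICAL_WEB]

if __name__ == "__main__":
    for cfg, label in ((RULESET, "posted config"), (without_rule4(RULESET), "rule 4 removed")):
        print(f"== {label}")
        for p, (verdict, why) in zip(SAMPLE, trace(cfg, SAMPLE)):
            print(f"{verdict:5} {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  ({why})")
```

Because the model ignores interfaces it shows the OWA reply passing on the state created by rule 1 even with rule 4 removed, so it cannot reproduce every detail of the posted symptom; what rule 4 demonstrably controls here is web traffic that the 172.20.0.0/24 hosts themselves initiate, which without it falls through to the non-quick `block out log ... port = 80` rule.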


Re: network and firewall questions

2004-01-24 Thread Lowell Gilbert
Andrew L. Gould [EMAIL PROTECTED] writes:

 Can someone access your computer by a port if nothing is listening to that 
 port?

Hopefully not.

 If not, then if you turn off services that you don't use and need to access 
 used services remotely (i.e. let them through a firewall), do you need a 
 firewall?

Assuming you *never* make mistakes and either accidentally enable a
service you didn't mean to, or misconfigure one of the services you're
supposed to be running, and also assuming none of the services you're
running intentionally has any bugs, then you're quite safe without a
firewall.  

Obviously, I recommend using a firewall, just to be sure.


network and firewall questions

2004-01-22 Thread Andrew L. Gould
I'm still very much a newbie regarding networking issues and firewalls; so if 
I need to be slapped, please be gentle.  ;-)

Most of my home computers are behind a NAT router with very simple firewalls 
-- let all requests out, allow established in, deny everything else.  I put a 
test computer in the DMZ the other day to experiment with firewalls, and 
remote access as I travel next week.

Can someone access your computer by a port if nothing is listening to that 
port?

If not, then if you turn off services that you don't use and need to access 
used services remotely (i.e. let them through a firewall), do you need a 
firewall?

Thanks,

Andrew Gould



ipfw firewall questions

2003-02-02 Thread Petre Bandac
hello

I'm about to compose my first ipfw firewall - and, since I have worked quite 
a lot with iptables, I'm interested in a few minor similarities:

1 - is the firewall called by rc.conf? or can I call it at boot time via 
whatever *.sh placed in the right place?

2 - can the firewall be an executable bash script (i.e. like a regular linux 
firewall, with variables like myIP=192.168.0.0)?

I guess the rest is covered in the docs I have carefully RTFM :-)

thanks,

petre







Re: ipfw firewall questions

2003-02-02 Thread Matthew Seaman
On Sun, Feb 02, 2003 at 11:50:52AM +0200, Petre Bandac wrote:
 hello
 
 I'm about to compose my first ipfw firewall - and, since I have worked quite 
 a lot with iptables, I'm interested in a few minor similarities:
 
 1 - is the firewall called by rc.conf? or can I call it at boot time via 
 whatever *.sh placed in the right place?

A typical setup is that the /etc/rc.firewall script sets up
firewalling for IPv4, possibly with /etc/rc.firewall6 doing the
equivalent for IPv6.  The rc.firewall script contains options to load
various pre-canned ipfw(8) rulesets, or you can load a custom ipfw(8)
ruleset through it.

The rc.firewall{,6} script behaviours are controlled by setting
variables in /etc/rc.conf.  Default values (from
/etc/defaults/rc.conf) are:

% grep firewall /etc/defaults/rc.conf 
### Basic network and firewall/security options: ###
firewall_enable=NO# Set to YES to enable firewall functionality
firewall_script=/etc/rc.firewall # Which script to run to set up the firewall
firewall_type=UNKNOWN # Firewall type (see /etc/rc.firewall)
firewall_quiet=NO # Set to YES to suppress rule display
firewall_logging=NO   # Set to YES to enable events logging
firewall_flags=   # Flags passed to ipfw when type is a file
natd_enable=NO# Enable natd (if firewall_enable == YES).
ipv6_firewall_enable=NO   # Set to YES to enable IPv6 firewall
ipv6_firewall_script=/etc/rc.firewall6 # Which script to run to set up the IPv6 firewall
ipv6_firewall_type=UNKNOWN# IPv6 Firewall type (see /etc/rc.firewall6)
ipv6_firewall_quiet=NO# Set to YES to suppress rule display
ipv6_firewall_logging=NO  # Set to YES to enable events logging
ipv6_firewall_flags=  # Flags passed to ip6fw when type is a file

Although setting 'firewall_enable' to 'yes' will work with a standard
system, by causing the ipfw.ko module to be loaded into a GENERIC
kernel, check /usr/src/sys/i386/conf/LINT (FreeBSD 4.x) or
/usr/src/sys/conf/NOTES (FreeBSD 5.0) for some extra functionality you
can enable by building yourself a custom kernel.

Alternatively you can use ipf(8) which is a second firewall flavour
but with much the same functionality.  If you aren't doing anything
tricky like traffic shaping or QoS, which one you choose is mostly a
matter of taste:

% grep ipf defaults/rc.conf 
firewall_flags=   # Flags passed to ipfw when type is a file
ipfilter_enable=NO# Set to YES to enable ipfilter functionality
ipfilter_program=/sbin/ipf# where the ipfilter program lives
ipfilter_rules=/etc/ipf.rules # rules definition file for ipfilter, see
# /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags=   # additional flags for ipfilter
ipmon_enable=NO   # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program=/sbin/ipmon # where the ipfilter monitor program lives
ipmon_flags=-Ds   # typically -Ds or -D /var/log/ipflog
ipfs_enable=NO# Set to YES to enable saving and restoring
ipfs_program=/sbin/ipfs   # where the ipfs program lives
ipfs_flags=   # additional flags for ipfs
ipv6_ipfilter_rules=/etc/ipf6.rules   # rules definition file for ipfilter,
# see /usr/src/contrib/ipfilter/rules

The ipf(8) firewalling is started out of /etc/rc.network --- it's
possible and sometimes useful to run ipfw(8) and ipf(8)
simultaneously.

Finally, you can write your own script and call it in place of
rc.firewall by setting the 'firewall_script' variable.  This method is
generally used to run a skeleton firewall ruleset through a
preprocessor to substitute in local interface addresses etc.

 2 - can the firewall be an executable bash script (i.e. like a regular linux 
 firewall, with variables like myIP=192.168.0.0)?

Basically, yes.  However bash is not supplied with the FreeBSD system
--- you can install it as /usr/local/bin/bash from ports, or
(preferably) use the system supplied /bin/sh for writing startup
scripts.  /bin/sh is a POSIX compliant Bourne Shell with broadly
equivalent *programming* capabilities to bash (/bin/sh doesn't have
the same sort of support for interactive use though).  Syntax is very
similar to bash with a few significant differences to keep you on your
toes.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: ipfw firewall questions

2003-02-02 Thread Petre Bandac
ipf & ipfw are something like iptables & ipchains? Both tools do the same job?



On Sunday 02 February 2003 20:26 Anno Domini, JoeB wrote using one of his 
keyboards:
 There are 3 classes of rules in IPFW, each class has separate packet
 interrogation abilities. Each proceeding class has greater packet
 interrogation abilities than the previous one. These are stateless,
 simple stateful, and advanced stateful. The advanced stateful rule
 class is the only class having technically advanced interrogation
 abilities capable of defending against the flood of different attack
 methods currently employed by perpetrators. Stateless and Simple
 Stateful IPFW firewall rules are inadequate to protect the user's
 system in today's internet environment and leaves the user
 unknowingly believing they are protected when in reality they are
 not.

 The advanced stateful rule option keep-state works as documented
 only when used in a rule set that does not use the divert rule.
 Simply stated the IPFW advanced stateful rule option keep-state does
 not function correctly when used in an IPFW firewall that also is
 using the IPFW built in NATD function. For the most complete
 keep-state protection the other FIREWALL solution (IPFILTER) that
 comes with FBSD should be used. Just checkout the IPFW list archives
 and you will see this subject discussed in detail without any
 solution forthcoming.

 http://www.obfuscation.org/ipf/

 http://www.obfuscation.org/ipf/ipf-howto.html





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Petre
 Bandac
 Sent: Sunday, February 02, 2003 4:51 AM
 To: [EMAIL PROTECTED]
 Subject: ipfw firewall questions

 hello

 I'm about to compose my first ipfw firewall - and, since I have
 worked quite
 a lot with iptables, I'm interested in a few minor similarities:

 1 - is the firewall called by rc.conf? Or can I call it at boot time
 via
 whatever *.sh is placed in the right place?

 2 - can the firewall be an executable bash script (i.e. like a
 regular linux
 firewall, with variables like myIP=192.168.0.0)?

 I guess the rest is covered in the docs I have carefully RTFM :-)

 thanks,

 petre

-- 
Login: petre    Name: Petre Bandac
Directory: /home/petre  Shell: /usr/local/bin/zsh
On since Sun Feb  2 13:56 (EET) on ttyv0, idle 8:51 (messages off)
Last login Sun Feb  2 20:03 (EET) on ttyp0 from ns.rdsbv.ro
No Mail.
No Plan.


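As an added example, not code from any poster in this thread or from the FreeBSD base system: a custom firewall_script in /bin/sh of the kind Matthew describes above, carrying the site addresses in variables the way Petre's iptables scripts do, and using keep-state without any divert rule, since JoeB's note says that combination does not work correctly. The interface name, the addresses and the script path are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: a custom ruleset loaded by
# setting firewall_script="/usr/local/etc/rc.firewall.local" in rc.conf
# (hypothetical path). Written for /bin/sh, as recommended above, with
# site values in variables the way an iptables script would carry them.
# It uses keep-state but no divert rule, the combination JoeB's note
# says does not function correctly.

oif=${oif:-rl0}                 # outside interface (assumed name)
oip=${oip:-192.0.2.10}          # outside address (constructed sample)
inet=${inet:-192.168.0.0/24}    # inside network (the myIP-style variable)
fwcmd=${fwcmd:-/sbin/ipfw -q}   # override with fwcmd=echo to preview

# rule NUMBER BODY...: emit one rule through $fwcmd
rule() { ${fwcmd} add "$@"; }

load_ruleset() {
    ${fwcmd} -f flush
    # loopback traffic is fine; anything else claiming 127/8 is forged
    rule 100 allow ip from any to any via lo0
    rule 200 deny ip from any to 127.0.0.0/8
    rule 300 deny ip from 127.0.0.0/8 to any
    # anti-spoofing: inside source addresses never arrive on the outside
    rule 400 deny log ip from ${inet} to any in via ${oif}
    # dynamic rules created by keep-state are matched here
    rule 500 check-state
    # connections the host opens; replies are admitted by the dynamic rule
    rule 600 allow tcp from ${oip} to any out via ${oif} setup keep-state
    rule 610 allow udp from ${oip} to any 53 out via ${oif} keep-state
    # the one service reachable from outside
    rule 700 allow tcp from any to ${oip} 22 in via ${oif} setup keep-state
    # default deny, logged, so rejected attempts show up when logging is on
    rule 65000 deny log ip from any to any
}

# Print the ruleset in a subshell instead of installing it.
preview_ruleset() { ( fwcmd=echo; load_ruleset ); }

# rc.network sources this file, so run at the top level; on a host
# without /sbin/ipfw (or when FW_PREVIEW=yes) only print the rules.
if [ "${FW_PREVIEW:-no}" = yes ] || [ ! -x /sbin/ipfw ]; then
    preview_ruleset
else
    load_ruleset
fi
```

Run it with FW_PREVIEW=yes first to read the expanded rules before letting rc.conf load them.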



Re: FreeBSD Router/Firewall Questions

2002-11-02 Thread Leigh
Check out my IPFilter/IPNAT setup script for FreeBSD, it might be just what
you are after
http://www.roq.com/bsd/

- Original Message -
From: RD [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, November 01, 2002 11:08 AM
Subject: FreeBSD Router/Firewall Questions


 Hi guys,  me again :)
   well I've been reading up on compiling a kernel for nat and ipfw.  I'm
 running a d-link 704 router now.  I want some input here...

 I have an extra box (p200 - 128ram) for a router firewall..
 I was thinking about it being my Gateway/Router/Firewall for my other 3
 computers.   I run a webserver box, a ftp server box, and my workstation
 box behind my d-link.

  What advantages/disadvantages would I have by running freebsd in place
 of the d-link?

 How do I connect this?   Do I use 2 ethernets  1 to net and 1 to a hub?
 I also have 1 crossover rj45 cable for card to card connection that I
 haven't tried yet...

 Tx guys
 RD










Re: FreeBSD Router/Firewall Questions

2002-11-01 Thread Kristian Larsson
 Hi!

   On Thu, 31 Oct 2002, RD wrote:
 
    How do I connect this?  Do I use 2 ethernets 1 to net and 1 to a
    hub?

  If your ethernet card has two types of connectors (RJ45 aka UTP and
  BNC [which is a thing that sticks out of the card]) then you could try
  to connect the adsl-modem to the RJ45 and the rest of your stuff to
  the BNC, which would save you the hub (as BNC is daisy chain) and one
  network card.

 You're joking, right? The only Ethernet cards I know of which support
 connecting multiple network cables to one card are the really expensive
 4-port RJ45 cards that have highly specialized hardware to basically
 act as 4 NICs on one board.

 Any plain $5 BNC/TP combo card certainly does NOT support connecting a
 cable to both BNC and TP connector!

now that it's been brought up, which quad Ethernet cards exist with good
working drivers for FreeBSD?
a friend had one of those a long time ago, and it messed everything up since
the drivers were real cheap.
I don't remember which card he had, and maybe the drivers have been improved
since then.
But are there any cards which do NOT work?
and which work better?

grateful for any response
/Kristian





FreeBSD Router/Firewall Questions

2002-10-31 Thread RD
Hi guys,  me again :)
  well I've been reading up on compiling a kernel for nat and ipfw.  I'm
running a d-link 704 router now.  I want some input here...

I have an extra box (p200 - 128ram) for a router firewall..
I was thinking about it being my Gateway/Router/Firewall for my other 3
computers.   I run a webserver box, a ftp server box, and my workstation
box behind my d-link.

 What advantages/disadvantages would I have by running freebsd in place
of the d-link?

How do I connect this?   Do I use 2 ethernets  1 to net and 1 to a hub?
I also have 1 crossover rj45 cable for card to card connection that I
haven't tried yet...

Tx guys
RD





RE: FreeBSD Router/Firewall Questions

2002-10-31 Thread Derrick Ryalls
 Hi guys,  me again :)
   well I've been reading up on compiling a kernel for nat and 
 ipfw.  I'm running a d-link 704 router now.  I want some input here...
 
 I have an extra box (p200 - 128ram) for a router firewall..
 I was thinking about it being my Gateway/Router/Firewall for 
 my other 3
 computers.   I run a webserver box, a ftp server box, and my 
 workstation
 box behind my d-link.
 
  What advantages/disadvantages would I have by running 
 freebsd in place of the d-link?

Adv:
More flexible, more services can be run, well supported via email lists,
etc.

DisAdv:
More power needed, higher learning curve, more time needed for updates,
more things to go wrong, etc.


 
 How do I connect this?   Do I use 2 ethernets  1 to net and 
 1 to a hub?

Yes.







Re: FreeBSD Router/Firewall Questions

2002-10-31 Thread Shawn Henderson
One advantage is you can keep your current subnet and with the freebsd box
you could run a whole other subnet with it .. or it can be used just to
learn and play.
But with a dlink already in the network I would use it as a play thing and
try new things on that box. I like to use p1 and below for small routers;
anything above is a good test platform for new projects I want to learn.
- Original Message -
From: RD [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, October 31, 2002 4:08 PM
Subject: FreeBSD Router/Firewall Questions


 Hi guys,  me again :)
   well I've been reading up on compiling a kernel for nat and ipfw.  I'm
 running a d-link 704 router now.  I want some input here...

 I have an extra box (p200 - 128ram) for a router firewall..
 I was thinking about it being my Gateway/Router/Firewall for my other 3
 computers.   I run a webserver box, a ftp server box, and my workstation
 box behind my d-link.

  What advantages/disadvantages would I have by running freebsd in place
 of the d-link?

 How do I connect this?   Do I use 2 ethernets  1 to net and 1 to a hub?
 I also have 1 crossover rj45 cable for card to card connection that I
 haven't tried yet...

 Tx guys
 RD








Re: FreeBSD Router/Firewall Questions

2002-10-31 Thread Nick Rogness
On Thu, 31 Oct 2002, RD wrote:

 Hi guys,  me again :)
   well I've been reading up on compiling a kernel for nat and ipfw.
 I'm running a d-link 704 router now.  I want some input here...

 I have an extra box (p200 - 128ram) for a router firewall.. I was
 thinking about it being my Gateway/Router/Firewall for my other 3
 computers.  I run a webserver box, a ftp server box, and my workstation
 box behind my d-link.

  What advantages/disadvantages would I have by running freebsd in place
 of the d-link?

Let's be honest folks,

If you are not running any special services or are not in the
pursuit of learning, then having BSD do the work is pointless.

If you want to learn a little something then it may be worth
doing.  It does give you the opportunity to do more with your
network.  People could go on and on about what it can do for
you.  I'll just leave it at: lots.


 How do I connect this?  Do I use 2 ethernets 1 to net and 1 to a hub? I
 also have 1 crossover rj45 cable for card to card connection that I
 haven't tried yet...

Yes, 2 ethernet cards.  One for the outside network and one for
the inside network.  Basic stuff.



Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]








Re: FreeBSD Router/Firewall Questions

2002-10-31 Thread Marc Schneiders
On Thu, 31 Oct 2002, at 17:28 [=GMT-0700], Nick Rogness wrote:
 On Thu, 31 Oct 2002, RD wrote:

  How do I connect this?  Do I use 2 ethernets 1 to net and 1 to a hub? I
  also have 1 crossover rj45 cable for card to card connection that I
  haven't tried yet...

   Yes, 2 ethernet cards.  One for the outside network and one for
   the inside network.  Basic stuff.

If your ethernet card has two types of connectors (RJ45 aka UTP and
BNC [which is a thing that sticks out of the card]) then you could try
to connect the adsl-modem to the RJ45 and the rest of your stuff to
the BNC, which would save you the hub (as BNC is daisy chain) and one
network card. And black thick dusty coax cable can be found for free
everywhere. And BNC connectors don't break so easily!

Don't forget to let us know how it works!

