Re: IPFW Firewall Question
On Friday 05 December 2008 20:29:40 G magicman wrote:
> I have tried this it did not work and the Co-Lo people are convinced that
> sshd and sendmail need to be run out of inetd.conf for this to work.

That wouldn't explain sshd being linked against libwrap. Did you comment:

# The rules here work on a "First match wins" basis.
ALL : ALL : allow

> As i said i am used to BSDI and the Finnish SSHD

Hehe, I remember having libwrap as backup, 'cause the firewall's pre-in/pre-out/in/out concepts were confusing at times.

Anyway, I'll give you a pf example; maybe someone with ipfw skills will pick it up and translate, or you can kldload pf and use that ;)

===
openports="{ 11, 21, 22, 23, 25, 37, 42, 43, 53, 63, 69, 70, 80, 101, 109, 110, 115, 119, 123, 143, 443, 4321, 50001 }"
# The <name> parts of the table definitions and rules were dropped by the
# list archive's HTML rendering; <clearaddresses> and <spammers> are
# reconstructed from the poster's variable name and the table file name.
table <clearaddresses> persist { 209.131.0.0/16, 66.65.0.0/16, 71.173.96.0/19, \
    71.173.128.0/17, blabla }
table <spammers> persist file "/etc/pf/spammers.table"
ext_if="bge0"  # External interface

# Rules, last match wins
block in all
pass in from <clearaddresses> to any
pass in on $ext_if proto { tcp, udp } from any to ($ext_if) port $openports
block in on $ext_if from <spammers> to any port 25
==

The file /etc/pf/spammers.table can then be filled with one CIDR per line, easy to maintain/fail, and possible to have the file maintained by grok or similar automation scripts. The file is only read on start up, but the table can be maintained 'live', using pfctl -T commands.

Hope this helps.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
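A loader for that table file, added here as an example and not Mel's code or anything else from the thread: it validates every line before handing the file to pfctl -T replace, so a malformed line written by an automation script is reported rather than loaded, and the table keeps its previous contents. The table name, the file path and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Validates a pf table file of the
# kind described above (one CIDR per line, "#" comments allowed) before
# pushing it into the running kernel with "pfctl -T replace", so a bad line
# from an automation script cannot break the load. Table name, file path
# and the sample entries are assumptions.
# Run with PFCTL=echo to see the command without touching pf.

PFCTL=${PFCTL:-/sbin/pfctl}

# Accept a.b.c.d or a.b.c.d/len with 0 <= octet <= 255 and 0 <= len <= 32.
valid_cidr() {
    addr=${1%/*}
    len=${1#*/}
    [ "$addr" = "$1" ] && len=32                 # bare host address
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the usable entries of table file $1, one per line; complain on stderr
# about anything else and return 1 if any line was rejected.
clean_table() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                            # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')  # and whitespace
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'rejected: %s\n' "$line" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# Replace the contents of pf table <$1> with the validated entries of file $2.
# On any rejected line nothing is loaded and the current table is left as is,
# which for a spammer blocklist is the safer failure.
load_table() {
    tmp=$(mktemp) || return 1
    if ! clean_table "$2" > "$tmp"; then
        echo "$2: bad entries, table <$1> unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
    $PFCTL -t "$1" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample files ($1 = good|bad, $2 = path): what an automation
# script might have written, including the kind of lines a careless one emits.
write_sample() {
    if [ "$1" = good ]; then
        printf '%s\n' '# spammers.table - one CIDR per line' \
            '192.0.2.0/24  # whole prefix' '198.51.100.7  # single host' \
            '203.0.113.128/25' > "$2"
    else
        printf '%s\n' '192.0.2.0/24' '203.0.113.0/33  # bad mask' \
            '256.1.1.1' '10.0.0.0/8/8' > "$2"
    fi
}

# Usage: ./load-table.sh spammers /etc/pf/spammers.table
if [ $# -eq 2 ]; then
    load_table "$1" "$2"
fi
```

Refusing the whole file on one bad line is deliberate: pfctl would also reject it, but silently feeding it the valid subset would hide the fact that the script producing the file is broken, and the previous table contents stay in force until someone looks at the error.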
Re: IPFW Firewall Question
I have tried this, it did not work, and the Co-Lo people are convinced that sshd and sendmail need to be run out of inetd.conf for this to work. As I said, I am used to BSDI and the Finnish SSHD. Also, here they are using the combined hosts.allow/deny with the deny inside, which I never liked.

Thank you for your help on this

Garrett

--- On Fri, 12/5/08, Mel <[EMAIL PROTECTED]> wrote:
From: Mel <[EMAIL PROTECTED]>
Subject: Re: IPFW Firewall Question
To: freebsd-questions@freebsd.org, [EMAIL PROTECTED]
Date: Friday, December 5, 2008, 6:02 AM

> On Friday 05 December 2008 01:26:04 G magicman wrote:
> > Why because of the following:
> >
> > 1. Hosts.access on freebsd works on the Application Layer instead of the
> > Network Layer Therefore Hosts.allow/hosts.deny no longer works the way i
> > want and i do not feel like running Sendmail and sshd out of Inetd which
> > appearantly is the only way to be able to use hosts.allow/deny
>
> You're right about the application layer, but not about the rest. From sshd(8):
>
>      /etc/hosts.allow
>      /etc/hosts.deny
>              Access controls that should be enforced by tcp-wrappers are
>              defined here. Further details are described in hosts_access(5).
>
> > 2. Next openssh doesnot have an AllowHosts directive like the Finnish one
> > does it only has an AllowUsers directive so i need to protect the system
> > from DDOS attacks
>
> Again, see above.
>
> > and Hacking I already tried to block things using the
> > Sendmail Access file but all that did was choak up the server with moronic
> > shit. And i want to be able to use my sftp program but it opens random
> > ports which can not be controlled so i need the Clearaddresses to be able
> > to see all ports.
>
> For the firewall, pf user here, so others should help. ;)
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules and never get to the software part.
Re: IPFW Firewall Question
G magicman wrote:
> 1. I need help to reconfigure my firewall on the server using BSD's ipfw

What part do you need to reconfigure?

> 2. short of a reboot how do you start stop and restart the firewall

Very, very carefully. Until I gained some extensive experience with IPFW, I would wrap the firewall restart within a sleep/undo of some sort. That said, now I use table(s) and set(s), so I can update rules without having to restart the firewall entirely. Below is an example that also will guide you in answering your next two questions. The man page and Google will explain how to use tables and sets.

To answer your question, however: depending on where your firewall script is, simply execute it at the command line, like this:

# /etc/ipfw.rules &

> Here is what i want :
>
> 1. i want all ports open to the ipaddresses in line 4 "clearaddresses"
> 2. I want to be able to control access to port 25 sendmail to be able to deny
> whole "A" "B" and "C" addresses

#!/bin/sh
flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw add"
table="/sbin/ipfw table"

$flush

# Tables
# "ipfw flush" leaves tables alone; clear them first so re-running the
# script does not fail on duplicate entries.
$table 1 flush
$table 2 flush
$table 3 flush

# Client/infrastructure IPs for allowing access
$table 1 add 208.70.104.0/21
$table 1 add 64.39.160.0/19
$table 1 add 67.158.64.0/20
#...etc

# SMTP ALLOWED OUTBOUND TABLE
$table 2 add 208.70.104.202/32
$table 2 add 208.70.104.203/32
$table 2 add 208.70.104.205/32
#...etc

# Block all inbound and outbound traffic for certain sites
# ...review periodically to see if they are still valid
$table 3 add 91.203.4.146/32   # phishing

# set 3 = specific deny/allow by ids
# set 4 = SSH access
# set 29 = for counting/testing traffic patterns
# set 30 = forwarding

# SET 3
# SQL
$cmd 2 set 3 deny all from any to any 1433,1434
# NetBIOS
$cmd 20100 set 3 allow tcp from 208.70.104.0/24 to 208.70.104.0/24 135,139,445,593 keep-state
$cmd 20105 set 3 allow udp from 208.70.104.0/24 to 208.70.104.0/24 135,139,445,593
$cmd 20110 set 3 deny all from any to any 135,139,445,593

# SET 4
$cmd 4 set 4 allow tcp from "table(1)" to any 22 keep-state
$cmd 40005 set 4 deny tcp from any to any 22

# SET 29
#$cmd 59000 set 29 count log logamount 100 tcp from any to any

# SET 30
$cmd 6 set 30 fwd 208.70.104.3,53 all from any to 209.167.16.10 53
$cmd 60005 set 30 fwd 208.70.106.59,53 all from any to 209.167.16.30 53

$cmd 64998 deny all from "table(3)" to any
$cmd 64999 deny all from any to "table(3)"
### end dummy ruleset

...if you want specific rule examples, just let me know. The above does pretty much what you want it to do. I've purposely left it up to you to do some further research. Tweaking a non-forgiving firewall remotely is not something you want to learn the hard way.

The benefit of tables is that you can have one rule, but manually add/remove specific addresses or prefixes on the fly without having to reload the rule. With sets, you can disable an entire block of rules, modify it, and reload it without restarting IPFW and thereby destroying your existing established rules.

Steve
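Steve's tables-and-sets approach carried through for the poster's two requirements, as an added example that is not Steve's script or anything else from the thread: the trusted prefixes and an SMTP blocklist go into tables, the rules are built into a disabled spare set and swapped live in one operation, and the sleep/undo he mentions is a background timer that swaps the old set back unless the change is confirmed. The set and table numbers, the trimmed port list, the blocklist prefixes and the PID file path are assumptions, as is the premise that the current rules live in set 0 (where rc.d-loaded rules go).

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the poster's policy with
# ipfw tables and loads it into a spare rule set, so the live set keeps
# serving traffic until the new one is swapped in atomically. Table numbers,
# set numbers, the trimmed port list, the blocklist entries and the PID file
# are assumptions; the trusted prefixes are the original "clearaddresses".
# Run with IPFW=echo to see the commands without touching the kernel.

IPFW=${IPFW:-/sbin/ipfw}
CLEAR_TABLE=1        # "clearaddresses": every port on this host
SMTP_DENY_TABLE=2    # prefixes refused on port 25
LIVE_SET=0           # set currently serving traffic (rc.d rules land in set 0)
STAGE_SET=2          # spare set; kept disabled while rules are loaded into it
GRACE=${GRACE:-90}   # seconds before an unconfirmed swap is rolled back
DEADMAN_PID=${DEADMAN_PID:-/var/run/ipfw-deadman.pid}
OPEN_PORTS="21,22,25,53,80,110,143,443"   # trimmed from the original list
CLEAR_ADDRESSES="209.131.0.0/16 66.65.0.0/16 71.173.96.0/19 71.173.128.0/17"
SMTP_DENY="192.0.2.0/24 198.51.100.0/24"  # constructed sample (RFC 5737 ranges)

# Print the rules for set $1, one ipfw command per line, so they can be
# reviewed (or tested) before being handed to ipfw. Each set gets its own
# rule-number range so the live and staged rules never collide.
emit_rules() {
    set_no=$1
    n=$(( (set_no + 1) * 10000 ))
    add() { echo "add $n set $set_no $*"; n=$((n + 10)); }

    add allow ip from any to any via lo0
    add deny ip from any to 127.0.0.0/8
    add deny ip from 127.0.0.0/8 to any
    add check-state
    # Trusted prefixes: all ports, both directions, via a table lookup so
    # entries can be added live without touching the rules.
    add allow ip from "table($CLEAR_TABLE)" to me keep-state
    add allow ip from me to "table($CLEAR_TABLE)" keep-state
    # The SMTP blocklist sits above the generic port allow: first match wins.
    add deny tcp from "table($SMTP_DENY_TABLE)" to me 25
    add allow tcp from any to me $OPEN_PORTS setup keep-state
    add allow udp from any to me 53 keep-state
    add allow icmp from any to me icmptypes 0,3,8,11
    add allow ip from me to any keep-state
    add deny log ip from any to any
}

# (Re)populate the tables. "ipfw flush" does not touch tables, so flush them
# explicitly; afterwards single entries can be added or removed live with
# "ipfw table N add|delete addr" while the rules stay loaded.
load_tables() {
    $IPFW -q table $CLEAR_TABLE flush
    for a in $CLEAR_ADDRESSES; do $IPFW -q table $CLEAR_TABLE add "$a"; done
    $IPFW -q table $SMTP_DENY_TABLE flush
    for a in $SMTP_DENY; do $IPFW -q table $SMTP_DENY_TABLE add "$a"; done
}

# Load the new rules into the disabled spare set, swap the two sets in one
# operation, then arm a dead-man switch that swaps them back unless
# confirm_rules runs within $GRACE seconds. A typo in a remote firewall then
# costs a short outage instead of a trip to the colo.
swap_in() {
    tmp=$(mktemp) || return 1
    $IPFW -q set disable $STAGE_SET
    $IPFW -q delete set $STAGE_SET 2>/dev/null || true   # empty on first run
    emit_rules $STAGE_SET > "$tmp"
    $IPFW -q "$tmp"                      # ipfw reads one command per line
    rm -f "$tmp"
    $IPFW -q set swap $STAGE_SET $LIVE_SET
    ( sleep "$GRACE" && $IPFW -q set swap $STAGE_SET $LIVE_SET ) &
    echo $! > "$DEADMAN_PID"
    echo "new rules live in set $LIVE_SET; run '$0 confirm' within ${GRACE}s"
}

# Run once the admin has checked that the session (and the services) still work.
confirm_rules() {
    kill "$(cat "$DEADMAN_PID")" 2>/dev/null || true
    rm -f "$DEADMAN_PID"
    $IPFW -q delete set $STAGE_SET 2>/dev/null || true   # drop the old rules
}

case ${1:-} in
    show)    emit_rules $STAGE_SET ;;
    apply)   load_tables && swap_in ;;
    confirm) confirm_rules ;;
esac
```

Review the output of "show" before "apply"; the trusted-prefix rules sit above the SMTP blocklist, so an address in both tables is still allowed on port 25, and the blocklist rule has to move up if that is not what you want. The swap works because a set's enabled/disabled flag belongs to the set number, not to the rules: the rules loaded into the disabled spare set become active the moment they are renumbered into the live set, and the old rules become the disabled ones.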
Re: IPFW Firewall Question
On Friday 05 December 2008 01:26:04 G magicman wrote:
> Why because of the following:
>
> 1. Hosts.access on freebsd works on the Application Layer instead of the
> Network Layer Therefore Hosts.allow/hosts.deny no longer works the way i
> want and i do not feel like running Sendmail and sshd out of Inetd which
> appearantly is the only way to be able to use hosts.allow/deny

You're right about the application layer, but not about the rest. From sshd(8):

     /etc/hosts.allow
     /etc/hosts.deny
             Access controls that should be enforced by tcp-wrappers are
             defined here. Further details are described in hosts_access(5).

> 2. Next openssh doesnot have an AllowHosts directive like the Finnish one
> does it only has an AllowUsers directive so i need to protect the system
> from DDOS attacks

Again, see above.

> and Hacking I already tried to block things using the
> Sendmail Access file but all that did was choak up the server with moronic
> shit. And i want to be able to use my sftp program but it opens random
> ports which can not be controlled so i need the Clearaddresses to be able
> to see all ports.

For the firewall, pf user here, so others should help. ;)

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: IPFW Firewall Question
Often discussed and advised...

On Thu, 4 Dec 2008 16:26:04 -0800 (PST), G magicman <[EMAIL PROTECTED]> wrote:
> here is part of the configuration file so far that the Co-lo people put in.
> [...]
> #!/usr/local/bin/bash

When possible, use the STANDARD form:

#!/bin/sh

Declare #!/usr/local/bin/bash only if you're intentionally using BASH-specific functionality that SH doesn't include. May save you lots of headache.

> 2. short of a reboot how do you start stop and restart the firewall

You can use ipfw's rc.d script:

# /etc/rc.d/ipfw start
# /etc/rc.d/ipfw stop
# /etc/rc.d/ipfw restart

Just a small note, but I hope it will help you.

-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
IPFW Firewall Question
1. I need help to reconfigure my firewall on the server using BSD's ipfw. Here is part of the configuration file so far that the Co-lo people put in.

2. Short of a reboot, how do you start, stop and restart the firewall?

#!/usr/local/bin/bash
export IPF="ipfw -q add"
ports="11 21 22 23 25 37 42 43 53 63 69 70 80 101 109 110 115 119 123 143 443 4321 50001"
clearaddresses="209.131.0.0/16 66.65.0.0/16 71.173.96.0/19 71.173.128.0/17 blah blah"
count=60

ipfw -q -f flush

$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
$IPF 50 allow icmp from any to any

# every address in $clearaddresses gets all ports, in both directions
for a in $clearaddresses; do
    $IPF $count allow ip from $a to any
    $IPF $(($count+1)) allow ip from any to $a
    count=$(($count+10))
done

# the first two rules match on the destination port, the last two on the
# source port: a packet whose source port is in $ports is let in whatever
# destination port it is aimed at
for p in $ports; do
    $IPF $count allow ip from any to any $p in
    $IPF $(($count+1)) allow ip from any to any $p out
    $IPF $(($count+2)) allow ip from any $p to any in
    $IPF $(($count+3)) allow ip from any $p to any out
    count=$(($count+10))
done

$IPF 5000 deny log all from any to any
echo Firewall created

Here is what I want:

1. I want all ports open to the IP addresses in line 4, "clearaddresses".
2. I want to be able to control access to port 25 (sendmail), to be able to deny whole "A", "B" and "C" addresses.

Why? Because of the following:

1. Hosts.access on FreeBSD works on the Application Layer instead of the Network Layer. Therefore hosts.allow/hosts.deny no longer works the way I want, and I do not feel like running Sendmail and sshd out of inetd, which apparently is the only way to be able to use hosts.allow/deny.

2. Next, OpenSSH does not have an AllowHosts directive like the Finnish one does; it only has an AllowUsers directive, so I need to protect the system from DDOS attacks and hacking. I already tried to block things using the Sendmail access file, but all that did was choke up the server with moronic shit. And I want to be able to use my sftp program, but it opens random ports which cannot be controlled, so I need the clearaddresses to be able to see all ports.