Re: Newbie firewall

2004-02-02 Thread Nicolas
Thank you again. Now it works fine.
Nicolas

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Newbie firewall

2004-02-02 Thread Nicolas
Vikash Badal - PCS wrote:

> Greetings,
>
> -----Original Message-----
> From: Nicolas [mailto:[EMAIL PROTECTED]
> Sent: 02 February 2004 12:28
> To: [EMAIL PROTECTED]
> Subject: Newbie firewall
>
> > Hope that somebody wants to waste some time on my question.
> > Many thanks Nicolas.
>
> If you have a look at /etc/rc.firewall,
> under the [Cc][Ll][Ii][Ee][Nn][Tt]) config,
> you will see :
>    # set these to your network and netmask and ip
>    net="192.0.2.0"
>    mask="255.255.255.0"
>    ip="192.0.2.1"
> The firewall rules are based on these values.
>
> You could try replacing the net= ...  with the network address
> and ip=... with the word "me"
> Vikash


Hello. Thanks for responding. I have put all the right values in net,
mask and ip. It was working yesterday. But then I changed rc.conf
and this morning it did not work. It could be the changes in rc.conf,
the change in IP address or both. I will try to put ip=me.
Thanks again.
Nicolas


Newbie firewall

2004-02-02 Thread Nicolas
Hello.
I want to use FreeBSD 5.2 on a standalone desktop and I am trying to put up a
firewall. For now I have been trying to use the client version in
rc.firewall. I have a LAN connection with a dynamic IP address.
How do I get rc.firewall to know that I have dynamic addresses?
It worked yesterday but when I turned my computer on today the IP address had
changed. The only changes I made in rc.firewall client were to put in my
net:
mask:
ip:
I made some changes also to rc.conf. It looks like this:

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="client"
hostname="Moak.prisma.fbsd"
ifconfig_sis0="DHCP"
kern_securelevel_enable="NO"
keymap="swedish.cp850"
linux_enable="YES"
lpd_enable="YES"
moused_enable="YES"
named_enable="YES"
network_interfaces="auto"
nfs_reserved_port_only="YES"
router_enable="NO"
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
sshd_enable="YES"
syslogd_enable="YES"
usbd_enable="YES"

Hope that somebody wants to waste some time on my question.
Many thanks Nicolas.



Re: Newbie firewall question

2004-01-28 Thread K Claussen
Nicolas wrote:

I have just installed 5.2 on my machine and everything works. Now I am
trying to configure it and I want to put up a firewall, but everything
I read seems to refer to a dial-up connection; I have a LAN connection. So
my question(s) is: is there a difference between a firewall for a dial-up
connection and a LAN connection? And if so, what is the difference,
where can I read about it and are there any good sites to look at? I have
The Complete FreeBSD, the handbook, Absolute FreeBSD.
I would be very grateful for some help or directions where to look.
Hi, Nicolas:

I just set up something similar. Not sure what kind of configuration
you're looking for, but here's an article that helped me a lot in
setting up my PC. It's an article on setting up a firewall/gateway using
PPPoE.

On a side note, setting up PPPoE in FreeBSD was infinitely simpler than
on my old Linux box.

That aside, this as well as the IPFW HOWTO got me all set up and running.

http://www.unixcircle.com/features/freebsd_pppoe.php

Good luck!
Kurt
--
Kurt Claussen <[EMAIL PROTECTED]>
SDF Public Access Unix System -- http://sdf.lonestar.org


Re: Newbie firewall question

2004-01-28 Thread Peder Blom
On Wed, 28 Jan 2004 07:15:46 +0100
Nicolas <[EMAIL PROTECTED]> wrote:

> Hello.
> I have just installed 5.2 on my machine and everything works. Now I am
> trying to configure it and I want to put up a firewall, but
> everything I read seems to refer to a dial-up connection; I have a LAN
> connection. So my question(s) is: is there a difference between a
> firewall for a dial-up connection and a LAN connection? And if so,
> what is the difference, where can I read about it and are there any
> good sites to look at? I have The Complete FreeBSD, the handbook,
> Absolute FreeBSD. I would be very grateful for some help or
> directions where to look. Many Thanks!!

If what you want is to set up a simple firewall for a standalone
computer connected via LAN to an ISP there are a number of informative
articles by Dru Lavigne on

http://www.onlamp.com/pub/ct/15



Re: Newbie firewall question

2004-01-28 Thread Vulpes Velox
On Wed, 28 Jan 2004 07:15:46 +0100
Nicolas <[EMAIL PROTECTED]> wrote:

> Hello.
> I have just installed 5.2 on my machine and everything works. Now I
> am trying to configure it and I want to put up a firewall, but
> everything I read seems to refer to a dial-up connection; I have a
> LAN connection. So my question(s) is: is there a difference between a
> firewall for a dial-up connection and a LAN connection? And if so,
> what is the difference, where can I read about it and are there any
> good sites to look at? I have The Complete FreeBSD, the handbook,
> Absolute FreeBSD. I would be very grateful for some help or
> directions where to look. Many Thanks!!

Check out ipfw. Should not really matter what the connection is
over... unless you specifically want a rule to apply to a device...


Newbie firewall question

2004-01-27 Thread Nicolas
Hello.
I have just installed 5.2 on my machine and everything works. Now I am
trying to configure it and I want to put up a firewall, but everything
I read seems to refer to a dial-up connection; I have a LAN connection. So
my question(s) is: is there a difference between a firewall for a dial-up
connection and a LAN connection? And if so, what is the difference,
where can I read about it and are there any good sites to look at? I have
The Complete FreeBSD, the handbook, Absolute FreeBSD.
I would be very grateful for some help or directions where to look.
Many Thanks!!


Re: Newbie Firewall Question

2003-07-12 Thread Herbert Wolverson
On Sat, Jul 12, 2003 at 12:33:47AM +0200, mempheria wrote:
> Q1:
> I just set up my first ipfw/with natd firewall :-)
> I run the preconfigured firewall type called "simple".
> Can anyone help me make a ruleset that blocks all to inside
> (except DHCP from my ISP & SSH from inside) and allows everything out?
> outside interface ep0 "DHCP"
> inside interface fxp0 "192.168.0.1"
>
> When I try to learn, and look at the "simple" configuration ruleset in rc.firewall, I
> go nuts.
> I mean, why are there natd rules? Isn't natd transparent? If I block all in, it should
> block all in for natd as well (?)

Answering your last questions first, natd isn't transparent because:
- it runs in userland (rather than kernelspace), so it doesn't see anything before
  the firewall.
- the flexibility to not run it, or closely control how it runs is appreciated
  in many situations (multiple divert rules, for example).

In other words, it could be transparent but that would annoy those of us with
weird/complex setups!

The trick with natd/ipfw is to realise that as soon as your divert rule runs,
you can ignore natd in your firewall rules: after the divert rule, all packets
show up with correct endpoints. Generally, that means running natd early.

A really basic firewall script to allow outbound traffic and deny inbound
would look something like this:

--- (snip)

# Clear the firewall
ipfw flush

# Run natd: divert everything crossing the outside interface to natd.
# Every rule after this one sees the translated (real) endpoints.
ipfw add divert natd all from any to any via ep0

# Allow established TCP sessions ("established" = ACK or RST bit set)
ipfw add allow tcp from any to any established

# Allow TCP setup (SYN without ACK) from local to anywhere
ipfw add allow tcp from 192.168.0.0/24 to any setup

# Allow SSH administration from inside
ipfw add allow tcp from 192.168.0.0/24 to me 22 setup

# Block all remaining TCP to the inside network
ipfw add deny tcp from any to 192.168.0.0/24

# Allow DNS
ipfw add allow udp from any 53 to any
ipfw add allow udp from any to any 53

# Allow DHCP (67/68 is DHCPv4; 546/547 is DHCPv6 and can be left out on an IPv4-only link)
ipfw add allow udp from any to any 546
ipfw add allow udp from any to any 547
ipfw add allow udp from any to any 67
ipfw add allow udp from any to any 68

# Block stupid MS UDP traffic
ipfw add deny udp from any to any 137-139

# Block low port UDP (safety measure, optional)
ipfw add deny udp from any to 192.168.0.0/24 1-1024

# Allow all udp (I generally don't do this!)
ipfw add allow udp from any to any

# Allow all icmp
ipfw add allow icmp from any to any

--- (snip)
This is from memory, so there may be something wrong with it. I
strongly recommend taking a look at the FreeBSD cheat sheets,
http://www.mostgraveconcern.com/freebsd/ , the handbook at freebsd.org,
"man ipfw", and "man natd".

> Q2:
> What is meant by stateful inspection? I guess ipfw doesn't have support for that.

Stateful inspection means that the firewall "keeps state" - in other words,
it remembers which connections are supposed to be allowed, rather than taking
the protocol's word for it; that way it can't be tricked into allowing certain
scans that work by faking the "established" flag in TCP connections. ipfw has
had this for a long time! (see "man ipfw" for details)

A non-stateful ruleset to allow only outgoing TCP traffic:
ipfw add allow tcp from any to any established
ipfw add allow tcp from 192.168.0.0/24 to any setup
ipfw add deny tcp from any to any

A stateful version of the same thing:
ipfw add check-state
ipfw add allow tcp from 192.168.0.0/24 to any setup keep-state
ipfw add deny tcp from any to any

The first set of rules will allow any TCP packet marked as being part
of an ongoing connection, and can be tricked into allowing certain scans
as a result. The second set automagically adds an ipfw rule for each
connection that passes the "keep-state" rule - in this case, any TCP
connection setup originating in the local subnet. Scans that attempt to
get in because they are marked "established" fail, because "check-state"
doesn't see a rule created by a matching outbound connection.

Note that there is a performance hit for using stateful rules. It isn't
huge, but for a busy firewall it is noticeable.

Also note that natd and check-state/keep-state don't like one another.
FreeBSD has two other firewalls (pf and ipf) to try if you really need
this functionality (you almost certainly don't!).

-- Herbert.
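To make the stateless-versus-stateful difference in Herbert's reply concrete, here is an added example that is not part of the original thread and is not real ipfw: a small Python model of how ipfw walks the two three-line rulesets above. It models "established" as "ACK or RST set", "setup" as "SYN set, ACK clear", and a keep-state match as a dynamic entry keyed on both endpoints that check-state consults; dynamic-rule timeouts, the implicit check-state ipfw performs on any keep-state rule, and natd are left out. The packets, the 203.0.113.0/24 remote addresses and the port numbers are constructed for the example.

```python
"""Toy model of ipfw's stateless 'established' match versus keep-state/check-state.

Added example: not the thread's ruleset and not real ipfw; addresses, ports and
packets below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")   # inside network from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "RST", "FIN"}


# ipfw match primitives used by the two rulesets in the reply
def is_setup(p):        # 'setup': SYN set, ACK clear (a new connection)
    return "SYN" in p.flags and "ACK" not in p.flags


def is_established(p):  # 'established': ACK or RST set, whoever set it
    return bool(p.flags & {"ACK", "RST"})


def lan_setup(p):       # 'tcp from 192.168.0.0/24 to any setup'
    return ip_address(p.src) in LAN and is_setup(p)


def any_tcp(p):         # 'tcp from any to any'
    return True


@dataclass
class Firewall:
    """Evaluates rules top to bottom; the first match decides, like ipfw."""
    rules: list                     # "check-state" or (action, match_fn, keep_state)
    dynamic: set = field(default_factory=set)

    @staticmethod
    def flow(p):
        # One key for both directions: an ipfw dynamic rule matches the replies too.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        for rule in self.rules:
            if rule == "check-state":
                if self.flow(p) in self.dynamic:
                    return "allow"   # dynamic rule carries the keep-state rule's action
                continue
            action, match, keep_state = rule
            if match(p):
                if keep_state:
                    self.dynamic.add(self.flow(p))
                return action
        return "deny"                # default rule 65535 on a default-to-deny kernel


STATELESS = [("allow", is_established, False),   # allow tcp from any to any established
             ("allow", lan_setup, False),        # allow tcp from 192.168.0.0/24 to any setup
             ("deny", any_tcp, False)]           # deny tcp from any to any

STATEFUL = ["check-state",                       # check-state
            ("allow", lan_setup, True),          # allow tcp from 192.168.0.0/24 to any setup keep-state
            ("deny", any_tcp, False)]            # deny tcp from any to any


def run_scenario(rules):
    """Constructed packets: a LAN-initiated connection, its reply, a forged ACK probe, a plain SYN."""
    fw = Firewall(list(rules))
    syn = Packet("192.168.0.10", 40000, "203.0.113.5", 80, frozenset({"SYN"}))
    synack = Packet("203.0.113.5", 80, "192.168.0.10", 40000, frozenset({"SYN", "ACK"}))
    # An ACK scan sends ACK-only segments for a connection that never existed.
    probe = Packet("203.0.113.9", 55555, "192.168.0.10", 22, frozenset({"ACK"}))
    inbound_syn = Packet("203.0.113.9", 55556, "192.168.0.10", 22, frozenset({"SYN"}))
    return {"outbound_syn": fw.filter(syn),
            "reply": fw.filter(synack),
            "ack_probe": fw.filter(probe),
            "inbound_syn": fw.filter(inbound_syn)}


if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("stateful", STATEFUL)):
        print(name, run_scenario(rules))
```

Running run_scenario over both rulesets shows the outbound SYN and its SYN/ACK reply allowed in both cases and an unsolicited inbound SYN denied in both, but the ACK-only probe to port 22 passes the stateless rules (it looks "established") and is dropped by the stateful ones, because no outbound connection ever created a matching dynamic entry for check-state to find.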


Newbie Firewall Question

2003-07-12 Thread mempheria
Q1:
I just set up my first ipfw/with natd firewall :-)
I run the preconfigured firewall type called "simple".
Can anyone help me make a ruleset that blocks all to inside
(except DHCP from my ISP & SSH from inside) and allows everything out?

When I try to learn, and look at the "simple" configuration ruleset in rc.firewall, I
go nuts.
I mean, why are there natd rules? Isn't natd transparent? If I block all in, it should
block all in for natd as well (?)

Q2:
What is meant by stateful inspection? I guess ipfw doesn't have support for that.

I'm sorry for being such a lamer and not reading the manuals better, but I guess this list is
for people like me :-)

Anyway, feel free to answer me, and here is the information you need to know:

outside interface ep0 "DHCP"
inside interface fxp0 "192.168.0.1"


/ Mempheria
