Re: IPFW Problems
On 4/21/06, RW <[EMAIL PROTECTED]> wrote:
> On Thursday 20 April 2006 05:14, Andrew Pantyukhin wrote:
> > Yes. 'setup' is from "semi-stateful" firewall functionality while
> > 'keep-state' is from fully stateful one. You can't use both in
> > one rule without strange consequences. Just delete 'setup'
> > words in both rules - it'll probably be fine.
>
> Yes you can. When I used IPFW I did it that way and never had any problems.

My mistake.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: IPFW Problems
On Thursday 20 April 2006 05:14, Andrew Pantyukhin wrote:
> On 4/20/06, Drew Tomlinson <[EMAIL PROTECTED]> wrote:
> > On 4/17/2006 2:29 PM Noah Silverman wrote:
> > > ipfw add 00280 allow tcp from any to any 22 out via bge0 setup
> > > keep-state
> > > ipfw add 00299 deny log all from any to any out via bge0
> > > ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> > > src-addr 2
> >
> > I think this line is your problem. "setup" matches the initial packet
> > with the syn flag set. However since you have not added "keep-state",
> > no rule gets added to the dynamic rule set for this connection.

"limit" creates a dynamic rule, just like keep-state.

> Yes. 'setup' is from "semi-stateful" firewall functionality while
> 'keep-state' is from fully stateful one. You can't use both in
> one rule without strange consequences. Just delete 'setup'
> words in both rules - it'll probably be fine.

Yes you can. When I used IPFW I did it that way and never had any problems.

All it's saying is that a dynamic rule can only be set up by the legitimate
first packet of a tcp handshake, and not by an out-of-sequence tcp packet.
Once the dynamic rule exists, it passes packets with any tcp flags.
Re: IPFW Problems
On 4/20/06, Drew Tomlinson <[EMAIL PROTECTED]> wrote:
> On 4/17/2006 2:29 PM Noah Silverman wrote:
> > Hi,
> >
> > I have a system with a 4.11 Kernel. Unless I'm doing something very
> > wrong, there seems to be something odd with ipfw.
> >
> > Take the following rules:
>
> I assume above this you have "ipfw add check-state" defined? This is
> the rule that's required to get ipfw to check its dynamic rule set.
> Without it, "keep-state" rules will never work.

No, this is not required. The dynamic rules are checked at the first
keep-state or limit, too.

> > ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> > ipfw add 00299 deny log all from any to any out via bge0
> > ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> > src-addr 2
>
> I think this line is your problem. "setup" matches the initial packet
> with the syn flag set. However since you have not added "keep-state",
> no rule gets added to the dynamic rule set for this connection.
> Subsequent packets don't match because "syn" is not set. Thus they hit
> rule 499 and are denied.

Yes. 'setup' is from "semi-stateful" firewall functionality while
'keep-state' is from fully stateful one. You can't use both in
one rule without strange consequences. Just delete 'setup'
words in both rules - it'll probably be fine.
Re: IPFW Problems
On 4/17/2006 2:29 PM Noah Silverman wrote:
> Hi,
>
> I have a system with a 4.11 Kernel. Unless I'm doing something very
> wrong, there seems to be something odd with ipfw.
>
> Take the following rules:

I assume above this you have "ipfw add check-state" defined? This is
the rule that's required to get ipfw to check its dynamic rule set.
Without it, "keep-state" rules will never work.

> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> src-addr 2

I think this line is your problem. "setup" matches the initial packet
with the syn flag set. However since you have not added "keep-state",
no rule gets added to the dynamic rule set for this connection.
Subsequent packets don't match because "syn" is not set. Thus they hit
rule 499 and are denied.

> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the box.
> An inspection of the logs shows that rule 499 is being triggered by an
> attempted incoming connection.
>
> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2?? If so, how do I do that.

Add 'ipfw2=TRUE' to /etc/make.conf. Then the next time you build world
and kernel, you'll have ipfw2. There's probably a way to just recompile
the ipfw part but I've always just done the whole thing.

HTH,

Drew

--
Visit The Alchemist's Warehouse
Magic Tricks, DVDs, Videos, Books, & More!
http://www.alchemistswarehouse.com
Re: IPFW Problems?
Hello!

On Tue, 18 Apr 2006, Tod McQuillin wrote:
> > Add:
> >
> > options IPFW2
> >
> > ...to your kernel config file and rebuild the kernel (and world also,
> > probably).
>
> Yes, you need to rebuild the userland too, which means you also need
> IPFW2=true in /etc/make.conf before you build world.

It's absolutely necessary, after installation of the new kernel with
'options IPFW2', to add 'IPFW2=true' in /etc/make.conf and rebuild+reinstall
_at least_ /sbin/ipfw, then /usr/lib/libalias.* and /sbin/natd (which
depends on libalias), e.g.

cd /usr/src/sbin/ipfw
make obj && make depend all install
cd /usr/src/lib/libalias
make obj && make depend all install
cd /usr/src/sbin/natd
make obj && make depend all install

(note that natd doesn't depend on IPFW2, but links against libalias which
does, so the sequence libalias -> natd is critical).

I haven't found other parts of the base OS in RELENG_4 which depend on
IPFW2, though I may have missed something. Also every custom utility which
utilizes it must also be recompiled with IPFW2 defined and rebuilt (and
those using libalias must be rebuilt).

Sincerely,
Dmitry
--
Atlantis ISP, System Administrator
e-mail: [EMAIL PROTECTED]
nic-hdl: LYNX-RIPE
Re: IPFW Problems?
On Mon, 17 Apr 2006, Charles Swiger wrote:
> Add:
>
> options IPFW2
>
> ...to your kernel config file and rebuild the kernel (and world also,
> probably).

Yes, you need to rebuild the userland too, which means you also need
IPFW2=true in /etc/make.conf before you build world.
--
Tod
Re: IPFW Problems?
On Tuesday 18 April 2006 00:42, Chuck Swiger wrote:
> David Wolfskill wrote:
> > I thought check-state was fairly optional; ref:
> >
> > These dynamic rules, which have a limited lifetime, are checked at
> > the first occurrence of a check-state, keep-state or limit rule, and are
> > typically used to open the firewall on-demand to legitimate traffic
> > only. See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> > information on the stateful behaviour of ipfw.
> >
> > (from "man ipfw" on a 4.11 system).
>
> Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state"
> isn't going to match inbound established traffic, right?

But the man page doesn't say *matching* rule, it says: "the first
occurrence of a check-state, keep-state or limit rule". It is pretty
vague though. The inference I take from this is that check-state mostly
exists so you can force an early, fast hash-table lookup.
Re: IPFW Problems
On Monday 17 April 2006 22:29, Noah Silverman wrote:
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.

What happens when you replace "limit src-addr 2" with keep-state? If that
works, replace it with "limit src-addr 200" and work down.
Re: IPFW Problems
--On April 17, 2006 5:20:27 PM -0700 Noah Silverman <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm doing this over an SSH connection, so I can't see the console. If I
> do it wrong, I get locked out and have to initiate a remote reboot. Fun!

Once you've ssh'd in to the box, can you ssh out? And what does ipfw show
reveal? Can you add a rule prior to your incoming ssh rule that allows all
traffic from your IP so you can stay connected while you test?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
Re: IPFW Problems
Hi,

I'm doing this over an SSH connection, so I can't see the console. If I do
it wrong, I get locked out and have to initiate a remote reboot. Fun!

Thanks!

-N

On Apr 17, 2006, at 5:10 PM, Paul Schmehl wrote:
> --On April 17, 2006 2:29:23 PM -0700 Noah Silverman <[EMAIL PROTECTED]> wrote:
> > I have a system with a 4.11 Kernel. Unless I'm doing something very
> > wrong, there seems to be something odd with ipfw.
> >
> > Take the following rules:
> >
> > ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> > ipfw add 00299 deny log all from any to any out via bge0
> > ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> > src-addr 2
> > ipfw add 00499 deny log all from any to any in via bge0
> >
> > In theory, this should allow in SSH and nothing else.
> >
> > When I install this firewall configuration, I'm locked out of the box.
> > An inspection of the logs shows that rule 499 is being triggered by an
> > attempted incoming connection.
>
> What does "ipfw show" reveal regarding connection stats? If you're at
> the console, can you ssh out to some other box?
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/
Re: IPFW Problems
--On April 17, 2006 2:29:23 PM -0700 Noah Silverman <[EMAIL PROTECTED]> wrote:
> I have a system with a 4.11 Kernel. Unless I'm doing something very
> wrong, there seems to be something odd with ipfw.
>
> Take the following rules:
>
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the box.
> An inspection of the logs shows that rule 499 is being triggered by an
> attempted incoming connection.

What does "ipfw show" reveal regarding connection stats? If you're at
the console, can you ssh out to some other box?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
Re: IPFW Problems?
I tried it with: "ipfw add 00015 check-state"

I still get locked out :(

This is the "standard" firewall from the openbsd manual (on the website.)
I don't understand why it wouldn't work "as is".

Thanks,

-N

On Apr 17, 2006, at 4:42 PM, Chuck Swiger wrote:
> David Wolfskill wrote:
> > On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
> > > [ ...redirected to freebsd-questions... ]
> >
> > Thanks for doing that!
>
> It seemed appropriate. :)
>
> > > [ ... ]
> > > You don't have a check-state rule anywhere, so you either need to add
> > > one or a rule to pass established traffic to and from port 22.
> >
> > I thought check-state was fairly optional; ref:
> >
> > These dynamic rules, which have a limited lifetime, are checked at
> > the first occurrence of a check-state, keep-state or limit rule, and are
> > typically used to open the firewall on-demand to legitimate traffic
> > only. See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> > information on the stateful behaviour of ipfw.
> >
> > (from "man ipfw" on a 4.11 system).
>
> Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state"
> isn't going to match inbound established traffic, right? So the dynamic
> rule checking doesn't actually fire, so the "add 00499 deny log all from
> any to any" rule fires and blocks it.
>
> Doing a "ipfw add 10 check-state" would probably make SSH go for the
> original poster...
>
> --
> -Chuck
Re: IPFW Problems?
David Wolfskill wrote:
> On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
> > [ ...redirected to freebsd-questions... ]
>
> Thanks for doing that!

It seemed appropriate. :)

> > [ ... ]
> > You don't have a check-state rule anywhere, so you either need to add
> > one or a rule to pass established traffic to and from port 22.
>
> I thought check-state was fairly optional; ref:
>
> These dynamic rules, which have a limited lifetime, are checked at
> the first occurrence of a check-state, keep-state or limit rule, and are
> typically used to open the firewall on-demand to legitimate traffic
> only. See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> information on the stateful behaviour of ipfw.
>
> (from "man ipfw" on a 4.11 system).

Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state"
isn't going to match inbound established traffic, right? So the dynamic
rule checking doesn't actually fire, so the "add 00499 deny log all from
any to any" rule fires and blocks it.

Doing a "ipfw add 10 check-state" would probably make SSH go for the
original poster...

--
-Chuck
Re: IPFW Problems?
On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
> ...
> [ ...redirected to freebsd-questions... ]

Thanks for doing that!

> ...
> You don't have a check-state rule anywhere, so you either need to add
> one or a rule to pass established traffic to and from port 22.

I thought check-state was fairly optional; ref:

These dynamic rules, which have a limited lifetime, are checked at
the first occurrence of a check-state, keep-state or limit rule, and are
typically used to open the firewall on-demand to legitimate traffic
only. See the STATEFUL FIREWALL and EXAMPLES Sections below for more
information on the stateful behaviour of ipfw.

(from "man ipfw" on a 4.11 system).

Peace,
david
--
David H. Wolfskill [EMAIL PROTECTED]
Mail filters, like sewers, need to be most restrictive at the point of entry.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
Re: IPFW problems connecting to port 25!
> Aye, there's the rub. Last rule is usually
> "deny ip from any to any"; somewhere above
> that, but after the setup rules is "allow ip from
> any to my.ip.add.ress established"* ... it does
> no good to allow the setup packets but no
> further data
>
> Kevin Kinsey
> DaleCo S.P.
>
> *instead of "allow ip" this could conceivably
> be protocol specific, e.g. if you only have tcp
> services available, "allow tcp from any to {me} established"

OK, I figured out the problem. I moved the SMTP line from 04010 to 03001,
top of the list. Rebooted the machine, and it now works.

Thanks to all who pitched in with comments...
Re: IPFW problems connecting to port 25!
> Aye, there's the rub. Last rule is usually
> "deny ip from any to any"; somewhere above
> that, but after the setup rules is "allow ip from
> any to my.ip.add.ress established"* ... it does
> no good to allow the setup packets but no
> further data
>
> Kevin Kinsey
> DaleCo S.P.
>
> *instead of "allow ip" this could conceivably
> be protocol specific, e.g. if you only have tcp
> services available, "allow tcp from any to {me} established"

Below is the rc.firewall.rules file. I found this on a How To website; I
just removed most of the NAT stuff because this is just a VERY SMALL
web/email/test server. I have added what you had mentioned above, but it
still does not connect to port 25. What do I have wrong?

Thanks for all your help...

# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0

# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
#IMAP-SSL
add 04001 allow tcp from any to me dst-port 143 in via xl0 setup keep-state
# NTP
add 04002 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04003 allow udp from any to me dst-port 123 in via xl0 keep-state
#webmin
add 04004 allow tcp from any to me dst-port 1 in via xl0 setup keep-state
#http
add 04005 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
# DNS
add 04006 allow udp from any to me dst-port 53 in via xl0
#POP
add 04007 allow tcp from any to me dst-port 110 in via xl0 setup keep-state
add 04008 allow tcp from any to me dst-port 443 in via xl0 setup keep-state
#IMAPS
add 04009 allow tcp from any to me dst-port 993 in via xl0 setup keep-state
#SMTP
add 04010 allow tcp from any to me smtp in via xl0 setup
add 04011 allow tcp from any to me established
add 04012 allow udp from any to me established
# drop everything else
add 04020 deny ip from any to me

# allow all outgoing traffic from the router
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 5 deny ip from any to me dst-port 135,137-139,445,4665
add 6 deny log tcp from any to any established
add 60001 deny log ip from any to any
Re: IPFW problems connecting to port 25!
[EMAIL PROTECTED] wrote:
> [snip]
> > You do have a rule for established connections?
> >
> > Kevin Kinsey
> > DaleCo S.P.
>
> you know the only rule i have for that is
>
> add 6 deny log tcp from any to any established
>
> I am assuming this is incorrect?

Aye, there's the rub. Last rule is usually
"deny ip from any to any"; somewhere above
that, but after the setup rules is "allow ip from
any to my.ip.add.ress established"* ... it does
no good to allow the setup packets but no
further data

Kevin Kinsey
DaleCo S.P.

*instead of "allow ip" this could conceivably
be protocol specific, e.g. if you only have tcp
services available, "allow tcp from any to {me} established"
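The mechanics argued across both threads (that "setup" alone matches only the SYN, that keep-state and limit create a dynamic rule which is consulted at the first check-state, keep-state or limit rule even when no check-state rule exists, and Kevin Kinsey's point above that a "setup" rule with nothing to pass established traffic leaves the rest of the connection to the final deny) can be checked against a small model. The Python below is an added illustration written for this page; it is not ipfw's code and not from any poster. It follows the ipfw(8) text quoted in the other thread, models only the keywords discussed, uses constructed addresses (198.51.100.10 standing in for "me", 203.0.113.7 as the client) and constructed minimal rulesets rather than the posters' full ones, and does not model the per-address count that "limit src-addr N" enforces.

```python
# Toy model of ipfw's stateful matching, as described in the thread and the
# quoted ipfw(8) text.  Added illustration only: not ipfw's own code, and it
# models only setup / established / keep-state / limit / check-state.
from dataclasses import dataclass
from typing import Optional

ME = "198.51.100.10"      # constructed address standing in for ipfw's "me"
CLIENT = "203.0.113.7"    # constructed remote peer


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out"
    flags: frozenset      # subset of {"SYN", "ACK", "RST"}; TCP assumed throughout


@dataclass
class Rule:
    num: int
    action: str           # "allow", "deny" or "check-state"
    dst: str = "any"      # "any" or "me"
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False        # SYN set and ACK clear: first packet of a handshake
    established: bool = False  # ACK or RST set
    keep_state: bool = False
    limit: bool = False        # creates state like keep-state; per-address count not modelled

    @property
    def stateful(self) -> bool:
        return self.action == "check-state" or self.keep_state or self.limit


def static_match(r: Rule, p: Packet) -> bool:
    """Does the rule's static part match?  check-state has no static part."""
    if r.action == "check-state":
        return False
    if r.dst == "me" and p.dst != ME:
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.direction is not None and p.direction != r.direction:
        return False
    if r.setup and not ("SYN" in p.flags and "ACK" not in p.flags):
        return False
    if r.established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def flow_key(p: Packet) -> frozenset:
    """Direction-independent endpoint pair identifying a connection."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}  # flow_key -> action of the rule that created the entry

    def check(self, p: Packet) -> str:
        for r in self.rules:
            # Dynamic rules are consulted at the first check-state, keep-state or
            # limit rule encountered, whether or not its static part matches.
            if r.stateful and flow_key(p) in self.dynamic:
                return self.dynamic[flow_key(p)]
            if static_match(r, p):
                if r.keep_state or r.limit:
                    self.dynamic[flow_key(p)] = r.action
                return r.action
        return "deny"      # stands in for the default deny at the end of the set


SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
DENY_ALL = Rule(65535, "deny")


def handshake(port: int):
    """Client -> me on `port`: SYN in, SYN-ACK out, ACK in, then one data segment in."""
    return [Packet(CLIENT, 50000, ME, port, "in", SYN),
            Packet(ME, port, CLIENT, 50000, "out", SYNACK),
            Packet(CLIENT, 50000, ME, port, "in", ACK),
            Packet(CLIENT, 50000, ME, port, "in", ACK)]


def verdicts(rules, packets):
    fw = Firewall(rules)
    return [fw.check(p) for p in packets]


def setup_only(established_rule: bool):
    """Port-25 thread: 'setup' alone passes the SYN and nothing after it; an
    'established' allow rule above the final deny lets the rest through."""
    rules = [Rule(100, "allow", dst="me", dport=25, direction="in", setup=True),
             Rule(200, "allow", direction="out"), DENY_ALL]
    if established_rule:
        rules.append(Rule(300, "allow", dst="me", established=True))
    return verdicts(rules, handshake(25))


def stateful_handshake(use_limit: bool = False, check_state: bool = False):
    """'setup keep-state' or 'setup limit': the dynamic rule created by the SYN
    passes the reply and every later packet, with or without a check-state rule."""
    rules = [Rule(100, "allow", dst="me", dport=22, direction="in", setup=True,
                  keep_state=not use_limit, limit=use_limit), DENY_ALL]
    if check_state:
        rules.append(Rule(10, "check-state"))
    return verdicts(rules, handshake(22))


def stray_ack(setup: bool):
    """An ACK with no preceding handshake: with 'setup' it creates no state and is
    denied; without 'setup', keep-state opens a dynamic rule for it."""
    fw = Firewall([Rule(100, "allow", dst="me", dport=22, direction="in",
                        setup=setup, keep_state=True), DENY_ALL])
    verdict = fw.check(Packet(CLIENT, 50001, ME, 22, "in", ACK))
    return verdict, len(fw.dynamic)


if __name__ == "__main__":
    print("setup only, no established rule: ", setup_only(False))
    print("setup + established rule:        ", setup_only(True))
    print("setup keep-state, no check-state:", stateful_handshake())
    print("setup limit + check-state:       ", stateful_handshake(True, True))
    print("stray ACK with / without setup:  ", stray_ack(True), stray_ack(False))
```

Each scenario returns one verdict per packet of the handshake. The first two reproduce the port-25 exchange: the SYN is allowed but the client's ACK and data fall through to the final deny until an "established" (or stateful) rule sits above it. The third and fourth show the man-page behaviour RW points to, the dynamic lookup happening at the first keep-state or limit rule so that check-state only moves it earlier. The last shows why "setup" is worth keeping next to keep-state: without it, a packet that was never part of a handshake can open a dynamic rule.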
Re: IPFW problems connecting to port 25!
[snip]
> You do have a rule for established connections?
>
> Kevin Kinsey
> DaleCo S.P.

You know the only rule I have for that is

add 6 deny log tcp from any to any established

I am assuming this is incorrect?
Re: IPFW problems connecting to port 25!
[EMAIL PROTECTED] wrote:
> I have IPFW setup, and in my ruleset I have the following lines
>
> add 04009 allow tcp from any to me dst-port 80 in via xl0 setup
> add 04010 allow tcp from any to me dst-port 25 in via xl0 setup
>
> however if I enable the firewall and try to telnet into port 25, it
> cannot connect.. BUT if I disable the firewall I have NO problems. With
> the firewall enabled I can browse my webserver with no problem, but I
> cannot connect to port 25.. Any suggestions?
>
> FreeBSD 5.1-Current
>
> ipfw disable firewall
> I can access port 25 remotely
>
> ipfw enable firewall
> it cannot connect to port 25 remotely

You do have a rule for established connections?

Kevin Kinsey
DaleCo S.P.