Re: IPFW Rule

2008-11-22 Thread Tom Marchand


On Nov 22, 2008, at 10:37 AM, Wojciech Puchar wrote:

> > > rule looks OK, but your message clearly suggests you DO NOT have IP
> > > forwarding enabled
> >
> > Interesting, sysctl reports that forwarding is enabled:
> >
> > $ sysctl -a |grep forward
> > net.inet.ip.forwarding: 1
>
> it's not that. it's about routing, not ipfw forwarding
>
> you need
>
> IPFIREWALL_FORWARD
>
> option in kernel.

Thanks, that was it.
___

freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: IPFW Rule

2008-11-22 Thread Wojciech Puchar
> > rule looks OK, but your message clearly suggests you DO NOT have IP
> > forwarding enabled
>
> Interesting, sysctl reports that forwarding is enabled:
>
> $ sysctl -a |grep forward
> net.inet.ip.forwarding: 1

it's not that. it's about routing, not ipfw forwarding

you need

IPFIREWALL_FORWARD

option in kernel.


Re: IPFW Rule

2008-11-22 Thread Chris Pratt


On Nov 22, 2008, at 5:43 AM, Tom Marchand wrote:

> On Nov 21, 2008, at 6:25 PM, Wojciech Puchar wrote:
>
> > > I am trying to add an IPFW rule to forward traffic but I keep
> > > getting the message "ipfw: getsockopt(IP_FW_ADD): Invalid
> > > argument".  The rule I am trying to add looks like this:
> > >
> > > ipfw add 600 fwd 192.169.2.3, 6000 tcp from 192.169.2.3 to any 80
> > >
> > > I do have IP Forwarding enabled.  Any ideas what I am doing wrong?
> >
> > rule looks OK, but your message clearly suggests you DO NOT have IP
> > forwarding enabled
>
> Interesting, sysctl reports that forwarding is enabled:
>
> $ sysctl -a |grep forward
> net.inet.ip.forwarding: 1
>
> IP forwarding is enabled in GENERIC isn't it?  I am running 6.1-RELEASE
> FreeBSD 6.1-RELEASE #0.

I'm looking at a 6.2 box that does forwarding. The GENERIC
kernel does not have this line:

options IPFIREWALL_FORWARD

In my kernel, I am using that. Recollection is you need this
specified explicitly. I could be wrong.






Re: IPFW Rule

2008-11-22 Thread Tom Marchand


On Nov 21, 2008, at 6:25 PM, Wojciech Puchar wrote:

> > I am trying to add an IPFW rule to forward traffic but I keep
> > getting the message "ipfw: getsockopt(IP_FW_ADD): Invalid
> > argument".  The rule I am trying to add looks like this:
> >
> > ipfw add 600 fwd 192.169.2.3, 6000 tcp from 192.169.2.3 to any 80
> >
> > I do have IP Forwarding enabled.  Any ideas what I am doing wrong?
>
> rule looks OK, but your message clearly suggests you DO NOT have IP
> forwarding enabled

Interesting, sysctl reports that forwarding is enabled:

$ sysctl -a |grep forward
net.inet.ip.forwarding: 1

IP forwarding is enabled in GENERIC isn't it?  I am running 6.1-RELEASE
FreeBSD 6.1-RELEASE #0.


Re: IPFW Rule

2008-11-21 Thread Wojciech Puchar
> I am trying to add an IPFW rule to forward traffic but I keep getting the
> message "ipfw: getsockopt(IP_FW_ADD): Invalid argument".  The rule I am
> trying to add looks like this:
>
> ipfw add 600 fwd 192.169.2.3, 6000 tcp from 192.169.2.3 to any 80
>
> I do have IP Forwarding enabled.  Any ideas what I am doing wrong?

rule looks OK, but your message clearly suggests you DO NOT have IP
forwarding enabled



Re: ipfw rule question ... all possible interfaces ?

2007-11-05 Thread Nikos Vassiliadis
On Monday 05 November 2007 02:10:12 Juri Mianovich wrote:
> Is there a way to tell ipfw:
>
> "all interfaces currently configured on this system" ?

That's not possible directly, I think.

> I have a laptop and at any time I could plug in a USB
> NIC or plug in a pccard, in addition to the onboard
> LAN and WIFI, either of which may or may not be
> configured at boot time.

Being configured or not isn't a problem for ipfw.
The interface is just a string and can be anything
regardless of validity, such as rl0, fxp0, blah etc.
Asterisks can also be used to denote shell-like
interface-name matching, e.g. rl*

>
> So the point is, the active, configured interfaces
> changes regularly.
>
> So if I have a rule like:
>
> allow ip from any to any via iwi0
>
> that won't work well, and neither will:
>
> allow ip from any to any via iwi0,abc0

I am not sure you have understood the "via" keyword correctly.
Read the ipfw manual. Not all packets have receive or transmit
interfaces, so that might be a problem you haven't considered.

Is "via" what you want?

> So is there any way to say "all interfaces currently
> configured" and have that rule apply to new interfaces
> automatically as they are added and subtracted from
> the system ?

You can use "me" which is an alias for "my IP addresses".

allow ip from any to me
allow ip from me to any

This ruleset effectively allows all traffic from you to
the world and from the world to you. Of course there is
no interface checking.

HTH, Nikos


Re: ipfw rule question ... all possible interfaces ?

2007-11-05 Thread Ian Smith
On Mon, 5 Nov 2007 00:22:00 + RW <[EMAIL PROTECTED]> wrote:
> On Sun, 4 Nov 2007 16:10:12 -0800 (PST)
> Juri Mianovich <[EMAIL PROTECTED]> wrote:
>
> >
> > Is there a way to tell ipfw:
> >
> > "all interfaces currently configured on this system" ?
> >
> >...
> >
> > So if I have a rule like:
> >
> > allow ip from any to any via iwi0
> >
>
> You don't have to use "via" in a rule.

That's true, though you can also specify 'via any'.  Whether either is
actually a good idea for the case in question may be another matter .. 

Cheers, Ian



RE: ipfw rule question ... all possible interfaces ?

2007-11-04 Thread Chris Haulmark

 
> 
> Is there a way to tell ipfw:
> 
> "all interfaces currently configured on this system" ?
> 
> I have a laptop and at any time I could plug in a USB
> NIC or plug in a pccard, in addition to the onboard
> LAN and WIFI, either of which may or may not be
> configured at boot time.
> 
> So the point is, the active, configured interfaces
> changes regularly.
> 
> So if I have a rule like:
> 
> allow ip from any to any via iwi0
> 
> that won't work well, and neither will:
> 
> allow ip from any to any via iwi0,abc0
> 
> So is there any way to say "all interfaces currently
> configured" and have that rule apply to new interfaces
> automatically as they are added and subtracted from
> the system ?

Try this:
allow ip from any to any

Just leave out "via"



Re: ipfw rule question ... all possible interfaces ?

2007-11-04 Thread RW
On Sun, 4 Nov 2007 16:10:12 -0800 (PST)
Juri Mianovich <[EMAIL PROTECTED]> wrote:

> 
> Is there a way to tell ipfw:
> 
> "all interfaces currently configured on this system" ?
> 
>...
> 
> So if I have a rule like:
> 
> allow ip from any to any via iwi0
>

You don't have to use "via" in a rule.


Re: ipfw rule deletion

2004-07-18 Thread Paul Schmehl
--On Sunday, July 18, 2004 11:43 AM -0600 Aaron Dalton
<[EMAIL PROTECTED]> wrote:

> I am using Doorman (http://doorman.sourceforge.net) as a port knocking
> daemon and I need to write a short script that adds and deletes rules to
> the ipfw firewall.  I can add them just fine, but I can't find the best
> way to delete them.  Is the only way to specify the exact rule number?

Yes.

Just use awk to extract the number.  One way to handle it would be to write
each add rule to a text file.  Then, when you want to delete the rule, you
grab the IP address from the text file, and then use awk to find the right
rule.  Something like this:

${fwcmd} delete $(${fwcmd} list | awk -v ip="$IP" '$0 ~ ip {print $1}')

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
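A fuller version of the approach Paul describes, added here as an example and not code from the thread or from Doorman: the rule numbers are looked up in the live `ipfw list` output by exact address token, so that 10.0.0.1 does not also match 10.0.0.10 (or, via an unescaped dot, 10.0.0x1), and a constructed listing stands in for the real one so the lookup can be exercised on a machine without ipfw. The names `fwcmd`, `rules_for_ip`, `delete_rules_for_ip` and `SAMPLE_LIST` are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the list post or from Doorman.
# Delete ipfw rules that mention a given address by looking the rule
# numbers up in `ipfw list` output instead of keeping a side file.

fwcmd="${fwcmd:-/sbin/ipfw}"   # assumed path; override via the environment

# Constructed sample of `ipfw list` output, used so the lookup can be
# tested offline. Note the 10.0.0.10 rule sitting between two 10.0.0.1 rules.
SAMPLE_LIST='00100 allow ip from any to any via lo0
00600 allow tcp from 10.0.0.1 to me 22
00601 allow tcp from 10.0.0.10 to me 22
00602 allow tcp from 10.0.0.1 to me 80
65535 deny ip from any to any'

# rules_for_ip IP   (ipfw listing on stdin)
# Print the number of every rule whose body contains IP as a whole
# whitespace-separated token. Comparing tokens rather than applying a
# regex avoids two mistakes: an unescaped "." matching any character,
# and 10.0.0.1 matching the prefix of 10.0.0.10. Addresses written as
# 10.0.0.1/32 or inside a comma list are deliberately not matched;
# extend the comparison if the add script writes them that way.
rules_for_ip() {
    awk -v ip="$1" '
        { for (i = 2; i <= NF; i++) if ($i == ip) { print $1; break } }'
}

# delete_rules_for_ip IP
# Remove every rule that rules_for_ip finds in the live ruleset.
# ipfw deletes *all* rules sharing a number, so the add script must give
# each knock-opened rule its own number for this to be safe.
delete_rules_for_ip() {
    "$fwcmd" list | rules_for_ip "$1" | while read -r num; do
        "$fwcmd" delete "$num"
    done
}

# Offline demonstration against the constructed listing:
# prints 00600 and 00602; the 10.0.0.10 rule is left alone.
printf '%s\n' "$SAMPLE_LIST" | rules_for_ip 10.0.0.1
```

On a real box the call is `delete_rules_for_ip 10.0.0.1` as root after the knock session ends; keeping `fwcmd` overridable lets the same script be pointed at a logging wrapper while it is being developed.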


Re: IPFW Rule set question...

2004-01-26 Thread Drew Robertson
Thanks for your reply.

I don't understand what you mean when you say NAT modifications... meaning 
how the packets are changed on the gateway to allow them to be seen as 
transparent from behind??

When I do a netstat -an while connected remotely it shows the connection on
SSH as coming from 203.10.10.38, but when I add a rule to allow everything
from that net it still won't allow access...

I did add the rule before the divert, but i still couldn't connect until i 
added an allow all manually...

i also tried opening up the ssh port to everyone, with allow tcp from any to 
me 22 via tl0, but that wouldn't allow a connection either...

It's a bit confusing...

Thanks again,

D


From: Lowell Gilbert <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "Drew Robertson" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: IPFW Rule set question...
Date: 24 Dec 2003 16:43:49 -0500
"Drew Robertson" <[EMAIL PROTECTED]> writes:

> I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it
> is dual homed, 2 NICs one for the internal LAN one running my cable
> modem.  Everything works fine on the internal side.
>
> When accessing the box using any of those apps from work, the system
> looks to briefly connect and then returns a "Connection Lost" or
> "Connection closed by remote host error".
>
> The command setup to allow in access is as follows...
>
> 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup
I assume these are supposed to have "keep-state" in them.
It *is* written that way in the full ruleset you posted lower down.
> when this didn't work I added another command at the start of the
> ruleset to just let everything in from a particular IP address range...
>
> 202 allow ip from 203.10.10.0/24 to any
>
> however this produced the same error...
>
> It wasn't until I allowed all from any to any that I was able to 
connect...

Then the packets aren't actually being seen as coming from that
address.  Maybe you're running into NAT modifications?
> When checking out the security log, it tells me that rule 820 is
> allowing access to my computer at home...
But only for SYN packets...

--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"



Re: IPFW Rule set question...

2003-12-24 Thread Rob
Just a very quick suggestion - when you get an initial connection that
closes almost immediately, it is usually TCP wrappers rather than a
firewall. Have you checked /etc/hosts.allow?

- Original Message -
From: "Drew Robertson" <[EMAIL PROTECTED]>
Subject: IPFW Rule set question...


>
> Hi everyone,
>
> Thanks to those who take the time to read and reply to these emails.
>
> I have a strange issue regarding my firewall (IPFW)...
>
> I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it is
> dual homed, 2 NICs one for the internal LAN one running my cable modem.
> Everything works fine on the internal side.
>
> When accessing the box using any of those apps from work, the system looks
> to briefly connect and then returns a "Connection Lost" or "Connection
> closed by remote host error".
>
> The command setup to allow in access is as follows...
>
> 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup
>
> when this didn't work I added another command at the start of the ruleset to
> just let everything in from a particular IP address range...
>
> 202 allow ip from 203.10.10.0/24 to any
>
> however this produced the same error...
>
> It wasn't until I allowed all from any to any that I was able to connect...
>
> When checking out the security log, it tells me that rule 820 is allowing
> access to my computer at home...
>
>
> Ruleset is attached completely below
>
> /sbin/ipfw -q -f flush
>
> # Set rules command prefix
> # The -q option on the command is for quiet mode.
> # Do not display rules as they load. Remove during development to see.
> cmd="/sbin/ipfw -q add"
>
> # Set defaults
> oif="tl0"# Nic card to cable modem public internet connection
> odns1="203.2.75.132"  # ISP's dns server IP address
>
> $cmd 00200 divert natd all from any to any via $oif
>
>
>   control section
>
> # Start of IPFW advanced Stateful Filtering using "dynamic" rules.
> # The check-state statement behavior is to match bi-directional packet traffic
> # flow between source and destination using protocol/IP/port/sequence number.
> # The dynamic rule has a limited lifetime which is controlled by a set of
> # sysctl(8) variables. The lifetime is refreshed every time a matching
> # packet is found in the dynamic table.
>
> # Allow the packet through if it has previously been added to the
> # the "dynamic" rules table by an allow keep-state statement.
>
> $cmd 00202 allow log all from 203.10.10.0/24 to any
> $cmd 00203 allow log all from any to any via tun0
>
> $cmd 00400 check-state
>
>
> # SAMBA File/Printer Sharing on Internal LAN
> $cmd 0410 allow log tcp from 192.168.1.0/24 to 192.168.1.0/24
> $cmd 0411 allow log udp from 192.168.1.0/24 to 192.168.1.0/24
>
> # Run all private LAN xl0 packet traffic through the dynamic rules
> # table so the IP address are in sync with Natd.
> $cmd 00500 allow log all from any to any via sis0 keep-state
>
> # Deny all fragments as bogus packets
> $cmd 00530 deny log all from any to any frag in via $oif
>
> # Deny  ACK packets that did not match the dynamic rule table
> $cmd 00540 deny log tcp from any to any established in via $oif
>
>   outbound section
>
> # Interrogate packets originating from behind the firewall, private net.
> # Upon a rule match, its keep-state option will create a dynamic rule.
>
> # Allow out non-secure standard http function
> $cmd 00600 allow log tcp  from any to any 80  out via $oif setup keep-state
>
> # Allow out secure www function https over TLS SSL
> $cmd 00601 allow log tcp  from any to any 443 out via $oif setup keep-state
>
> # Allow out access to my ISP's Domain name server.
> $cmd 00610 allow log tcp  from any to $odns1 53 out via $oif setup keep-state
> $cmd 00611 allow log udp  from any to $odns1 53 out via $oif keep-state
>
> # Allow out send & get email function
> $cmd 00630 allow log tcp from any to any 25,110 out via $oif setup keep-state
>
> # Allow out & in FBSD (make install & CVSUP)  functions
> # Basically give user id [ROOT]  "GOD"  privileges.
> $cmd 00640 allow log tcp from me to any out via $oif setup keep-state uid root
>
>   inbound section
>
> # Interrogate packets originating from in front of the firewall, public net.
>
> # Allow in www http access to my apache server
> #$cmd 00800 allow log tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
>
> # Allow  TCP FTP control channel in & data channel out
> $cmd 00810 allow log tcp from any to me 21  in via $oif setup keep-state limit src-addr 4
> $cmd 00811 allow log tcp from any 20 to any 1024-49151 out via $oif setup keep limit src-addr 4
>
> # Allow in ssh function
> $cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4
>
> # Allow in

Re: IPFW Rule set question...

2003-12-24 Thread Lowell Gilbert
"Drew Robertson" <[EMAIL PROTECTED]> writes:

> I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it
> is dual homed, 2 NICs one for the internal LAN one running my cable
> modem.  Everything works fine on the internal side.
> 
> When accessing the box using any of those apps from work, the system
> looks to briefly connect and then returns a "Connection Lost" or
> "Connection closed by remote host error".
> 
> The command setup to allow in access is as follows...
> 
> 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup

I assume these are supposed to have "keep-state" in them.
It *is* written that way in the full ruleset you posted lower down.

> when this didn't work I added another command at the start of the
> ruleset to just let everything in from a particular IP address range...
> 
> 202 allow ip from 203.10.10.0/24 to any
> 
> however this produced the same error...
> 
> It wasn't until I allowed all from any to any that I was able to connect...

Then the packets aren't actually being seen as coming from that
address.  Maybe you're running into NAT modifications?

> When checking out the security log, it tells me that rule 820 is
> allowing access to my computer at home...

But only for SYN packets...


-- 
Lowell Gilbert, embedded/networking software engineer, Boston area: 
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"