Re: Looking for ipfw info.

2004-03-20 Thread Tony Frank
Hi there,

On Thu, Feb 26, 2004 at 01:13:08PM -0500, Shaun T. Erickson wrote:
 Thanks for the resources.
 
 A couple of questions (because I'm new to FreeBSD):
 
 The ipfw man page in 5.2.1-RELEASE says that ipfw in CURRENT is ipfw2 
 and that ipfw in STABLE is ipfw1. I still don't understand the 
 relationship between RELEASE and the other two, so I am not sure which 
 ipfw I have in 5.2.1-RELEASE.

If you are using ipfw on 5.2.1 you have ipfw2.

Brief summary:

-STABLE is at the moment based on FreeBSD 4.
-CURRENT is based on FreeBSD 5.

A -RELEASE is a snapshot of the state of the code at a particular point in
time.  5.2.1-RELEASE is based on FreeBSD 5.

Perhaps this page can help explain:
http://www.freebsd.org/releng/index.html 

There's also more detail on the various tags at:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html

To get ipfw2 on 4.9 you need to recompile with the ipfw2 option in the 
kernel config - the ipfw man page has a section on this aspect.

On a version note, while I personally have not experienced any problems 
running 5.2.1 it is a bit more bleeding edge than 4.9 for example.
4.9 is recommended if you want maximum stability for the moment.

 I have read the following 5 excellent articles on ipfw, by Dru Lavigne. 
 Even though they were written in 2001, and thus pre-date ipfw2, I found 
 them to be a great crash course in ipfw, and the ipfw manpage in 
 5.2.1-RELEASE just adds to it.
 
 In Dru's first article, she(?) discusses how the kernel must be modified 
 to support a firewall. She looks into /usr/src/sys/i386/conf/LINT to 
 find the relevant information that needs to be added to my kernel conf 
 file. I cannot find a LINT file on my 5.2.1-RELEASE system. Where can I 
 find complete information on what I need to do to my kernel?

4.9 and older used LINT to list all options for kernel config, 5 and 
onwards use a file called NOTES.

There's one of these under /usr/src/sys/conf (for machine independent bits)
and another under /usr/src/sys/i386/conf for i386 related (also other arch 
have their own)

Refer to the following pages for more info:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/kernelconfig.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html

/etc/rc.firewall is the best place to start for some sample rules and the 
ipfw man page is really quite good.

With 5.2.1 you should not need to recompile a kernel to use ipfw or any of
the other supported firewalls (ipfilter and pf).
Which firewall you choose to go with is your choice.

If you intend to use the ipfw divert rule and natd you will probably need to
compile a new kernel with the divert option added to the kernel config,
i.e.:

options IPDIVERT

If you have firewall_enable=YES in your /etc/rc.conf the kld should be
loaded at boot time and the config will be pulled in from /etc/rc.firewall
so you can start with firewall_type=SIMPLE or whatever to get you going.

Basically, start with the man pages; they cover just about everything.
There is also the faq:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/networking.html

For natd specifically:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

There is a lot of good information on the FreeBSD website so start there.
For ipfw specifically you can also search or browse the freebsd-ipfw mailing
list.
For other firewalls you can find specific lists or try freebsd-net for 
some questions.
In general, search the archives first to see if your question hasn't already
been answered.

http://www.freebsd.org/search/search.html#mailinglists

Hope it helps,

Tony
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Looking for ipfw info.

2004-02-26 Thread Jonathan Chen
On Thu, Feb 26, 2004 at 02:49:55PM -0500, Shaun T. Erickson wrote:

[...]
 Can someone who isn't trying to sell me something, corroborate anything 
 he's said? It would be nice to hear from someone else, too. :)

Here's an example of using ipfw+natd with stateful rules. The basic
idea is to use the stateful rules on the inside interfaces:

http://lists.freebsd.org/pipermail/freebsd-questions/2004-January/032694.html

Cheers.
-- 
Jonathan Chen [EMAIL PROTECTED]
--
   Do not take life too seriously.
   You will never get out of it alive.

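An added example, not taken from any post in this thread, of the ipfw+natd setup Tony outlines (firewall_enable/natd in rc.conf, a divert rule for natd) combined with the stateful-on-the-inside-interface idea Jonathan points at. Everything below is assumed for illustration: fxp0 as the outside interface, fxp1 as the LAN interface, 192.168.1.0/24 as the LAN, the rule numbers, and the rc.conf lines in the header comment. The script follows the /etc/rc.firewall convention of driving ipfw through a ${fwcmd} variable, so it can be run with fwcmd=echo to print the rules it would load.

```shell
#!/bin/sh
# Added example: a stateful ipfw ruleset with natd, in the style of
# /etc/rc.firewall.  Not from any post in this thread.  Assumed layout:
#   fxp0 = outside interface (public address, NAT done by natd)
#   fxp1 = inside interface, LAN 192.168.1.0/24
# Assumed /etc/rc.conf lines that go with it:
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.sh"     # this file
#   natd_enable="YES"
#   natd_interface="fxp0"
# Run with fwcmd=echo to print the rules instead of loading them.

fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-fxp0}"
iif="${iif:-fxp1}"
inet="${inet:-192.168.1.0/24}"

load_rules() {
    ${fwcmd} -f flush

    # Loopback: allow it, and refuse 127/8 on any other interface.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: LAN addresses never legitimately arrive on the outside
    # interface.  These rules sit before the divert rule, so they see the
    # addresses as they came off the wire.
    ${fwcmd} add 400 deny log ip from ${inet} to any in via ${oif}
    ${fwcmd} add 500 deny log ip from any to ${inet} in via ${oif}

    # NAT.  Everything crossing the outside interface is handed to natd and
    # reinjected at the next rule, so the rules below see translated
    # addresses: outbound packets carry the public source, inbound replies
    # the private destination.
    ${fwcmd} add 1000 divert natd ip from any to any via ${oif}

    # Dynamic rules created by keep-state below are consulted here.
    ${fwcmd} add 1100 check-state

    # Stateful check on the inside interface: the state entry is recorded
    # with the private LAN address, which is what the reply carries once
    # natd has translated it at rule 1000, so check-state matches the reply.
    ${fwcmd} add 1200 allow ip from ${inet} to any in via ${iif} keep-state

    # Traffic originated by the firewall itself.  Post-NAT LAN packets also
    # carry the firewall's address and match here; the extra state entry
    # they create is harmless and simply times out.
    ${fwcmd} add 1300 allow ip from me to any out via ${oif} keep-state

    # ICMP errors needed for path MTU discovery and traceroute to work.
    ${fwcmd} add 1400 allow icmp from any to any icmptypes 3,4,11

    # No new TCP connections from the outside.  To publish a service via
    # natd -redirect_port, add an allow for the private host:port above this.
    ${fwcmd} add 2000 deny log tcp from any to any in via ${oif} setup

    # Everything else is dropped and logged (the module default is deny).
    ${fwcmd} add 65000 deny log ip from any to any
}

# Load the rules only when ipfw is present, or when dry-running with echo,
# so the file can be inspected on any system without touching a firewall.
if [ -x "${fwcmd}" ] || [ "${fwcmd}" = echo ]; then
    load_rules
fi
```

Rule order is the point to check: the divert rule has to come before check-state for inbound packets, otherwise check-state sees the untranslated public destination and never matches the state recorded with the private address at rule 1200. Logging via "log" only produces output when net.inet.ip.fw.verbose is set.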

Re: Looking for ipfw info.

2004-02-26 Thread Shaun T. Erickson
JJB wrote:

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Shaun T.
Erickson
Sent: Thursday, February 26, 2004 2:08 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Looking for ipfw info.
JJB wrote:


The problem with all those links is that what they write about is
outdated and completely misdirects the reader into using IPFW's
legacy stateless rules when only stateful rules should be used to
get the max level of protection.


The rules she gives in her second article most certainly describe
creating a stateful firewall.
Yes, for a firewall without a LAN behind it
Which is exactly what I'm trying to set up.

www.a1poweruser.com  Is where you can purchase the complete results
of my in-depth research, as soon as I complete the buy now button
function. Check back in a week.
Can someone who isn't trying to sell me something, corroborate anything 
he's said? It would be nice to hear from someone else, too. :)

	-ste



RE: Looking for ipfw info.

2004-02-26 Thread JJB


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Shaun T.
Erickson
Sent: Thursday, February 26, 2004 2:08 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Looking for ipfw info.

JJB wrote:

 The problem with all those links is that what they write about is
 outdated and completely misdirects the reader into using IPFW's
 legacy stateless rules when only stateful rules should be used to
 get the max level of protection.

The rules she gives in her second article most certainly describe
creating a stateful firewall.

Yes, for a firewall without a LAN behind it


 They also completely ignore the
 problem ipfw has with stateful rules not working when the
 divert/natd subroutine call is used. IPFW has a major legacy
 stateful/NAT bug and ipfilter does not.

Can you provide me with links to information that documents this?
There was a very long thread in this questions list that beat this
subject to death some time since the start of this year if I
remember correctly.



 Ipfilter provides a much
 higher level of protection in a LAN environment than IPFW can ever
 do in its current state. Even the openbsd pf port is a better
 firewall solution for a firewall with a LAN behind it than IPFW.

Please provide me with links to documentation that objectively compares
them, so that I can weigh the merits of what you say.
You have to do your own homework and compare them yourself like I
did.
Or take my word for it and save yourself a lot of leg work.
I have spent 18 months working on this subject before coming to these
conclusions.
This is not a stab in the dark but the result of much testing and
questioning on this list.
You can access this list's archives, and search the questions list
archives, at
http://docs.freebsd.org/mail/archive/2004/freebsd-questions/

Or select one of the other official archives which may be more
appropriate
http://docs.freebsd.org/mail/archive/2004/

These official FBSD archives are not user friendly and do not have
search ability.
http://freebsd.rambler.ru/ has search ability but it does not
present the posts in thread form, but in individual posts which is
harder to navigate around.

This is the search URL I use,
http://groups.google.com/groups?hl=en&lr=lang_en&ie=UTF-8&group=lucky.freebsd.questions

It uses the lucky.freebsd.questions newsgroup. It's only 8 hours
behind the realtime activity on the FBSD questions list. It presents
the answers to your search in thread format. Be sure to click on
option to search within this newsgroup, or it will search all
newsgroups which dilutes the results.

When searching the archives don't bother going back further than 14
months, generally information older than that is outdated as it does
not reflect the current stable release.



 Please don't continue the FBSD's handbook mis-information about IPFW
 being the only FBSD firewall solution or that it's the best
 solution. The handbook is also way behind in its content being
 current and up to date.

As a new FreeBSD user, there's no way I could possibly know that, now is
there? I simply passed along what I have found to be useful.

I still need to know the answer to my question about what changes I need
to make to my kernel to support a firewall on my server.
There is no mandatory requirement to compile ipfw or ipfilter into
your kernel, nor does doing so provide any additional security.
The loadable module versions work just fine, and it only takes one
comment in rc.conf and a reboot to disable.
www.a1poweruser.com  Is where you can purchase the complete results
of my in-depth research, as soon as I complete the buy now button
function. Check back in a week.


-ste



Re: Looking for ipfw info.

2004-02-26 Thread Shaun T. Erickson
JJB wrote:

The problem with all those links is that what they write about is
outdated and completely misdirects the reader into using IPFW's
legacy stateless rules when only stateful rules should be used to
get the max level of protection.
The rules she gives in her second article most certainly describe 
creating a stateful firewall.

They also completely ignore the
problem ipfw has with stateful rules not working when the
divert/natd subroutine call is used. IPFW has a major legacy
stateful/NAT bug and ipfilter does not.
Can you provide me with links to information that documents this?

Ipfilter provides a much
higher level of protection in a LAN environment than IPFW can ever
do in its current state. Even the openbsd pf port is a better
firewall solution for a firewall with a LAN behind it than IPFW.
Please provide me with links to documentation that objectively compares 
them, so that I can weigh the merits of what you say.

Please don't continue the FBSD's handbook mis-information about IPFW
being the only FBSD firewall solution or that it's the best
solution. The handbook is also way behind in its content being
current and up to date.
As a new FreeBSD user, there's no way I could possibly know that, now is 
there? I simply passed along what I have found to be useful.

I still need to know the answer to my question about what changes I need 
to make to my kernel to support a firewall on my server.

	-ste



RE: Looking for ipfw info.

2004-02-26 Thread JJB
The problem with all those links is that what they write about is
outdated and completely misdirects the reader into using IPFW's
legacy stateless rules when only stateful rules should be used to
get the max level of protection. They also completely ignore the
problem ipfw has with stateful rules not working when the
divert/natd subroutine call is used. IPFW has a major legacy
stateful/NAT bug and ipfilter does not. Ipfilter provides a much
higher level of protection in a LAN environment than IPFW can ever
do in its current state. Even the openbsd pf port is a better
firewall solution for a firewall with a LAN behind it than IPFW.

Please don't continue the FBSD's handbook mis-information about IPFW
being the only FBSD firewall solution or that it's the best
solution. The handbook is also way behind in its content being
current and up to date.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Shaun T.
Erickson
Sent: Thursday, February 26, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Looking for ipfw info.

I wrote:

 I have read the following 5 excellent articles on ipfw, by Dru Lavigne.

I forgot to include the links. Here they are:

BSD Firewalls: IPFW
http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html

BSD Firewalls: IPFW Rulesets
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html

BSD Firewalls: Fine-Tuning Rulesets
http://www.onlamp.com/pub/a/bsd/2001/06/01/FreeBSD_Basics.html

IPFW Logging
http://www.onlamp.com/pub/a/bsd/2001/06/21/FreeBSD_Basics.html

Monitoring IPFW Logs
http://www.onlamp.com/pub/a/bsd/2001/07/05/FreeBSD_Basics.html

-ste



Re: Looking for ipfw info.

2004-02-26 Thread Shaun T. Erickson
I wrote:

I have read the following 5 excellent articles on ipfw, by Dru Lavigne. 
I forgot to include the links. Here they are:

BSD Firewalls: IPFW 
http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html

BSD Firewalls: IPFW Rulesets 
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html

BSD Firewalls: Fine-Tuning Rulesets 
http://www.onlamp.com/pub/a/bsd/2001/06/01/FreeBSD_Basics.html

IPFW Logging http://www.onlamp.com/pub/a/bsd/2001/06/21/FreeBSD_Basics.html

Monitoring IPFW Logs 
http://www.onlamp.com/pub/a/bsd/2001/07/05/FreeBSD_Basics.html

	-ste



Re: Looking for ipfw info.

2004-02-26 Thread Shaun T. Erickson
Thanks for the resources.

A couple of questions (because I'm new to FreeBSD):

The ipfw man page in 5.2.1-RELEASE says that ipfw in CURRENT is ipfw2 
and that ipfw in STABLE is ipfw1. I still don't understand the 
relationship between RELEASE and the other two, so I am not sure which 
ipfw I have in 5.2.1-RELEASE.

I have read the following 5 excellent articles on ipfw, by Dru Lavigne. 
Even though they were written in 2001, and thus pre-date ipfw2, I found 
them to be a great crash course in ipfw, and the ipfw manpage in 
5.2.1-RELEASE just adds to it.

In Dru's first article, she(?) discusses how the kernel must be modified 
to support a firewall. She looks into /usr/src/sys/i386/conf/LINT to 
find the relevant information that needs to be added to my kernel conf 
file. I cannot find a LINT file on my 5.2.1-RELEASE system. Where can I 
find complete information on what I need to do to my kernel?

TIA

	-ste

P.S.: I find that ipfw rules are far more human-readable than I thought, 
and when comparing my linux server's ipchains rules to 
/etc/rc.firewall's simple firewall rules, I found them to be very 
similar. :)



Re: Looking for ipfw info.

2004-02-25 Thread W. D.
At 20:45 2/25/2004, Shaun T. Erickson wrote:
Can someone point me to a good, current ipfw HOW-TO? I'm very good with 
linux's ipchains/iptables firewall commands, but am replacing that 
server with a FreeBSD server and need to translate my firewall ...

TIA

   -ste

Hey Shaun,

I am giving you this info with the hope that after you figure
it out you will summarize what you know in a Linux to FreeBSD
firewall howto.  Pretty please.  I've got some Web space if needed.

Here ya go:
http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
http://lists.freebsd.org/pipermail/freebsd-ipfw/
http://marc.theaimsgroup.com/?l=freebsd-ipfw&r=1&w=2
http://marc.theaimsgroup.com/?l=freebsd-ipfw&w=2&r=1&s=newbie&q=b
http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
http://freebsd.hanirc.org/holyboard/holyboard.cgi?db=ipfw
http://www.Google.com/search?q=%22ipfw_rules%22+Richard+Caley
http://www.Google.com/search?q=ipfw+firewall+rules
http://www.Google.com/search?q=%22ipfw_rules%22
http://www.Google.com/search?q=ipfw+firewall+rules+primer
http://dva.dyndns.org/faq.html

I've got some more files not listed here.  If you want them, let
me know.



Start Here to Find It Fast!™ - http://www.US-Webmasters.com/best-start-page/
