RE: Firewall and FreeBSD ports

2008-10-13 Thread Bob McConnell
On Behalf Of RW

 I don't normally do this as Watson is usually less impressed when
 Holmes reveals his working, but the clues were there. He wrote: 
 
install software with ports (i.e, the 
/usr/ports collection.)
 
 and 
 
FTP to grab source files from mirrors
 
 If you combine that with crediting the poster with enough common sense
 to mention he was using a version before 6.2, then it seemed unlikely
 to be a problem with active FTP. 
 
 BTW neither of us actually answered the question. I know I forgot as I
 was in a hurry. I'm pretty sure you didn't either, but I don't have the
 time to read all of your reply in detail.
 
 The answer is: enable outgoing tcp connections to port 21 and to all
 ports above 1023.

Is there a way to set up any firewall so that while there is an active
outgoing connection on port 21, allow any incoming connections from the
same IP address?

Bob McConnell
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Firewall and FreeBSD ports

2008-10-10 Thread Jeremy Chadwick
On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
 I just set up a new server with a very restricted PF configuration. One
 problem: I can no longer install software with ports (i.e., the
 /usr/ports collection.) I have to disable PF to do so. Obviously not a
 great solution.

 Am I correct in guessing that ports uses FTP to grab source files from 
 mirrors? I'm trying to figure out the smallest number of ports (the 
 TCP/IP kind) that I need to open in my firewall. I don't want to enable 
 incoming FTP requests, but do want to allow outgoing ftp requests, I 
 believe.

 Am I on the right track, here?

See the fetch(1) man page.  Try this first:

sh/bash: export FTP_PASSIVE_MODE=true
csh: setenv FTP_PASSIVE_MODE true

Chances are this will address the problem for you.

-- 
| Jeremy Chadwick                 jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Firewall and FreeBSD ports

2008-10-10 Thread RW
On Fri, 10 Oct 2008 09:51:16 -0700
Jeremy Chadwick [EMAIL PROTECTED] wrote:

 On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
  I just set up a new server with a very restricted PF configuration.
  One problem: I can no longer install software with ports (i.e.,
  the /usr/ports collection.) I have to disable PF to do so.
  Obviously not a great solution.
 
  Am I correct in guessing that ports uses FTP to grab source files
  from mirrors? I'm trying to figure out the smallest number of ports
  (the TCP/IP kind) that I need to open in my firewall. I don't want
  to enable incoming FTP requests, but do want to allow outgoing ftp
  requests, I believe.
 
  Am I on the right track, here?
 
 See the fetch(1) man page.  Try this first:
 
 sh/bash: export FTP_PASSIVE_MODE=true
 csh: setenv FTP_PASSIVE_MODE true
 


Passive FTP has been the default for a long time; fetch is called
with the -p option.

If you have access to an http-proxy that supports ftp requests over
http, fetch can use that. Alternately you can probably avoid ftp
altogether by setting:
 

MASTER_SORT_REGEX?=   ^http:

in make.conf


Re: Firewall and FreeBSD ports

2008-10-10 Thread Jeremy Chadwick
On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
 On Fri, 10 Oct 2008 09:51:16 -0700
 Jeremy Chadwick [EMAIL PROTECTED] wrote:
 
  On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
   I just set up a new server with a very restricted PF configuration.
   One problem: I can no longer install software with ports (i.e.,
   the /usr/ports collection.) I have to disable PF to do so.
   Obviously not a great solution.
  
   Am I correct in guessing that ports uses FTP to grab source files
   from mirrors? I'm trying to figure out the smallest number of ports
   (the TCP/IP kind) that I need to open in my firewall. I don't want
   to enable incoming FTP requests, but do want to allow outgoing ftp
   requests, I believe.
  
   Am I on the right track, here?
  
  See the fetch(1) man page.  Try this first:
  
  sh/bash: export FTP_PASSIVE_MODE=true
  csh: setenv FTP_PASSIVE_MODE true
 
 Passive FTP has been the default for a long time; fetch is called
 with the -p option.

Let's give the users some actual detail, not terse one-liners which will
induce more questions/confusion.

First off, libfetch (which is what fetch(1) uses) itself DOES NOT
default to using FTP passive mode.  You have to either pass the -p
option to the fetch(1) binary, or you have to set the FTP_PASSIVE_MODE
environment variable (which affects anything using libfetch).

Secondly, the ports framework (not pkg_* tools!), specifically
ports/Mk/bsd.port.mk, defines FETCH_ARGS with the -p argument to force
passive mode.  This will be used for things like make fetch.  It *will
not* be used for things like pkg_add -r or pkg_add ftp://...;

The addition of the -p argument to FETCH_ARGS in ports/Mk/bsd.port.mk
was applied to HEAD on 2006/09/20.  HEAD at that time is what became
FreeBSD 6.2.  Of course, anyone updating their ports tree after that
date would also get the change; I'm just pointing it out so people know
what the actual date was when -p was added to the default argument list.

Now let's expand a bit on FTP_PASSIVE_MODE, because I'm absolutely sure
someone will try to argue that's also been turned on by default for a
long time; I know how people are...  :-)

FTP_PASSIVE_MODE being set by default on login shells was induced by an
addition to login.conf(5) back in late 2001 (around the time of
RELENG_6).  See revision 1.45 (not 1.44!) of src/etc/login.conf in
cvsweb.

But I'll remind people that login.conf only applies to login shells;
logging in on the console, or logging in to an account via ssh
[EMAIL PROTECTED].  Most people I know of *do not* SSH into their servers as
root; they SSH in as themselves and use sudo.  Some use su2, and some
use su.

Let's examine the behaviours:

$ env | grep FTP
FTP_PASSIVE_MODE=YES

As you can see here, the machine I've SSH'd into as myself does apply
login.conf's defaults.  But...

$ sudo -s
# env | grep FTP
# exit
$ sudo -i
# env | grep FTP
#

The above scenario (as root) fails, since the FTP_PASSIVE_MODE
environment variable isn't being handed down from the login shell (my
user account) to the root shell spawned by sudo[1].

su, on the other hand, does it a little differently:

$ su
Password:
# env | grep FTP
FTP_PASSIVE_MODE=YES

And likewise, su -l behaves the same way.

The OP did not disclose how he was installing ports.  A lot of users
think that packages == ports, so for all we know, he could be
pkg_add'ing things while using sudo and running into this.

If make fetch in an actual port is timing out, then he's either doing
it on a machine with a ports tree prior to 2006/09/20 (see above), or
his outbound pf rules are so strict that the machine is absurdly
limited.

I've advocated in another thread my displeasure for filtering outbound
traffic *solely* because of this exact scenario.  Network admins seem
to think that oh, HTTP is always going to use port 80, and likewise,
oh, FTP is always going to use ports 20-21.  Bzzzt.  Nothing stops
a MASTER_SITE from being http://lelele.com:9382/.

[1]: The problem with sudo can be addressed; FTP_PASSIVE_MODE needs to
be added to the env_keep list in the default sudoers file.  I know the
port maintainer, so I'll take this up with him so that users (including
myself) don't keep getting bit by forgetting to set FTP_PASSIVE_MODE
after doing a sudo.

-- 
| Jeremy Chadwick                 jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Firewall and FreeBSD ports

2008-10-10 Thread Wojciech Puchar
problem: I can no longer install software with ports (i.e, the /usr/ports 
collection.) I have to disable PF to do so. Obviously not a great solution.


Am I correct in guessing that ports uses FTP to grab source files from


FTP or HTTP.

If you have an HTTP proxy like Squid in your network, do:

export http_proxy=http://yourproxy:port
export ftp_proxy=http://yourproxy:port



Re: Firewall and FreeBSD ports

2008-10-10 Thread RW
On Fri, 10 Oct 2008 11:41:40 -0700
Jeremy Chadwick [EMAIL PROTECTED] wrote:

 On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
  On Fri, 10 Oct 2008 09:51:16 -0700
  Jeremy Chadwick [EMAIL PROTECTED] wrote:

  Passive FTP has been the default for a long time; fetch is called
  with the -p option.
 
 Let's give the users some actual detail, not terse one-liners which
 will induce more questions/confusion.


 Snip some facts used as a blunt instrument  

 The OP did not disclose how he was installing ports.  A lot of users
 think that packages == ports, 

I don't normally do this as Watson is usually less impressed when
Holmes reveals his working, but the clues were there. He wrote: 

   install software with ports (i.e, the 
   /usr/ports collection.)

and 

   FTP to grab source files from mirrors

If you combine that with crediting the poster with enough common sense
to mention he was using a version before 6.2, then it seemed unlikely
to be a problem with active FTP. 

BTW neither of us actually answered the question. I know I forgot as I
was in a hurry. I'm pretty sure you didn't either, but I don't have the
time to read all of your reply in detail.

The answer is: enable outgoing tcp connections to port 21 and to all
ports above 1023.
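The egress rule RW gives ("outgoing TCP to port 21 and to all ports above 1023") can be checked against a model of the two FTP modes. The following is an added example, not code from the thread or from fetch(1)/libfetch: it parses the server's 227 PASV reply, derives the data port, and asks whether every connection of a passive or active session would be allowed by that policy. The address, ports and replies are constructed for the example; the policy function is an assumption standing in for a real pf ruleset.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Server reply announcing the passive data port, per RFC 959:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Flow:
    """One TCP connection of an FTP session, as seen from the client host."""
    direction: str   # "out": client initiates; "in": server initiates
    dst_port: int    # destination port of the connection


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) announced in a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def egress_allows(flow: Flow) -> bool:
    """RW's policy (assumed model): outbound TCP to port 21 or to any port
    above 1023 is allowed; nothing inbound is."""
    return flow.direction == "out" and (flow.dst_port == 21 or flow.dst_port > 1023)


def passive_session_flows(pasv_reply: str) -> list[Flow]:
    """Passive mode: the client opens both the control connection (port 21)
    and the data connection (the port announced in the 227 reply)."""
    _host, data_port = parse_pasv(pasv_reply)
    return [Flow("out", 21), Flow("out", data_port)]


def active_session_flows(client_data_port: int) -> list[Flow]:
    """Active mode: the client opens the control connection, then the server
    connects back (from its port 20) to the port the client named in PORT."""
    return [Flow("out", 21), Flow("in", client_data_port)]


def session_permitted(flows: list[Flow]) -> bool:
    """True only if every connection of the session passes the egress policy."""
    return all(egress_allows(f) for f in flows)


# Constructed sample replies (address and ports invented for the example).
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,195,80)"    # data port 50000
LOW_PORT_PASV = "227 Entering Passive Mode (192,0,2,10,3,232)"   # data port 1000


if __name__ == "__main__":
    print("passive, high data port:", session_permitted(passive_session_flows(SAMPLE_PASV)))
    print("passive, data port <= 1023:", session_permitted(passive_session_flows(LOW_PORT_PASV)))
    print("active, server connects back:", session_permitted(active_session_flows(40000)))
```

The second constructed reply shows the one way a passive transfer still fails under this policy: a server that announces a data port at or below 1023. The active case fails because the data connection is inbound, which is exactly why the -p / FTP_PASSIVE_MODE discussion earlier in the thread matters for a host that filters this way.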


Re: Firewall and FreeBSD ports

2008-10-10 Thread John Almberg


sh/bash: export FTP_PASSIVE_MODE=true
csh: setenv FTP_PASSIVE_MODE true


First off, this did solve the problem. Thank you, Jeremy.

Now, as to the why...


That's odd, because if you are running 7.x with default settings,
FTP_PASSIVE_MODE should be irrelevant to fetching distfiles - even if
it's set to no.

Do you have any FETCH_* variables defined?


No


What happens if you cd to a
port directory and type: make -V FETCH_CMD ?


[EMAIL PROTECTED]:~] cd /usr/ports/shells/zsh
[EMAIL PROTECTED]:zsh] make -V FETCH_CMD
/usr/bin/fetch -ApRr
[EMAIL PROTECTED]:zsh]


I then wanted to install NTP:

cd /usr/ports/net/ntp
make config; make install clean

This failed because the mirrors were not accessible.


I just tried this port myself and it failed on all four servers
configured in the Makefile, only succeeding on the fallback Freebsd
server, (Freebsd's own cache for package building).

Unless you turn up something odd for FETCH_CMD, I think there's
a good chance that you never had an FTP firewall problem in the first
place, and that the file has simply been added to ftp.freebsd.org since
you got the original failure.


I just removed the FTP_PASSIVE_MODE variable from .bash_profile,  
logged out, and logged back in. I then tried to install another port  
and it installed without problem.


-- John



Re: firewall on FreeBSD

2005-06-27 Thread Paul Schmehl
--On June 26, 2005 12:40:14 AM +0100 Alex Zbyslaw [EMAIL PROTECTED] 
wrote:



Paul Schmehl wrote:


--On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:



I have a firewall/router/proxy with OpenBSD and am thinking of replacing it
with FreeBSD 5.4.
Do you mean FreeBSD's PF doesn't support the 'quick' keyword?
I thought PF on FreeBSD and OpenBSD were identical; aren't they?


pf on freebsd does support the quick keyword.  The default
firewall, ipfw, does not.


This makes no sense to me.  The two firewalls work very differently.

In pf, each rule is always processed on every packet and the last rule
matching determines the action.  quick terminates the rule matching and
forces the quick rule to be, in effect, the final rule (assuming the
packet matched it).

ipfw does not match every rule for every packet; rather, it processes down
the rules until the packet matches one with a terminating action such as
accept or deny.  No quick keyword is needed.


Precisely.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/


Re: firewall on FreeBSD

2005-06-26 Thread N.J. Thomas
* Paul Schmehl [EMAIL PROTECTED] [2005-06-24 12:58:51 -0500]:
 I've been using pf for a few years now, and I've never had problems
 understanding the syntax or how it works (but I also never do NAT, so
 that might be the reason it seems easy to me.)

Yes, pf is great, but doing NAT with pf is also just as easy to
understand. It depends on what you are doing, but for most people using
NAT is as easy as turning on IP forwarding via sysctl and adding a single
line to your pf.conf configuration file (nat on $ext_if...).

Thomas

-- 
N.J. Thomas
[EMAIL PROTECTED]
Etiamsi occiderit me, in ipso sperabo


Re: firewall on FreeBSD

2005-06-26 Thread Alex Zbyslaw

Giorgos Keramidas wrote:


On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
 


Paul Schmehl wrote:
   


pf on freebsd does support the quick keyword.  The default
firewall, ipfw, does not.
 


This makes no sense to me.  The two firewalls work very differently.

[...]


You describe very nicely the way rules are matched by two of the three
different firewalls available on FreeBSD.  The description, being very
correct, *does* make sense.

Why do you say that ``This makes no sense to you''?
 

Maybe I'm misreading something, or taking it out of context, but the 
statement "ipfw does not support the quick keyword" makes no sense to 
me.  For me, it implies that somehow ipfw could (or even should) support 
the quick keyword, and that is nonsensical.  The way ipfw rules work 
there is not only no need to support a quick keyword, but no point in 
supporting one because all relevant matches are already quick, by 
definition.


Maybe I'm being overly pedantic, but if I had stumbled across this 
message in an archive search, and knew nothing about FreeBSD firewalls, 
I could easily take it to mean that ipfw was lacking a feature with 
respect to pf when, in fact, it wasn't.  (There may be plenty of other 
reasons for picking one firewall or the other, but the lack of a quick 
keyword in ipfw isn't one of them).


Am *I* making any more sense, now?

--Alex



Re: firewall on FreeBSD

2005-06-26 Thread Giorgos Keramidas
On 2005-06-26 22:15, Alex Zbyslaw [EMAIL PROTECTED] wrote:
 Giorgos Keramidas wrote:
 On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
 pf on freebsd does support the quick keyword.  The default
 firewall, ipfw, does not.
 
 This makes no sense to me.  The two firewalls work very differently.
 [...]
 
 You describe very nicely the way rules are matched by two of the three
 different firewalls available on FreeBSD.  The description, being very
 correct, *does* make sense.
 
 Why do you say that ``This makes no sense to you''?

 Maybe I'm misreading something, or taking it out of context, but the
 statement "ipfw does not support the quick keyword" makes no sense to
 me. [...]  Am *I* making any more sense, now?

Yes, thank you :)



Re: firewall on FreeBSD

2005-06-26 Thread Nikolas Britton
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Khanh Cao
 Van
 Sent: Friday, June 24, 2005 9:33 AM
 To: freebsd-questions
 Subject: firewall on freebsd
 
 
 I'm going to learn about the FreeBSD firewall. The handbook lists
 some of them and I could not find out which is the best. So I decided
 to post here hoping to gain some of your opinions and experience.
 I would like to know which firewall is the most wanted? I have used
 Linux for several months and iptables was a good stateful firewall.
 What about in FreeBSD?

FreeBSD has m0n0wall and it just works. For example, yesterday I set up
a site-to-site VPN using two m0n0wall boxes and it took me less than 5
minutes to reconfigure the boxes, in-production systems, to do it.
I think I spent more time trying to generate a suitable 3DES shared
key than it took to reconfigure the boxes.


Re: firewall on FreeBSD

2005-06-25 Thread mess-mate
...snip...
| 
| Personally, I like the quick keyword of the OpenBSD firewall, (but not 
enough to bother 
| installing it.)
| 
| Paul Schmehl ([EMAIL PROTECTED])

I have a firewall/router/proxy with OpenBSD and am thinking of replacing it
with FreeBSD 5.4.
Do you mean FreeBSD's PF doesn't support the 'quick' keyword?
I thought PF on FreeBSD and OpenBSD were identical; aren't they?


mess-mate   
--
What I tell you three times is true.
-- Lewis Carroll


Re: firewall on FreeBSD

2005-06-25 Thread Roland Smith
On Sat, Jun 25, 2005 at 08:42:24AM +0200, mess-mate wrote:

 I have a firewall/router/proxy with OpenBSD and am thinking of replacing it
 with FreeBSD 5.4.
 Do you mean FreeBSD's PF doesn't support the 'quick' keyword?
 I thought PF on FreeBSD and OpenBSD were identical; aren't they?

I don't know if they're identical, but PF does support the 'quick'
keyword on FreeBSD.

Roland
-- 
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt




Re: firewall on FreeBSD

2005-06-25 Thread Erik Nørgaard

mess-mate wrote:

I have a firewall/router/proxy with OpenBSD and am thinking of replacing it
with FreeBSD 5.4.
Do you mean FreeBSD's PF doesn't support the 'quick' keyword?
I thought PF on FreeBSD and OpenBSD were identical; aren't they?


It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if 
your OBSD is the latest or updated after 3.6, then you might have 
functionalities not supported yet on FBSD.


The basic stuff is all the same, I don't think anyone could survive 
without 'quick', just as 'pass' and 'block' are supported on both 
platforms :-)


Cheers, Erik

--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: firewall on FreeBSD

2005-06-25 Thread Andrew L. Gould
On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
 mess-mate wrote:
  I have a firewall/router/proxy with OpenBSD and am thinking of replacing it
  with FreeBSD 5.4.
  Do you mean FreeBSD's PF doesn't support the 'quick' keyword?
  I thought PF on FreeBSD and OpenBSD were identical; aren't they?

 It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So
 if your OBSD is the latest or updated after 3.6, then you might have
 functionalities not supported yet on FBSD.

 The basic stuff is all the same, I don't think anyone could survive
 without 'quick', just as 'pass' and 'block' are supported on both
 platforms :-)

 Cheers, Erik

Minor correction:  pf is built into the kernel by default in FreeBSD 
5.4.  I think this started with FreeBSD 5.3.  It may still be in the 
ports system; but that would be for use in FreeBSD 4* and earlier 
versions of 5*.

Have a great weekend!

Andrew Gould


Re: firewall on FreeBSD

2005-06-25 Thread mess-mate
Andrew L. Gould [EMAIL PROTECTED] wrote:
| On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
|  mess-mate wrote:
|   I have a firewall/router/proxy with OpenBSD and am thinking of replacing it
|   with FreeBSD 5.4.
|   Do you mean FreeBSD's PF doesn't support the 'quick' keyword?
|   I thought PF on FreeBSD and OpenBSD were identical; aren't they?
| 
|  It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So
|  if your OBSD is the latest or updated after 3.6, then you might have
|  functionalities not supported yet on FBSD.
| 
|  The basic stuff is all the same, I don't think anyone could survive
|  without 'quick', just as 'pass' and 'block' are supported on both
|  platforms :-)
| 
|  Cheers, Erik
| 
| Minor correction:  pf is built into the kernel by default in FreeBSD 
| 5.4.  I think this started with FreeBSD 5.3.  It may still be in the 
| ports system; but that would be for use in FreeBSD 4* and earlier 
| versions of 5*.
| 
| Have a great weekend!
| 
| Andrew Gould
| 
The OpenBSD version is 3.5.
Can I port the pf config file to FreeBSD?
Great weekend to you too.

mess-mate   
--
There is a 20% chance of tomorrow.


Re: firewall on FreeBSD

2005-06-25 Thread Paul Schmehl

--On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:


I have a firewall/router/proxy with OpenBSD and am thinking of replacing it
with FreeBSD 5.4.
Do you mean FreeBSD's PF doesn't support the 'quick' keyword?
I thought PF on FreeBSD and OpenBSD were identical; aren't they?

pf on freebsd does support the quick keyword.  The default firewall, 
ipfw, does not.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/


Re: firewall on FreeBSD

2005-06-25 Thread Alex Zbyslaw

Paul Schmehl wrote:


--On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:



I have a firewall/router/proxy with OpenBSD and am thinking of replacing it
with FreeBSD 5.4.
Do you mean FreeBSD's PF doesn't support the 'quick' keyword?
I thought PF on FreeBSD and OpenBSD were identical; aren't they?

pf on freebsd does support the quick keyword.  The default 
firewall, ipfw, does not.


This makes no sense to me.  The two firewalls work very differently.

In pf, each rule is always processed on every packet and the last rule 
matching determines the action.  quick terminates the rule matching 
and forces the quick rule to be, in effect, the final rule (assuming 
the packet matched it).


ipfw does not match every rule for every packet; rather, it processes 
down the rules until the packet matches one with a terminating action 
such as accept or deny.  No quick keyword is needed.


--Alex



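The two matching models Alex describes (pf: every rule is evaluated and the last match wins unless a matching rule is marked quick; ipfw: the first matching rule with a terminating action decides) can be made concrete with a toy evaluator. The following is an added example, not code from the thread, from pf or from ipfw: the Rule mini-language and both rulesets are constructed for illustration, and the evaluators model only the ordering semantics, not real pf.conf or ipfw syntax. The same three packets are run through both models so the effect of quick, and the reason ipfw has no need for it, can be seen side by side.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """A rule in a constructed mini-language, not real pf.conf or ipfw syntax."""
    action: str                  # pf: "pass"/"block"; ipfw: "allow"/"deny"/"count"
    proto: Optional[str] = None  # None matches any protocol
    dst_port: Optional[int] = None
    quick: bool = False          # pf only: stop evaluation when this rule matches

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and (
            self.dst_port is None or self.dst_port == pkt.dst_port
        )


def pf_decide(rules: list[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf semantics: every rule is evaluated and the last match wins,
    unless a matching rule is marked quick, which ends evaluation at once.
    A packet matching no rule at all passes."""
    decision = default
    for r in rules:
        if r.matches(pkt):
            decision = r.action
            if r.quick:
                break
    return decision


TERMINATING = {"allow", "deny"}


def ipfw_decide(rules: list[Rule], pkt: Packet, default: str = "deny") -> str:
    """ipfw semantics: walk the rules in order; the first matching rule with a
    terminating action decides. Non-terminating actions such as count match
    but let evaluation continue. The default models ipfw's final rule 65535,
    which is deny unless the kernel was built to accept by default."""
    for r in rules:
        if r.matches(pkt) and r.action in TERMINATING:
            return r.action
    return default


def without_quick(rules: list[Rule]) -> list[Rule]:
    """The same ruleset with every quick flag cleared."""
    return [replace(r, quick=False) for r in rules]


# Constructed pf-style ruleset: "block all" first, exceptions below it.
PF_RULES = [
    Rule("block"),
    Rule("pass", "tcp", 22, quick=True),   # quick: the block below never overrides it
    Rule("block", "tcp", 22),              # would win as the last match without quick
    Rule("pass", "tcp", 80),
]

# Constructed ipfw-style ruleset: first terminating match wins, so the
# catch-all deny goes last and nothing like quick is needed.
IPFW_RULES = [
    Rule("count", "tcp", 22),   # non-terminating: matched, evaluation continues
    Rule("allow", "tcp", 22),
    Rule("deny", "tcp", 22),    # never reached for port 22
    Rule("allow", "tcp", 80),
    Rule("deny"),
]


if __name__ == "__main__":
    for pkt in (Packet("tcp", 22), Packet("tcp", 80), Packet("tcp", 443)):
        print(pkt, "pf:", pf_decide(PF_RULES, pkt),
              "pf without quick:", pf_decide(without_quick(PF_RULES), pkt),
              "ipfw:", ipfw_decide(IPFW_RULES, pkt))
```

Running it shows port 22 passing under pf only because of quick (clearing the flag lets the later block win), while ipfw reaches the same decision purely from rule order. That is the sense in which a quick keyword would be redundant in ipfw: the terminating match is already the final word.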


Re: firewall on FreeBSD

2005-06-25 Thread Giorgos Keramidas
On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
 Paul Schmehl wrote:
 pf on freebsd does support the quick keyword.  The default
 firewall, ipfw, does not.

 This makes no sense to me.  The two firewalls work very differently.

 In pf, each rule is always processed on every packet and the last rule
 matching determines the action.  quick terminates the rule matching
 and forces the quick rule to be, in effect, the final rule (assuming
 the packet matched it).

 ipfw does not match every rule for every packet; rather, it processes
 down the rules until the packet matches one with a terminating action
 such as accept or deny.  No quick keyword is needed.

You describe very nicely the way rules are matched by two of the three
different firewalls available on FreeBSD.  The description, being very
correct, *does* make sense.

Why do you say that ``This makes no sense to you''?



RE: firewall on FreeBSD

2005-06-24 Thread fbsd_user
Which firewall you select to use should be based on your level of
understanding of how information is moved across the internet.
Ipfilter is best suited for people who are just learning about
firewalling. PF is a little more automated and the rules are very
close to IPF's.
IPFW is for the advanced firewall users who have expert
understanding of the internet. All 3 firewalls support stateful
rules and are available in the 5.4 release. Best advice is start
with Ipfilter and when you find out that you have needs which are
not met by Ipfilter then move over to IPFW.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Khanh Cao
Van
Sent: Friday, June 24, 2005 9:33 AM
To: freebsd-questions
Subject: firewall on freebsd


I'm going to learn about the FreeBSD firewall. The handbook lists
some of them and I could not find out which is the best. So I decided
to post here hoping to gain some of your opinions and experience.
I would like to know which firewall is the most wanted? I have used
Linux for several months and iptables was a good stateful firewall.
What about in FreeBSD?

Thank for reading :)
--
--
Cao Van Khanh



Re: firewall on freebsd

2005-06-24 Thread Ean Kingston
On June 24, 2005 09:33 am, Khanh Cao Van wrote:
 I'm going to learn about the FreeBSD firewall. The handbook lists
 some of them and I could not find out which is the best. So I decided
 to post here hoping to gain some of your opinions and experience.
 I would like to know which firewall is the most wanted? I have used
 Linux for several months and iptables was a good stateful firewall.
 What about in FreeBSD?

All three are well written and all three pretty much do the same thing. Some 
things you may want to consider when choosing which firewall product to use:

IPFW is part of FreeBSD and only runs on FreeBSD.  Filtering is implemented in 
the kernel, NAT is a user-land daemon.

IPFilter is written to work with many operating systems (FreeBSD and Solaris 
are two examples). Filtering and NAT both run in the kernel.

IPF was written for OpenBSD and later ported to FreeBSD. IPF came into 
existence because of disagreements between certain members of the OpenBSD 
team and the author of IPFilter. Filtering is done in the kernel and I 
believe NAT is also in-kernel.

I have used both IPFW and IPFilter professionally. I prefer IPFW but only 
because I am more used to its filtering language. I have not found a 
sufficiently good technical reason for choosing one over the other.

For anyone who wants to start the in-kernel vs user-land NAT argument, I've 
already been through it and there are valid arguments for both sides. So, I 
won't get into it again.

-- 
Ean Kingston

E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
I am currently looking for work. If you need competent system/network 
administration please feel free to contact me directly.


Re: firewall on freebsd

2005-06-24 Thread Michael H. Semcheski
On Friday 24 June 2005 10:59 am, Ean Kingston wrote:
 IPF was written for OpenBSD and later ported to FreeBSD. IPF came into
 existence because of disagreements between certain members of the OpenBSD
 team and the author of IPFilter. Filtering is done in the kernel and I
 believe NAT is also in-kernel.

The OpenBSD packet filter is known as pf, not ipf.  It exists in FreeBSD as 
pf.

I have to say that I find it has some very useful features, though they are 
outside the mainstream firewall feature set.  For instance, authpf.  When you 
log into the firewall (usually via ssh), if the account's login type shell is 
authpf, a special set of firewall rules get loaded for the IP address the 
client is connecting from.

I have used pf and ipfw, and they're both fine.  If I had to pick, I'd choose 
pf because I like that it uses a separate configuration file, rather than a 
shell script to load its rules.

I'm not an expert on either.

Mike


RE: firewall on freebsd

2005-06-24 Thread Chad Albert
I have been using ipfw for quite some time and I love it.  The only
issues I have with it are on the NAT side.  Without a tool to modify the
current NAT rules, I cannot change them dynamically without editing my
config file and then doing something like...
killall -9 natd ; sleep 2 ; /sbin/natd -f /etc/natd.conf 
to reinitialize it.  Also, natd is resource intensive.  I have a PII 266
(not exactly a monster) and natd chews up 20-30 percent of my CPU during
the day while NATing about 3Mb/sec of traffic.  I am planning on
switching to pf and implementing a load-balanced pair of firewalls using
carp and pfsync.  I hope that using an in-kernel NAT will help
performance and give me better control while adding/removing rules.

-- Chad


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Khanh Cao Van
Sent: Friday, June 24, 2005 8:33 AM
To: freebsd-questions
Subject: firewall on freebsd

I'm going to learn about the FreeBSD firewall. The handbook lists
some of them and I could not find out which is the best. So I decided to
post here hoping to gain some of your opinions and experience.
I would like to know which firewall is the most wanted? I have used
Linux for several months and iptables was a good stateful firewall.
What about in FreeBSD?

Thank for reading :)
--
--
Cao Van Khanh


Re: firewall on FreeBSD

2005-06-24 Thread Giorgos Keramidas
On 2005-06-24 10:31, fbsd_user [EMAIL PROTECTED] wrote:
 Which firewall you select to use should be based on your level of
 understanding of how information is moved across the internet.

 Ipfilter is best suited for people who are just learning about
 firewalling. PF is a little more automated and the rules are very
 close to IPF's.

True.

 IPFW is for the advanced firewall users who have expert understanding
 of the internet.

Blatantly false.

 All 3 firewalls support stateful rules and are available in the 5.4
 release. Best advice is start with Ipfilter and when you find out that
 you have needs which are not met by Ipfilter then move over to IPFW.

IPFW or PF is fine for starting too.

The choice of the best firewall is, these days, more often than not an
issue of which one matches the specific application and the taste of the
one who is going to set it up, i.e.

  * DUMMYNET is a very nice bandwidth limiting & shaping tool, which may
sometimes lead to choosing IPFW.

  * On the other hand, PF/ALTQ may be used to do similar things, so some
users will obviously prefer this set of tools for other reasons (for
instance, because they like the ruleset style better).

  * IP Filter is almost obsoleted by PF on FreeBSD, but it's still one
of the most portable firewalls out there (I use it on Solaris all
the time, for example).

There isn't a best firewall for all cases.  They all have their
respective strengths and/or weaknesses.

=== To the original poster ===
I say, try them all out and choose the one _YOU_ prefer, for the reasons
that are important in _YOUR_ setup.

- Giorgos



Re: firewall on freebsd

2005-06-24 Thread Giorgos Keramidas
On 2005-06-24 10:59, Ean Kingston [EMAIL PROTECTED] wrote:
 For anyone who wants to start the in-kernel vs user-land NAT argument,
 I've already been through it and there are valid arguments for both
 sides. So, I won't get into it again.

Agreed.  Most of the people who use FreeBSD in SOHO installations (small
office, home office), and have far less than dozens of systems behind a
NAT-ting FreeBSD system will very rarely have a chance to notice *ANY*
difference between userlevel vs. in-kernel NAT.

This top snapshot:
http://keramida.serverhive.com/pixelshow-top.txt

is from a relatively recent demo-party where ipfw/natd were used in a
gateway of more than 100 systems madly downloading files from each other
and from the wide Internet.  Notice the 97% idle cpu percentage :-)

If FreeBSD can handle NAT, packet forwarding, and general connectivity
for more than 100 systems and still sit 97% of the time waiting for
something interesting to happen, then I'd be surprised if SOHO users
with less than 10-15 systems will notice anything :)



Re: firewall on FreeBSD

2005-06-24 Thread Paul Schmehl

--On June 24, 2005 5:31:13 PM +0100 [EMAIL PROTECTED] wrote:

 On Friday 24 June 2005 15:31, fbsd_user wrote:

  Which firewall you select to use should be based on your level of
  understanding of how information is moved across the internet.
  Ipfilter is best suited for people who are just learning about
  firewalling. PF is a little more automated and the rules are very
  close to IPF's.
  IPFW is for the advanced firewall users who have expert
  understanding of the internet. All 3 firewalls support stateful
  rules and are available in the 5.4 release. Best advice is start
  with Ipfilter and when you find out that you have needs which are
  not met by Ipfilter then move over to IPFW.

 Is this right?

If it is, then I'm a lot smarter than I give myself credit for.  The first
firewall I ever used was ipchains.  Then I used iptables, but I never
learned much about either because Linux obscures the config (unless you're
doing something fancy, you can run setup on the CLI, click a few check
boxes and you're done).

When I decided to switch a server over to FBSD, I had to read the man page
to understand how pf worked, because there *was* no setup to run.  I've
been using pf for a few years now, and I've never had problems
understanding the syntax or how it works (but I also never do NAT, so that
might be the reason it seems easy to me).

 I started off using IPFW, and found it no harder or easier
 than ipfilter, which I am using now. Can't remember the reason I changed
 to ipfilter, think it might have something to do with being easier to
 use with ipnat, but I am pretty happy with it. Is there anything that
 ipfw does better than ipfilter to make it preferable?

The only thing I would say about firewalls is, know what you're doing and
do it at the console.  There's nothing like having to get dressed and drive
40 miles to fix a box because you screwed up the firewall config while
working remotely to impress upon you the need to work at the console. :-)

Personally, I like the quick keyword of the OpenBSD firewall, (but not
enough to bother installing it.)


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
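The "drive 40 miles" failure mode in Paul's post is a ruleset change that
cuts off the very session used to make it.  The usual mitigation when the
console is not an option is a timed rollback: load the candidate ruleset,
and unless the operator confirms from a session that still works within a
grace period, reload the known-good one.  The POSIX sh script below is an
added example, not code from any poster in this thread or from FreeBSD.  It
assumes FreeBSD with pf enabled and pfctl(8) on PATH; the file paths, the
grace period and the confirm-marker mechanism are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD.
# Timed rollback for remote pf ruleset changes: load a candidate ruleset,
# then restore the known-good one unless the operator confirms, from a
# session that still works, within the grace period.
# Assumptions (illustrative, not from the page): FreeBSD with pf enabled and
# pfctl(8) on PATH; the default paths and grace period below.

PFCTL=${PFCTL:-pfctl}
GOOD_CONF=${GOOD_CONF:-/etc/pf.conf}              # known-good ruleset to fall back to
CONFIRM_FILE=${CONFIRM_FILE:-/var/run/pf.confirmed}
GRACE=${GRACE:-90}                                # seconds to wait for confirmation

# Parse-only check of a candidate ruleset (pfctl -n loads nothing).
check_ruleset() {
    "$PFCTL" -n -f "$1" >/dev/null 2>&1
}

# Replace the running filter and NAT rules with the given file.
load_ruleset() {
    "$PFCTL" -f "$1"
}

# Accept the candidate.  Run this from a fresh login after the new rules
# are live; if that login fails, do nothing and wait for the rollback.
confirm_ruleset() {
    : > "$CONFIRM_FILE"
}

# Poll for the confirmation marker once a second for GRACE seconds.
# Returns 0 if confirmed (marker consumed), 1 after rolling back.
watch_and_rollback() {
    i=0
    while [ "$i" -lt "$GRACE" ]; do
        if [ -f "$CONFIRM_FILE" ]; then
            rm -f "$CONFIRM_FILE"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    load_ruleset "$GOOD_CONF"
    return 1
}

# Full procedure: refuse unparsable files, load the candidate, then arm the
# watchdog in a background subshell that ignores SIGHUP, so it survives the
# SSH session dying (which is exactly the case it exists for).
# Returns 2 on a syntax error, 3 if the load failed, 0 once armed.
safe_reload() {
    candidate=$1
    rm -f "$CONFIRM_FILE"                         # a stale marker must not auto-confirm
    if ! check_ruleset "$candidate"; then
        echo "refusing to load $candidate: pfctl -n rejected it" >&2
        return 2
    fi
    load_ruleset "$candidate" || return 3
    ( trap '' HUP; watch_and_rollback ) &
    echo "loaded $candidate; run '$0 confirm' within ${GRACE}s or $GOOD_CONF comes back" >&2
}

if [ $# -gt 0 ]; then
    case $1 in
        reload)  safe_reload "$2" ;;
        confirm) confirm_ruleset ;;
        *)       echo "usage: $0 reload <candidate.conf> | confirm" >&2; exit 64 ;;
    esac
fi
```

From the remote session run `sh pf_safe_reload.sh reload /etc/pf.conf.new`,
then open a new login and run `sh pf_safe_reload.sh confirm`; if the new
login never connects, the old rules return on their own when the grace
period expires.  The same pattern works for ipfw or ipfilter with the two
pfctl calls swapped for the corresponding load command.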