Re: ipfw confusion

2013-08-22 Thread Gary Aitken
On 08/20/13 12:41, Dan Lists wrote: > You might turn on logging and post the logs of what is being blocked. > Sometimes things are being blocked by rules you do not expect. Thanks for the suggestion. I was seeing refusals from named and mistakenly interpreting them as ipfw issues. > On Mon, Aug

Re: ipfw confusion

2013-08-20 Thread Dan Lists
You might turn on logging and post the logs of what is being blocked. Sometimes things are being blocked by rules you do not expect. On Mon, Aug 19, 2013 at 4:18 PM, Gary Aitken wrote: > On 08/19/13 00:36, Jason Cox wrote: > > Are you sure that your DNS requests are over TCP? DNS primarily uses

Re: ipfw confusion

2013-08-19 Thread Gary Aitken
On 08/19/13 00:36, Jason Cox wrote: > Are you sure that your DNS requests are over TCP? DNS primarily uses UDP to > serve requests. TCP is used when the response data size exceeds 512 bytes > (I think), or for tasks such as zone transfers. I know a few resolver > implementations use TCP for all que

Re: ipfw confusion

2013-08-19 Thread Gary Aitken
On 08/19/13 11:53, OpenSlate ChalkDust wrote: > On Sun, Aug 18, 2013 at 8:06 PM, Gary Aitken wrote: > >> I'm having some weird ipfw behavior, or it seems weird to me, and am >> looking >> for an explanation and then a way out. >> >> ipfw list >> ... >> 21109 allow tcp from any to 12.32.44.142 ds

Re: ipfw confusion

2013-08-19 Thread Dan Lists
On Mon, Aug 19, 2013 at 1:06 AM, Gary Aitken wrote: > > ipfw list > ... > 21109 allow tcp from any to 12.32.44.142 dst-port 53 in via tun0 setup > keep-state > 21129 allow tcp from any to 12.32.36.65 dst-port 53 in via tun0 setup > keep-state > ... > 65534 deny log logamount 5 ip from any to any

Re: ipfw confusion

2013-08-19 Thread OpenSlate ChalkDust
On Sun, Aug 18, 2013 at 8:06 PM, Gary Aitken wrote: > I'm having some weird ipfw behavior, or it seems weird to me, and am > looking > for an explanation and then a way out. > > ipfw list > ... > 21109 allow tcp from any to 12.32.44.142 dst-port 53 in via tun0 setup > keep-state > 21129 allow tc

Re: ipfw gateway rerouting

2013-08-19 Thread Michael Sierchio
# my kernel has # options ROUTETABLES=16 GATEWAY_0="10.3.255.0" GATEWAY_1="10.3.255.1" setfib 0 route add default $GATEWAY_0 setfib 1 route add default $GATEWAY_1 ipfw table 1 add $NET_0 0 ipfw table 1 add $NET_1 0 ipfw table 1 add $NET_2 1 ipfw table 1 add $NET_3 0 ipfw add 00500 setfi

Re: ipfw confusion

2013-08-18 Thread Jason Cox
Are you sure that your DNS requests are over TCP? DNS primarily uses UDP to serve requests. TCP is used when the response data size exceeds 512 bytes (I think), or for tasks such as zone transfers. I know a few resolver implementations use TCP for all queries, but most I have used not. You might wa

Re: IPFW stopped logging

2013-01-07 Thread Michael Sierchio
On Mon, Jan 7, 2013 at 12:33 PM, Jerry wrote: > > I have discovered that IPFW stopped logging any messages in the > security log over a week ago. I did a reset, etcetera, but without > favorable results. I even tried a cold reboot to see if that made any > difference; however, it didn't. Other tha

Re: ipfw headers

2012-10-23 Thread Polytropon
On Tue, 23 Oct 2012 17:35:45 +0330, s m wrote: > Thanks for your quick reply. You know, I want to add the studio.h header but > the below error occurs: "no such file or directory". I am sure that > studio.h is located in usr/src/include but that error occurred. If I write the > full path of studio.h in ipf

Re: ipfw headers

2012-10-23 Thread Mike Bristow
On Tue, Oct 23, 2012 at 05:35:45PM +0330, s m wrote: > Thanks for your quick reply. You know, I want to add the studio.h header but > the below error occurs: "no such file or directory". You appear to have mistyped "stdio.h" (no u!). If that's not the case, please put the source you are trying to c

Re: ipfw headers

2012-10-23 Thread s m
Thanks for your quick reply. You know, I want to add the studio.h header but the below error occurs: "no such file or directory". I am sure that studio.h is located in usr/src/include but that error occurred. If I write the full path of studio.h in the ipfw file and then compile it, another error happens. Do

Re: ipfw headers

2012-10-23 Thread Polytropon
On Tue, 23 Oct 2012 17:18:43 +0330, s m wrote: > Hi everyone > > I want to set the TOS bit in ipfw but don't know how to do it directly. > Therefore I want to change the ipfw code in order to do it for me. I don't know > the ipfw headers path (from where ipfw loads its headers). > > Please help if somebody

Re: ipfw counters for tables

2012-07-22 Thread Ian Smith
In freebsd-questions Digest, Vol 424, Issue 10, Message: 10 On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov wrote: Hi Eugen, > I use ipfw tables to allow host to access to internet. > is there counter for matched packets/bytes for table entry like for > ipfw rule? > > #ipfw show 901 > ru

Re: ipfw subnetting

2012-06-15 Thread Wojciech Puchar
Can anyone suggest what I'm doing wrong here. Desired: drop everything from 180.0.0.0 to 180.255.255.255 ipfw -q add 137 deny all from 180.0.0.0/8 to any Nothing wrong. All is fine.

Re: ipfw subnetting

2012-05-21 Thread Michael Sierchio
On Mon, May 21, 2012 at 10:19 AM, Paul Macdonald wrote: > This is now resolved, I hadn't realised (embarrassingly) that ipfw list will > show rules if the fw is disabled. You should consider using tables, which allow you to add ad hoc nets, etc. and you can swap rulesets atomically so you can

Re: ipfw subnetting

2012-05-21 Thread Paul Macdonald
On 21/05/2012 17:01, Paul Macdonald wrote: On 21/05/2012 16:44, Michael Sierchio wrote: On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald wrote: A very open firewall test script is as follows: This is now resolved, I hadn't realised (embarrassingly) that ipfw list will show rules if the

Re: ipfw subnetting

2012-05-21 Thread Ian Smith
On Mon, 21 May 2012 16:30:59 +0100, Paul Macdonald wrote: > On 21/05/2012 14:50, Ian Smith wrote: > > In freebsd-questions Digest, Vol 416, Issue 1, Message: 26 > > On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald wrote: > > > > > can anyone suggest what i'm doing wrong here. > > > >

Re: ipfw subnetting

2012-05-21 Thread Michael Powell
Paul Macdonald wrote: [snip] It has been many years since I used IPFW as I moved on to IPFILTER, and then on to PF which is what I use now. I don't even recall exactly why I chose to utilize both setting directionality of flow per specific interface. I suspect that somehow there is some rule o

Re: ipfw subnetting

2012-05-21 Thread Paul Macdonald
On 21/05/2012 16:44, Michael Sierchio wrote: On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald wrote: A very open firewall test script is as follows: 00010 allow ip from any to any via lo0 00081 deny log ip from 180.0.0.0/8 to any 00100 check-state You don't need the following 00101 allow tcp

Re: ipfw subnetting

2012-05-21 Thread Michael Sierchio
On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald wrote: > A very open firewall test script is as follows: > > 00010 allow ip from any to any via lo0 > 00081 deny log ip from 180.0.0.0/8 to any > 00100 check-state You don't need the following > 00101 allow tcp from any to any established This may

Re: ipfw subnetting

2012-05-21 Thread Paul Macdonald
On 21/05/2012 14:50, Ian Smith wrote: In freebsd-questions Digest, Vol 416, Issue 1, Message: 26 On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald wrote: > Can anyone suggest what I'm doing wrong here. > > Desired: drop everything from 180.0.0.0 to 180.255.255.255 > > ipfw -q ad

Re: ipfw subnetting

2012-05-21 Thread Ian Smith
In freebsd-questions Digest, Vol 416, Issue 1, Message: 26 On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald wrote: > Can anyone suggest what I'm doing wrong here. > > Desired: drop everything from 180.0.0.0 to 180.255.255.255 > > ipfw -q add 137 deny all from 180.0.0.0/8 to any t23# i

Re: IPFW transparent VS dummynet rules

2012-01-08 Thread budsz
On Sun, Jan 8, 2012 at 1:00 PM, Ian Smith wrote: > On Sat, 7 Jan 2012, budsz wrote: > [..] >  > >             keyword instead of an explicit address.  The search > terminates if >  > >             this rule matches. >  > > >  > > Note particularly the last sentence.  You'll have to do your dummyn

Re: IPFW transparent VS dummynet rules

2012-01-07 Thread Ian Smith
On Sat, 7 Jan 2012, budsz wrote: > Hi folks, > > I already found the mistake of my ruleset sequence on my box, for ex: > > ${fwcmd} add 30 fwd ${ipproxy},${portproxy} tcp from ${ipclproxy} to > any dst-port ${porthttp} in via ${ifint0} > > ${fwcmd} add 52 pipe 2 ip from any to ${ipclient

Re: ipfw And ping

2011-12-04 Thread Ian Smith
In freebsd-questions Digest, Vol 391, Issue 10, Message: 25 On Sun, 04 Dec 2011 01:44:53 -0600 Tim Daneliuk wrote: > On 12/04/2011 01:04 AM, Ian Smith wrote: > > > > > > For one, google 'icmp redirect attack' > > But isn't that handled by setting: > > > net.inet.icmp.drop_redire

Re: ipfw And ping

2011-12-03 Thread Tim Daneliuk
On 12/04/2011 01:04 AM, Ian Smith wrote: For one, google 'icmp redirect attack' But isn't that handled by setting: net.inet.icmp.drop_redirect=1 # This is the ICMP rule we generally use: # ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18 Hmmm I just t

Re: ipfw And ping

2011-12-03 Thread Ian Smith
In freebsd-questions Digest, Vol 391, Issue 9, Message: 9 On Fri, 02 Dec 2011 10:35:45 -0600 Tim Daneliuk wrote: > On 12/01/2011 05:45 PM, Jon Radel wrote: > > > > On 12/1/11 6:25 PM, Tim Daneliuk wrote: > > > >> ${FWCMD} add allow icmp from any to any > >> > >> It does work but, two quest

Re: ipfw And ping

2011-12-02 Thread Коньков Евгений
Hello, Tim. You wrote on 2 December 2011 at 1:25:04: TD> I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. TD> Pings were not getting through so I added this near the top TD> of the rule set: TD># TD># Allow icmp TD># TD>${FWCMD} add allow icmp fr

Re: ipfw And ping

2011-12-02 Thread Tim Daneliuk
On 12/01/2011 05:45 PM, Jon Radel wrote: On 12/1/11 6:25 PM, Tim Daneliuk wrote: I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. Pings were not getting through so I added this near the top of the rule set: # # Allow icmp # ${FWCMD} add allow icmp from any to any

Re: ipfw And ping

2011-12-02 Thread Jon Radel
On 12/1/11 6:25 PM, Tim Daneliuk wrote: I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. Pings were not getting through so I added this near the top of the rule set: # # Allow icmp # ${FWCMD} add allow icmp from any to any It does work but, two questions: 1) Is

Re: ipfw And ping

2011-12-01 Thread Robert Bonomi
Tim Daneliuk wrote: > To: Robert Bonomi > Subject: Re: ipfw And ping > > On 12/01/2011 09:12 PM, Robert Bonomi wrote: > >> From tun...@tundraware.com Thu Dec 1 20:57:55 2011 > >> Date: Thu, 01 Dec 2011 20:56:03 -0600 > >> > >> Both. > >

Re: ipfw And ping

2011-12-01 Thread Tim Daneliuk
On 12/01/2011 08:56 PM, Robert Bonomi wrote: Similarly, I let the firewall respond to pings addressed to its _external_ interface, but silently drop anything addressed any further inside my network. (If they can _reach_ my firewall, then a problem, whatever it is, *is* 'my problem' and that's

Re: ipfw And ping

2011-12-01 Thread Tim Daneliuk
On 12/01/2011 08:56 PM, Robert Bonomi wrote: From owner-freebsd-questi...@freebsd.org Thu Dec 1 17:27:19 2011 Date: Thu, 01 Dec 2011 17:25:04 -0600 From: Tim Daneliuk To: FreeBSD Mailing List Subject: ipfw And ping I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. Pings we

Re: ipfw And ping

2011-12-01 Thread Robert Bonomi
> From owner-freebsd-questi...@freebsd.org Thu Dec 1 17:27:19 2011 > Date: Thu, 01 Dec 2011 17:25:04 -0600 > From: Tim Daneliuk > To: FreeBSD Mailing List > Subject: ipfw And ping > > I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. > Pings were not getting through so I add

Re: ipfw And ping

2011-12-01 Thread Michael Sierchio
You can rate-limit pings and other icmp with sysctl nodes (sysctl net.inet.icmp ) You can make the rule a little more restrictive: add allow icmp from any to any icmptypes 0,3,8,11 if you want to disallow echo requests, omit 8 - the others are essential for most things to work properly or to dia

Re: IPFW

2011-07-25 Thread Bas Smeelen
On 07/25/2011 09:36 AM, Jos Chrispijn wrote: > Dear group, > Is there a web driven configuration for ipfw after I installed it on my > server? webmin /usr/ports/sysutils/webmin/ the BSD Firewall module http://www.webmin.com/standard.html

Re: IPFW Firewall NAT inbound port-redirect

2011-07-13 Thread Michael Powell
OK - I'm confused. Could be all the top posting. ;-) testbed# man ipfw Formatting page, please wait...Done. IPFW(8) FreeBSD System Manager's Manual IPFW(8) NAME ipfw -- User interface for firewall, traffic shaper, packet scheduler, in-kernel NAT. ^^^

Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Michael Sierchio
Mike - You're confused. natd is still a userland process that works via divert sockets. ipfirewall nat is an extension to ipfirewall (ipfw is the userland control program to modify the rulesets, nat config, tables, etc.). - Michael On Tue, Jul 12, 2011 at 11:51 PM, Michael Powell wrote: > Mic

Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Michael Powell
Michael Sierchio wrote: > I'm familiar with natd since its appearance. I was unclear on the > ipfirewall nat syntax, since there is no syntax definition in the man > page. It's true the man page is already too large, but some examples > (somewhere) would be nice. Marshaling packets into userland

Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Michael Sierchio
aining. - M On Tue, Jul 12, 2011 at 11:05 PM, Bill Tillman wrote: > > > > > > > From: Michael Sierchio > To: Dan Nelson > Cc: Bill Tillman ; freebsd-questions@freebsd.org > Sent: Tue, July 12, 2011 6:35:19 PM > Subject: Re: IPF

Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Bill Tillman
From: Michael Sierchio To: Dan Nelson Cc: Bill Tillman ; freebsd-questions@freebsd.org Sent: Tue, July 12, 2011 6:35:19 PM Subject: Re: IPFW Firewall NAT inbound port-redirect We're not talking about natd.  The question was about the use of ipfirewal

Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Dan Nelson
In the last episode (Jul 12), Michael Sierchio said: > On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson wrote: > > In the last episode (Jul 12), Michael Sierchio said: > >> Is there a way of specifying a particular public address if there is > >> more than one bound to the external interface?  A la > >

Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Michael Sierchio
We're not talking about natd. The question was about the use of ipfirewall nat. On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson wrote: > In the last episode (Jul 12), Michael Sierchio said: >> Is there a way of specifying a particular public address if there is >> more than one bound to the external

Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Dan Nelson
In the last episode (Jul 12), Michael Sierchio said: > Is there a way of specifying a particular public address if there is > more than one bound to the external interface? A la > > nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 > 102.10.22.1: Yes; the redirect_port sy
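As an added example (not from the thread, and not the text of Dan's truncated reply), here is how an in-kernel `ipfw nat` instance pins each inbound port redirect to a particular public address when more than one is bound to the external interface. The argument form is the one documented in ipfw(8), `redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]`; the optional aliasIP is what selects the public address. Interface `re0.2`, public address 102.10.22.1 and internal host 10.0.0.3 are taken from the question; the second public address 102.10.22.2, the host 10.0.0.4, NAT instance 123 and the rule numbers are assumptions, and both public addresses must already be configured on `re0.2`. The script prints the commands by default and only applies them when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example, not the thread's own configuration: ipfw in-kernel NAT with
# inbound port redirects pinned to specific public addresses.
# re0.2, 102.10.22.1 and 10.0.0.3 are from the question; 102.10.22.2, 10.0.0.4,
# instance 123 and rule 100 are assumed.

ext_if="re0.2"

# Dry run by default: print each ipfw command. APPLY=1 executes it instead.
fw() {
    if [ -n "$APPLY" ]; then
        ipfw "$@"
    else
        printf 'ipfw %s\n' "$*"
    fi
}

load_nat_rules() {
    # One NAT instance on the external interface. The aliasIP field of each
    # redirect_port (102.10.22.1 / 102.10.22.2) chooses which of the public
    # addresses on ${ext_if} answers for that internal host.
    fw nat 123 config if "$ext_if" log same_ports \
        redirect_port tcp 10.0.0.3:22 102.10.22.1:22 \
        redirect_port tcp 10.0.0.4:22 102.10.22.2:22

    # Run both directions of traffic on the external interface through the
    # instance. With net.inet.ip.fw.one_pass=1 (the default) the translated
    # packet is accepted by this rule; with one_pass=0 it continues at the
    # next rule, where inbound packets already carry the 10.0.0.x:22 address.
    fw add 100 nat 123 ip from any to any via "$ext_if"
}

load_nat_rules
```

With `one_pass=0`, any filtering rules placed after rule 100 must therefore be written against the translated (internal) addresses for inbound traffic and against the untranslated ones for outbound traffic, since the NAT rule sits before them in both directions.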

Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Michael Sierchio
: > > > > From: Dan Nelson > To: Michael Sierchio > Cc: freebsd-questions@freebsd.org > Sent: Mon, July 11, 2011 1:07:31 PM > Subject: Re: IPFW Firewall NAT inbound port-redirect > > In the last episode (Jul 11), Michael Sierchio said: >> Sorry for the naive q

Re: IPFW Firewall NAT inbound port-redirect

2011-07-12 Thread Bill Tillman
From: Dan Nelson To: Michael Sierchio Cc: freebsd-questions@freebsd.org Sent: Mon, July 11, 2011 1:07:31 PM Subject: Re: IPFW Firewall NAT inbound port-redirect In the last episode (Jul 11), Michael Sierchio said: > Sorry for the naive question, but most

Re: IPFW Firewall NAT inbound port-redirect

2011-07-11 Thread Dan Nelson
In the last episode (Jul 11), Michael Sierchio said: > Sorry for the naive question, but most of my old rulesets still use > natd, and I've only used built-in nat for outbound traffic. I'd like > to redirect certain ports on certain addresses to the same ports on > internal (RFC1918) addresses. T

Re: ipfw: getsockopt(IP_FW_ADD): Invalid argument

2011-07-06 Thread Ian Smith
On Wed, 6 Jul 2011, Unga wrote: > On Tue, 7/5/11, Ian Smith wrote: > > > Does anybody successfully use the "ipfw fwd"? If so > > > in which FreeBSD version? > > > Not I, but many do.  On the face of it the rule looks > > correct.  Do you > > have a TCP service running on localhost:1234 ? 

Re: ipfw: getsockopt(IP_FW_ADD): Invalid argument

2011-07-06 Thread Unga
--- On Tue, 7/5/11, Ian Smith wrote: > > Does anybody successfully use the "ipfw fwd"? If so > in which FreeBSD version? > > Not I, but many do.  On the face of it the rule looks > correct.  Do you > have a TCP service running on localhost:1234 ?  Does > wlan0 exist?  You > may do better po

Re: ipfw: getsockopt(IP_FW_ADD): Invalid argument

2011-07-05 Thread Unga
--- On Tue, 7/5/11, Ian Smith wrote: > From: Ian Smith > Subject: Re: ipfw: getsockopt(IP_FW_ADD): Invalid argument > To: "Unga" > Cc: freebsd-questions@freebsd.org > Date: Tuesday, July 5, 2011, 5:14 PM > In freebsd-questions Digest, Vol 370, > Issue 2, Message

Re: ipfw: getsockopt(IP_FW_ADD): Invalid argument

2011-07-05 Thread Ian Smith
In freebsd-questions Digest, Vol 370, Issue 2, Message: 14 On Mon, 4 Jul 2011 09:11:07 -0700 (PDT) Unga wrote: > --- On Mon, 7/4/11, Unga wrote: > > > From: Unga > > Subject: ipfw: getsockopt(IP_FW_ADD): Invalid argument > > To: freebsd-questions@freebsd.org > > Date: Monday, July 4, 2011

Re: ipfw: getsockopt(IP_FW_ADD): Invalid argument

2011-07-04 Thread Unga
--- On Mon, 7/4/11, Unga wrote: > From: Unga > Subject: ipfw: getsockopt(IP_FW_ADD): Invalid argument > To: freebsd-questions@freebsd.org > Date: Monday, July 4, 2011, 11:48 AM > Hi all > > Following ipfw rule develop error indicated in the subject > line: > ipfw add 100 fwd 127.0.0.1,1234 tcp

Re: ipfw nat inbound keep-state with net.inet.ip.fw.one_pass=0

2011-06-25 Thread Ian Smith
On Thu, 23 Jun 2011, umage wrote: > Some points: > 1) I did use the handbook as reference, and my ruleset mimics the layout used > there. Excuse the late response, I've been away. The best reference, apart from ipfw(8), is /etc/rc.firewall. 'Nuff said. > 2) Handbook uses divert natd, whic

Re: ipfw nat inbound keep-state with net.inet.ip.fw.one_pass=0

2011-06-23 Thread umage
Some points: 1) I did use the handbook as reference, and my ruleset mimics the layout used there. 2) Handbook uses divert natd, which I used until I switched to the kernel nat approach. 3) I did not find any concrete examples of ipfw nat rule usage, so I'm using them the old natd way. I did s

Re: ipfw nat inbound keep-state with net.inet.ip.fw.one_pass=0

2011-06-23 Thread Ian Smith
In freebsd-questions Digest, Vol 368, Issue 6, Message: 21 On Tue, 21 Jun 2011 20:16:32 +0200 umage wrote: > Hi, I'm an ipfw user that finally got the opportunity to set up NAT on > an interface with a public IP. I was doing some multi-homing experiments > using ipfw fwd combined with outbound

Re: IPFW at startup.

2010-11-15 Thread Ian Smith
In freebsd-questions Digest, Vol 337, Issue 2, Message: 26 On Mon, 15 Nov 2010 10:52:41 -0800 Dave Robison wrote: > I haven't seen someone use "firewall_type" as a path to the config file. It's not so uncommon. Anyone who's based their ruleset on the handbook section on IPFW will likely be u

Re: IPFW at startup.

2010-11-15 Thread David Kelly
On Mon, Nov 15, 2010 at 10:52:41AM -0800, Dave Robison wrote: > I haven't seen someone use "firewall_type" as a path to the config > file. If you check the default rc.firewall file, you will see several > types of default firewall settings, such as "open" and "closed". You > want to set "firewall_t

Re: IPFW at startup.

2010-11-15 Thread Chuck Swiger
Hi-- On Nov 15, 2010, at 10:52 AM, Dave Robison wrote: > I haven't seen someone use "firewall_type" as a path to the config file. If > you check the default rc.firewall file, you will see several types of default > firewall settings, such as "open" and "closed". You want to set > "firewall_type

Re: IPFW at startup.

2010-11-15 Thread Dave Robison
I haven't seen someone use "firewall_type" as a path to the config file. If you check the default rc.firewall file, you will see several types of default firewall settings, such as "open" and "closed". You want to set "firewall_type" in rc.conf to be "open" or whatever your firewall type is in

Re: IPFW at startup.

2010-11-15 Thread Коньков Евгений
Hello, Grant. You wrote on 15 November 2010 at 0:50:47: GP> Hi all, GP> I seem to have one server that does not flush the /etc/rc.firewall rules GP> when the script taken from "firewall_type" starts up. That is to say when I GP> boot the machine, 3 rules seem to be still in the list when I d

Re: IPFW at startup.

2010-11-15 Thread Ian Smith
In freebsd-questions Digest, Vol 337, Issue 1, Message: 15 On Sun, 14 Nov 2010 17:50:47 -0500 "Grant Peel" wrote: > > I seem to have one server that does not flush the /etc/rc.firewall rules > when the script taken from "firewall_type" starts up. That is to say when I > boot the machine, 3

Re: IPFW at startup.

2010-11-15 Thread Chris Rees
It's not a great idea to hack the rc.d scripts, they can be clobbered when updating. Chris Sorry for top-posting, Android won't let me quote, but K-9 can't yet do threading. On 15 Nov 2010 08:45, "Wojciech Puchar" wrote: simply edit /etc/rc.d/ipfw and make it doing only what you want

Re: IPFW at startup.

2010-11-15 Thread Wojciech Puchar
Simply edit /etc/rc.d/ipfw and make it do only what you want. On Sun, 14 Nov 2010, Grant Peel wrote: Hi all, I seem to have one server that does not flush the /etc/rc.firewall rules when the script taken from "firewall_type" starts up. That is to say when I boot the machine, 3 rules seem

Re: IPFW firewall and TCP ports

2010-09-30 Thread Ian Smith
On Thu, 30 Sep 2010, Ian Smith wrote: > countries are long gone. For some scientific (and policy) rationale of > the increasingly fragmented nature of new allocations down to /22 (ie 64 > IP addresses) have a look at http://www.potaroo.net/tools/ipv4/ Oops; a /22 allocation is of course 4 t

Re: IPFW firewall and TCP ports

2010-09-30 Thread Ian Smith
In freebsd-questions Digest, Vol 330, Issue 5, Message: 1 On Wed, 29 Sep 2010 08:16:47 -0400 Carmel wrote: > While perusing my Apache httpd-error.log, I noticed a large number of > attempts to access my phpmyadmin directory, as well as a few less known > others. Most of these probes originated

Re: IPFW firewall and TCP ports

2010-09-29 Thread Bas Smeelen
On 09/29/2010 02:16 PM, Carmel wrote: > While perusing my Apache httpd-error.log, I noticed a large number of > attempts to access my phpmyadmin directory, as well as a few less known > others. Most of these probes originated from China. Since I have no > legitimate business dealing with that region

Re: ipfw fwd for transparent proxy (squid) - but, not on loopback

2010-09-13 Thread Nathan Vidican
On Mon, Sep 13, 2010 at 11:53 AM, Nathan Vidican wrote: > > Hey all - I've been trying to implement a transparent proxy for all outgoing > traffic to port 80 to forward to a proxy server. The problem is that the > proxy itself resides on a different host than the forward rule does. Has > anyone

Re: ipfw fwd and ipfw allow

2010-09-12 Thread Victor Sudakov
per...@pluto.rain.com wrote: > > > ... the 'fwd ... keep-state' statement does create a useful > > dynamic rule. It contradicts the ipfw(8) man page but works ... > > Hopefully someone who understands all this will submit a patch > for the man page :) The man page says that the "Dynamic rules wi

Re: ipfw fwd and ipfw allow

2010-09-11 Thread perryh
Victor Sudakov wrote: > ... the 'fwd ... keep-state' statement does create a useful > dynamic rule. It contradicts the ipfw(8) man page but works ... Hopefully someone who understands all this will submit a patch for the man page :)

Re: ipfw fwd and ipfw allow

2010-09-10 Thread Victor Sudakov
Nikos Vassiliadis wrote: > >A packet generated locally 1) should be forwarded by a 'fwd' > >rule and 2) should create a dynamic 'allow' rule for returning > >traffic. Could you please suggest a ruleset for this. > > The fw has the 10.0.0.1 IP address. > The 10.0.0.100 IP address belongs to anothe

Re: ipfw fwd and ipfw allow

2010-09-08 Thread Nikos Vassiliadis
On 9/7/2010 5:52 PM, Victor Sudakov wrote: A packet generated locally 1) should be forwarded by a 'fwd' rule and 2) should create a dynamic 'allow' rule for returning traffic. Could you please suggest a ruleset for this. The fw has the 10.0.0.1 IP address. The 10.0.0.100 IP address belongs to

Re: ipfw fwd and ipfw allow

2010-09-07 Thread Victor Sudakov
Nikos Vassiliadis wrote: > >>>Am I asking something unreasonable? > >> > >>Not really, but if you ask, one could say that IPFW is a "first > >>match wins" firewall, so a fwd or an allow action would be the > >>terminal one. You must design your rules accordingly. > >> > >>There is also the skipto a

Re: ipfw fwd and ipfw allow

2010-09-07 Thread Nikos Vassiliadis
On 9/7/2010 2:00 PM, Victor Sudakov wrote: Nikos Vassiliadis wrote: Am I asking something unreasonable? Not really, but if you ask, one could say that IPFW is a "first match wins" firewall, so a fwd or an allow action would be the terminal one. You must design your rules accordingly. There is

Re: ipfw fwd and ipfw allow

2010-09-07 Thread Victor Sudakov
Nikos Vassiliadis wrote: > >Am I asking something unreasonable? > > Not really, but if you ask, one could say that IPFW is a "first > match wins" firewall, so a fwd or an allow action would be the > terminal one. You must design your rules accordingly. > > There is also the skipto action which ca

Re: ipfw fwd and ipfw allow

2010-09-07 Thread Nikos Vassiliadis
On 9/7/2010 12:00 PM, Victor Sudakov wrote: Am I asking something unreasonable? Not really, but if you ask, one could say that IPFW is a "first match wins" firewall, so a fwd or an allow action would be the terminal one. You must design your rules accordingly. There is also the skipto action w

Re: ipfw fwd and ipfw allow

2010-09-07 Thread Victor Sudakov
Am I asking something unreasonable? Victor Sudakov wrote: > > What tricks do you use if you need to allow a packet and then fwd > it (or vice versa)? The search terminates and the packet quits ipfw on > "fwd" as well as on "allow". > > How do I allow a packet and then policy route it? An example

Re: ipfw

2010-08-26 Thread Matthew Seaman
On 26/08/2010 12:56, Grant Peel wrote: > I am running FreeBSD 8, and am assuming I am using ipfw2 > > How does one find the current version of IPFW being used? Base system utilities generally don't have a separate version number -- other than the SVN revision numbers of their source code files.

Re: IPFW with MAC address configuration

2010-07-31 Thread Ian Smith
In freebsd-questions Digest, Vol 321, Issue 12, Message: 31 On Fri, 30 Jul 2010 07:18:40 -0400 Carmel wrote: > I am trying to set up a rule using IPFW that utilizes a MAC address > rather than an IP one. > > ipfw -q allow log tcp from MAC 00-14-A4-43-8E-BA to me 137 in via nfe0 setup > kee

Re: IPFW with MAC address configuration

2010-07-30 Thread Bas Smeelen
> On 07/30/2010 01:18 PM, Carmel wrote: > >> I am trying to set up a rule using IPFW that utilizes a MAC address >> rather than an IP one. >> >> ipfw -q allow log tcp from MAC 00-14-A4-43-8E-BA to me 137 in via nfe0 setup >> keep-state >> >> Would that work, assuming the machine I want to allo

Re: IPFW with MAC address configuration

2010-07-30 Thread Bas Smeelen
On 07/30/2010 01:18 PM, Carmel wrote: > I am trying to set up a rule using IPFW that utilizes a MAC address > rather than an IP one. > > ipfw -q allow log tcp from MAC 00-14-A4-43-8E-BA to me 137 in via nfe0 setup > keep-state > > Would that work, assuming the machine I want to allow access has th

Re: ipfw nat and jails on loopback - is it possible?

2010-07-19 Thread Michael
On 19/07/2010 10:05, Aiza wrote: you have to put your hosts /etc/resolve.conf in each jail before you can get network connection. I did. It contains: nameserver 208.67.222.222 nameserver 208.67.220.220 I believe that it's not a problem with jail configuration because NAT works fine on the

Re: ipfw nat and jails on loopback - is it possible?

2010-07-19 Thread Aiza
Michael wrote: Hello. Does anybody have a working configuration with ipfw nated jails on the loopback interface? It simply doesn't work on my system. I can not get any connections to the outside world from within a jail. FreeBSD 8.0-p3 amd64 laptop connected to internet via wlan0 (ath0) with 192.168

Re: ipfw nat and jails on loopback - is it possible?

2010-07-09 Thread Randal L. Schwartz
> "Michael" == Michael writes: Michael> Does anybody have a working configuration with ipfw nated jails Michael> on the loopback interface? I noticed in my pf.conf that I had "set skip on lo". I changed that to "set skip on lo0" (still advisable), and then created an "lo1" using ipv4_addrs_l

Re: ipfw/natd in 8.1

2010-05-28 Thread Коньков Евгений
Hello, Casey. 00300 0 0 deny ip from 192.168.0.0/16 to any in via fxp0 00301 0 0 deny ip from 172.16.0.0/12 to any in via fxp0 00302 0 0 deny ip from 10.0.0.0/8 to any in via fxp0 00303 0 0 deny ip from 127.0.0.0/8 to any in via fxp0 00304 0
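The listing in the post above is in the format of `ipfw -a list` (equivalently `ipfw show`): rule number, packet counter, byte counter, then the rule body. As an added example that is not part of the thread, this POSIX sh/awk function reads such a listing and reports only the deny rules whose packet counter is nonzero, which is the quick way to see whether private-address bogon filters like rules 300 to 303 are actually being hit from the outside. The sample listing embedded below is constructed: the rules are taken from the post, the counters are made up.

```shell
#!/bin/sh
# Added example, not from the thread: list deny rules that have matched
# packets, from `ipfw -a list` / `ipfw show` output
# (columns: rule pkts bytes body...). Do not pass -t, which inserts a
# last-match timestamp before the body and shifts the columns.

# Constructed sample in that format; rules come from the post, counters are
# made up so that two bogon filters and the final logging deny show hits.
SAMPLE_LISTING='00300 0 0 deny ip from 192.168.0.0/16 to any in via fxp0
00301 17 1020 deny ip from 172.16.0.0/12 to any in via fxp0
00302 0 0 deny ip from 10.0.0.0/8 to any in via fxp0
00303 4 240 deny ip from 127.0.0.0/8 to any in via fxp0
00400 9821 6123480 allow tcp from any to any established
65534 2 120 deny log logamount 5 ip from any to any
65535 0 0 deny ip from any to any'

# hit_deny_rules [file]: reads a listing (stdin by default) and prints
# "rule pkts body" for every deny rule with a nonzero packet count.
hit_deny_rules() {
    awk '$4 == "deny" && $2 + 0 > 0 {
        printf "%s %s", $1, $2
        for (i = 4; i <= NF; i++) printf " %s", $i
        printf "\n"
    }' "$@"
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | hit_deny_rules
```

On the router itself, `ipfw -a list | hit_deny_rules` gives the live view; `ipfw zero` resets the counters so a fresh run shows only new hits, and for rules that use `log logamount N`, logging stops once N entries have been written until `ipfw resetlog` is run, so a rule can keep matching (counter rising) while nothing new appears in the security log.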

Re: ipfw natd rules not loading on startup

2010-05-14 Thread Polytropon
Just a sidenote: On Sat, 15 May 2010 02:33:10 +0200, umage wrote: > However, if I > run the script manually, or call it from the end of /etc/rc, it will add > these rules as well. Currently I am using a workaround. It's not a good idea to modify /etc/rc. In your case, using the mechanisms of /e

Re: ipfw natd rules not loading on startup

2010-05-14 Thread Jonathan Chen
On Sat, May 15, 2010 at 02:33:10AM +0200, umage wrote: > I performed a kernel+world update of my freebsd router, RELENG_8 branch, > apparently from the version 6 months ago to current. I use ipfw and a > shell script that gets loaded at startup. I noticed after rebooting that > ipfw did not load tw

Re: IPFW and separate data files.

2010-04-13 Thread Steve Bertrand
On 2010.04.12 14:15, Jerry wrote: > On Mon, 12 Apr 2010 10:04:48 -0400, Steve Bertrand > articulated: > >> On 2010.04.11 11:57, Jerry wrote: >>> I am using IPFW on a FreeBSD-7.3 machine. Presently, I am loading >>> several tables for IPFW. So far, I have just keep the data for the >>> tables in t

Re: IPFW and separate data files.

2010-04-12 Thread Steve Bertrand
On 2010.04.11 11:57, Jerry wrote: > I am using IPFW on a FreeBSD-7.3 machine. Presently, I am loading > several tables for IPFW. So far, I have just keep the data for the > tables in the actual "ipfw-rules" referenced in the 'rc.conf' file > itself. What I would like to do is keep the data for thes

Re: IPFW and Fail2Ban

2010-04-03 Thread Mike L
On Sat, Apr 3, 2010 at 6:29 AM, Carmel NY wrote: > I am having an exceedingly hard time finding documentation on Fail2Ban > on FreeBSD. In fact, documentation on Fail2Ban seems rather sparse to > begin with. > > In any case, does Fail2Ban work with the IPFW firewall on FreeBSD? Does > it do it na

Re: IPFW and Fail2Ban

2010-04-03 Thread Adam Vande More
On Sat, Apr 3, 2010 at 7:30 AM, Carmel NY wrote: > > > Nothing at all, I am just exploring other avenues. Fail2Ban can > potentially block more attacks than denyhosts can though. > In what way? denyhosts can do more than simply ssh monitoring/blocking. It has a plugin system for extensibility.

Re: IPFW and Fail2Ban

2010-04-03 Thread Carmel NY
On Sat, 3 Apr 2010 06:49:33 -0600, Adam Vande More articulated: > On Sat, Apr 3, 2010 at 4:29 AM, Carmel NY > wrote: > > > I am having an exceedingly hard time finding documentation on > > Fail2Ban on FreeBSD. In fact, documentation on Fail2Ban seems > > rather sparse to begin with. > > > > In

Re: IPFW and Fail2Ban

2010-04-03 Thread Adam Vande More
On Sat, Apr 3, 2010 at 4:29 AM, Carmel NY wrote: > I am having an exceedingly hard time finding documentation on Fail2Ban > on FreeBSD. In fact, documentation on Fail2Ban seems rather sparse to > begin with. > > In any case, does Fail2Ban work with the IPFW firewall on FreeBSD? Does > it do it na

RE: ipfw weirdness after csup/buildworld

2010-04-01 Thread Terrence Koeman
I've seen the same, see: http://forums.freebsd.org/showthread.php?p=75765 -- Regards, T. Koeman, MTh/BSc/BPsy; Technical Monk MediaMonks B.V. (www.mediamonks.com) Please quote all replies in correspondence. > -Original Message- > From: owner-freebsd-questi...@freebsd.org [mailto:owner-f

Re: ipfw and ssh problem

2010-03-26 Thread Tongai. T Zimbiti
Thanks Peter, will give that a try. regards Tongai Peter wrote: Hi guys, I have searched everywhere and failed to find a solution, hence I write you. I have installed 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERI

Re: ipfw and ssh problem

2010-03-26 Thread krad
On 26 March 2010 08:02, Peter wrote: > > Hi guys, > > > > I have searched everywhere and failed to find a solution, hence I write > > you. > > I have installed 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 > > UTC 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC > > amd6

Re: ipfw and ssh problem

2010-03-26 Thread Peter
> Hi guys, > > I have searched everywhere and failed to find a solution, hence I write > you. > I have installed 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 > UTC 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC > amd64 > together with ipfw. The problem I have is this, i

Re: ipfw: limit bandwidth

2010-01-29 Thread Martin Schweizer
Hello. Sorry for the delay. I read the man page again and used the example which is described there and, however, now it works as expected (I tried it many, many times). Thanks again. Regards, Коньков Евгений wrote: Hello, Martin. First of all you must decide whether you want your shaper rule to ac

Re: ipfw: limit bandwidth

2010-01-27 Thread Коньков Евгений
Hello, Martin. First of all you must decide whether you want your shaper rule to act as an allow rule or not: kes# sysctl -a | grep one_pass net.inet.ip.fw.one_pass: 0 or 1 man ipfw pipe pipe_nr Pass packet to a dummynet(4) ``pipe'' (for bandwidth limitation, delay, etc.). See t

Re: ipfw breaking smtp conversations

2009-11-04 Thread krad
2009/11/4 Alex Teslik > Hi List, > > I'm having trouble with mail deliveries. I'm getting lots of error > messages like: > > timeout writing message to mx3.comcast.net.: Broken pipe > timeout writing message to mailserver2.telmex.net.co.: Resource > temporarily > unavailable > > After looking e
