Re: ipfw firewall questions

2003-02-02 Thread Petre Bandac
ipf & ipfw are something like iptables & ipchains? Both tools do the same job?



On Sunday 02 February 2003 20:26 Anno Domini, JoeB wrote using one of his 
keyboards:
> There are 3 classes of rules in IPFW, each class has separate packet
> interrogation abilities. Each succeeding class has greater packet
> interrogation abilities than the previous one. These are stateless,
> simple stateful, and advanced stateful. The advanced stateful rule
> class is the only class having technically advanced interrogation
> abilities capable of defending against the flood of different attack
> methods currently employed by perpetrators. Stateless and Simple
> Stateful IPFW firewall rules are inadequate to protect the user's
> system in today's internet environment and leave the user
> unknowingly believing they are protected when in reality they are
> not.
>
> The advanced stateful rule option keep-state works as documented
> only when used in a rule set that does not use the divert rule.
> Simply stated, the IPFW advanced stateful rule option keep-state does
> not function correctly when used in an IPFW firewall that also is
> using the IPFW built-in NATD function. For the most complete
> keep-state protection the other FIREWALL solution (IPFILTER) that
> comes with FBSD should be used. Just check out the IPFW list archives
> and you will see this subject discussed in detail without any
> solution forthcoming.
>
> http://www.obfuscation.org/ipf/
>
> http://www.obfuscation.org/ipf/ipf-howto.html
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Petre Bandac
> Sent: Sunday, February 02, 2003 4:51 AM
> To: [EMAIL PROTECTED]
> Subject: ipfw firewall questions
>
> hello
>
> I'm about to "compose" my first ipfw firewall - and, since I have
> worked quite a lot with iptables, I'm interested in a few minor
> similarities:
>
> 1 - the firewall is called by rc.conf? or can I call it at boot time
> via whatever *.sh placed in the right place
>
> 2 - the firewall can be an executable bash script (i.e. like a
> regular linux firewall, with variables like myIP="192.168.0.0")?
>
> I guess the rest is covered in the docs I have carefully RTFM :-)
>
> thanks,
>
> petre

-- 
Login: petre  Name: Petre Bandac
Directory: /home/petre  Shell: /usr/local/bin/zsh
On since Sun Feb  2 13:56 (EET) on ttyv0, idle 8:51 (messages off)
Last login Sun Feb  2 20:03 (EET) on ttyp0 from ns.rdsbv.ro
No Mail.
No Plan.


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



RE: ipfw firewall questions

2003-02-02 Thread JoeB
There are 3 classes of rules in IPFW, each class has separate packet
interrogation abilities. Each succeeding class has greater packet
interrogation abilities than the previous one. These are stateless,
simple stateful, and advanced stateful. The advanced stateful rule
class is the only class having technically advanced interrogation
abilities capable of defending against the flood of different attack
methods currently employed by perpetrators. Stateless and Simple
Stateful IPFW firewall rules are inadequate to protect the user's
system in today's internet environment and leave the user
unknowingly believing they are protected when in reality they are
not.

The advanced stateful rule option keep-state works as documented
only when used in a rule set that does not use the divert rule.
Simply stated, the IPFW advanced stateful rule option keep-state does
not function correctly when used in an IPFW firewall that also is
using the IPFW built-in NATD function. For the most complete
keep-state protection the other FIREWALL solution (IPFILTER) that
comes with FBSD should be used. Just check out the IPFW list archives
and you will see this subject discussed in detail without any
solution forthcoming.

http://www.obfuscation.org/ipf/

http://www.obfuscation.org/ipf/ipf-howto.html





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Petre Bandac
Sent: Sunday, February 02, 2003 4:51 AM
To: [EMAIL PROTECTED]
Subject: ipfw firewall questions

hello

I'm about to "compose" my first ipfw firewall - and, since I have
worked quite a lot with iptables, I'm interested in a few minor
similarities:

1 - the firewall is called by rc.conf? or can I call it at boot time
via whatever *.sh placed in the right place

2 - the firewall can be an executable bash script (i.e. like a
regular linux firewall, with variables like myIP="192.168.0.0")?

I guess the rest is covered in the docs I have carefully RTFM :-)

thanks,

petre


--
Login: petre  Name: Petre Bandac
Directory: /home/petre  Shell: /usr/local/bin/zsh
On since Fri Jan 31 20:40 (EET) on ttyv1, idle 1 day 14:58 (messages off)
On since Sun Feb  2 09:28 (EET) on ttyp0, idle 1:15, from :0
On since Sun Feb  2 09:43 (EET) on ttyp1, idle 1:31, from :0
On since Fri Jan 31 23:46 (EET) on ttyp2, idle 0:02, from :0
On since Sun Feb  2 11:07 (EET) on ttyp3, idle 0:24, from :0
No Mail.
No Plan.







Re: ipfw firewall questions

2003-02-02 Thread Matthew Seaman
On Sun, Feb 02, 2003 at 11:50:52AM +0200, Petre Bandac wrote:
> hello
> 
> I'm about to "compose" my first ipfw firewall - and, since I have worked quite
> a lot with iptables, I'm interested in a few minor similarities:
>
> 1 - the firewall is called by rc.conf? or can I call it at boot time via
> whatever *.sh placed in the right place

A typical setup is that the /etc/rc.firewall script sets up
firewalling for IPv4, possibly with /etc/rc.firewall6 doing the
equivalent for IPv6.  The rc.firewall script contains options to load
various pre-canned ipfw(8) rulesets, or you can load a custom ipfw(8)
ruleset through it.

The rc.firewall{,6} script behaviours are controlled by setting
variables in /etc/rc.conf.  Default values (from
/etc/defaults/rc.conf) are:

% grep firewall /etc/defaults/rc.conf
### Basic network and firewall/security options: ###
firewall_enable="NO"            # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
firewall_type="UNKNOWN"         # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="NO"           # Set to YES to enable events logging
firewall_flags=""               # Flags passed to ipfw when type is a file
natd_enable="NO"                # Enable natd (if firewall_enable == YES).
ipv6_firewall_enable="NO"       # Set to YES to enable IPv6 firewall
ipv6_firewall_script="/etc/rc.firewall6"  # Which script to run to set up the IPv6 firewall
ipv6_firewall_type="UNKNOWN"    # IPv6 Firewall type (see /etc/rc.firewall6)
ipv6_firewall_quiet="NO"        # Set to YES to suppress rule display
ipv6_firewall_logging="NO"      # Set to YES to enable events logging
ipv6_firewall_flags=""          # Flags passed to ip6fw when type is a file

Although setting 'firewall_enable' to 'yes' will work with a standard
system, by causing the ipfw.ko module to be loaded into a GENERIC
kernel, check /usr/src/sys/i386/conf/LINT (FreeBSD 4.x) or
/usr/src/sys/conf/NOTES (FreeBSD 5.0) for some extra functionality you
can enable by building yourself a custom kernel.

Alternatively you can use ipf(8) which is a second firewall flavour
but with much the same functionality.  If you aren't doing anything
tricky like traffic shaping or QoS, which one you choose is mostly a
matter of taste:

% grep ipf defaults/rc.conf
firewall_flags=""               # Flags passed to ipfw when type is a file
ipfilter_enable="NO"            # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
                                # /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags=""               # additional flags for ipfilter
ipmon_enable="NO"               # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon"     # where the ipfilter monitor program lives
ipmon_flags="-Ds"               # typically "-Ds" or "-D /var/log/ipflog"
ipfs_enable="NO"                # Set to YES to enable saving and restoring
ipfs_program="/sbin/ipfs"       # where the ipfs program lives
ipfs_flags=""                   # additional flags for ipfs
ipv6_ipfilter_rules="/etc/ipf6.rules"   # rules definition file for ipfilter,
                                # see /usr/src/contrib/ipfilter/rules

The ipf(8) firewalling is started out of /etc/rc.network --- it's
possible and sometimes useful to run ipfw(8) and ipf(8)
simultaneously.

Finally, you can write your own script and call it in place of
rc.firewall by setting the 'firewall_script' variable.  This method is
generally used to run a skeleton firewall ruleset through a
preprocessor to substitute in local interface addresses etc.

> 2 - the firewall can be an executable bash script (i.e. like a regular linux
> firewall, with variables like myIP="192.168.0.0")?

Basically, yes.  However bash is not supplied with the FreeBSD system
--- you can install it as /usr/local/bin/bash from ports, or
(preferably) use the system supplied /bin/sh for writing startup
scripts.  /bin/sh is a POSIX compliant Bourne Shell with broadly
equivalent *programming* capabilities to bash (/bin/sh doesn't have
the same sort of support for interactive use though).  Syntax is very
similar to bash with a few significant differences to keep you on your
toes.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK

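As an added example (not code from this thread, and not FreeBSD's own rc.firewall), here is what Matthew's "write your own script and point firewall_script at it" and Petre's "variables like myIP" look like together, for a single host without NAT: a /bin/sh ruleset using the check-state/keep-state pattern that JoeB's post calls advanced stateful. The interface name fxp0, the address 192.0.2.10 and the path /usr/local/etc/ipfw.rules are assumptions for illustration. The script contains no divert rule, so it sidesteps the keep-state/natd interaction JoeB describes rather than claiming to solve it. It avoids bashisms so it runs under the system /bin/sh that rc.network sources it with.

```shell
#!/bin/sh
# Added example: a custom ipfw ruleset for a single FreeBSD host, loaded the
# way Matthew describes (firewall_script in /etc/rc.conf) and using the
# shell variables Petre asked about.  This is not code from the thread.
#
# Assumed rc.conf settings that go with it:
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/ipfw.rules"   # this file (assumed path)
#   firewall_logging="YES"                         # lets the final "deny log" log
#
# Written for /bin/sh: no arrays, no [[ ]], no ${var//pattern/repl}.

oif="${oif:-fxp0}"              # assumed: the interface facing the Internet
myip="${myip:-192.0.2.10}"      # assumed: this host's address on $oif
fwcmd="${fwcmd:-/sbin/ipfw -q}" # -q: don't echo each rule as it is loaded

# Print the ruleset as "add NNNNN ..." lines and run nothing.  The output is
# what ipfw accepts from a rule file, so the same text also works with
# firewall_type="/path/to/file" in rc.conf (flags go in firewall_flags).
#   $1 = outside interface, $2 = this host's address
#
# The stateful pattern: check-state (200) consults the dynamic table first;
# 210 then refuses any TCP segment that is neither a connection start nor
# covered by state; each "setup keep-state" rule admits one new connection
# and records it, so return traffic needs no explicit rule.  410 lets in the
# ICMP errors (unreachable, source quench, time exceeded) that path-MTU
# discovery and traceroute depend on.  500 is the explicit, logged default.
ipfw_rules() {
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
add 00200 check-state
add 00210 deny tcp from any to any established
add 00300 allow tcp from $2 to any out via $1 setup keep-state
add 00310 allow udp from $2 to any 53 out via $1 keep-state
add 00320 allow icmp from $2 to any out via $1 keep-state
add 00400 allow tcp from any to $2 22 in via $1 setup keep-state
add 00410 allow icmp from any to $2 in via $1 icmptypes 3,4,11
add 00500 deny log ip from any to any
EOF
}

# Sanity-check a ruleset read from stdin before it touches the kernel: every
# line must be an "add" with a five-digit number, numbers must increase, and
# the last rule must be a deny so nothing falls through to the kernel default.
# Returns 0 when the set passes, 1 otherwise.
check_rules() {
    prev=0
    last=""
    while read -r kw num rest; do
        [ "$kw" = add ] || return 1
        case "$num" in
            [0-9][0-9][0-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$num" -gt "$prev" ] || return 1
        prev=$num
        last=$rest
    done
    case "$last" in
        deny*) return 0 ;;
        *) return 1 ;;
    esac
}

# Flush the current set and feed each generated line to ipfw.  The unquoted
# $line is deliberate: it must split into "add 00100 allow ip ...".
apply_rules() {
    $fwcmd -f flush
    ipfw_rules "$oif" "$myip" | while read -r line; do
        $fwcmd $line
    done
}

# On a real FreeBSD box, run as root (e.g. sourced from rc.network), load the
# rules; anywhere else, or as an ordinary user, just print them for review.
if ipfw_rules "$oif" "$myip" | check_rules; then
    if [ -x /sbin/ipfw ] && [ "$(id -u)" = 0 ]; then
        apply_rules
    else
        ipfw_rules "$oif" "$myip"
    fi
else
    echo "ipfw.rules: generated ruleset failed the sanity check, not loading" >&2
fi
```

Run it as an ordinary user (`sh /usr/local/etc/ipfw.rules`) to see the exact rules before enabling it at boot. The sanity check refuses to load a set whose last rule is not a deny, so an editing slip that drops the final rule leaves the kernel's default in place rather than loading a half-written set.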