Re: ipfw firewall questions
ipf & ipfw are something like iptables & ipchains ? both tools do the same job ?

On Sunday 02 February 2003 20:26 Anno Domini, JoeB wrote using one of his keyboards:
> There are 3 classes of rules in IPFW, each class has separate packet
> interrogation abilities. Each proceeding class has greater packet
> interrogation abilities than the previous one. These are stateless,
> simple stateful, and advanced stateful. The advanced stateful rule
> class is the only class having technically advanced interrogation
> abilities capable of defending against the flood of different attack
> methods currently employed by perpetrators. Stateless and Simple
> Stateful IPFW firewall rules are inadequate to protect the user's
> system in today's internet environment and leave the user
> unknowingly believing they are protected when in reality they are
> not.
>
> The advanced stateful rule option keep-state works as documented
> only when used in a rule set that does not use the divert rule.
> Simply stated, the IPFW advanced stateful rule option keep-state does
> not function correctly when used in an IPFW firewall that also is
> using the IPFW built-in NATD function. For the most complete
> keep-state protection the other FIREWALL solution (IPFILTER) that
> comes with FBSD should be used. Just check out the IPFW list archives
> and you will see this subject discussed in detail without any
> solution forthcoming.
>
> http://www.obfuscation.org/ipf/
> http://www.obfuscation.org/ipf/ipf-howto.html
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Petre Bandac
> Sent: Sunday, February 02, 2003 4:51 AM
> To: [EMAIL PROTECTED]
> Subject: ipfw firewall questions
>
> hello
>
> I'm about to "compose" my first ipfw firewall - and, since I have
> worked quite a lot with iptables, I'm interested in a few minor
> similarities:
>
> 1 - the firewall is called by rc.conf ? or can I call it at boot time
> via whatever *.sh placed in the right place
>
> 2 - the firewall can be an executable bash script (i.e. like a
> regular linux firewall, with variables like myIP="192.168.0.0") ?
>
> I guess the rest is covered in the docs I have carefully RTFM :-)
>
> thanks,
>
> petre

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
RE: ipfw firewall questions
There are 3 classes of rules in IPFW, each class has separate packet
interrogation abilities. Each proceeding class has greater packet
interrogation abilities than the previous one. These are stateless,
simple stateful, and advanced stateful. The advanced stateful rule
class is the only class having technically advanced interrogation
abilities capable of defending against the flood of different attack
methods currently employed by perpetrators. Stateless and Simple
Stateful IPFW firewall rules are inadequate to protect the user's
system in today's internet environment and leave the user
unknowingly believing they are protected when in reality they are
not.

The advanced stateful rule option keep-state works as documented
only when used in a rule set that does not use the divert rule.
Simply stated, the IPFW advanced stateful rule option keep-state does
not function correctly when used in an IPFW firewall that also is
using the IPFW built-in NATD function. For the most complete
keep-state protection the other FIREWALL solution (IPFILTER) that
comes with FBSD should be used. Just check out the IPFW list archives
and you will see this subject discussed in detail without any
solution forthcoming.

http://www.obfuscation.org/ipf/
http://www.obfuscation.org/ipf/ipf-howto.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Petre Bandac
Sent: Sunday, February 02, 2003 4:51 AM
To: [EMAIL PROTECTED]
Subject: ipfw firewall questions

hello

I'm about to "compose" my first ipfw firewall - and, since I have
worked quite a lot with iptables, I'm interested in a few minor
similarities:

1 - the firewall is called by rc.conf ? or can I call it at boot time
via whatever *.sh placed in the right place

2 - the firewall can be an executable bash script (i.e. like a
regular linux firewall, with variables like myIP="192.168.0.0") ?

I guess the rest is covered in the docs I have carefully RTFM :-)

thanks,

petre
Re: ipfw firewall questions
On Sun, Feb 02, 2003 at 11:50:52AM +0200, Petre Bandac wrote:
> hello
>
> I'm about to "compose" my first ipfw firewall - and, since I have worked quite
> a lot with iptables, I'm interested in a few minor similarities:
>
> 1 - the firewall is called by rc.conf ? or can I call it at boot time via
> whatever *.sh placed in the right place

A typical setup is that the /etc/rc.firewall script sets up firewalling
for IPv4, possibly with /etc/rc.firewall6 doing the equivalent for IPv6.
The rc.firewall script contains options to load various pre-canned
ipfw(8) rulesets, or you can load a custom ipfw(8) ruleset through it.
The rc.firewall{,6} script behaviours are controlled by setting variables
in /etc/rc.conf. Default values (from /etc/defaults/rc.conf) are:

    % grep firewall /etc/defaults/rc.conf
    ### Basic network and firewall/security options: ###
    firewall_enable="NO"                # Set to YES to enable firewall functionality
    firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
    firewall_type="UNKNOWN"             # Firewall type (see /etc/rc.firewall)
    firewall_quiet="NO"                 # Set to YES to suppress rule display
    firewall_logging="NO"               # Set to YES to enable events logging
    firewall_flags=""                   # Flags passed to ipfw when type is a file
    natd_enable="NO"                    # Enable natd (if firewall_enable == YES).
    ipv6_firewall_enable="NO"           # Set to YES to enable IPv6 firewall
    ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall
    ipv6_firewall_type="UNKNOWN"        # IPv6 Firewall type (see /etc/rc.firewall6)
    ipv6_firewall_quiet="NO"            # Set to YES to suppress rule display
    ipv6_firewall_logging="NO"          # Set to YES to enable events logging
    ipv6_firewall_flags=""              # Flags passed to ip6fw when type is a file

Although setting 'firewall_enable' to 'yes' will work with a standard
system, by causing the ipfw.ko module to be loaded into a GENERIC kernel,
check /usr/src/sys/i386/conf/LINT (FreeBSD 4.x) or /usr/src/sys/conf/NOTES
(FreeBSD 5.0) for some extra functionality you can enable by building
yourself a custom kernel.

Alternatively you can use ipf(8) which is a second firewall flavour but
with much the same functionality. If you aren't doing anything tricky
like traffic shaping or QoS, which one you choose is mostly a matter of
taste:

    % grep ipf defaults/rc.conf
    firewall_flags=""                   # Flags passed to ipfw when type is a file
    ipfilter_enable="NO"                # Set to YES to enable ipfilter functionality
    ipfilter_program="/sbin/ipf"        # where the ipfilter program lives
    ipfilter_rules="/etc/ipf.rules"     # rules definition file for ipfilter, see
                                        # /usr/src/contrib/ipfilter/rules for examples
    ipfilter_flags=""                   # additional flags for ipfilter
    ipmon_enable="NO"                   # Set to YES for ipmon; needs ipfilter or ipnat
    ipmon_program="/sbin/ipmon"         # where the ipfilter monitor program lives
    ipmon_flags="-Ds"                   # typically "-Ds" or "-D /var/log/ipflog"
    ipfs_enable="NO"                    # Set to YES to enable saving and restoring
    ipfs_program="/sbin/ipfs"           # where the ipfs program lives
    ipfs_flags=""                       # additional flags for ipfs
    ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter,
                                        # see /usr/src/contrib/ipfilter/rules

The ipf(8) firewalling is started out of /etc/rc.network --- it's possible
and sometimes useful to run ipfw(8) and ipf(8) simultaneously.
Finally, you can write your own script and call it in place of rc.firewall
by setting the 'firewall_script' variable. This method is generally used
to run a skeleton firewall ruleset through a preprocessor to substitute
in local interface addresses etc.

> 2 - the firewall can be an executable bash script (i.e. like a regular linux
> firewall, with variables like myIP="192.168.0.0") ?

Basically, yes. However bash is not supplied with the FreeBSD system ---
you can install it as /usr/local/bin/bash from ports, or (preferably) use
the system supplied /bin/sh for writing startup scripts. /bin/sh is a
POSIX compliant Bourne Shell with broadly equivalent *programming*
capabilities to bash (/bin/sh doesn't have the same sort of support for
interactive use though). Syntax is very similar to bash with a few
significant differences to keep you on your toes.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK