Re: ipfw question (FreeBSD 4.11)
You are so the man! That's it. You have no idea how long I've spent looking for this. Thanks again!

----- Original Message -----
From: "Andras Kende" <[EMAIL PROTECTED]>
To: "'Gerard Meijer'" <[EMAIL PROTECTED]>
Sent: Monday, January 03, 2005 7:59 PM
Subject: RE: ipfw question (FreeBSD 4.11)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gerard Meijer
> Sent: Monday, January 03, 2005 12:29 PM
> To: freebsd-questions@freebsd.org
> Subject: ipfw question (FreeBSD 4.11)
>
> I run an apache webserver on my server with FreeBSD 4.11. I have a question
> about ipfw. I have the following rules in my /etc/ipfw.conf:
>
>     $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
>     $cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state
>
> (with $pif being my NIC)
>
> Now, everything works fine for me, but I get a lot (and I mean a lot) of
> these kinds of messages in my log:
>
>     [Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out via em0
>     [Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via em0
>
> (with a.b.c.d being my IP and e.f.g.h being somebody else's IP). I guess
> these people are not surfing through port 80??? Correct me if I'm wrong.
> How can I change ipfw's rules so that these people aren't blocked anymore?
>
> Thanks in advance!
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Hello,

I'm not 100% sure, but if I remember correctly you need to put "established" before the webserver rule:

    # Allow TCP through if setup succeeded:
    ${fwcmd} add pass tcp from any to any established
    # Allow setup of incoming http:
    ${fwcmd} add pass tcp from any to any 80 setup

    [Cc][Ll][Ii][Ee][Nn][Tt])
        # This is a prototype setup that will protect your system somewhat
        # against people from outside your own network.

        # set these to your network and netmask and ip
        ip="aaa.bbb.ccc.ddd"

        setup_loopback

        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming services
        ${fwcmd} add pass tcp from any to ${ip} 21,22,25,53,80,110,143,443,993,1 setup

        # Allow setup of PASV FTP
        ${fwcmd} add pass tcp from any to ${ip} 10001-10100 setup

        # Allow setup of outgoing TCP connections only
        ${fwcmd} add pass log tcp from ${ip} to any setup

        # Disallow setup of all other TCP connections
        ${fwcmd} add deny log tcp from any to any setup

        # Allow DNS queries
        ${fwcmd} add pass udp from any to any 53
        ${fwcmd} add pass udp from any 53 to any

        # Allow NTP
        ${fwcmd} add pass udp from any to any 123

        # ICMP
        ${fwcmd} add pass log icmp from any to any icmptypes 3,4,11,12

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        ;;

Best regards,
Andras Kende
http://www.kende.com
RE: ipfw question (FreeBSD 4.11)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gerard Meijer
Sent: Monday, January 03, 2005 12:29 PM
To: freebsd-questions@freebsd.org
Subject: ipfw question (FreeBSD 4.11)

> I run an apache webserver on my server with FreeBSD 4.11. I have a question
> about ipfw. I have the following rules in my /etc/ipfw.conf:
>
>     $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
>     $cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state
>
> (with $pif being my NIC)
>
> Now, everything works fine for me, but I get a lot (and I mean a lot) of
> these kinds of messages in my log:
>
>     [Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out via em0
>     [Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via em0
>
> (with a.b.c.d being my IP and e.f.g.h being somebody else's IP). I guess
> these people are not surfing through port 80??? Correct me if I'm wrong.
> How can I change ipfw's rules so that these people aren't blocked anymore?
>
> Thanks in advance!

Hello,

I'm not 100% sure, but if I remember correctly you need to put "established" before the webserver rule:

    # Allow TCP through if setup succeeded:
    ${fwcmd} add pass tcp from any to any established
    # Allow setup of incoming http:
    ${fwcmd} add pass tcp from any to any 80 setup

    [Cc][Ll][Ii][Ee][Nn][Tt])
        # This is a prototype setup that will protect your system somewhat
        # against people from outside your own network.

        # set these to your network and netmask and ip
        ip="aaa.bbb.ccc.ddd"

        setup_loopback

        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming services
        ${fwcmd} add pass tcp from any to ${ip} 21,22,25,53,80,110,143,443,993,1 setup

        # Allow setup of PASV FTP
        ${fwcmd} add pass tcp from any to ${ip} 10001-10100 setup

        # Allow setup of outgoing TCP connections only
        ${fwcmd} add pass log tcp from ${ip} to any setup

        # Disallow setup of all other TCP connections
        ${fwcmd} add deny log tcp from any to any setup

        # Allow DNS queries
        ${fwcmd} add pass udp from any to any 53
        ${fwcmd} add pass udp from any 53 to any

        # Allow NTP
        ${fwcmd} add pass udp from any to any 123

        # ICMP
        ${fwcmd} add pass log icmp from any to any icmptypes 3,4,11,12

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        ;;

Best regards,
Andras Kende
http://www.kende.com
Re: ipfw question
On 2004-09-20 22:43, adrian kok <[EMAIL PROTECTED]> wrote:
>
> 1/ Recently, my mrtg graph showed many spikes "Incoming" in the outer
> interface of the router.
>
> Is it possible to log them and check?

It is. A better approach is to block everything that you don't really need and then start logging legitimate connections only if the problems with ``traffic spikes'' continue.

> If I log everything, I am afraid to slow down the network. What is the
> best way to do it?

Don't do it. It will truly slow down things a lot.

> 2/ I read some firewall docs. They said that it is good to allow 5%
> bandwidth for icmp only. Is it true?

I don't know what docs you read about firewalls. The Handbook has a fairly good section on firewalls. Have you read that? If not, you should definitely give it a look.

For an early chance to read what the ``Firewalls'' section will soon be replaced with, you might also want to read this:

    http://freebsd.so14k.com/firewall/firewalls.html

I'm working with a few other guys to get this into the Handbook as the new ``Firewalls'' section before 5.3-RELEASE, but if it does help you should definitely read it. Joseph J. Barbish has written a couple of excellent firewall tutorials and guides that I've read so far, and this one is really worth a careful read. Just note that the text at the above URL is probably going to change a bit during the next couple of days, so be patient if you see changes going in :-)

> how can I do it?

See above.

Giorgos
Re: ipfw question
Hi Reuben,

Sorry for taking so long to reply. My workstation at work, which still runs Fedora Core RC3 and not a real OS like FreeBSD, decided to throw away all outgoing email this morning. Here's a repost extracted from my =posted mailbox in Mutt [...]

On 2004-06-16 17:04, "Reuben A. Popp" <[EMAIL PROTECTED]> wrote:
> I believe that what I have is correct, and everything seems to be
> working well, with a few exceptions. For instance, ftp and ssh still
> don't seem to make it into the logs, although the mail, web and
> web-ssl do with no problems. Again, following this message is my
> revised ruleset.

Strange. All incoming ones should be logged. Unless, of course, you mean ftp and ssh connections that *you* start to the outside world, in which case by reading the ruleset you will note that they are allowed unconditionally, without logging, by a rule higher up the chain:

    # Add all TCP connections that originate from us
    ipfw add allow tcp from any to any out setup keep-state

    # Pass and log all incoming ftp-data connections.
    ipfw add allow log tcp from any 20 to any in setup keep-state

    # Pass and log all incoming connections to: ftp, ssh, mail and www.
    ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

Since this doesn't log anything, all connections that your machine starts towards another machine are passed through without logging. If you want to log specific connections, you should use something like this instead:

    # Log ftp and ssh connections that we make.
    ipfw add allow log tcp from any to any 21,22 out setup keep-state

    # Let any other outgoing connections through, unlogged.
    ipfw add allow tcp from any to any out setup keep-state

Note that you also have some rules that are useless in there. Trim your ruleset a bit ;-)

The general idea with stateful filtering is that you set up a few connections that are allowed to pass through and then let the packets related to those connections pass too, but *nothing* else. This is why the general form of a stateful firewall with IPFW should be:

    << rules that check states first >>
    << rules that selectively pass connections *and* create states >>
    << everything else blocked >>

This way only the packets related to one of the states will pass through. Any other packets that require special handling (for instance, ICMP packets) can be handled by other rules.

In your ruleset you have this:

    # First of all state checking. This will allow through any packet
    # that is marked as "legitimate" by one of the following rules.
    ipfw add check-state
    ipfw add deny tcp from any to any established

    # Add all TCP connections that originate from us
    ipfw add allow tcp from any to any out setup keep-state

which should work without problems, and then you have:

    # Allow TCP through if setup succeeded
    ipfw add pass tcp from any to any established

This rule will never match with anything, since packets that could possibly match are blocked by the 'established' rule right after check-state above. You can safely delete this rule.

Then you have this rule, that handles fragments in a special manner, which is not very useful.

    # Allow IP fragments to pass through
    ipfw add pass all from any to any frag

AFAIK, any fragment that is related to an existing connection should match with the check-state rule and will never reach this part of the ruleset. I think this can go too.

Finally, this rule is absolutely *not* good. You've gone through all the trouble to set up a stateful firewall so as NOT to be forced to allow any incoming TCP connection through. This single rule lets all the connections through, effectively cancelling all of your filtering rules :-(

    # Allow setup of any other TCP connection
    ipfw add pass tcp from any to any setup

You should definitely delete this one. IMHO, it's a good idea to replace it with a more strict rule like this:

    # Block everything else.
    ipfw add deny ip from any to any

If you're too worried that this might break applications or protocols that you're using now, try adding a "log" keyword to this last rule and watch your system logs for dropped packets that are useful and should have been allowed. Then add special rules just for those packets.

Regards,

- Giorgos
Re: ipfw question
Hi Giorgos,

Thanks so much for the quick response on my question :). I more or less took your rules that you posted, and tacked on a few more. I believe that what I have is correct, and everything seems to be working well, with a few exceptions. For instance, ftp and ssh still don't seem to make it into the logs, although the mail, web and web-ssl do with no problems. Again, following this message is my revised ruleset.

Thanks again,
Reuben A. Popp

- --->%--
#!/bin/sh -
#
# Setup system for firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush

# Setup Loopback
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add deny all from 10.0.0.0/8 to any via em0
ipfw add deny all from 172.16.0.0/12 to any via em0
ipfw add deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add deny all from 0.0.0.0/8 to any via em0
ipfw add deny all from 169.254.0.0/16 to any via em0
ipfw add deny all from 192.0.2.0/24 to any via em0
ipfw add deny all from 224.0.0.0/4 to any via em0
ipfw add deny all from 240.0.0.0/4 to any via em0

# Pass all ICMP messages through.
# Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
ipfw add allow icmp from any to any

# First of all state checking. This will allow through any packet
# that is marked as "legitimate" by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established

# Allow DNS or NTP sessions that originate from us.
ipfw add allow udp from any to any 53,123 out keep-state

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state

# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

# Allow TCP through if setup succeeded
ipfw add pass tcp from any to any established

# Allow IP fragments to pass through
ipfw add pass all from any to any frag

# Allow setup of any other TCP connection
ipfw add pass tcp from any to any setup

# Reject & Log all setup of incoming connections from the outside
ipfw add deny log tcp from any to any in via em0 setup
- --%<---

Thanks again,
Reuben A. Popp

Giorgos Keramidas (Giorgos Keramidas <[EMAIL PROTECTED]>) translated a message on Wednesday 16 June 2004 12:35 am into a binary format and sent it out among the ether in the search of "Reuben A. Popp" <[EMAIL PROTECTED]>. Upon being retranslated into ascii, it was discovered that message read:
> On 2004-06-15 18:31, "Reuben A. Popp" <[EMAIL PROTECTED]> wrote:
> > I was tinkering around trying to get my firewall set the way I wanted
> > it, but seem to be running into an issue. I know that I have logging
> > set in the kernel and in rc.conf, as well as in my ruleset, but for
> > some odd reason, the firewall is not logging connections to the
> > services I wanted watched (ftp, ssh, web, etc).
>
> That's because your ruleset uses the following rule:
>
>     # Allow TCP through if setup succeeded
>     ipfw add 1200 pass tcp from any to any established
>
> before any of the other rules are reached. This lets every TCP packet
> through without logging and you never get a chance of picking out what
> to log or what to block :)
>
> A simplified version of your ruleset could be this one. Notice that
> I've removed all explicit rule numbers. IPFW does a pretty good job at
> automatically numbering the rules and you don't have too many rules for
> it to work. On the other hand, having hardcoded numbers means that you
> might miss some "reordering" of the rules and waste hours upon hours
> trying to find out why it doesn't work like it's supposed to. Not a
> good possibility... Anyway, here's a ruleset very similar to yours:
>
>     #
>     # Part 1. Semi-standard stuff copied from rc.firewall.
>     #
>
>     # Flush the existing ruleset
>     echo "Flushing the existing ruleset, stand by..."
>     ipfw -f flush
>
>     # Only allow lo0 to send packets as 127.0.0.1
>     ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
>     ipfw add deny all from any to 127.0.0.0/8
>     ipfw add deny
Re: ipfw question
On 2004-06-15 18:31, "Reuben A. Popp" <[EMAIL PROTECTED]> wrote:
> I was tinkering around trying to get my firewall set the way I wanted
> it, but seem to be running into an issue. I know that I have logging
> set in the kernel and in rc.conf, as well as in my ruleset, but for
> some odd reason, the firewall is not logging connections to the
> services I wanted watched (ftp, ssh, web, etc).

That's because your ruleset uses the following rule:

    # Allow TCP through if setup succeeded
    ipfw add 1200 pass tcp from any to any established

before any of the other rules are reached. This lets every TCP packet through without logging and you never get a chance of picking out what to log or what to block :)

A simplified version of your ruleset could be this one. Notice that I've removed all explicit rule numbers. IPFW does a pretty good job at automatically numbering the rules and you don't have too many rules for it to work. On the other hand, having hardcoded numbers means that you might miss some "reordering" of the rules and waste hours upon hours trying to find out why it doesn't work like it's supposed to. Not a good possibility... Anyway, here's a ruleset very similar to yours:

    #
    # Part 1. Semi-standard stuff copied from rc.firewall.
    #

    # Flush the existing ruleset
    echo "Flushing the existing ruleset, stand by..."
    ipfw -f flush

    # Only allow lo0 to send packets as 127.0.0.1
    ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
    ipfw add deny all from any to 127.0.0.0/8
    ipfw add deny ip from 127.0.0.0/8 to any

    # Stop RFC1918 nets on the outside interface
    ipfw add deny all from 10.0.0.0/8 to any via em0
    ipfw add deny all from 172.16.0.0/12 to any via em0
    ipfw add deny all from 192.168.0.0/16 to any via em0

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ipfw add deny all from 0.0.0.0/8 to any via em0
    ipfw add deny all from 169.254.0.0/16 to any via em0
    ipfw add deny all from 192.0.2.0/24 to any via em0
    ipfw add deny all from 224.0.0.0/4 to any via em0
    ipfw add deny all from 240.0.0.0/4 to any via em0

    #
    # Part 2. Local rules that allow and log selected TCP services.
    #

    # Pass all ICMP messages through.
    # Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
    ipfw add allow icmp from any to any

    # First of all state checking. This will allow through any packet
    # that is marked as "legitimate" by one of the following rules.
    ipfw add check-state
    ipfw add deny tcp from any to any established

    # Allow DNS or NTP sessions that originate from us.
    ipfw add allow udp from any to any 53,123 out keep-state

    # Add all TCP connections that originate from us
    ipfw add allow tcp from any to any out setup keep-state

    # Pass and log all incoming ftp-data connections.
    ipfw add allow log tcp from any 20 to any in setup keep-state

    # Pass and log all incoming connections to: ftp, ssh, mail and www.
    ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

AFAIK, anything else can be blocked without stopping you from doing your real work.

- Giorgos
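Both of Giorgos's messages in this thread (the simplified stateful ruleset above, and his later review of Reuben's revised one with its dead 'established' rule and the 'pass tcp from any to any setup' hole) come down to two facts: ipfw takes the first matching rule, and the dynamic state table is consulted at check-state or at the first keep-state rule reached. The following Python is an added example, not code from the thread or from FreeBSD: a toy simulator of that first-match evaluation for TCP (the setup/established flag tests, log, check-state and keep-state), run over constructed sample packets against the two rulesets from the thread reduced to their TCP rules. Interfaces, fragments, UDP and ICMP are not modelled, the treatment of 'established' as "ACK set" is a simplification, and the names LEAKY, STRICT and PROBES are mine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    action: str                  # "allow", "deny" or "check-state"
    proto: str = "ip"            # "ip" matches any protocol
    dports: tuple = ()           # () = any destination port
    direction: str = ""          # "" = either direction
    setup: bool = False          # ipfw 'setup': SYN set, ACK clear
    established: bool = False    # ipfw 'established': ACK set (RST ignored here)
    log: bool = False
    keep_state: bool = False

def R(action, proto="ip", dports=(), direction="", **flags):
    """Short constructor so a ruleset reads roughly like ipfw syntax."""
    return Rule(action, proto, tuple(dports), direction, **flags)

class Firewall:
    """Toy ipfw: rules are tried in order and the first match decides."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = {}   # flow key -> index of the keep-state rule that created it
        self.logged = []    # (rule index, packet) for every hit on a 'log' rule

    @staticmethod
    def flow(p):
        # A dynamic entry matches both directions of the same connection.
        return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))

    @staticmethod
    def matches(r, p):
        return ((r.proto == "ip" or r.proto == p.proto)
                and (not r.dports or p.dport in r.dports)
                and (not r.direction or r.direction == p.direction)
                and (not r.setup or (p.syn and not p.ack))
                and (not r.established or p.ack))

    def process(self, p):
        """Return (verdict, index of the deciding rule)."""
        state_checked = False
        for i, r in enumerate(self.rules):
            # check-state, or the first keep-state rule reached, consults the
            # dynamic table before anything else, as ipfw(8) describes.
            if not state_checked and (r.action == "check-state" or r.keep_state):
                state_checked = True
                if self.flow(p) in self.dynamic:
                    return "allow", self.dynamic[self.flow(p)]
            if r.action == "check-state" or not self.matches(r, p):
                continue
            if r.log:
                self.logged.append((i, p))
            if r.keep_state and r.action == "allow":
                self.dynamic[self.flow(p)] = i
            return r.action, i
        return "deny", None   # kernel built with default-to-deny

# Reuben's revised ruleset from the thread, reduced to its TCP rules.
LEAKY = [
    R("check-state"),
    R("deny", "tcp", established=True),
    R("allow", "tcp", direction="out", setup=True, keep_state=True),
    R("allow", "tcp", (21, 22, 25, 80, 443), "in", setup=True, keep_state=True, log=True),
    R("allow", "tcp", established=True),       # rule 1 already took these: dead
    R("allow", "tcp", setup=True),             # admits every incoming connection
    R("deny", "tcp", direction="in", setup=True, log=True),   # shadowed by rule 5
]
# The same ruleset after Giorgos's review: dead and leaky rules gone, and
# everything not explicitly allowed is dropped and logged.
STRICT = LEAKY[:4] + [R("deny", log=True)]

# Constructed sample traffic using RFC 5737 documentation addresses.
US, THEM = "192.0.2.10", "203.0.113.7"
def inbound_syn(port):  return Packet("tcp", THEM, 40000, US, port, "in", syn=True)
def inbound_ack(port):  return Packet("tcp", THEM, 40000, US, port, "in", ack=True)
def outbound_syn(port): return Packet("tcp", US, 50000, THEM, port, "out", syn=True)
def outbound_ack(port): return Packet("tcp", US, 50000, THEM, port, "out", ack=True)

PROBES = [inbound_syn(22), inbound_ack(22), inbound_syn(3306), inbound_ack(3306),
          outbound_syn(80), outbound_ack(80)]

def verdicts(rules, packets):
    fw = Firewall(rules)
    return [fw.process(p) for p in packets]

def dead_rules(rules, packets):
    """Indices of filtering rules that no packet in the sample ever reaches."""
    hit = {i for _, i in verdicts(rules, packets)}
    return [i for i, r in enumerate(rules) if r.action != "check-state" and i not in hit]

def logged_ports(rules, packets):
    """Destination ports that would show up in the security log."""
    fw = Firewall(rules)
    for p in packets:
        fw.process(p)
    return [p.dport for _, p in fw.logged]

if __name__ == "__main__":
    for name, rules in (("LEAKY", LEAKY), ("STRICT", STRICT)):
        print(name, "new connection to 3306:", verdicts(rules, [inbound_syn(3306)])[0],
              "| dead rules:", dead_rules(rules, PROBES),
              "| logged ports:", logged_ports(rules, PROBES))
```

Two things the run makes visible that reading the ruleset does not: the hole in LEAKY never appears in the log, because the connection to 3306 is admitted by the unlogged 'pass tcp setup' rule before the logged deny is reached, and in the stateful layout a connection is logged exactly once, at its setup packet, since every later packet is matched from the dynamic table.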
RE: ipfw: question about keep-state on icmp
I think if you read closely you will find out the keep-state option does not work on the icmp protocol because icmp is a stateless protocol. This does not mean that ipfw will give a coding error if you code it. You have to have an icmp stateless rule to allow it out and another to allow it in.

    allow icmp from me to any out via xl0
    allow icmp from any to me icmptype 0 in via xl0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of Geert Hendrickx
Sent: Sunday, June 13, 2004 7:23 AM
To: [EMAIL PROTECTED]
Subject: ipfw: question about keep-state on icmp

Hi, this is a fragment of my ipfw config which should allow me to ping others, but not allow others to ping me:

    00092 allow icmp from me to any keep-state
    65535 deny ip from any to any

Indeed, other hosts can't ping me... UNLESS I am pinging them at the same time! This is of course a result of keeping the state of icmp traffic between these two hosts, and I can avoid this by changing it to:

    00091 deny icmp from any to me icmptype 8    <-- deny ping request to me
    00092 allow icmp from me to any keep-state

(icmptype 8 = ping request)

But then I don't see the use for keep-state in 00092 anymore... The following seems equally valid to me:

    00091 allow icmp from me to any
    00092 allow icmp from any to me icmptype 0    <-- allow ping reply to me

So what am I missing? And are errors as in the first example also possible with tcp connections, e.g. ssh?

GH
Re: ipfw question...
At 12:40 3/19/2004, [EMAIL PROTECTED], wrote:
> If you would like I can post my IPFW rules. They are extremely simple
> for my SSH, POP3, SMTP, NTP, IMAP, BIND8 setup...

Please do! Could you also include plain English comments as well? There are a number of people that find these rules confusing. Some well documented descriptions would be very helpful.

Thanks!
Re: ipfw question...
> Hi list, I've this network configuration:
>
> router (169.158.120.177)
> server1 (169.158.120.178) running bind (named), tacacs+, exim, and a pop3 server
> server2 (169.158.120.179) running squid, apache2, mysql, proftpd (is acting as a GATEWAY)
>
> I've a LAN (192.168.1.0/24) and a breaking apart "LAN" (192.168.2.0/8,
> 192.168.2.8/8, 192.168.2.16/8), my question is: I want to protect my LAN,
> "LAN" and servers from the outside, I want to use ipfw, I have compiled a
> kernel in server2 (FreeBSD-4.8 on both servers) and I'm blocked (in & out),
> I've some doubts about adding rules 'cause I've been seeing so many samples
> on the net and I'm a little bit confused... any suggestion about
> configuration???

One thing that I learned was to make sure when you start opening ports (i.e. you have DENY ALL as default) that you start with the lowest port number. I for the life of me could not get SMTP working, so I moved it from the bottom of my IPFW rules to the top, and voilà, it worked.

If you would like I can post my IPFW rules. They are extremely simple for my SSH, POP3, SMTP, NTP, IMAP, BIND8 setup...
Re: IPFW question
Thanks for all, it has been a great help.

MikeM wrote:
Since I reload the firewall rules remotely, I need the -q option on the ipfw command, e.g.:

    ipfw -q /etc/ipfw.conf

otherwise I lose my ssh connection to the box. See man ipfw(8) for details on -q

On 3/10/2004 at 8:27 PM Thomas Vogt wrote:
|Hi
|
|ipfw flush          # deletes all
|ipfw /etc/ipfw.conf # loads all
|
|regards
|Thomas
|
|Nagy László Zsolt wrote:
|>
|> Hi!
|>
|> I'm using my own ip firewall (firewall_type="/etc/ipfw.conf") on my
|> FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The
|> ipfw command is for creating and deleting individual rules. What I would
|> like to do is to create profiles (different config files) and reload the
|> whole firewall configuration anytime. Is there a command for this? What
|> I do now is that I reboot my box every time I change firewall
|> configuration. But of course this is clumsy and very bad. I may start
|> services on the server which will not allow me to reboot daily. Thanks
|> in advance.
|>
|> Laci 2.0
Re: IPFW question
Since I reload the firewall rules remotely, I need the -q option on the ipfw command, e.g.:

    ipfw -q /etc/ipfw.conf

otherwise I lose my ssh connection to the box. See man ipfw(8) for details on -q

On 3/10/2004 at 8:27 PM Thomas Vogt wrote:
|Hi
|
|ipfw flush          # deletes all
|ipfw /etc/ipfw.conf # loads all
|
|regards
|Thomas
|
|Nagy László Zsolt wrote:
|>
|> Hi!
|>
|> I'm using my own ip firewall (firewall_type="/etc/ipfw.conf") on my
|> FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The
|> ipfw command is for creating and deleting individual rules. What I would
|> like to do is to create profiles (different config files) and reload the
|> whole firewall configuration anytime. Is there a command for this? What
|> I do now is that I reboot my box every time I change firewall
|> configuration. But of course this is clumsy and very bad. I may start
|> services on the server which will not allow me to reboot daily. Thanks
|> in advance.
|>
|> Laci 2.0
Re: IPFW question
On Wed, Mar 10, 2004 at 07:52:06PM +0100, Nagy László Zsolt wrote:
> FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The

    /sbin/ipfw -q /path/to/your/custom/rulesetfile

No RTFM intended - there are further options, please have a look at the ipfw(8) man page.

Regards,
Martin

--
,,Oh, there's a lot of opportunities, if you're knowing to take them, you know, there's a lot of opportunities, if there aren't you can make them, make or break them!'' (Tennant/Lowe)
Re: IPFW question
Hi

    ipfw flush          # deletes all
    ipfw /etc/ipfw.conf # loads all

regards
Thomas

Nagy László Zsolt wrote:
> Hi!
>
> I'm using my own ip firewall (firewall_type="/etc/ipfw.conf") on my
> FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The
> ipfw command is for creating and deleting individual rules. What I would
> like to do is to create profiles (different config files) and reload the
> whole firewall configuration anytime. Is there a command for this? What
> I do now is that I reboot my box every time I change firewall
> configuration. But of course this is clumsy and very bad. I may start
> services on the server which will not allow me to reboot daily. Thanks
> in advance.
>
> Laci 2.0
Re: IPFW question
On Mar 10, 2004, at 1:52 PM, Nagy László Zsolt wrote:
> I'm using my own ip firewall (firewall_type="/etc/ipfw.conf") on my
> FreeBSD 5.2 system. My problem is, how can I reload the whole thing?

Try "sh /etc/rc.firewall", or "ipfw -p /bin/cat /etc/ipfw.conf". If you are not on the console of the machine, it might be advisable to use nohup or an & to background the command while running.

--
-Chuck
Re: ipfw question - ICMP
On Tue, Mar 02, 2004 at 10:39:42PM +0100, C. Kukulies wrote:
> I have setup my FreeBSD box with ADSL (pppoe) and ipfw (rc.firewall with
> type 'simple').
>
> I have finetuned to allow ssh from certain addresses outside, sendmail works,
> but I cannot ping either from inside or from outside.
>
> What does the rule for ICMP look like?

Something like:

    ipfw add allow icmp from any to any

or

    ipfw add allow icmp from any to any icmptype 0,3,8,11,12

Cheers.
--
Jonathan Chen <[EMAIL PROTECTED]>
--
"Nyuck, nyuck, nyuck" - Curly
Re: ipfw question
On Tue, 11 Nov 2003 12:00:10 - "Simon Gray" <[EMAIL PROTECTED]> probably wrote:

> >63000     0     0 deny log logamount 100 udp from any to any 119 via sis0
> >63000    24  1152 deny log logamount 100 tcp from any to any 135 via sis0
> >63000     0     0 deny log logamount 100 udp from any to any 135 via sis0
> >
> >63000 is the rule number correct?
> >I'm wondering what the other 2 places are..
> >24 and 1152
>
> if you're getting 0 on the other rules, it probably means it's not running
> those rules. So therefore it won't actually log if it isn't getting to that
> rule.
>
> also from the looks of things, if you're trying to block windows
> filesharing/smb you might want to block 135 - 139 both tcp/udp (instead of
> specifying 135 in the rule add '135-139') rather than just 135 tcp/udp
>
> >Are they inbound and outbound?
>
> well depends (could be both yes), anything that's aimed at tcp 135 will be
> denied and logged

These are counts in packets and bytes.

> >Do I make any sense?
>
> Not really :/ what's the question?

--
DoubleF
BLISS is ignorance
Re: ipfw question
Shawn Guillemette wrote:
> Looking at ipfw show
>
> 63000     0     0 deny log logamount 100 udp from any to any 119 via sis0
> 63000    24  1152 deny log logamount 100 tcp from any to any 135 via sis0
> 63000     0     0 deny log logamount 100 udp from any to any 135 via sis0
>
> 63000 is the rule number correct?

Yes it is; but I'm not sure how ipfw reacts when you have 3 rules that all have the same number ... I'd test it thoroughly at the very least.

> I'm wondering what the other 2 places are..
> 24 and 1152

IIRC (and maybe I don't) that is the number of packets received that match this rule (24) and the total size of those packets (in Bytes??)

> Are they inbound and outbound?

No.

> Do I make any sense?

Some ;-)

> There is no place like 127.0.0.1

Don't you mean "There's no place like '~'"???

Kevin Kinsey
DaleCo, S.P.
Re: ipfw question
thank you.. I'm really only blocking 135 due to the MSBlaster and others... no Samba yet

- Original Message -
From: "Simon Gray" <[EMAIL PROTECTED]>
To: "Shawn Guillemette" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, November 11, 2003 7:00 AM
Subject: Re: ipfw question

> > 63000 0 0 deny log logamount 100 udp from any to any 119 via sis0
> > 63000 24 1152 deny log logamount 100 tcp from any to any 135 via sis0
> > 63000 0 0 deny log logamount 100 udp from any to any 135 via sis0
> >
> > 63000 is the rule number correct?
> > I'm wondering what the other 2 places are..
> > 24 and 1152
>
> if you're getting 0 on the other rules, it probably means it's not running
> those rules. So therefore it won't actually log if it doesn't get to that rule.
>
> also from the looks of things, if you're trying to block windows
> filesharing/smb you might want to block 135 - 139 both tcp/udp (instead of
> specifying 135 in the rule add '135-139') rather than just 135 tcp/udp
>
> > Are they inbound and outbound?
>
> well depends (could be both yes), anything that's aimed at tcp 135 will be
> denied and logged
>
> > Do I make any sense?
>
> Not really :/ what's the question?
Re: ipfw question
> 63000 0 0 deny log logamount 100 udp from any to any 119 via sis0
> 63000 24 1152 deny log logamount 100 tcp from any to any 135 via sis0
> 63000 0 0 deny log logamount 100 udp from any to any 135 via sis0
>
> 63000 is the rule number correct?
> I'm wondering what the other 2 places are..
> 24 and 1152

if you're getting 0 on the other rules, it probably means it's not running those rules. So therefore it won't actually log if it doesn't get to that rule.

also from the looks of things, if you're trying to block windows filesharing/smb you might want to block 135 - 139 both tcp/udp (instead of specifying 135 in the rule add '135-139') rather than just 135 tcp/udp

> Are they inbound and outbound?

well depends (could be both yes), anything that's aimed at tcp 135 will be denied and logged

> Do I make any sense?

Not really :/ what's the question?
Re: ipfw question
On Fri, Mar 28, 2003 at 10:34:16AM -0500, Walter wrote:

> Date: Fri, 28 Mar 2003 10:34:16 -0500
> From: Walter <[EMAIL PROTECTED]>
> To: Questions <[EMAIL PROTECTED]>
> Subject: ipfw question
>
> Hi all,
> I see a strange entry in my mail log from the ipfw log output. I don't really have a firm grasp on ipfw yet and need help understanding how this log entry came about (17 times), below:
>
> > ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0
>
> The output of "ipfw list" starts as:
>
> 00100 allow ip from any to any via lo0
> 00200 deny log logamount 100 ip from any to 127.0.0.0/8
> 00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
> 00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
> 00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
> 00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
> 00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
> 00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
> 00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
> 01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
> 01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
> 01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
> 01300 divert 8668 ip from any to any via fxp0
> 01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
> 01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
> 01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
> 01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
> 01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
> 01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
> 02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
> 02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
>
> My question is how come rule 00700 did not kick out the prober, rather falling to rule 01700??

Because the original packet was from 0.0.0.0 to YOUR_PUBLIC_IP and natd (rule 1300) rewrites the destination address YOUR_PUBLIC_IP with your private IP address. You should have to find who sends this kind of packet from your net to the outside world, because they are not very regular.

> I realize the log amounts are limited, but how did rule 01700 get activated when rule 00700, seems to me, should have knocked out the packet? Is this evidence of someone having broken into my FBSD router, as there are no other entries I've seen to other possible internal IP's, or was someone just lucky?
>
> Thanks.
> Walter

--
Regards,
Dancho Penev
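Dancho's explanation can be checked by walking the rule list the way ipfw does. This added Python example is not from anyone in the thread: it replays a simplified copy of Walter's ruleset (interface qualifiers dropped, since every listed rule is on fxp0, and the two `in recv` rules 00300/00400 left out), models natd as the divert at rule 1300 rewriting the destination, and uses placeholder public and private addresses in place of Walter's real ones.

```python
import ipaddress

# Constructed, simplified copy of the ruleset from Walter's post.
# Columns: rule number, action, source prefix, destination prefix.
RULES = [
    (200,  "deny",   "any",            "127.0.0.0/8"),
    (500,  "deny",   "any",            "10.0.0.0/8"),
    (600,  "deny",   "any",            "172.16.0.0/12"),
    (700,  "deny",   "any",            "192.168.0.0/16"),
    (800,  "deny",   "any",            "0.0.0.0/8"),
    (900,  "deny",   "any",            "169.254.0.0/16"),
    (1000, "deny",   "any",            "192.0.2.0/24"),
    (1100, "deny",   "any",            "224.0.0.0/4"),
    (1200, "deny",   "any",            "240.0.0.0/4"),
    (1300, "divert", "any",            "any"),            # natd
    (1400, "deny",   "10.0.0.0/8",     "any"),
    (1500, "deny",   "172.16.0.0/12",  "any"),
    (1600, "deny",   "192.168.0.0/16", "any"),
    (1700, "deny",   "0.0.0.0/8",      "any"),
    (1800, "deny",   "169.254.0.0/16", "any"),
    (1900, "deny",   "192.0.2.0/24",   "any"),
    (2000, "deny",   "224.0.0.0/4",    "any"),
    (2100, "deny",   "240.0.0.0/4",    "any"),
]

PUBLIC_IP = "203.0.113.10"   # placeholder for the router's public address
PRIVATE_IP = "192.168.1.20"  # placeholder for the inside host natd maps it to

def matches(addr, spec):
    """Match an address against 'any' or a CIDR prefix."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(src, dst, nat_map):
    """Walk the rules for an inbound packet. A divert rule hands the packet to
    natd; if natd rewrites the destination, matching resumes with the rule
    after the divert. Returns (rule, action, trace of (rule, action, src, dst))."""
    trace = []
    for num, action, s, d in RULES:
        if not (matches(src, s) and matches(dst, d)):
            continue
        if action == "divert":
            dst = nat_map.get(dst, dst)   # inbound natd changes only the destination
            trace.append((num, action, src, dst))
            continue
        trace.append((num, action, src, dst))
        return num, action, trace
    return None, "default", trace
```

Run with the packet from the log (`evaluate("0.0.0.0", PUBLIC_IP, {PUBLIC_IP: PRIVATE_IP})`) and the trace shows 1300 rewriting the destination and 1700 denying; only a packet that already carried the private destination on arrival would stop at 700.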
Re: IPFW question in 2.2.8 release?
> IPFW question in 2.2.8 release?

Ouch! Dummynet was very new and probably best classed as "experimental" in 2.2.8, and even in most of the 3.x line it was a bit flaky. I'm not surprised you are having trouble with it and I'm also not surprised Luigi is unwilling or unable to debug obsolete code. 2.2.8 was EOL'd ages ago and you will be unlikely to get any help from anyone without upgrading to a recent 4.x version.

Greg.

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message