Re: setting up ipfw

2003-07-02 Thread Jamie

On Tue, 1 Jul 2003, Kevin Kinsey, DaleCo, S.P. wrote:

 CORRECTION:

 That last rule I quoted is actually:

 00050  allow tcp from any to my.ip.ad.res 22 setup
  ^^
 Makes it work much better for SSH...



   Well, I finally met with success this morning. The box is up to the
point where I can start playing around with rulesets. I was able to get
things rolling with the config Kevin sent, but I had to add a couple of
udp entries for port 53 like David suggested as ssh has to resolve the IP
before it allows connections to port 22.

   Thanks for the help.


   - Jamie

 - Original Message -
 From: Kevin Kinsey, DaleCo, S.P. [EMAIL PROTECTED]
 To: Jamie [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Tuesday, July 01, 2003 8:29 PM
 Subject: Re: setting up ipfw


  From: Jamie [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Tuesday, July 01, 2003 8:01 PM
  Subject: setting up ipfw
 
 
   I am having a very difficult time setting up ipfw on a 4.8
   installation. Was wondering if anyone might be able to shed some
   light on this.

   I followed the directions in the handbook, and I compiled a new
   kernel with these options (am going for a deny all by default, open
   services as necessary philosophy):

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10

   Upon rebooting, I was unable to access the machine from
   anywhere, which is fine, because I have console access.

   Output of ifconfig -a looks like this:
  
   ifconfig -a
   fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
           inet 200.88.54.93 netmask 0xff00 broadcast 200.88.54.255
           inet6 fe80::203:47ff:fe77:8169%fxp0 prefixlen 64 scopeid 0x1
           ether 00:03:47:77:81:69
           media: Ethernet autoselect (100baseTX full-duplex)
           status: active
   lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
   lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
           inet6 ::1 prefixlen 128
           inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
           inet 127.0.0.1 netmask 0xff00
   ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
   sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
   faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
  
   The name of the machine is power.bar.com.

   I want to ssh in from another machine: foo.bar.com with IP
   address 200.88.34.12.

   This is the rule I am adding:

    ipfw add allow tcp from 200.88.34.12 to power.bar.com 22

   It tells me it can't resolve power.bar.com!

   So, I try:

    ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22

   It accepts the rule, but I still cannot connect from
   foo.bar.com.

   Anyone have any ideas?
 
  Are you allowing ip OUT from 200.88.54.93?
 
  Please post output of ipfw show (not that it's
  not implicit, I guess...) and describe your network
  topography.
 
  FWIW, here's my top few rules:
 
  00010 allow ip from my.ip.ad.dres to any out
  00020 deny log logamount 20 ip from any to any out
  00030  allow tcp from any to any established
  00040  allow ip from any to any frag
  00050  allow tcp from any to my.ip.ad.res setup
 
  Kevin Kinsey
  DaleCo, S.P.
 
 
  ___
  [EMAIL PROTECTED] mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-questions
  To unsubscribe, send any mail to
 [EMAIL PROTECTED]
 
A friend is someone who lets you have total freedom to be yourself.

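As an added example (not code from the thread, Kevin's config, or FreeBSD's rc.firewall), this is the deny-by-default ruleset the thread converges on: a pass-established rule early, a setup rule for SSH from the one permitted host, the inbound UDP 53 rule Jamie needed so names resolve, and a logged deny last. The loopback rule and the resolver address are my additions; the resolver is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or /etc/rc.firewall: a deny-by-default
# ipfw ruleset for power.bar.com that admits SSH only from foo.bar.com and
# lets the box resolve names. "sh ipfw-rules.sh apply" loads it on the
# console; with IPFW=echo it only prints the commands it would run.
set -e

ADMIN=200.88.34.12           # foo.bar.com, the only host allowed to ssh in
DNS=${DNS:-203.0.113.53}     # constructed placeholder resolver (assumption)
IPFW=${IPFW:-ipfw}

# Emit the rules in order. ipfw stops at the first matching rule, so the
# numbering is the policy: established traffic and the explicit allows
# come first and everything else falls through to the logged deny.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow ip from any to any frag
add 400 allow tcp from $ADMIN to me 22 setup
add 500 allow udp from $DNS 53 to me in
add 600 allow ip from me to any out
add 65000 deny log logamount 20 ip from any to any
EOF
}

# Guard against the mistake David Kelly describes: a catch-all deny that
# lands before the allows. Reads rules on stdin; exits non-zero if any
# rule follows a "deny ... from any to any".
deny_is_last() {
    awk 'NR > 1 && prev ~ /deny .*from any to any$/ { bad = 1 }
         { prev = $0 }
         END { exit bad }'
}

# Flush the running set and load the rules one command at a time. Only the
# SYN of a new ssh session has to match rule 400; the rest of the session
# matches 200, so the logged deny fires once per refused connection.
apply_rules() {
    ipfw_rules | deny_is_last
    $IPFW -q flush
    ipfw_rules | while read -r rule; do
        $IPFW $rule            # word-splitting the rule text is intended
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Outbound DNS queries already pass rule 600, which is why only the reply direction needs its own UDP 53 rule.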


Re: setting up ipfw

2003-07-02 Thread W. D.
At 11:35 7/2/2003, Jamie wrote:

On Tue, 1 Jul 2003, Kevin Kinsey, DaleCo, S.P. wrote:

 CORRECTION:

 That last rule I quoted is actually:

 00050  allow tcp from any to my.ip.ad.res 22 setup
  ^^
 Makes it work much better for SSH...



   Well, I finally met with success this morning. The box is up to the
point where I can start playing around with rulesets. I was able to get
things rolling with the config Kevin sent, but I had to add a couple of
udp entries for port 53 like David suggested as ssh has to resolve the IP
before it allows connections to port 22.

   Thanks for the help.


   - Jamie

Is there some guide to translate IPFW rules to English so that they
are understandable?




Re: setting up ipfw

2003-07-02 Thread Chuck Swiger
W. D. wrote:
[ ... ]
 00050  allow tcp from any to my.ip.ad.res 22 setup

 Is there some guide to translate IPFW rules to English so that they
 are understandable?
Well, the above could be written:

	allow tcp from any to me ssh setup

...is that better?

[ If you don't understand TCP/IP, service names/port numbers, and such, well, 
you'll need to know about such things or else you won't have necessary 
background to understand firewalls. ]

--
-Chuck


Re: setting up ipfw

2003-07-01 Thread Kevin Kinsey, DaleCo, S.P.
From: Jamie [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 8:01 PM
Subject: setting up ipfw


I am having a very difficult time setting up ipfw on a 4.8
installation. Was wondering if anyone might be able to shed some
light on this.

I followed the directions in the handbook, and I compiled a new
kernel with these options (am going for a deny all by default, open
services as necessary philosophy):

 options IPFIREWALL
 options IPFIREWALL_VERBOSE
 options IPFIREWALL_VERBOSE_LIMIT=10

Upon rebooting, I was unable to access the machine from
anywhere, which is fine, because I have console access.

Output of ifconfig -a looks like this:

 ifconfig -a
 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         inet 200.88.54.93 netmask 0xff00 broadcast 200.88.54.255
         inet6 fe80::203:47ff:fe77:8169%fxp0 prefixlen 64 scopeid 0x1
         ether 00:03:47:77:81:69
         media: Ethernet autoselect (100baseTX full-duplex)
         status: active
 lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
         inet6 ::1 prefixlen 128
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
         inet 127.0.0.1 netmask 0xff00
 ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
 sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
 faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

The name of the machine is power.bar.com.

I want to ssh in from another machine: foo.bar.com with IP
address 200.88.34.12.

This is the rule I am adding:

 ipfw add allow tcp from 200.88.34.12 to power.bar.com 22

It tells me it can't resolve power.bar.com!

So, I try:

 ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22

It accepts the rule, but I still cannot connect from
foo.bar.com.

Anyone have any ideas?

Are you allowing ip OUT from 200.88.54.93?

Please post output of ipfw show (not that it's
not implicit, I guess...) and describe your network
topography.

FWIW, here's my top few rules:

00010 allow ip from my.ip.ad.dres to any out
00020 deny log logamount 20 ip from any to any out
00030  allow tcp from any to any established
00040  allow ip from any to any frag
00050  allow tcp from any to my.ip.ad.res setup

Kevin Kinsey
DaleCo, S.P.




Re: setting up ipfw

2003-07-01 Thread David Kelly
On Tuesday 01 July 2003 08:01 pm, Jamie wrote:
I am having a very difficult time setting up ipfw on a 4.8
 installation. Was wondering if anyone might be able to shed some
 light on this.

[...]

I want to ssh in from another machine: foo.bar.com with IP address
 200.88.34.12.



   This is the rule I am adding:


 ipfw add allow tcp from 200.88.34.12 to power.bar.com 22


It tells me it can't resolve power.bar.com!

Well, *when* is the above rule added? Is DNS up and working then? You 
know you can't make DNS queries until after the ipfw rules allowing DNS 
have been applied?

If your machine is power.bar.com and if you have more than one interface 
and you don't care if 200.88.34.12 could connect on any interface then the 
following is a better rule where 1234 is some position in your ruleset:

ipfw add 1234 allow tcp from 200.88.34.12 to me 22 setup

For setup to work you need a rule (usually early to minimize 
processing overhead) like this:

ipfw add 400 allow tcp from any to any established

 So, I try:

 ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22

It accepts the rule, but I still cannot connect from foo.bar.com.

Anyone have any ideas?

Plenty. Can you ssh from anywhere else to your machine? Can you ssh from 
that machine to itself? In other words, is sshd running?

You didn't list an ipfw rule number in your above example. So where is 
it inserting in the ruleset? Very likely it's after a deny rule which 
otherwise blocked the connection. Believe ipfw inserts unnumbered rules 
100 beyond the last rule entered, so the above probably landed after 
any deny rule. The first rule to hit ends ipfw processing of the packet 
(except for divert).

For quick ipfw debugging, ipfw zero to clear the hit counts. Try the 
failed ssh attempt, then ipfw -a list and see which rules got hits. 
If you suspect a deny rule is blocking the connection then insert a new 
copy of that deny rule just prior and with the log modifier. Repeat. 
And look at /var/log/security for additional details. And speaking to 
posterity and the list, you already know that you can simply type the 
rule at the keyboard, don't have to modify your firewall script file 
until you want the change made permanent, don't have to reboot.

Stylistically I'd recommend your rule(s) include the setup modifier, 
and earlier you have a pass all established rule. This is the way it's 
done in the /etc/rc.firewall example. With setup and log you get 
only one hit in /var/log/security when the connection is made. Without 
setup you get an entry for each and every packet until your VERBOSE 
limit is hit (I think, as I don't use the verbose limiter).

-- 
David Kelly N4HHE, [EMAIL PROTECTED]
=
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
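The debugging loop David describes (ipfw zero, retry the ssh, ipfw -a list, then a logging copy of the deny that took the hits), as an added example that is not from the thread. The counter listing is a constructed sample in the column layout ipfw -a list prints (rule number, packets, bytes, rule body), not real output from Jamie's box.

```shell
#!/bin/sh
# Added example, not from the thread: after "ipfw zero" and one failed
# ssh attempt, find which rules took hits in "ipfw -a list" output and,
# for a deny that matched, build the logging twin David Kelly suggests
# inserting just before it so the next attempt shows in /var/log/security.
set -e

# Constructed sample of "ipfw -a list" output (number, packets, bytes,
# rule); not real counters from the thread.
SAMPLE='00100          0          0 allow ip from any to any via lo0
00200          0          0 allow tcp from any to any established
00300          3        180 deny ip from any to any in
00400          0          0 allow tcp from 200.88.34.12 to me 22 setup
65535          0          0 deny ip from any to any'

# Rules whose packet counter is non-zero, i.e. the ones the failed
# attempt actually touched. Takes the listing on stdin.
hit_rules() {
    awk '$2 > 0'
}

# For each deny rule that took hits, print the command to insert a copy
# of it one number earlier with the log modifier. Skips rule 1 (nothing
# fits before it) and rules that already log.
log_twin() {
    awk '$2 > 0 && $4 == "deny" && $5 != "log" && $1 + 0 > 1 {
        body = ""
        for (i = 5; i <= NF; i++) body = body " " $i
        printf "ipfw add %d deny log%s\n", $1 - 1, body
    }'
}

# On the live box the listing comes from the kernel instead:
#   ipfw zero; (retry the ssh from foo.bar.com); ipfw -a list | log_twin
printf '%s\n' "$SAMPLE" | hit_rules
printf '%s\n' "$SAMPLE" | log_twin
```

Rule 400 never matched in the sample because rule 300 ended processing first, which is exactly the ordering problem David points at.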