Re: where am I supposed to put my rc.firewall?

2004-01-31 Thread Eric F Crist
On Friday 30 January 2004 11:02 pm, JJB wrote:
> How can it cause connection problems, you have never used it yet,
> so how can you say that.

I HAVE used it, and it is causing, primarily, DNS request problems.  DNS queries 
don't seem to have the ability to forward to other servers.

> Yes the rule set you posted is wide open.
> You could remove rule 200 & 300, pretty meaningless in a wide open
> config.

The wide-open config is a start.  I want to start with a working connection, 
and move to adding deny rules from there.

Thanks for the reply!

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588



Re: where am I supposed to put my rc.firewall?

2004-01-31 Thread Peder Blom
On Fri, 30 Jan 2004 19:47:47 -0600
Eric F Crist [EMAIL PROTECTED] wrote:

> On Friday 30 January 2004 06:54 pm, Chuck Swiger wrote:
> > Eric F Crist wrote:
> > > I'm trying to add IPFW support.  Where do I put my rc.firewall so
> > > that it gets read at boot time?  I've tried /usr/local/etc/rc.d
> > > and /etc but neither seems to get read.
> >
> > Specify the location of your firewall script in /etc/rc.conf like
> > so:
> >
> > firewall_enable='YES'
> > firewall_type='/etc/ERICS_firewall'
> > firewall_flags='-p /usr/bin/cpp'
> >
> > [ You might choose to use some other preprocessor... ]
>
> Well, here's what I have now.  I have a file in /etc called
> grog.firewall.  Its contents are:
>
> grog# more grog.firewall
> ipfw -f flush
> ipfw add 100 pass all from any to any via lo0
> ipfw add 200 deny all from any to 127.0.0.0/8
> ipfw add 300 deny ip from 127.0.0.0/8 to any
> ipfw add 600 allow all from any to any
>
> In my /etc/rc.conf file, I have the following two entries pertaining
> to the firewall:
>
> firewall_enable=YES
> firewall_type=/etc/grog.firewall

Add this to your rc.conf: (instead of firewall_type=...):
firewall_script=/etc/grog.firewall

See /etc/defaults/rc.conf !


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: where am I supposed to put my rc.firewall?

2004-01-31 Thread Chuck Swiger
Peder Blom wrote:
> [ ... ]
> Add this to your rc.conf: (instead of firewall_type=...):
> firewall_script=/etc/grog.firewall
> See /etc/defaults/rc.conf !
While I won't speak against looking at /etc/defaults/rc.conf, setting 
firewall_type works fine; see the end of /etc/rc.firewall:

*)
        if [ -r ${firewall_type} ]; then
                ${fwcmd} ${firewall_flags} ${firewall_type}
        fi
        ;;
--
-Chuck


Re: where am I supposed to put my rc.firewall?

2004-01-31 Thread Peder Blom
On Sat, 31 Jan 2004 10:50:19 -0500
Chuck Swiger [EMAIL PROTECTED] wrote:

> Peder Blom wrote:
> [ ... ]
> > Add this to your rc.conf: (instead of firewall_type=...):
> > firewall_script=/etc/grog.firewall
> >
> > See /etc/defaults/rc.conf !
>
> While I won't speak against looking at /etc/defaults/rc.conf, setting
> firewall_type works fine; see the end of /etc/rc.firewall:
>
> *)
>         if [ -r ${firewall_type} ]; then
>                 ${fwcmd} ${firewall_flags} ${firewall_type}
>         fi
>         ;;
>
> --
> -Chuck

Yes, that's the other way of doing it. The mentioning of scripts and the
fact that his file was in the form of a script made me assume that he
wanted to write his own script for setting up his firewall. On second
thought I realize that he might just as well want to do it your way and
define a set of rules to be read in by rc.firewall. (This might even be
the best solution).

I've never done it this way, but in this case I assume that you just
define the rules in '/etc/ERICS_firewall', thus:

--
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 600 allow all from any to any
--

Using your suggestions for rc.conf, of course.

Is this correct?




Re: where am I supposed to put my rc.firewall?

2004-01-31 Thread Chuck Swiger
Peder Blom wrote:
> I've never done it this way, but in this case I assume that you just
> define the rules in '/etc/ERICS_firewall', thus:
> --
> add 100 pass all from any to any via lo0
> add 200 deny all from any to 127.0.0.0/8
> add 300 deny ip from 127.0.0.0/8 to any
> add 600 allow all from any to any
> --
> Using your suggestions for rc.conf, of course.
>
> Is this correct?
Exactly.  And then you add a preprocessor like cpp, and you can define:


# set these to your inside interface network and netmask and ip
#define IIF fxp0
#define INET 10.1.1.0/24
#define IIP 10.1.1.1
[ ...OIF info snipped... ]
# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535
# basic stuff
add 100 pass all from any to any via lo0
add deny all from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
add deny all from INET to any in via OIF
add deny all from ONET to any in via IIF
...and go from there.

--
-Chuck
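An added example, not code from the thread or from FreeBSD's own rc.firewall: a POSIX shell script that expands a `#define`-style ruleset like Chuck's the way `ipfw -p cpp FILE` would (simplified to whole-token substitution), and also checks the point Peder and Chuck settle above, that a file named by firewall_type holds bare `add ...` rules while `ipfw ...` commands belong in a firewall_script. The interface names and networks in the sample ruleset are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread). Expands "#define" macros in an ipfw
# rules file the way "ipfw -p cpp FILE" would (simplified: whole-token
# substitution, other "#..." lines treated as comments), and checks that the
# file holds bare rules: a file named by firewall_type is handed to ipfw as
# rule lines, so "ipfw ..." commands belong in a firewall_script instead.
# Interface and network values are constructed samples.

expand_rules() {
    awk '
        /^#define[ \t]/ { macro[$2] = $3; next }   # remember NAME VALUE
        /^#/ || /^[ \t]*$/ { next }                # drop comments and blanks
        {
            for (i = 1; i <= NF; i++)              # replace macro tokens
                if ($i in macro) $i = macro[$i]
            print
        }' "$1"
}

# Fails (returns 1) if any line starts with the ipfw command itself.
check_no_ipfw_prefix() {
    if grep -q '^[[:space:]]*ipfw[[:space:]]' "$1"; then
        echo "ERROR: $1 has 'ipfw ...' lines; strip the prefix for firewall_type" \
             "or point firewall_script at it instead" >&2
        return 1
    fi
    return 0
}

# Constructed sample ruleset in the style of the thread's cpp example.
RULES=$(mktemp)
cat >"$RULES" <<'EOF'
# inside and outside interfaces and networks
#define IIF fxp0
#define OIF fxp1
#define INET 10.1.1.0/24
#define ONET 192.0.2.0/24
#define LOPORTS 1-1023
add 100 pass all from any to any via lo0
add deny all from INET to any in via OIF
add deny all from ONET to any in via IIF
add deny tcp from any to INET LOPORTS
EOF

check_no_ipfw_prefix "$RULES" && expand_rules "$RULES"
```

Running it prints the four expanded rules with the interface and network names substituted; feeding it Eric's grog.firewall as written would instead stop at the `ipfw -f flush` line with the error.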


Re: where am I supposed to put my rc.firewall?

2004-01-31 Thread Chuck Swiger
Jack L. Stone wrote:
> At 02:04 PM 1.31.2004 -0500, Chuck Swiger wrote:
> > # set these to your inside interface network and netmask and ip
> > #define IIF fxp0
> > #define INET 10.1.1.0/24
> > #define IIP 10.1.1.1
> > [ ...OIF info snipped... ]
> > # port number ranges
> > #define LOPORTS 1-1023
> > #define HIPORTS 1024-65535
A simple example would be:

# dynamic rules
add check-state
# permit some services inbound...
add pass tcp from any HIPORTS to INET 22,80,143,443,993,3128 setup keep-state
# ...but block most other services (ie, ones with root privs)
add deny tcp from any to INET LOPORTS
For a more complicated example, where PI is a mailserver which performs virus 
scanning and spamfiltering, PONG is an internal reader box:

INET --- [FW1] --DMZ + Mailserver PI-- [FW2] --Internal subnet + PONG

# on FW1:
add pass tcp from PI HIPORTS to any 25
add pass tcp from any 25 to PI HIPORTS established
add pass tcp from any HIPORTS to PI 25
add pass tcp from PI 25 to OIP HIPORTS established
add unreach filter-prohib log tcp from any to INET 25
# on FW2:
# permit SMTP exchange between pi and pong/fw
add pass tcp from PI HIPORTS to PONG 25
add pass tcp from PONG 25 to PI HIPORTS established
add pass tcp from PONG HIPORTS to PI 25
add pass tcp from PI 25 to PONG HIPORTS established
[ ... ]
# track SMTP from inside to outside and block SMTP from outside
add pass log logamount 20 tcp from INET HIPORTS to any 25 setup
add pass tcp from INET HIPORTS to any 25 established
add pass tcp from any 25 to INET HIPORTS established
--
-Chuck


Re: where am I supposed to put my rc.firewall?

2004-01-30 Thread Chuck Swiger
Eric F Crist wrote:
> I'm trying to add IPFW support.  Where do I put my rc.firewall so that it gets
> read at boot time?  I've tried /usr/local/etc/rc.d and /etc but neither seems
> to get read.
Specify the location of your firewall script in /etc/rc.conf like so:

firewall_enable='YES'
firewall_type='/etc/ERICS_firewall'
firewall_flags='-p /usr/bin/cpp'
[ You might choose to use some other preprocessor... ]

--
-Chuck


Re: where am I supposed to put my rc.firewall?

2004-01-30 Thread Eric F Crist
On Friday 30 January 2004 06:54 pm, Chuck Swiger wrote:
> Eric F Crist wrote:
> > I'm trying to add IPFW support.  Where do I put my rc.firewall so that it
> > gets read at boot time?  I've tried /usr/local/etc/rc.d and /etc but
> > neither seems to get read.
>
> Specify the location of your firewall script in /etc/rc.conf like so:
>
> firewall_enable='YES'
> firewall_type='/etc/ERICS_firewall'
> firewall_flags='-p /usr/bin/cpp'
>
> [ You might choose to use some other preprocessor... ]

Well, here's what I have now.  I have a file in /etc called grog.firewall.  
Its contents are:

grog# more grog.firewall
ipfw -f flush
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any
ipfw add 600 allow all from any to any

In my /etc/rc.conf file, I have the following two entries pertaining to the 
firewall:

firewall_enable=YES
firewall_type=/etc/grog.firewall

Now, this is a headless system, so I access it through the serial port.  I 
don't see any errors anywhere, but my ipfw show command, immediately after 
boot, shows:

65535 481 38684 deny ip from any to any

What have I done wrong?
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588



Re: where am I supposed to put my rc.firewall?

2004-01-30 Thread Eric F Crist
On Friday 30 January 2004 09:34 pm, JJB wrote:
> firewall_type=/etc/grog.firewall
>
> is wrong, replace it with
>
> firewall_script='/etc/grog.firewall'
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Eric F Crist
> Sent: Friday, January 30, 2004 8:48 PM
> To: Chuck Swiger
> Cc: [EMAIL PROTECTED]
> Subject: Re: where am I supposed to put my rc.firewall?
>
> On Friday 30 January 2004 06:54 pm, Chuck Swiger wrote:
> > Eric F Crist wrote:
> > > I'm trying to add IPFW support.  Where do I put my rc.firewall so that it
> > > gets read at boot time?  I've tried /usr/local/etc/rc.d and /etc but
> > > neither seems to get read.
> >
> > Specify the location of your firewall script in /etc/rc.conf like so:
> > firewall_enable='YES'
> > firewall_type='/etc/ERICS_firewall'
> > firewall_flags='-p /usr/bin/cpp'
> >
> > [ You might choose to use some other preprocessor... ]
>
> Well, here's what I have now.  I have a file in /etc called grog.firewall.
> Its contents are:
>
> grog# more grog.firewall
> ipfw -f flush
> ipfw add 100 pass all from any to any via lo0
> ipfw add 200 deny all from any to 127.0.0.0/8
> ipfw add 300 deny ip from 127.0.0.0/8 to any
> ipfw add 600 allow all from any to any
>
> In my /etc/rc.conf file, I have the following two entries pertaining to the
> firewall:
>
> firewall_enable=YES
> firewall_type=/etc/grog.firewall
>
> Now, this is a headless system, so I access it through the serial port.  I
> don't see any errors anywhere, but my ipfw show command, immediately after
> boot, shows:
>
> 65535 481 38684 deny ip from any to any
>
> What have I done wrong?
> --
> Eric F Crist
> AdTech Integrated Systems, Inc
> (612) 998-3588

Ok, I'll change that.  This script still seems to cause connection problems.  
Which rules do I need to change?  This should be a wide-open firewall script, 
right?

TIA

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
