Re: IPFW Firewall Question

2008-12-05 Thread Polytropon
Often discussed and advised...

On Thu, 4 Dec 2008 16:26:04 -0800 (PST), G magicman [EMAIL PROTECTED] wrote:
 here is part of the configuration file so far that the Co-lo people put in.
 [...] 
 #!/usr/local/bin/bash

When possible, use the STANDARD form:

#!/bin/sh

Declare #!/usr/local/bin/bash only if you're intentionally
using BASH-specific functionality that SH doesn't include.
May save you lots of headache.



 2. short of a reboot how do you start stop and restart the  firewall

You can use ipfw's rc.d script:

# /etc/rc.d/ipfw start

# /etc/rc.d/ipfw stop

# /etc/rc.d/ipfw restart


Just a small note, but I hope it will help you.





-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW Firewall Question

2008-12-05 Thread Mel
On Friday 05 December 2008 01:26:04 G magicman wrote:

 Why because of the following:

 1. hosts.access on FreeBSD works on the application layer instead of the
 network layer. Therefore hosts.allow/hosts.deny no longer works the way I
 want, and I do not feel like running Sendmail and sshd out of inetd, which
 apparently is the only way to be able to use hosts.allow/deny

You're right about the application layer, but not about the rest. From 
sshd(8):
 /etc/hosts.allow
 /etc/hosts.deny
 Access controls that should be enforced by tcp-wrappers are
 defined here.  Further details are described in hosts_access(5).

 2. Next, OpenSSH does not have an AllowHosts directive like the Finnish one
 does; it only has an AllowUsers directive, so I need to protect the system
 from DDoS attacks

Again, see above.

 and hacking. I already tried to block things using the 
 Sendmail access file but all that did was choke up the server with moronic
 shit.  And I want to be able to use my sftp program but it opens random
 ports which can not be controlled, so I need the Clearaddresses to be able
 to see all ports.

For the firewall, pf user here, so others should help. ;)

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: IPFW Firewall Question

2008-12-05 Thread Steve Bertrand
G magicman wrote:
 1.  I need help to reconfigure my firewall on the server using BSD's ipfw

What part do you need to reconfigure?

 2. short of a reboot how do you start stop and restart the  firewall

Very, very carefully. Until I gained some extensive experience with
IPFW, I would wrap the firewall restart within a sleep/undo of some sort.

That said, now I use table(s) and set(s), so I can update rules without
having to restart the firewall entirely. Below is an example, that also
will guide you in answering your next two questions. The man page and
Google will explain how to use tables and sets.

To answer your question however, depending on where your firewall script
is, simply execute it at the command line, like this:

# /etc/ipfw.rules 

 Here is what i want :
 
 1. I want all ports open to the IP addresses in line 4, clearaddresses
 2. I want to be able to control access to port 25 (sendmail) to be able to deny
   whole A, B and C addresses

#!/bin/sh

flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw add"
table="/sbin/ipfw table"

$flush
# flush drops the rules only; table entries survive it, so empty the
# tables too or the "add" lines below fail with "File exists" on a re-run.
for t in 1 2 3; do $table $t flush; done

# Tables

# Client/infrastructure IPs for allowing access

$table 1 add 208.70.104.0/21
$table 1 add 64.39.160.0/19
$table 1 add 67.158.64.0/20
#...etc

# SMTP ALLOWED OUTBOUND TABLE

$table 2 add 208.70.104.202/32
$table 2 add 208.70.104.203/32
$table 2 add 208.70.104.205/32
#...etc

# Block all inbound and outbound traffic for certain sites
# ...review periodically to see if they are still valid

$table 3 add 91.203.4.146/32   # phishing

# set 3 = specific deny/allow by ids
# set 4 = SSH access
# set 29 = for counting/testing traffic patterns
# set 30 = forwarding


# SET 3

# SQL
$cmd 2 set 3 deny all from any to any 1433,1434
# NetBIOS: allowed inside the /24, denied from everywhere else
$cmd 20100 set 3 allow tcp from 208.70.104.0/24 to 208.70.104.0/24 \
    135,139,445,593 keep-state
$cmd 20105 set 3 allow udp from 208.70.104.0/24 to 208.70.104.0/24 \
    135,139,445,593
$cmd 20110 set 3 deny all from any to any 135,139,445,593

# SET 4

# table(N) must be quoted: unquoted parentheses are a shell syntax error
$cmd 4 set 4 allow tcp from "table(1)" to any 22 keep-state
$cmd 40005 set 4 deny tcp from any to any 22

# SET 29

#$cmd 59000 set 29 count log logamount 100 tcp from any to any

# SET 30

$cmd 6 set 30 fwd 208.70.104.3,53 all from any to 209.167.16.10 53
$cmd 60005 set 30 fwd 208.70.106.59,53 all from any to 209.167.16.30 53

$cmd 64998 deny all from "table(3)" to any
$cmd 64999 deny all from any to "table(3)"

### end dummy ruleset

...if you want specific rule examples, just let me know.

The above does pretty much what you want it to do. I've purposely left
it up to you to do some further research. Tweaking a non-forgiving
firewall remotely is not something you want to learn the hard way.

The benefit of tables is that you can have one rule, but manually
add/remove specific addresses or prefixes on the fly without having to
reload the rule.

With sets, you can disable an entire block of rules, modify it, and
reload it without restarting IPFW and thereby destroying your existing
established rules.

Steve
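Steve's two points, wrap a remote reload in a sleep/undo and use sets so you never flush the whole ruleset, combine into one small procedure. The script below is an added example, not Steve's or the poster's code. It builds a replacement for one set (set 4, the SSH rules, reusing the rule text from Steve's post) inside an otherwise unused scratch set, swaps the two in a single ipfw operation, and arms a timer that swaps back unless the change is confirmed. The scratch set number (28), the timer length, the pid file path and the assumption that table 1 is already populated are mine; set IPFW=echo to preview what would be executed.

```shell
#!/bin/sh
# Staged ipfw set reload with automatic revert. Added example, not code
# from the original posts. Assumes the rules in stage_rules belong in set
# $LIVE (set 4, SSH, as in Steve's ruleset), that set $STAGE is otherwise
# unused, and that table 1 already holds the permitted source prefixes.
# Set IPFW=echo to print the commands instead of running them.

IPFW=${IPFW:-"/sbin/ipfw -q"}
LIVE=${LIVE:-4}            # set whose rules are being replaced
STAGE=${STAGE:-28}         # scratch set; never 31, which holds the default rule
REVERT_SECS=${REVERT_SECS:-120}
PIDFILE=${PIDFILE:-/var/run/ipfw-revert.pid}

# The new contents of set $LIVE, written against $STAGE so they stay
# inactive until swapped in. Edit this function, not the live set.
stage_rules() {
    cat <<EOF
add 40000 set $STAGE allow tcp from table(1) to any 22 keep-state
add 40005 set $STAGE deny tcp from any to any 22
EOF
}

# Load the staged rules into the (disabled) scratch set.
load_stage() {
    $IPFW set disable $STAGE
    $IPFW delete set $STAGE 2>/dev/null || true   # clear leftovers; empty is fine
    stage_rules | while read -r rule; do
        $IPFW $rule
    done
}

# Exchange the two sets in one kernel operation: the staged rules take
# over set $LIVE (enabled), the old rules land in $STAGE (disabled).
# Then arm a timer that swaps back unless confirm runs first.
go_live() {
    $IPFW set swap $LIVE $STAGE
    ( sleep "$REVERT_SECS"; $IPFW set swap $LIVE $STAGE ) &
    echo $! > "$PIDFILE"
    echo "set $LIVE replaced; run '$0 confirm' within ${REVERT_SECS}s or it reverts"
}

# Disarm the timer and discard the old rules, which now sit in $STAGE.
confirm() {
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    $IPFW delete set $STAGE 2>/dev/null || true
}

# Manual undo: same swap the timer would have done.
revert() {
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    $IPFW set swap $LIVE $STAGE
}

case "${1:-}" in
    load) load_stage ;;
    go) go_live ;;
    confirm) confirm ;;
    revert) revert ;;
    "") ;;                      # run without a verb: define functions only
    *) echo "usage: $0 load|go|confirm|revert" >&2; exit 64 ;;
esac
```

Typical sequence over ssh is `load`, `go`, open a second session to prove you still get in, then `confirm`. If the new rules cut you off, the timer restores the old set on its own; nothing outside sets 4 and 28 is touched at any point, so the established-state rules Steve mentions survive the change.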


Re: IPFW Firewall Question

2008-12-05 Thread G magicman


I have tried this; it did not work, and the Co-Lo people are convinced that sshd 
and sendmail
need to be run out of inetd.conf for this to work

As I said, I am used to BSDI and the Finnish SSHD 

Also here they are using the combined hosts.allow/deny  with the deny inside 
which i never liked
Thank you for your help on this


Garrett

--- On Fri, 12/5/08, Mel [EMAIL PROTECTED] wrote:
From: Mel [EMAIL PROTECTED]
Subject: Re: IPFW Firewall Question
To: freebsd-questions@freebsd.org, [EMAIL PROTECTED]
Date: Friday, December 5, 2008, 6:02 AM

On Friday 05 December 2008 01:26:04 G magicman wrote:

 Why because of the following:

 1. hosts.access on FreeBSD works on the application layer instead of the
 network layer. Therefore hosts.allow/hosts.deny no longer works the way
 I
 want, and I do not feel like running Sendmail and sshd out of inetd, which
 apparently is the only way to be able to use hosts.allow/deny

You're right about the application layer, but not about the rest. From 
sshd(8):
 /etc/hosts.allow
 /etc/hosts.deny
 Access controls that should be enforced by tcp-wrappers are
 defined here.  Further details are described in hosts_access(5).

 2. Next, OpenSSH does not have an AllowHosts directive like the Finnish one
 does; it only has an AllowUsers directive, so I need to protect the system
 from DDoS attacks

Again, see above.

 and hacking. I already tried to block things using the 
 Sendmail access file but all that did was choke up the server with moronic
 shit.  And I want to be able to use my sftp program but it opens random
 ports which can not be controlled, so I need the Clearaddresses to be able
 to see all ports.

For the firewall, pf user here, so others should help. ;)

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.






IPFW Firewall Question

2008-12-04 Thread G magicman
1.  I need help to reconfigure my firewall on the server using BSD's ipfw

here is part of the configuration file so far that the Co-lo people put in.

2. short of a reboot how do you start stop and restart the  firewall



#!/usr/local/bin/bash

export IPF="ipfw -q add"

ports="11 21 22 23 25 37 42 43 53 63 69 70 80 101 109 110 115 119 123 143 443 4321 50001"
clearaddresses="209.131.0.0/16 66.65.0.0/16 71.173.96.0/19 71.173.128.0/17"  # ... further prefixes elided in the post
count=60

ipfw -q -f flush

$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
$IPF 50 allow icmp from any to any

# Trusted prefixes: everything in both directions, two rules per prefix.
for a in $clearaddresses; do
    $IPF $count allow ip from $a to any
    $IPF $(($count+1)) allow ip from any to $a
    count=$(($count+10))
done

# Service ports, stateless, matched on either end of the connection.
# The last two rules key on the source port alone, so any inbound packet
# that happens to carry source port $p is admitted whatever its destination.
for p in $ports; do
    $IPF $count allow ip from any to any $p in
    $IPF $(($count+1)) allow ip from any to any $p out
    $IPF $(($count+2)) allow ip from any $p to any in
    $IPF $(($count+3)) allow ip from any $p to any out
    count=$(($count+10))
done

$IPF 5000 deny log all from any to any
echo "Firewall created"


Here is what i want :

1. I want all ports open to the IP addresses in line 4, clearaddresses
2. I want to be able to control access to port 25 (sendmail) to be able to deny
  whole A, B and C addresses


Why because of the following:

1. hosts.access on FreeBSD works on the application layer instead of the 
network layer.
Therefore hosts.allow/hosts.deny no longer works the way I want, and I do not 
feel like running Sendmail and sshd out of inetd, which apparently is the only 
way to be able to use hosts.allow/deny.

2. Next, OpenSSH does not have an AllowHosts directive like the Finnish one does; 
it only has an AllowUsers directive, so I need to protect the system from DDoS 
attacks and hacking.
I already tried to block things using the Sendmail access file but all that did 
was choke up the server with moronic shit.  And I want to be able to use my 
sftp program but it opens random ports which can not be controlled, so I need 
the Clearaddresses to be able to see all ports.







ng_netflow on PF + CARP firewall question

2007-12-06 Thread shinny knight
Hello all,

I'm trying to use the ng_netflow module along with a PF+CARP implementation on 
FreeBSD 6.2.
I understand from different posts that the ng_netflow module performs quite 
well and does not add much CPU load, since packets are processed in the 
kernel.
However, the ng_netflow documentation is very confusing for beginners and I'm 
having a hard time figuring it out.

As mentioned before, I have a PF+CARP implementation along with the 
/usr/ports/net/ifstated port. This part is tested and is working fine. (If 
anybody wants advice here, feel free to ask :) )

I'm wondering if it's a good idea to add ng_netflow on top of it or whether I 
should use an additional system with a TAP interface and just mirror 
incoming/outgoing traffic from the switch.

This is what I want to try for ng_netflow:

cat /boot/loader.conf

ng_ether_load="YES"
ng_ksocket_load="YES"
ng_tee_load="YES"
ng_socket_load="YES"
ng_netflow_load="YES"

cat /etc/rc.conf | grep ng

ng_netflow_enable="YES"

cat /usr/local/etc/rc.d/ng_netflow

#!/bin/sh
#
# PROVIDE: ng_netflow
# REQUIRE: DAEMON

. /etc/rc.subr

name="ng_netflow"
rcvar=`set_rcvar`

ng_netflow_start()
{
    echo "Starting ${name}."
    # For each interface: insert a tee between the ether node's lower and
    # upper hooks, hang a netflow node off the tee's side hooks (one iface
    # per direction) and export to a collector on localhost:8818.
    /usr/sbin/ngctl -f- <<SEQ
mkpeer bge2: tee lower right
connect bge2: bge2:lower upper left
name bge2:lower bge2_tee
mkpeer bge2_tee: netflow left2right iface0
name bge2:lower.left2right netflow
connect bge2_tee: netflow: right2left iface1
msg netflow: setifindex { iface=0 index=2 }
msg netflow: setifindex { iface=1 index=1 }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/127.0.0.1:8818
mkpeer bge1: tee lower right
connect bge1: bge1:lower upper left
name bge1:lower bge1_tee
mkpeer bge1_tee: netflow left2right iface2
name bge1:lower.left2right netflow0
msg netflow0: setifindex { iface=2 index=4 }
connect bge1_tee: netflow0: right2left iface3
msg netflow0: setifindex { iface=3 index=3 }
mkpeer netflow0: ksocket export inet/dgram/udp
msg netflow0:export connect inet/127.0.0.1:8818
SEQ
}

ng_netflow_stop()
{
    echo "Stopping ${name}."
    # Tear down both netflow nodes and both tees, so the ether nodes'
    # lower/upper hooks are released and traffic takes the normal path again.
    /usr/sbin/ngctl -f- <<SEQ
shutdown netflow:
shutdown netflow0:
shutdown bge2_tee:
shutdown bge1_tee:
SEQ
}

start_cmd="ng_netflow_start"
stop_cmd="ng_netflow_stop"

load_rc_config $name

: ${ng_netflow_enable="NO"}

run_rc_command "$1"

As can be seen from the above script, I'm planning on sending packets to localhost 
port 8818 first.
Is the above configuration correct?

Will it affect the PF+CARP implementation in any way, given that I'm 
not using CARP interfaces with ng_netflow but physical ones like bge1 and bge2? 
(I want to mention here that I'm not planning on using ng_netflow on the pfsync 
interface.)

Should I stick with solutions from ports like softflowd and similar?

What could the CPU/memory requirement difference be for 100Mbps of traffic between 
ng_netflow and softflowd?

Thanks in advance for any help.

Senior Network/Security Administrator
Catalin Miclaus

Starcomms Ltd.

   


Re: Firewall question

2007-08-02 Thread z999
On Thu, Aug 02, 2007 at 10:04:20AM -0400, [EMAIL PROTECTED] wrote:
 It might not be as challenging as rolling your own... but have you 
 considered using one of the ready-to-install BSD firewall/router 
 packages like m0n0wall ?  http://m0n0.ch/wall/

I have thought about it. I have tried m0n0wall just as a firewall
router and it's a good choice. The downside is that you can't
set up the DHCP as freely as I want to (e.g. set up dhcpd for
PXE boot for diskless, for example). And there is not so much to do
to secure the firewall further than the m0n0wall group already
have done.  

 I don't know if it supports the 3rd interface, but it does run on 
 Soekris hardware.

Well, it does. And there is a good description for a dmz also. 

/Regards


Firewall question

2007-08-01 Thread z999
Hi
What I want to accomplish is a DMZ on the third ethernet on my
Soekris box. I have done this before with OpenBSD and PF but now I
want to do it with FreeBSD and ipfw. My ISP uses DHCP but they
don't change my IP very often (almost never), so you can see it
as if I have a static IP. First the IP numbers on the three cards
in the box:
sis0 has 83.x.x.x  
sis1 has 192.168.0.1, and this is the LAN.
sis2 has 10.0.0.1, and this is meant to be a DMZ.
Another box with IP 10.0.0.2 is connected to sis2 and is
configured as a web server.
I have a working firewall in the Soekris box with ipfw. What I
want to do is redirect incoming on port 80 to 10.0.0.2. I have
tried this in my /etc/natd.conf:
redirect_port tcp 10.0.0.2:80 80
in combination with an opening for incoming in the firewall for
port 80 (any to any). I also opened for it in hosts.allow. I can
see the website on my local LAN and I can see it from the
firewall, but not from outside. I use my cellphone to check if
it's reachable (and that worked under OpenBSD and pf). In my
rc.conf I have
natd_flags="-f /etc/natd.conf"
after the firewall; I want the firewall early in the file, before
the ethernets are configured.

I then tried to do the natd directly in my ipfw_rules (my ipfw
rules file) with this:
natd -redirect_port tcp 10.0.0.2:80 80
which gave me this:
natd: instance default: aliasing address not given.
The handbook says "The external IP address on the natd machine
must be active and aliased to the external interface. Look at
rc.conf(5) to do so."

Well, ifconfig_sis0_alias0="inet 10.0.0.2 netmask 255.255.255.255"
would not make it (I have tried other netmasks as well). I have
googled around and seen that others have had the same problem,
but no solutions or suggestions that lead in the right
direction.

Someone must have done this before, I assume? Or if someone has
some ideas I will be very happy.

/Regards from Sweden.
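The "aliasing address not given" message above is natd saying it was never told which address to translate to; on a DHCP-assigned interface the usual answer is an interface directive rather than a fixed alias. The script below is an added example of the whole setup for the layout in this post (three sis interfaces, web server on 10.0.0.2); it is not the poster's configuration. The natd.conf contents, the rc.conf variables in the comment, the rule numbers and the policy choices (what the DMZ may reach) are my assumptions. Set IPFW=echo to print the ruleset instead of loading it.

```shell
#!/bin/sh
# natd + ipfw port forward into a DMZ on the three-interface layout from
# the post. Added example, not the poster's own configuration. Assumes:
# sis0 public (DHCP), sis1 = 192.168.0.0/24 LAN, sis2 = 10.0.0.0/24 DMZ,
# web server 10.0.0.2, and these rc.conf settings (assumed, not on the page):
#   gateway_enable="YES"  firewall_enable="YES"  firewall_type="/etc/ipfw.rules"
#   natd_enable="YES"     natd_interface="sis0"  natd_flags="-f /etc/natd.conf"
# Set IPFW=echo to preview the rules without loading them.

IPFW=${IPFW:-"/sbin/ipfw -q"}
EXT=sis0; LAN=sis1; DMZ=sis2
LAN_NET=192.168.0.0/24; DMZ_NET=10.0.0.0/24; WEB=10.0.0.2

# natd(8) refuses to start ("aliasing address not given") unless it is
# told which address to translate to. With a DHCP lease on sis0 that
# cannot be a fixed -a address; "interface sis0" plus "dynamic yes"
# makes natd follow whatever address the interface currently has.
natd_conf() {
    cat <<EOF
interface $EXT
dynamic yes
use_sockets yes
same_ports yes
redirect_port tcp $WEB:80 80
EOF
}

load_rules() {
    $IPFW flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any
    # Private source addresses never legitimately arrive on the public side.
    $IPFW add 130 deny ip from $LAN_NET to any in via $EXT
    $IPFW add 140 deny ip from $DMZ_NET to any in via $EXT
    # Translation point, both directions. Every rule after this one sees
    # post-NAT addresses: inbound packets already carry the DMZ destination,
    # outbound packets already carry the public source. An allow rule for
    # port 80 placed above this line would never see 10.0.0.2 at all.
    $IPFW add 200 divert natd ip from any to any via $EXT
    # The forwarded service: in on sis0 (after translation) and out on sis2,
    # then the replies back in on sis2. Once natd has rewritten the reply's
    # source it leaves sis0 under rule 510 below.
    $IPFW add 300 allow tcp from any to $WEB 80
    $IPFW add 310 allow tcp from $WEB 80 to any established
    # DMZ isolation: replies to LAN-initiated sessions only; nothing else
    # from the DMZ may reach the LAN. The DMZ host may still go out.
    $IPFW add 400 allow tcp from $DMZ_NET to $LAN_NET established
    $IPFW add 410 deny log ip from $DMZ_NET to $LAN_NET
    $IPFW add 420 allow ip from $DMZ_NET to any
    # LAN and the gateway itself go out; replies come back after translation.
    $IPFW add 500 allow ip from $LAN_NET to any
    $IPFW add 510 allow ip from me to any
    $IPFW add 520 allow tcp from any to any established
    $IPFW add 530 allow udp from any 53 to any
    $IPFW add 540 allow icmp from any to any icmptypes 0,3,8,11
    $IPFW add 65000 deny log ip from any to any
}

case "${1:-}" in
    natd) natd_conf ;;                # print the natd.conf contents
    rules) load_rules ;;              # load the ruleset (or preview with IPFW=echo)
    "") ;;
    *) echo "usage: $0 natd|rules" >&2; exit 64 ;;
esac
```

Two things to check once it is in place: `ipfw show` should show rule 200's counters climbing for traffic that crosses sis0, and a connection from outside should appear in `ipfw -d show` or the web server's log with the real client address, not 10.0.0.1, because only the destination is rewritten on the way in.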


Re: Simple firewall question: Blocking a handful of IPs

2006-04-27 Thread RW
On Thursday 27 April 2006 03:10, fbsd wrote:
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of H. Wade
  Minter
 ..
  I want all traffic allowed unfettered, except traffic from
  particular
  IPs to be completely blocked coming in.
 
  Can someone show me which ipf rules to use to get that result?

   block in quick on rl0 from x.x.x.x  to any

Unless the syntax is the same, that looks more like pf than ipf.


Re: Simple firewall question: Blocking a handful of IPs

2006-04-27 Thread RW
On Thursday 27 April 2006 17:53, RW wrote:
 On Thursday 27 April 2006 03:10, fbsd wrote:
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] Behalf Of H. Wade
   Minter
 
  ..
 
   I want all traffic allowed unfettered, except traffic from
   particular
   IPs to be completely blocked coming in.
  
   Can someone show me which ipf rules to use to get that result?
 
block in quick on rl0 from x.x.x.x  to any

 Unless the syntax is the same, that looks more like pf than ipf.

Sorry, I see the syntax is the same.
 


Re: Simple firewall question: Blocking a handful of IPs

2006-04-27 Thread Giorgos Keramidas
On 2006-04-27 17:53, RW [EMAIL PROTECTED] wrote:
On Thursday 27 April 2006 03:10, fbsd wrote:
H. Wade Minter wrote:
 I want all traffic allowed unfettered, except traffic from
 particular IPs to be completely blocked coming in.

 Can someone show me which ipf rules to use to get that result?

   block in quick on rl0 from x.x.x.x  to any

 Unless the syntax is the same, that looks more like pf than ipf.

The syntax *is* the same, in this case.  The only ipf syntax
feature that ipf users are likely to miss from pf syntax is the
use of rule `groups', but this is not used here.
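fbsd's one-liner is the whole answer for one address; what a remote admin on a production box still wants is the rules file for a handful of them, a reload that cannot lock them out, and a way to confirm the rule is being hit. The script below is an added example, not from the thread: the addresses are constructed placeholders, the file path is an assumption, and the interface is the rl0 from Wade's post. Set IPF=echo to preview.

```shell
#!/bin/sh
# Added example, not from the thread: build and load an ipf ruleset that
# passes everything except a short list of source addresses on rl0.
# Assumes ipf(8)/ipfstat(8) from the base system; the addresses below
# are constructed placeholders. Set IPF=echo for a dry run.

IPF=${IPF:-/sbin/ipf}
RULES=${RULES:-/etc/ipf.rules}
EXT=rl0
# Constructed list; one address or CIDR block per word.
BLOCKED="192.0.2.17 198.51.100.0/24 203.0.113.5"

# Emit the ruleset. "quick" stops processing at the first match, so the
# pass rules below never see those sources; "log" hands each hit to
# ipmon(8) so you can watch the block working from outside.
ipf_rules() {
    for src in $BLOCKED; do
        echo "block in log quick on $EXT from $src to any"
    done
    echo "pass in all"
    echo "pass out all"
}

# Write the file, then load it in one go: -Fa drops the active rules and
# -f reads the new set. ipf's default with no matching rule is pass, so
# a typo in the file leaves the box reachable rather than locked out,
# which is the failure mode you want when working remotely.
load_rules() {
    ipf_rules > "$RULES"
    $IPF -Fa -f "$RULES"
}

case "${1:-}" in
    load) load_rules ;;
    show) ipf_rules ;;
    "") ;;
    *) echo "usage: $0 load|show" >&2; exit 64 ;;
esac
```

After `load`, `ipfstat -ih` lists the inbound rules with their hit counters, so a probe from one of the blocked addresses should increment exactly one of the block lines.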



Simple firewall question: Blocking a handful of IPs

2006-04-26 Thread H. Wade Minter
I'm not extremely comfortable with doing firewall testing remotely on  
production systems, but I need to set up some incoming IP blocks.   
I've got a FreeBSD RELENG_5_4 system with public interface rl0.


I want all traffic allowed unfettered, except traffic from particular  
IPs to be completely blocked coming in.


Can someone show me which ipf rules to use to get that result?

Thanks,
Wade


RE: Simple firewall question: Blocking a handful of IPs

2006-04-26 Thread fbsd

  block in quick on rl0 from x.x.x.x  to any

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of H. Wade
Minter
Sent: Wednesday, April 26, 2006 8:47 PM
To: [EMAIL PROTECTED]
Subject: Simple firewall question: Blocking a handful of IPs


I'm not extremely comfortable with doing firewall testing remotely
on
production systems, but I need to set up some incoming IP blocks.
I've got a FreeBSD RELENG_5_4 system with public interface rl0.

I want all traffic allowed unfettered, except traffic from
particular
IPs to be completely blocked coming in.

Can someone show me which ipf rules to use to get that result?

Thanks,
Wade


probably a simple routing or firewall question

2005-10-25 Thread Dave

Hello,
   I've got a 5.4 box acting as a gateway/router and I have to set up 
another for another network. This one will rely on a different IP range, so 
I thought I'd hand it out while I'm doing the install via my DHCP server. 
This part works, but the box can't get to the net to retrieve ports and so 
forth. I'm suspecting either a routing or firewall issue. I'm using pf and 
am NATting all traffic from this new box to my external interface and 
passing all traffic, so that should be working. My network range is 10.8.0.0 
and the range for this new box is 10.10.0.0. I believe my problem is here; 
I'm not sure where to fix it: my gateway, this new box or both? I'd 
rather not make too many modifications to this new machine save what it needs 
to get going; ideally I'd like to hand it over and have it be dropped in 
and go. It needs to be that simple; the person who's getting it has an 
impulsive habit, especially if something doesn't work right out of the box.

Any help appreciated.
Thanks.
Dave.



Re: probably a simple routing or firewall question

2005-10-25 Thread Eric F Crist

On Oct 25, 2005, at 9:59 AM, Dave wrote:


Hello,
   I've got a 5.4 box acting as a gateway/router and I have to set  
up another for another network. This one will rely on a different  
IP range, so I thought I'd hand it out while I'm doing the install  
via my DHCP server. This part works, but the box can't get to the  
net to retrieve ports and so forth. I'm suspecting either a routing  
or firewall issue. I'm using pf and am NATting all traffic from  
this new box to my external interface and passing all traffic, so that  
should be working. My network range is 10.8.0.0 and the range for  
this new box is 10.10.0.0. I believe my problem is here; I'm not  
sure where to fix it: my gateway, this new box or both? I'd  
rather not make too many modifications to this new machine save what  
it needs to get going; ideally I'd like to hand it over and have  
it be dropped in and go. It needs to be that simple; the person  
who's getting it has an impulsive habit, especially if something  
doesn't work right out of the box.

Any help appreciated.
Thanks.
Dave.


what is your netmask for the two boxes?  Your default router needs to  
be on the same network as the machines that need to access it.


___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson



Re: probably a simple routing or firewall question

2005-10-25 Thread Eric F Crist


On Oct 25, 2005, at 2:00 PM, Dave wrote:


Hi,
   The netmask for my working setup is 255.255.0.0, same for the  
non-working setup. I am starting to wonder, since the boxes are in  
two different subnets, if they need a route to each other?

Thanks.
Dave.


Yes, they do.

___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson



Re: Proxy/Firewall Question

2004-09-12 Thread Shantanoo
On Sat, 11 Sep 2004 22:48:50 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
 Hello Gang,
 
 I am a novice at this so please bear with me.  I have
 successfully configured Squid, Nylon and my firewall,
 my question is how do I disable any net traffic that
 is not going through the proxy?  It would be best for
 all LAN traffic (telnet, ftp, chat, socks, etc) to
 pass through the proxy otherwise get dropped.
 
 I would imagine its a Windows configuration thing but
 I am not for certain.
 
 Thanks,
 JP
 
Disable NATting.
Using the firewall, allow connections to the ports on which squid and/or nylon
is listening.

BTW, which firewall are you using?

Shantanoo


Re: Proxy/Firewall Question

2004-09-12 Thread JP
Thank you, I am using the standard firewall and
firewall script that came with FreeBSD.  By default,
everything on the firewall is set to open.  I
attempted what you suggested (disabling NAT) and I
could no longer get out to see the net.  I could ping
the FreeBSD box just fine, but nothing beyond that.  

Suggestions?  


--- Shantanoo [EMAIL PROTECTED] wrote:

 On Sat, 11 Sep 2004 22:48:50 -0700 (PDT), JP
 [EMAIL PROTECTED] wrote:
  Hello Gang,
  
  I am a novice at this so please bear with me.  I
 have
  successfully configured Squid, Nylon and my
 firewall,
  my question is how do I disable any net traffic
 that
  is not going through the proxy?  It would be best
 for
  all LAN traffic (telnet, ftp, chat, socks, etc) to
  pass through the proxy otherwise get dropped.
  
  I would imagine its a Windows configuration thing
 but
  I am not for certain.
  
  Thanks,
  JP
  
 Disable NATting.
 Using the firewall, allow connections to the ports on which
 squid and/or nylon
 is listening.
 
 BTW, which firewall are you using?
 
 Shantanoo
 




___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Proxy/Firewall Question

2004-09-12 Thread Subhro
That is expected. After all, that is what a proxy is about. When NAT is
enabled you can ping the outside world, that is fine. If you want to
provide transparent access to the clients, then you need to enable
NAT. You can control the type of access provided (browsing, IRC, IMs,
etc.) by blocking (opening) the required ports on the firewall.
Alternatively, as you say, PROXY: you won't be able to ping outside,
and the clients have to explicitly configure their software to use
the proxy running on the BSD box.

Regards
S.


On Sun, 12 Sep 2004 00:31:41 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
 Thank you, I am using the standard firewall and
 firewall script that came with FreeBSD.  By default,
 everything on the firewall is set to open.  I
 attempted what you suggested (disabling NAT) and I
 could no longer get out to see the net.  I could ping
 the FreeBSD box just fine, but nothing beyond that.
 
 Suggestions?
 
 
 --- Shantanoo [EMAIL PROTECTED] wrote:
 
  On Sat, 11 Sep 2004 22:48:50 -0700 (PDT), JP
  [EMAIL PROTECTED] wrote:
   Hello Gang,
  
   I am a novice at this so please bear with me.  I
  have
   successfully configured Squid, Nylon and my
  firewall,
   my question is how do I disable any net traffic
  that
   is not going through the proxy?  It would be best
  for
   all LAN traffic (telnet, ftp, chat, socks, etc) to
   pass through the proxy otherwise get dropped.
  
   I would imagine its a Windows configuration thing
  but
   I am not for certain.
  
   Thanks,
   JP
  
  Disable NATting.
  Using the firewall, allow connections to the ports on which
  squid and/or nylon
  is listening.
 
  BTW, which firewall are you using?
 
  Shantanoo
 
 
 ___
 Do you Yahoo!?
 Express yourself with Y! Messenger! Free. Download now.
 http://messenger.yahoo.com
 
 
 ___
 [EMAIL PROTECTED] mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]
 



-- 
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
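Shantanoo's and Subhro's answers add up to one ruleset: no NAT at all, and the LAN allowed to reach only the proxy ports (and the resolver) on the gateway itself. The script below is an added example of that for ipfw; it is not from the thread and it is not the rc.firewall "open" type JP is running. Interface names (fxp0 outside, fxp1 LAN), the LAN prefix, squid on tcp/3128, nylon on tcp/1080 and a resolver on the box are assumptions. Set IPFW=echo to preview.

```shell
#!/bin/sh
# ipfw rules for a gateway whose LAN may leave only through the proxies
# running on it. Added example, not from the thread. Assumed details:
# LAN on fxp1 = 192.168.1.0/24, outside on fxp0, squid on tcp/3128,
# nylon (SOCKS) on tcp/1080, a resolver on the box. There is no divert
# or nat rule anywhere, so nothing from the LAN is ever translated.
# Set IPFW=echo to preview.

IPFW=${IPFW:-"/sbin/ipfw -q"}
LAN_IF=fxp1; EXT_IF=fxp0
LAN_NET=192.168.1.0/24
PROXY_PORTS="3128,1080"

load_rules() {
    $IPFW flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any
    $IPFW add 130 deny ip from $LAN_NET to any in via $EXT_IF   # spoofed LAN source
    # Dynamic rules created by the keep-state rules below are matched here,
    # which is what lets the replies back through in the other direction.
    $IPFW add 200 check-state
    # What LAN hosts may do: talk to the proxies and the resolver on this box.
    $IPFW add 300 allow tcp from $LAN_NET to me $PROXY_PORTS in via $LAN_IF setup keep-state
    $IPFW add 310 allow udp from $LAN_NET to me 53 in via $LAN_IF keep-state
    # Nothing else from the LAN is forwarded; this is the rule that makes
    # the proxy mandatory. Logging it shows which clients still try to go direct.
    $IPFW add 400 deny log ip from $LAN_NET to any in via $LAN_IF
    # The box itself, and so squid and nylon, may go outside; only replies
    # to its own connections come back in on the external side.
    $IPFW add 500 allow ip from me to any out via $EXT_IF keep-state
    $IPFW add 510 allow icmp from any to me in via $EXT_IF icmptypes 0,3,11
    $IPFW add 65000 deny log ip from any to any
}

case "${1:-}" in
    load) load_rules ;;
    "") ;;
    *) echo "usage: $0 load" >&2; exit 64 ;;
esac
```

With this loaded, pinging the outside from a LAN client fails by design, as Subhro describes; each Windows client needs the proxy configured in the browser and in whatever else should reach the outside, and `ipfw -a show` on rule 400 tells you which ones have not been set up yet.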


Proxy/Firewall Question

2004-09-11 Thread JP
Hello Gang,

I am a novice at this so please bear with me.  I have
successfully configured Squid, Nylon and my firewall,
my question is how do I disable any net traffic that
is not going through the proxy?  It would be best for
all LAN traffic (telnet, ftp, chat, socks, etc) to
pass through the proxy otherwise get dropped.

I would imagine its a Windows configuration thing but
I am not for certain.  

Thanks,
JP






Re: Newbie firewall question

2004-01-28 Thread Vulpes Velox
On Wed, 28 Jan 2004 07:15:46 +0100
Nicolas [EMAIL PROTECTED] wrote:

 Hello.
 I have just installed 5.2 on my machine and everything works. Now I
 am trying to configure it and I want to put up a firewall, but
 everything I read seems to refer to a dial-up connection; I have a
 LAN connection. So my question(s) is: is there a difference between a
 firewall for a dial-up connection and a LAN connection? And if so,
 what is the difference, where can I read about it and are there any
 good sites to look at? I have The Complete FreeBSD, the handbook,
 Absolute FreeBSD... I would be very grateful for some help or
 directions where to look. Many Thanks!!

Check out ipfw. Should not really matter what the connection is
over... unless you specifically want a rule to apply to a device...


Re: Newbie firewall question

2004-01-28 Thread Peder Blom
On Wed, 28 Jan 2004 07:15:46 +0100
Nicolas [EMAIL PROTECTED] wrote:

 Hello.
 I have just installed 5.2 on my machine and everything works. Now I am
 trying to configure it and I want to put up a firewall, but
 everything I read seems to refer to a dial-up connection; I have a LAN
 connection. So my question(s) is: is there a difference between a
 firewall for a dial-up connection and a LAN connection? And if so,
 what is the difference, where can I read about it and are there any
 good sites to look at? I have The Complete FreeBSD, the handbook,
 Absolute FreeBSD... I would be very grateful for some help or
 directions where to look. Many Thanks!!

If what you want is to set up a simple firewall for a standalone
computer connected via LAN to an ISP there are a number of informative
articles by Dru Lavigne on

http://www.onlamp.com/pub/ct/15



Re: Newbie firewall question

2004-01-28 Thread K Claussen
Nicolas wrote:

I have just installed 5.2 on my machine and everything works. Now I am 
trying to configure it and I want to put up a firewall, but everything 
I read seems to refer to a dial-up connection; I have a LAN connection. So 
my question(s) is: is there a difference between a firewall for a dial-up 
connection and a LAN connection? And if so, what is the difference, 
where can I read about it and are there any good sites to look at? I have 
The Complete FreeBSD, the handbook, Absolute FreeBSD...
I would be very grateful for some help or directions where to look.
Hi, Nicolas:

I just set up something similar. Not sure what kind of configuration 
that you're looking for, but here's an article that helped me a lot in 
setting up my PC. It's an article on setting up a firewall/gateway using 
PPPoE..

On a side note, setting up PPPoE in FreeBSD was infinitely simpler than on 
my old Linux box..

That aside, this as well as the IPFW HOWTO got me all setup and running..

http://www.unixcircle.com/features/freebsd_pppoe.php

Good luck!
Kurt
--
Kurt Claussen [EMAIL PROTECTED]
SDF Public Access Unix System -- http://sdf.lonestar.org


Newbie firewall question

2004-01-27 Thread Nicolas
Hello.
I have just installed 5.2 on my machine and everything works. Now I am
trying to configure it and I want to put up a firewall, but everything
I read seems to refer to a dial-up connection; I have a LAN connection. So
my question is: is there a difference between a firewall for a dial-up
connection and a LAN connection? And if so, what is the difference,
where can I read about it, and are there any good sites to look at? I have
The Complete FreeBSD, the handbook, Absolute FreeBSD.
I would be very grateful for some help or directions where to look.
Many thanks!!


firewall question...

2003-12-31 Thread Xpression
Hi list, I've two servers running some services; now I want
to firewall both of them. Do I need to build it on the router or in
the FreeBSD box? Thanks.




Re: firewall question...

2003-12-31 Thread Kevin D. Kinsey, DaleCo, S.P.
Xpression wrote:

Hi list, I've two servers running some services; now I want
to firewall both of them. Do I need to build it on the router or in
the FreeBSD box? Thanks.
 

What does your network look like?

If each box has a publicly routable IP address,
I'd definitely put the firewall on each of them.
If they're on a private network behind a router,
then a firewall on the router would be a basic
level of security, and running a firewall on the
servers themselves would be icing on the cake.
Kevin Kinsey
DaleCo, S.P.


Re: firewall question...

2003-12-31 Thread Francisco
On Wed, 31 Dec 2003, Xpression wrote:

 Hi list, I've two servers running some services; now I want
 to firewall both of them. Do I need to build it on the router or in
 the FreeBSD box? Thanks.


That is totally up to you.
If you plan to do it on one of your FreeBSD machines, I believe you will
need to have two NICs. At least that, I believe, is the easiest way to do
it.

There are some parameters you need in your kernel to use IPFW. Not sure if
PF needs kernel changes.

You very likely should be able to find previous posts and/or tutorials
online on how to set up either one, IPFW or PF. I do recommend, though, that you
get yourself a good book on security so you understand all the parameters
and options you are going to need to deal with. Take a look at
/etc/rc.firewall. I believe they mention a book or two there that you may
want to consider reading.


Re: firewall question...

2003-12-31 Thread horio shoichi
On Wed, 31 Dec 2003 09:59:10 -0500
Xpression [EMAIL PROTECTED] wrote:
 Hi list, I've two servers running some services; now I want
 to firewall both of them. Do I need to build it on the router or in
 the FreeBSD box? Thanks.
 
 

Although it depends, use your spare time to install it on both, i.e. on
three boxen.

I say this because the firewall(s) on the router cannot always do fine-grained
host-by-host setups, connections from/to the internal LAN in particular.


horio shoichi



Newbie Firewall Question

2003-07-12 Thread mempheria
Q1:
I just set up my first ipfw (with natd) firewall :-)
I run the preconfigured firewall type called "simple".
Can anyone help me make a ruleset that blocks everything to the inside
(except DHCP from my ISP and SSH from inside) and allows everything out?

When I try to learn and look at the "simple" configuration ruleset in rc.firewall, I
go nuts.
I mean, why are there natd rules? Isn't natd transparent? If I block all in, it should
block all in for natd as well (?)

Q2:
What is meant by stateful inspection? I guess ipfw doesn't have support for that.

I'm sorry for being such a lamer and not reading the manuals better, but I guess this list is
for people like me :-)

Anyway, feel free to answer me; here is the information you need to know:

outside interface ep0 DHCP
inside interface fxp0 192.168.0.1


/ Mempheria 

 



Re: Newbie Firewall Question

2003-07-12 Thread Herbert Wolverson
On Sat, Jul 12, 2003 at 12:33:47AM +0200, mempheria wrote:
 Q1:
 I just set up my first ipfw (with natd) firewall :-)
 I run the preconfigured firewall type called "simple".
 Can anyone help me make a ruleset that blocks everything to the inside
 (except DHCP from my ISP and SSH from inside) and allows everything out?
 outside interface ep0 DHCP
 inside interface fxp0 192.168.0.1
 
 When I try to learn and look at the "simple" configuration ruleset in rc.firewall, I
 go nuts.
 I mean, why are there natd rules? Isn't natd transparent? If I block all in, it should
 block all in for natd as well (?)

Answering your last questions first, natd isn't transparent because:
- it runs in userland (rather than kernelspace), so it doesn't see anything before
  the firewall.
- the flexibility to not run it, or closely control how it runs is appreciated
  in many situations (multiple divert rules, for example).

In other words, it could be transparent, but that would annoy those of us with
weird/complex setups!

The trick with natd/ipfw is to realise that as soon as your divert rule runs,
you can ignore natd in your firewall rules: after the divert rule, all packets
show up with correct endpoints. Generally, that means running natd early.

A really basic firewall script to allow outbound traffic and deny inbound
would look something like this:

--- (snip)

# Clear the firewall (-f: skip the interactive confirmation prompt)
ipfw -f flush

# Run natd
ipfw add divert natd all from any to any via ep0

# Allow established TCP sessions
ipfw add allow tcp from any to any established

# Allow TCP setup from local to anywhere
ipfw add allow tcp from 192.168.0.0/24 to any setup

# Allow SSH administration from inside
ipfw add allow tcp from 192.168.0.0/24 to me 22 setup

# Block all TCP that didn't match the above rules
ipfw add deny tcp from any to 192.168.0.0/24

# Allow DNS
ipfw add allow udp from any 53 to any
ipfw add allow udp from any to any 53

# Allow DHCP
ipfw add allow udp from any to any 546
ipfw add allow udp from any to any 547
ipfw add allow udp from any to any 67
ipfw add allow udp from any to any 68

# Block stupid MS UDP traffic
ipfw add deny udp from any to any 137-139

# Block low port UDP (optional safety measure)
ipfw add deny udp from any to 192.168.0.0/24 1-1024

# Allow all udp (I generally don't do this!)
ipfw add allow udp from any to any

# Allow all icmp
ipfw add allow icmp from any to any

--- (snip)
This is from memory, so there may be something wrong with it. I
strongly recommend taking a look at the FreeBSD cheat sheets,
http://www.mostgraveconcern.com/freebsd/ , the handbook at freebsd.org,
man ipfw, and man natd.

 Q2:
 What is meant by stateful inspection? I guess ipfw doesn't have support for that.

Stateful inspection means that the firewall keeps state - in other words,
it remembers which connections are supposed to be allowed, rather than taking
the protocol's word for it; that way it can't be tricked into allowing certain
scans that work by faking the established flag in TCP connections. ipfw has
had this for a long time! (see man ipfw for details)

A non-stateful ruleset to allow only outgoing TCP traffic:
ipfw add allow tcp from any to any established
ipfw add allow tcp from 192.168.0.0/24 to any setup
ipfw add deny tcp from any to any

A stateful version of the same thing:
ipfw add check-state
ipfw add allow tcp from 192.168.0.0/24 to any setup keep-state
ipfw add deny tcp from any to any

The first set of rules will allow any TCP packet marked as being part
of an ongoing connection, and can be tricked into allowing certain scans
as a result. The second set automagically adds an ipfw rule for each
connection that passes the keep-state rule - in this case, any TCP
connection setup originating in the local subnet. Scans that attempt to
get in because they are marked established fail, because check-state
doesn't see a rule created by a matching outbound connection.

Note that there is a performance hit for using stateful rules. It isn't
huge, but for a busy firewall it is noticeable.

Also note that natd and check-state/keep-state don't like one another.
FreeBSD has two other firewalls (pf and ipf) to try if you really need
this functionality (you almost certainly don't!).

-- Herbert.
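An added example, not Herbert's script or anything else from the thread, that covers both the natd ordering point and the stateless/stateful contrast above: an sh function that emits either ruleset for the poster's layout (it assumes the interface names ep0/fxp0 and the 192.168.0.0/24 subnet from the post), and blocks new inbound connections by interface and direction so that the NATed copy of an outbound SYN still passes after the divert.

```shell
#!/bin/sh
# Added example, not from the thread: print (or load) an ipfw ruleset for the
# poster's layout: outside ep0 with a DHCP lease from the ISP, inside fxp0 with
# 192.168.0.0/24 behind it. Dry run by default (commands are echoed); set
# IPFW=/sbin/ipfw and run as root on FreeBSD to load the rules for real.
IPFW="${IPFW:-echo ipfw}"
OIF="${OIF:-ep0}"              # outside interface (name assumed from the post)
LAN="${LAN:-192.168.0.0/24}"   # inside subnet (assumed from the post)

# emit_ruleset MODE
#   nat      - gateway with natd: divert first, then stateless TCP rules that
#              trust the ACK ("established") flag, keyed on interface/direction
#   stateful - no natd (the thread notes natd and keep-state do not mix):
#              check-state/keep-state, so a forged ACK never matches anything
emit_ruleset() {
    case "$1" in
        nat)      ks="" ;;
        stateful) ks="keep-state" ;;
        *) echo "usage: emit_ruleset nat|stateful" >&2; return 1 ;;
    esac
    $IPFW -f flush                 # -f: no interactive "Are you sure?" prompt
    # Anti-spoofing: LAN source addresses never arrive on the outside interface
    $IPFW add 50 deny ip from "$LAN" to any in via "$OIF"
    if [ "$1" = nat ]; then
        # natd rewrites endpoints before any allow/deny rule sees the packet;
        # re-injected packets resume at the rule after the divert
        $IPFW add 100 divert natd ip from any to any via "$OIF"
        $IPFW add 200 allow tcp from any to any established
    else
        $IPFW add 200 check-state
    fi
    # SSH to this box from the inside only
    $IPFW add 300 allow tcp from "$LAN" to me 22 setup $ks
    # No new connections from the ISP side; new connections elsewhere
    # (LAN clients, and the NATed copy leaving via ep0) are fine
    $IPFW add 400 deny tcp from any to any setup in via "$OIF"
    $IPFW add 410 allow tcp from any to any setup $ks
    $IPFW add 500 deny tcp from any to any
    # DHCP only on the outside interface, not "from any to any"
    $IPFW add 600 allow udp from any 67 to any 68 in via "$OIF"
    $IPFW add 610 allow udp from any 68 to any 67 out via "$OIF"
    # DNS queries out and replies back; any other UDP is dropped
    $IPFW add 700 allow udp from any to any 53 $ks
    if [ -z "$ks" ]; then $IPFW add 710 allow udp from any 53 to any; fi
    $IPFW add 800 deny udp from any to any
    # ICMP: echo, echo reply, unreachable (path MTU) and time exceeded only
    $IPFW add 900 allow icmp from any to any icmptypes 0,3,8,11
    $IPFW add 65000 deny ip from any to any
}
```

Run `emit_ruleset nat` or `emit_ruleset stateful` and read the printed rules before pointing IPFW at the real binary; the rule numbers leave room to insert local exceptions.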