Re: Dumb IPFW Question
On Wed, 26 Sep 2007 20:46:29 +0100 Chris Yocum <[EMAIL PROTECTED]> wrote:

> Just to explain a bit, I have installed a FreeBSD 6.2 system on a
> machine to act as a natd router. I turned on the firewall and set the
> firewall rule script to the one from the handbook
> (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)
> (Example Ruleset #2 at the bottom).

Despite lots of useful tips, especially regarding stateful rules, there are a number of problems with some of the information on that page, and I wouldn't rely on it as a substitute for a thorough study of ipfw(8). At the risk of being called on to submit a PR and diff, be particularly wary of the sections in which the word 'mandatory' appears, and perhaps compare those rulesets with those in /etc/rc.firewall. But anyway ..

> After some investigation when I could not get www, I discovered
> that somehow port 53 is blocked even when I explicitly open it. This
> happens when I uncomment the rule "# Reject & Log all unauthorized out
> going connections to the public Internet
> $cmd 450 deny log all from any to any out via $pif". So essentially,
> when I use that line, I lose my DNS and my www will not work anymore.

I see Chuck already caught your use of 'setup' with udp, which was the immediate problem. In fact, the ruleset #2 you used as basis has a rule for TCP port 53 (needed if you need to transfer zone/s with an outside DNS server) but had entirely omitted UDP 53 (though the earlier examples included it), which it seems you must have already noticed.

> Otherwise, it all works great and I could not be happier. Thank
> you in advance for any help that you may be able to provide. I am
> sure that it is some small blunder on my part.

One thing lacking in that ruleset is stopping of _outbound_ spoofing of RFC 1918 etc addresses; refer to the 'simple' section of rc.firewall, particularly the placement of anti-spoofing rules wrt NATD diversion.

> # Dup these lines if your ISP has more than one DNS server

Or use an address list in one rule, like addr1,addr2,addr3

> # Get the IP addresses from /etc/resolv.conf file
> $cmd 023 $skip udp from any to 53 out via $pif setup keep-state
> $cmd 024 $skip udp from any to 53 out via $pif setup keep-state
> $cmd 025 $skip udp from any to 53 out via $pif setup keep-state

As you've found, dropping 'setup' will make these work.

> # Allow out ping
> $cmd 080 $skip icmp from any to any out via $pif keep-state

I'm not sure if this is sufficient to allow the icmptypes needed by TCP for MTU discovery, but I allow these types specifically and not statefully.

> # Deny all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> $cmd 320 deny tcp from any to any 137 in via $pif
> $cmd 321 deny tcp from any to any 138 in via $pif
> $cmd 322 deny tcp from any to any 139 in via $pif
> $cmd 323 deny tcp from any to any 81 in via $pif

I've noticed other people just copying these rules from this example, but 137 and 138 are on UDP, not TCP, while 139 is a TCP service. Still, unless you wanted to count these individually, the 'deny everything not specifically allowed' rule will catch these anyhow. And if you've got windows boxes NAT'd on the inside you should block these going OUT too. eg for TCP:

#% first take out the VAST bulk of TCP bogons / background noise:
crap="135,139,445,1433,2967,2968,4899,5900"
crap="${crap},8000,8080,3128"
${fwadd} deny log $afew tcp from any to any ${crap} in via ${ext_if} setup
# Reject&Log all other setup of incoming connections from the outside
${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup

and for UDP:

#% first cut out most of the heavy duty noise (incl broken insiders)
junk="137,138,1433,1434"
junk="${junk},3544"	# XP home calls home? MS ipV6 'Teredo'
${fwadd} deny udp from any to any ${junk} via ${ext_if}

> #allow in information from the ISP's DNS
> $cmd 361 allow udp from 53 to any in via $pif keep-state
> $cmd 362 allow udp from 53 to any in via $pif keep-state

These are not useful, since you're using outbound UDP keep-state on 53. If you're running a public DNS server, you'd need to allow inbound DNS in from anyone, not (just) your ISP.

HTH, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Dumb IPFW Question
Hi,

Yep, it was a blunder by me. Thank you very much!

Chris

On 9/26/07, Chuck Swiger <[EMAIL PROTECTED]> wrote:
> On Sep 26, 2007, at 12:46 PM, Chris Yocum wrote:
> [ ... ]
> > I also get "Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP
> > <router outside IP>:53 :53 out via sis0" in my
> > /var/log/security file. I have appended the ipfw rules below so you
> > can see all the changes that I made from the original.
>
> The setup keyword should only be used with TCP packets; trying to use
> it with UDP traffic will cause your pass-through rules (#23-25) to
> not match the traffic you want them to match...
>
> --
> -Chuck
Re: Dumb IPFW Question
On Sep 26, 2007, at 12:46 PM, Chris Yocum wrote:
[ ... ]
> I also get "Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP
> :53 :53 out via sis0" in my /var/log/security file. I have appended
> the ipfw rules below so you can see all the changes that I made from
> the original.

The setup keyword should only be used with TCP packets; trying to use it with UDP traffic will cause your pass-through rules (#23-25) to not match the traffic you want them to match...

--
-Chuck
Dumb IPFW Question
Hi Everyone,

Just to explain a bit, I have installed a FreeBSD 6.2 system on a machine to act as a natd router. I turned on the firewall and set the firewall rule script to the one from the handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html) (Example Ruleset #2 at the bottom).

After some investigation when I could not get www, I discovered that somehow port 53 is blocked even when I explicitly open it. This happens when I uncomment the rule "# Reject & Log all unauthorized out going connections to the public Internet $cmd 450 deny log all from any to any out via $pif". So essentially, when I use that line, I lose my DNS and my www will not work anymore. I also get "Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP :53 :53 out via sis0" in my /var/log/security file. I have appended the ipfw rules below so you can see all the changes that I made from the original.

Otherwise, it all works great and I could not be happier. Thank you in advance for any help that you may be able to provide. I am sure that it is some small blunder on my part.

Thanks!
Chris

#!/bin/sh
cmd="ipfw -q add"
skip="skipto 800"
pif="sis0"	# public interface name of NIC
		# facing the public Internet
#
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#
$cmd 005 allow all from any to any via xl0
#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0
#
# check if packet is inbound and nat address if it is
#
$cmd 014 divert natd ip from any to any in via $pif
#
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#
$cmd 015 check-state
#
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 023 $skip udp from any to 53 out via $pif setup keep-state
$cmd 024 $skip udp from any to 53 out via $pif setup keep-state
$cmd 025 $skip udp from any to 53 out via $pif setup keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
# for some reason this is the university's IMAP setting
$cmd 062 $skip tcp from any to any 993 out via $pif setup keep-state
# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
# allow out VPN
$cmd 140 $skip tcp from any to any 1723 out via $pif keep-state
#
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif	#RFC 191
Re: Silly IPFW question.
On Mon, 24 Sep 2007 17:47:31 -0400 "Grant Peel" <[EMAIL PROTECTED]> wrote:

> Hi Jeff,
>
> I have a client who wants access to mysql on port 3306, but none (4)
> of his computers have static IPs. So, to answer your question, he wants
> to access from several hops down the (internet) pipe.
>
> And I just DID find some talking about MAC address filtering in the
> IPFW docs. However, if I remember ethernet connections right, it
> would be the last MAC it came from ... and not the originating MAC.

Yes, assuming the hops are routers. He probably should be using an ssh tunnel.
Re: Silly IPFW question.
On Monday 24 September 2007 23:44:07 Chuck Swiger wrote:
> On Sep 24, 2007, at 2:33 PM, Grant Peel wrote:
> > Is there any way to make a rule in IPFW that will match MAC
> > addresses instead of IP or port numbers (and no, I didn't see
> > anything in the docs :-))
>
> Search "man ipfw" for MAC. Something like this will:
>
>	ipfw add 10 deny MAC any 10:20:30:40:50:60
>
> ...block any traffic from that ethernet address. Be aware of the
> net.link.ether.ipfw sysctl needed and advice in the section "PACKET
> FLOW".

Ok, been too long since I played with IPFW obviously.

--
Mel
Re: Silly IPFW question.
On Mon, 24 Sep 2007 17:33:05 -0400 "Grant Peel" <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> I am sorry if this is a no-brainer
>
> Is there any way to make a rule in IPFW that will match MAC addresses
> instead of IP or port numbers (and no, I didn't see anything in the
> docs :-))

man ipfw and search for MAC

Note that you need to set a sysctl for layer 2 - which is also covered in the man page.
Re: Silly IPFW question.
Hi Jeff,

I have a client who wants access to mysql on port 3306, but none (4) of his computers have static IPs. So, to answer your question, he wants to access from several hops down the (internet) pipe.

And I just DID find some talking about MAC address filtering in the IPFW docs. However, if I remember ethernet connections right, it would be the last MAC it came from ... and not the originating MAC.

Forgive me if I am wrong above, but I am not a 'level' 1, 2, or 3, guru! :-)

-Grant

- Original Message -
From: Jeff Mohler
To: Grant Peel
Cc: freebsd-questions@freebsd.org
Sent: Monday, September 24, 2007 5:34 PM
Subject: Re: Silly IPFW question.

Well..where is the mac you want to firewall from/against?

On 9/24/07, Grant Peel <[EMAIL PROTECTED]> wrote:

  Hi all,

  I am sorry if this is a no-brainer

  Is there any way to make a rule in IPFW that will match MAC addresses instead
  of IP or port numbers (and no, I didn't see anything in the docs :-))

  -Grant
Re: Silly IPFW question.
On Sep 24, 2007, at 2:33 PM, Grant Peel wrote:
> Is there any way to make a rule in IPFW that will match MAC addresses
> instead of IP or port numbers (and no, I didn't see anything in the
> docs :-))

Search "man ipfw" for MAC. Something like this will:

	ipfw add 10 deny MAC any 10:20:30:40:50:60

...block any traffic from that ethernet address. Be aware of the net.link.ether.ipfw sysctl needed and advice in the section "PACKET FLOW".

--
-Chuck
Re: Silly IPFW question.
On Monday 24 September 2007 23:33:05 Grant Peel wrote:
> Is there any way to make a rule in IPFW that will match MAC addresses
> instead of IP or port numbers (and no, I didn't see anything in the docs
> :-))

Generally no, since IP FW works on IP level, not ethernet. That said, I just read about this:
http://www.openbsd.org/faq/pf/tagging.html#ethernet

I don't see a brconfig on FreeBSD though and don't know if there's something similar ported.

--
Mel
Re: Silly IPFW question.
Well..where is the mac you want to firewall from/against?

On 9/24/07, Grant Peel <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I am sorry if this is a no-brainer
>
> Is there any way to make a rule in IPFW that will match MAC addresses
> instead of IP or port numbers (and no, I didn't see anything in the docs :-))
>
> -Grant
Silly IPFW question.
Hi all,

I am sorry if this is a no-brainer

Is there any way to make a rule in IPFW that will match MAC addresses instead of IP or port numbers (and no, I didn't see anything in the docs :-))

-Grant
Re: ipfw question (FreeBSD 4.11)
You are so the man! That's it. You have no idea how long I've spent looking for this.

Thanks again!

- Original Message -
From: "Andras Kende" <[EMAIL PROTECTED]>
To: "'Gerard Meijer'" <[EMAIL PROTECTED]>; <freebsd-questions@freebsd.org>
Sent: Monday, January 03, 2005 7:59 PM
Subject: RE: ipfw question (FreeBSD 4.11)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gerard Meijer
Sent: Monday, January 03, 2005 12:29 PM
To: freebsd-questions@freebsd.org
Subject: ipfw question (FreeBSD 4.11)

I run apache webserver on my server with FreeBSD 4.11
I have a question about ipfw. I have the following rules in my /etc/ipfw.conf:

$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state

(with $pif being my NIC)

Now, everything works fine for me, but I get a lot (and I mean a lot) of these kind of messages in my log:

[Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out via em0
[Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via em0

(with a.b.c.d being my ip and e.f.g.h being somebody else's ip).

I guess these people are not surfing through port 80??? Correct me if I'm wrong. How can I change ipfw's rules so that these people aren't blocked anymore?

Thanks in advance!

Hello,

I'm not 100% sure, but if I remember correctly you need to put "established" before the webserver rule:

# Allow TCP through if setup succeeded:
${fwcmd} add pass tcp from any to any established
# Allow setup of incoming http:
${fwcmd} add pass tcp from any to any 80 setup


[Cc][Ll][Ii][Ee][Nn][Tt])
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.

	# set these to your network and netmask and ip
	ip="aaa.bbb.ccc.ddd"
	setup_loopback

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming services
	${fwcmd} add pass tcp from any to ${ip} 21,22,25,53,80,110,143,443,993,1 setup

	# Allow setup of PASV FTP
	${fwcmd} add pass tcp from any to ${ip} 10001-10100 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass log tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny log tcp from any to any setup

	# Allow DNS queries
	${fwcmd} add pass udp from any to any 53
	${fwcmd} add pass udp from any 53 to any

	# Allow NTP
	${fwcmd} add pass udp from any to any 123

	#ICMP
	${fwcmd} add pass log icmp from any to any icmptypes 3,4,11,12

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

Best regards,
Andras Kende
http://www.kende.com
RE: ipfw question (FreeBSD 4.11)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gerard Meijer
Sent: Monday, January 03, 2005 12:29 PM
To: freebsd-questions@freebsd.org
Subject: ipfw question (FreeBSD 4.11)

I run apache webserver on my server with FreeBSD 4.11
I have a question about ipfw. I have the following rules in my /etc/ipfw.conf:

$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state

(with $pif being my NIC)

Now, everything works fine for me, but I get a lot (and I mean a lot) of these kind of messages in my log:

[Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out via em0
[Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via em0

(with a.b.c.d being my ip and e.f.g.h being somebody else's ip).

I guess these people are not surfing through port 80??? Correct me if I'm wrong. How can I change ipfw's rules so that these people aren't blocked anymore?

Thanks in advance!

Hello,

I'm not 100% sure, but if I remember correctly you need to put "established" before the webserver rule:

# Allow TCP through if setup succeeded:
${fwcmd} add pass tcp from any to any established
# Allow setup of incoming http:
${fwcmd} add pass tcp from any to any 80 setup


[Cc][Ll][Ii][Ee][Nn][Tt])
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.

	# set these to your network and netmask and ip
	ip="aaa.bbb.ccc.ddd"
	setup_loopback

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming services
	${fwcmd} add pass tcp from any to ${ip} 21,22,25,53,80,110,143,443,993,1 setup

	# Allow setup of PASV FTP
	${fwcmd} add pass tcp from any to ${ip} 10001-10100 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass log tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny log tcp from any to any setup

	# Allow DNS queries
	${fwcmd} add pass udp from any to any 53
	${fwcmd} add pass udp from any 53 to any

	# Allow NTP
	${fwcmd} add pass udp from any to any 123

	#ICMP
	${fwcmd} add pass log icmp from any to any icmptypes 3,4,11,12

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

Best regards,
Andras Kende
http://www.kende.com
ipfw question (FreeBSD 4.11)
I run apache webserver on my server with FreeBSD 4.11
I have a question about ipfw. I have the following rules in my /etc/ipfw.conf:

$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state

(with $pif being my NIC)

Now, everything works fine for me, but I get a lot (and I mean a lot) of these kind of messages in my log:

[Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out via em0
[Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via em0

(with a.b.c.d being my ip and e.f.g.h being somebody else's ip).

I guess these people are not surfing through port 80??? Correct me if I'm wrong. How can I change ipfw's rules so that these people aren't blocked anymore?

Thanks in advance!
Re: ipfw question
On 2004-09-20 22:43, adrian kok <[EMAIL PROTECTED]> wrote:
>
> 1/ Recently, my mrtg graph showed many spikes
> "Incoming" in outer interface of the router.
>
> Is it possible to log them and check?

It is. A better approach is to block everything that you don't really need and then start logging legitimate connections only if the problems with ``traffic spikes'' continue.

> If I log everything, I am afraid to slow down the
> network. What is the best way to do it?

Don't do it. It will truly slow down things a lot.

> 2/ I read some firewall docs. they said that it is
> good to allow 5% bandwidth for icmp only
> Is it true?

I don't know what docs you read about firewalls. The Handbook has a fairly good section on firewalls. Have you read that? If not, you should definitely give it a look.

For an early chance to read what the ``Firewalls'' section will soon be replaced with, you might also want to read this:

http://freebsd.so14k.com/firewall/firewalls.html

I'm working with a few other guys to get this into the Handbook as the new ``Firewalls'' section before 5.3-RELEASE, but if it does help you should definitely read it. Joseph J. Barbish has written a couple of excellent firewall tutorials and guides that I've read so far, and this one is really worth a careful read.

Just note that the text at the above URL is probably going to change a bit during the next couple of days, so be patient if you see changes going in :-)

> how can I do it?

See above.

Giorgos
ipfw question
Dear all

I have 2 questions

1/ Recently, my mrtg graph showed many spikes "Incoming" in outer interface of the router.

Is it possible to log them and check?

If I log everything, I am afraid to slow down the network. What is the best way to do it?

2/ I read some firewall docs. they said that it is good to allow 5% bandwidth for icmp only

Is it true? how can I do it?

Thank you
Re: ipfw question
Hi Reuben,

Sorry for taking so long to reply. My workstation at work which still runs Fedora Core RC3 and not a real OS, like FreeBSD, decided to throw away all outgoing email this morning. Here's a repost extracted from my =posted mailbox in Mutt [...]

On 2004-06-16 17:04, "Reuben A. Popp" <[EMAIL PROTECTED]> wrote:
> I believe that what I have is correct, and everything seems to be
> working well, with a few exceptions. For instance, ftp and ssh still
> don't seem to make it into the logs, although the mail, web and
> web-ssl do with no problems. Again, following this message is my
> revised ruleset.

Strange. All incoming they should be logged. Unless, of course, you mean ftp and ssh connections that *you* start to the outside world, in which case by reading the ruleset you will note that they are allowed unconditionally, without logging, by a rule higher up the chain:

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state

# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

Since this doesn't log anything, all connections that your machine starts towards another machine are passed through without logging. If you want to log specific connections, you should use something like this instead:

# Log ftp and ssh connections that we make.
ipfw add allow log tcp from any to any 21,22 out setup keep-state

# Let any other outgoing connections through, unlogged.
ipfw add allow tcp from any to any out setup keep-state

Note that you also have some rules that are useless in there. Trim your ruleset a bit ;-)

The general idea with stateful filtering is that you set up a few connections that are allowed to pass through and then let the packets related to those connections pass too, but *nothing* else. This is why the general form of a stateful firewall with IPFW should be:

<< rules that check states first >>
<< rules that selectively pass connections *and* create states >>
<< everything else blocked >>

This way only the packets related to one of the states will pass through. Any other packets that require special handling (for instance, ICMP packets) can be handled by other rules.

In your ruleset you have this:

# First of all state checking. This will allow through any packet
# that is marked as "legitimate" by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

which should work without problems, and then you have:

# Allow TCP through if setup succeeded
ipfw add pass tcp from any to any established

This rule will never match with anything, since packets that could possibly match are blocked by the 'established' rule right after check-state above. You can safely delete this rule.

Then you have this rule, that handles fragments in a special manner, which is not very useful.

# Allow IP fragments to pass through
ipfw add pass all from any to any frag

AFAIK, any fragment that is related to an existing connection should match with the check-state rule and will never reach this part of the ruleset. I think this can go too.

Finally, this rule is absolutely *not* good. You've gone through all the trouble to set up a stateful firewall so as NOT to be forced to allow any incoming TCP connection through. This single rule lets all the connections through, effectively cancelling all of your filtering rules :-(

# Allow setup of any other TCP connection
ipfw add pass tcp from any to any setup

You should definitely delete this one. IMHO, it's a good idea to replace it with a more strict rule like this:

# Block everything else.
ipfw add deny ip from any to any

If you're too worried that this might break applications or protocols that you're using now, try adding a "log" keyword to this last rule and watch your system logs for dropped packets that are useful and should have been allowed. Then add special rules just for those packets.

Regards,
- Giorgos
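The mistakes discussed in these threads are all visible in the text of a ruleset before it is loaded: the 'setup' keyword on the UDP rules 23-25 that Chuck and Ian point out in the Dumb IPFW thread above, and the unrestricted 'pass tcp from any to any established' / 'pass tcp from any to any setup' rules and check-state ordering Giorgos covers here. The linter below is an added example, not code from the list or from FreeBSD; it reads raw 'ipfw add ...' lines or handbook-style '$cmd NNN $skip ...' lines and runs on a constructed sample that repeats those mistakes.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipfw ruleset file for three
# mistakes discussed above, without loading it into a kernel.
#   1. "setup" on a non-TCP rule: setup tests TCP flags, so a udp/icmp/ip
#      rule carrying it can never match (the rules 23-25 problem).
#   2. "pass tcp from any to any established" or "... setup" with no other
#      restriction: lets every TCP packet or connection through ahead of
#      the selective, logged rules (the problem Giorgos points out).
#   3. A keep-state rule placed before the first check-state: dynamic
#      entries are only consulted when a check-state or keep-state rule is
#      reached, so a deny in between can drop reply packets; Giorgos's
#      recommended shape is check-state first, then selective keep-state
#      rules, then a final deny.
# Comments and rule numbers are ignored; shell variables such as $cmd,
# $skip and $pif are treated as literal tokens, so unexpanded scripts work.

lint_ipfw_rules() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                 # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim whitespace
        if (line == "") next
        n = split(tolower(line), f, /[ \t]+/)
        from = 0; has_setup = 0; has_keep = 0
        for (i = 1; i <= n; i++) {
            if (f[i] == "check-state") { seen_checkstate = 1; next }
            if (f[i] == "from" && from == 0) from = i
            if (f[i] == "setup") has_setup = 1
            if (f[i] == "keep-state") has_keep = 1
        }
        if (from < 3) next                   # not a filter rule we understand
        proto = f[from - 1]                  # token before "from" is the protocol
        act = f[from - 2]                    # token before that is the action
        if (act == "log" && from >= 4) act = f[from - 3]   # skip the log keyword
        rest = f[from]                       # everything from "from" onwards
        for (i = from + 1; i <= n; i++) rest = rest " " f[i]

        if (has_setup && proto != "tcp")
            printf("line %d: \"setup\" on %s rule can never match (setup tests TCP flags)\n", NR, proto)
        if ((act == "pass" || act == "allow" || act == "accept" || act == "permit") &&
            proto == "tcp" && rest ~ /^from any to any (established|setup)$/)
            printf("line %d: unrestricted \"pass tcp from any to any %s\" bypasses the stateful rules\n", NR, f[n])
        if (has_keep && !seen_checkstate)
            printf("line %d: keep-state rule precedes the first check-state rule\n", NR)
    }'
}

# Constructed sample: fragments of the rulesets quoted in these threads, with
# the mistakes left in so the linter has something to report.
lint_sample() {
    lint_ipfw_rules <<'EOF'
# constructed sample ruleset
ipfw add allow all from any to any via lo0
ipfw add allow udp from any to any 53,123 out keep-state
ipfw add check-state
ipfw add deny tcp from any to any established
$cmd 023 $skip udp from any to 53 out via $pif setup keep-state
$cmd 080 $skip icmp from any to any out via $pif keep-state
ipfw add allow tcp from any to any out setup keep-state
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state
ipfw add pass tcp from any to any established
ipfw add pass all from any to any frag
ipfw add pass tcp from any to any setup
ipfw add deny log tcp from any to any in via em0 setup
EOF
}

# To lint a real ruleset script: lint_ipfw_rules < /etc/ipfw.rules
lint_sample
```

On the sample this reports four findings: the UDP keep-state rule on line 3 ahead of check-state, the 'setup' on the UDP rule on line 6, and the two unrestricted pass rules on lines 10 and 12.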
Re: ipfw question
Hi Giorgos,

Thanks so much for the quick response on my question :). I more or less took your rules that you posted, and tacked on a few more. I believe that what I have is correct, and everything seems to be working well, with a few exceptions. For instance, ftp and ssh still don't seem to make it into the logs, although the mail, web and web-ssl do with no problems. Again, following this message is my revised ruleset.

Thanks again,
Reuben A. Popp

--->%--
#!/bin/sh -
#
# Setup system for firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush

# Setup Loopback
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add deny all from 10.0.0.0/8 to any via em0
ipfw add deny all from 172.16.0.0/12 to any via em0
ipfw add deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add deny all from 0.0.0.0/8 to any via em0
ipfw add deny all from 169.254.0.0/16 to any via em0
ipfw add deny all from 192.0.2.0/24 to any via em0
ipfw add deny all from 224.0.0.0/4 to any via em0
ipfw add deny all from 240.0.0.0/4 to any via em0

# Pass all ICMP messages through.
# Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
ipfw add allow icmp from any to any

# First of all state checking. This will allow through any packet
# that is marked as "legitimate" by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established

# Allow DNS or NTP sessions that originate from us.
ipfw add allow udp from any to any 53,123 out keep-state

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state

# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

# Allow TCP through if setup succeeded
ipfw add pass tcp from any to any established

# Allow IP fragments to pass through
ipfw add pass all from any to any frag

# Allow setup of any other TCP connection
ipfw add pass tcp from any to any setup

# Reject & Log all setup of incoming connections from the outside
ipfw add deny log tcp from any to any in via em0 setup
--%<---

Thanks again,
Reuben A. Popp

Giorgos Keramidas (Giorgos Keramidas <[EMAIL PROTECTED]>) translated a message on Wednesday 16 June 2004 12:35 am into a binary format and sent it out among the ether in the search of "Reuben A. Popp" <[EMAIL PROTECTED]>. Upon being retranslated into ascii, it was discovered that message read:

> On 2004-06-15 18:31, "Reuben A. Popp" <[EMAIL PROTECTED]> wrote:
> > I was tinkering around trying to get my firewall set the way I wanted
> > it, but seem to be running into an issue. I know that I have logging
> > set in the kernel and in rc.conf, as well as in my ruleset, but for
> > some odd reason, the firewall is not logging connections to the
> > services I wanted watched (ftp, ssh, web, etc).
>
> That's because your ruleset uses the following rule:
>
> # Allow TCP through if setup succeeded
> ipfw add 1200 pass tcp from any to any established
>
> before any of the other rules are reached. This lets every TCP packet
> through without logging and you never get a chance of picking out what
> to log or what to block :)
>
> A simplified version of your ruleset could be this one. Notice that
> I've removed all explicit rule numbers. IPFW does a pretty good job at
> automatically numbering the rules and you don't have too many rules for
> it to work. On the other hand, having hardcoded numbers means that you
> might miss some "reordering" of the rules and waste hours upon hours
> trying to find out why it doesn't work like it's supposed to. Not a
> good possibility... Anyway, here's a ruleset very similar to yours:
>
> #
> # Part 1. Semi-standard stuff copied from rc.firewall.
> #
>
> # Flush the existing ruleset
> echo "Flushing the existing ruleset, stand by..."
> ipfw -f flush
>
> # Only allow lo0 to send packets as 127.0.0.1
> ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
> ipfw add deny all from any to 127.0.0.0/8
> ipfw add deny
Re: ipfw question
On 2004-06-15 18:31, "Reuben A. Popp" <[EMAIL PROTECTED]> wrote:
> I was tinkering around trying to get my firewall set the way I wanted
> it, but seem to be running into an issue. I know that I have logging
> set in the kernel and in rc.conf, as well as in my ruleset, but for
> some odd reason, the firewall is not logging connections to the
> services I wanted watched (ftp, ssh, web, etc).

That's because your ruleset uses the following rule:

    # Allow TCP through if setup succeeded
    ipfw add 1200 pass tcp from any to any established

before any of the other rules are reached. This lets every TCP packet through without logging and you never get a chance of picking out what to log or what to block :)

A simplified version of your ruleset could be this one. Notice that I've removed all explicit rule numbers. IPFW does a pretty good job at automatically numbering the rules and you don't have too many rules for it to work. On the other hand, having hardcoded numbers means that you might miss some "reordering" of the rules and waste hours upon hours trying to find out why it doesn't work like it's supposed to. Not a good possibility... Anyway, here's a ruleset very similar to yours:

#
# Part 1. Semi-standard stuff copied from rc.firewall.
#

# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush

# Only allow lo0 to send packets as 127.0.0.1
ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add deny all from 10.0.0.0/8 to any via em0
ipfw add deny all from 172.16.0.0/12 to any via em0
ipfw add deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add deny all from 0.0.0.0/8 to any via em0
ipfw add deny all from 169.254.0.0/16 to any via em0
ipfw add deny all from 192.0.2.0/24 to any via em0
ipfw add deny all from 224.0.0.0/4 to any via em0
ipfw add deny all from 240.0.0.0/4 to any via em0

#
# Part 2. Local rules that allow and log selected TCP services.
#

# Pass all ICMP messages through.
# Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
ipfw add allow icmp from any to any

# First of all state checking. This will allow through any packet
# that is marked as "legitimate" by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established

# Allow DNS or NTP sessions that originate from us.
ipfw add allow udp from any to any 53,123 out keep-state

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state

# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

AFAIK, anything else can be blocked without stopping you from doing your real work.

- Giorgos

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
ipfw question
Good afternoon all,

I was tinkering around trying to get my firewall set the way I wanted it, but seem to be running into an issue. I know that I have logging set in the kernel and in rc.conf, as well as in my ruleset, but for some odd reason, the firewall is not logging connections to the services I wanted watched (ftp, ssh, web, etc). I'm enclosing a copy of my ruleset along with this message in case anyone has any ideas. Any help or suggestions would be greatly appreciated.

Thanks in advance,
Reuben A. Popp

My ruleset:

#!/bin/sh -
#
# Setup system for firewall service.
#
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi

# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush

# Setup Loopback
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add 400 deny all from 10.0.0.0/8 to any via em0
ipfw add 500 deny all from 172.16.0.0/12 to any via em0
ipfw add 600 deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add 700 deny all from 0.0.0.0/8 to any via em0
ipfw add 800 deny all from 169.254.0.0/16 to any via em0
ipfw add 900 deny all from 192.0.2.0/24 to any via em0
ipfw add 1000 deny all from 224.0.0.0/4 to any via em0
ipfw add 1100 deny all from 240.0.0.0/4 to any via em0

# Allow TCP through if setup succeeded
ipfw add 1200 pass tcp from any to any established

# Allow IP fragments to pass through
ipfw add 1300 pass all from any to any frag

ipfw add 1400 check-state
ipfw add 1401 deny tcp from any to any in established
ipfw add 1402 allow tcp from any to any out setup keep-state

# Allow DNS
ipfw add 1403 allow udp from xx.xx.xxx.xxx 53 to any in recv em0
ipfw add 1404 allow udp from xxx.xxx.x.x 53 to any in recv em0
ipfw add 1405 allow udp from xxx.xxx.x.x 53 to any in recv em0
ipfw add 1406 allow udp from any to any out

# Allow ftp and log it
ipfw add 1407 allow log tcp from any to xx.xx.xxx.xxx 20,21
ipfw add 1408 allow log udp from any to xx.xx.xxx.xxx 20,21

# Allow ssh and log it
ipfw add 1409 allow log tcp from any to xx.xx.xxx.xxx 22

# Allow mail and log it
ipfw add 1410 allow log tcp from any to xx.xx.xxx.xxx 25

# Allow www and log it
ipfw add 1411 allow log tcp from any to xx.xx.xxx.xxx 80 keep-state
ipfw add 1412 allow log tcp from any to xx.xx.xxx.xxx 443 keep-state
ipfw add 1413 allow log udp from any to xx.xx.xxx.xxx 443 keep-state

# Reject&Log all setup of incoming connections from the outside
ipfw add 1414 deny log tcp from any to any in via em0 setup

# Allow setup of any other TCP connection
ipfw add 1415 pass tcp from any to any setup

# Allow DNS queries out in the world
ipfw add 1416 pass udp from xx.xx.xxx.xxx to any 53 keep-state

# Allow NTP queries out in the world
ipfw add 1417 pass udp from xx.xx.xxx.xxx to any 123 keep-state
RE: ipfw: question about keep-state on icmp
I think if you read closely you will find out the keep-state option does not work on the ICMP protocol, because ICMP is a stateless protocol. This does not mean that ipfw will give a coding error if you code it. You have to have an ICMP stateless rule to allow it out and another to allow it in.

    allow icmp from me to any out via xl0
    allow icmp from any to me icmptype 0 in via xl0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Geert Hendrickx
Sent: Sunday, June 13, 2004 7:23 AM
To: [EMAIL PROTECTED]
Subject: ipfw: question about keep-state on icmp

Hi, this is a fragment of my ipfw-config which should allow me to ping others, but not allow others to ping me:

    00092 allow icmp from me to any keep-state
    65535 deny ip from any to any

Indeed, other hosts can't ping me... UNLESS I am pinging them at the same time! This is of course a result of keeping the state of icmp-traffic between these two hosts, and I can avoid this by changing it to:

    00091 deny icmp from any to me icmptype 8     <-- deny ping request to me
    00092 allow icmp from me to any keep-state

(icmptype 8 = ping request)

But then I don't see the use for keep-state in 00092 anymore... The following seems equally valid to me:

    00091 allow icmp from me to any
    00092 allow icmp from any to me icmptype 0    <-- allow ping reply to me

So what am I missing? And are errors as in the first example also possible with tcp-connections, e.g. ssh?

GH
ipfw: question about keep-state on icmp
Hi, this is a fragment of my ipfw-config which should allow me to ping others, but not allow others to ping me:

    00092 allow icmp from me to any keep-state
    65535 deny ip from any to any

Indeed, other hosts can't ping me... UNLESS I am pinging them at the same time! This is of course a result of keeping the state of icmp-traffic between these two hosts, and I can avoid this by changing it to:

    00091 deny icmp from any to me icmptype 8     <-- deny ping request to me
    00092 allow icmp from me to any keep-state

(icmptype 8 = ping request)

But then I don't see the use for keep-state in 00092 anymore... The following seems equally valid to me:

    00091 allow icmp from me to any
    00092 allow icmp from any to me icmptype 0    <-- allow ping reply to me

So what am I missing? And are errors as in the first example also possible with tcp-connections, e.g. ssh?

GH
Re: ipfw question...
At 12:40 3/19/2004, [EMAIL PROTECTED], wrote:
> If you would like I can post my IPFW rules. They are extremely simple for my SSH, POP3,
> SMTP, NTP, IMAP, BIND8 setup...

Please do! Could you also include plain English comments as well? There are a number of people that find these rules confusing. Some well documented descriptions would be very helpful.

Thanks!

Start Here to Find It Fast! -> http://www.US-Webmasters.com/best-start-page/
Re: ipfw question...
> Hi list, I've this network configuration:
>
> router (169.158.120.177)
> server1 (169.158.120.178) running bind (named), tacacs+, exim, and a pop3 server
> server2 (169.158.120.179) running squid, apache2, mysql, proftpd (is acting as a GATEWAY)
>
> I've a LAN (192.168.1.0/24) and a breaking apart "LAN" (192.168.2.0/8, 192.168.2.8/8,
> 192.168.2.16/8), my question is: I want to protect my LAN, "LAN" and servers from the
> outside, I want to use ipfw, I have compiled a kernel in server2 (FreeBSD-4.8 on both
> servers) and I'm blocked (in & out), I've some doubts about adding rules 'cause I've been
> seeing so many samples on the net and I'm a little bit confused... any suggestion about
> configuration???

One thing that I learned was to make sure when you start opening ports (i.e. you have DENY ALL as default) that you start with the lowest port number. I for the life of me could not get SMTP working, so I moved it from the bottom of my IPFW rules to the top, and voilà, it worked.

If you would like I can post my IPFW rules. They are extremely simple for my SSH, POP3, SMTP, NTP, IMAP, BIND8 setup...
ipfw question...
Hi list, I've this network configuration:

router (169.158.120.177)
server1 (169.158.120.178) running bind (named), tacacs+, exim, and a pop3 server
server2 (169.158.120.179) running squid, apache2, mysql, proftpd (is acting as a GATEWAY)

I've a LAN (192.168.1.0/24) and a breaking apart "LAN" (192.168.2.0/8, 192.168.2.8/8, 192.168.2.16/8), my question is: I want to protect my LAN, "LAN" and servers from the outside, I want to use ipfw, I have compiled a kernel in server2 (FreeBSD-4.8 on both servers) and I'm blocked (in & out), I've some doubts about adding rules 'cause I've been seeing so many samples on the net and I'm a little bit confused... any suggestion about configuration???
Re: IPFW question
Thanks for all, it has been a great help.

MikeM wrote:

Since I reload the firewall rules remotely, I need the -q option on the ipfw command, e.g.:

    ipfw -q /etc/ipfw.conf

otherwise I lose my ssh connection to the box. See man ipfw(8) for details on -q

On 3/10/2004 at 8:27 PM Thomas Vogt wrote:
|Hi
|
|ipfw flush           # deletes all
|ipfw /etc/ipfw.conf  # loads all
|
|regards
|Thomas
|
|Nagy László Zsolt wrote:
|>
|> Hi!
|>
|> I'm using my own ip firewall (firewall_type="/etc/ipfw.conf") on my
|> FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The
|> ipfw command is for creating and deleting individual rules. What I would
|> like to do is to create profiles (different config files) and reload the
|> whole firewall configuration anytime. Is there a command for this? What
|> I do now is that I reboot my box every time I change firewall
|> configuration. But of course this is clumsy and very bad. I may start
|> services on the server which will not allow me to reboot daily. Thanks
|> in advance.
|>
|> Laci 2.0
Re: IPFW question
Since I reload the firewall rules remotely, I need the -q option on the ipfw command, e.g.:

    ipfw -q /etc/ipfw.conf

otherwise I lose my ssh connection to the box. See man ipfw(8) for details on -q

On 3/10/2004 at 8:27 PM Thomas Vogt wrote:
|Hi
|
|ipfw flush           # deletes all
|ipfw /etc/ipfw.conf  # loads all
|
|regards
|Thomas
|
|Nagy László Zsolt wrote:
|>
|> Hi!
|>
|> I'm using my own ip firewall (firewall_type="/etc/ipfw.conf") on my
|> FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The
|> ipfw command is for creating and deleting individual rules. What I would
|> like to do is to create profiles (different config files) and reload the
|> whole firewall configuration anytime. Is there a command for this? What
|> I do now is that I reboot my box every time I change firewall
|> configuration. But of course this is clumsy and very bad. I may start
|> services on the server which will not allow me to reboot daily. Thanks
|> in advance.
|>
|> Laci 2.0
Re: IPFW question
On Wed, Mar 10, 2004 at 07:52:06PM +0100, Nagy László Zsolt wrote:
> FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The

    /sbin/ipfw -q /path/to/your/custom/rulesetfile

No RTFM intended - there are further options, please have a look at the ipfw(8) man page.

Regards,
Martin

-- 
,,Oh, there's a lot of opportunities, if you're knowing to take them, you know, there's a lot of opportunities, if there aren't you can make them, make or break them!'' (Tennant/Lowe)
Re: IPFW question
Hi

    ipfw flush           # deletes all
    ipfw /etc/ipfw.conf  # loads all

regards
Thomas

Nagy László Zsolt wrote:

Hi!

I'm using my own ip firewall (firewall_type="/etc/ipfw.conf") on my FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The ipfw command is for creating and deleting individual rules. What I would like to do is to create profiles (different config files) and reload the whole firewall configuration anytime. Is there a command for this? What I do now is that I reboot my box every time I change firewall configuration. But of course this is clumsy and very bad. I may start services on the server which will not allow me to reboot daily. Thanks in advance.

Laci 2.0
Re: IPFW question
On Mar 10, 2004, at 1:52 PM, Nagy László Zsolt wrote:
> I'm using my own ip firewall (firewall_type="/etc/ipfw.conf") on my
> FreeBSD 5.2 system. My problem is, how can I reload the whole thing?

Try "sh /etc/rc.firewall", or "ipfw -p /bin/cat /etc/ipfw.conf".

If you are not on the console of the machine, it might be advisable to use nohup or an & to background the command while running

-- 
-Chuck
IPFW question
Hi!

I'm using my own ip firewall (firewall_type="/etc/ipfw.conf") on my FreeBSD 5.2 system. My problem is, how can I reload the whole thing? The ipfw command is for creating and deleting individual rules. What I would like to do is to create profiles (different config files) and reload the whole firewall configuration anytime. Is there a command for this? What I do now is that I reboot my box every time I change firewall configuration. But of course this is clumsy and very bad. I may start services on the server which will not allow me to reboot daily. Thanks in advance.

Laci 2.0
Re: ipfw question - ICMP
On Tue, Mar 02, 2004 at 10:39:42PM +0100, C. Kukulies wrote:
> I have set up my FreeBSD box with ADSL (pppoe) and ipfw (rc.firewall with
> type 'simple').
>
> I have fine-tuned to allow ssh from certain addresses outside, sendmail works,
> but I cannot ping either from inside or from outside.
>
> What does the rule for ICMP look like?

Something like:

    ipfw add allow icmp from any to any

or

    ipfw add allow icmp from any to any icmptype 0,3,8,11,12

Cheers.

-- 
Jonathan Chen <[EMAIL PROTECTED]>
"Nyuck, nyuck, nyuck" - Curly
ipfw question - ICMP
I have set up my FreeBSD box with ADSL (pppoe) and ipfw (rc.firewall with type 'simple').

I have fine-tuned to allow ssh from certain addresses outside, sendmail works, but I cannot ping either from inside or from outside.

What does the rule for ICMP look like?

-- 
Chris Christoph P. U. Kukulies kuku_at_physik.rwth-aachen.de
Re: ipfw question
On Tue, 11 Nov 2003 12:00:10 - "Simon Gray" <[EMAIL PROTECTED]> probably wrote:
> >63000 0 0 deny log logamount 100 udp from any to any 119 via sis0
> >63000 24 1152 deny log logamount 100 tcp from any to any 135 via sis0
> >63000 0 0 deny log logamount 100 udp from any to any 135 via sis0
>
> >63000 is the rule number correct?
> >I'm wondering what the other 2 places are..
> >24 and 1152
> if you're getting 0 on the other rules, it probably means it's not running
> those rules.
> So therefore it won't actually log if it isn't getting to that rule.
>
> also from the looks of things, if you're trying to block windows
> filesharing/smb you might want to block 135 - 139 both tcp/udp (instead of
> specifying 135 in the rule add '135-139') rather than just 135 tcp/udp
>
> >Are they inbound and outbound?
> well depends (could be both yes), anything that's aimed at tcp 135 will be
> denied and logged

These are counts in packets and bytes.

> >Do I make any sense?
> Not really :/ what's the question?

-- 
DoubleF
BLISS is ignorance
Re: ipfw question
Shawn Guillemette wrote:
> Looking at ipfw show
>
> 63000 0 0 deny log logamount 100 udp from any to any 119 via sis0
> 63000 24 1152 deny log logamount 100 tcp from any to any 135 via sis0
> 63000 0 0 deny log logamount 100 udp from any to any 135 via sis0
>
> 63000 is the rule number correct?

Yes it is; but I'm not sure how ipfw reacts when you have 3 rules that all have the same number ... I'd test it thoroughly at the very least.

> I'm wondering what the other 2 places are..
> 24 and 1152

IIRC (and maybe I don't) that is the number of packets received that match this rule (24) and the total size of those packets (in Bytes??)

> Are they inbound and outbound?

No.

> Do I make any sense?

Some ;-)

> There is no place like 127.0.0.1

Don't you mean "There's no place like '~'"???

Kevin Kinsey
DaleCo, S.P.
Re: ipfw question
thank you.. I'm really only blocking 135 due to the MSBlaster and others... no Samba yet

----- Original Message -----
From: "Simon Gray" <[EMAIL PROTECTED]>
To: "Shawn Guillemette" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, November 11, 2003 7:00 AM
Subject: Re: ipfw question

> >63000 0 0 deny log logamount 100 udp from any to any 119 via sis0
> >63000 24 1152 deny log logamount 100 tcp from any to any 135 via sis0
> >63000 0 0 deny log logamount 100 udp from any to any 135 via sis0
>
> >63000 is the rule number correct?
> >I'm wondering what the other 2 places are..
> >24 and 1152
> if you're getting 0 on the other rules, it probably means it's not running
> those rules.
> So therefore it won't actually log if it isn't getting to that rule.
>
> also from the looks of things, if you're trying to block windows
> filesharing/smb you might want to block 135 - 139 both tcp/udp (instead of
> specifying 135 in the rule add '135-139') rather than just 135 tcp/udp
>
> >Are they inbound and outbound?
> well depends (could be both yes), anything that's aimed at tcp 135 will be
> denied and logged
>
> >Do I make any sense?
> Not really :/ what's the question?
Re: ipfw question
>63000 0 0 deny log logamount 100 udp from any to any 119 via sis0
>63000 24 1152 deny log logamount 100 tcp from any to any 135 via sis0
>63000 0 0 deny log logamount 100 udp from any to any 135 via sis0

>63000 is the rule number correct?
>I'm wondering what the other 2 places are..
>24 and 1152

if you're getting 0 on the other rules, it probably means it's not running those rules. So therefore it won't actually log if it isn't getting to that rule.

also from the looks of things, if you're trying to block windows filesharing/smb you might want to block 135 - 139 both tcp/udp (instead of specifying 135 in the rule add '135-139') rather than just 135 tcp/udp

>Are they inbound and outbound?

well depends (could be both yes), anything that's aimed at tcp 135 will be denied and logged

>Do I make any sense?

Not really :/ what's the question?
ipfw question
Looking at ipfw show

63000 0 0 deny log logamount 100 udp from any to any 119 via sis0
63000 24 1152 deny log logamount 100 tcp from any to any 135 via sis0
63000 0 0 deny log logamount 100 udp from any to any 135 via sis0

63000 is the rule number correct?
I'm wondering what the other 2 places are..
24 and 1152
Are they inbound and outbound?
Do I make any sense?

There is no place like 127.0.0.1
Re: ipfw question
On Fri, Mar 28, 2003 at 10:34:16AM -0500, Walter wrote:
> Date: Fri, 28 Mar 2003 10:34:16 -0500
> From: Walter <[EMAIL PROTECTED]>
> To: Questions <[EMAIL PROTECTED]>
> Subject: ipfw question
>
> Hi all,
> I see a strange entry in my mail log from the ipfw log output. I don't
> really have a firm grasp on ipfw yet and need help understanding how this
> log entry came about (17 times), below:
>
> > ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0
>
> The output of "ipfw list" starts as:
>
> 00100 allow ip from any to any via lo0
> 00200 deny log logamount 100 ip from any to 127.0.0.0/8
> 00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
> 00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
> 00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
> 00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
> 00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
> 00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
> 00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
> 01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
> 01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
> 01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
> 01300 divert 8668 ip from any to any via fxp0
> 01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
> 01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
> 01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
> 01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
> 01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
> 01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
> 02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
> 02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
>
> My question is how come rule 00700 did not kick out the prober, rather
> falling to rule 01700?? I realize the log amounts are limited, but how did
> rule 01700 get activated when rule 00700, seems to me, should have knocked
> out the packet?

Because the original packet was from 0.0.0.0 to YOUR_PUBLIC_IP and natd (rule 1300) rewrites the destination address YOUR_PUBLIC_IP with your private IP address. You should have to find who sends this kind of packet from your net to the outside world, because they are not very regular.

> Is this evidence of someone having broken into my FBSD router, as there
> are no other entries I've seen to other possible internal IP's, or was
> someone just lucky?
>
> Thanks.
> Walter

-- 
Regards,
Dancho Penev
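Two behaviours in these threads follow from the same mechanics, ipfw's first-match walk with dynamic rules and a divert hook: GH's observation above that "allow icmp from me to any keep-state" lets a remote host's pings in while he is pinging that host, and Walter's question here of why rule 1700 rather than 700 caught the 0.0.0.0 packet. The model below is an added example written for this page, not code from any poster or from FreeBSD; the addresses, the subset of rule syntax it parses, and the way divert rewrites the destination (standing in for natd) are constructed assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "198.51.100.7"   # constructed stand-in for YOUR_PUBLIC_IP and ipfw's "me"
INSIDE_IP = "192.168.1.10"   # constructed inside host that natd translates to
OTHER_IP = "203.0.113.5"     # constructed remote host

# Rule subset modelled: NUM action [natd-port] [log [logamount N]] proto
# from SRC to DST [icmptype T,..] [in|out] [keep-state]. Interface clauses
# (via/recv) are left out of the sample rulesets below.
RULE = re.compile(r"(\d+) (\S+)(?: \d+)?(?: log(?: logamount \d+)?)? (\S+) from (\S+)"
                  r" to (\S+)(?: icmptype ([\d,]+))?(?: (in|out))?( keep-state)?$")

@dataclass
class Pkt:
    proto: str
    src: str
    dst: str
    direction: str = "in"
    icmptype: int = -1       # -1: not an ICMP packet

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        num, action, proto, src, dst, types, dirn, keep = RULE.match(line).groups()
        rules.append({"num": int(num), "action": action, "proto": proto, "src": src,
                      "dst": dst, "dir": dirn, "keep": keep is not None,
                      "icmptype": None if types is None else {int(x) for x in types.split(",")}})
    return rules

def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == PUBLIC_IP
    return ip_address(addr) in ip_network(spec, strict=False)

def flow(p):
    """Key of a dynamic rule: protocol and the two endpoints, nothing else."""
    return (p.proto, frozenset((p.src, p.dst)))

class Firewall:
    def __init__(self, text):
        self.rules = parse(text)
        self.dyn = set()   # dynamic rules created by keep-state

    def check(self, p):
        """First-match walk; returns (deciding rule number, action). The dynamic
        table is probed at the first keep-state rule, before that rule's own body
        is tested. divert stands in for natd: an inbound packet to PUBLIC_IP gets
        INSIDE_IP as destination and the walk continues with the rewritten packet."""
        probed = False
        for r in self.rules:
            if r["keep"] and not probed:
                probed = True
                if flow(p) in self.dyn:
                    return r["num"], "allow"
            if not (r["proto"] in ("ip", p.proto) and r["dir"] in (None, p.direction)
                    and addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
                    and (r["icmptype"] is None or p.icmptype in r["icmptype"])):
                continue
            if r["action"] == "divert":
                if p.direction == "in" and p.dst == PUBLIC_IP:
                    p.dst = INSIDE_IP
                continue
            if r["keep"]:
                self.dyn.add(flow(p))
            return r["num"], r["action"]
        return 65535, "deny"   # ipfw's implicit default rule

ICMP_KEEP_STATE = """
00092 allow icmp from me to any keep-state
65535 deny ip from any to any
"""
ICMP_STATELESS = """
00091 allow icmp from me to any
00092 allow icmp from any to me icmptype 0
"""
NATD_RULES = """
00700 deny log logamount 100 ip from any to 192.168.0.0/16
01300 divert 8668 ip from any to any
01700 deny log logamount 100 ip from 0.0.0.0/8 to any
"""

def icmp_demo(ruleset):
    """Echo request from OTHER_IP before and while we ping it, then an echo reply."""
    fw = Firewall(ruleset)
    before = fw.check(Pkt("icmp", OTHER_IP, PUBLIC_IP, "in", 8))[1]
    fw.check(Pkt("icmp", PUBLIC_IP, OTHER_IP, "out", 8))   # our own outbound ping
    during = fw.check(Pkt("icmp", OTHER_IP, PUBLIC_IP, "in", 8))[1]
    reply = fw.check(Pkt("icmp", OTHER_IP, PUBLIC_IP, "in", 0))[1]
    return before, during, reply

def natd_demo():
    """The logged packet: 0.0.0.0 to the public address, arriving on the outside."""
    fw = Firewall(NATD_RULES)
    p = Pkt("tcp", "0.0.0.0", PUBLIC_IP, "in")
    num, action = fw.check(p)
    return num, action, p.dst   # rule 700 saw the pre-NAT destination, so 1700 fires
```

With the keep-state ruleset icmp_demo returns ('deny', 'allow', 'allow'): the dynamic entry is keyed only on protocol and endpoints, so once we ping OTHER_IP its echo requests ride the same entry; the stateless ruleset returns ('deny', 'deny', 'allow').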
ipfw question
Hi all,

I see a strange entry in my mail log from the ipfw log output. I don't really have a firm grasp on ipfw yet and need help understanding how this log entry came about (17 times), below:

> ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0

The output of "ipfw list" starts as:

00100 allow ip from any to any via lo0
00200 deny log logamount 100 ip from any to 127.0.0.0/8
00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
01300 divert 8668 ip from any to any via fxp0
01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0

My question is how come rule 00700 did not kick out the prober, rather falling to rule 01700?? I realize the log amounts are limited, but how did rule 01700 get activated when rule 00700, seems to me, should have knocked out the packet?

Is this evidence of someone having broken into my FBSD router, as there are no other entries I've seen to other possible internal IP's, or was someone just lucky?

Thanks.
Walter
Re: IPFW question in 2.2.8 release?
>IPFW question in 2.2.8 release?

Ouch! Dummynet was very new and probably best classed as "experimental" in 2.2.8, and even in most of the 3.x line it was a bit flaky. I'm not surprised you are having trouble with it and I'm also not surprised Luigi is unwilling or unable to debug obsolete code. 2.2.8 was EOL'd ages ago and you will be unlikely to get any help from anyone without upgrading to a recent 4.x version.

Greg.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
IPFW question in 2.2.8 release?
Hi, I'm sorry to bother you all, but I have the following questions. I'm using FreeBSD 2.2.8 with a custom gated daemon that supports QoSR. I was told to do some tests with ipfw using the dummynet "extension". All goes well, but after 5 or 6 minutes of test I think IPFW fails. If I do ipfw -a l I get this result:

  00100 482 31538 pipe 1 tcp from any to any
  00100 482 0 pipe 2 tcp from any to any
  00100 84236 123463858 pipe 3 tcp from any to any
  00100 83898 123450062 pipe 4 tcp from any
  00100 794 31538 deny ip from any to any

My guess is the firewall queues are full and it stops forwarding packets? I cannot upgrade the FreeBSD version on any of the machines :( Can someone give me some hint on how to resolve this? I requested some help from Luigi Rizio but I still haven't received a reply... This was the message I sent him (with a more elaborated question, but still the same problem):

I'm testing a QoS Routing prototype that we have implemented in Gated. I'm running five-minute tests; every five experiences of five minutes, I change parameters in our changed gated. Without ipfw I've reached a pretty good solution. But my problem is when I use ipfw to simulate WAN effects such as delay, bandwidth, loss, etc... Until this point I'm solving the problem with the following sequence of events in my dummynet routers: stop gated; clear all in ipfw (including the pipes); construct the ipfw pipes, and then start gated again. My problem is that after 10 minutes of testing the queues get too full in ipfw and I stop communication between dummynet routers and my normal routers (that's what I think is happening).

Rx - means router x
DRy - means dummynet router y

On R1 and R5 I have 4 endpoints attached, each through a switch, which I use to generate and receive the traffic for further study.

                      R2 - - - - DR1
                    /               \
  4 Endp's - - - R1 - - R3 - - - - DR2 - - R5 - - - - - 4 Endp's
                    \               /
                      R4 - - - - DR3

I'm using the ipfw that comes with FreeBSD 2.2.8; hosts are:

  DR1 - Intel Celeron 333, 128 MB, FreeBSD 2.2.8, original gated 3.5.11
  DR2 - Intel Celeron 333, 128 MB, FreeBSD 2.2.8, original gated 3.5.11
  DR3 - Intel Celeron 333, 128 MB, FreeBSD 2.2.8, original gated 3.5.11
  R1 - Intel Celeron 466, 128 MB, FreeBSD 2.2.8, changed gated 3.5.11
  R2 - Intel Celeron 466, 128 MB, FreeBSD 2.2.8, changed gated 3.5.11
  R3 - Intel Celeron 466, 128 MB, FreeBSD 2.2.8, changed gated 3.5.11
  R4 - Intel Celeron 466, 128 MB, FreeBSD 2.2.8, changed gated 3.5.11
  R5 - Intel Celeron 466, 128 MB, FreeBSD 2.2.8, changed gated 3.5.11

ipfw rules are simple:

  ipfw add pipe 1 ip from any to any via xl0
  ipfw add pipe 2 ip from any to any
  ipfw pipe 1 config delay 30ms
  ipfw pipe 2 config delay 0ms

where the xl0 connection is between (DR1<->R5, DR2<->R5, DR3<->R5). This is an example output of ipfw show, after the "failure":

  00100 320097 475909018 pipe 1 ip from any to any via xl0
  00200 319874 475892138 pipe 2 ip from any to any
  65535 230 16756 deny ip from any to any

I'm saying that the problem is in ipfw, because I'm figuring that it's not working as it's supposed to :( I'm trying to say that after a while it stops bridging packets from one interface to the other, or that it doesn't forward the packets after some amount of traffic going by. I think I'm using all the modules that I need; I read your documentation carefully and more than once, although I think that the documentation you have online is for a more recent FreeBSD version (the option bridged only works in FreeBSD 4.0 or higher). Any help will be great, and once again sorry to bother you :(

P.S. I'm generating traffic with the NetIQ tool Chariot. I have tools for checking the traffic in routers R1, R3, R4 and R5. I see traffic arriving/leaving on R1, R3, R4 but it doesn't reach R5.
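An added example, not part of the post and not the poster's script: a dummynet WAN-emulation ruleset for the topology above, written in the rc.firewall style. It assumes the ipfw(8) syntax of FreeBSD 4.x and later (bw, plr and queue on a pipe, -f flush), which the 2.2.8 dummynet in the post may not accept; the interface name xl0 and the 30ms delay are from the post, while the bandwidth, loss rate and queue sizes are made-up values. It only prints the rules unless IPFW points at the real binary.

```shell
#!/bin/sh
# Added example (not the poster's script): build a dummynet WAN-emulation
# ruleset for the post's topology. Assumes the ipfw(8) syntax of FreeBSD 4.x
# and later; the 2.2.8 dummynet in the post predates some of these keywords
# (bw, plr, queue), so treat them as assumptions.
# Set IPFW=/sbin/ipfw to apply for real; the default only prints the rules.

IPFW=${IPFW:-echo}

# Emit one pipe definition with an explicit queue size. dummynet drops
# packets once a pipe's queue is full, so bound it deliberately rather than
# relying on the default.
#   $1 pipe number, $2 delay, $3 bandwidth, $4 packet loss rate, $5 queue slots
pipe_config() {
    $IPFW pipe "$1" config delay "$2" bw "$3" plr "$4" queue "$5"
}

# Build the full ruleset: flush rules and pipes, define pipes, then steer
# traffic into them. Only the WAN-facing interface gets the delayed pipe;
# everything else goes through a pass-through pipe, as in the post.
#   $1 WAN interface (xl0 in the post)
wan_emulation_rules() {
    wan_if=$1
    $IPFW -f flush
    $IPFW pipe flush
    pipe_config 1 30ms 2Mbit/s 0.001 50     # emulated WAN link (values assumed)
    pipe_config 2 0ms 100Mbit/s 0 100       # pass-through, no shaping
    $IPFW add 100 pipe 1 ip from any to any via "$wan_if"
    $IPFW add 200 pipe 2 ip from any to any
}

# Count the "add" rules a dry run would install: a cheap sanity check before
# pointing IPFW at the real binary.
count_add_rules() {
    ( IPFW=echo; wan_emulation_rules "$1" ) | grep -c '^add '
}

wan_emulation_rules "${1:-xl0}"
```

The point of sizing queue explicitly is that dummynet drops, rather than stalls, when a pipe's queue is full, so a full queue shows up as loss you can count; nothing here works around a kernel-side problem in an end-of-life release, which is Greg's point above.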
Re: "simple" ipfw question
> > Greetings,
> >
> > I am attempting to build a dual-homed firewall using FreeBSD 4.7
> > RELEASE. The PC is presently connected to a corporate LAN with DHCP and
> > DNS servers and a broadband connection to the Internet.
> >
> > The outside interface (rl0) is configured as follows:
> > IP address: a.b.148.62 (dynamically assigned)
> > Subnet: 255.255.248.0
> > Gateway: a.b.144.254
> > DNS: a.b.144.1
> >
> > The inside interface (rl1) is configured as follows:
> > IP address: 192.168.1.1
> > Subnet: 255.255.255.0
> >
> > My private network consists of one workstation which is set up as
> > follows:
> > IP address: 192.168.1.2
> > Subnet: 255.255.255.0
> > Gateway: 192.168.168.1
> > DNS: a.b.144.1
> >
> > When I use the "open" ruleset in /etc/rc.firewall, the workstation on my
> > private network can get through the firewall to the LAN and the
> > Internet. When I switch to the "simple" ruleset, the firewall stops
> > forwarding packets. From the console, I can ping the outside and inside
> > interfaces, but nothing else. Everything looks normal in dmesg.
> > Additional info upon request!
>
> Did you tweak the /etc/rc.firewall script to insert your IP address ranges
> into it? (look for the "simple" section of the script and tweak the iif,
> iip, oif, oip, etc ... values)
> If that doesn't help, try posting the output of 'ipfw show' to the list.
> It'll make it a lot easier for folks to diagnose.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com

Hope this helps:

/etc/rc.firewall: [simple section]

  oif="rl0"
  onet="a.b.144.0"
  omask="255.255.248.0"
  oip="a.b.148.62"
  iif="rl1"
  inet="192.168.1.0"
  imask="255.255.255.0"
  iip="192.168.1.1"

/etc/rc.conf:

  gateway_enable="YES"
  hostname="(hostname.domain)"
  ifconfig_rl0="DHCP"
  kern_securelevel="2"
  kern_securelevel_enable="YES"
  moused_enable="YES"
  nfs_server_enable="NO"
  saver="green"
  sendmail_enable="NO"
  sshd_enable="NO"
  ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
  firewall_enable="YES"
  firewall_type="simple"
  natd_enable="YES"
  natd_interface="rl0"
  defaultrouter="a.b.144.254"
  natd_flags="-dynamic"

Compiled kernel with these options:

  options IPDIVERT
  options IPFIREWALL
  options IPFIREWALL_VERBOSE
  options IPFIREWALL_VERBOSE_LIMIT=10

ipfw show:

  00100 0 0 allow ip from any to any via lo0
  00200 0 0 deny ip from any to 127.0.0.0/8
  00300 0 0 deny ip from 127.0.0.0/8 to any
  00400 0 0 deny ip from 192.168.1.0/24 to any in recv rl0
  00500 0 0 deny ip from a.b.144.0/21 to any in recv rl1
  00600 0 0 deny ip from any to 10.0.0.0/8 via rl0
  00700 0 0 deny ip from any to 172.16.0.0/12 via rl0
  00800 0 0 deny ip from any to 192.168.0.0/16 via rl0
  00900 0 0 deny ip from any to 0.0.0.0/8 via rl0
  01000 0 0 deny ip from any to 169.254.0.0/16 via rl0
  01100 0 0 deny ip from any to 192.0.2.0/24 via rl0
  01200 0 0 deny ip from any to 224.0.0.0/4 via rl0
  01300 9 773 deny ip from any to 240.0.0.0/24 via rl0
  01400 73 9535 divert 8668 ip from any to any via rl0
  01500 0 0 deny ip from 10.0.0.0/8 to any via rl0
  01600 0 0 deny ip from 172.16.0.0/12 to any via rl0
  01700 0 0 deny ip from 192.168.0.0/16 to any via rl0
  01800 0 0 deny ip from 0.0.0.0/8 to any via rl0
  01900 0 0 deny ip from 169.254.0.0/16 to any via rl0
  02000 0 0 deny ip from 192.0.2.0/24 to any via rl0
  02100 0 0 deny ip from 224.0.0.0/4 to any via rl0
  02200 0 0 deny ip from 240.0.0.0/4 to any via rl0
  02300 0 0 allow tcp from any to any established
  02400 0 0 allow ip from any to any frag
  02500 0 0 allow tcp from any to a.b.148.62 25 setup
  02600 0 0 allow tcp from any to a.b.148.62 53 setup
  02700 0 0 allow udp from any to a.b.148.62 53
  02800 0 0 allow udp from a.b.148.62 53 to any
  02900 0 0 allow tcp from any to a.b.148.62 80 setup
  03000 0 0 deny log logamount 10 tcp from any to any in recv rl0 setup
  03100 0 0 allow tcp from any to any setup
  03200 26 1912 allow udp from a.b.148.62 to any 53 keep-state
  03300 0 0 allow udp from a.b.148.62 to any 123 keep-state
  65535 58 9215 deny ip from any to any

The counts for rules 1300, 1400, 3200 and 65535 keep incrementing. All other rules are goose eggs.

BTW, I run 'ifconfig rl0' occasionally to make sure my dynamic IP address has not changed.
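An added example (not from the thread): a small sh/awk triage script for the ipfw show output posted above. The listing embedded in it is a constructed sample made from a handful of the posted lines, with the packet and byte counters separated as ipfw prints them. It reports which rules have matched traffic, which deny rules among them fired, and how many packets the catch-all rule 65535 has dropped.

```shell
#!/bin/sh
# Added example (not from the thread): triage an `ipfw show` listing.
# Usage: sh thisscript saved-listing.txt   (or with no argument, the sample)

# Constructed sample modelled on the listing in the post (fields are
# rule number, packets, bytes, then the rule body; most rules had zero hits).
SAMPLE='00100 0 0 allow ip from any to any via lo0
01300 9 773 deny ip from any to 240.0.0.0/24 via rl0
01400 73 9535 divert 8668 ip from any to any via rl0
02300 0 0 allow tcp from any to any established
03200 26 1912 allow udp from a.b.148.62 to any 53 keep-state
65535 58 9215 deny ip from any to any'

# Print "rulenum action" for every rule whose packet counter is non-zero.
hit_rules() {
    awk '$2 > 0 { print $1, $4 }'
}

# Print only the numbers of deny rules that matched; when "nothing gets
# through", these are the rules to read first.
denies_that_fired() {
    awk '$2 > 0 && $4 == "deny" { print $1 }'
}

# Packets dropped by rule 65535, the kernel's built-in default (deny unless
# IPFIREWALL_DEFAULT_TO_ACCEPT was compiled in).
default_deny_count() {
    awk '$1 == "65535" && $4 == "deny" { n = $2 } END { print n + 0 }'
}

# Full report over a listing read from stdin.
report() {
    listing=$(cat)
    echo "rules with traffic:"
    printf '%s\n' "$listing" | hit_rules
    echo "deny rules that fired: $(printf '%s\n' "$listing" | denies_that_fired | tr '\n' ' ')"
    echo "dropped by default rule 65535: $(printf '%s\n' "$listing" | default_deny_count)"
}

if [ $# -gt 0 ]; then
    report < "$1"                       # a saved `ipfw show` listing
else
    printf '%s\n' "$SAMPLE" | report    # demonstrate on the sample
fi
```

Zero the counters with ipfw zero, reproduce the failure from the workstation, then save ipfw show and feed it to the script. Rule 65535 counting up means the kernel default is what is eating the traffic, so whatever the workstation is sending is something the 'simple' section never explicitly allows; the divert rule counting up only says natd is seeing packets, not that they come back.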
Re: "simple" ipfw question
Brian Davis wrote:
> Greetings,
>
> I am attempting to build a dual-homed firewall using FreeBSD 4.7
> RELEASE. The PC is presently connected to a corporate LAN with DHCP and
> DNS servers and a broadband connection to the Internet.
>
> The outside interface (rl0) is configured as follows:
> IP address: a.b.148.62 (dynamically assigned)
> Subnet: 255.255.248.0
> Gateway: a.b.144.254
> DNS: a.b.144.1
>
> The inside interface (rl1) is configured as follows:
> IP address: 192.168.1.1
> Subnet: 255.255.255.0
>
> My private network consists of one workstation which is set up as
> follows:
> IP address: 192.168.1.2
> Subnet: 255.255.255.0
> Gateway: 192.168.168.1
> DNS: a.b.144.1
>
> When I use the "open" ruleset in /etc/rc.firewall, the workstation on my
> private network can get through the firewall to the LAN and the
> Internet. When I switch to the "simple" ruleset, the firewall stops
> forwarding packets. From the console, I can ping the outside and inside
> interfaces, but nothing else. Everything looks normal in dmesg.
> Additional info upon request!

Did you tweak the /etc/rc.firewall script to insert your IP address ranges into it? (look for the "simple" section of the script and tweak the iif, iip, oif, oip, etc ... values)

If that doesn't help, try posting the output of 'ipfw show' to the list. It'll make it a lot easier for folks to diagnose.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
"simple" ipfw question
Greetings,

I am attempting to build a dual-homed firewall using FreeBSD 4.7 RELEASE. The PC is presently connected to a corporate LAN with DHCP and DNS servers and a broadband connection to the Internet.

The outside interface (rl0) is configured as follows:
  IP address: a.b.148.62 (dynamically assigned)
  Subnet: 255.255.248.0
  Gateway: a.b.144.254
  DNS: a.b.144.1

The inside interface (rl1) is configured as follows:
  IP address: 192.168.1.1
  Subnet: 255.255.255.0

My private network consists of one workstation which is set up as follows:
  IP address: 192.168.1.2
  Subnet: 255.255.255.0
  Gateway: 192.168.168.1
  DNS: a.b.144.1

When I use the "open" ruleset in /etc/rc.firewall, the workstation on my private network can get through the firewall to the LAN and the Internet. When I switch to the "simple" ruleset, the firewall stops forwarding packets. From the console, I can ping the outside and inside interfaces, but nothing else. Everything looks normal in dmesg. Additional info upon request!

Brian Davis
ipfw question (was: Re[2]: Question)
Dear/Beste Steve,

Monday, January 13, 2003, 3:07:53 AM, you wrote:

>> Dear/Beste Steve,
>>
>> Monday, January 13, 2003, 12:23:09 AM, you wrote:
>>
>>> Hey people,
>>
>>> I'm having trouble limiting users to certain services on my LAN.
>>
>>> Here's what I'm trying to do.
>>
>>> Based on group membership, allow or deny certain users access to certain
>>> outgoing services (www, telnet, ftp, ssh, ping, traceroute, etc). Again this
>>> is not IP based, but based on group membership. Everyone can log into any PC
>>> on the LAN. I've seen something like this done in Novell, where based on a
>>> user's group context, their access is limited to certain services.
>>
> Can it be done based on groups? These people don't have static IPs

Yes, but you use the account on the server machine. Just check out the 'man ipfw'. I'm not an expert on this; just try it out.

--
Best regards/Met vriendelijke groet,
Alex
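An added example (not Alex's or Steve's code): what "use the account on the server machine" looks like in ipfw terms. ipfw's gid option matches packets belonging to sockets owned by a group on the ipfw host itself, so this works for users who log into the FreeBSD box (shell accounts, or a proxy running under that group) and not for NATed PCs on the LAN, whose packets carry no uid or gid at all. It assumes the ipfw of FreeBSD 4.x or later (keep-state, check-state, me); the group names users and wheel and the outside interface rl0 are illustrative, and the rules are only printed unless IPFW points at the real binary.

```shell
#!/bin/sh
# Added example (not from the thread): per-group egress control with ipfw's
# gid option. Only traffic from sockets on this host carries a gid, so this
# applies to accounts on the firewall box itself, not to NATed LAN clients.
# Group names and rl0 are assumptions. Set IPFW=/sbin/ipfw to apply.

IPFW=${IPFW:-echo}

# Allow outbound TCP connection setup to given ports for one group only.
#   $1 rule number, $2 port list, $3 group, $4 outside interface
allow_group_tcp() {
    $IPFW add "$1" allow tcp from me to any "$2" out via "$4" setup keep-state gid "$3"
}

# The policy: everyone in "users" may browse, only "wheel" may ssh, telnet
# or ftp out, and any other locally originated connection attempt is logged
# and dropped. (Active-mode ftp data channels need further rules.)
#   $1 outside interface
egress_policy() {
    ext_if=$1
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 check-state
    allow_group_tcp 300 80,443 users "$ext_if"
    allow_group_tcp 310 22 wheel "$ext_if"
    allow_group_tcp 320 23 wheel "$ext_if"
    allow_group_tcp 330 21 wheel "$ext_if"
    $IPFW add 900 deny log tcp from me to any out via "$ext_if" setup
    $IPFW add 65000 allow ip from any to any
}

# From a dry run, report which group a destination port list is restricted
# to; a quick way to review the policy before loading it.
#   $1 port list as written in the rule, $2 outside interface
group_for_port() {
    ( IPFW=echo; egress_policy "$2" ) |
        awk -v p="$1" '$9 == p { for (i = 1; i <= NF; i++) if ($i == "gid") print $(i + 1) }'
}

egress_policy "${1:-rl0}"
```

The deny at 900 is what turns the group rules into a policy: without it, a port not listed for any group falls through to whatever comes later. Processes that change group after connecting, and connections made by root, are matched by the socket's credentials at the time ipfw inspects the packet, which is why the man page ties uid/gid to the socket rather than the login session.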
Re: NAT + IPFW question
- Original Message -
From: "Flemming Frøkjær" <[EMAIL PROTECTED]>
To: "Alvaro Rosales R." <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, November 26, 2002 8:29 AM
Subject: Re: NAT + IPFW question

> Alvaro Rosales R. wrote:
> > Hi fellows I have setup natd in my freeBSD BOX (using firewall =OPEN)
> > and it is working fine.
> > Now I want to close my firewall so that the only computer that is using
> > NATD would be the only one that could accept connections from the
> > internet. But when I try to telnet to the natd box I can't connect to it. What
> > am I doing wrong?
> > Those are my ipfw rules
> > 10.10.1.91 (natd box)
> > 10.10.1.2 (my box)
> >
> > 00050 5816 2829686 divert 8668 ip from any to any via rl1
> > 00100 2412 168334 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 00800 5609 6342173 allow ip from 10.10.1.91 to 130.102.1.2
> > 00801 3580 143970 allow ip from 10.10.1.2 to 130.102.1.91
> > 01000 430772 59326512 deny ip from any to any
> > 65000 0 0 allow ip from any to 10.10.1.2
> > 65535 17161 5967606 allow ip from any to any
>
> You need to tell natd to forward port 23 (telnet) to 10.10.1.2
>
> man natd

This is only necessary if the poster wants to connect to "his box". As I understand it, he wishes to telnet to the natd box which is 10.10.1.91. In this case, no forward is required.

Cheers,

Drew

> \Flemming
Re: NAT + IPFW question
Alvaro Rosales R. wrote:
> Hi fellows I have setup natd in my freeBSD BOX (using firewall =OPEN)
> and it is working fine.
> Now I want to close my firewall so that the only computer that is using
> NATD would be the only one that could accept connections from the
> internet. But when I try to telnet to the natd box I can't connect to it. What
> am I doing wrong?
> Those are my ipfw rules
> 10.10.1.91 (natd box)
> 10.10.1.2 (my box)
>
> 00050 5816 2829686 divert 8668 ip from any to any via rl1
> 00100 2412 168334 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00800 5609 6342173 allow ip from 10.10.1.91 to 130.102.1.2
> 00801 3580 143970 allow ip from 10.10.1.2 to 130.102.1.91
> 01000 430772 59326512 deny ip from any to any
> 65000 0 0 allow ip from any to 10.10.1.2
> 65535 17161 5967606 allow ip from any to any

You need to tell natd to forward port 23 (telnet) to 10.10.1.2

man natd

\Flemming
Re: NAT + IPFW question
- Original Message -
From: "Drew Tomlinson" <[EMAIL PROTECTED]>
To: "Alvaro Rosales R." <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, November 25, 2002 3:01 PM
Subject: Re: NAT + IPFW question

> - Original Message -
> From: "Alvaro Rosales R." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, November 25, 2002 2:42 PM
> Subject: NAT + IPFW question
>
> > Hi fellows I have setup natd in my freeBSD BOX (using firewall =OPEN)
> > and it is working fine.
> > Now I want to close my firewall so that the only computer that is using
> > NATD would be the only one that could accept connections from the
> > internet. But when I try to telnet to the natd box I can't connect to it. What
> > am I doing wrong?
>
> By default, telnet is disabled in recent versions of FBSD. Have you
> enabled (uncommented) it in inetd.conf?
>
> Cheers,
>
> Drew
>
> > Those are my ipfw rules
> > 10.10.1.91 (natd box)
> > 10.10.1.2 (my box)
> >
> > 00050 5816 2829686 divert 8668 ip from any to any via rl1
> > 00100 2412 168334 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 00800 5609 6342173 allow ip from 10.10.1.91 to 130.102.1.2
> > 00801 3580 143970 allow ip from 10.10.1.2 to 130.102.1.91
> > 01000 430772 59326512 deny ip from any to any
> > 65000 0 0 allow ip from any to 10.10.1.2
> > 65535 17161 5967606 allow ip from any to any

OK, Telnet is enabled. You have to allow port 23 open on your firewall. Something like 'ipfw add 802 allow ip from any to 23'.

HTH,

Drew
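An added example (not from the thread). Two checks on the ruleset posted in this thread: first, once an unconditional deny ip from any to any has matched, nothing numbered after it is ever consulted, so the posted rule 65000 can never allow anything; second, a minimal ruleset in an order that lets the outside reach telnet on the natd box itself, using the form ipfw(8) takes for a destination port, allow tcp from any to <host> 23. The listing embedded below is copied from the post with the counters separated as ipfw prints them; rl1 and 10.10.1.91 are from the post, and the rules are only printed unless IPFW points at the real binary. Telnet is cleartext, so on a box that is reachable from the Internet the same rule with port 22 and sshd is the one to keep.

```shell
#!/bin/sh
# Added example (not from the thread): find rules shadowed by a catch-all
# deny in an `ipfw show` listing, and emit a correctly ordered ruleset that
# allows telnet to the natd host itself. rl1 and 10.10.1.91 are from the post.

# Copy of the posted listing (rule number, packets, bytes, rule body).
POSTED='00050 5816 2829686 divert 8668 ip from any to any via rl1
00100 2412 168334 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00800 5609 6342173 allow ip from 10.10.1.91 to 130.102.1.2
00801 3580 143970 allow ip from 10.10.1.2 to 130.102.1.91
01000 430772 59326512 deny ip from any to any
65000 0 0 allow ip from any to 10.10.1.2
65535 17161 5967606 allow ip from any to any'

# Print the numbers of every rule that follows an unconditional
# "deny ip from any to any" (as printed by ipfw show): they never match.
unreachable_rules() {
    awk '
        dead { print $1; next }
        $4 == "deny" && $5 == "ip" && $6 == "from" && $7 == "any" &&
        $8 == "to" && $9 == "any" && NF == 9 { dead = 1 }'
}

IPFW=${IPFW:-echo}

# Same intent as the post, in an order that works: NAT first, loopback,
# explicit allows for what the natd host itself serves, established traffic,
# outbound setups, and a deny that really is last.
#   $1 NAT interface, $2 natd host address
nat_host_rules() {
    $IPFW -f flush
    $IPFW add 50 divert 8668 ip from any to any via "$1"
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from any to 127.0.0.0/8
    $IPFW add 300 deny ip from 127.0.0.0/8 to any
    # telnet to the natd box itself, arriving on the NAT interface
    $IPFW add 400 allow tcp from any to "$2" 23 in via "$1" setup
    $IPFW add 500 allow tcp from any to any established
    # connections the inside originates leave via $1 after natd rewrites them
    $IPFW add 600 allow tcp from any to any out via "$1" setup
    $IPFW add 1000 deny log ip from any to any
}

printf '%s\n' "$POSTED" | unreachable_rules
nat_host_rules rl1 10.10.1.91
```

Run against the posted listing, unreachable_rules prints 65000 and 65535: the 430772 packets counted on rule 1000 include every telnet SYN that the poster expected rule 65000 to pass. In the replacement set the only thing that reaches rule 1000 is what none of the allows matched, which is what the log keyword is there to show.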
Re: NAT + IPFW question
- Original Message -
From: "Alvaro Rosales R." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 25, 2002 2:42 PM
Subject: NAT + IPFW question

> Hi fellows I have setup natd in my freeBSD BOX (using firewall =OPEN)
> and it is working fine.
> Now I want to close my firewall so that the only computer that is using
> NATD would be the only one that could accept connections from the
> internet. But when I try to telnet to the natd box I can't connect to it. What
> am I doing wrong?

By default, telnet is disabled in recent versions of FBSD. Have you enabled (uncommented) it in inetd.conf?

Cheers,

Drew

> Those are my ipfw rules
> 10.10.1.91 (natd box)
> 10.10.1.2 (my box)
>
> 00050 5816 2829686 divert 8668 ip from any to any via rl1
> 00100 2412 168334 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00800 5609 6342173 allow ip from 10.10.1.91 to 130.102.1.2
> 00801 3580 143970 allow ip from 10.10.1.2 to 130.102.1.91
> 01000 430772 59326512 deny ip from any to any
> 65000 0 0 allow ip from any to 10.10.1.2
> 65535 17161 5967606 allow ip from any to any
NAT + IPFW question
Hi fellows, I have setup natd in my freeBSD BOX (using firewall =OPEN) and it is working fine.

Now I want to close my firewall so that the only computer that is using NATD would be the only one that could accept connections from the internet. But when I try to telnet to the natd box I can't connect to it. What am I doing wrong?

Those are my ipfw rules
10.10.1.91 (natd box)
10.10.1.2 (my box)

  00050 5816 2829686 divert 8668 ip from any to any via rl1
  00100 2412 168334 allow ip from any to any via lo0
  00200 0 0 deny ip from any to 127.0.0.0/8
  00300 0 0 deny ip from 127.0.0.0/8 to any
  00800 5609 6342173 allow ip from 10.10.1.91 to 130.102.1.2
  00801 3580 143970 allow ip from 10.10.1.2 to 130.102.1.91
  01000 430772 59326512 deny ip from any to any
  65000 0 0 allow ip from any to 10.10.1.2
  65535 17161 5967606 allow ip from any to any