From: "f.johan.beisser"
Date: Sun, 16 Jan 2000 02:45:34 -0800 (PST)
To: Olaf Hoyer
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Simple router with basic firewall functionalities

oof. make it hard ;)

On Sun, 16 Jan 2000, Olaf Hoyer wrote:

> >> I also thought about a SAMBA server, to ensure compatibility to exchange
> >> data with the M$ machines running here. Any security issues?
> >
> >yes, but i think a better question is why?
>
> We use a peer-to-peer network here, with mostly M$ machines using
> SMB/Netbeui/Netbios here. To transfer files, we mostly use the M$ directory
> stuff to allow access and so. Its easy, and even the girls here can figure
> it out...
> BTW, it is explicitly forbidden here in our home to use stuff like FTP servers.

hrm. ok, one solution is to forward $GOODPACKET through, perhaps have an
explicitly allowed list of servers and such in your firewall ruleset.

> >unless the machine is going to do more than just be a firewall...
>
> That was my second thought, to capsule the main box completely from the
> rest of the network.

i caught the network map you made earlier.. ok, so it would be
isolated/protected from the rest of the network, but with some access to
support the various needed apps (divert and so on). i still look at this
and think it's a Bad Idea (TM). unless..

well, i already mentioned filtering out everything except for a specific
list of hosts you'd want to let in to your network segment. this might be
the only real option.

> >> Is it also possible to Send/receive the "messenging service" of NT,
> >> respective the "Popups"?
>
> SMB messenging (broadcast type, used by the "telephony/popup" application
> in Win3.x/Win9x/NT)

well, i know for a fact that you can establish a connection through nat,
while denying all incoming packets. this works for ftp (which has two ports
that it uses), and most other applications.

-- jan

+-----// f. johan beisser //------------------------------+
  email: jan[at]caustic.org      web: http://www.caustic.org/~jan
  "knowledge is power. power corrupts. study hard, be evil."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: Omachonu Ogali
Date: Sun, 16 Jan 2000 12:21:19 -0500 (EST)
To: "Rodney W. Grimes"
Cc: Brian Gallucci, FreeBSD, ipfw@FreeBSD.ORG
Subject: Re: Hmmm

Windows isn't that retarded, it doesn't send incorrect IP headers out onto
the wire. Is your router connected to a hub at your ISP/uplink?

Omachonu Ogali
Intranova Networking Group

On Fri, 14 Jan 2000, Rodney W. Grimes wrote:

> > If you're connected to a hub then that means someone else on that hub has
> > address space in that area, otherwise, something's barfing on you.
>
> It's just windblows braindamage, it likes to send netbios IP traffic
> to really strange IP addresses using really strange source addresses
> some times.
>
> Easy fix is to drop all any 138 to any 138, and any 137 to any 137,
> unless you're fool enough to want to run netbios over the internet,
> in which case you'll have to allow some specific IP's to work.
>
> > Omachonu Ogali
> > Intranova Networking Group
> >
> > On Thu, 13 Jan 2000, Brian Gallucci wrote:
> >
> > > This is really weird ->
> > >
> > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > >
> > > We don't own any address space on 216.174.91.0 at all !!
> > >
> > > Can someone tell what this means ??? Am I missing something..
> > >
> > > I think it should look something like -
> > >
> > > ipfw: 1800 Deny UDP " OUR ADDRESS ":138 216.174.91.31:138 in via xl0
> > > ipfw: 1800 Deny UDP " OUR ADDRESS ":138 216.174.91.31:138 in via xl0
> > >
> > > Thanks
> > > -Brian
>
> --
> Rod Grimes - KD7CAX @ CN85sl - (RWG25)  rgrimes@gndrsh.dnsmgr.net


From: Omachonu Ogali
Date: Sun, 16 Jan 2000 12:23:31 -0500 (EST)
To: Jeff Lush
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Appropriate list for ipfw question

Yes, it is, fire away.

Omachonu Ogali
Intranova Networking Group

On Fri, 14 Jan 2000, Jeff Lush wrote:

> Hello,
>
> I am having difficulties with setting up ipfw and would like to know if this is
> where I should direct my question.
>
> Thanks,
>
> Jeff Lush


From: Omachonu Ogali
Date: Sun, 16 Jan 2000 12:24:06 -0500 (EST)
To: Yung Yi
Cc: freebsd-ipfw@FreeBSD.org, freebsd-questions@FreeBSD.org
Subject: Re: router statistics.

Do 'ipfw show' and look at the allow all rule (if you have one).

Omachonu Ogali
Intranova Networking Group

On Sat, 15 Jan 2000, Yung Yi wrote:

> Hi.
>
> Is there any tools or programs in FreeBSD that
> can show the statistics that how much traffic it handles when it is used as a router?
From: "Rodney W. Grimes"
Date: Sun, 16 Jan 2000 11:39:04 -0800 (PST)
To: oogali@intranova.net (Omachonu Ogali)
Cc: briang@expnet.net (Brian Gallucci), freebsd-questions@FreeBSD.ORG (FreeBSD), ipfw@FreeBSD.ORG
Subject: Re: Hmmm

> Windows isn't that retarded, it doesn't send incorrect IP headers out onto
> the wire. Is your router connected to a hub at your ISP/uplink?

Yes windows is that retarded. And no these are not coming from the ISP
upstream. I've seen enough of these in tcpdumps that I some times bother
to track down the MAC they come from and fix the windblows network
configuration to eliminate them, though that has become tedious so I just
drop them on the floor at routers now.

> Omachonu Ogali
> Intranova Networking Group
>
> On Fri, 14 Jan 2000, Rodney W. Grimes wrote:
>
> > > If you're connected to a hub then that means someone else on that hub has
> > > address space in that area, otherwise, something's barfing on you.
> >
> > It's just windblows braindamage, it likes to send netbios IP traffic
> > to really strange IP addresses using really strange source addresses
> > some times.
> >
> > Easy fix is to drop all any 138 to any 138, and any 137 to any 137,
> > unless you're fool enough to want to run netbios over the internet,
> > in which case you'll have to allow some specific IP's to work.
> >
> > > Omachonu Ogali
> > > Intranova Networking Group
> > >
> > > On Thu, 13 Jan 2000, Brian Gallucci wrote:
> > >
> > > > This is really weird ->
> > > >
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > >
> > > > We don't own any address space on 216.174.91.0 at all !!
> > > >
> > > > Can someone tell what this means ??? Am I missing something..
> > > >
> > > > I think it should look something like -
> > > >
> > > > ipfw: 1800 Deny UDP " OUR ADDRESS ":138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP " OUR ADDRESS ":138 216.174.91.31:138 in via xl0
> > > >
> > > > Thanks
> > > > -Brian
> >
> > --
> > Rod Grimes - KD7CAX @ CN85sl - (RWG25)  rgrimes@gndrsh.dnsmgr.net

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)  rgrimes@gndrsh.dnsmgr.net


From: "Brian Gallucci"
Date: Sun, 16 Jan 2000 12:40:23 -0800
To: "Omachonu Ogali", "Rodney W. Grimes"
Cc: "FreeBSD"
Subject: Re: Hmmm

No it's connected to a Cisco 5500 switch.

Thanks
-Brian

----- Original Message -----
From: Omachonu Ogali
To: Rodney W. Grimes
Cc: Brian Gallucci ; FreeBSD
Sent: Sunday, January 16, 2000 9:21 AM
Subject: Re: Hmmm

> Windows isn't that retarded, it doesn't send incorrect IP headers out onto
> the wire. Is your router connected to a hub at your ISP/uplink?
>
> Omachonu Ogali
> Intranova Networking Group
>
> On Fri, 14 Jan 2000, Rodney W. Grimes wrote:
>
> > > If you're connected to a hub then that means someone else on that hub has
> > > address space in that area, otherwise, something's barfing on you.
> >
> > It's just windblows braindamage, it likes to send netbios IP traffic
> > to really strange IP addresses using really strange source addresses
> > some times.
> >
> > Easy fix is to drop all any 138 to any 138, and any 137 to any 137,
> > unless you're fool enough to want to run netbios over the internet,
> > in which case you'll have to allow some specific IP's to work.
> >
> > > Omachonu Ogali
> > > Intranova Networking Group
> > >
> > > On Thu, 13 Jan 2000, Brian Gallucci wrote:
> > >
> > > > This is really weird ->
> > > >
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0
> > > > ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0
> > > >
> > > > We don't own any address space on 216.174.91.0 at all !!
> > > >
> > > > Can someone tell what this means ??? Am I missing something..
> > > >
> > > > I think it should look something like -
> > > >
> > > > ipfw: 1800 Deny UDP " OUR ADDRESS ":138 216.174.91.31:138 in via xl0
> > > > ipfw: 1800 Deny UDP " OUR ADDRESS ":138 216.174.91.31:138 in via xl0
> > > >
> > > > Thanks
> > > > -Brian
> >
> > --
> > Rod Grimes - KD7CAX @ CN85sl - (RWG25)  rgrimes@gndrsh.dnsmgr.net


From: Richard Martin
Date: Sun, 16 Jan 2000 18:21:33 -0600
To: freebsd-ipfw@FreeBSD.ORG
Subject: loss of setup option in ipfw

I am setting up a new server with ipfw packet filtering and I have a couple
of questions about some quirks.

First, I cannot now use the 'setup' option for TCP packets. Whether the line
is in the script or entered at the command line, if it has 'setup' in the
option position, the rule fails.
I have added a few ports since I first set up the firewall - Tripwire, LSOF,
a few others - and somewhere along the way, something seems to have affected
ipfw, because it was working OK before. Now when the script runs, even at
reboot, the firewall lines with 'setup' at the end fail. A TCP rule with
setup entered at the command line fails, but removing 'setup' allows it to
be added to the chain.

************

Second, I have noticed that reply packets coming out of our LAN (like ftp
data) behind the firewall are addressed back to the internal LAN IPs. This
is odd: other NAT/masquerading systems I have used have the replies come
back to the external IP and a table is kept for replies to route the
packets back to the right address.

Do I have something misconfigured, or is this just the way NATD works in
F'BSD?

Thanks

--
Richard Martin             dmartin@origen.com
OriGen Biomedical          Tel: +1 512 474 7278
2525 Hartford Rd.          Fax: +1 512 708 8522
Austin, TX 78703           http://www.formed.net


From: Mikel
Organization: Optimized Computer Solutions, Inc.
Date: Sun, 16 Jan 2000 20:57:19 -0500
To: Jeff Lush
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Appropriate list for ipfw question

what sort of problem are you having?

Jeff Lush wrote:

> Hello,
>
> I am having difficulties with setting up ipfw and would like to know if this is
> where I should direct my question.
>
> Thanks,
>
> Jeff Lush

--
Cheers,
Mikel
Optimized Computer Solutions, Inc      http://www.ocsny.com
39 W14th Street, Suite 203             212 727 2238 x132
New York, NY 10011                     http://www.ocsny.com/~mikel
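Brian's "Deny UDP" log lines and Rodney's proposed drop rules, from the "Hmmm" thread earlier in this digest, lend themselves to a small triage tool. The C program below is an added example, not code from the list or from ipfw itself: it parses log lines in the exact shape Brian posted, keeps only NetBIOS name-service and datagram traffic (UDP 137 and 138 on both ends), and counts packets whose source falls outside an "owned" prefix. The sample log lines are constructed, and the prefix 216.174.90.0/24 is an assumption for the demo (suggested by the 216.174.90.x addresses in Brian's mail headers, not something he states). The ipfw rules in the header comment are Rodney's fix written out in ipfw syntax.

```c
/* Added example, not from the list: triage of ipfw "Deny UDP" log lines so
 * that NetBIOS chatter from addresses outside the site's own space can be
 * separated from everything else. Rodney's fix, in ipfw syntax, is a pair
 * of rules placed before any broad allow rule:
 *   ipfw add deny log udp from any 137 to any 137
 *   ipfw add deny log udp from any 138 to any 138
 * The "log" keyword is what produces lines of the kind parsed here. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct deny_event {
    int rule;
    char proto[8];
    char src[16];
    int sport;
    char dst[16];
    int dport;
    char iface[16];
};

/* Parse "ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> in via <if>".
 * Returns 1 on success, 0 when the line is not a Deny record in that shape. */
int parse_deny_line(const char *line, struct deny_event *ev) {
    int n = sscanf(line, "ipfw: %d Deny %7s %15[0-9.]:%d %15[0-9.]:%d in via %15s",
                   &ev->rule, ev->proto, ev->src, &ev->sport,
                   ev->dst, &ev->dport, ev->iface);
    return n == 7;
}

/* Is dotted-quad ip inside net/bits? IPv4 only. */
int in_prefix(const char *ip, const char *net, int bits) {
    struct in_addr a, n;
    uint32_t mask;
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return 0;
    mask = bits == 0 ? 0 : htonl(0xffffffffu << (32 - bits));
    return (a.s_addr & mask) == (n.s_addr & mask);
}

/* NetBIOS name service (137) or datagram service (138), same port both ends. */
int is_netbios_noise(const struct deny_event *ev) {
    return strcmp(ev->proto, "UDP") == 0 &&
           ((ev->sport == 137 && ev->dport == 137) ||
            (ev->sport == 138 && ev->dport == 138));
}

/* Count denied NetBIOS packets whose source is outside the owned prefix:
 * the ones Rodney attributes to misconfigured Windows hosts on a shared
 * segment. Lines that do not parse are skipped, not treated as events. */
int count_foreign_netbios(const char *const *lines, int nlines,
                          const char *net, int bits) {
    int count = 0;
    struct deny_event ev;
    for (int i = 0; i < nlines; i++) {
        if (!parse_deny_line(lines[i], &ev))
            continue;
        if (is_netbios_noise(&ev) && !in_prefix(ev.src, net, bits))
            count++;
    }
    return count;
}

/* Constructed sample log: two foreign NetBIOS denies in Brian's format, one
 * NetBIOS deny from inside the assumed /24, one non-NetBIOS deny, one junk line. */
static const char *const sample_log[] = {
    "ipfw: 1800 Deny UDP 216.174.91.28:138 216.174.91.31:138 in via xl0",
    "ipfw: 1800 Deny UDP 216.174.91.28:137 216.174.91.31:137 in via xl0",
    "ipfw: 1800 Deny UDP 216.174.90.9:138 216.174.90.255:138 in via xl0",
    "ipfw: 1800 Deny TCP 10.0.0.5:4000 216.174.90.22:25 in via xl0",
    "this line is not an ipfw record and must be skipped",
};
#define SAMPLE_COUNT ((int)(sizeof sample_log / sizeof sample_log[0]))

int main(void) {
    int n = count_foreign_netbios(sample_log, SAMPLE_COUNT, "216.174.90.0", 24);
    printf("foreign NetBIOS denies: %d\n", n);
    return 0;
}
```

Run against a real /var/log/security, the useful signal is the per-source count over time: one source that dominates is the misconfigured host Rodney tracks down by MAC, while a spread of sources on an uplink suggests a shared segment, which is the distinction Ogali's hub question was getting at.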
From: "mouss"
Date: Mon, 17 Jan 2000 19:45:39 +0100
To: "Robert Watson"
Subject: RE: Two-way transparency

This is easily done by making the proxy bind() its client socket to the
address of the original client, before calling connect() and, in the case
of unconnected sockets, before calling any send() function.

More precisely, a proxy will have two socket descriptors:

  client_fd: socket used between client and proxy
  server_fd: socket between proxy and remote server.

A getpeername(client_fd, ...) yields the IP address of the client (among
other things). Store this in a struct sockaddr variable "client_addr". Then
just call

  error = bind(server_fd, &client_addr, client_addr_len);
  if (error < 0) {
      unhappy("cannot bind it....");
  }

This makes the proxy use the client IP address as its "outgoing" address.
This works because the TCP/IP stack doesn't normally check that the address
you bind to is local or not.

There are three notes here:

1- You can't force the arbitrary source port to that of the client, since
   the port is not necessarily free on the gateway host. Anyway, there's no
   reason to force an arbitrary port!

2- You'll have to check your packet filter config carefully to make sure
   that responses to proxy packets will be returned to the proxy! Indeed,
   since you're using the client IP address to send packets, responses will
   be directed to the client. You then have to divert these responses to
   the proxy and make sure there is no other route to the client.
   Otherwise, you'll end with "dangling connections"!

3- Under Solaris (this doesn't concern BSD but is worth noting), if you
   call rresvport() to use a reserved port, then the bind() above will
   fail. I am not sure if this was a bug and whether it has been fixed, but
   an easy workaround is to copy the BSD version of rresvport() and call it
   instead of that of the system.

While I am in, I am in the process of writing new proxies (with the above
functionality and other functionalities as well). The fwtk is getting old
and NAI are MS-oriented. I am planning to implement this in C (but I am
open to using C++ instead, if there are enough arguments) and have many
ideas in mind. Are there any volunteers?

Regards,
mouss

> -----Original Message-----
> From: owner-freebsd-ipfw@FreeBSD.ORG
> [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Robert Watson
> Sent: Friday, January 07, 2000 2:45 PM
> To: freebsd-ipfw@freebsd.org
> Subject: Two-way transparency
>
> Last night at the fug-washdc meeting, we discussed expansions to ipfw that
> might be useful--no doubt someone will post a summary soon. One of the
> issues I raised and am interested in is the ability to have userland
> proxies filter traffic in a completely transparent way -- i.e., two way
> transparency. Right now with NAT and divert sockets, fwds, etc, it's easy
> to do transparency from the perspective of a client application *making* a
> connection, but I'm not sure how to go about allowing the proxy to go
> about making an outgoing connection that appears to come from the client.
>
> There are a number of applications where this would be useful, including
> transparent local firewalls on multi-user machines, filtering incoming
> connections, firewalls for protocols that bind address information into
> their connections, etc. It would allow a userland proxy-based firewall
> (such as fwtk, etc) to look more like a traditional packet filter not
> running with NAT.
>
> Anyone have any thoughts on this? :-)
>
> Robert N M Watson
>
> robert@fledge.watson.org              http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services


From: "Crist J. Clark"
Date: Mon, 17 Jan 2000 20:52:43 -0500
To: Richard Martin
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: loss of setup option in ipfw

On Sun, Jan 16, 2000 at 06:21:33PM -0600, Richard Martin wrote:
> I am setting up a new server with ipfw packet filtering and I have a couple of
> questions about some quirks.
>
> First, I cannot now use the 'setup' option for TCP packets. Whether the line
> is in the script or entered at the command line, if it has 'setup' in the
> option position, the rule fails.

And the error message is...?

> I have added a few ports since I first set up the firewall - Tripwire, LSOF, a
> few others- and somewhere along the way, something seems to have affected
> ipfw, because it was working OK before. Now when the script runs, even at
> reboot, the firewall lines with 'setup' at the end fail. A TCP rule with setup
> entered at the command line fails, but removing 'setup' allows it to be added
> to the chain.

And command lines and the error messages are...?

> ************
>
> Second, I have noticed that reply packets coming out of our LAN (like ftp
> data) behind the firewall are addressed back to the internal LAN IPs. This is
> odd: other NAT/masquerading systems I have used have the replies come back to
> the external IP and a table is kept for replies to route the packets back to
> the right address.
>
> Do I have something misconfigured, or is this just the way NATD works in
> F'BSD?

The packets with addresses of your private address-space are leaking out
onto the net? That should not be happening. How is natd configured and how
is your network setup? What are your firewall rules?

--
Crist J. Clark                                cjclark@home.com
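mouss's recipe in the "Two-way transparency" message above (getpeername() on the client socket, bind() the outbound socket to that address, then connect()) is easy to misread as a one-liner, so here it is carried through end to end. The C program below is an added example, written for this digest; it is not mouss's, Robert's or fwtk's code. It plays all three roles on the loopback interface in one process: a "client" connects to the proxy, the proxy binds its server-side socket to the client's IP with port 0 (his note 1) and dials a "remote server", and the server's own getpeername() is checked against what the proxy saw. Loopback addresses are local, so it runs unprivileged; binding a genuinely foreign client address on a real gateway needs IP_BINDANY on FreeBSD or IP_TRANSPARENT on Linux, both set here where defined, with the failure ignored because the demo never needs them. The 127.0.0.2 client address is an assumption that holds on Linux, where all of 127/8 is local; elsewhere the client falls back to 127.0.0.1.

```c
/* Added example, not from the list: mouss's bind()-to-the-client recipe run
 * end to end on loopback. Roles: client -> proxy (client_fd) -> server
 * (remote_fd on the proxy side, server_side on the server side). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on 127.0.0.1 with a kernel-chosen port; *addr receives the result. */
static int listen_loopback(struct sockaddr_in *addr) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    socklen_t len = sizeof *addr;
    if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)addr, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The proxy's outbound leg: source address copied from client_fd's peer,
 * port left at 0 so the kernel picks a free one (mouss's note 1). */
int proxy_connect_as_client(int client_fd, const struct sockaddr_in *server) {
    struct sockaddr_in client_addr;
    socklen_t client_len = sizeof client_addr;
    int one = 1, remote_fd;
    if (getpeername(client_fd, (struct sockaddr *)&client_addr, &client_len) < 0)
        return -1;
    client_addr.sin_port = 0;
    remote_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (remote_fd < 0) return -1;
    /* Required for non-local client addresses on real stacks (needs root);
     * the unprivileged failure is deliberately ignored in this demo. */
#ifdef IP_BINDANY
    setsockopt(remote_fd, IPPROTO_IP, IP_BINDANY, &one, sizeof one);
#endif
#ifdef IP_TRANSPARENT
    setsockopt(remote_fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one);
#endif
    if (bind(remote_fd, (struct sockaddr *)&client_addr, client_len) < 0 ||
        connect(remote_fd, (const struct sockaddr *)server, sizeof *server) < 0) {
        close(remote_fd);
        return -1;
    }
    return remote_fd;
}

/* Returns 1 if the server saw the same source IP the proxy saw on the client
 * socket, 0 if they differ, -1 on a socket error. */
int run_transparency_demo(void) {
    struct sockaddr_in proxy_addr, server_addr, client_src, seen_by_proxy, seen_by_server;
    socklen_t len = sizeof seen_by_proxy;
    int proxy_lfd = listen_loopback(&proxy_addr);
    int server_lfd = listen_loopback(&server_addr);
    int client, client_fd, remote_fd, server_side, same;
    if (proxy_lfd < 0 || server_lfd < 0) return -1;

    /* The client. Assumption: 127.0.0.2 is local (Linux); if that bind fails
     * the client simply stays on 127.0.0.1 and the same calls are exercised. */
    client = socket(AF_INET, SOCK_STREAM, 0);
    if (client < 0) return -1;
    memset(&client_src, 0, sizeof client_src);
    client_src.sin_family = AF_INET;
    inet_pton(AF_INET, "127.0.0.2", &client_src.sin_addr);
    (void)bind(client, (struct sockaddr *)&client_src, sizeof client_src);
    if (connect(client, (struct sockaddr *)&proxy_addr, sizeof proxy_addr) < 0) return -1;

    client_fd = accept(proxy_lfd, NULL, NULL);        /* proxy accepts the client */
    if (client_fd < 0) return -1;
    getpeername(client_fd, (struct sockaddr *)&seen_by_proxy, &len);

    remote_fd = proxy_connect_as_client(client_fd, &server_addr);
    if (remote_fd < 0) return -1;
    server_side = accept(server_lfd, NULL, NULL);     /* server accepts the proxy */
    if (server_side < 0) return -1;
    len = sizeof seen_by_server;
    getpeername(server_side, (struct sockaddr *)&seen_by_server, &len);

    same = seen_by_server.sin_addr.s_addr == seen_by_proxy.sin_addr.s_addr;
    close(server_side); close(remote_fd); close(client_fd);
    close(client); close(server_lfd); close(proxy_lfd);
    return same;
}

int main(void) {
    int r = run_transparency_demo();
    printf("remote server saw the client's address: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

On a gateway this only works together with mouss's note 2: because the server's replies are addressed to the client's IP, the firewall must steer them back into the proxy (an ipfw fwd or divert rule on the return path) and there must be no other route by which they reach the client directly, or the connection dangles.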
Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Mon Jan 17 19:37:15 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id DF3AC1503A for ; Mon, 17 Jan 2000 19:37:12 -0800 (PST) (envelope-from dmartin@origen.com) Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id VAA07640; Mon, 17 Jan 2000 21:37:09 -0600 (CST) (envelope-from dmartin@origen.com) Message-ID: <3883DFAC.9129CCBA@origen.com> Date: Mon, 17 Jan 2000 21:36:12 -0600 From: Richard Martin X-Mailer: Mozilla 4.6 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: "Crist J. Clark" Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: loss of setup option in ipfw References: <3882608D.E77903EE@origen.com> <20000117205243.A63571@cc942873-a.ewndsr1.nj.home.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > > I cannot now use the 'setup' option for TCP packets. > > And the error message is...? When this line is run /sbin/ipfw add pass tcp from any to {$oip} 25 setup I get: ipfw: error: extraneous filename arguments usage: ipfw [options] [pipe] flush add [number] rule [pipe] delete number ... [pipe] list [number ...] [pipe] show [number ...] zero [number ...] Continuing syntax suggestions from ipfw including established/setup option.. however, when the word 'setup' is dropped, the rule is added to the set. Very puzzling, I get the same error when I try to load the default rc.firewall script which came with the package. I am about ready to set up another system and retrace my steps to see where the conflict came in. > > > ************ > > > > reply packets coming back to our LAN are addressed back to the > > internal LAN IPs. 
I though natd woudl give them the external IP > > The packets with addresses of your private address-space are leaking > out onto the net? That should not be happening. How is natd configured > and how is your network setup? What are your firewall rules? the natd line is 2nd in the set after the flush command /sbin/ipfw add divert natd all from any to any via xl0 xl0 being the external NIC; vx0 the internal LAN ps reports natd is running with the -n flag on xl0 -- Richard Martin dmartin@origen.com OriGen Biomedical Tel: +1 512 474 7278 2525 Hartford Rd. Fax: +1 512 708 8522 Austin, TX 78703 http://www.formed.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Mon Jan 17 20:58:53 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id F01F0150E4 for ; Mon, 17 Jan 2000 20:58:50 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id AAA64398; Tue, 18 Jan 2000 00:03:01 -0500 (EST) (envelope-from cjc) Date: Tue, 18 Jan 2000 00:03:01 -0500 From: "Crist J. Clark" To: Richard Martin Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: loss of setup option in ipfw Message-ID: <20000118000301.C63571@cc942873-a.ewndsr1.nj.home.com> References: <3882608D.E77903EE@origen.com> <20000117205243.A63571@cc942873-a.ewndsr1.nj.home.com> <3883DFAC.9129CCBA@origen.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <3883DFAC.9129CCBA@origen.com>; from dmartin@origen.com on Mon, Jan 17, 2000 at 09:36:12PM -0600 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Mon, Jan 17, 2000 at 09:36:12PM -0600, Richard Martin wrote: > > > > I cannot now use the 'setup' option for TCP packets. > > > > And the error message is...? 
>
> When this line is run
>
> /sbin/ipfw add pass tcp from any to {$oip} 25 setup
>
> I get:
>
> ipfw: error: extraneous filename arguments

Wow... I can't believe this one. ipfw(8) thinks that you are trying to use the,

    ipfw [-q] [-p preproc [-D macro[=value]] [-U macro]] file

Format for the command. You would not happen to have a file named 'setup' in the pwd you are trying to execute ipfw from? From the looks of the code (/usr/src/sbin/ipfw.c),

    if (ac > 1 && access(av[ac - 1], R_OK) == 0) {

Where 'ac' is what we usually call 'argc' and 'av' is 'argv,' if the last argument on the command line is a readable file, ipfw thinks it is supposed to use it as an ipfw config-file. That is _really_ not an ideal way to figure out how to handle the command line.

-- 
Crist J. Clark                           cjclark@home.com

From owner-freebsd-ipfw Mon Jan 17 21:00:27 2000
Received: from int-mail.syd.fl.net.au (int-mail.syd.fl.net.au [202.181.0.28]) by hub.freebsd.org (Postfix) with ESMTP id 5BF9F151A1 for ; Mon, 17 Jan 2000 21:00:23 -0800 (PST) (envelope-from als@fl.net.au)
Received: from stimpy (stimpy.snowville.fl.net.au [202.181.1.254]) by int-mail.syd.fl.net.au (Postfix) with SMTP for id 9CFC41685E; Tue, 18 Jan 2000 16:00:19 +1100 (EST)
From: "Andrew Snow"
Subject: RE: loss of setup option in ipfw
Date: Tue, 18 Jan 2000 16:00:20 +1100
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Importance: Normal
In-Reply-To: <20000118000301.C63571@cc942873-a.ewndsr1.nj.home.com>

> > /sbin/ipfw add pass tcp from any to {$oip} 25 setup

Is it perhaps supposed to be ${oip} ?

----
Andrew Snow als@fl.net.au

From owner-freebsd-ipfw Mon Jan 17 22:53:56 2000
Received: from lunatic.oneinsane.net (lunatic.oneinsane.net [207.113.133.231]) by hub.freebsd.org (Postfix) with ESMTP id 632D314D24 for ; Mon, 17 Jan 2000 22:53:54 -0800 (PST) (envelope-from insane@lunatic.oneinsane.net)
Received: by lunatic.oneinsane.net (Postfix, from userid 1000) id 696FB1AC; Mon, 17 Jan 2000 22:53:52 -0800 (PST)
Date: Mon, 17 Jan 2000 22:53:52 -0800
From: Ron 'The InSaNe One' Rosson
To: freebsd-ipfw@freebsd.org
Subject: incorporating ipfilter
Message-ID: <20000117225352.A9148@lunatic.oneinsane.net>
Reply-To: Ron Rosson
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
X-Operating-System: FreeBSD lunatic.oneinsane.net 3.4-STABLE
X-Moon: The Moon is Waxing Gibbous (88% of Full)
X-Opinion: What you read here is my IMHO
X-Disclaimer: I am a firm believer in RTFM
X-WWW: http://www.oneinsane.net
X-PGP-KEY: http://www.oneinsane.net/~insane/insane2-pgp5i.txt
X-Uptime: 10:49PM up 7:16, 1 user, load averages: 0.05, 0.12, 0.08

I come from using IPFW but want to learn and experiment with ipfilter. I guess you can say I have grown accustomed to /etc/rc.conf and /etc/rc.firewall to do all the work for me. Well with ipfilter there are no implementations for it.

Here are a few questions that I seem to not be able to find answers for:

1. What is the name of the conf file and its location? (/etc/ipf.conf)
2. How is it called in the startup scripts.
3. Other links of reference that tie closely with the *BSD way of doing things?

Any info or pointers is greatly appreciated.

TIA

-- 
-------------------------------------------------------------------
Ron Rosson                         ... and a UNIX user said ...
The InSaNe One                            rm -rf *
insane@oneinsane.net                  and all was /dev/null and *void()
-------------------------------------------------------------------
Tell me what you need, and I'll tell you how to get along without it.

From owner-freebsd-ipfw Tue Jan 18 0:19:50 2000
Received: from jason.argos.org (a1-3b058.neo.rr.com [24.93.181.58]) by hub.freebsd.org (Postfix) with ESMTP id C51C814CF9 for ; Tue, 18 Jan 2000 00:19:48 -0800 (PST) (envelope-from mike@argos.org)
Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id DAA00464; Tue, 18 Jan 2000 03:19:22 -0500
Date: Tue, 18 Jan 2000 03:19:22 -0500 (EST)
From: Mike Nowlin
To: Olaf Hoyer
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Simple router with basic firewall functionalioties
In-Reply-To: <4.1.20000114165656.00c8d940@mail.rz.fh-wilhelmshaven.de>
Content-Type: TEXT/PLAIN; charset=US-ASCII

> Well, I want to recycle my old 486 for a security project...

Drill a 3/4" hole through the middle of the case, a matching hole in front of your door, put a steel bar through the case into the hole in your floor, and the door stays shut.... Why spend $39.95 for a Door Club???

:)
mike

From owner-freebsd-ipfw Tue Jan 18 0:38:57 2000
Received: from jason.argos.org (a1-3b058.neo.rr.com [24.93.181.58]) by hub.freebsd.org (Postfix) with ESMTP id DEA0915201 for ; Tue, 18 Jan 2000 00:38:47 -0800 (PST) (envelope-from mike@argos.org)
Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id DAA00585; Tue, 18 Jan 2000 03:38:45 -0500
Date: Tue, 18 Jan 2000 03:38:45 -0500 (EST)
From: Mike Nowlin
To: Mark Holloway
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Is IPFW Static or Dynamic?
In-Reply-To: <001e01bf5eae$95cc2e10$942510ac@sierrahealth.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII

> At work we have a T1 to the net and a PIX firewall. It works great for
> Layer 3 protection, but we have another T1 link coming in and before I
> propose another $18,000 solution [which is high in price for what it does],
> I want to investigate what FreeBSD + IPFW can do for me. It has nothing to
> do with being a "free" solution, rather, it has everything to do with how
> solid and robust the TCP/IP stack is.

In my opinion, the FreeBSD IP stack is about as solid and robust as you can get... There have been several times when I've tried to do a particular job with Linux or some other OS, and FreeBSD has come out to be the best solution in terms of both speed and reliability.

> The intended goal: To set up a firewall with two NIC cards. One for the
> Internet, one for the private network. There are 12 private subnets inside
> our network, and a 3Com Netbuilder II Router will forward all "unknown"
> packets from the inside of our network to the internal interface of the
> FreeBSD box. There will not be a DMZ (yet), but maybe in the future.
> We have clients from the outside who will connect to the inside of our network
> using Microsoft PPTP/VPN. We also have to allow inbound connections for
> SMTP, FTP (which will eventually go to the DMZ), and some custom port
> configurations for Citrix clients from home (currently these are configured
> at ports 1400-1405, so they are out of the standard range). From the inside
> of our network going outbound, we have to allow Telnet on ports 3000-3006.
> One thing that's interesting about the PIX is that I had to set up routes
> for the other subnets. For example, the PIX lives on 172.16.10.xxx/16. We
> have clients on routed segments (inside our network, from the Netbuilder II)
> on 192.168.xxx.xxx/24 - and there is approximately 10 class C networks
> there. So on the PIX I had to configure "route inside 192.168.20.1
> 255.255.255.0 172.16.1.1" - 172.16.1.1=Netbuilder II. So when packets
> originate from 192.16.20.1, the Netbuilder forwards them to the PIX (because
> the IP for FreeBSD.org doesn't exist inside our network, so the "destination
> of last resort" is the IP of the PIX which forwards to the Internet) - but
> then the PIX has to know when packets come back, where does it forward to?
> Well, the answer is 172.16.1.1 which knows how to reach 192.168.20.1.

As for the routing end of it, no problem. A fairly simple combination of IPFW and NATD will handle all of your internal issues, and some basic IPFW rules take care of the outside end of it.

Not to question your brainpower, but you mentioned "172.16.10.xxx/16" and "192.168.xxx.xxx/24" - these seem incorrect in regards to IP block/netmask... ??? Fast fingers?

> Does this make sense? Is it doable with FreeBSD and IPFW? Does anyone here
> know what the benefits of IPFW are versus PIX? PIX is pretty much a layer 3
> only Firewall with some extended features, but not much. I can use
> encryption, but I can't share certificates like I can with Firewall-1. What
> does FreeBSD offer for encryption using a VPN? Does FreeBSD support IPSec?

I haven't had a reason to play around with IPsec yet, but (if memory's working right now), I think there's some ports that may support it. I believe there's also a couple that allow PPTP from Windoze machines as well.

> I would greatly appreciate ANY feedback from this list...I'm not subscribed,
> so please "reply to all" so I get a CC:. Thanks!

Subscribe to it -- it's worth it... :)

mike

From owner-freebsd-ipfw Tue Jan 18 1:29:56 2000
Received: from expnet.net (mail.expnet.net [216.174.90.22]) by hub.freebsd.org (Postfix) with ESMTP id 206FB1503E for ; Tue, 18 Jan 2000 01:29:55 -0800 (PST) (envelope-from briang@expnet.net)
Received: from briangdesktop [216.174.90.9] by expnet.net (SMTPD32-5.08) id A5B8187A023C; Tue, 18 Jan 2000 01:43:20 -0800
Message-ID: <000701bf6198$8a641000$095aaed8@expnet.net>
Reply-To: "Brian Gallucci"
From: "Brian Gallucci"
Subject: New Firewall
Date: Tue, 18 Jan 2000 01:43:57 -0800
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200

We are looking at putting up a new firewall at one of our clients' sites using FreeBSD 3-4. Are there any bugs we should know about? They will be doing some webhosting and email.
Thanks
-Brian

From owner-freebsd-ipfw Tue Jan 18 8:02:50 2000
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id F1D3914D96 for ; Tue, 18 Jan 2000 08:02:46 -0800 (PST) (envelope-from dmartin@origen.com)
Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id KAA77790; Tue, 18 Jan 2000 10:02:44 -0600 (CST) (envelope-from dmartin@origen.com)
Message-ID: <38848E6A.3526FCF0@origen.com>
Date: Tue, 18 Jan 2000 10:01:46 -0600
From: Richard Martin
X-Mailer: Mozilla 4.6 [en] (WinNT; I)
X-Accept-Language: en
To: "Crist J. Clark"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: loss of setup option in ipfw
References: <3882608D.E77903EE@origen.com> <20000117205243.A63571@cc942873-a.ewndsr1.nj.home.com> <3883DFAC.9129CCBA@origen.com> <20000118000301.C63571@cc942873-a.ewndsr1.nj.home.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

"Crist J. Clark" wrote:
> > > > I cannot now use the 'setup' option for TCP packets.
> You would not happen to have a file named 'setup' in the pwd you
> are trying to execute ipfw from?

Doh! This was exactly it. I cat'd results of another script into a file called 'setup' to check its run output. I had no idea the ipfw would be looking at that file. Removing it solved the problem, thanks.

-- 
Richard Martin               dmartin@origen.com
OriGen Biomedical            Tel: +1 512 474 7278
2525 Hartford Rd.            Fax: +1 512 708 8522
Austin, TX 78703             http://www.formed.net

From owner-freebsd-ipfw Tue Jan 18 8:25:27 2000
Received: from intranova.net (blacklisted.intranova.net [209.3.31.70]) by hub.freebsd.org (Postfix) with SMTP id F02BA14E4F for ; Tue, 18 Jan 2000 08:25:20 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 10008 invoked from network); 18 Jan 2000 11:27:31 -0000
Received: from hydrant.intranova.net (user6378@209.201.95.10) by blacklisted.intranova.net with SMTP; 18 Jan 2000 11:27:31 -0000
Date: Tue, 18 Jan 2000 11:22:27 -0500 (EST)
From: Omachonu Ogali
To: Brian Gallucci
Cc: isp@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: New Firewall
In-Reply-To: <000901bf6198$df4927e0$095aaed8@expnet.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII

The following rules can help if you are going to be running SMTP, HTTP, POP3, and HTTPS, delete what you don't need.

# -- Pass through for already established connections
ipfw add allow tcp from any to any established

# -- SMTP
ipfw add allow tcp from any to x.x.x.x 25

# -- HTTP
ipfw add allow tcp from any to x.x.x.x 80

# -- POP3
ipfw add allow tcp from any to x.x.x.x 110

# -- HTTPS
ipfw add allow tcp from any to x.x.x.x 443

# -- Allow setup of outgoing connections
ipfw add allow tcp from x.x.x.x to any setup

# -- Deny setup of other incoming connections
ipfw add deny tcp from any to any setup

# -- Deny other incoming IP packets.
ipfw add deny ip from any to any

Omachonu Ogali
Intranova Networking Group

On Tue, 18 Jan 2000, Brian Gallucci wrote:

> We are looking at putting up a new firewall at one of our clients' sites
> using FreeBSD 3-4. Are there any bugs we should know about with IPFW? They
> will be doing some webhosting and email.
>
> Thanks
> -Brian

From owner-freebsd-ipfw Tue Jan 18 8:34:51 2000
Received: from proteus.eclipse.net.uk (proteus.eclipse.net.uk [195.188.32.118]) by hub.freebsd.org (Postfix) with ESMTP id ECD3414C37; Tue, 18 Jan 2000 08:34:45 -0800 (PST) (envelope-from sh@eclipse.net.uk)
Received: from eclipse.net.uk (elara.eclipse.net.uk [195.188.32.31]) by proteus.eclipse.net.uk (Postfix) with ESMTP id A74109BF8; Tue, 18 Jan 2000 16:34:39 +0000 (GMT)
Message-ID: <38849638.1AF1138E@eclipse.net.uk>
Date: Tue, 18 Jan 2000 16:35:04 +0000
From: Stuart Henderson
Organization: Eclipse Networking Ltd
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en-GB
To: Omachonu Ogali
Cc: Brian Gallucci , isp@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: New Firewall
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

> The following rules can help if you are going to be running SMTP, HTTP,
> POP3, and HTTPS, delete what you don't need.

You also need to pass icmp fragmentation-needed messages if you don't want to risk breaking access to/from some sites.
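The rule set posted above, and the ICMP point Stuart Henderson raises, can be checked against a model rather than argued over. The program below is an added example, not part of the thread or of FreeBSD: a small C model of ipfw's first-match evaluation with the two TCP-flag selectors defined as ipfw(8) documents them (established = RST or ACK set; setup = SYN set and ACK clear). The corrected[] rule set, the ICMP rule written as "allow icmp from any to any icmptypes 3", and the sample packets are this example's own constructions. It shows which packets the inbound service rules pass when written without setup, that "deny tcp from any to any setup" matches a strict subset of what "deny ip from any to any" matches, and why the outcome of dropping that final rule depends on the kernel's default rule.

```c
/* Added example; not code from the thread or from FreeBSD.  A small model
 * of ipfw(8) first-match evaluation, written to show what the quoted
 * "established" and "setup" options select, which packets the inbound
 * service rules pass without "setup", and that "deny tcp from any to any
 * setup" and "deny ip from any to any" match different packets.
 * Per ipfw(8): established = TCP with RST or ACK set; setup = TCP with
 * SYN set and ACK clear.  Addresses are reduced to flags saying whether
 * the source/destination is the server written x.x.x.x in the thread. */
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum proto  { P_IP = 0, P_ICMP = 1, P_TCP = 6, P_UDP = 17 };
enum action { A_DENY = 0, A_ALLOW = 1 };
enum sel    { S_NONE, S_SETUP, S_ESTABLISHED };

/* For ICMP this model carries the ICMP type in "dport". */
struct pkt  { enum proto proto; int src_srv, dst_srv; int dport; unsigned flags; };
/* proto P_IP matches any protocol; src_srv/dst_srv 0 = any; dport 0 = any. */
struct rule { enum action act; enum proto proto; int src_srv, dst_srv; int dport; enum sel sel; };

static int is_setup(const struct pkt *p)
{ return p->proto == P_TCP && (p->flags & TH_SYN) && !(p->flags & TH_ACK); }

static int is_established(const struct pkt *p)
{ return p->proto == P_TCP && (p->flags & (TH_RST | TH_ACK)) != 0; }

int rule_matches(const struct rule *r, const struct pkt *p)
{
    if (r->proto != P_IP && r->proto != p->proto) return 0;
    if (r->src_srv && !p->src_srv) return 0;
    if (r->dst_srv && !p->dst_srv) return 0;
    if (r->dport && r->dport != p->dport) return 0;
    if (r->sel == S_SETUP && !is_setup(p)) return 0;
    if (r->sel == S_ESTABLISHED && !is_established(p)) return 0;
    return 1;
}

/* First matching rule decides.  If nothing matches, the kernel's default
 * rule 65535 applies: deny, unless the kernel was built with
 * IPFIREWALL_DEFAULT_TO_ACCEPT; "dflt" models that build option. */
enum action evaluate(const struct rule *rs, int n, const struct pkt *p, enum action dflt)
{
    for (int i = 0; i < n; i++)
        if (rule_matches(&rs[i], p)) return rs[i].act;
    return dflt;
}

/* The rule set as posted (x.x.x.x is the server). */
const struct rule as_posted[] = {
    { A_ALLOW, P_TCP, 0, 0,   0, S_ESTABLISHED }, /* allow tcp from any to any established */
    { A_ALLOW, P_TCP, 0, 1,  25, S_NONE },        /* allow tcp from any to x.x.x.x 25      */
    { A_ALLOW, P_TCP, 0, 1,  80, S_NONE },        /* allow tcp from any to x.x.x.x 80      */
    { A_ALLOW, P_TCP, 0, 1, 110, S_NONE },        /* allow tcp from any to x.x.x.x 110     */
    { A_ALLOW, P_TCP, 0, 1, 443, S_NONE },        /* allow tcp from any to x.x.x.x 443     */
    { A_ALLOW, P_TCP, 1, 0,   0, S_SETUP },       /* allow tcp from x.x.x.x to any setup   */
    { A_DENY,  P_TCP, 0, 0,   0, S_SETUP },       /* deny tcp from any to any setup        */
    { A_DENY,  P_IP,  0, 0,   0, S_NONE },        /* deny ip from any to any               */
};
const int n_posted = sizeof as_posted / sizeof as_posted[0];

/* Same set with "setup" on the inbound service rules, plus a rule passing
 * ICMP type 3 (destination unreachable, whose code 4 is "fragmentation
 * needed"): "ipfw add allow icmp from any to any icmptypes 3". */
const struct rule corrected[] = {
    { A_ALLOW, P_TCP,  0, 0,   0, S_ESTABLISHED },
    { A_ALLOW, P_TCP,  0, 1,  25, S_SETUP },
    { A_ALLOW, P_TCP,  0, 1,  80, S_SETUP },
    { A_ALLOW, P_TCP,  0, 1, 110, S_SETUP },
    { A_ALLOW, P_TCP,  0, 1, 443, S_SETUP },
    { A_ALLOW, P_ICMP, 0, 0,   3, S_NONE },
    { A_ALLOW, P_TCP,  1, 0,   0, S_SETUP },
    { A_DENY,  P_TCP,  0, 0,   0, S_SETUP },
    { A_DENY,  P_IP,   0, 0,   0, S_NONE },
};
const int n_corrected = sizeof corrected / sizeof corrected[0];

/* Constructed sample packets, all inbound towards the server. */
const struct pkt syn_to_smtp  = { P_TCP,  0, 1,  25, TH_SYN };   /* normal connect  */
const struct pkt fin_to_smtp  = { P_TCP,  0, 1,  25, TH_FIN };   /* FIN-scan probe  */
const struct pkt null_to_http = { P_TCP,  0, 1,  80, 0 };        /* NULL-scan probe */
const struct pkt syn_to_ssh   = { P_TCP,  0, 1,  22, TH_SYN };   /* unlisted port   */
const struct pkt udp_to_dns   = { P_UDP,  0, 1,  53, 0 };
const struct pkt frag_needed  = { P_ICMP, 0, 1,   3, 0 };        /* ICMP type 3     */

static void show(const char *name, const struct pkt *p)
{
    printf("%-9s as posted: %-5s corrected: %s\n", name,
           evaluate(as_posted, n_posted, p, A_DENY) ? "allow" : "deny",
           evaluate(corrected, n_corrected, p, A_DENY) ? "allow" : "deny");
}

int main(void)
{
    show("syn->25",  &syn_to_smtp);
    show("fin->25",  &fin_to_smtp);
    show("null->80", &null_to_http);
    show("syn->22",  &syn_to_ssh);
    show("udp->53",  &udp_to_dns);
    show("icmp 3",   &frag_needed);
    /* Dropping the final "deny ip" rule is only safe if the default rule denies. */
    printf("udp->53 without the deny-ip rule, default accept: %s\n",
           evaluate(as_posted, n_posted - 1, &udp_to_dns, A_ALLOW) ? "allow" : "deny");
    return 0;
}
```

Two things the model makes visible: without setup, the service rules pass any TCP segment to those ports, including FIN and NULL probes that neither the established rule nor the setup deny would touch; and the established rule is stateless, matching any packet with ACK or RST set, so neither the posted nor the corrected set can tell a genuine reply from an ACK probe (later ipfw versions added keep-state/check-state for that).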
From owner-freebsd-ipfw Tue Jan 18 9:27:12 2000
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 7E548150CF; Tue, 18 Jan 2000 09:27:06 -0800 (PST) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1344 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 18 Jan 2000 11:22:32 -0600 (CST) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 18 Jan 2000 11:22:31 -0600 (CST)
From: James Wyatt
To: Omachonu Ogali
Cc: Brian Gallucci , isp@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: New Firewall
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 18 Jan 2000, Omachonu Ogali wrote:
> The following rules can help if you are going to be running SMTP, HTTP,
> POP3, and HTTPS, delete what you don't need.
[ ... ]
> # -- Deny setup of other incoming connections
> ipfw add deny tcp from any to any setup
>
> # -- Deny other incoming IP packets.
> ipfw add deny ip from any to any

These rules are duplicate, so you can drop the first one. The last rule is commonly the default in /etc/rc.firewall as well. That aside, I might keep the first one and change it to '... deny log ...', thus logging connection attempts. On the other hand, that's what log_in_vain="YES" in /etc/rc.conf is all about...
- Jy@

From owner-freebsd-ipfw Tue Jan 18 9:34:21 2000
Received: from jetsam.com (flotsam.jetsam.com [205.179.180.122]) by hub.freebsd.org (Postfix) with ESMTP id BEFDE14CB7 for ; Tue, 18 Jan 2000 09:34:18 -0800 (PST) (envelope-from paulo@jetsam.com)
Received: (from paulo@localhost) by jetsam.com (8.9.3/8.9.3) id JAA35910 for Paul.Orr@jetsam.com; Tue, 18 Jan 2000 09:34:17 -0800 (PST)
Date: Tue, 18 Jan 2000 09:34:17 -0800 (PST)
From: Paul Orr
Message-Id: <200001181734.JAA35910@jetsam.com>
To: freebsd-ipfw@FreeBSD.ORG
Subject: perhaps not the best place but it's probably close....

Please redirect me if this is the most wrong place for this question..

I'm looking for information on how I might use two firewalls connected to two different ISPs. That is set it up so that connections coming in from one ISP also go out the same interface.

Thanks.

Paul Orr

From owner-freebsd-ipfw Tue Jan 18 9:35:53 2000
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 1C1B414F85; Tue, 18 Jan 2000 09:35:45 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA48588; Tue, 18 Jan 2000 09:35:35 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200001181735.JAA48588@gndrsh.dnsmgr.net>
Subject: Re: New Firewall
In-Reply-To: from Omachonu Ogali at "Jan 18, 2000 11:22:27 am"
To: oogali@intranova.net (Omachonu Ogali)
Date: Tue, 18 Jan 2000 09:35:34 -0800 (PST)
Cc: briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> The following rules can help if you are going to be running SMTP, HTTP,
> POP3, and HTTPS, delete what you don't need.

Allowing anything other than ``setup'' packets on these rules is a mistake...

>
> # -- Pass through for already established connections
> ipfw add allow tcp from any to any established
>
> # -- SMTP
> ipfw add allow tcp from any to x.x.x.x 25
                                           ^setup
>
> # -- HTTP
> ipfw add allow tcp from any to x.x.x.x 80
                                           ^setup
>
> # -- POP3
> ipfw add allow tcp from any to x.x.x.x 110
                                            ^setup
>
> # -- HTTPS
> ipfw add allow tcp from any to x.x.x.x 443
                                            ^setup
>
> # -- Allow setup of outgoing connections
> ipfw add allow tcp from x.x.x.x to any setup
>
> # -- Deny setup of other incoming connections
> ipfw add deny tcp from any to any setup
>
> # -- Deny other incoming IP packets.
> ipfw add deny ip from any to any

This should be the default rule and is not needed...

>
> Omachonu Ogali
> Intranova Networking Group
>
> On Tue, 18 Jan 2000, Brian Gallucci wrote:
>
> > We are looking at putting up a new firewall at one of our clients' sites
> > using FreeBSD 3-4. Are there any bugs we should know about with IPFW? They
> > will be doing some webhosting and email.
> >
> > Thanks
> > -Brian

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Tue Jan 18 9:37:55 2000
Received: from mail.alpha1.net (mail.alpha1.net [216.88.112.3]) by hub.freebsd.org (Postfix) with ESMTP id 00B2314C07; Tue, 18 Jan 2000 09:37:47 -0800 (PST) (envelope-from marius@alpha1.net)
Received: from marius.org (marius@marius.org [216.88.115.170]) by mail.alpha1.net (8.9.3/8.9.3) with ESMTP id KAA01393; Tue, 18 Jan 2000 10:28:45 -0600
Date: Tue, 18 Jan 2000 10:28:44 -0600 (CST)
From: Marius Strom
X-Sender: marius@marius.org
To: Omachonu Ogali
Cc: Brian Gallucci , isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: New Firewall
Content-Type: TEXT/PLAIN; charset=US-ASCII

Incidentally, you may want to allow (udp|tcp)/53 for DNS services inbound, if that's necessary. ( It's fumbled many a new FW setup )

-- 
Marius Strom
Professional Geek/Unix System Administrator
Alpha1 Internet
http://www.marius.org/marius.pgp 0x5645C228
In theory, there is no difference between theory and practice...
...In practice, there is a big difference.

On Tue, 18 Jan 2000, Omachonu Ogali wrote:

> The following rules can help if you are going to be running SMTP, HTTP,
> POP3, and HTTPS, delete what you don't need.
>
> # -- Pass through for already established connections
> ipfw add allow tcp from any to any established
>
> # -- SMTP
> ipfw add allow tcp from any to x.x.x.x 25
>
> # -- HTTP
> ipfw add allow tcp from any to x.x.x.x 80
>
> # -- POP3
> ipfw add allow tcp from any to x.x.x.x 110
>
> # -- HTTPS
> ipfw add allow tcp from any to x.x.x.x 443
>
> # -- Allow setup of outgoing connections
> ipfw add allow tcp from x.x.x.x to any setup
>
> # -- Deny setup of other incoming connections
> ipfw add deny tcp from any to any setup
>
> # -- Deny other incoming IP packets.
> ipfw add deny ip from any to any
>
> Omachonu Ogali
> Intranova Networking Group
>
> On Tue, 18 Jan 2000, Brian Gallucci wrote:
>
> > We are looking at putting up a new firewall at one of our clients' sites
> > using FreeBSD 3-4. Are there any bugs we should know about with IPFW? They
> > will be doing some webhosting and email.
> >
> > Thanks
> > -Brian

From owner-freebsd-ipfw Tue Jan 18 9:40:47 2000
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 7DF9614F55; Tue, 18 Jan 2000 09:40:41 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA48605; Tue, 18 Jan 2000 09:40:33 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200001181740.JAA48605@gndrsh.dnsmgr.net>
Subject: Re: New Firewall
In-Reply-To: from James Wyatt at "Jan 18, 2000 11:22:31 am"
To: jwyatt@rwsystems.net (James Wyatt)
Date: Tue, 18 Jan 2000 09:40:33 -0800 (PST)
Cc: oogali@intranova.net (Omachonu Ogali), briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> On Tue, 18 Jan 2000, Omachonu Ogali wrote:
> > The following rules can help if you are going to be running SMTP, HTTP,
> > POP3, and HTTPS, delete what you don't need.
> [ ... ]
> > # -- Deny setup of other incoming connections
> > ipfw add deny tcp from any to any setup
> >
> > # -- Deny other incoming IP packets.
> > ipfw add deny ip from any to any
>
> These rules are duplicate, so you can drop the first one. The last rule is
> commonly the default in /etc/rc.firewall as well. That aside, I might keep
> the first one and change it to '... deny log ...', thus logging connection
> attempts. On the other hand, that's what log_in_vain="YES" in /etc/rc.conf
> is all about... - Jy@

These rules are not equivalent, ip != tcp, and setup != null. The first rule is _VERY_ important. The second can be eliminated, see other email from me on missing ``setup'' on all the other rules...
-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Tue Jan 18 9:43:03 2000
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id C82D215330; Tue, 18 Jan 2000 09:42:57 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA48615; Tue, 18 Jan 2000 09:42:41 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200001181742.JAA48615@gndrsh.dnsmgr.net>
Subject: Re: New Firewall
In-Reply-To: from Marius Strom at "Jan 18, 2000 10:28:44 am"
To: marius@alpha1.net (Marius Strom)
Date: Tue, 18 Jan 2000 09:42:41 -0800 (PST)
Cc: oogali@intranova.net (Omachonu Ogali), briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> Incidentally, you may want to allow (udp|tcp)/53 for DNS services inbound,
> if that's necessary. ( It's fumbled many a new FW setup )

And is often done quite wrong. udp|tcp/53 is often used as a way around a firewall if the rules are not written correctly. See archive of this and other FreeBSD mailing lists for lots of discussion about how to and how not to do this correctly.

...[No need to quote the whole thing yet again....]
-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Tue Jan 18 9:47:11 2000
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 58D7315097; Tue, 18 Jan 2000 09:47:06 -0800 (PST) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1439 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 18 Jan 2000 11:44:19 -0600 (CST) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 18 Jan 2000 11:44:19 -0600 (CST)
From: James Wyatt
To: "Rodney W. Grimes"
Cc: Omachonu Ogali , Brian Gallucci , isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: New Firewall
In-Reply-To: <200001181735.JAA48588@gndrsh.dnsmgr.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Oops, good call! Make sure you add the 'add pass tcp from any to any established' rule so you can get past the setup. Hey, aren't we just building the /etc/rc.firewall file again? (^_^) ipfw rules! - Jy@

On Tue, 18 Jan 2000, Rodney W. Grimes wrote:
> > The following rules can help if you are going to be running SMTP, HTTP,
> > POP3, and HTTPS, delete what you don't need.
>
> Allowing anything other than ``setup'' packets on these rules is a mistake...
>
> > # -- Pass through for already established connections
> > ipfw add allow tcp from any to any established
> >
> > # -- SMTP
> > ipfw add allow tcp from any to x.x.x.x 25
>                                            ^setup
>
[ ... ]

From owner-freebsd-ipfw Tue Jan 18 10:02:00 2000
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 927B614FD9; Tue, 18 Jan 2000 10:01:51 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id KAA48678; Tue, 18 Jan 2000 10:01:42 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200001181801.KAA48678@gndrsh.dnsmgr.net>
Subject: Re: New Firewall
In-Reply-To: from James Wyatt at "Jan 18, 2000 11:44:19 am"
To: jwyatt@rwsystems.net (James Wyatt)
Date: Tue, 18 Jan 2000 10:01:42 -0800 (PST)
Cc: oogali@intranova.net (Omachonu Ogali), briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> Oops, good call! Make sure you add the 'add pass tcp from any to any
> established' rule so you can get past the setup. Hey, aren't we just
> building the /etc/rc.firewall file again? (^_^) ipfw rules! - Jy@

The established rule is already there, stop speed reading.. ipfw is not a place to do things fast and hasty, but slow and careful.

>
> On Tue, 18 Jan 2000, Rodney W. Grimes wrote:
> > > The following rules can help if you are going to be running SMTP, HTTP,
> > > POP3, and HTTPS, delete what you don't need.
> >
> > Allowing anything other than ``setup'' packets on these rules is a mistake...
> >
> > > # -- Pass through for already established connections
> > > ipfw add allow tcp from any to any established
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >
> > > # -- SMTP
> > > ipfw add allow tcp from any to x.x.x.x 25
> >                                            ^setup
> >
> [ ... ]
>

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Tue Jan 18 10:22:32 2000
Received: from inago.swcp.com (inago.swcp.com [198.59.115.17]) by hub.freebsd.org (Postfix) with ESMTP id B3CD014CA6 for ; Tue, 18 Jan 2000 10:22:29 -0800 (PST) (envelope-from synk@swcp.com)
Received: (from synk@localhost) by inago.swcp.com (8.8.7/8.8.7) id LAA21018; Tue, 18 Jan 2000 11:22:18 -0700 (MST)
Date: Tue, 18 Jan 2000 11:22:18 -0700
From: Brendan Conoboy
To: "Ron 'The InSaNe One' Rosson"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: incorporating ipfilter
Message-ID: <20000118112218.A10262@inago.swcp.com>
References: <20000117225352.A9148@lunatic.oneinsane.net>
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <20000117225352.A9148@lunatic.oneinsane.net>; from Ron 'The InSaNe One' Rosson on Mon, Jan 17, 2000 at 10:53:52PM -0800

On Mon, Jan 17, 2000 at 10:53:52PM -0800, Ron 'The InSaNe One' Rosson wrote:
> I come from using IPFW but want to learn and experiment with ipfilter. I
> guess you can say I have grown accustomed to /etc/rc.conf and
> /etc/rc.firewall to do all the work for me. Well with ipfilter there are
> no implementations for it.
>
> Here are a few questions that I seem to not be able to find answers for:
> 1. What is the name of the conf file and its location? (/etc/ipf.conf)
> 2. How is it called in the startup scripts.
> 3. Other links of reference that tie closely with the *BSD way of
> doing things?
>
> Any info or pointers is greatly appreciated.

Hi Tia,

FreeBSD doesn't currently have any ipf support in rc.conf and rc.firewall. I've promised to do this, and it looks like I better get hopping if I want it to be included in freebsd 4.0.
You probably want to do something like "/sbin/ipf -f /etc/ipf.rules" in your
rc.firewall script, or maybe even in rc itself. If you're also doing nat,
"/usr/sbin/ipnat -f /etc/ipnat.conf". As an aid in creating ipf.rules and
ipnat.conf, take a look at the howto at:

  http://www.obfuscation.org/ipf/

-Brendan (synk@swcp.com)

From owner-freebsd-ipfw Tue Jan 18 10:52:48 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 89B8A14EE2 for ; Tue, 18 Jan 2000 10:52:42 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id NAA03999; Tue, 18 Jan 2000 13:53:01 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Tue, 18 Jan 2000 13:53:01 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: mouss
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Two-way transparency
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 17 Jan 2000, mouss wrote:

> This is easily done by making the proxy bind() its client socket
> to the address of the original client, before calling connect() and,
> in the case of unconnected sockets, before calling any send() function.
>
> more precisely, a proxy will have two socket descriptors:
> client_fd: socket used between client and proxy
> server_fd: socket between proxy and remote server.
>
> a getpeername(client_fd, ...) yields the IP address of the client (among
> other things).
> store this in a struct sockaddr variable "client_addr".
> Then just call
>
> error = bind(server_fd, (struct sockaddr *)&client_addr, client_addr_len);
> if (error < 0) {
>     unhappy("cannot bind it....");
> }
>
> This makes the proxy use the IP client address as its "outgoing" address.
> This works because the TCP/IP stack doesn't normally check that the address
> you bind to is local or not.

I seem to get

  bind: Can't assign requested address

when trying what you suggest--it could be that I'm doing it wrong, or it
could be that there is actually a test to check for a valid client IP.
This code from netinet/in_pcb.c suggests that there is such a check, at
least in 3.4-STABLE:

	} else if (sin->sin_addr.s_addr != INADDR_ANY) {
		sin->sin_port = 0;		/* yech... */
		if (ifa_ifwithaddr((struct sockaddr *)sin) == 0)
			return (EADDRNOTAVAIL);

I.e., if there is no interface hosting the given address, then reject the
address. This is after a check for multicast addresses... I haven't read
the divert code in detail, so don't know how that might impact things.

> There are three notes here:
>
> 1- you can't force the arbitrary source port to that of the client, since
> the port is not necessarily free on the gateway host. anyway, there's no
> reason to force an arbitrary port!

I would have thought it would be possible given that, if the client uses
(clientIP,port) then it knows it is unique, meaning that we should also
have no existing binding for (clientIP,port) on the firewall box. My
understanding was that on a given box (*,port) didn't have to be available
just (mychoiceIP,port).

> 2- You'll have to check your packet filter config carefully to make sure
> that responses to proxy packets will be returned to the proxy! Indeed,
> since you're using the client IP address to send packets, responses will
> be directed to the client. you then have to divert these responses to the
> proxy and make sure there is no other route to the client. otherwise,
> you'll end with "dangling connections"!
I'm not clear on what you mean--to what extent, based on the tcp
connection block configured using bind, will the kernel know to "just do
the right thing"? Will I need to add an ipfw fwd entry to force packets
to the right place come from the target host via the proxy?

> 3- Under Solaris (this doesn't concern BSD but is worth noting), if you
> call rresvport() to use a reserved port, then the bind() above will fail.
> I am not sure if this was a bug and whether it has been fixed, but an easy
> workaround is to copy the BSD version of rresvport() and call it instead
> of that of the system.
>
>
> While I am in, I am in the process of writing new proxies (with the above
> functionality and other functionalities as well). The fwtk is getting old
> and NAI are MS-oriented. I am planning to implement this in C (but I am
> open to using C++ instead, if there are enough arguments) and have many
> ideas in mind. Are there any volunteers?

Unfortunately time and work prohibit my becoming seriously involved in such
a project at this time :-).

> Regards,
>
> mouss
>
> > -----Original Message-----
> > From: owner-freebsd-ipfw@FreeBSD.ORG
> > [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Robert Watson
> > Sent: Friday, January 07, 2000 2:45 PM
> > To: freeb sd-ipfw@freebsd.org
> > Subject: Two-way transparency
> >
> > Last night at the fug-washdc meeting, we discussed expansions to ipfw that
> > might be useful--no doubt someone will post a summary soon. One of the
> > issues I raised and am interested in is the ability to have userland
> > proxies filter traffic in a completely transparent way -- i.e., two way
> > transparency. Right now with NAT and divert sockets, fwds, etc, it's easy
> > to do transparency from the perspective of a client application *making* a
> > connection, but I'm not sure how to go about allowing the proxy to go
> > about making an outgoing connection that appears to come from the client.
> > There are a number of applications where this would be useful, including
> > transparent local firewalls on multi-user machines, filtering incoming
> > connections, firewalls for protocols that bind address information into
> > their connections, etc. It would allow a userland proxy-based firewall
> > (such as fwtk, etc) to look more like a traditional packet filter not
> > running with NAT.
> >
> > Anyone have any thoughts on this? :-)
> >
> > Robert N M Watson
> >
> > robert@fledge.watson.org http://www.watson.org/~robert/
> > PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> > TIS Labs at Network Associates, Safeport Network Services

Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-ipfw Tue Jan 18 16: 2:12 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from postfix1.free.fr (postfix1.free.fr [212.27.32.21]) by hub.freebsd.org (Postfix) with ESMTP id 9CBF6151CB for ; Tue, 18 Jan 2000 16:02:07 -0800 (PST) (envelope-from usebsd@free.fr)
Received: from safi (paris11-nas4-46-39.dial.proxad.net [212.27.46.39]) by postfix1.free.fr (Postfix) with SMTP id 6CFB028EF3; Wed, 19 Jan 2000 00:52:04 +0100 (MET)
From: "mouss"
Subject: RE: Two-way transparency
Date: Wed, 19 Jan 2000 01:07:04 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Importance: Normal
Sender:
owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> When trying what you suggest--it could be that I'm doing it wrong, or it
> could be that there is actually a test to check for a valid client IP.
> This code from netinet/in_pcb.c suggests that there is such a check, at
> least in 3.4-STABLE:
>
> 	} else if (sin->sin_addr.s_addr != INADDR_ANY) {
> 		sin->sin_port = 0;		/* yech... */
> 		if (ifa_ifwithaddr((struct sockaddr *)sin) == 0)
> 			return (EADDRNOTAVAIL);
>
> I.e., if there is no interface hosting the given address, then reject the
> address. This is after a check for multicast addresses... I haven't read
> the divert code in detail, so don't know how that might impact things.

you're right. my claim "the normal stack does not check the address" is not
true. I was working with a modified code that indeed does not check ;-<

We then have to modify the code above. The simplest is to allow processes
to bind to any address they want:

	} else if (sin->sin_addr.s_addr != INADDR_ANY) {
#ifndef FULLY_TRANSPARENT
		sin->sin_port = 0;		/* yech... */
		if (ifa_ifwithaddr((struct sockaddr *)sin) == 0)
			return (EADDRNOTAVAIL);
#endif

with this, a user may send packets with a forged source address. however,
on a serious firewall, only trusted guys should be able to start network
services. one can restrict the addresses to those for which a divert rule
exists. a more restrictive scheme would be to maintain a list of diverted
packets and to allow the above binding only to the source addresses of
these packets, but this would be a lot of work for nothing!

maybe some guys who know the divert code have a better answer...

> I would have thought it would be possible given that, if the client uses
> (clientIP,port) then it knows it is unique, meaning that we should also
> have no existing binding for (clientIP,port) on the firewall box. My
> understanding was that on a given box (*,port) didn't have to be available
> just (mychoiceIP,port).

What did I smoke?
using the client port is only a problem when not using the client address,
but this would be a strange choice!

> I'm not clear on what you mean--to what extent, based on the tcp
> connection block configured using bind, will the kernel know to "just do
> the right thing"? Will I need to add an ipfw fwd entry to force packets
> to the right place come from the target host via the proxy?

the response packet is first examined by ip_input. its destination address
is compared to local addresses, and if no match is found and no ip
filtering rule requires that the packet be locally delivered, it will be
forwarded and no check is done at the TCP level. ip_input won't check the
PCBs to see whether a process is waiting for this response. thus, you have
to add a filtering rule so that the packet is considered as a local one so
that the code in ip_input would "goto ours". such a rule may be added by
the proxy itself (and then removed by the proxy when it is no longer
needed). This way, there would be no need to add a static rule, and
moreover, the rule may be "very specific", that is, it may contain all the
ports (while on a static rule, you won't specify the arbitrary port).

A more serious problem is when many routes exist between the client and
the server. If the server response is not delivered to the firewall that
relayed the client request, then there is no chance that the proxy gets it.
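The bind() rejection Watson hit, and the knob mouss proposes to get around it, can be reproduced from userland. The function below does what the proxy in this exchange does: it creates a TCP socket and bind()s it to a chosen source address with port 0 before any connect(). This is an added example placed after mouss's reply; it is not code from the thread or from any proxy the posters mention. 192.0.2.1 is a documentation address that no interface on the test host carries, standing in for the client's address. The `freebind` flag tries the platform's own switch for skipping the locality check (IP_FREEBIND on Linux, which is unprivileged; IP_BINDANY on later FreeBSD, which needs privilege), the closest shipped equivalent of the FULLY_TRANSPARENT change sketched above; on a 3.4-STABLE kernel there is no such switch and the function reports ENOPROTOOPT.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a fresh TCP socket to src_ip with an ephemeral port, the way a proxy
 * would before connect()ing onward as the client.  Returns 0 on success or
 * the errno from socket()/setsockopt()/bind().  freebind != 0 asks the kernel
 * to skip its "is this address configured on an interface?" test. */
int bind_as_client(const char *src_ip, int freebind)
{
    struct sockaddr_in sa;
    int fd, err = 0;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                     /* kernel picks the port (note 1 above) */
    if (inet_pton(AF_INET, src_ip, &sa.sin_addr) != 1)
        return EINVAL;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    if (freebind) {
        int one = 1;
#if defined(IP_FREEBIND)
        /* Linux: unprivileged; the kernel then accepts any address here. */
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0)
            err = errno;
#elif defined(IP_BINDANY)
        /* FreeBSD 8 and later: same effect, but the option needs privilege. */
        if (setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof one) < 0)
            err = errno;
#else
        (void)one;
        err = ENOPROTOOPT;               /* no such knob: the 3.4-STABLE situation */
#endif
    }
    if (err == 0 && bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        err = errno;                     /* EADDRNOTAVAIL is the in_pcb.c rejection */
    close(fd);
    return err;
}

int main(void)
{
    /* INADDR_ANY never reaches the ifa_ifwithaddr() test; 192.0.2.1 always does. */
    printf("bind 0.0.0.0           -> %s\n", strerror(bind_as_client("0.0.0.0", 0)));
    printf("bind 192.0.2.1         -> %s\n", strerror(bind_as_client("192.0.2.1", 0)));
    printf("bind 192.0.2.1 (free)  -> %s\n", strerror(bind_as_client("192.0.2.1", 1)));
    return 0;
}
```

On a stock Linux host the plain bind() to 192.0.2.1 fails with EADDRNOTAVAIL, the same "Can't assign requested address" Watson saw, while the IP_FREEBIND attempt succeeds. A kernel that allows that bind for every process is exactly the situation mouss warns about: any local user can then originate packets with a forged source address. The successful bind is also only half the job. The server's replies are addressed to the client, so unless the filter steers them into the proxy (note 2, and the ip_input "goto ours" point above) they are forwarded straight past it.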
From owner-freebsd-ipfw Wed Jan 19 0:40:29 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from relay.ucb.crimea.ua (UCB-Async4-CRISCO.CRIS.NET [212.110.129.130]) by hub.freebsd.org (Postfix) with ESMTP id 3A08614EBA; Wed, 19 Jan 2000 00:40:01 -0800 (PST) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.9.3/8.9.3/UCB) id KAA61586; Wed, 19 Jan 2000 10:41:56 +0200 (EET) (envelope-from ru)
Date: Wed, 19 Jan 2000 10:41:56 +0200
From: Ruslan Ermilov
To: committers@FreeBSD.org
Cc: ipfw@FreeBSD.org
Subject: Assigning responsible for ipfw(8)-related PRs
Message-ID: <20000119104156.D49712@relay.ucb.crimea.ua>
Mail-Followup-To: committers@FreeBSD.org, ipfw@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi!

How about assigning ipfw(8)-related PRs to freebsd-ipfw?
Cheers,
--
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-ipfw Wed Jan 19 17:19:31 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from zero.arkaine.com (zero.arkaine.com [206.217.210.40]) by hub.freebsd.org (Postfix) with ESMTP id 8334414C2A; Wed, 19 Jan 2000 17:19:22 -0800 (PST) (envelope-from andre@arkaine.com)
Received: from s.arkaine.com (s.arkaine.com [192.168.10.10]) by zero.arkaine.com (8.9.3/8.9.3) with ESMTP id VAA01053; Wed, 19 Jan 2000 21:15:00 -0500 (EST) (envelope-from andre@arkaine.com)
Received: by s.arkaine.com with Internet Mail Service (5.5.2650.21) id ; Wed, 19 Jan 2000 20:22:24 -0500
Message-ID: <6C191944837ED311863A00104BC7598F774E@s.arkaine.com>
From: Andre Chang
To: "'Stuart Henderson'" , Omachonu Ogali
Cc: Brian Gallucci , isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: RE: New Firewall
Date: Wed, 19 Jan 2000 20:22:13 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Mr. Henderson,

could you elaborate on the "icmp fragmentation-needed messages" please?

I'm trying to track down the following error:

Jan 18 09:02:56 `host_clipped` sendmail[49987]: NOQUEUE: SYSERR: putoutmsg ([xxx.xxx.xxx.xxx]): error on output channel sending "220 `hostname_clipped` ESMTP Sendmail 8.9.3/8.9.3; Tue, 18 Jan 2000 09:02:56 GMT": Broken pipe

Thanks.
-----Original Message-----
From: Stuart Henderson [mailto:sh@eclipse.net.uk]
Sent: Tuesday, January 18, 2000 11:35 AM
To: Omachonu Ogali
Cc: Brian Gallucci; isp@FreeBSD.ORG; freebsd-ipfw@FreeBSD.ORG
Subject: Re: New Firewall

> The following rules can help if you are going to be running SMTP, HTTP,
> POP3, and HTTPS, delete what you don't need.

You also need to pass icmp fragmentation-needed messages if you don't want
to risk breaking access to/from some sites.

From owner-freebsd-ipfw Wed Jan 19 20:45: 1 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 4826114E9F; Wed, 19 Jan 2000 20:44:57 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id XAA71154; Wed, 19 Jan 2000 23:48:27 -0500 (EST) (envelope-from cjc)
Date: Wed, 19 Jan 2000 23:48:27 -0500
From: "Crist J. Clark"
To: "Rodney W. Grimes"
Cc: James Wyatt , Omachonu Ogali , Brian Gallucci , isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: New Firewall
Message-ID: <20000119234827.A70698@cc942873-a.ewndsr1.nj.home.com>
References: <200001181740.JAA48605@gndrsh.dnsmgr.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200001181740.JAA48605@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Tue, Jan 18, 2000 at 09:40:33AM -0800
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Jan 18, 2000 at 09:40:33AM -0800, Rodney W.
Grimes wrote:
> > On Tue, 18 Jan 2000, Omachonu Ogali wrote:
> > > The following rules can help if you are going to be running SMTP, HTTP,
> > > POP3, and HTTPS, delete what you don't need.
> > [ ... ]
> > > # -- Deny setup of other incoming connections
> > > ipfw add deny tcp from any to any setup
> > >
> > > # -- Deny other incoming IP packets.
> > > ipfw add deny ip from any to any
> >
> > These rules are duplicate, so you can drop the first one. The last rule is
> > commonly the default in /etc/rc.firewall as well. That aside, I might keep
> > the first one and change it to '... deny log ...", thus logging connection
> > attempts. On the other hand, that's what log_in_vain="YES" in /etc/rc.conf
> > is all about... - Jy@
>
> These rules are not equivalent, ip != tcp, and setup != null. The first
> rule is _VERY_ important. The second can be eliminated, see other email
> from me on missing ``setup'' on all the other rules...

Huh?

While it's true the rules are obviously not "duplicates" or
"equivalent," the first one is not necessary when these two appear next
to one another and no logging is done (like it is written). Anything
that would be denied by the first rule would be denied by the
second, i.e. all packets that match the first rule are a subset of the
packets that match the second.

Or am I missing something?
--
Crist J.
Clark cjclark@home.com

From owner-freebsd-ipfw Wed Jan 19 20:48:17 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 0EBB714E9F; Wed, 19 Jan 2000 20:48:12 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id XAA71242; Wed, 19 Jan 2000 23:52:57 -0500 (EST) (envelope-from cjc)
Date: Wed, 19 Jan 2000 23:52:57 -0500
From: "Crist J. Clark"
To: Ruslan Ermilov
Cc: committers@FreeBSD.ORG, ipfw@FreeBSD.ORG
Subject: Re: Assigning responsible for ipfw(8)-related PRs
Message-ID: <20000119235256.B70698@cc942873-a.ewndsr1.nj.home.com>
References: <20000119104156.D49712@relay.ucb.crimea.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000119104156.D49712@relay.ucb.crimea.ua>; from ru@FreeBSD.ORG on Wed, Jan 19, 2000 at 10:41:56AM +0200
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Jan 19, 2000 at 10:41:56AM +0200, Ruslan Ermilov wrote:
> Hi!
>
> How about assigning ipfw(8)-related PRs to freebsd-ipfw?

There currently is no "ipfw" "Category" on the PR forms. If something is
put in place to send them here, they still should go to their primary
destination (e.g. -bugs or -doc) as well.
--
Crist J.
Clark cjclark@home.com

From owner-freebsd-ipfw Wed Jan 19 21: 1: 7 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 1C6AF14DC3; Wed, 19 Jan 2000 21:01:02 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id VAA53835; Wed, 19 Jan 2000 21:00:29 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200001200500.VAA53835@gndrsh.dnsmgr.net>
Subject: Re: New Firewall
In-Reply-To: <20000119234827.A70698@cc942873-a.ewndsr1.nj.home.com> from "Crist J. Clark" at "Jan 19, 2000 11:48:27 pm"
To: cjc@cc942873-a.ewndsr1.nj.home.com (Crist J. Clark)
Date: Wed, 19 Jan 2000 21:00:29 -0800 (PST)
Cc: jwyatt@rwsystems.net (James Wyatt), oogali@intranova.net (Omachonu Ogali), briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Tue, Jan 18, 2000 at 09:40:33AM -0800, Rodney W. Grimes wrote:
> > > On Tue, 18 Jan 2000, Omachonu Ogali wrote:
> > > > The following rules can help if you are going to be running SMTP, HTTP,
> > > > POP3, and HTTPS, delete what you don't need.
> > > [ ... ]
> > > > # -- Deny setup of other incoming connections
> > > > ipfw add deny tcp from any to any setup
> > > >
> > > > # -- Deny other incoming IP packets.
> > > > ipfw add deny ip from any to any
> > >
> > > These rules are duplicate, so you can drop the first one. The last rule is
> > > commonly the default in /etc/rc.firewall as well. That aside, I might keep
> > > the first one and change it to '... deny log ...", thus logging connection
> > > attempts.
> > > On the other hand, that's what log_in_vain="YES" in /etc/rc.conf
> > > is all about... - Jy@

I missed this the first time around. log_in_vain will not always do what
a log deny would do on this rule. log_in_vain will only catch connections
to the router/host, not packets passing through the router if it is a
real firewall/forwarding engine.

> >
> > These rules are not equivalent, ip != tcp, and setup != null. The first
> > rule is _VERY_ important. The second can be eliminated, see other email
> > from me on missing ``setup'' on all the other rules...
>
> Huh?
>
> While it's true the rules are obviously not "duplicates" or
> "equivalent," the first one is not necessary when these two appear next
> to one another and no logging is done (like it is written).

Then it would have been clearer had you said ``The second rule is
redundant because...''

> Anything
> that would be denied by the first rule would be denied by the
> second, i.e. all packets that match the first rule are a subset of the
> packets that match the second.

Yes, that is true, however I still stand by my statement, and you confirm
that here, that ``these rules are not equivalent''

> Or am I missing something?

Yea, that people often add rules between other rules, especially between
those 2 rules :-). (For example that is one place that ttcp syn/fin packet
processing can be done.)
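The rule-ordering argument in this thread (Grimes asking for `setup` on every allow rule, and the Clark/Grimes exchange over whether `deny tcp from any to any setup` is redundant next to `deny ip from any to any`) can be checked mechanically. The program below is an added example placed after Grimes's reply; it is not code from the thread or from ipfw(8). It models only the slice of ipfw matching the thread relies on: first match wins, `setup` is SYN set with ACK clear, `established` is ACK or RST set, plus protocol, destination address and destination port. The rule numbers, the host 192.0.2.10 standing in for x.x.x.x, and the probe packets are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as they appear in the flags octet of the TCP header. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum { P_IP = 0, P_TCP = 6, P_UDP = 17 };   /* P_IP: the rule keyword "ip", any protocol */
enum action { DENY = 0, ALLOW = 1 };
enum flagopt { ANYFLAGS, SETUP, ESTABLISHED };
#define DEFAULT_RULE 65535   /* ipfw's implicit last rule: denies unless the kernel
                                was built with IPFIREWALL_DEFAULT_TO_ACCEPT */

struct pkt  { int proto; uint32_t dst; uint16_t dport; uint8_t tflags; };
struct rule { int num; enum action act; int proto; uint32_t dst; uint16_t dport; enum flagopt fl; };

/* ipfw(8) semantics modelled here: "setup" is SYN set and ACK clear,
 * "established" is ACK or RST set.  A TCP segment can be neither (a bare FIN,
 * a NULL probe, a PSH-only segment); that gap is what the example shows. */
static bool flags_match(enum flagopt fl, uint8_t t)
{
    switch (fl) {
    case SETUP:       return (t & TH_SYN) && !(t & TH_ACK);
    case ESTABLISHED: return (t & (TH_ACK | TH_RST)) != 0;
    default:          return true;
    }
}

static bool rule_matches(const struct rule *r, const struct pkt *p)
{
    if (r->proto != P_IP && r->proto != p->proto) return false;
    if (r->dst && r->dst != p->dst) return false;         /* 0 = "any" */
    if (r->dport && r->dport != p->dport) return false;   /* 0 = any port */
    if (r->proto == P_TCP && !flags_match(r->fl, p->tflags)) return false;
    return true;
}

/* Walk the list in order; the first matching rule decides. Returns its number. */
int first_match(const struct rule *rs, int n, int proto, uint32_t dst, uint16_t dport, uint8_t tflags)
{
    struct pkt p = { proto, dst, dport, tflags };
    for (int i = 0; i < n; i++)
        if (rule_matches(&rs[i], &p)) return rs[i].num;
    return DEFAULT_RULE;
}

/* Action of rule `num` in the list (DENY for the default rule). */
int action_of(const struct rule *rs, int n, int num)
{
    for (int i = 0; i < n; i++)
        if (rs[i].num == num) return rs[i].act;
    return DENY;
}

#define HOST 0xC000020AU   /* 192.0.2.10, a documentation address standing in for x.x.x.x */
#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* The service rule as posted, with no "setup" keyword ... */
const struct rule as_posted[] = {
    { 100, ALLOW, P_TCP, 0,    0,  ESTABLISHED },   /* allow tcp from any to any established */
    { 200, ALLOW, P_TCP, HOST, 25, ANYFLAGS },      /* allow tcp from any to 192.0.2.10 25 */
    { 300, DENY,  P_TCP, 0,    0,  SETUP },         /* deny tcp from any to any setup */
    { 400, DENY,  P_IP,  0,    0,  ANYFLAGS },      /* deny ip from any to any */
};
/* ... and with "setup" added to it, as Grimes asks for. */
const struct rule with_setup[] = {
    { 100, ALLOW, P_TCP, 0,    0,  ESTABLISHED },
    { 200, ALLOW, P_TCP, HOST, 25, SETUP },
    { 300, DENY,  P_TCP, 0,    0,  SETUP },
    { 400, DENY,  P_IP,  0,    0,  ANYFLAGS },
};
/* The same list without rule 300, for the "is 300 redundant" question. */
const struct rule without_300[] = {
    { 100, ALLOW, P_TCP, 0,    0,  ESTABLISHED },
    { 200, ALLOW, P_TCP, HOST, 25, SETUP },
    { 400, DENY,  P_IP,  0,    0,  ANYFLAGS },
};

int main(void)
{
    printf("SYN to :25   as_posted=%d with_setup=%d\n",
           first_match(as_posted, N(as_posted), P_TCP, HOST, 25, TH_SYN),
           first_match(with_setup, N(with_setup), P_TCP, HOST, 25, TH_SYN));
    printf("FIN to :25   as_posted=%d with_setup=%d  (FIN-scan style probe)\n",
           first_match(as_posted, N(as_posted), P_TCP, HOST, 25, TH_FIN),
           first_match(with_setup, N(with_setup), P_TCP, HOST, 25, TH_FIN));
    printf("SYN to :22   with 300=%d without 300=%d  (same verdict, different rule logged)\n",
           first_match(with_setup, N(with_setup), P_TCP, HOST, 22, TH_SYN),
           first_match(without_300, N(without_300), P_TCP, HOST, 22, TH_SYN));
    printf("ACK to :22   %d (stateless: any ACK passes)   UDP to :53  %d\n",
           first_match(with_setup, N(with_setup), P_TCP, HOST, 22, TH_ACK),
           first_match(with_setup, N(with_setup), P_UDP, HOST, 53, 0));
    return 0;
}
```

The FIN-to-25 case is the concrete difference `setup` makes: with the established rule in front, the only segments the keyword removes from the service rule are those carrying neither SYN-without-ACK nor ACK/RST, which is exactly the shape of FIN and NULL scan probes; as posted, rule 200 lets them through to the port. The SYN-to-22 case shows Clark's subset observation (rules 300 and 400 give the same verdict) side by side with Grimes's (only one of them is where a `log` keyword, or a rule inserted between them, would take effect). A SYN/ACK from anywhere to any port matches rule 100: that is the price of a stateless `established` rule, and nothing `setup` on the other rules changes.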
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Thu Jan 20 3:51:34 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from intranova.net (blacklisted.intranova.net [209.3.31.70]) by hub.freebsd.org (Postfix) with SMTP id D4BF514D73 for ; Thu, 20 Jan 2000 03:51:29 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 91615 invoked from network); 20 Jan 2000 06:53:40 -0000
Received: from missnglnk.wants.to-fuck.com (HELO hydrant.intranova.net) (user58572@209.201.95.10) by blacklisted.intranova.net with SMTP; 20 Jan 2000 06:53:40 -0000
Date: Thu, 20 Jan 2000 06:50:18 -0500 (EST)
From: Omachonu Ogali
To: Andre Chang
Cc: 'Stuart Henderson' , Brian Gallucci , isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: RE: New Firewall
In-Reply-To: <6C191944837ED311863A00104BC7598F774E@s.arkaine.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm not sure what he meant by ICMP fragmentation-needed messages, but
yes, ICMP is needed for reliable communication and faster communication
(primarily unreachables), so you can allow ICMP to pass through but I
wouldn't recommend it after seeing 24Mbps smurfs come through...

And in your case Andre, ICMP fragmentation has nothing to do with your
sendmail problem, that shows that your connection is breaking/dropping
after a while, maybe the remote side is closing the connection
prematurely...check it out by telnetting to the remote host on port 25 and
imitate a regular SMTP transaction to find the problem...

Omachonu Ogali
Intranova Networking Group

On Wed, 19 Jan 2000, Andre Chang wrote:

> Mr. Henderson,
>
> could you elaborate on the "icmp fragmentation-needed messages" please?
>
> I'm trying to track down the following error:
>
> Jan 18 09:02:56 `host_clipped` sendmail[49987]: NOQUEUE: SYSERR: putoutmsg
> ([xxx.xxx.xxx.xxx]): error on output channel sending "220 `hostname_clipped`
> ESMTP Sendmail 8.9.3/8.9.3; Tue, 18 Jan 2000 09:02:56 GMT": Broken pipe
>
> Thanks.
>
> -----Original Message-----
> From: Stuart Henderson [mailto:sh@eclipse.net.uk]
> Sent: Tuesday, January 18, 2000 11:35 AM
> To: Omachonu Ogali
> Cc: Brian Gallucci; isp@FreeBSD.ORG; freebsd-ipfw@FreeBSD.ORG
> Subject: Re: New Firewall
>
> > The following rules can help if you are going to be running SMTP, HTTP,
> > POP3, and HTTPS, delete what you don't need.
>
> You also need to pass icmp fragmentation-needed messages if you
> don't want to risk breaking access to/from some sites.

From owner-freebsd-ipfw Thu Jan 20 5: 0:45 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from proteus.eclipse.net.uk (proteus.eclipse.net.uk [195.188.32.118]) by hub.freebsd.org (Postfix) with ESMTP id 6041714D0D; Thu, 20 Jan 2000 05:00:40 -0800 (PST) (envelope-from stuart@eclipse.net.uk)
Received: from eclipse.net.uk (elara.eclipse.net.uk [195.188.32.31]) by proteus.eclipse.net.uk (Postfix) with ESMTP id 8F93F9DA6; Thu, 20 Jan 2000 13:00:28 +0000 (GMT)
Message-ID: <38870705.EB4386DB@eclipse.net.uk>
Date: Thu, 20 Jan 2000 13:00:53 +0000
From: Stuart Henderson
Organization: Eclipse Networking Ltd
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en-GB
MIME-Version: 1.0
To: Omachonu Ogali
Cc: Andre Chang , 'Stuart Henderson' , Brian Gallucci , isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: New Firewall
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I'm not sure what he meant by ICMP fragmentation-needed messages,

He meant what is mentioned in the Postfix faq.

From owner-freebsd-ipfw Thu Jan 20 9:41:24 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 8A57814C37; Thu, 20 Jan 2000 09:41:19 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA54999; Thu, 20 Jan 2000 09:40:31 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200001201740.JAA54999@gndrsh.dnsmgr.net>
Subject: Re: New Firewall
In-Reply-To: from Omachonu Ogali at "Jan 20, 2000 06:50:18 am"
To: oogali@intranova.net (Omachonu Ogali)
Date: Thu, 20 Jan 2000 09:40:31 -0800 (PST)
Cc: andre@arkaine.com (Andre Chang), sh@eclipse.net.uk ('Stuart Henderson'), briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I'm not sure what he meant by ICMP fragmentation-needed messages, but
> yes, ICMP is needed for reliable communication and faster communication
> (primarily unreachables), so you can allow ICMP to pass through but I
> wouldn't recommend it after seeing 24Mbps smurfs come through...
>
> And in your case Andre, ICMP fragmentation has nothing to do with your
> sendmail problem, that shows that your connection is breaking/dropping
> after a while, maybe the remote side is closing the connection
> prematurely...check it out by telnetting to the remote host on port 25 and
> imitate a regular SMTP transaction to find the problem...
If Andre is filtering ICMP 3.4 (ICMP_UNREACH.ICMP_UNREACH_NEEDFRAG) it
certainly could have to do with his sendmail problem.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Fri Jan 21 13:41:35 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from zero.arkaine.com (zero.arkaine.com [206.217.210.40]) by hub.freebsd.org (Postfix) with ESMTP id 5969215542 for ; Fri, 21 Jan 2000 13:41:32 -0800 (PST) (envelope-from andre@arkaine.com)
Received: from s.arkaine.com (s.arkaine.com [192.168.10.10]) by zero.arkaine.com (8.9.3/8.9.3) with ESMTP id RAA05339; Fri, 21 Jan 2000 17:37:00 -0500 (EST) (envelope-from andre@arkaine.com)
Received: by s.arkaine.com with Internet Mail Service (5.5.2650.21) id ; Fri, 21 Jan 2000 16:44:34 -0500
Message-ID: <6C191944837ED311863A00104BC7598F7752@s.arkaine.com>
From: Andre Chang
To: "'Rodney W. Grimes'" , oogali@intranova.net
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: RE: New Firewall
Date: Fri, 21 Jan 2000 16:44:24 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Well I checked up on the remote machines and they are mostly just SMTP
relay hosts for different domains, nothing special.

I am dropping all ICMP types other than 0, 3, 8 and 11 on that machine.
Considering that I am leaving ping and traceroute open, the machine is
just a secondary mail server in case the primary mail server is
unreachable. Its primary role is DNS.

It remains my own decision if I want the machine to respond to ICMP type
3.4. I'd rather the machine be unable to fulfill its secondary tasks for
some sites than open it up to a possible DoS which would affect its
primary task.

--
Andre.

-----Original Message-----
From: Rodney W.
Grimes [mailto:freebsd@gndrsh.dnsmgr.net]
Sent: Thursday, January 20, 2000 12:41 PM
To: oogali@intranova.net
Cc: andre@arkaine.com; sh@eclipse.net.uk; briang@expnet.net; isp@FreeBSD.ORG; freebsd-ipfw@FreeBSD.ORG
Subject: Re: New Firewall

> I'm not sure what he meant by ICMP fragmentation-needed messages, but
> yes, ICMP is needed for reliable communication and faster communication
> (primarily unreachables), so you can allow ICMP to pass through but I
> wouldn't recommend it after seeing 24Mbps smurfs come through...
>
> And in your case Andre, ICMP fragmentation has nothing to do with your
> sendmail problem, that shows that your connection is breaking/dropping
> after a while, maybe the remote side is closing the connection
> prematurely...check it out by telnetting to the remote host on port 25 and
> imitate a regular SMTP transaction to find the problem...

If Andre is filtering ICMP 3.4 (ICMP_UNREACH.ICMP_UNREACH_NEEDFRAG) it
certainly could have to do with his sendmail problem.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
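The Henderson/Grimes/Andre exchange turns on a single ICMP message: destination unreachable, code 4, fragmentation needed (ICMP_UNREACH_NEEDFRAG), which carries the next-hop MTU and the first 28 bytes of the datagram a router refused to forward. Dropping it silently breaks path MTU discovery toward peers behind a smaller link: DF-set segments are discarded, the sender never learns why, and the connection stalls. Passing all of ICMP is what Ogali objects to. The C code below is an added example written after the thread, not code from it or from ipfw(8): it parses such a message, verifies the ICMP checksum, and applies the one check a filter can apply even without connection state, namely that the quoted datagram was sent by the protected host and that the reported MTU is not absurdly small. The sample message, the addresses 192.0.2.10 (the mail host) and 198.51.100.7 (the peer), the MTU of 1400 and the 576-octet floor are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields a filter needs from an ICMP type 3, code 4 message (RFC 792 layout;
 * RFC 1191 puts the next-hop MTU in the otherwise unused second word). */
struct fragneeded {
    uint16_t mtu;
    uint32_t inner_src, inner_dst;      /* from the quoted original IP header */
    uint8_t  inner_proto;
    uint16_t inner_sport, inner_dport;  /* first 8 payload bytes: TCP/UDP ports */
};

enum { FN_OK = 0, FN_SHORT = -1, FN_BADSUM = -2, FN_NOT_NEEDFRAG = -3, FN_BAD_INNER = -4 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* RFC 1071 one's-complement sum; yields 0 over a message whose checksum field
 * is already correct. */
uint16_t icmp_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += rd16(p);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

int parse_frag_needed(const uint8_t *icmp, size_t len, struct fragneeded *out)
{
    if (len < 8 + 20 + 8) return FN_SHORT;               /* ICMP hdr + inner IP hdr + 8 */
    if (icmp_cksum(icmp, len) != 0) return FN_BADSUM;
    if (icmp[0] != 3 || icmp[1] != 4) return FN_NOT_NEEDFRAG;
    const uint8_t *ip = icmp + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return FN_BAD_INNER;
    out->mtu = rd16(icmp + 6);
    out->inner_src = rd32(ip + 12);
    out->inner_dst = rd32(ip + 16);
    out->inner_proto = ip[9];
    out->inner_sport = rd16(ip + ihl);
    out->inner_dport = rd16(ip + ihl + 2);
    return FN_OK;
}

/* Stateless policy: pass only if the quoted datagram came from the host we
 * protect (a forged message then cannot clamp MTUs for flows it never saw)
 * and the MTU is not small enough to be a DoS by itself.  576 is an assumed
 * floor for the example, not a value from the thread. */
int frag_needed_should_pass(const struct fragneeded *f, uint32_t local_addr)
{
    return f->inner_src == local_addr && f->mtu >= 576;
}

#define MAILHOST 0xC000020AU   /* 192.0.2.10 */
#define PEER     0xC6336407U   /* 198.51.100.7 */

/* Constructed sample: a router reports MTU 1400 for a 1500-byte, DF-set TCP
 * segment from 192.0.2.10:25 to 198.51.100.7:40001. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t inner[28] = {
        0x45, 0x00, 0x05, 0xdc,  0x12, 0x34, 0x40, 0x00,  /* v4/IHL 5, len 1500, id, DF */
        0x40, 0x06, 0x00, 0x00,  192, 0, 2, 10,           /* TTL 64, TCP, cksum, src */
        198, 51, 100, 7,                                  /* dst */
        0x00, 0x19, 0x9c, 0x41,  0x00, 0x00, 0x00, 0x01,  /* sport 25, dport 40001, seq */
    };
    if (cap < 36) return 0;
    memset(buf, 0, 36);
    buf[0] = 3; buf[1] = 4;                  /* type 3, code 4 */
    buf[6] = 1400 >> 8; buf[7] = 1400 & 0xff;
    memcpy(buf + 8, inner, sizeof inner);
    uint16_t c = icmp_cksum(buf, 36);        /* computed with the field zeroed */
    buf[2] = c >> 8; buf[3] = c & 0xff;
    return 36;
}

struct fragneeded g_last;   /* filled by the most recent successful parse_sample() */

/* tamper: 0 = as built; 1 = flip a bit of the MTU without fixing the checksum;
 * 2 = turn it into code 1 (host unreachable) with a valid checksum. */
int parse_sample(int tamper)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, sizeof buf);
    if (tamper == 1) buf[7] ^= 0x01;
    if (tamper == 2) {
        buf[1] = 1; buf[2] = buf[3] = 0;
        uint16_t c = icmp_cksum(buf, n);
        buf[2] = c >> 8; buf[3] = c & 0xff;
    }
    return parse_frag_needed(buf, n, &g_last);
}

int main(void)
{
    int rc = parse_sample(0);
    printf("parse=%d mtu=%u proto=%u src=%u.%u.%u.%u sport=%u dport=%u pass=%d spoofed_pass=%d\n",
           rc, g_last.mtu, g_last.inner_proto,
           g_last.inner_src >> 24, (g_last.inner_src >> 16) & 0xff,
           (g_last.inner_src >> 8) & 0xff, g_last.inner_src & 0xff,
           g_last.inner_sport, g_last.inner_dport,
           frag_needed_should_pass(&g_last, MAILHOST),
           frag_needed_should_pass(&g_last, PEER));
    printf("bad checksum -> %d, code 1 -> %d\n", parse_sample(1), parse_sample(2));
    return 0;
}
```

ipfw(8) as used in this thread selects ICMP by type (`icmptypes 3`) and has no match on the code, so with ipfw alone the practical choice is the one Andre describes, passing all of type 3 and relying on the kernel's own sanity checks, or a divert-socket helper that applies a check like the one above. The smurf floods Ogali mentions are echo traffic (types 0 and 8), so passing type 3 does not reopen that door.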