From: "Robert Roberts"
Date: Tue, 4 Dec 2001 01:48:46 -0800
Subject: subscribe
Message-ID: <000401c17ca9$ba4beda0$0200000a@dog>

I would like to subscribe.

thank you
Robert Roberts

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

------------------------------------------------------------------------

From: Didier Rwitura
Date: Wed, 5 Dec 2001 15:45:21 -0500 (EST)
Subject: test

test

------------------------------------------------------------------------

From: "alexus"
Date: Wed, 5 Dec 2001 18:33:18 -0500
Subject: rc.conf
Message-ID: <000701c17de5$3881d4a0$0d00a8c0@alexus>

all those settings

are they applied to ipf or ipfw?

su-2.05# grep -i firewall /etc/defaults/rc.conf
### Basic network and firewall/security options: ###
firewall_enable="NO"                     # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"       # Which script to run to set up the firewall
firewall_type="UNKNOWN"                  # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"                      # Set to YES to suppress rule display
firewall_logging="NO"                    # Set to YES to enable events logging
firewall_flags=""                        # Flags passed to ipfw when type is a file
natd_enable="NO"                         # Enable natd (if firewall_enable == YES).
ipv6_firewall_enable="NO"                # Set to YES to enable IPv6 firewall
ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall
ipv6_firewall_type="UNKNOWN"             # IPv6 Firewall type (see /etc/rc.firewall6)
ipv6_firewall_quiet="NO"                 # Set to YES to suppress rule display
ipv6_firewall_logging="NO"               # Set to YES to enable events logging
ipv6_firewall_flags=""                   # Flags passed to ip6fw when type is a file
su-2.05#

------------------------------------------------------------------------

From: Didier Rwitura
Date: Wed, 5 Dec 2001 19:46:57 -0500 (EST)
Subject: IPFW with SSH

.. can you guys help me with opening ssh port 22 using ipfw (I can
connect to other hosts without any problem but cannot access my box from
outside ...

here is my whole ruleset file:

#from man 8 ipfw: allow only outbound TCP connections I've created
#allow ssh
add 00300 check-state
add 00301 allow tcp from any to any in established
add 00302 allow tcp from any ssh to any out setup keep-state
add 00304 allow tcp from any to any ssh in
add 00305 allow tcp from any to any out setup keep-state
#allow DNS
add 00400 allow udp from 24.200.243.242 53 to any in recv ed0
add 00401 allow udp from 24.201.245.114 53 to any in recv ed0
add 00402 allow udp from 24.200.243.250 53 to any in recv ed0
##Dynamic rules
add 00403 allow udp from any to any out
add 00501 allow udp from 10.23.128.2 67 to any 68 in via ed0
#allow some icmp types (codes not supported)
#####allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
####allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
#### allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
## allow me to run traceroute
add 00604 allow icmp from any to any icmptypes 11 in

thanks for your time

--
------------------------------------------
Didier Rwitura
Technical Support Technique
Primus Canada
http://support.primus.ca
Tel: 1-800-370-0015 Ext :8628
"Perfectionism is a dangerous state of mind in an imperfect world."
                                                   --Robert Hillyer

------------------------------------------------------------------------

From: "Crist J . Clark"
To: alexus
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Wed, 5 Dec 2001 17:08:42 -0800
Subject: Re: rc.conf
Message-ID: <20011205170842.K3061@blossom.cjclark.org>
In-Reply-To: <000701c17de5$3881d4a0$0d00a8c0@alexus>

On Wed, Dec 05, 2001 at 06:33:18PM -0500, alexus wrote:
> all those settings
>
> are they applied to ipf or ipfw?

If it's '^firewall', it's ipfw(8). If it's '^ip6_firewall', it's
ip6fw(8). If it's '^ipfilter', it's ipf(8).
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

------------------------------------------------------------------------

From: "Crist J . Clark"
To: Didier Rwitura
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Wed, 5 Dec 2001 17:17:34 -0800
Subject: Re: IPFW with SSH
Message-ID: <20011205171734.L3061@blossom.cjclark.org>

On Wed, Dec 05, 2001 at 07:46:57PM -0500, Didier Rwitura wrote:
>
>
> .. can you guys help me with opening ssh port 22 using
> ipfw (I can connect to other hosts without any
> problem but cannot access my box from outside ...
> here is my whole ruleset file
>
>
> #from man 8 ipfw: allow only outbound TCP connections I've created
> #allow ssh
> add 00300 check-state
> add 00301 allow tcp from any to any in established
> add 00302 allow tcp from any ssh to any out setup keep-state
> add 00304 allow tcp from any to any ssh in
> add 00305 allow tcp from any to any out setup keep-state

Rules 300 and 301 are an odd pair. Not much point in bothering with
keep-state rules if you have rule 301. Also, unless it is for usage
statistics, there is no reason for rule 302 in light of 305. Not to
mention the fact that I doubt 302 is ever triggered; a SYN with a
source of 22?

I believe your problem is that you can't establish SSH sessions since
you are not letting your SYN-ACK response back out. How about
replacing all of those with,

  300 add allow tcp from any to any ssh in setup keep-state
  310 add allow tcp from any to any out setup keep-state

--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
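Added example (not code from the thread, from FreeBSD, or from either poster): a toy Python model of the three ipfw(8) behaviours Crist's diagnosis rests on, namely rule order, the "setup" (SYN set, ACK clear) and "established" (ACK set) TCP flag tests, and keep-state dynamic rules with the dynamic table consulted at check-state or, failing that, at the first keep-state rule. It replays an inbound SSH handshake through the TCP rules Didier posted and through Crist's two replacement rules. Assumptions: addresses are ignored (only ports and direction are matched), the final rule 65535 denies as on a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT, "established" tests only ACK, dynamic entries never expire, the client port 40321 is constructed, and Crist's rules are written in ipfw's "add N ..." order.

```python
# Toy model of ipfw(8) evaluation: rule order, the "setup"/"established" TCP
# flag tests and keep-state dynamic rules. Added example; not FreeBSD's code.
from collections import namedtuple
from dataclasses import dataclass

SERVICES = {"ssh": 22}  # service names the toy parser knows
DEFAULT_RULE = 65535    # ipfw's final rule, assumed to deny (no IPFIREWALL_DEFAULT_TO_ACCEPT)

Packet = namedtuple("Packet", "sport dport direction flags")  # direction "in"/"out"; flags from {"SYN","ACK"}

def _port(tok):  # port number for a digit string or a known service name, else None
    return int(tok) if tok.isdigit() else SERVICES.get(tok)

@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny" or "check-state"
    sport: int = None           # None means "any"
    dport: int = None
    direction: str = None
    setup: bool = False         # ipfw "setup": SYN set, ACK clear
    established: bool = False   # ipfw "established": ACK set (RST ignored in this toy)
    keep_state: bool = False

    def matches(self, p):
        return ((self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.direction is None or p.direction == self.direction)
                and (not self.setup or ("SYN" in p.flags and "ACK" not in p.flags))
                and (not self.established or "ACK" in p.flags))

def parse_rule(line):
    """Parse 'add N check-state' or 'add N action tcp from any [port] to any [port] [opts]'."""
    toks = line.split()
    assert toks[0] == "add", line
    rule = Rule(int(toks[1]), toks[2])
    if rule.action == "check-state":
        return rule
    assert toks[3:6] == ["tcp", "from", "any"], line
    i = 6
    if toks[i] != "to":                                  # optional source port
        rule.sport, i = _port(toks[i]), i + 1
    assert toks[i:i + 2] == ["to", "any"], line
    i += 2
    if i < len(toks) and _port(toks[i]) is not None:     # optional destination port
        rule.dport, i = _port(toks[i]), i + 1
    for opt in toks[i:]:
        if opt in ("in", "out"):
            rule.direction = opt
        elif opt in ("setup", "established", "keep-state"):
            setattr(rule, opt.replace("-", "_"), True)
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    return rule

class Firewall:
    def __init__(self, text):
        lines = [ln.strip() for ln in text.splitlines()]
        self.rules = sorted((parse_rule(ln) for ln in lines if ln and ln[0] != "#"),
                            key=lambda r: r.number)
        self.has_check_state = any(r.action == "check-state" for r in self.rules)
        self.dynamic = {}   # flow -> (action, number) of the keep-state rule that created it

    def process(self, p):
        """Return (action, rule number) for packet p, recording keep-state entries."""
        flow = frozenset({p.sport, p.dport})   # addresses are ignored in this toy
        consulted = False
        for rule in self.rules:
            # The dynamic table is consulted at check-state or, if the ruleset has
            # no check-state, at the first keep-state rule that is reached.
            if not consulted and (rule.action == "check-state"
                                  or (rule.keep_state and not self.has_check_state)):
                consulted = True
                if flow in self.dynamic:
                    return self.dynamic[flow]
            if rule.action == "check-state" or not rule.matches(p):
                continue
            if rule.keep_state:
                self.dynamic[flow] = (rule.action, rule.number)
            return rule.action, rule.number
        return "deny", DEFAULT_RULE

# The TCP rules Didier posted, and Crist's replacement written in 'add N ...' order.
DIDIER_RULES = """
add 00300 check-state
add 00301 allow tcp from any to any in established
add 00302 allow tcp from any ssh to any out setup keep-state
add 00304 allow tcp from any to any ssh in
add 00305 allow tcp from any to any out setup keep-state
"""
CRIST_RULES = """
add 300 allow tcp from any to any ssh in setup keep-state
add 310 allow tcp from any to any out setup keep-state
"""

def replay_ssh_handshake(ruleset, client_port=40321):
    """Classify the three packets of an inbound SSH handshake (client port is constructed)."""
    fw = Firewall(ruleset)
    steps = [("SYN in", Packet(client_port, 22, "in", frozenset({"SYN"}))),
             ("SYN-ACK out", Packet(22, client_port, "out", frozenset({"SYN", "ACK"}))),
             ("ACK in", Packet(client_port, 22, "in", frozenset({"ACK"})))]
    return {name: fw.process(pkt) for name, pkt in steps}
```

Calling replay_ssh_handshake(DIDIER_RULES) shows the failure Crist describes: the inbound SYN is accepted by rule 304, but 304 keeps no state, and the outbound SYN-ACK matches neither 302 nor 305 because "setup" requires ACK to be clear, so it falls through to the default deny and the handshake never completes (rule 301 would have let the client's final ACK in, which is why Crist calls 300/301 an odd pair). With CRIST_RULES the SYN matches rule 300 and creates a dynamic entry; the SYN-ACK and ACK are then matched from the dynamic table at that same rule, which doubles as the check-state point since the ruleset has none. The real ipfw additionally tracks TCP state and expires entries; this toy does neither.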
------------------------------------------------------------------------

From: Dan Pelleg
To: freebsd-ipfw@freebsd.org
Date: Sat, 8 Dec 2001 07:57:34 -0500
Subject: incorrect handling of limit rules
Message-ID: <15378.3646.123303.804870@palraz.wburn>

I have posted a PR detailing incorrect handling of parent rules
in ipfw. It's long, so I won't post it here. Please see
http://www.freebsd.org/cgi/query-pr.cgi?pr=32600

Summary: incorrect handling of the expire and count field in parent rules
caused ipfw to emit "OUCH! cannot remove rule" messages. While fixing this,
I stumbled on a kernel panic bug, which was hidden by the more benign bug.

PR includes patches for both bugs, as well as a similar fix to userland
ipfw and plugging of a minor problem to do with the rule list passed to
userland ipfw.

------------------------------------------------------------------------

From: "Konstantin Reznichenko"
Date: Sat, 8 Dec 2001 16:17:46 +0200
Subject: ipsec tunnel & dummynet...
Message-ID: <003401c17ff3$1c8bf7c0$0402a8c0@premierbank.dp.ua>

Good day. There is an IPsec tunnel FreeBSD -> FreeBSD (gif0 & ppp0). In
this tunnel I need to limit the bandwidth with the help of ipfw (dummynet).
How can this be organized? tcpdump on the pseudo-device gif is silent. Not
a single packet leaving into the tunnel is caught by an ipfw rule
"... tcp from any to any via gif0". How is the transport of packets through
the gifX devices organized?

I am sorry for my bad English.

Yours faithfully, Konstantin.

------------------------------------------------------------------------

From: Luigi Rizzo
To: Dan Pelleg
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Sat, 8 Dec 2001 08:41:20 -0800
Subject: Re: incorrect handling of limit rules
Message-ID: <20011208084120.C93899@iguana.aciri.org>
In-Reply-To: <15378.3646.123303.804870@palraz.wburn>

thanks, I'll look at this.

	cheers
	luigi

On Sat, Dec 08, 2001 at 07:57:34AM -0500, Dan Pelleg wrote:
>
> I have posted a PR detailing incorrect handling of parent rules
> in ipfw. It's long, so I won't post it here. Please see
> http://www.freebsd.org/cgi/query-pr.cgi?pr=32600
>
>
> Summary: incorrect handling of the expire and count field in parent rules
> caused ipfw to emit "OUCH! cannot remove rule" messages. While fixing this,
> I stumbled on a kernel panic bug, which was hidden by the more benign bug.
>
> PR includes patches for both bugs, as well as a similar fix to userland
> ipfw and plugging of a minor problem to do with the rule list passed to
> userland ipfw.