From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 21 11:02:19 2005
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 21 Feb 2005 11:02:18 GMT
Message-Id: <200502211102.j1LB2InU034766@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 22 20:29:38 2005
From: sn1tch
To: freebsd-ipfw@freebsd.org
Date: Tue, 22 Feb 2005 15:29:36 -0500
Subject: IPFW Ruleset

I'm trying to set up a stateful ruleset for my bsd machine. I have natd running and working, but for the life of me I cannot get to any outside websites. I know DNS is getting blocked, but it's by one of the last rules denying everything else… and I can't seem to get the firewall to let it pass on..
Here is what I have (which is right out of the FreeBSD handbook):

// Begin
case ${firewall_type} in
[Nn][Ee][Tt])
# Outside interface network and netmask and ip
oif="fxp0"
onet="111.111.111.0"
omask="255.255.255.0"
oip="111.111.111.45"

# Inside interface network and netmask and ip
iif="fxp1"
inet="10.0.0.0"
imask="255.0.0.0"
iip="10.0.0.1"

# DNS servers
dns1="111.111.111.115"

skip="skipto 800"

cmd="ipfw -q add"

setup_loopback

#################################################################
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via $iif

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $oif

#################################################################
# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to $dns1 53 out via $oif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to 111.111.111.116 67 out via $oif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $oif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $oif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $oif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $oif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $oif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $oif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $oif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $oif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $oif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $oif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $oif keep-state

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $oif   #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $oif    #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $oif       #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $oif      #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $oif        #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $oif   #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $oif     #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $oif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $oif      #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $oif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $oif
$cmd 321 deny tcp from any to any 138 in via $oif
$cmd 322 deny tcp from any to any 139 in via $oif
$cmd 323 deny tcp from any to any 81 in via $oif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $oif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $oif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from 111.111.111.116 to any 68 in via $oif keep-state

# Allow in standard www function because I have apache server
$cmd 370 allow tcp from any to me 80 in via $oif setup limit src-addr 2
$cmd 371 allow tcp from any to me 443 in via $oif setup limit src-addr 10

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 21 in via $oif setup limit src-addr 2
$cmd 385 allow tcp from any to me 22 in via $oif setup limit src-addr 2

# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $oif

# Reject & Log all unauthorized outgoing connections to the public Internet
$cmd 450 deny log all from any to any out via $oif

# This is the skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $oif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any

;;
// End

Thanks in advance for any help

From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 23 04:43:51 2005
From: "Mohd Rasfan"
To: freebsd-ipfw@freebsd.org
Date: Wed, 23 Feb 2005 12:51:21 +0800 (MYT)
Message-ID: <1293.219.94.101.37.1109134281.squirrel@219.94.101.37>
Subject:

Hello Guys,

I want to share with you all about placing a firewall: what is the best method???

A) CLIENT MULTIPLE VLAN -----> SWITCH -----> FIREWALL ------> INTERNET
B) CLIENT MULTIPLE VLAN -----> FIREWALL -----> SWITCH ------> INTERNET

From the above drawing, what is the best setup that you all use.... This comment must consider attacks, viruses, etc.... what possibilities for hacking and so on.....

I WANT TO SHARE THIS CAKE......

Best Regards,
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mohd Rasfan Bin Mohd Nor
System Network Administrator
Mobile : 019-2792472
Office : 03-42967102
Fax : 03-42967126
Website: http://www.nadi-it.com
E-Mail : rasfan[at]nadi-it.com
       : rasfan[at]rasfan.net
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
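Back to sn1tch's ruleset above: rule 020 passes DNS to $dns1 only as tcp, but a resolver sends its lookups as udp/53, so the query matches none of the skipto rules and dies at rule 450 (deny log all ... out via $oif), which is why no site name resolves even though rule 040 would let the HTTP session itself out. The following is an added example, not code from the post, the handbook or FreeBSD: a small Python model of ipfw's first-match walk (skipto and divert only; keep-state/check-state are left out, which does not matter for the first packet of a flow) run over a subset of the posted rules with the post's fxp0 and dns1 values, plus a constructed udp/53 rule 021 as the fix.

```python
from collections import namedtuple

# A packet as the rules see it: proto is "tcp"/"udp"/"icmp", direction "in"/"out".
Packet = namedtuple("Packet", "proto dst dport direction iface")

# Subset of the posted outbound rules: (number, action, proto, dst, dport, dir, iface).
# None is a wildcard; proto "ip" matches every protocol, as in ipfw.
RULES = [
    (20,  "skipto 800",  "tcp", "111.111.111.115", 53,   "out", "fxp0"),  # DNS: tcp only
    (40,  "skipto 800",  "tcp", None,              80,   "out", "fxp0"),
    (130, "skipto 800",  "udp", None,              123,  "out", "fxp0"),
    (450, "deny log",    None,  None,              None, "out", "fxp0"),
    (800, "divert natd", "ip",  None,              None, "out", "fxp0"),
    (801, "allow",       None,  None,              None, None,  None),
    (999, "deny log",    None,  None,              None, None,  None),
]

# The fix, constructed rule 021: udp/53 beside tcp/53 ("setup" is tcp-only, so omitted).
FIXED_RULES = RULES + [(21, "skipto 800", "udp", "111.111.111.115", 53, "out", "fxp0")]

def matches(rule, pkt):
    _, _, proto, dst, dport, direction, iface = rule
    return ((proto in (None, "ip") or proto == pkt.proto)
            and dst in (None, pkt.dst) and dport in (None, pkt.dport)
            and direction in (None, pkt.direction) and iface in (None, pkt.iface))

def first_match(rules, pkt):
    """Walk the rules in number order; return (number, action) of the deciding rule.
    skipto jumps forward; divert continues at the next rule (natd reinjection)."""
    rules = sorted(rules)
    i = 0
    while i < len(rules):
        num, action = rules[i][0], rules[i][1]
        if not matches(rules[i], pkt):
            i += 1
        elif action.startswith("skipto"):
            target = int(action.split()[1])
            i = next((j for j, r in enumerate(rules) if r[0] >= target), len(rules))
        elif action.startswith("divert"):
            i += 1
        else:
            return num, action
    return None  # ran off the end: ipfw's implicit default rule would decide

# Constructed sample packets: the first packet of a DNS lookup and of an HTTP session.
DNS_QUERY = Packet("udp", "111.111.111.115", 53, "out", "fxp0")
HTTP_SYN = Packet("tcp", "198.51.100.10", 80, "out", "fxp0")

def verdicts(rules):
    return {"dns": first_match(rules, DNS_QUERY), "http": first_match(rules, HTTP_SYN)}
```

With the original rules the DNS query ends at 450 and the HTTP SYN at 801; with rule 021 added both reach 801, while a udp/53 query to any server other than $dns1 is still denied at 450, exactly as the tcp rule already restricts it.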