Date: Thu, 24 Sep 1998 20:00:41 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
To: Muhammad Najib <najib@csi-x.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall ...
Message-ID: <Pine.BSF.3.96.980924190130.306A-100000@aniwa.sky>
In-Reply-To: <3609c0ac.26df.0@csi-x.net>
On Thu, 24 Sep 1998, Muhammad Najib wrote:

> Date: Thu, 24 Sep 98 11:46:52 -800
> From: Muhammad Najib <najib@csi-x.net>
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: Firewall ...
>
> Andrew,
>
> Actually, I'm working in a college where certain network access to certain
> network destinations gotta be given to those who own the privilege to do so.
> In this case, I am bringing down the firewall structure to the lowest level
> of all, the host level instead of the network level. A host consists of about
> 30 firewall rules.

Can your hosts be grouped into categories? So you have classrooms of
computers which each need the same access, don't you?

I really don't think you're going to get efficiency or security out of this
sort of setup. If you can't classify what sort of traffic is allowed onto
what wires then packet filtering is the wrong tool for the job. It's too
easy to spoof packets. Perhaps you should be looking at a ticket based
system like Kerberos?

> I don't really know how to hack the ipfw.c source code as I'm no C
> programmer. I've tried using ipfw and had invoked around 30x110 rules

My source is unmodified from 2.2.5-RELEASE. This seems to work for me.

    cd /usr/src/sbin/ipfw/
    cp ipfw.c ipfw.c.orig
    perl -pi -e 's/1024/20480/' ipfw.c    # 20K rules
    make
    make install

The change is to the user interface program, and has no effect on the way
things actually work in the kernel. It just lets you see more rules with
show and less. As such I presume it's safe in spite of not having read right
through the source.

> and when I do 'ipfw show' or 'ipfw -a l' it seems likely not to show all the
> rules that have been invoked. I wonder why.... About the ip filter, where can
> I get it? Does that ip filter package come along with FreeBSD? Please do
> pinpoint me to this problem I'm having ... Thanx in advance :)

I don't see anything in the packages directories. I think it hasn't been long
since IPfilter was gotten to work with FreeBSD. I gather it's a port from
Linux.

Go to www.findmail.com and search for 'freebsd ipfilter'.

Andrew
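The grouping Andrew suggests above ("can your hosts be grouped into categories?") is the standard way to shrink a 30-rules-per-host ruleset. The following is an added example, not code from the thread or from FreeBSD: it takes a constructed host inventory, groups hosts whose allowed-destination sets are identical, collapses each group's addresses into the fewest exact CIDR blocks with the standard library's ipaddress module, and emits one ipfw add line per (block, destination) pair. The host addresses, destinations and rule numbering are all made up for the example.

```python
"""Collapse per-host firewall policy into per-group ipfw rules.

Constructed inventory: two classrooms on 10.0.1.0/24 and 10.0.2.0/24 whose
hosts share one policy each, plus a lone host that keeps its own /32 rules.
"""
from collections import defaultdict
import ipaddress

# Allowed (proto, destination, dport) entries; values are constructed.
WEB = ("tcp", "192.0.2.10", 80)
MAIL = ("tcp", "192.0.2.20", 25)
DNS = ("udp", "192.0.2.53", 53)
LIB = ("tcp", "192.0.2.30", 8080)

# host -> set of entries that host may reach (constructed sample data)
HOST_POLICY = {
    "10.0.1.10": {WEB, DNS},
    "10.0.1.11": {WEB, DNS},
    "10.0.1.12": {WEB, DNS},
    "10.0.1.13": {WEB, DNS},
    "10.0.2.20": {WEB, MAIL, DNS},
    "10.0.2.21": {WEB, MAIL, DNS},
    "10.0.2.22": {WEB, MAIL, DNS},
    "10.0.2.23": {WEB, MAIL, DNS},
    "10.0.3.5": {LIB, DNS},
}


def group_by_policy(host_policy):
    """Return {frozenset(policy): [IPv4Address, ...]} so hosts with an
    identical allowed set share one group of rules."""
    groups = defaultdict(list)
    for host, policy in host_policy.items():
        groups[frozenset(policy)].append(ipaddress.ip_address(host))
    return dict(groups)


def aggregate(addresses):
    """Collapse addresses (strings or address objects) into the fewest
    covering networks. collapse_addresses only merges ranges that are
    contiguous and aligned, so no address outside the input is ever
    admitted: 10.0.1.10-.13 becomes 10.0.1.10/31 and 10.0.1.12/31, while
    the aligned 10.0.2.20-.23 becomes a single 10.0.2.20/30."""
    objs = (ipaddress.ip_address(a) if isinstance(a, str) else a for a in addresses)
    return list(ipaddress.collapse_addresses(objs))


def render_ipfw(host_policy, first=1000, step=10):
    """Emit ipfw 'add' lines, one per (network block, policy entry),
    numbered from `first` in increments of `step`."""
    groups = group_by_policy(host_policy)
    lines = []
    number = first
    # Order groups by their lowest address so output is deterministic.
    for policy in sorted(groups, key=lambda p: min(groups[p])):
        for net in aggregate(groups[policy]):
            for proto, dst, dport in sorted(policy):
                lines.append(
                    f"ipfw add {number} allow {proto} from {net} to {dst} {dport}"
                )
                number += step
    return lines


def rule_counts(host_policy):
    """(rules needed per-host, rules needed after grouping and aggregation)."""
    per_host = sum(len(p) for p in host_policy.values())
    return per_host, len(render_ipfw(host_policy))


if __name__ == "__main__":
    for line in render_ipfw(HOST_POLICY):
        print(line)
    print("per-host rules: %d, aggregated rules: %d" % rule_counts(HOST_POLICY))
```

On the sample data 22 host-specific rules become 9. The aggregation is exact (only contiguous, aligned address runs are merged), so the collapsed ruleset admits precisely the same source addresses as the per-host one; what it does not fix is the point made in the reply, that a source-address rule is only as trustworthy as the wire it guards, so each classroom segment still needs its own anti-spoofing rule at the boundary.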