Date:      Wed, 1 Mar 2000 13:22:52 -0500 (EST)
From:      Omachonu Ogali <oogali@intranova.net>
To:        Bhishan Hemrajani <bhishan@cytosine.dhs.org>
Cc:        Steve Jorgensen <steve@khoral.com>, questions@FreeBSD.ORG
Subject:   Re: packet filtering from ppp
Message-ID:  <Pine.BSF.4.10.10003011320220.66429-100000@hydrant.intranova.net>
In-Reply-To: <200003010420.UAA13680@cytosine.dhs.org>

Sample:
ipfw add deny tcp from any to any 137-139 in via tun0
ipfw add deny udp from any to any 137-139 in via tun0

What's wrong with applying it to the tun0 device only? Do you want him to
have further troubles with his internal network? And also, NetBIOS sits on
UDP ports 137-139.

On Tue, 29 Feb 2000, Bhishan Hemrajani wrote:

> I think you can.... just don't apply them to a specific
> device, apply them to all tcp attributes.
> 
> --bhishan
> 
> > Bhishan Hemrajani wrote
> > >> Try using rc.firewall in /etc to limit that stuff..
> > >> man ipfw
> > >> 
> > 	I didn't think you could use the ipfw and rc.firewall stuff on
> > 	the tun0 device.  Am I mistaken?
> > 
> > 						Steve
> > >> --bhishan
> > >> > 
> > >> > 	I have a little 16 IP number net, that is connected
> > >> > 	to the internet via the user ppp on the gateway machine.
> > >> > 	I'm running on a FreeBSD 3.4-STABLE machine last cvsup'ed
> > >> > 	about a month ago.  Since I have real IP numbers, I'm
> > >> > 	NOT using the -nat options to ppp, but I would like to use
> > >> > 	the set filter syntax to protect myself from prying external
> > >> > 	programs (in fact, I've been getting probed on my samba port for
> > >> > 	the last couple of weeks from various external ip numbers)
> > >> > 
> > >> > 	Anyway, I set up my rules based on instructions I found
> > >> > 	in the ppp tutorial at http://www.freebsd.org/tutorials/ppp/x870.html,
> > >> > 	but I can't seem to get things to work right.  The example shown
> > >> > 	indicates that only the specified services will be allowed to
> > >> > 	operate through the tun device, and all other packets will be
> > >> > 	blocked.  However, when I run it, it either lets everything
> > >> > 	through or disallows any new external to internal connections
> > >> > 	to be started.  This behavior is based on the following lines
> > >> > 
> > >> > set filter in  6 permit 0/0 MYGATEWAYADDR/24
> > >> > set filter out 6 permit MYGATEWAYADDR/24 0/0
> > >> > 
> > >> > 	If I have these two lines set, it doesn't matter if I have any
> > >> > 	of the other lines in the tutorial, it allows all packets through.
> > >> > 	If I comment those two lines out, no new external connections
> > >> > 	can be established.  Any help is appreciated, and I can make
> > >> > 	my full set filter lines available if it's necessary.
> > >> > 
> > >> > 						Steve
> > 
> > -- 
> > -----------------------------------------------------------
> > Steven Jorgensen      steve@khoral.com	 steve@spukhaus.com
> > ------------------------------+----------------------------
> > Khoral Research Inc.          | PHONE: (505) 837-6500
> > 6200 Uptown Blvd, Suite 200   | FAX:   (505) 881-3842
> > Albuquerque, NM 87110         | URL: http://www.khoral.com/
> > -----------------------------------------------------------
> > 
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> > 
> 
> 
> 
> 

-- 
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali@intranova.net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:       C8 51 14 FD 2A 87 53 D1  E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+
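The point made in the reply above, that deny rules scoped to tun0 with "in via" drop the NetBIOS probes arriving over the ppp link while leaving the internal network's own NetBIOS traffic alone, shown as an added simulation. This is not part of the original thread and is not ipfw itself: it parses the two rule lines quoted above and evaluates constructed sample packets against them in order, the way ipfw applies the first matching rule. The LAN interface name ed0, the sample packets and the "allow" fallback are assumptions (on a real FreeBSD box the final rule 65535 is deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT).

```python
"""Added illustration: first-match evaluation of the ipfw rules from the reply.

Not ipfw and not FreeBSD code; a small simulator for the rule syntax used in
the thread ("ipfw add deny tcp from any to any 137-139 in via tun0").
"""
import re
from dataclasses import dataclass

# Subset of ipfw rule syntax: action, protocol, src, dst, optional destination
# port or port range, optional direction, optional "via <interface>".
RULE_RE = re.compile(
    r"^ipfw add (?P<action>allow|deny) (?P<proto>tcp|udp|ip) "
    r"from (?P<src>\S+) to (?P<dst>\S+)(?: (?P<ports>[\d-]+))?"
    r"(?: (?P<dir>in|out))?(?: via (?P<iface>\S+))?$"
)


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    direction: str   # "in" or "out" relative to the gateway
    iface: str       # interface the packet arrives on or leaves by


def parse_rule(line):
    """Turn one 'ipfw add ...' line into a dict of match criteria."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    d = m.groupdict()
    ports = None
    if d["ports"]:
        lo, _, hi = d["ports"].partition("-")
        ports = (int(lo), int(hi or lo))   # "137-139" -> (137, 139), "137" -> (137, 137)
    return {"action": d["action"], "proto": d["proto"], "ports": ports,
            "dir": d["dir"], "iface": d["iface"]}


def matches(rule, pkt):
    """True when every criterion the rule specifies matches the packet."""
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if rule["ports"] and not (rule["ports"][0] <= pkt.dport <= rule["ports"][1]):
        return False
    if rule["dir"] and rule["dir"] != pkt.direction:
        return False
    if rule["iface"] and rule["iface"] != pkt.iface:
        return False
    return True


def evaluate(rules, pkt, default="allow"):
    """First matching rule decides; 'default' stands in for the final rule 65535
    (assumed 'allow' here; the real default depends on the kernel config)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default


# Exactly the two rule lines from the reply above.
RULES = [parse_rule(line) for line in [
    "ipfw add deny tcp from any to any 137-139 in via tun0",
    "ipfw add deny udp from any to any 137-139 in via tun0",
]]

# Constructed sample packets; "ed0" is an assumed name for the LAN interface.
SAMPLE = {
    "smb_probe_from_internet":  Packet("tcp", 139, "in", "tun0"),
    "netbios_ns_from_internet": Packet("udp", 137, "in", "tun0"),
    "smb_from_lan":             Packet("tcp", 139, "in", "ed0"),
    "http_from_internet":       Packet("tcp", 80, "in", "tun0"),
}


def verdicts(rules=RULES, sample=SAMPLE):
    """Map each sample packet name to the verdict the ruleset gives it."""
    return {name: evaluate(rules, pkt) for name, pkt in sample.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26s} {verdict}")
```

Running it shows the probes on 137-139 arriving via tun0 denied, the same port 139 traffic on the LAN interface untouched, and unrelated inbound traffic left to whatever the default rule says; dropping "via tun0" from the rules would make the third case a deny as well, which is the internal-network trouble the reply warns about.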


