From owner-freebsd-security Mon Dec 7 08:06:42 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA12503 for freebsd-security-outgoing; Mon, 7 Dec 1998 08:06:42 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA12495 for <security@FreeBSD.ORG>; Mon, 7 Dec 1998 08:06:39 -0800 (PST) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with ESMTP id FAA28228; Tue, 8 Dec 1998 05:06:23 +1300 (NZDT) (envelope-from andrew@squiz.co.nz)
Date: Tue, 8 Dec 1998 05:06:23 +1300 (NZDT)
From: Andrew McNaughton <andrew@squiz.co.nz>
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Nelson
cc: security@FreeBSD.ORG
Subject: Re: 2.2.8 && ipfw? && 1 other ?
In-Reply-To: <3.0.6.32.19981207090315.008713e0@204.184.227.125>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 7 Dec 1998, Nelson wrote:

> ipfw l
>
> It only shows the rules list down to 2066

All of your rules are there and working, but the code for displaying them only handles 1024 entries. If you look in /usr/src/sbin/ipfw/ipfw.c, these are my diffs from the 2.2.7-RELEASE sources:

root@aniwa# diff /usr/src/sbin/ipfw/ipfw.c.orig /usr/src/sbin/ipfw/ipfw.c
182c182
< printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt);
---
> printf("%9lu %11lu ",chain->fw_pcnt,chain->fw_bcnt);
407c407
< struct ip_fw rules[1024];
---
> struct ip_fw rules[10240];

The first difference is unrelated - it improves on the problem of truncating display space for the ipfw statistics. You have to have at least 2^11 bytes of traffic matching a rule for it to matter.

> I am not really sure what the lines in the rc.firewall that contain the
> word "setup" really mean.
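Review bot: the 182c182 hunk only trades one column of width from the packet counter to the byte counter (%10lu/%10lu becomes %9lu/%11lu), so the total room stays the same and a packet count of ten or more digits now misaligns where it previously fit. If the goal is to stop the statistics columns from running together, widen both fields (e.g. `printf("%12lu %14lu ", ...)`) rather than shifting width between them, and since the message itself says this change is unrelated to the listing bug, it belongs in a separate diff.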
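Review bot: the 407c407 hunk replaces one hard-coded limit with a larger one, so a ruleset of more than 10240 entries is still cut off with no indication to the user, which is exactly the symptom Nelson hit at 1024. If `rules` is an automatic variable, as the context suggests, ten thousand `struct ip_fw` entries is also a large stack allocation for a listing routine. Prefer sizing the buffer from what the kernel reports (retry with a larger allocation when the returned data fills the buffer), or at minimum print a warning when the buffer comes back full so a truncated listing is not mistaken for a complete one.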
> Would someone care to help me out with it:)

They apply to TCP connections only and match only the packets that are sent to establish the connection. You can set a rule saying

ipfw allow tcp from any to any established

and it will not on its own allow any connections to be made.

Imagine you want to allow outbound ssh connections. If you use rules like this:

ipfw allow tcp from $myip to any ssh
ipfw allow tcp from any ssh to $myip

then anyone can connect from the ssh port on their machine to any port on your machine. So if you want to keep statistics about how much traffic goes through which kinds of services, you might use:

ipfw allow tcp from $myip to any ssh
ipfw allow tcp from any ssh to $myip established

Or, if you don't care about the statistics but you want to keep your rule set simple you might use:

ipfw allow tcp from any to any established
ipfw allow tcp from any to $myip ssh

This still requires two rules to enable this one service, but only the second rule needs to be repeated in order to enable other services.

Andrew McNaughton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
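The point Andrew makes about the second rule set (that `allow tcp from any ssh to $myip` without `established` lets a remote host bind source port 22 and open a connection to any port on your machine) is easy to see with a small first-match simulator. The following is an added example, not code from the mailing list or from ipfw itself: it models ipfw's first-match evaluation and the two TCP options as ipfw(8) documents them, `setup` matching a packet with SYN set and ACK clear, `established` matching a packet with ACK or RST set, with a default deny when nothing matches (an assumption standing in for a closed rc.firewall). The addresses, ports and the five sample packets are constructed; `$myip` is represented by the constant MYIP. The three rule sets are the ones quoted in the message, in the same order.

```python
"""Toy first-match model of ipfw rules with the 'setup' and 'established' options.

Constructed example: this is not ipfw's own code. Semantics modelled:
  setup       -> TCP packet with SYN set and ACK clear (opens a connection)
  established -> TCP packet with ACK or RST set (part of an open connection)
  no match    -> "deny" (assumed default policy)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MYIP = "203.0.113.5"      # constructed stand-in for $myip
REMOTE = "198.51.100.7"   # constructed remote host
SSH, TELNET = 22, 23


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    """One 'ipfw allow/deny tcp from SRC [PORT] to DST [PORT] [setup|established]'."""
    action: str
    src: str                 # address or "any"
    sport: Optional[int]     # None means any port
    dst: str
    dport: Optional[int]
    opt: Optional[str] = None  # None, "setup" or "established"

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.opt == "setup":
            return p.syn and not p.ack
        if self.opt == "established":
            return p.ack or p.rst
        return True


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; nothing matching is denied (assumed default)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The three rule sets quoted in the message.
NAIVE = [
    Rule("allow", MYIP, None, "any", SSH),
    Rule("allow", "any", SSH, MYIP, None),
]
WITH_ESTABLISHED = [
    Rule("allow", MYIP, None, "any", SSH),
    Rule("allow", "any", SSH, MYIP, None, "established"),
]
SIMPLE = [
    Rule("allow", "any", None, "any", None, "established"),
    Rule("allow", "any", None, MYIP, SSH),
]

# Constructed sample traffic.
PACKETS: Dict[str, Packet] = {
    "outbound ssh SYN":          Packet(MYIP, 51234, REMOTE, SSH, syn=True),
    "outbound ssh reply SYN/ACK": Packet(REMOTE, SSH, MYIP, 51234, syn=True, ack=True),
    "attack sport 22 -> telnet SYN": Packet(REMOTE, SSH, MYIP, TELNET, syn=True),
    "inbound ssh SYN":           Packet(REMOTE, 40000, MYIP, SSH, syn=True),
    "inbound ssh reply SYN/ACK": Packet(MYIP, SSH, REMOTE, 40000, syn=True, ack=True),
}


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of a rule set for every sample packet."""
    return {name: verdict(rules, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("naive", NAIVE), ("established", WITH_ESTABLISHED), ("simple", SIMPLE)):
        print(label)
        for name, v in evaluate(rules).items():
            print(f"  {v:5s}  {name}")
```

Under the first rule set the attacker's SYN from source port 22 to the telnet port is allowed, which is the hole the message describes; adding `established` to the return rule denies it while the SYN/ACK reply to your own outbound connection still passes. The third rule set, as quoted, opens ssh as a service on $myip (inbound SYN to port 22 and its reply are allowed) and relies on the blanket `established` rule for all return traffic, which is why only the second line needs repeating per service.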