From owner-freebsd-questions@FreeBSD.ORG Fri Jun 17 03:06:58 2005
Message-ID: <20050617030657.26824.qmail@web41007.mail.yahoo.com>
Date: Thu, 16 Jun 2005 20:06:57 -0700 (PDT)
From: Joe
To: Alex Zbyslaw
Cc: freebsd-questions@freebsd.org
In-Reply-To: <42B203F3.6080502@dial.pipex.com>
Subject: Re: SMP and networking under FreeBSD 5.3
List-Id: User questions

I'm still learning the firewall thing. I didn't understand the 'me' clause until recently. I'm using it on my UP box. My router actually runs off a CD-ROM. It's hard to make changes to it :-). It's an SMP box.
It wouldn't help telling you my IP addresses anyway, because my system is internet IP -> NAT (DSL modem) -> NAT (LAN). I have no idea what my real IP address is on the internet. In any case, thanks for the advice. I've been thinking of redoing these rules for 2 years now.

So how would your rules look if NAT were in the picture?

Thanks,
Joe

--- Alex Zbyslaw wrote:

> Joe wrote:
>
> > Thanks Alex,
> >
> > Below are my rules. I have removed the IP addresses and replaced them with x.x.x.x in most cases. Also some ports have been turned to y's instead of the actual port.
>
> I don't want to go into the details of your firewall; all I can offer is general advice for you to apply if you wish. There are plenty of resources out there, from the various man pages to the handbook. Firewalls can be trickier than they look, and NAT makes them significantly more complicated to fathom correctly. I don't claim to be any kind of expert, and everything I know started life being written by someone else :-) Any mistakes are most likely my own! I will say that it is worth making sure you understand your own firewall.
>
> At one point you suggested that you wanted to make your firewall script start later so that you had access to your IP address. I think you are on to a loser there, because there is no particular time when DHCP finally gets the IP address. If your provider is down, it might take minutes, hours or even days. You could keep polling in some way to see if you had an IP address and not run your rules script until you did, but it would seem better to just write rules which work even without the IP address. Plus, that would also not work if you ever had a second external interface (e.g. an old-fashioned modem) which needed firewalling irrespective of the status of your ethernet interface.
>
> Although a firewall often needs to know the actual addresses of hosts other than itself, there is, as far as I can figure out, no logical reason for it to need to know its own IP address if you have the "me" construct. (If, like my machine, your firewall is just another computer on a small network that is allowed to do exactly the same things as any other host on that network, then it needn't even use "me". This makes life much easier because it interferes less with NAT.)
>
> If you have "me" then you can always distinguish between your firewall and the rest of your network.
>
> Take the non-NAT case first:
>
> allow all from me to any out xmit ext_if
> allow all from any to me in recv ext_if
>
> These rules could only be triggered by packets addressed directly to your firewall. If you follow it with e.g.
>
> deny all from any to any out via ext_if
> deny all from any to any in via ext_if
>
> then you close off your internal network.
>
> NAT makes things more complicated, because before or after NATing (depending on the direction) packets from your network can look like they originate on your machine or are destined for it.
>
> E.g.
>
> allow all from me to any out xmit ext_if
>
> must come before the NAT rule, because after NAT-ing all your internal packets are going out ext_if.
>
> whereas
>
> allow all from any to me in recv ext_if
>
> must come after the NAT rule to be sure that it is actually your firewall which is the recipient.
>
> If all you have is a small network, then there may be no reason to differentiate your firewall from any other machine. In this case, it is perfectly sufficient to write rules based on the ext_if alone.
>
> So I have rules like:
>
> # Allow connections initiated from internal network
> ipfw add allow tcp from any to any out xmit ext_if setup
>
> # Allow TCP through if setup succeeded
> ipfw add pass tcp from any to any via ext_if established
>
> The only IP addresses in my whole firewall are the limited number of hosts which can initiate some kind of connection into my network, e.g.
>
> ipfw add allow tcp from x.x.x.x to any ssh setup
>
> (x.x.x.x not because I need to hide the IP but because I can't be bothered to find it in the firewall script :-))
>
> NB that rule says any for recipient because it was written before me existed. But since my network is NATed, it would always be a packet header for my firewall and could only get elsewhere if I explicitly forwarded it. There's no mention of the interface because a prior rule has already allowed internal connections which would match. Looking at it now, I might get picky and put an interface spec in there just to be completist.
>
> It's often said that there is no security in obscurity, and while I don't always agree, I do think that if you actually have to hide the IPs in your firewall for it to be secure, then it isn't secure. Since my firewall never mentions my IP address, I can publish the whole thing and even if it has flaws it won't help, since you don't know where I am :-)
>
> A bit long-winded, but I hope it helps,
>
> --Alex
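The ordering Alex argues for (the firewall's own outbound "me" rule before the NAT rule, the inbound "me" rule after it) written out as a complete ipfw(8) ruleset for a NATed gateway, answering Joe's "how would your rules look if NAT were in the picture?" This is an added example, not Joe's or Alex's script. It assumes things the thread does not state: NAT is done by natd(8) through an ipfw divert rule, the external interface name fxp0 and the rule numbers are placeholders, and the script dry-runs by default (set IPFW=/sbin/ipfw to load it for real). It also adds the check a practitioner wants before loading: a sanity test that the NAT rule sits between the two "me" rules.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset for a natd-based gateway,
# laid out so that each rule sees addresses either before or after NAT as
# intended. Placeholders/assumptions: interface fxp0, rule numbers, natd divert.
# Dry run by default; IPFW=/sbin/ipfw loads the rules for real.

IPFW="${IPFW:-echo ipfw}"
ext_if="${EXT_IF:-fxp0}"

# Emit one "<number> <rule body>" line.
rule() { printf '%s\n' "$*"; }

# The ruleset in evaluation order. ipfw acts on the first matching rule, so a
# rule's position relative to the divert decides whether it sees the packet's
# addresses before or after translation.
ruleset() {
    # The firewall's own outbound traffic: BEFORE the divert, because after
    # natd rewrites the source address every internal packet also looks
    # like "from me" on ext_if.
    rule 100 allow all from me to any out xmit "$ext_if"

    # The NAT rule. Outbound: internal sources become the external address.
    # Inbound: replies are rewritten back to the internal host.
    rule 200 divert natd ip from any to any via "$ext_if"

    # Traffic for the firewall itself: AFTER the divert, because before
    # translation every inbound packet is addressed to "me". As in the thread
    # this admits everything addressed to the firewall host; narrow it to the
    # services the host really exposes once the layout works.
    rule 300 allow all from any to me in recv "$ext_if"

    # Connections initiated from the internal network. These also belong
    # AFTER the divert: an allow terminates matching, so a packet allowed
    # before the divert would leave the box untranslated.
    rule 400 allow tcp from any to any out xmit "$ext_if" setup

    # Packets of connections that were already set up, in either direction.
    rule 500 allow tcp from any to any via "$ext_if" established

    # Default deny on the external interface, logged so drops are visible.
    rule 900 deny log all from any to any out via "$ext_if"
    rule 910 deny log all from any to any in via "$ext_if"
}

# Sanity check on a ruleset read from stdin: exit 0 only if the NAT rule is
# numbered between the "from me ... out" rule and the "to me ... in" rule.
check_nat_ordering() {
    awk '
        /from me to any out/ { me_out = $1 }
        /divert natd/        { nat = $1 }
        /to me in recv/      { me_in = $1 }
        END {
            if (me_out == "" || nat == "" || me_in == "") exit 1
            exit !(me_out + 0 < nat + 0 && nat + 0 < me_in + 0)
        }'
}

# Refuse to load a ruleset whose NAT placement is wrong; otherwise flush and
# add the rules one by one through $IPFW.
load_ruleset() {
    ruleset | check_nat_ordering || {
        echo "refusing to load: NAT rule is not between the two 'me' rules" >&2
        return 1
    }
    $IPFW -f flush
    ruleset | while read -r num body; do
        $IPFW add "$num" $body   # $body unquoted on purpose: split into tokens
    done
}

load_ruleset
```

The dry run prints the exact `ipfw add` commands in order, which is the easiest way to review the layout before it touches a box that, like Joe's, boots from read-only media. The check is deliberately narrow: it only confirms the invariant the thread describes, not that the remaining rules are complete for your network.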