From owner-freebsd-security Sat Jun 10 11:44:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hormann.tzo.cc (cvg-29-15-234.cinci.rr.com [24.29.15.234]) by hub.freebsd.org (Postfix) with ESMTP id 683E037B86F for ; Sat, 10 Jun 2000 11:44:09 -0700 (PDT) (envelope-from ghormann@alumni.indiana.edu)
Received: from localhost (ghormann@localhost) by hormann.tzo.cc (8.9.3/8.9.3) with ESMTP id OAA01834; Sat, 10 Jun 2000 14:46:22 -0400 (EDT) (envelope-from ghormann@alumni.indiana.edu)
X-Authentication-Warning: hormann.tzo.cc: ghormann owned process doing -bs
Date: Sat, 10 Jun 2000 14:46:20 -0400 (EDT)
From: Greg Hormann
X-Sender: ghormann@hormann.tzo.cc
To: John F Cuzzola
Cc: security@freebsd.org
Subject: Re: Setting up simple firewall with ipfw
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks. ssh/ftp now work correctly through the firewall.

Logging still doesn't work. (It's not showing up in /var/log/* or the
console.) I've tried playing with net.inet.ip.fw.verbose_limit, but that
didn't help either.

As for the first question, I think I may have figured it out. Haven't
tried it yet, but I could have my firewall script figure out the current
IP from ifconfig. Then, I would just need to call my firewall script each
time a new IP address was assigned. (Should be easy using hooks from
dhclient.)

Thanks again.

Greg.

On Sat, 10 Jun 2000, John F Cuzzola wrote:

> *** by default firewall messages are logged in /var/log/messages (I
> think). I usually create a separate file for firewall logging
> (/var/log/firewall.log) then change /etc/syslogd.conf appropriately
>
> *** you have rules with the same numbers (two rules 100 & 200). In my
> experience with FreeBSD 4 this sometimes causes problems. Renumber your
> rules so each one has its own unique rule number. Your ssh setup looks
> like it should work. SSH only uses tcp so the rule:
>
> > 00500 0 0 allow udp from any to any 22
>
> can be deleted.
>
> as for ftp. When you are using true ftp (instead of passive) a connection
> is made FROM a computer port 20 TO you on some port. So the rules:
>
> > 00700 0 0 allow tcp from any to any 20 via ed0
> > 00800 0 0 allow tcp from any to any 21 via ed0
>
> are almost right. Rule 700 should read:
>
> ipfw add 700 allow tcp from any 20 to any via ed0
>
> (the port 20 comes from the host you are contacting it doesn't connect
> back to you on port 20)
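The script below is an added example, not code from either poster. It puts the thread's three points together: the external address is read from ifconfig output (so the script can be re-run whenever dhclient assigns a new lease), every rule gets its own number, and the active-mode FTP data rule is written with the remote side on port 20, as the reply suggests. The interface name ed0, the rule numbers, the sample ifconfig text and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): an ipfw firewall script that
# derives the current interface address from ifconfig output, emits a rule
# set with unique rule numbers, and logs on the final deny.
# Interface name, rule numbers and the sample ifconfig text are constructed.

IFACE="${IFACE:-ed0}"

# Constructed ifconfig output so the script can be exercised offline.
SAMPLE_IFCONFIG='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 24.29.15.234 netmask 0xffffff00 broadcast 24.29.15.255
    ether 00:00:00:00:00:00'

# current_ip: print the first IPv4 address in ifconfig-style text read from
# stdin (prints nothing when the interface has no address yet).
current_ip() {
    awk '$1 == "inet" { print $2; exit }'
}

# build_rules IFACE IP: print the ipfw commands for one interface/address.
# Each rule has a distinct number. The closing rule carries "log"; those
# messages only appear if the kernel was built with IPFIREWALL_VERBOSE and
# net.inet.ip.fw.verbose is 1 (verbose_limit only caps how many are logged).
build_rules() {
    iface="$1"
    ip="$2"
    [ -n "$ip" ] || { echo "build_rules: no address on $iface" >&2; return 1; }
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 allow tcp from any to any established
ipfw add 400 allow tcp from $ip to any out via $iface setup
ipfw add 500 allow tcp from any to $ip 22 in via $iface setup
ipfw add 600 allow tcp from any to $ip 21 in via $iface setup
ipfw add 700 allow tcp from any 20 to $ip in via $iface setup
ipfw add 800 allow udp from $ip to any 53 out via $iface
ipfw add 900 allow udp from any 53 to $ip in via $iface
ipfw add 1000 allow udp from any 68 to any 67 out via $iface
ipfw add 1100 allow udp from any 67 to any 68 in via $iface
ipfw add 65000 deny log ip from any to any
EOF
}

# apply_rules IFACE: read the live address and load the rule set.
apply_rules() {
    ip=$(ifconfig "$1" | current_ip)
    build_rules "$1" "$ip" | sh
}

# Only touch the kernel when explicitly asked:  ./firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules "$IFACE"
fi
```

Rule 700 is the thread's correction: the data connection for active FTP arrives from the remote host's port 20, so the source port, not the destination port, is 20; rule 300 then lets the rest of each established session through. Rules 1000 and 1100 keep DHCP client/server traffic clear of the final deny so a lease renewal is never dropped. To re-run the script on each new lease, dhclient-script sources /etc/dhclient-exit-hooks with $reason set, so a line such as `case $reason in BOUND|RENEW|REBIND|REBOOT) /usr/local/etc/firewall.sh apply ;; esac` there (script path assumed) does what the reply describes. Logged denies go to syslog's security facility on FreeBSD 4, so check the file that /etc/syslog.conf maps security.* to, not only /var/log/messages.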