From owner-freebsd-stable Mon Oct 23 16:34:56 2000
Message-ID: <39F4CB17.78E807F2@isi.edu>
Date: Mon, 23 Oct 2000 16:34:47 -0700
From: Lars Eggert
Organization: USC Information Sciences Institute
To: stable@FreeBSD.org
Subject: ipfw & /etc/services

Just completed a buildworld, and ipfw no longer likes strings for service names when reading in my rule file. Strings work fine when I enter the rules manually. The rule file hasn't changed, and worked with 4.1.1-RELEASE.
--
Lars Eggert
Information Sciences Institute        http://www.isi.edu/larse/
University of Southern California

Content-Type: text/plain; charset=us-ascii; name="rc.firewall.local"
Content-Disposition: inline; filename="rc.firewall.local"

# ----------------------------------------------------------------------------
# $RCSfile: rc.firewall.local,v $
#
# $Revision: 1.6 $
# $Author: larse $
# $Date: 2000/09/25 19:22:10 $
# $State: Exp $
# ----------------------------------------------------------------------------
# $Log: rc.firewall.local,v $
# Revision 1.6  2000/09/25 19:22:10  larse
# Tightened the rules.
#
# Revision 1.5  2000/09/19 00:18:45  larse
# Much-improved firewall rules now make only ssh visible from outside
# ISI. We also log accesses to ports that seem to be favourites for
# script-kiddies (bind, netbios, etc.) Added pass rule for loopback
# which got deleted at some point.
#
# Revision 1.4  2000/05/23 05:59:18  larse
# Need full casl B number.
#
# Revision 1.4  2000/05/23 05:58:20  larse
# Need full class B number.
#
# Revision 1.3  2000/05/23 04:21:12  larse
# ISI's net is the full class B 128.9.
#
# Revision 1.2  2000/05/22 20:34:26  larse
# Unified root environment for demo.
#
# Revision 1.1  2000/05/17 18:59:37  larse
# Added local firewall rules. Enabled gateway.
#
# ----------------------------------------------------------------------------

# everything over loopback is fine, except when it came from the outside
add pass all from any to any via lo0
add deny all from any to 127.0.0.0/8

# everything between ISI hosts is fine
add pass all from 128.9.0.0/16 to any

# this will stop hosts from outside ISI from accessing the services
# used to gather information for the lab status page
add deny log tcp from any to any netstat,uname,ifconfig,rpcinfo,sunrpc
add deny log udp from any to any netstat,uname,ifconfig,rpcinfo,sunrpc

# close all these TCP services to the outside world
# (a dash inside a service name is escaped as \- so ipfw does not read it
# as a port range; a bare dash separates the two ends of a range)
add deny log tcp from any to any ftp,ftp\-data,telnet,shell,comsat
add deny log tcp from any to any login,finger,exec,uucpd,nntp,ntalk
add deny log tcp from any to any tftp,bootps,bootpc,netperf,nfsd
add deny log tcp from any to any daytime,time,4,7,discard,chargen
add deny log tcp from any to any 6000-6063,smtp,printer,domain,klogin
add deny log tcp from any to any eklogin,kshell,rkinit,cvspserver
add deny log tcp from any to any pop3,imap4,auth,netbios\-ssn,snmp
add deny log tcp from any to any netbios\-ns,netbios\-dgm,submission
add deny log tcp from any to any snmptrap,irc,irc\-serv,socks

# close all these UDP services to the outside world
add deny log udp from any to any syslog,nntp,netperf,domain,nfsd
add deny log udp from any to any daytime,time,4,7,discard,chargen
add deny log udp from any to any snmptrap,irc,irc\-serv,socks

# the following ports we log, because they're popular with script-kiddies
add pass log tcp from any to any 0,1,98,427,548,709,1024
add pass log tcp from any to any 1024,2926,2107,6346,6667,6970,16001
add pass log udp from any to any 0,1,98,427,548,709,1024
add pass log udp from any to any 1024,2926,2107,6346,6667,6970,16001

# pass (but log) all webcam accesses
add pass log tcp from any to any webcam\-small-webcam\-large
add pass log udp from any to any webcam\-small-webcam\-large
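Added example, not part of the original mail or of the attached rule file: a small Python checker that walks the port lists of rules written in the style above, honours ipfw's `\-` escape, and reports every service name that does not resolve in an /etc/services-style table. The services excerpt and the rules it checks are constructed for the example (the real /etc/services is much longer); an unescaped `irc-serv` is flagged because ipfw would read it as a range from `irc` to a service called `serv`.

```python
# Added example (not from the original mail): report service names in an
# ipfw rule file that do not resolve in an /etc/services-style table.
# In ipfw a bare "-" in a port list means a range, so a dash inside a
# service name must be escaped as "\-" (ftp\-data, irc\-serv).
import re
# Constructed /etc/services excerpt; the real file is much longer.
SERVICES = """
ftp-data   20/tcp
ftp        21/tcp
domain     53/udp
irc        194/tcp
irc        194/udp
irc-serv   529/tcp
irc-serv   529/udp
socks      1080/udp
"""
# Constructed rules in the style of rc.firewall.local above; the udp line
# carries the unescaped irc-serv that the tcp line writes correctly.
RULES = r"""
add deny log tcp from any to any ftp,ftp\-data,irc,irc\-serv
add deny log udp from any to any domain,irc,irc-serv,socks
add pass log tcp from any to any 6000-6063,1024
"""
RULE_RE = re.compile(r"\s*add\s+(?:pass|deny)\s+(?:log\s+)?(tcp|udp)"
                     r"\s+from\s+\S+\s+to\s+\S+\s+(\S+)")

def parse_services(text):
    """Map (name, proto) -> port from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/")
            table[(fields[0], proto)] = int(port)
    return table

def split_ports(spec):
    """Split a port list into tuples of range endpoints with \\- unescaped."""
    return [tuple(e.replace("\\-", "-") for e in re.split(r"(?<!\\)-", item))
            for item in spec.split(",")]

def check_rules(rules=RULES, services=SERVICES):
    """Return (proto, name) pairs that do not resolve; numeric ports skip."""
    table, missing = parse_services(services), []
    for rule in rules.splitlines():
        m = RULE_RE.match(rule)
        if m:
            proto, spec = m.groups()
            for ends in split_ports(spec):
                missing += [(proto, n) for n in ends
                            if not n.isdigit() and (n, proto) not in table]
    return missing
```

Running `check_rules()` on the constructed input returns `[("udp", "serv")]`; pointing it at the real rule file and /etc/services of a freshly built system is a quick way to tell a missing services entry from a parser change in ipfw.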
[S/MIME signature attachment (smime.p7s) omitted]