From owner-freebsd-stable Mon Oct 23 17:43:11 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id C5D4737B4C5 for ; Mon, 23 Oct 2000 17:43:07 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 23 Oct 2000 17:41:48 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9O0h5v11269; Mon, 23 Oct 2000 17:43:05 -0700 (PDT) (envelope-from cjc)
Date: Mon, 23 Oct 2000 17:43:05 -0700
From: "Crist J . Clark"
To: Lars Eggert
Cc: stable@FreeBSD.ORG
Subject: Re: ipfw & /etc/services
Message-ID: <20001023174304.O75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <39F4CB17.78E807F2@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <39F4CB17.78E807F2@isi.edu>; from larse@ISI.EDU on Mon, Oct 23, 2000 at 04:34:47PM -0700
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Oct 23, 2000 at 04:34:47PM -0700, Lars Eggert wrote:
> Just completed a buildworld, and ipfw no longer likes strings for service
> names when reading in my rule file. Strings work fine when I enter the
> rules manually. The rule file hasn't changed, and worked with
> 4.1.1-RELEASE.

The file below worked? It really shouldn't since you have a bunch of
stuff that is not in /etc/services by default. Which ones choke when
you load this?

[snip]

> # everything over loopback is fine, except when it came from the outside
> add pass all from any to any via lo0
> add deny all from any to 127.0.0.0/8
>
> # everything between ISI hosts is fine
> add pass all from 128.9.0.0/16 to any

Iii-ee. Can we all say, "spoof attack?"
> # this will stop hosts from outside ISI from accessing the services
> # used to gather information for the lab status page
> add deny log tcp from any to any netstat,uname,ifconfig,rpcinfo,sunrpc
> add deny log udp from any to any netstat,uname,ifconfig,rpcinfo,sunrpc

netstat, uname, and ifconfig are not valid service names. rpcinfo and
sunrpc are the same thing.

> # close all these TCP services to the outside world
> add deny log tcp from any to any ftp,ftp\-data,telnet,shell,comsat

comsat is a UDP service.

> add deny log tcp from any to any login,finger,exec,uucpd,nntp,ntalk

ntalk is UDP.

> add deny log tcp from any to any tftp,bootps,bootpc,netperf,nfsd

tftp, bootps, and bootpc are UDP. netperf is not a service.

> add deny log tcp from any to any daytime,time,4,7,discard,chargen
> add deny log tcp from any to any 6000-6063,smtp,printer,domain,klogin
> add deny log tcp from any to any eklogin,kshell,rkinit,cvspserver
> add deny log tcp from any to any pop3,imap4,auth,netbios\-ssn,snmp

snmp is UDP.

> add deny log tcp from any to any netbios\-ns,netbios\-dgm,submission

netbios-ns and netbios-dgm are UDP.

> add deny log tcp from any to any snmptrap,irc,irc\-serv,socks

snmptrap is UDP.

> # close all these UDP services to the outside world
> add deny log udp from any to any syslog,nntp,netperf,domain,nfsd

nntp is TCP. netperf is not a valid service.

> add deny log udp from any to any daytime,time,4,7,discard,chargen
> add deny log udp from any to any snmptrap,irc,irc-serv,socks

IRC is TCP.
> # the following ports we log, because they're popular with script-kiddies
> add pass log tcp from any to any 0,1,98,427,548,709,1024
> add pass log tcp from any to any 1024,2926,2107,6346,6667,6970,16001
> add pass log udp from any to any 0,1,98,427,548,709,1024
> add pass log udp from any to any 1024,2926,2107,6346,6667,6970,16001
>
> # pass (but log) all webcam accesses
> add pass log tcp from any to any webcam\-small-webcam\-large
> add pass log udp from any to any webcam\-small-webcam\-large

I assume these are custom entries. Perhaps the unofficial entries that I
pointed out above are custom ones too? Did you perhaps clobber a custom
/etc/services in the upgrade?

-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
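The checks Crist does by hand above (is the name in /etc/services at all, and is it defined for the protocol the rule names?) can be scripted before a rule file is loaded. The following is an added example, not code from the thread or from FreeBSD: it parses a constructed /etc/services excerpt (the format is the real one, name, port/proto, aliases, optional comment; the entries are the ones the reply discusses, at their standard ports) and walks a handful of rule lines taken from the quoted file, reporting names that are absent and names that exist only for the other protocol. It assumes ipfw's port-list convention as used in the quoted rules: a bare `-` is a range, `\-` is a literal hyphen, and only tcp/udp rules carry port lists. Rule-syntax handling is deliberately minimal (`add [num] action [log] proto from src [ports] to dst [ports] [options]`).

```python
import re

# Keywords that may follow the destination address in an ipfw rule; if the
# next token is one of these, the rule has no destination port list.
OPTION_KEYWORDS = {
    "via", "in", "out", "recv", "xmit", "setup", "established", "frag",
    "keep-state", "uid", "gid", "icmptypes", "ipoptions", "tcpflags",
}

# Constructed /etc/services excerpt: name port/proto [aliases] [# comment].
SERVICES_EXCERPT = """
discard     9/tcp    sink null
discard     9/udp    sink null
daytime    13/tcp
daytime    13/udp
chargen    19/tcp    ttytst source
chargen    19/udp    ttytst source
ftp-data   20/tcp
ftp        21/tcp
telnet     23/tcp
time       37/tcp    timserver
time       37/udp    timserver
domain     53/tcp
domain     53/udp
sunrpc    111/tcp    rpcbind portmap  # SUN Remote Procedure Call
sunrpc    111/udp    rpcbind portmap
nntp      119/tcp    usenet
snmptrap  162/udp    snmp-trap
irc       194/tcp
comsat    512/udp    biff
shell     514/tcp    cmd
syslog    514/udp
"""

# Constructed rule lines, drawn from the rule file quoted in the thread
# (quoting stripped, port lists shortened).
RULES = "\n".join([
    r"# everything over loopback is fine",
    r"add pass all from any to any via lo0",
    r"add deny log tcp from any to any netstat,uname,ifconfig,sunrpc",
    r"add deny log tcp from any to any ftp,ftp\-data,telnet,shell,comsat",
    r"add deny log tcp from any to any daytime,time,4,7,discard,chargen",
    r"add deny log udp from any to any syslog,nntp,domain",
    r"add deny log udp from any to any snmptrap,irc",
])


def parse_services(text):
    """Parse /etc/services text into {(name, proto): port}, aliases included."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                               # blank or malformed line
        port_s, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:      # canonical name + aliases
            table[(name, proto)] = int(port_s)
    return table


def split_port_tokens(spec):
    """Split an ipfw port list into items; a bare '-' is a range, '\\-' a literal hyphen."""
    items = []
    for item in spec.split(","):
        parts = re.split(r"(?<!\\)-", item)        # split only on unescaped hyphens
        items.append(tuple(p.replace("\\-", "-") for p in parts))
    return items


def check_port_item(parts, proto, table):
    """Return a problem string for one port item (single or range), or None."""
    if len(parts) > 2 or any(p == "" for p in parts):
        return "malformed port range"
    for p in parts:
        if p.isdigit():
            if not 0 <= int(p) <= 65535:
                return f"port {p} out of range"
            continue
        if (p, proto) in table:
            continue
        others = sorted(pr for (n, pr) in table if n == p)
        if others:
            return f"{p} is a {'/'.join(others)} service, not {proto}"
        return f"{p} is not in /etc/services"
    return None


def check_rules(rules_text, services_text):
    """Return [(line_no, item, problem)] for every port item ipfw could not resolve."""
    table = parse_services(services_text)
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        toks = raw.split("#", 1)[0].split()
        if not toks or toks[0] != "add" or "from" not in toks or "to" not in toks:
            continue
        i_from, i_to = toks.index("from"), toks.index("to")
        proto = toks[i_from - 1]
        if proto not in ("tcp", "udp"):
            continue                               # only tcp/udp rules carry port lists
        specs = []
        if i_to - i_from == 3:                     # "from <addr> <ports> to"
            specs.append(toks[i_from + 2])
        if i_to + 2 < len(toks) and toks[i_to + 2] not in OPTION_KEYWORDS:
            specs.append(toks[i_to + 2])           # "to <addr> <ports>"
        for spec in specs:
            for parts in split_port_tokens(spec):
                problem = check_port_item(parts, proto, table)
                if problem:
                    findings.append((lineno, "-".join(parts), problem))
    return findings


if __name__ == "__main__":
    for lineno, item, problem in check_rules(RULES, SERVICES_EXCERPT):
        print(f"rule line {lineno}: {item}: {problem}")
```

Run against a real system, swap `SERVICES_EXCERPT` for the contents of `/etc/services` and `RULES` for the rule file; anything reported is a line ipfw will refuse. Because an unescaped hyphen is treated as a range, a name like the `irc-serv` in the quoted udp line is looked up as two endpoints, which is why the tcp lines in the same file write it as `irc\-serv`.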