From owner-freebsd-questions@FreeBSD.ORG Mon Dec 8 15:34:09 2008
From: Mel
To: freebsd-questions@freebsd.org, gwg7webbcom@yahoo.com
Date: Mon, 8 Dec 2008 16:33:58 +0100
Subject: Re: IPFW Firewall Question
In-Reply-To: <198267.54082.qm@web52209.mail.re2.yahoo.com>
Message-Id: <200812081634.01296.fbsd.questions@rachie.is-a-geek.net>

On Friday 05 December 2008 20:29:40 G magicman wrote:
> I have tried this; it did not work, and the Co-Lo people are convinced that
> sshd and sendmail need to be run out of inetd.conf for this to work.

That wouldn't explain sshd being linked against libwrap. Did you comment:

# The rules here work on a "First match wins" basis.
ALL : ALL : allow

> As I said, I am used to BSDI and the Finnish SSHD

Hehe, I remember having libwrap as backup, cause the firewall's
pre-in/pre-out/in/out concepts were confusing at times.
Anyway, I'll give you a pf example, maybe someone with ipfw skills will pick
it up and translate, or you can kldload pf and use that ;)
===============
openports="{ 11, 21, 22, 23, 25, 37, 42, 43, 53, 63, 69, 70, 80, 101, 109, 110, 115, 119, 123, 143, 443, 4321, 50001 }"
# Table names were stripped from the archived message (angle brackets lost);
# <trusted> and <spammers> below are placeholders for the original names.
table <trusted> persist { 209.131.0.0/16, 66.65.0.0/16, 71.173.96.0/19, \
    71.173.128.0/17, blabla }
table <spammers> persist file "/etc/pf/spammers.table"
ext_if="bge0"           # External interface

# Rules, last match wins
block in all
pass in from <trusted> to any
pass in on $ext_if proto {tcp, udp} from any to ($ext_if) port $openports
block in on $ext_if from <spammers> to any port 25
===============
The file /etc/pf/spammers.table can then be filled with one CIDR per line,
easy to maintain/fail and possible to have the file maintained by grok or
alike automation scripts. The file is only read on start up, but the table
can be maintained 'live', using pfctl -T commands.

Hope this helps.
-- 
Mel

Problem with today's modular software: they start with the modules and never
get to the software part.
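As an added illustration of the "maintain the table live" step above (example code, not from Mel's message): a small POSIX sh script that validates a one-CIDR-per-line table file before handing it to `pfctl -T replace`, so a malformed line from an automation script is caught instead of being loaded. It assumes the table is named `spammers` (a placeholder; the real name was lost in the archive), accepts only IPv4 entries, and lets `PFCTL` be overridden for dry runs.

```shell
#!/bin/sh
# Added example: validate a pf table file, then replace the live table.
# Assumptions: table name "spammers" is a placeholder; pfctl is on PATH
# (override PFCTL=true for a dry run); only IPv4 addresses/CIDRs accepted.
PFCTL="${PFCTL:-pfctl}"

# valid_cidr: return 0 if $1 is an IPv4 address or IPv4/prefix, else 1.
valid_cidr() {
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then prefix=32; else prefix=${1#*/}; fi
    case $prefix in
        ''|*[!0-9]*) return 1 ;;        # prefix must be all digits
    esac
    [ "$prefix" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.
    set -- $addr                        # split into octets
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;    # octet must be all digits
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# check_table_file: report each bad line on stderr; return the bad-line count
# (0 means the file is clean). Blank lines and '#' comments are allowed.
check_table_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -z "$entry" ] && continue
        valid_cidr "$entry" || { echo "bad entry: $line" >&2; bad=$((bad+1)); }
    done < "$1"
    return "$bad"
}

# load_table TABLE FILE: validate, then atomically replace the table contents
# with pfctl -T replace, leaving the old contents in place on any error.
load_table() {
    check_table_file "$2" || return 1
    "$PFCTL" -t "$1" -T replace -f "$2"
}
```

Run as `load_table spammers /etc/pf/spammers.table` from cron or the automation script that rewrites the file.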