From owner-freebsd-security Fri Nov 5 21:52:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta1.snfc21.pbi.net (mta1.snfc21.pbi.net [206.13.28.122]) by hub.freebsd.org (Postfix) with ESMTP id A539014BE9 for ; Fri, 5 Nov 1999 21:52:46 -0800 (PST) (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169]) by mta1.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8) with SMTP id <0FKR001CMHJRNR@mta1.snfc21.pbi.net> for freebsd-security@freebsd.org; Fri, 5 Nov 1999 21:50:15 -0800 (PST)
Date: Fri, 05 Nov 1999 21:44:51 -0800
From: The Mad Scientist
Subject: Re: FW: rc.firewall
X-Sender: i289861@mail.thegrid.net
To: freebsd-security@freebsd.org
Message-id: <4.1.19991105214436.00969f00@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:44 AM 11/4/99 -0700, you wrote:
>hello, i was checking out my firewall, and it seems that it doesn't actually
>do anything =), i've been trying to get it to block FTP lately for example,
>but when i ftp in from a remote host it isn't blocked..
>
>Could someone help me?
>
>This is my situation:
> I am running DHCPclient and as such i don't have a static ip that i could
>put into the rc.firewall, i was told that it would be OK to generalize the
>whole thing (ie any to any) but it doesn't appear to be working..
>
>#!/bin/sh
>fwcmd="/sbin/ipfw -N"
>$fwcmd -f flush

Remember that rules are examined sequentially.  Rule 110 allows everything
through.  Next, you have to remember that the rules will apply to packets
going in either direction if they're left unqualified such as in rule 310.

Here's something that should do it:

$fwcmd add deny tcp from any to any 21 in via xl0
$fwcmd add deny tcp from any 20 to any out xmit xl0

This denies connections to the ftp server port and an outgoing data
connection.  If you're not running an ftp server on that machine, the second
rule isn't really necessary.  Even if you are running an ftp server, it
shouldn't be opening rogue data channels to machines that haven't set up the
command channel, but you never know.  See below for further comments.

>$fwcmd add 100 divert natd all from any to any via xl0
>$fwcmd add 110 pass all from any to any
>$fwcmd add 120 pass all from any to any via lo0
>$fwcmd add 130 pass tcp from any to any established
>$fwcmd add 144 pass all from 10.0.0.0/3 to any
>
>#accept
>$fwcmd add 200 pass tcp from any to any 25 # sendmail
>#$fwcmd add 310 pass tcp from any to any 20-21 # ftp
>$fwcmd add 320 pass tcp from any to any 22 # ssh
>$fwcmd add 315 pass udp from any 53 to any # dns (don't log)
>##$fwcmd add 318 pass udp from any 9000 to any # Asherons Call
>$fwcmd add 350 pass tcp from any to any 80 # werld wide weeb
>$fwcmd add 320 pass tcp from any to any 110 # pop3
>
>#deny
>$fwcmd add 10000 deny log tcp from any to any 20-21 # block FTP
>$fwcmd add 10001 deny log udp from any to any 20-21 # block FTP
>$fwcmd add 10160 deny log icmp from any to any #icmp
>$fwcmd add 10160 deny log udp from any to any #udp
>$fwcmd add 10155 deny log tcp from any to any 2049 #nfs (tcp)
>$fwcmd add 10155 deny log tcp from any to any 0-1024 #services
>$fwcmd add 10155 deny log tcp from any to any 12300-12350 #netbus
>$fwcmd add 10150 deny log tcp from any to any 23 # use ssh not telnet
>
>Please someone help? Why doesn't this appear to work..
>
>(the only thing i could do to stop ftp was comment it out in /etc/services)

/etc/services is just a database of known servers that run on different ports.
I think you're looking for /etc/inetd.conf

>
>I'm new to ipfw, and wouldn't mind if someone could help and or point me to
>resources that would help with this problem
>
>Thanks!
>Curtis

HTH
-Dean

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
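Dean's diagnosis (rules are examined sequentially, rule 110 passes everything before the deny rules are reached, and an unqualified rule matches packets in both directions) can be checked with the small first-match simulator below. It is an added example, not code from the thread or from ipfw itself: it models only the "from any to any" TCP/UDP rules with optional ports, direction and interface, and it assumes Dean's two unnumbered deny rules are given number 105 so they sort ahead of rule 110. The packets are constructed for the demonstration.

```python
# Added example, not code from the thread: a toy first-match evaluator that
# imitates how ipfw walks its rule list, so Dean's two points can be checked:
# rule 110 "pass all" matches before any deny rule is reached, and an
# unqualified rule matches both directions while "in via xl0" limits a rule
# to inbound packets on xl0. Only "from any to any" TCP/UDP rules with
# optional ports, direction and interface are modelled (addresses, the natd
# divert, "established" and logging are ignored); giving Dean's unnumbered
# deny rules the number 105 so they sort ahead of rule 110 is an assumption.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    direction: str  # "in" or "out"
    iface: str      # interface the packet crosses, e.g. "xl0"

@dataclass
class Rule:
    number: int
    action: str                        # "pass" or "deny"
    proto: str                         # "all", "tcp" or "udp"
    sports: Optional[Tuple[int, int]]  # None = any source port
    dports: Optional[Tuple[int, int]]  # None = any destination port
    direction: Optional[str]           # "in", "out" or None (either way)
    iface: Optional[str]               # interface name or None (any)

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and _port_in(p.sport, self.sports) and _port_in(p.dport, self.dports)
                and self.direction in (None, p.direction)
                and self.iface in (None, p.iface))

def _port_in(port, rng): return rng is None or rng[0] <= port <= rng[1]
def _ports(tok):  # "21" -> (21, 21), "20-21" -> (20, 21)
    lo, _, hi = tok.partition("-")
    return (int(lo), int(hi or lo))

def parse_rule(line: str, number: Optional[int] = None) -> Rule:
    """Parse one '$fwcmd add ...' line as written in the thread; `number` applies when the line has none."""
    t = line.split("#", 1)[0].replace("$fwcmd", "").split()  # drop comment and prefix
    assert t[0] == "add", line
    i = 1
    if t[i].isdigit():
        number, i = int(t[i]), i + 1
    action, i = t[i], i + 1
    if t[i] == "log":  # logging does not change the decision
        i += 1
    proto, i = t[i], i + 1
    assert t[i:i + 2] == ["from", "any"], "only 'from any' is modelled"
    i += 2
    sports = None
    if t[i] != "to":
        sports, i = _ports(t[i]), i + 1
    assert t[i:i + 2] == ["to", "any"], "only 'to any' is modelled"
    i += 2
    dports = None
    if i < len(t) and t[i] not in ("in", "out", "via", "xmit"):
        dports, i = _ports(t[i]), i + 1
    direction = iface = None
    while i < len(t):
        if t[i] in ("in", "out"):
            direction = t[i]
        elif t[i] in ("via", "xmit"):  # xmit is treated like via here
            i, iface = i + 1, t[i + 1]
        i += 1
    return Rule(number, action, proto, sports, dports, direction, iface)

def evaluate(rules, packet: Packet) -> Tuple[str, int]:
    """Lowest number first, first match decides, implicit rule 65535 denies (sort is stable)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(packet):
            return r.action, r.number
    return "deny", 65535

# Curtis's "any to any" rules in the order he adds them (100, 130 and 144 are
# left out: divert, "established" and addresses are not modelled here).
CURTIS_RULES = [parse_rule(l) for l in """
$fwcmd add 110 pass all from any to any
$fwcmd add 120 pass all from any to any via lo0
$fwcmd add 200 pass tcp from any to any 25 # sendmail
$fwcmd add 320 pass tcp from any to any 22 # ssh
$fwcmd add 315 pass udp from any 53 to any # dns (don't log)
$fwcmd add 10000 deny log tcp from any to any 20-21 # block FTP
$fwcmd add 10150 deny log tcp from any to any 23 # use ssh not telnet
""".strip().splitlines()]

# Dean's two deny rules, numbered 105 (assumption) so they precede rule 110.
FIXED_RULES = [
    parse_rule("$fwcmd add deny tcp from any to any 21 in via xl0", number=105),
    parse_rule("$fwcmd add deny tcp from any 20 to any out xmit xl0", number=105),
] + CURTIS_RULES

# Constructed packets: a remote client's SYN to the local FTP port, and the
# local machine opening a control connection to a remote FTP server.
FTP_IN = Packet("tcp", sport=40000, dport=21, direction="in", iface="xl0")
FTP_OUT = Packet("tcp", sport=40001, dport=21, direction="out", iface="xl0")

print(evaluate(CURTIS_RULES, FTP_IN))          # ('pass', 110): deny rules never reached
print(evaluate(FIXED_RULES, FTP_IN))           # ('deny', 105): Dean's inbound deny fires
print(evaluate(FIXED_RULES, FTP_OUT))          # ('pass', 110): "in via xl0" spares outbound
print(evaluate([CURTIS_RULES[-2]], FTP_OUT))   # ('deny', 10000): unqualified, hits both ways
```

The last line shows the second point in Dean's reply: Curtis's rule 10000 carries no direction or interface, so on the rare occasion it is reached it also blocks the machine's own outbound FTP sessions, which is why the replacement rule is qualified with "in via xl0".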