Date:      Sun, 11 Apr 1999 02:19:17 -0400
From:      Christopher Michaels <ChrisMic@clientlogic.com>
To:        "'sporkl@ix.netcom.com'" <sporkl@ix.netcom.com>
Cc:        "FreeBSD Mailing List (E-mail)" <questions@FreeBSD.ORG>
Subject:   RE: IPFW filtering on a dynamic linkup.
Message-ID:  <6C37EE640B78D2118D2F00A0C90FCB441A605D@site2s1>

> -----Original Message-----
> From:	Spike [SMTP:spork@startrekmail.com]
> Sent:	Sunday, April 11, 1999 1:59 AM
> To:	Christopher Michaels
> Cc:	FreeBSD Mailing List (E-mail)
> Subject:	Re: IPFW filtering on a dynamic linkup.
> 
> On Sun, 11 Apr 1999, Christopher Michaels wrote:
> 
> > FreeBSD-2.2.8
> > 
> > Hello,
> >  I've been trying to figure out how to do this to no avail.  I have a
> > dialup link, using usermode ppp on the tun0 device.  What I would like to
> > be able to do is filter requests going to specific ports, via the dialup
> > link.  So for example, if someone tries to connect to my machine's telnet
> > port (23) it'll be filtered.  I don't want to filter out requests via the
> > fxp0 interface though.  I also do not want to filter out any requests to
> > port 23 going out over the tun0 device.  The thing is, most of the example
> > rules in the ipfw config file need the machine's IP address to do this,
> > and it is a dynamic address.
> 
> You can use ipfw (man ipfw) to do this.  In order to get your IP address,
> do the following:
> 
> ifconfig tun0 | grep inet | sed -e 's/inet //' -e 's/ -->.*//'
> 
> This will print your IP. I have a list of firewall rules in a shell
> script. A simple example is:
> 
> #!/bin/sh
> /sbin/ipfw add pass all from "$1" to any
> 
> Then, you use xargs to make the output of the first command I gave you into
> the script full of ipfw rules. Example:
> 
> #!/bin/sh
> 
> ifconfig tun0 | grep inet | sed -e 's/inet //' -e 's/ -->.*//' |
> xargs -t /etc/firewallrules.sh
> 
> You can not block packets coming in fxp0 by specifying the interface on
> all your ipfw rules. Example:
> 
> ipfw add pass log tcp from any to $1 23 via tun0
> 					^^^^^^^^
> 
	Huh? You totally lost me there.  Can you possibly reword the above
statement? I'm sorry to say it doesn't make sense to me.  I think that by my
referencing fxp0 at all I confused the issue.  fxp0 is on the internal
ethernet (which you probably figured out).

	All I meant is that if I set a rule that was something to the effect
of...
		ipfw add 1000 deny tcp from any to any 23 via tun0

	...that it would block all traffic that was destined for port 23 on
any machine (over tun0), which obviously is not what I want.  I could
technically add a subnet mask to the destination and just suck in all the
IPs that my ISP uses, and that would do the job effectively, but it would
limit me if I were to connect to someone else's machine from my ISP.

	Now if I were to use something like your solution, I would be
replacing that second any with the ip address of my FreeBSD machine.  Which
makes sense conceptually, and is basically what I want to do.

	Am I supposed to run this script in ppp.linkup?  Do the commands you
gave above account for the fact that the ppp link has a tendency to build up
a painfully large list of IP addresses?  (I cannot test this till I get home;
I'm at work now.)  There are times when I'll do an 'ifconfig tun0' and have
20-odd addresses listed.  I know how to clean that out, and it is off topic.
> > 
> > Also, is there any way/anywhere that ipfw logs packets that matched a
> > specific rule, as in when and where it originated?
> 
> Use the "log" command to ipfw. You need to define "options
> IPFIREWALL_VERBOSE" in your kernel config file, as well as the "options
> IPFIREWALL" needed for basic ipfw. 
> 
	Where does it store this information?  I believe I have these
already compiled in.  I know I can get a readout of how many packets matched
a given rule, I want to know where they came from though.  Is this even
possible with ipfw?

> > 
> > Any help, pointers, references (other than 'man ipfw' unless you are
> > pointing out a specific thing I missed) would be appreciated.
> > -Chris
> > 
> > P.S. I don't want to use tcpwrappers, citing the telnet port was just an
> > example.
> > 
> 
> 
> 	-Spike Gronim
> 	 sporkl@ix.netcom.com	
> 	 Finger gronimw@shell.stuy.edu for PGP public key.
> 
> 		The majority only rules those who let them. 


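The script the two messages above circle around, written out as an added example: it is not Spike's /etc/firewallrules.sh and not anything posted in this thread. It reads the current tun0 address the same way (from ifconfig), but keeps only the most recent address so a stale list does not feed extra arguments to the rule script, and it uses the direction keywords 'in via tun0' / 'out via tun0' so that only connections ARRIVING over the dialup link toward port 23 are dropped, while outgoing telnet from the box and everything on fxp0 is untouched. Assumptions: that the installed ipfw(8) accepts 'in'/'out' together with 'via' (check the man page on the 2.2.8 box), that rule numbers 1000/1100/65000 are free, and that the addresses in the sample ifconfig output are constructed documentation addresses.

```shell
#!/bin/sh
# Added example for this thread; it is not code from either poster.
# Assumptions (not facts from the thread):
#  - the installed ipfw(8) accepts the 'in' / 'out' direction keywords
#    alongside 'via <iface>' (check the man page on the 2.2.8 box);
#  - rule numbers 1000, 1100 and 65000 are arbitrary choices;
#  - addresses are RFC 5737 documentation addresses, constructed as sample
#    data. Nothing touches a real interface unless install_rules is called.

# Constructed sample of what 'ifconfig tun0' prints once user-ppp has left
# stale addresses behind on the interface: the live address is the LAST
# 'inet' line, the earlier ones are leftovers from previous connections.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING> mtu 1500
        inet 192.0.2.10 --> 198.51.100.1 netmask 0xffffffff
        inet 192.0.2.11 --> 198.51.100.1 netmask 0xffffffff'

# Print only the most recent tun0 address from ifconfig output on stdin.
# grep|sed prints one line per address, so with a stale list xargs would hand
# the rule script several arguments; keeping just the last match avoids that.
tun_addr() {
    awk '$1 == "inet" { addr = $2 } END { print addr }'
}

# Emit the rule set for local address $1 on interface $2, one 'ipfw add'
# argument list per line, so it can be reviewed before anything is installed.
# The direction keywords do the real work: 'in via tun0' only matches packets
# ARRIVING on the dialup interface, so telnet sessions opened from this box
# (which leave 'out via tun0' and whose replies come FROM port 23) and all
# traffic on fxp0 are never touched.
build_rules() {
    addr=$1
    iface=$2
    # Deny, and log, inbound connections to this machine's telnet port that
    # arrive over the dialup link.
    printf '1000 deny log tcp from any to %s 23 in via %s\n' "$addr" "$iface"
    # Explicitly allow telnet this machine initiates over the dialup link.
    printf '1100 pass tcp from any to any 23 out via %s\n' "$iface"
    # Everything else through: an open policy except for the port above.
    printf '65000 pass all from any to any\n'
}

# Rebuild the rules for whatever address the interface currently has.
# Intended to be run from /etc/ppp/ppp.linkup so it reruns on every
# reconnect with the new address.
install_rules() {
    iface=${1:-tun0}
    addr=$(ifconfig "$iface" | tun_addr)
    if [ -z "$addr" ]; then
        echo "no inet address on $iface" >&2
        return 1
    fi
    # Delete the previous connection's rules by number rather than flushing
    # everything, so rules that do not depend on the dialup address survive.
    for n in 1000 1100 65000; do
        ipfw delete "$n" 2>/dev/null || true
    done
    build_rules "$addr" "$iface" | while read -r rule; do
        # $rule is intentionally unquoted: each word is a separate argument.
        ipfw add $rule
    done
}

# With FW_INSTALL=yes in the environment, install for real on FW_IFACE
# (default tun0); otherwise only print the rules the sample output yields.
if [ "${FW_INSTALL:-}" = yes ]; then
    install_rules "${FW_IFACE:-tun0}"
else
    build_rules "$(printf '%s\n' "$SAMPLE_IFCONFIG" | tun_addr)" tun0
fi
```

To hook it up, have ppp.linkup run it (user-ppp's shell command; check ppp(8) on the box for the exact syntax) with FW_INSTALL=yes, so the rules are regenerated with the new address on each link-up. With the kernel options Spike mentions (IPFIREWALL and IPFIREWALL_VERBOSE), a rule carrying 'log' reports each match through the kernel log, so look in /var/log/messages (or dmesg) for lines naming the rule number, the source and destination address:port, and the interface; that is where the "where did it come from" part of the question gets answered.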
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6C37EE640B78D2118D2F00A0C90FCB441A605D>