Date:      Mon, 12 Apr 1999 14:58:14 -0400
From:      "Christopher J. Michaels" <cjm2@earthling.net>
To:        <sporkl@ix.netcom.com>
Cc:        "'FreeBSD Mailing List (E-mail)'" <questions@FreeBSD.ORG>
Subject:   RE: IPFW filtering on a dynamic linkup.
Message-ID:  <000601be8516$6befb980$6400000a@weeble.dyndns.org>
In-Reply-To: <Pine.BSF.4.05.9904111304150.337-100000@pigstuy.penguinpowered.com>

Ok, one last question...

I'd like to block all access coming in via the tun0 interface to all the
reserved ports 1-1024, and then open up ports as I need them.  This is
partly paranoia and partly a learning experience.

Now, I'm leaving 113 open for ident, and I found out the hard way that I
need to leave 53 open for DNS otherwise it doesn't seem to work at all.

Does anyone know of any other ports that I will need to keep open so that
things function properly?

-Chris


-----Original Message-----
From: Spike [mailto:spork@startrekmail.com]
Sent: Sunday, April 11, 1999 1:21 PM
To: Christopher Michaels
Cc: FreeBSD Mailing List (E-mail)
Subject: RE: IPFW filtering on a dynamic linkup.


On Sun, 11 Apr 1999, Christopher Michaels wrote:

> > -----Original Message-----
> > From:	Spike [SMTP:spork@startrekmail.com]
> > Sent:	Sunday, April 11, 1999 1:59 AM
> > To:	Christopher Michaels
> > Cc:	FreeBSD Mailing List (E-mail)
> > Subject:	Re: IPFW filtering on a dynamic linkup.
> >
> > On Sun, 11 Apr 1999, Christopher Michaels wrote:
> >
> > > FreeBSD-2.2.8
> > >
> > > Hello,
> > >  I've been trying to figure out how to do this to no avail.  I have a
> > > dialup link, using usermode ppp on the tun0 device.  What I would like
> > > to be able to do is filter requests going to specific ports, via the
> > > dialup link.  So for example, if someone tries to connect to my
> > > machine's telnet port (23) it'll be filtered.  I don't want to filter
> > > out requests via the fxp0 interface though.  I also do not want to
> > > filter out any requests to port 23 going out over the tun0 device.  The
> > > thing is, most of the example rules in the ipfw config file need the
> > > machine's IP address to do this, and it is a dynamic address.
> >
> > You can use ipfw (man ipfw) to do this.  In order to get your IP
> > address, do the following:
> >
> > ifconfig tun0 | grep inet | sed -e 's/inet //' -e 's/ -->.*//'
> >
> > This will print your IP. I have a list of firewall rules in a shell
> > script. A simple example is:
> >
> > #!/bin/sh
> > /sbin/ipfw add pass any from $1 to any
> >
> > Then, you use xargs to make the output of the first command I gave you
> > into the script full of ipfw rules. Example:
> >
> > #!/bin/sh
> >
> > ifconfig tun0 | grep inet | sed -e 's/inet //' -e 's/ -->.*//' |
> > xargs -t /etc/firewallrules.sh
> >
> > You can not block packets coming in fxp0 by specifying the interface on
> > all your ipfw rules. Example:
> >
> > ipfw add pass log any from any to $1 23 via tun0
> > 					^^^^^^^^
> >
> 	Huh?  You totally lost me there.  Can you possibly reword that above
> statement?  I'm sorry to say it doesn't make sense to me.  I think that by
> my referencing fxp0 at all I confused the issue.  fxp0 is on the internal
> ethernet (which you probably figured out).
>
> 	All I meant is that if I set a rule that was something to the effect
> of...
> 		ipfw add 1000 deny tcp from any to any 23 via tun0
>
> 	...that it would block all traffic that was destined for port 23 on
> any machine (over tun0).  Which obviously is not what I want.  I could
> technically add a subnet mask to the destination and just suck in all the
> IPs that my ISP uses, and that would do the job effectively, but it would
> limit me if I were to connect to someone else's machine from my ISP.

Ahhh, I see. I'm sorry, I didn't understand that you needed to filter only
for the ppp machine but not have the filter block data to the machines on
the other side of fxp0. This will filter telnet to the ppp machine but not
telnet data going to machines over fxp0:

($1 is the telnet machine's IP)

ipfw add 900 pass tcp from any to (other machine's IP) 23 via tun0
ipfw add 1000 deny tcp from any to $1 23 via tun0

The first rule is possibly redundant, though I'm not sure.
>
> 	Now if I were to use something like your solution, I would be
> replacing that second any with the IP address of my FreeBSD machine.
> Which makes sense conceptually, and is basically what I want to do.
>
> 	Am I supposed to run this script in ppp.linkup?  Do the commands you
> gave above account for the fact that the ppp link has a tendency to build
> up a painfully large list of IP addresses (I cannot test this till I get
> home, I'm at work now)?  There are times when I'll do an 'ifconfig tun0'
> and have 20 odd addresses listed.  I know how to clean that out and it is
> off topic.

Well, that isn't what I've done but I believe it would be possible using
ppp's !, shell, or !bg commands. What I've done is make ppp one element of
a script. I run ppp in -background mode, and it dials out and then
detaches. After it detaches, I run other scripts I need to run when I get
online.

As for the problem of tun0 building up IP addresses, you could either
place the commands to get rid of that at the beginning of your script that
determines your IP, or you could use another method to learn your IP.

This other method could be the following: Take your routing table (netstat
-rn) and grep for your ISP's terminal server's IP (or a big enough chunk
of it to match, if your ISP has more than one.) This leaves you with two
routes: default, which is you -> terminal server, and the opposite, which
is terminal server -> you. Use sed to delete the line for the default
route, and then awk to sift your IP out of the remaining line. This would
be:

#!/bin/sh

# Replace <terminal server's IP> with your ISP's terminal server address.
# After the default route is dropped, the remaining line is the host route
# to the terminal server, whose gateway column ($2) is your own address.
netstat -rn |
grep "<terminal server's IP>" |
sed -e '/default/d' |
awk '{print $2}'


Hope this helps.

> > >
> > > Also, is there anyway/anywhere that ipfw logs packets that matched a
> > > specific rule, as in where and where it originated?
> >
> > Use the "log" command to ipfw. You need to define "options
> > IPFIREWALL_VERBOSE" in your kernel config file, as well as the "options
> > IPFIREWALL" needed for basic ipfw.
> >
> 	Where does it store this information?  I believe I have these
> already compiled in.  I know I can get a readout of how many packets
> matched a given rule, I want to know where they came from though.  Is
> this even possible with ipfw?

It stores this information in /var/log/messages.

>
> > >
> > > Any help, pointers, references (other than 'man ipfw' unless you are
> > > pointing out a specific thing I missed) would be appreciated.
> > > -Chris
> > >
> > > P.S. I don't want to use tcpwrappers, citing the telnet port was just
> > > an example.
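
As an added example (not code from either poster), here is a script that puts the pieces of this thread together: it pulls the current address off tun0 with Spike's sed pipe, then emits the rule set Chris describes (deny inbound TCP to ports 1-1024 on tun0, with 53 and 113 allowed first) without touching fxp0 or outgoing connections. The sample ifconfig text, the rule numbers and the assumption that the newest tun0 address is listed last are mine, not the thread's.

```shell
#!/bin/sh
# Added example: generate the ipfw rules for whatever address tun0 holds now.
# Only inbound packets on tun0 are matched, so fxp0 and outgoing traffic
# over tun0 are left alone.

# Constructed sample of `ifconfig tun0` output with a stale address left over
# from an earlier link-up (the "20 odd addresses" problem from the thread).
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.20.30.41 --> 10.20.30.1 netmask 0xffffffff
    inet 10.20.30.77 --> 10.20.30.1 netmask 0xffffffff'

# Read ifconfig text on stdin and print the local address of the last inet
# line only (assumption: the most recently assigned address is listed last).
last_tun_ip() {
    grep 'inet ' | sed -e 's/^[[:space:]]*inet //' -e 's/ -->.*//' | tail -n 1
}

# Print the ipfw commands for address $1 without running them. The pass rules
# carry lower numbers than the deny so they are evaluated first; "log" on the
# deny rule sends matches to /var/log/messages as discussed in the thread.
gen_rules() {
    ip=$1
    echo "ipfw add 900 pass tcp from any to $ip 53 in via tun0"
    echo "ipfw add 901 pass udp from any to $ip 53 in via tun0"
    echo "ipfw add 902 pass tcp from any to $ip 113 in via tun0"
    echo "ipfw add 1000 deny log tcp from any to $ip 1-1024 in via tun0"
}

# Install the rules on a live system (e.g. called from ppp.linkup as root).
# Not invoked here; it needs a real tun0 and ipfw.
apply_rules() {
    gen_rules "$(ifconfig tun0 | last_tun_ip)" | sh
}
```

Run `gen_rules` on the address first to review the commands before wiring `apply_rules` into the link-up path.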



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000601be8516$6befb980$6400000a>