Date:      Tue, 13 Apr 1999 22:06:06 -0400
From:      "Christopher J. Michaels" <cjm2@earthling.net>
To:        <sporkl@ix.netcom.com>
Cc:        "'FreeBSD Mailing List (E-mail)'" <questions@FreeBSD.ORG>
Subject:   RE: IPFW filtering on a dynamic linkup.
Message-ID:  <001a01be861b$5b2d7fa0$6400000a@weeble.dyndns.org>
In-Reply-To: <Pine.BSF.4.05.9904121853010.316-100000@pigstuy.penguinpowered.com>

Well, the strange thing was that not a single DNS query would resolve unless
I opened port 53.  I don't quite understand it myself.
-Chris

-----Original Message-----
From: Spike [mailto:spork@startrekmail.com]
Sent: Monday, April 12, 1999 7:00 PM
To: Christopher J. Michaels
Cc: 'FreeBSD Mailing List (E-mail)'
Subject: RE: IPFW filtering on a dynamic linkup.


On Mon, 12 Apr 1999, Christopher J. Michaels wrote:

> Ok, one last question...
>
> I'd like to block all access coming in via the tun0 interface to all the
> reserved ports 1-1024, and then open up ports as I need them.  This is
> partly paranoia and partly a learning experience.

ipfw add 1000 deny tcp from any to {localhost IP} 1-1024 via tun0

>
> Now, i'm leaving 113 open for ident, and I found out the hard way that I
> need to leave 53 open for DNS otherwise it doesn't seem to work at all.

ipfw add 900 pass tcp from any to {localhost IP} 113,53
ipfw add 901 pass udp from any to {localhost IP} 53

I don't have port 53 open (UDP or TCP) to the outside world, so I don't
see why you need the rules opening port 53.

>
> Does anyone know of any other ports that I will need to keep open so that
> things function properly.

Nope, as long as localhost can send data to any part of itself (as in,
ipfw add pass any from any to any via lo0) you shouldn't *need* anything
open. Certain programs might need open ports via tun0, and those will
error and then you can open up what they need.

>
> -Chris
>
>
> -----Original Message-----
> From: Spike [mailto:spork@startrekmail.com]
> Sent: Sunday, April 11, 1999 1:21 PM
> To: Christopher Michaels
> Cc: FreeBSD Mailing List (E-mail)
> Subject: RE: IPFW filtering on a dynamic linkup.
>
>
> On Sun, 11 Apr 1999, Christopher Michaels wrote:
>
> > > -----Original Message-----
> > > From:	Spike [SMTP:spork@startrekmail.com]
> > > Sent:	Sunday, April 11, 1999 1:59 AM
> > > To:	Christopher Michaels
> > > Cc:	FreeBSD Mailing List (E-mail)
> > > Subject:	Re: IPFW filtering on a dynamic linkup.
> > >
> > > On Sun, 11 Apr 1999, Christopher Michaels wrote:
> > >
> > > > FreeBSD-2.2.8
> > > >
> > > > Hello,
> > > >  I've been trying to figure out how to do this to no avail.  I have a
> > > > dialup link, using usermode ppp on the tun0 device.  What I would like
> > > > to be able to do is filter requests going to specific ports, via the
> > > > dialup link.  So for example, if someone tries to connect to my
> > > > machine's telnet port (23) it'll be filtered.  I don't want to filter
> > > > out requests via the fxp0 interface though.  I also do not want to
> > > > filter out any requests to port 23 going out over the tun0 device.
> > > > The thing is, most of the example rules in the ipfw config file need
> > > > the machine's IP address to do this, and it is a dynamic address.
> > >
> > > You can use ipfw (man ipfw) to do this.  In order to get your IP
> > > address, do the following:
> > >
> > > ifconfig tun0 | grep inet | sed -e 's/inet //' -e 's/ -->.*//'
> > >
> > > This will print your IP. I have a list of firewall rules in a shell
> > > script. A simple example is:
> > >
> > > #!/bin/sh
> > > /sbin/ipfw add pass any from $1 to any
> > >
> > > Then, you use xargs to make the output of the first command I gave you
> > > into the script full of ipfw rules. Example:
> > >
> > > #!/bin/sh
> > >
> > > ifconfig tun0 | grep inet | sed -e 's/inet //' -e 's/ -->.*//' |
> > > xargs -t /etc/firewallrules.sh
> > >
> > > You can not block packets coming in fxp0 by specifying the interface
> > > on all your ipfw rules. Example:
> > >
> > > ipfw add pass log any from any to $1 23 via tun0
> > > 					^^^^^^^^
> > >
> > 	Huh?  you totally lost me there.  Can you possibly reword that above
> > statement, I'm sorry to say it doesn't make sense to me.  I think that
> > by my referencing fxp0 at all I confused the issue.  fxp0 is on the
> > internal ethernet (which you probably figured out).
> >
> > 	All I meant is that if I set a rule that was something to the effect
> > of...
> > 		ipfw add 1000 deny tcp from any to any 23 via tun0
> >
> > 	...that it would block all traffic that was destined for port 23 on
> > any machine (over tun0).  Which obviously is not what I want.  I could
> > technically add a subnet mask to the destination and just suck in all
> > the ip's that my isp uses, and that would do the job effectively, but it
> > would limit me if I were to connect to someone else's machine from my
> > isp.
>
> Ahhh, I see. I'm sorry, I didn't understand that you needed to filter only
> for the ppp machine but not have the filter block data to the machines on
> the other side of fxp0. This will filter telnet to the ppp machine but not
> telnet data going to machines over fxp0:
>
> ($1 is the telnet machine's IP)
>
> ipfw add 900 pass tcp from any to (other machine's IP) 23 via tun0
> ipfw add 1000 deny tcp from any to $1 23 via tun0
>
> The first rule is possibly redundant, though I'm not sure.
> >
> > 	Now if I were to use something like your solution, I would be
> > replacing that second any with the ip address of my FreeBSD machine.
> > Which makes sense conceptually, and is basically what I want to do.
> >
> > 	Am I supposed to run this script in ppp.linkup?  Do the commands you
> > gave above account for the fact that the ppp link has a tendency to
> > build up a painfully large list of ip addresses (I cannot test this
> > till I get home, I'm at work now).  There are times when I'll do an
> > 'ifconfig tun0' and have 20 odd addresses listed.  I know how to clean
> > that out and it is off topic.
>
> Well, that isn't what I've done but I believe it would be possible using
> ppp's !, shell, or !bg commands. What I've done is make ppp one element of
> a script. I run ppp in -background mode, and it dials out and then
> detaches. After it detaches, I run other scripts I need to run when I get
> online.
>
> As for the problem of tun0 building up IP addresses, you could either
> place the commands to get rid of that at the beginning of your script that
> determines your IP, or you could use another method to learn your IP.
>
> This other method could be the following: Take your routing table (netstat
> -rn) and grep for your ISP's terminal server's IP (or a big enough chunk
> of it to match, if your ISP has more than one.) This leaves you with two
> routes- default, which is you -> terminal server, and the opposite, which
> is terminal server -> you. Use sed to delete the line for the default
> route, and then awk to sift your IP out of the remaining line. This would
> be:
>
> #!/bin/sh
>
> netstat -rn |
> grep {terminal server's IP} |
> sed -e '/default/d' |
> awk '{print $2}'
>
>
> Hope this helps.
>
> > > >
> > > > Also, is there anyway/anywhere that ipfw logs packets that matched a
> > > > specific rule, as in where and where it originated?
> > >
> > > Use the "log" command to ipfw. You need to define "options
> > > IPFIREWALL_VERBOSE" in your kernel config file, as well as the
> > > "options IPFIREWALL" needed for basic ipfw.
> > >
> > 	Where does it store this information?  I believe I have these
> > already compiled in.  I know I can get a readout of how many packets
> > matched a given rule, I want to know where they came from though.  Is
> > this even possible with ipfw?
>
> It stores this information in /var/log/messages.
>
> >
> > > >
> > > > Any help, pointers, references (other than 'man ipfw' unless you are
> > > > pointing out a specific thing I missed) would be appreciated.
> > > > -Chris
> > > >
> > > > P.S. I don't want to use tcpwrappers, citing the telnet port was
> > > > just an example.
>
>
>


	-Spike Gronim
	 sporkl@ix.netcom.com
	 Finger gronimw@shell.stuy.edu for PGP public key.

		The majority only rules those who let them.
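The script below is an added example and is not code from Chris or Spike's messages. It puts the two address-discovery methods from the thread (the ifconfig/sed pipeline and the netstat -rn routing-table lookup) into shell functions, runs them over constructed sample output embedded in the script, and prints the ipfw rule set that was discussed instead of installing it, so it can be dry-run on any system without ipfw. The 10.0.0.x addresses, the interface list and the routing table are all made-up sample values; the only assumption about the real system is that netstat -rn prints Destination and Gateway as its first two columns, which is what the thread's awk '{print $2}' already relies on.

```sh
#!/bin/sh
# Added example, not code from the thread. Finds the dynamic tun0 address
# the two ways the thread describes, then prints (does not run) the ipfw
# rules that were discussed. All addresses below are constructed samples.

# Constructed 'ifconfig tun0' output with one stale address left behind by
# an earlier dial-up, the situation Chris describes.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 10.0.0.133 --> 10.0.0.1 netmask 0xffffffff
	inet 10.0.0.100 --> 10.0.0.1 netmask 0xffffffff'

# Constructed 'netstat -rn' output for the same link: the default route
# points at the terminal server, and the host route for the terminal
# server carries our own address in the Gateway column.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            10.0.0.1           UGSc        2        0      tun0
10.0.0.1           10.0.0.100         UH          3        0      tun0
10.0.0.12          link#1             UHLW        1        5      fxp0
127.0.0.1          127.0.0.1          UH          0        0       lo0'

# Method 1 (ifconfig): reads 'ifconfig tun0' on stdin and prints one line
# per inet address, so it only gives a single answer once stale addresses
# have been cleaned off tun0.
ip_from_ifconfig() {
	grep inet | sed -e 's/^[[:space:]]*inet //' -e 's/ -->.*//'
}

# Method 2 (routing table): $1 is the terminal server's address; reads
# 'netstat -rn' on stdin. The thread's grep/sed/awk pipeline is tightened
# into one awk comparison on the Destination field, so 10.0.0.1 does not
# also match 10.0.0.12, and the default route never matches because its
# destination is the literal word "default".
ip_from_routes() {
	awk -v ts="$1" '$1 == ts { print $2 }'
}

# Emit the rule set discussed in the thread for local address $1. Output is
# text, not executed; pipe it into sh once it looks right. Rule 100 is the
# loopback pass Spike mentions ('all' is ipfw's keyword for any protocol),
# and the final deny carries 'log' so matches show up in /var/log/messages
# with IPFIREWALL_VERBOSE compiled in.
ipfw_rules() {
	cat <<EOF
ipfw add 100 pass all from any to any via lo0
ipfw add 900 pass tcp from any to $1 113 via tun0
ipfw add 901 pass tcp from any to $1 53 via tun0
ipfw add 902 pass udp from any to $1 53 via tun0
ipfw add 1000 deny log tcp from any to $1 1-1024 via tun0
EOF
}

# Dry run on the constructed samples.
MY_IP=$(printf '%s\n' "$SAMPLE_NETSTAT" | ip_from_routes 10.0.0.1)
echo "# local address from routing table: $MY_IP"
ipfw_rules "$MY_IP"
```

On a live system the two sample variables would be replaced by `ifconfig tun0` and `netstat -rn` run from ppp.linkup, and the printed rules piped into sh; keeping the rule text separate from the address lookup makes it easy to review the exact rule set before anything is loaded.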



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message



