From owner-freebsd-stable Sun Mar 25 11: 5:14 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by hub.freebsd.org (Postfix) with ESMTP id D8EB337B719 for ; Sun, 25 Mar 2001 11:05:09 -0800 (PST) (envelope-from mvh@ix.netcom.com)
Received: from netcom1.netcom.com (lai-ca3b-56.ix.netcom.com [209.110.241.56]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id OAA23543; Sun, 25 Mar 2001 14:05:06 -0500 (EST)
Received: by netcom1.netcom.com (Postfix, from userid 1000) id 6C7F4113BD0; Sun, 25 Mar 2001 11:05:03 -0800 (PST)
From: Mike Harding
To: randy@psg.com
Cc: freebsd-stable@freebsd.org
In-reply-to: (message from Randy Bush on Sun, 25 Mar 2001 10:09:25 -0800)
Subject: Re: ipf idiot wants to roam
References:
Message-Id: <20010325190503.6C7F4113BD0@netcom1.netcom.com>
Date: Sun, 25 Mar 2001 11:05:03 -0800 (PST)
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

You can specify interfaces by name in your rules - but you have to issue 'ipf -y' to sync up with interface address changes. I've done this with a dial-up line by putting 'ipf -y' in /etc/rc.network at the end of pass 1. This file should be updated in the distribution so that this happens automatically or ppp users may not see any packet filtering! You then need to call 'ipf -y' in ppp.linkup. I assume something similar for dhcp...

See the following web page, http://coombs.anu.edu.au/ipfilter/ and especially http://www.obfuscation.org/ipf/ipf-howto.txt - you can use dynamic filter rules which are short but secure.

- Mike Harding

From: Randy Bush
Content-Type: text/plain; charset=us-ascii
Date: Sun, 25 Mar 2001 10:09:25 -0800
Sender: owner-freebsd-stable@FreeBSD.ORG
X-Loop: FreeBSD.ORG
Precedence: bulk

[ i can find no list for ipf questions. if folk know of one, please tell me. ]

installing ipf on a machine which roams and therefore changes both interfaces (wi0, ep0, and tun0) and ip addresses. trying to come up with an ipf.rules as a first-time ipf user. help appreciated

randy

---

#!/sbin/ipf -f -
#
#-------------------------------------------------------
#
# short packets which are packets fragmented too short to be real
#
block in log first quick all with short
#
# loose source routed packets
#
block in log first quick all with opt lsrr
block in log first quick all with opt ssrr
#
# reserved addresses
#
block in log first quick from 10.0.0.0/8 to any
block in log first quick from 192.168.0.0/16 to any
block in log first quick from 172.16.0.0/12 to any
#
#-------------------------------------------------------
#
# loopback allows all packets
#
pass in quick on lo0 all
pass out quick on lo0 all
#
#
# Support all icmp connections initiated from inside
#
pass in log first quick proto icmp all keep state
#
pass in quick proto icmp from any to any icmp-type 0
pass in quick proto icmp from any to any icmp-type 11
block in log first quick proto icmp from any to any
#
#-------------------------------------------------------
#
pass in quick proto udp from any to any port = 67   # dhcps
pass in quick proto udp from any to any port = 68   # dhcpc
pass in quick proto udp from any to any port = 123  # ntp
#
pass in quick proto tcp from any to any port = 13   # daytime
pass in quick proto tcp from any to any port = 22   # ssh
pass in quick proto tcp from any to any port = 25   # smtp
pass in quick proto tcp from any to any port = 53   # dns
pass in quick proto tcp from any to any port = 113  # ident
#
#-------------------------------------------------------
#
# Allow any communication between the inside network and the outside only
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
pass in log first quick proto tcp all flags S/SA keep state
#-------------------------------------------------------
#
# log these
#
# return RST packets for invalid SYN packets to help the other end close
block return-rst in log first proto tcp from any to any flags S/SA
# return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
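A link-up helper in the spirit of Mike's ppp.linkup advice, added here as an example and not code from either message: it reports interfaces named with "on <if>" in a rule file that are not currently configured, then runs 'ipf -y' and reloads the rules. The IPF path, the constructed sample rule set, and reading live interface names from 'ifconfig -l' are assumptions and can be overridden.

```shell
#!/bin/sh
# Added example, not from the thread.  Intended to be called from
# ppp.linkup or a dhclient hook after wi0/ep0/tun0 changes address.
# Assumption: IPF points at the ipf binary (override via environment).
IPF="${IPF:-/sbin/ipf}"

# Constructed sample rule set naming several interfaces (not Randy's file).
sample_rules() {
    cat <<'EOF'
pass in quick on lo0 all
pass out quick on lo0 all
# block in quick on ep0 from any to any   (commented out, so ignored)
block in log quick on wi0 from 10.0.0.0/8 to any
pass in quick on tun0 proto tcp from any to any port = 22 keep state
EOF
}

# Print, sorted, every interface named with "on <if>" in the rules read
# from stdin that is absent from $1, a space-separated list of live
# interfaces (normally the output of `ifconfig -l`).
missing_ifaces() {
    live=" $1 "
    out=""
    for i in $(sed -n 's/^[^#]*[[:space:]]on[[:space:]]\([a-z][a-z0-9]*\).*/\1/p' | sort -u); do
        case "$live" in
            *" $i "*) ;;
            *) out="$out $i" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Resync the in-kernel interface list, then flush and reload rule file $1.
# Returns ipf's exit status so the calling hook can log a failed reload.
ipf_resync() {
    "$IPF" -y || return 1        # re-read interface addresses
    "$IPF" -Fa -f "$1"           # flush all rules and load the file again
}

# Typical use from a link-up hook:
#   missing=$(missing_ifaces "$(ifconfig -l)" < /etc/ipf.rules)
#   [ -n "$missing" ] && logger "ipf: rules name absent interfaces: $missing"
#   ipf_resync /etc/ipf.rules || logger "ipf: rule reload failed"
```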