From owner-freebsd-questions@FreeBSD.ORG Mon Oct 25 16:11:11 2004
Date: Mon, 25 Oct 2004 12:14:03 -0400
From: Louis LeBlanc
To: FreeBSD Questions
Message-ID: <20041025161403.GB57087@keyslapper.org>
Subject: moving to 5.3 and need help understanding firewalls

Hey all. I'm getting ready (again) to set up my new system with 5.3 RELEASE the moment the ISOs are published. One thing I need to understand better is the current firewall tool, and how to get my 4.10 firewall moved over from ipfw to pf. Seems there will be a few issues to work out.

Another thing I want to work through is the issue of these hack attempts that everyone has been seeing from Asian (and a few Canadian) networks.
Most of these attempts work with just the basic accounts, like root, guest, test, etc., but recently I've seen a few attempt accounts like nobody, www, operator, and a few userids like oracle, sybase, patrick, john, pamela, backup, etc. This looks like a trend toward finding access through an unprivileged account. I only have a single account that should be able to log in remotely, but I don't want to provide any chances to find it (or one that I missed) and break the PW.

A while back, someone named Chris provided the following snippet:

    ${fwcmd} add 090 pass log tcp from 123.123.123.123/xx to ${ip} 22 setup limit src-addr 4

I found this pretty interesting, but haven't been able to understand it that well. I assumed it was a way to shut an IP out if it failed to complete a login successfully 4 times, but I can't see how this works, so I'm pretty sure I don't understand it correctly. Is this maybe a limit on the concurrent setup requests from a given IP?

I had thought about this one a bit though, and figured that it would be a simple translation to the external network:

    ${fwcmd} add pass log tcp from any to ${ip} 22 setup limit src-addr 4

But I never put it in because I don't understand exactly what it will do. The ipfw manpage is well written, but I kinda need an idiot's guide to bridge whatever intellectual gap I'm running into. Any pointers to said "idiot's guide" would be appreciated. Any newbie-level explanation of the above snippet would be just as appreciated, as would any pointer to any "conversion howto" for the move to pf.

TIA.
Lou
-- 
Louis LeBlanc FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Green's Law of Debate:
Anything is possible if you don't know what you're talking about.
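Added editorial example, not part of Lou's message or of ipfw itself: the `limit src-addr 4` keyword in the rules quoted above is a stateful limit on concurrent connections, not a failed-login counter. A `setup` rule matches the SYN that opens a TCP session; with `limit src-addr N`, ipfw installs one dynamic entry per session and drops a new SYN from a source address that already holds N open entries, freeing the slot again when the session closes or the dynamic entry expires. The Python model below reproduces that documented behaviour with a constructed scenario (the `LimitSrcAddr` class, the scenario function and the 198.51.100.5 / 192.0.2.9 addresses are all assumptions made for this example) so the difference between "four simultaneous connections" and "four failed logins" is visible.

```python
"""Model of ipfw's stateful `limit src-addr N` keyword (editorial example).

This is not ipfw source code; it models the semantics documented in
ipfw(8): a `setup` rule with `limit src-addr N` allows at most N open
TCP sessions per source address and drops any further SYN from that
address until one of its sessions goes away. Login failures are not
part of the state at all.
"""
from collections import defaultdict


class LimitSrcAddr:
    """Hypothetical stand-in for one `... setup limit src-addr N` rule."""

    def __init__(self, n):
        self.n = n
        # src-addr -> set of source ports with an open dynamic entry
        self.open = defaultdict(set)

    def syn(self, src, sport):
        """A TCP SYN (ipfw `setup`) from src:sport; returns 'pass' or 'deny'."""
        conns = self.open[src]
        if sport in conns:
            return "pass"            # retransmitted SYN of an existing session
        if len(conns) >= self.n:
            return "deny"            # limit reached: ipfw drops the packet
        conns.add(sport)             # install the dynamic entry
        return "pass"

    def close(self, src, sport):
        """Session finished (FIN/RST or dynamic-entry expiry): free the slot."""
        self.open[src].discard(sport)

    def count(self, src):
        return len(self.open[src])


def walk_through(limit=4):
    """Constructed scenario: six rapid SYNs from one address, one from another,
    then one more after the first session closes. Returns the firewall's
    decision for each SYN in order."""
    fw = LimitSrcAddr(limit)
    decisions = []
    scanner, neighbour = "198.51.100.5", "192.0.2.9"   # constructed addresses
    # A scanner opening many ssh sessions at once: the 5th and 6th are dropped.
    for sport in range(40001, 40007):
        decisions.append(fw.syn(scanner, sport))
    # The limit is per source address, so another host is unaffected.
    decisions.append(fw.syn(neighbour, 51000))
    # A failed login ends the TCP session; the slot is released immediately,
    # so the next SYN from the same address passes. Nothing is "locked out".
    fw.close(scanner, 40001)
    decisions.append(fw.syn(scanner, 40007))
    return decisions


if __name__ == "__main__":
    for i, d in enumerate(walk_through(), 1):
        print(f"SYN {i}: {d}")
```

In the scenario the first four SYNs from the scanner pass, the fifth and sixth are dropped, the neighbour's SYN passes, and the scanner's seventh SYN passes again once one of its sessions has closed. That is what the `from any to ${ip} 22 setup limit src-addr 4` form would do on the real system: it caps how many ssh sessions a single remote address can hold open at the same time (which blunts parallel brute-force attempts and the load they cause), but a serial guesser that opens one session, fails, and reconnects is never blocked by it.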