From owner-freebsd-security Sun Nov 26 17:30:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pt-quorum.com (pt-quorum.com [209.10.167.210]) by hub.freebsd.org (Postfix) with ESMTP id 96C7037B4E5 for ; Sun, 26 Nov 2000 17:30:19 -0800 (PST)
Received: from n2 ([213.30.47.209]) by pt-quorum.com (8.9.3/8.9.3) with SMTP id BAA32711; Mon, 27 Nov 2000 01:25:45 GMT
Message-ID: <003301c05812$0f7deb60$0200a8c0@n2>
From: "Nuno Teixeira"
To:
Cc:
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com>
Subject: Re: NATD: failed to write packet back (Permission denied)
Date: Mon, 27 Nov 2000 01:33:32 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

1. Ok. It works. Now I can traceroute others but the outside can't
traceroute me. The result is:

"65435 Deny UDP other_server:65302 my_server:33509 in via tun0"

2. I found one problem: when I log in to another computer via FTP and
run "ls", I get the log:

"65435 Deny TCP ftp_server:20 my_server:49152 in via tun0"

Did I forget something?

My fwrules are:

# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Allow all data from my network card and localhost. Make sure you
# change your network card (mine was fxp0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via ed0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine. This example shows that people may connect
# to ssh and apache.
# $fwcmd add allow tcp from any to any 80 setup
# $fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0

# -- ISP NAME SERVERS:
# NETC 212.18.160.133 212.18.160.134
# IOL 193.126.4.33 193.126.4.33

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 212.18.160.133 53 out xmit tun0
$fwcmd add allow udp from any to 212.18.160.134 53 out xmit tun0

# Allow them back in with the answers... :)
$fwcmd add allow udp from 212.18.160.133 53 to any in recv tun0
$fwcmd add allow udp from 212.18.160.134 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any
$fwcmd add allow udp from any to any 33434-33474 out via tun0

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any

Thanks,

Nuno Teixeira

----- Original Message -----
From: "Crist J . Clark"
To: "Doug Barton"
Cc: "Nuno Teixeira" ;
Sent: Sunday, November 26, 2000 10:00 PM
Subject: Re: NATD: failed to write packet back (Permission denied)

> On Sun, Nov 26, 2000 at 01:43:03PM -0800, Doug Barton wrote:
> > "Crist J . Clark" wrote:
> > >
> > > On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> > > > Hi,
> > > >
> > > > I think not. Can you tell me how to add this rule to my ruleset?
> > >
> > > The two rules needed to get UNIX-style traceroutes to work are,
> > >
> > > $fwcmd add allow udp from any to any 33434-33474 out via ${oif}
> >
> > When I do a traceroute from a freebsd machine outside my firewall to the
> > firewall machine, I see this:
> >
> > ipfw: 1200 Deny UDP :38575 :33468 in via ep0
> >
> > ipfw: 1200 Deny UDP :38597 :33477 in via ep0
> > ipfw: 1200 Deny UDP :38597 :33478 in via ep0
> > ipfw: 1200 Deny UDP :38597 :33479 in via ep0
> >
> > Which supports what I've been told that unix traceroute uses udp
> > packets. It sounds like in order to allow traceroutes through the
> > firewall you have to open up a pretty big hole for udp...
>
> But if you want to traceroute other people, you only need to let the
> UDP _out_ and the ICMP types 11 and 3 in (11:0 and 3:3 to be precise).
>
> As for how it works, read the manpage,
>
>     This program attempts to trace the route an IP packet
>     would follow to some internet host by launching UDP probe
>     packets with a small ttl (time to live) then listening for
>     an ICMP "time exceeded" reply from a gateway. We start
>     our probes with a ttl of one and increase by one until we
>     get an ICMP "port unreachable" (which means we got to
>     "host") or hit a max (which defaults to 30 hops & can be
>     changed with the -m flag).
>
> As for people tracerouting you, blocking the usual UNIX-style (the
> one we've been discussing) or M$-style (using pings rather than UDP)
> is not too tough. However, if you let any traffic into your network
> (and what's the point of connecting to the 'Net if you don't), it is
> extremely difficult to stop people from tracerouting you by other
> means.
>
> If you want to let people traceroute your net, yeah, you need to make
> a pretty big hole... but if you want to let people to traceroute you,
> you apparently are interested in giving out a lot of information
> anyway.
> --
> Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
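As an added illustration, not part of the thread and not code from any of the posters: a small Python script that parses the ipfw deny lines quoted above and labels the two patterns the discussion turns on, inbound UNIX-style traceroute probes (UDP to the high port range) and an FTP server's active-mode data connection coming back in from port 20. The log format follows the lines quoted in the thread; the host names and addresses in the sample are constructed. The probe port range is an assumption: it takes the classic 30 hops x 3 probes with one destination port per probe, which makes it wider than the 41-port range in the rule above (Nuno's first log line, destination port 33509, lies outside that rule's range, so a range-based label needs the wider window).

```python
"""Classify ipfw deny-log lines of the kind quoted in this thread (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# One ipfw TCP/UDP log line as it appears in the thread, optionally prefixed
# "ipfw: " as in /var/log/messages.  Hosts may be names, addresses, or empty
# (the thread's lines with stripped addresses, ":38575", still parse).  ICMP
# lines have a different shape ("ICMP:11.0 src dst") and are not matched here.
LOG_RE = re.compile(
    r"^(?:ipfw:\s+)?(?P<rule>\d+)\s+(?P<action>Deny|Reset|Accept)\s+"
    r"(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[^\s:]*):(?P<sport>\d+)\s+"
    r"(?P<dst>[^\s:]*):(?P<dport>\d+)\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)\s*$"
)

# Assumption: base port 33434 (as in the thread's rule), 30 hops x 3 probes,
# one destination port per probe.  The rule quoted above covers only
# 33434-33474; this window also catches the 33509 probe in Nuno's log.
TRACEROUTE_BASE_PORT = 33434
TRACEROUTE_PORTS = range(TRACEROUTE_BASE_PORT, TRACEROUTE_BASE_PORT + 30 * 3)
FTP_DATA_PORT = 20


def parse(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one ipfw TCP/UDP log line, or None if it does not match."""
    m = LOG_RE.match(line.strip().strip('"'))
    if m is None:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    for key in ("rule", "sport", "dport"):
        fields[key] = int(m.group(key))
    return fields


def classify(line: str) -> str:
    """Label a log line with the traffic pattern it most likely represents."""
    e = parse(line)
    if e is None:
        return "unparsed"
    proto, direction = e["proto"], e["direction"]
    if proto == "UDP" and e["dport"] in TRACEROUTE_PORTS:
        # Inbound: an outside host is tracerouting this machine; the ruleset
        # above denies it by design.  Outbound: our own probes, so a deny here
        # means the "allow udp ... 33434-33474 out" rule is missing.
        return "traceroute-probe-" + str(direction)
    if proto == "TCP" and direction == "in" and e["sport"] == FTP_DATA_PORT:
        # Active-mode FTP: the server opens the data connection back to an
        # ephemeral port on the client, which the "setup ... out" rule does not
        # cover.  Passive mode (the client opens both connections) avoids the
        # need for any inbound hole.
        return "active-ftp-data-in"
    return "other"


def summarize(lines: Iterable[str]) -> Counter:
    """Count the labels across many log lines."""
    return Counter(classify(line) for line in lines)


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "65435 Deny UDP other_server:65302 my_server:33509 in via tun0",
    "65435 Deny TCP ftp_server:20 my_server:49152 in via tun0",
    "ipfw: 1200 Deny UDP 192.0.2.10:38575 192.0.2.1:33468 in via ep0",
    "ipfw: 1200 Deny UDP 192.0.2.10:38597 192.0.2.1:33477 in via ep0",
    "65435 Deny TCP 192.0.2.10:4321 my_server:22 in via tun0",
]

if __name__ == "__main__":
    for sample in SAMPLE_LOG:
        print(f"{classify(sample):24s} {sample}")
    print(summarize(SAMPLE_LOG))
```

Run it as-is and it prints one label per sample line plus a tally. The practical use is telling "someone outside is tracerouting me" noise, which the deny rule handles as intended, apart from a genuine gap in the ruleset such as the active-FTP case, where the client-side fix is passive-mode FTP rather than opening inbound TCP from port 20.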