Date: Fri, 18 Jun 1999 20:39:35 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: synk@swcp.com (Brendan Conoboy)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf howto, tada
Message-ID: <199906181039.UAA22257@cheops.anu.edu.au>
In-Reply-To: <199906172335.RAA00665@kitsune.swcp.com> from "Brendan Conoboy" at Jun 17, 99 05:35:36 pm
Let me add some comments which hopefully will enrich your document.

[...]

> I'm sure there's a good use for this method of layout, but I must confess
> that I don't yet grasp it.

It allows you to specify the policy at the top or bottom of the ruleset.
Whilst you can set this when compiling it as an LKM/into the kernel, I
prefer to include the rule to enforce the same in the configuration file
anyway, for clarity. Last match also allows for some more complex
interactions of rules and their results.

[...hmm, I think your examples are a tad backwards, with "pass in all"
being the `default'...]

[...]

> I prefer to run ipmon as "ipmon -s" so it
> syslogs logged packets instead of having them dump to stdout.

"ipmon /var/log/iplog" will save log entries direct to that file. ipmon
also handles SIGHUP as you would expect, closing and re-opening the log
file to allow for rotation. With newsyslog, this should be possible
without too much hassle.

FWIW, you might like to mention the "log-or-block" option where it will
block a packet to be pass'd and logged if it cannot log it due to the log
buffer being too full. i.e.

pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state

Here we say only log the first packet for this connection as recorded by
"keep state", but if it can't be logged, then block it.

(you can use /bin/cat to save log information from IP Filter with

cat /dev/ipf > /var/log/ipflog

but it saves binary log data that you need to run ipmon to convert to
English).

> pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80
> block in quick on ed0
>
> This machine will pass in port 80 traffic for 200.200.200.1, and deny
> everything else. Perhaps this is all one needs?

You should be setting policies (i.e. block in quick all) for each
interface and each direction (both in and out) if you want to do it by
interface.

[...]

> Lots of people seem to, that's why Ciscos have an "established" clause
> that lets established tcp sessions go through. Ipfw has established.
> Ipfwadm has setup/established. They all have this feature, but the
> name is very misleading.

Indeed :-)

> pass out quick proto tcp from 200.200.200.1/32 to any keep state

This can be in or out...essentially when the packet first crosses your
perimeter. If it is a locally made connection going out then the above is
correct. If it is from another host on your LAN going through your IP
Filter firewall, then it should be "pass in" on the LAN interface.

> pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S keep frags

You should *always* qualify "flags" in a rule properly, such as "flags
S/SA" or "flags S/S". I don't know if this is too much for your document,
but saying "flags S/SA" is *only* going to match the initial connection
request (which is all you need with "keep state").

btw, home page for IP Filter is:

http://coombs.anu.edu.au/ipfilter

Cheers,
Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
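Added example, not part of Darren's message and not IP Filter's own code: a small Python model of the three rule semantics the message discusses. The last matching rule wins unless a matching rule says "quick"; "flags X/Y" compares the TCP flags under mask Y against X, so "flags S/SA" matches only a SYN with ACK clear; and "keep state" records the connection so its remaining packets need no rule of their own. The two rulesets and the packets are constructed for the example, reusing the ed0 interface and 200.200.200.1 address from the thread. The mask assumed for a bare "flags S" (all six bits, FSRPAU) follows ipf.conf(5) as I read it and should be checked against the version you run; the compiled-in default of "pass" when nothing matches is likewise an assumption about how the kernel was built.

```python
"""Toy model of IP Filter rule evaluation, written for this page as an illustration
(not IP Filter's code): last-match semantics with 'quick', 'flags X/Y', 'keep state'."""
import ipaddress

TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def flagbits(letters):
    return sum(TCP_FLAGS[c] for c in letters)

def parse_rule(line):
    """Parse the subset of ipf.conf rule syntax used in the message above."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": False, "iface": None, "proto": None,
         "src": None, "dst": None, "dport": None, "flags": None, "mask": None, "keep": False}
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("quick", "all", "log", "first", "or-block"):  # keywords without arguments;
            r["quick"] = r["quick"] or w == "quick"; i += 1     # only 'quick' affects matching
        elif w in ("on", "proto"):
            r["iface" if w == "on" else "proto"] = t[i + 1]; i += 2
        elif w in ("from", "to"):
            a = t[i + 1]; i += 2
            r["src" if w == "from" else "dst"] = None if a == "any" else ipaddress.ip_network(a)
        elif w == "port":              # only 'port = N' on the destination is modelled
            r["dport"] = int(t[i + 2]); i += 3
        elif w == "flags":
            f, _, m = t[i + 1].partition("/")
            # Assumption taken from ipf.conf(5): a bare 'flags S' compares all six
            # bits (mask FSRPAU), so it matches only a packet with SYN alone set.
            r["flags"], r["mask"] = flagbits(f), flagbits(m or "FSRPAU"); i += 2
        elif w == "keep":              # 'keep state'; 'keep frags' is accepted and ignored
            r["keep"] = r["keep"] or t[i + 1] == "state"; i += 2
        else:
            raise ValueError("unsupported token %r in %r" % (w, line))
    return r

def matches(r, p):
    return (r["dir"] == p["dir"]
            and (r["iface"] is None or r["iface"] == p["iface"])
            and (r["proto"] is None or r["proto"] == p["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and (r["dport"] is None or p.get("dport") == r["dport"])
            and (r["flags"] is None or (p["proto"] == "tcp"
                                        and p["flags"] & r["mask"] == r["flags"])))

class Firewall:
    def __init__(self, conf, default="pass"):
        self.rules = [parse_rule(l) for l in conf.splitlines()
                      if l.strip() and not l.lstrip().startswith("#")]
        self.default = default   # compiled-in policy: ipf passes unless built to block
        self.state = set()       # TCP 4-tuples recorded by 'keep state'

    def filter(self, p):         # returns 'pass' or 'block' for one packet dict
        key = (p["src"], p.get("sport"), p["dst"], p.get("dport"))
        if p["proto"] == "tcp" and (key in self.state or key[2:] + key[:2] in self.state):
            return "pass"        # the state table is consulted before the rules
        verdict, winner = self.default, None
        for r in self.rules:     # the last matching rule wins ...
            if matches(r, p):
                verdict, winner = r["action"], r
                if r["quick"]:   # ... unless that rule says 'quick'
                    break
        if verdict == "pass" and winner is not None and winner["keep"]:
            self.state.add(key)
        return verdict

# Constructed ruleset, policy first: with no 'quick', a later matching pass rule overrides the block.
POLICY_FIRST = """
block in on ed0 all
block out on ed0 all
pass in log first or-block on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S/SA keep state
pass out on ed0 proto tcp from 200.200.200.1/32 to any flags S/SA keep state
"""
# The same policy written with 'quick' on every rule and the catch-all last.
POLICY_LAST = """
pass in log first or-block quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S/SA keep state
pass out quick on ed0 proto tcp from 200.200.200.1/32 to any flags S/SA keep state
block in quick on ed0 all
block out quick on ed0 all
"""

def tcp(direction, src, sport, dst, dport, flags):   # constructed sample packet on ed0
    return {"dir": direction, "iface": "ed0", "proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flagbits(flags)}

def demo(conf):
    fw = Firewall(conf)
    return {
        # the connection request matches 'flags S/SA' and creates a state entry
        "syn_to_80": fw.filter(tcp("in", "10.1.1.1", 40000, "200.200.200.1", 80, "S")),
        # the SYN/ACK reply is passed by the state table; no 'pass out' rule matches it
        "synack_reply": fw.filter(tcp("out", "200.200.200.1", 80, "10.1.1.1", 40000, "SA")),
        # SYN with ACK also set is not a connection request under S/SA
        "synack_in": fw.filter(tcp("in", "10.3.3.3", 40001, "200.200.200.1", 80, "SA")),
        # a bare ACK with no state entry falls through to the interface policy
        "ack_no_state": fw.filter(tcp("in", "10.2.2.2", 40002, "200.200.200.1", 80, "A")),
    }
```

demo(POLICY_FIRST) and demo(POLICY_LAST) return the same verdicts, which is the point about being free to put the policy at the top or the bottom of the ruleset. Two details are worth tracing through: the SYN/ACK reply leaves the box because of the state entry created by the "flags S/SA keep state" rule, not because any "pass out" rule matched it, and a bare ACK with no state entry is blocked by the interface policy, which is the contrast with the ACK-based "established" clause Brendan mentions.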