Date: Mon, 23 Oct 2000 17:43:05 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Lars Eggert <larse@ISI.EDU>
Cc: stable@FreeBSD.ORG
Subject: Re: ipfw & /etc/services
Message-ID: <20001023174304.O75251@149.211.6.64.reflexcom.com>
In-Reply-To: <39F4CB17.78E807F2@isi.edu>; from larse@ISI.EDU on Mon, Oct 23, 2000 at 04:34:47PM -0700
References: <39F4CB17.78E807F2@isi.edu>
On Mon, Oct 23, 2000 at 04:34:47PM -0700, Lars Eggert wrote:
> Just completed a buildworld, and ipfw no longer likes strings for service
> names when reading in my rule file. Strings work fine when I enter the
> rules manually. The rule file hasn't changed, and worked with
> 4.1.1-RELEASE.

The file below worked? It really shouldn't since you have a bunch of
stuff that is not in /etc/services by default. Which ones choke when
you load this?

[snip]

> # everything over loopback is fine, except when it came from the outside
> add pass all from any to any via lo0
> add deny all from any to 127.0.0.0/8
>
> # everything between ISI hosts is fine
> add pass all from 128.9.0.0/16 to any

Iii-ee. Can we all say, "spoof attack?"

> # this will stop hosts from outside ISI from accessing the services
> # used to gather information for the lab status page
> add deny log tcp from any to any netstat,uname,ifconfig,rpcinfo,sunrpc
> add deny log udp from any to any netstat,uname,ifconfig,rpcinfo,sunrpc

netstat, uname, and ifconfig are not valid service names. rpcinfo and
sunrpc are the same thing.

> # close all these TCP services to the outside world
> add deny log tcp from any to any ftp,ftp\-data,telnet,shell,comsat

comsat is a UDP service.

> add deny log tcp from any to any login,finger,exec,uucpd,nntp,ntalk

ntalk is UDP.

> add deny log tcp from any to any tftp,bootps,bootpc,netperf,nfsd

tftp, bootps, and bootpc are UDP. netperf is not a service.

> add deny log tcp from any to any daytime,time,4,7,discard,chargen
> add deny log tcp from any to any 6000-6063,smtp,printer,domain,klogin
> add deny log tcp from any to any eklogin,kshell,rkinit,cvspserver
> add deny log tcp from any to any pop3,imap4,auth,netbios\-ssn,snmp

snmp is UDP.

> add deny log tcp from any to any netbios\-ns,netbios\-dgm,submission

netbios-ns and netbios-dgm are UDP.

> add deny log tcp from any to any snmptrap,irc,irc\-serv,socks

snmptrap is UDP.

> # close all these UDP services to the outside world
> add deny log udp from any to any syslog,nntp,netperf,domain,nfsd

nntp is TCP. netperf is not a valid service.

> add deny log udp from any to any daytime,time,4,7,discard,chargen
> add deny log udp from any to any snmptrap,irc,irc-serv,socks

IRC is TCP.

> # the following ports we log, because they're popular with script-kiddies
> add pass log tcp from any to any 0,1,98,427,548,709,1024
> add pass log tcp from any to any 1024,2926,2107,6346,6667,6970,16001
> add pass log udp from any to any 0,1,98,427,548,709,1024
> add pass log udp from any to any 1024,2926,2107,6346,6667,6970,16001
>
> # pass (but log) all webcam accesses
> add pass log tcp from any to any webcam\-small-webcam\-large
> add pass log udp from any to any webcam\-small-webcam\-large

I assume these are custom entries. Perhaps the unofficial entries that I
pointed out above are custom ones too? Did you perhaps clobber a custom
/etc/services in the upgrade?

-- 
Crist J. Clark                           cjclark@alum.mit.edu
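The review above is done by hand: every service name in a tcp/udp rule has to resolve in /etc/services, and the protocol it resolves for should match the rule's protocol, otherwise ipfw rejects the rule (or, worse, the rule silently means something other than intended). The following is an added example, not code from the thread or from FreeBSD: a small linter that parses ipfw `add ... from ... to ...` rules and checks their port lists against an /etc/services-formatted table. The services table embedded here is a constructed subset, not a real system file; point `parse_services` at the text of a real /etc/services to check an actual rule set. The keyword list and the `\-` handling follow the ipfw syntax visible in the quoted rules and are assumptions for anything beyond it.

```python
"""Lint ipfw rules against /etc/services: unknown names and tcp/udp mismatches."""
import re
from collections import defaultdict

# Constructed subset of /etc/services (name  port/proto  [aliases]); example data only.
SAMPLE_SERVICES = """
ftp-data     20/tcp
ftp          21/tcp
telnet       23/tcp
smtp         25/tcp   mail
domain       53/tcp
domain       53/udp
tftp         69/udp
sunrpc      111/tcp   rpcbind
sunrpc      111/udp   rpcbind
nntp        119/tcp   readnews untp
netbios-ns  137/udp
netbios-dgm 138/udp
netbios-ssn 139/tcp
snmp        161/udp
snmptrap    162/udp   snmp-trap
irc         194/tcp
exec        512/tcp
comsat      512/udp   biff
login       513/tcp
shell       514/tcp   cmd
syslog      514/udp
ntalk       518/udp
nfsd       2049/udp   nfs
nfsd       2049/tcp   nfs
"""

# Tokens that may follow an address without being a port list (partial list, assumption).
KEYWORDS = {"via", "in", "out", "setup", "established", "frag", "recv", "xmit",
            "keep-state", "icmptypes", "ipoptions", "tcpflags", "uid", "gid"}


def parse_services(text):
    """Return {name: {protocols}} from /etc/services-formatted text (aliases included)."""
    table = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        proto = fields[1].split("/", 1)[1]
        for name in [fields[0]] + fields[2:]:
            table[name].add(proto)
    return table


def split_ports(spec):
    r"""Split an ipfw port list such as 'ftp,ftp\-data,6000-6063' into endpoints.

    ipfw uses '-' for ranges, so a '-' inside a service name is escaped as '\-'.
    """
    endpoints = []
    for item in spec.split(","):
        protected = item.replace("\\-", "\x00")
        endpoints.extend(e.replace("\x00", "-") for e in protected.split("-"))
    return endpoints


def parse_rule(line):
    """Return (proto, [port endpoints]) for an 'add ... from X [ports] to Y [ports]' rule."""
    words = line.split()
    if not words or words[0] != "add" or "from" not in words or "to" not in words:
        return None
    proto = next((w for w in words if w in ("tcp", "udp", "all", "ip")), None)
    if proto is None:
        return None
    ports = []
    for kw in ("from", "to"):
        i = words.index(kw)  # words[i+1] is the address; words[i+2] may be a port list
        if i + 2 < len(words) and words[i + 2] not in KEYWORDS and words[i + 2] != "to":
            ports.extend(split_ports(words[i + 2]))
    return proto, ports


def lint_rules(rules_text, services):
    """Return [(lineno, name, problem)] for names that do not resolve for the rule's protocol."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        parsed = parse_rule(raw.split("#", 1)[0].strip())
        if not parsed:
            continue
        proto, ports = parsed
        for name in ports:
            if re.fullmatch(r"\d+", name):
                continue  # numeric ports need no lookup
            if name not in services:
                findings.append((lineno, name, "not in /etc/services"))
            elif proto in ("tcp", "udp") and proto not in services[name]:
                findings.append((lineno, name, "defined only for " + "/".join(sorted(services[name]))))
    return findings


if __name__ == "__main__":
    # Constructed rule set reusing lines quoted in the thread.
    rules = r"""
add pass all from any to any via lo0
add deny log tcp from any to any ftp,ftp\-data,telnet,shell,comsat
add deny log udp from any to any syslog,nntp,netperf,domain,nfsd
"""
    for lineno, name, problem in lint_rules(rules, parse_services(SAMPLE_SERVICES)):
        print(f"line {lineno}: {name}: {problem}")
```

Run the file to lint the embedded rules; the findings reproduce the reply's objections (comsat is UDP-only, nntp is TCP-only, netperf is not a service). Because the table is read from the same file format the system uses, the same check can be run against the real /etc/services before and after an upgrade to confirm whether custom entries survived.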