Re: Transparent proxy using IPFW

2009-12-08 Thread kalpin
Hello,

> 2009/11/30 
>
>> Dear All,
>>
>> Is it possible to do like my requirement below?
>>
>> 1. Setup portfwd in my server listen on port 555 and forward all
>> connection through this port to another server with same port or
>> different
>> port
>> 2. All client which connected through this port, then remote server
>> which
>> landed to the end can see the client's IP.
>>
>> example:
>>
>> Client IP: 202.15.15.16
>> FreeBSD IP: 202.16.17.18 listen on port 555
>> Remote Server IP: 202.89.89.90
>>
>> Client IP connect to 202.16.17.18 on port 555, and then FreeBSD forward
>> it
>> to 202.89.89.90 with same port or different port. Server with IP
>> 202.89.89.90 can see Client's IP 202.15.15.16.
>>
>> I am using FreeBSD 7.2-stable.
>>
>> Thank you
>>
>> Kalpin Erlangga Silaen
>>
>> ___
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscr...@freebsd.org"
>>
>
> You can, but you will need to do some NATting; otherwise the return traffic
> will go direct to host A from C and not via your box, host B.
>
> Or you could use nc via inetd, e.g.:
>
> some_service stream  tcp nowait  root  /usr/local/bin/nc  nc -n -w 3  hostC port_on_hostc

I tried installing rinetd, but it looks like the IP comes from the server, not
the client's IP. Also, I tried portfwd, and portfwd needs transparent proxy in
the kernel. How do I enable this?

Need your advice.

Regards,

Kalpin Erlangga Silaen



Re: Transparent proxy using IPFW

2009-11-30 Thread krad
2009/11/30 

> Dear All,
>
> Is it possible to do like my requirement below?
>
> 1. Setup portfwd in my server listen on port 555 and forward all
> connection through this port to another server with same port or different
> port
> 2. All client which connected through this port, then remote server which
> landed to the end can see the client's IP.
>
> example:
>
> Client IP: 202.15.15.16
> FreeBSD IP: 202.16.17.18 listen on port 555
> Remote Server IP: 202.89.89.90
>
> Client IP connect to 202.16.17.18 on port 555, and then FreeBSD forward it
> to 202.89.89.90 with same port or different port. Server with IP
> 202.89.89.90 can see Client's IP 202.15.15.16.
>
> I am using FreeBSD 7.2-stable.
>
> Thank you
>
> Kalpin Erlangga Silaen
>
>

You can, but you will need to do some NATting; otherwise the return traffic
will go direct to host A from C and not via your box, host B.

Or you could use nc via inetd, e.g.:

some_service stream  tcp nowait  root  /usr/local/bin/nc  nc -n -w 3  hostC port_on_hostc


Transparent proxy using IPFW

2009-11-30 Thread kalpin
Dear All,

Is it possible to do like my requirement below?

1. Setup portfwd in my server listen on port 555 and forward all
connection through this port to another server with same port or different
port
2. All client which connected through this port, then remote server which
landed to the end can see the client's IP.

example:

Client IP: 202.15.15.16
FreeBSD IP: 202.16.17.18 listen on port 555
Remote Server IP: 202.89.89.90

Client IP connect to 202.16.17.18 on port 555, and then FreeBSD forward it
to 202.89.89.90 with same port or different port. Server with IP
202.89.89.90 can see Client's IP 202.15.15.16.

I am using FreeBSD 7.2-stable.

Thank you

Kalpin Erlangga Silaen



Re: Is there anything weird I should know about using ipfw on alias addresses?

2008-12-04 Thread Brett Davidson

Found the problem.

Incorrect arp entry.

Thanks for your help.

Cheers,
Brett.



Re: Is there anything weird I should know about using ipfw on alias addresses?

2008-12-04 Thread Ian Smith
On Thu, 4 Dec 2008, Brett Davidson wrote:
 > Ian Smith wrote:
 > > On Tue, 2 Dec 2008, Brett Davidson wrote:
 > >  > Ian Smith wrote:
 > >  > > On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson <[EMAIL PROTECTED]>
 > >  > > wrote:
 > >  > >  > ifconfig shows the alias addresses correctly bound.
 > >  > >  > Creating an ipfw rule and testing it from the command line works
 > >  > >  > (connects out from master address, not alias)
 > >  > >  >
 > >  > >  > From website on alias address, the firewall blocks the packets.
 > >  > >  >
 > >  > >  > The weird thing is that it tags them (in the security log) as
 > >  > >  > coming from the master address (not the alias) out the correct
 > >  > >  > interface. In a normal world that would mean the packet would match!
 > >  > >  >
 > >  > >  > What's goin' on here Willis?
 > >  > >
 > >  > > Difficult to tell without seeing a) ifconfig b) netstat -rn c) at
 > >  > > least the relevant firewall rule/s and d) log entries that illustrate
 > >  > > your problem.  Obscure sensitive information by all means, but
 > >  > > otherwise pretend we haven't the slightest clue how your system is
 > >  > > configured :)
 > >  >
 > >  > Fair enough.
 > >  >
 > >  > ifconfig below:
 > >  >
 > >  > bce1: flags=8843 mtu 1500
 > >  >        options=3b
 > >  >        inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
 > > NB ..
 > >  >        inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
 > >  >        inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
 > >  >        inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
 > >  >        inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
 > >  >        inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
 > >  >        inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
 > >  >        ether 00:1c:c4:c0:56:94
 > >  >        media: Ethernet autoselect (1000baseSX )
 > >  >        status: active
 > >  >
 > >  > Relevant /etc/rc.conf entries :
 > >  > ifconfig_bce1="inet 210.5.50.5  netmask 255.255.255.224"
 > >  > ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
 > >
 > > Your first alias here is a repeat of the 'primary' address.  ifconfig
 > > seems to have resolved/merged that above, but it's not an alias.
 > >
 > True. Blame that on the piece of software (Plesk) that manages the IP
 > addresses for the websites we host.

Ok in this instance.  Please copy the list on replies, for archives.

 > >  > ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
 > >  > ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
 > >  > ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
 > >  > ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
 > >  > ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
 > >  > ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"
 > > 
 > > I didn't spot on first reading this that the first address is in a
 > > different subnet than all the others.  I'm not entirely sure whether that's
 > > relevant, or how, just pointing it out as being non-obvious, and suspecting
 > > one of the 210.5.51 subnet should show a broader netmask.
 > >   
 > I've wondered that as well but it all works EXCEPT for when ipfw is involved.

Looks like we may need to see more, if not all, of your ipfw ruleset. 

'ipfw -ted show' is pretty good for seeing everything.  try adding 'log' 
to some more rules, until you can SEE where packets are getting blocked.

Doesn't 'tcpdump -pn -i bce1 host 210.5.51.42 and host 208.69.123.164' 
provide any good clues to these flows?  Or in this case maybe better:
tcpdump -pn -i bce1 host \(210.5.51.42 or 210.5.50.5\) and host 208.69.123.164

 > >  > Relevant ipfw rules :
 > >  > ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1
 > >  > setup keep-state
 > >  > ipfw -q add 02012 allow tcp from any to 208.69.123.164 443 out via bce1
 > >  > setup keep-state

Do you have a check-state rule?  Where?  Are there any skiptos that 
might miss anything?  Do you have rules affecting established traffic?  
Sorry, but I find this too like a guessing game, or pulling teeth :)

 > > netstat -finet -rn (or -rna) please?  unclear where your default route
 > > goes, or how the 210.5.51 subnet is routed or its netmask, but assume that
 > > 208.69.123.164 is probably accessed via the default route ..
 > > 
 > >   
 > Routing tables
 >
 > Internet:
 > Destination        Gateway            Flags    Refs       Use  Netif Expire
 > default            210.5.50.1         UGS         0 296628406   bce1
 > 127.0.0.1          127.0.0.1          UH          0   4339898    lo0
 > 172.16.1/24        link#1             UC          0         0   bce0
 > 172.16.1.1         00:04:28:ad:10:00  UHLW        1         0   bce0   1035
 > 172.16.1.4         00:04:23:08:28:30  UHLW        1 167202525   bce0   1189
 > 172.16.1.8         00:04:23:b2:f7:17  UHLW        1         0   bce0   1021
 > 172.16.1.9         00:0

Re: Is there anything weird I should know about using ipfw on alias addresses?

2008-12-03 Thread Ian Smith
On Tue, 2 Dec 2008, Brett Davidson wrote:
 > Ian Smith wrote:
 > > On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson <[EMAIL PROTECTED]>
 > > wrote:
 > > 
 > >  > ifconfig shows the alias addresses correctly bound.
 > >  > Creating an ipfw rule and testing it from the command line works  >
 > > (connects out from master address, not alias)
 > >  >  >  From website on alias address, the firewall blocks the packets.
 > >  >
 > >  > The weird thing is that it tags them (in the security log) as coming  >
 > > from the master address (not the alias) out the correct interface. In a  >
 > > normal world that would mean the packet would match!
 > >  >  > What's goin' on here Willis?
 > > 
 > > Difficult to tell without seeing a) ifconfig b) netstat -rn c) at least the
 > > relevant firewall rule/s and d) log entries that illustrate your problem.
 > > Obscure sensitive information by all means, but otherwise pretend we
 > > haven't the slightest clue how your system is configured :)
 >
 > Fair enough.
 > 
 > ifconfig below:
 > 
 > bce1: flags=8843 mtu 1500
 >        options=3b
 >        inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
NB ..
 >        inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
 >        inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
 >        inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
 >        inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
 >        inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
 >        inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
 >        ether 00:1c:c4:c0:56:94
 >        media: Ethernet autoselect (1000baseSX )
 >        status: active
 > 
 > Relevant /etc/rc.conf entries :
 > ifconfig_bce1="inet 210.5.50.5  netmask 255.255.255.224"
 > ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"

Your first alias here is a repeat of the 'primary' address.  ifconfig 
seems to have resolved/merged that above, but it's not an alias.

 > ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
 > ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
 > ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
 > ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
 > ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
 > ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

I didn't spot on first reading this that the first address is in a 
different subnet than all the others.  I'm not entirely sure whether 
that's relevant, or how, just pointing it out as being non-obvious, and 
suspecting one of the 210.5.51 subnet should show a broader netmask.

 > Relevant ipfw rules :
 > ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup
 > keep-state
 > ipfw -q add 02012 allow tcp from any to 208.69.123.164 443 out via bce1 setup
 > keep-state

netstat -finet -rn (or -rna) please?  unclear where your default route 
goes, or how the 210.5.51 subnet is routed or its netmask, but assume 
that 208.69.123.164 is probably accessed via the default route ..

 > Interesting entries in /var/log/security :
 > Dec  1 16:42:25  kernel: ipfw:  Deny TCP 210.5.50.5:49708
 > 208.69.123.164:80 out via bce1

Did that occur =after= the above rules were installed?  Just the one?  
Seems odd on face value, but without knowing what your other rules do.

 > What makes this interesting is that I can connect to that port via the
 > command line.

You mean like with 'telnet 208.69.123.164 80' ?  With 210.5.50.5 as 
source address?  tcpdump output may help understand or explain this.

 > It's the website that lives on 210.5.51.42 that is having problems. Why, if
 > the rule is valid enough for the command line is it having problems from an
 > aliased address?

Hang on; do you mean you're having a webserver on 210.5.51.42 trying to 
connect out to another webserver on 208.69.123.164 ?  If not, what?

I guess you have rules allowing inbound port 80 access to 210.5.51.42 ?

And that your upstream is routing 210.5.51.42/something to 210.5.50.5 ?

 > This MUST have something to do with the way ipfw is working with aliased
 > addresses but I'm blowed if I know what is wrong.

ipfw doesn't do anything different with any address in particular except 
when using the forward action.  ipfw certainly has no concept of primary 
or alias addresses, it just applies the addresses/masks you specify.

Nor does ipfw know or care (even when forwarding) whence the stack is 
next going to route outbound packets .. but netstat -rn will tell us.

cheers, Ian
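Ian's advice above is to add 'log' to more rules and read /var/log/security to see which address the blocked packets actually carry. The following is an added example, not code from the thread: it parses ipfw kernel log lines in the format quoted above (TCP/UDP entries; hostname and rule number are optional because the quoted line omits them) and groups denied flows by local address, labelling each as the interface's primary address, one of its aliases, or foreign. The sample log lines and the bce1 address list are constructed from the values in this thread.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in this thread. The first line
# copies the quoted entry (no hostname, no rule number); the others add the
# hostname and rule number a normal syslog line carries.
SAMPLE_LOG = """\
Dec  1 16:42:25  kernel: ipfw:  Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1
Dec  1 16:42:31 gw kernel: ipfw: 2012 Deny TCP 210.5.50.5:49710 208.69.123.164:443 out via bce1
Dec  1 16:42:40 gw kernel: ipfw: 2012 Accept TCP 210.5.51.42:50001 208.69.123.164:80 out via bce1
Dec  1 16:43:02 gw kernel: ipfw: 65000 Deny UDP 10.9.8.7:53 210.5.51.42:53 in via bce1
"""

# bce1 as shown by ifconfig in this thread: one primary address, six /32 aliases.
BCE1_ADDRS = {
    "primary": "210.5.50.5",
    "aliases": {"210.5.51.32", "210.5.51.27", "210.5.51.33",
                "210.5.51.34", "210.5.51.42", "210.5.51.4"},
}

# ipfw log line for TCP/UDP: "<ts> [host] kernel: ipfw: [rule] <Action> <PROTO>
# <src>:<sport> <dst>:<dport> <in|out> via <iface>". ICMP lines carry no ports
# and are deliberately not matched here.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?:(?P<host>\S+)\s+)?kernel: ipfw:\s+"
    r"(?:(?P<rule>\d+)\s+)?(?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)$"
)


def parse_ipfw_log(text):
    """Return one dict per TCP/UDP ipfw log line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"]) if e["rule"] else None
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        entries.append(e)
    return entries


def classify_local(addr, ifaddrs):
    """Label an address relative to the interface's configured addresses."""
    if addr == ifaddrs["primary"]:
        return "primary"
    if addr in ifaddrs["aliases"]:
        return "alias"
    return "foreign"


def deny_report(entries, ifaddrs):
    """Count Deny entries per (local, remote, direction, iface).

    For outbound packets the local endpoint is the source, for inbound it is
    the destination; the role column answers the thread's question of whether
    the blocked packets left from the primary address or from an alias.
    """
    counts = Counter()
    for e in entries:
        if e["action"] != "Deny":
            continue
        local, remote = (e["src"], e["dst"]) if e["dir"] == "out" else (e["dst"], e["src"])
        counts[(local, remote, e["dir"], e["iface"])] += 1
    return {key: {"count": n, "role": classify_local(key[0], ifaddrs)}
            for key, n in counts.items()}


if __name__ == "__main__":
    for (local, remote, direction, iface), info in deny_report(
            parse_ipfw_log(SAMPLE_LOG), BCE1_ADDRS).items():
        print(f"{info['count']:4d} denied {direction:3s} via {iface}: "
              f"{local} ({info['role']}) <-> {remote}")
```

Feed it `grep ipfw /var/log/security` output; if every denied outbound flow shows the primary address, the packets are not leaving from the alias at all, which is what the log line in this thread suggests.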


Re: Is there anything weird I should know about using ipfw on alias addresses?

2008-12-01 Thread Brett Davidson

Ian Smith wrote:

On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson <[EMAIL PROTECTED]> wrote:

 > ifconfig shows the alias addresses correctly bound.
 > Creating an ipfw rule and testing it from the command line works 
 > (connects out from master address, not alias)
 > 
 >  From website on alias address, the firewall blocks the packets.

 >
 > The weird thing is that it tags them (in the security log) as coming 
 > from the master address (not the alias) out the correct interface. In a 
 > normal world that would mean the packet would match!
 > 
 > What's goin' on here Willis?


Difficult to tell without seeing a) ifconfig b) netstat -rn c) at least 
the relevant firewall rule/s and d) log entries that illustrate your 
problem.  Obscure sensitive information by all means, but otherwise 
pretend we haven't the slightest clue how your system is configured :)


cheers, Ian


  

Fair enough.

ifconfig below:

bce1: flags=8843 mtu 1500
        options=3b
        inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
        inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
        inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
        inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
        inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
        inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
        inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
        ether 00:1c:c4:c0:56:94
        media: Ethernet autoselect (1000baseSX )
        status: active

Relevant /etc/rc.conf entries :
ifconfig_bce1="inet 210.5.50.5  netmask 255.255.255.224"
ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

Relevant ipfw rules :
ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state
ipfw -q add 02012 allow tcp from any to 208.69.123.164 443 out via bce1 setup keep-state


Interesting entries in /var/log/security :
Dec  1 16:42:25  kernel: ipfw:  Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1


What makes this interesting is that I can connect to that port via the 
command line.


It's the website that lives on 210.5.51.42 that is having problems. Why, 
if the rule is valid enough for the command line is it having problems 
from an aliased address?
This MUST have something to do with the way ipfw is working with aliased 
addresses but I'm blowed if I know what is wrong.


Cheers
Brett.


Re: Is there anything weird I should know about using ipfw on alias addresses?

2008-12-01 Thread Ian Smith
On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson <[EMAIL PROTECTED]> wrote:

 > ifconfig shows the alias addresses correctly bound.
 > Creating an ipfw rule and testing it from the command line works 
 > (connects out from master address, not alias)
 > 
 >  From website on alias address, the firewall blocks the packets.
 >
 > The weird thing is that it tags them (in the security log) as coming 
 > from the master address (not the alias) out the correct interface. In a 
 > normal world that would mean the packet would match!
 > 
 > What's goin' on here Willis?

Difficult to tell without seeing a) ifconfig b) netstat -rn c) at least 
the relevant firewall rule/s and d) log entries that illustrate your 
problem.  Obscure sensitive information by all means, but otherwise 
pretend we haven't the slightest clue how your system is configured :)

cheers, Ian


Is there anything weird I should know about using ipfw on alias addresses?

2008-11-30 Thread Brett Davidson

ifconfig shows the alias addresses correctly bound.
Creating an ipfw rule and testing it from the command line works 
(connects out from master address, not alias)


From website on alias address, the firewall blocks the packets.

The weird thing is that it tags them (in the security log) as coming 
from the master address (not the alias) out the correct interface. In a 
normal world that would mean the packet would match!


What's goin' on here Willis?



Re: how to reject all mac addresses except some mac addresses using ipfw?

2008-06-25 Thread Ian Smith
On Tue, 24 Jun 2008 12:23:48 -0700 Chris St Denis <[EMAIL PROTECTED]> wrote:
 > Yavuz Maslak wrote:
 > > I use ipfw on freebsd7.
 > >
 > > I have two questions
 > >
 > > 1- I want to fix an ip address for each mac address. But some pc
 > > and servers have more than an ip address. How can I map multiple ip
 > > addresses for a mac address? 
 > > 2- I want to allow these fixed mac addresses using ipfw. After that
 > > I want to deny all mac address via the server's local ethernet card. 
 > > How can I do these cases? 

 > I haven't used ipfw for mac level filtering before, but it looks like 
 > the syntax is.
 > 
 > ipfw add allow MAC  any
 > ipfw add allow MAC  any
 > ipfw add allow MAC  any
 > ipfw add deny MAC any any
 > 
 > You'll probably have to include the server's own MAC in that list.

Firstly, a similar caveat; I haven't actually used this myself yet, but
scanning ipfw(8) for 'mac|MAC' reveals that it's not quite so simple.

You need to separate layer2 packets that have an associated MAC address,
from layer3 packets, that don't.  To filter layer2 packets you need to
set sysctl net.link.ether.ipfw=1 'Controls whether layer-2 packets are
passed to ipfw. Default is no (0)'  With this set, ipfw will be invoked
twice on each incoming packet, and twice on each outgoing one.

Testing here just on the input path, perhaps .. see ipfw(8):

# packets from ether_demux or bdg_forward
ipfw add 10 skipto 1000 all from any to any layer2 in recv $some_if
# packets from ip_input (layer 3)
ipfw add 10 skipto 2000 all from any to any not layer2 in recv $some_if
[.. see ipfw(8) example ..]

# incoming packets from ether_demux, having a mac address, on $some_if
# first example re Q1, two IP addresses having the same MAC (aliases?)
ipaddr1='192.168.0.30'
ipaddr2='192.168.0.31'  # or could use a list, or a table ..
srcmac1='de:ad:be:ef:c0:de'
ipaddr3='192.168.0.50'
srcmac3='de:af:fe:ca:dd:ed'
[..]
ipfw add 1000 skipto 1500 all from $ipaddr1 to any MAC any $srcmac1
ipfw add 1001 skipto 1500 all from $ipaddr2 to any MAC any $srcmac1
# another box
ipfw add 1010 skipto 1500 all from $ipaddr3 to any MAC any $srcmac3
[..]
ipfw add 1490 deny log all from any to any  # unknown MAC/IP pairs
ipfw add 1500 allow all from any to any   # proceed to layer 3 pass ..
[..]
ipfw add 2000 [.. layer 3 filtering as per usual ..]

Note that MAC addresses are specified dst-mac first, then src-mac, and
that you will also need to allow, if not check, outgoing layer2 pkts.

Completely untested: may contain syntax errors, traces of nuts, etc.

cheers, Ian
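To make the skipto chain above concrete, here is an added example (mine, not Ian's untested ruleset and not ipfw itself) that builds that layer-2 chain from a MAC-to-IP binding table, renders it as ipfw commands in the same shape as the post, and walks packets through it with first-match and skipto semantics. It models only the inbound layer-2 pass and matches on source IP and source MAC; the bindings are the constructed values from the post, and 65535 stands for ipfw's default rule.

```python
# Constructed binding table in the post's example values: one box owns two IP
# addresses on a single MAC, another box owns one.
ALLOWED_BINDINGS = {
    "de:ad:be:ef:c0:de": ["192.168.0.30", "192.168.0.31"],
    "de:af:fe:ca:dd:ed": ["192.168.0.50"],
}


def build_layer2_rules(bindings, start=1000, deny_rule=1490, pass_rule=1500):
    """Build the chain: one skipto per known (IP, MAC) pair, each box on its
    own block of ten rule numbers, then deny-everything-else, then the pass
    rule that hands the packet on to the layer-3 section.

    Each rule is (number, action, skipto_target, match); match maps packet
    fields to required values and an empty match means 'from any to any'.
    """
    rules = []
    n = start
    for mac, ips in bindings.items():
        for ip in ips:
            rules.append((n, "skipto", pass_rule, {"src_ip": ip, "src_mac": mac}))
            n += 1
        n = (n // 10 + 1) * 10          # next box starts at the next multiple of 10
    rules.append((deny_rule, "deny", None, {}))   # unknown MAC/IP pairs
    rules.append((pass_rule, "allow", None, {}))  # proceed to layer 3
    return sorted(rules, key=lambda r: r[0])


def render(rules):
    """Render the chain as ipfw commands (dst-mac first, then src-mac)."""
    out = []
    for num, action, target, match in rules:
        src = match.get("src_ip", "any")
        mac = f" MAC any {match['src_mac']}" if "src_mac" in match else ""
        if action == "skipto":
            act = f"skipto {target}"
        elif action == "deny":
            act = "deny log"
        else:
            act = action
        out.append(f"ipfw add {num} {act} all from {src} to any{mac}")
    return out


def evaluate(rules, pkt):
    """First matching rule decides; skipto resumes at the first later rule
    whose number is >= the target. Returns (action, rule_number)."""
    i = 0
    while i < len(rules):
        num, action, target, match = rules[i]
        if all(pkt.get(k) == v for k, v in match.items()):
            if action == "skipto":
                i = next((j for j, r in enumerate(rules)
                          if j > i and r[0] >= target), len(rules))
                continue
            return action, num
        i += 1
    return "deny", 65535   # fell off the end: ipfw's default rule


if __name__ == "__main__":
    chain = build_layer2_rules(ALLOWED_BINDINGS)
    print("\n".join(render(chain)))
    # A known pair passes; the same IP sent from the other box's MAC is denied.
    print(evaluate(chain, {"src_ip": "192.168.0.31", "src_mac": "de:ad:be:ef:c0:de"}))
    print(evaluate(chain, {"src_ip": "192.168.0.31", "src_mac": "de:af:fe:ca:dd:ed"}))
```

The deny at 1490 is what catches an address that has been moved to a machine it was not bound to, which is the case the original question was about.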



Re: how to reject all mac addresses except some mac addresses using ipfw?

2008-06-24 Thread Chris St Denis

Yavuz Maslak wrote:

I use ipfw on freebsd7.

I have two questions

1- I want to fix an ip address for each mac address. But some pc and servers 
have more than an ip address. How can I map multiple ip addresses for a mac 
address?
2- I want to allow these fixed mac addresses using ipfw. After that I want to 
deny all mac address via the server's local ethernet card.  How can I do these 
cases?

Thanks


  
I haven't used ipfw for mac level filtering before, but it looks like 
the syntax is.


ipfw add allow MAC  any
ipfw add allow MAC  any
ipfw add allow MAC  any
ipfw add deny MAC any any

You'll probably have to include the server's own MAC in that list.


--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
---
"Smart Internet Solutions For Businesses" 




Re: how to reject all mac addresses except some mac addresses using ipfw?

2008-06-24 Thread sfourman
would you have a working example on how to deny traffic from a mac
address if it is not using a allowed ip address.. I would like to use
pf

On 6/24/08, Chuck Swiger <[EMAIL PROTECTED]> wrote:
> On Jun 24, 2008, at 10:26 AM, Yavuz Maslak wrote:
>> 1- I want to fix an ip address for each mac address. But some pc and
>> servers have more than an ip address. How can I map multiple ip
>> addresses for a mac address?
>
> Most people use ifconfig, perhaps indirectly via /etc/rc.conf.
>
>> 2- I want to allow these fixed mac addresses using ipfw. After that
>> I want to deny all mac address via the server's local ethernet
>> card.  How can I do these cases?
>
> Few choose to go that route, but you can disable ARP and set up /etc/
> ethers, or you could even fire up your favorite firewall (IPFW, PF,
> whatever), and add allow rules for the permitted MAC addresses, and
> deny all others.
>
> --
> -Chuck
>
>


Re: how to reject all mac addresses except some mac addresses using ipfw?

2008-06-24 Thread Chuck Swiger

[ ...please don't top-post... ]

On Jun 24, 2008, at 11:42 AM, Yavuz Maslak wrote:

But  I should have asked different my first question.
I have meant that how can I restrict to use an ip address which I  
already

assigned to a computer, anyone can use at his pc?


There is nothing which can prevent someone from configuring a machine  
to use any IP address they want to set, assuming they have admin  
access to that machine.


Normally, you don't grant physical access to your network for people  
you don't trust, but if you need to provide network access to  
untrustworthy systems, then you need to look into setting up access  
control via VLANs, or maybe PPPoE, or something similar where you can  
isolate their network and only let their traffic talk to other things  
if they connect "properly"...


Regards,
--
-Chuck



Re: how to reject all mac addresses except some mac addresses using ipfw?

2008-06-24 Thread Chuck Swiger

On Jun 24, 2008, at 10:26 AM, Yavuz Maslak wrote:
1- I want to fix an ip address for each mac address. But some pc and  
servers have more than an ip address. How can I map multiple ip  
addresses for a mac address?


Most people use ifconfig, perhaps indirectly via /etc/rc.conf.

2- I want to allow these fixed mac addresses using ipfw. After that  
I want to deny all mac address via the server's local ethernet  
card.  How can I do these cases?


Few choose to go that route, but you can disable ARP and set up /etc/ 
ethers, or you could even fire up your favorite firewall (IPFW, PF,  
whatever), and add allow rules for the permitted MAC addresses, and  
deny all others.


--
-Chuck



how to reject all mac addresses except some mac addresses using ipfw?

2008-06-24 Thread Yavuz Maslak
I use ipfw on freebsd7.

I have two questions

1- I want to fix an ip address for each mac address. But some pc and servers 
have more than an ip address. How can I map multiple ip addresses for a mac 
address?
2- I want to allow these fixed mac addresses using ipfw. After that I want to 
deny all mac address via the server's local ethernet card.  How can I do these 
cases?

Thanks



Re: Limit # of connections per IP using ipfw?

2008-02-13 Thread patrick
Perfect, thanks!

On Feb 13, 2008 10:14 AM, Christopher Cowart
<[EMAIL PROTECTED]> wrote:
>
> On Wed, Feb 13, 2008 at 09:23:31AM -0800, patrick wrote:
> > Is there a way to limit the number of TCP connections from a
> > particular IP at a given time using ipfw? We are running Cyrus IMAP on
> > FreeBSD 6.2, and are sometimes subject to POP3 brute force login
> > attacks. I'm not sure if it's Cyrus or the SASL SQL plugin, but these
> > attacks grind the server to halt (the load level goes up beyond 350!).
> > The database against which authentication takes places is on a
> > separate server, so I know it's not MySQL's fault. I'd like to be able
> > to set a firewall rule to set a reasonable limit per IP for these
> > sorts of connections. I know that pf can do it, and I'm in the process
> > of figuring out how to migrate all of our stuff over to pf, but in the
> > meantime, I'd like to try to do this with ipfw.
>
> You can use limit rules. This should do the trick:
>
> # ipfw add allow tcp from any to me pop3s limit src-addr 5
>
> Check the ipfw man page section on limit for more info (though it's
> pretty brief).
>
> --
> Chris Cowart
> Network Technical Lead
> Network & Infrastructure Services, RSSP-IT
> UC Berkeley
>


Re: Limit # of connections per IP using ipfw?

2008-02-13 Thread Christopher Cowart
On Wed, Feb 13, 2008 at 09:23:31AM -0800, patrick wrote:
> Is there a way to limit the number of TCP connections from a
> particular IP at a given time using ipfw? We are running Cyrus IMAP on
> FreeBSD 6.2, and are sometimes subject to POP3 brute force login
> attacks. I'm not sure if it's Cyrus or the SASL SQL plugin, but these
> attacks grind the server to halt (the load level goes up beyond 350!).
> The database against which authentication takes places is on a
> separate server, so I know it's not MySQL's fault. I'd like to be able
> to set a firewall rule to set a reasonable limit per IP for these
> sorts of connections. I know that pf can do it, and I'm in the process
> of figuring out how to migrate all of our stuff over to pf, but in the
> meantime, I'd like to try to do this with ipfw.

You can use limit rules. This should do the trick:

# ipfw add allow tcp from any to me pop3s limit src-addr 5

Check the ipfw man page section on limit for more info (though it's
pretty brief).

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley




Limit # of connections per IP using ipfw?

2008-02-13 Thread patrick
Is there a way to limit the number of TCP connections from a
particular IP at a given time using ipfw? We are running Cyrus IMAP on
FreeBSD 6.2, and are sometimes subject to POP3 brute force login
attacks. I'm not sure if it's Cyrus or the SASL SQL plugin, but these
attacks grind the server to halt (the load level goes up beyond 350!).
The database against which authentication takes places is on a
separate server, so I know it's not MySQL's fault. I'd like to be able
to set a firewall rule to set a reasonable limit per IP for these
sorts of connections. I know that pf can do it, and I'm in the process
of figuring out how to migrate all of our stuff over to pf, but in the
meantime, I'd like to try to do this with ipfw.

Thanks,

Patrick


Re: Blocking traffic by Mac address using IPFW

2007-01-27 Thread Tek Bahadur Limbu

On Thu, 25 Jan 2007 08:22:17 -0600
Kevin Kinsey <[EMAIL PROTECTED]> wrote:

> Tek Bahadur Limbu wrote:
> > 
> > 
> > Dear All,
> > 
> > I need some help regarding using IPFW to block specific MAC
> > addresses. How do I block incoming traffic by a MAC address instead
> > of an IP address.
> > 
> > Can this be done using IPFW? Since I am quite new to FreeBSD, can
> > somebody shed some light on this issue?
> 
> Yes, it appears that ipfw(8) can do this --- check the manpage (quite
> a ways down, in the RULE OPTIONS section [ about byte 45000] for full 
> details; note also that there may be other issues involved.  Here is
> a short thread on the subject from a couple of years ago:
> 
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-September/001375.html
> 
> Disclaimer: IANAE, and don't play one on television ;-)
> 
> HTH,
> 
> Kevin Kinsey
> -- 
> Heisenberg may have been here.
> 

Dear Kevin,

Thanks. I am looking at the links you provided.

-- 


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal


Re: Blocking traffic by Mac address using IPFW

2007-01-25 Thread Kevin Kinsey

Tek Bahadur Limbu wrote:



Dear All,

I need some help regarding using IPFW to block specific MAC addresses.
How do I block incoming traffic by a MAC address instead of an IP
address.

Can this be done using IPFW? Since I am quite new to FreeBSD, can
somebody shed some light on this issue?


Yes, it appears that ipfw(8) can do this --- check the manpage (quite a 
ways down, in the RULE OPTIONS section [ about byte 45000] for full 
details; note also that there may be other issues involved.  Here is a 
short thread on the subject from a couple of years ago:


http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-September/001375.html

Disclaimer: IANAE, and don't play one on television ;-)

HTH,

Kevin Kinsey
--
Heisenberg may have been here.


Blocking traffic by Mac address using IPFW

2007-01-25 Thread Tek Bahadur Limbu


Dear All,

I need some help regarding using IPFW to block specific MAC addresses.
How do I block incoming traffic by a MAC address instead of an IP
address.

Can this be done using IPFW? Since I am quite new to FreeBSD, can
somebody shed some light on this issue?




-- 


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal


Re: Using IPFW to bypass hotmail.com

2007-01-09 Thread Tek Bahadur Limbu


On Tue, 9 Jan 2007 15:28:44 +0100 (CET)
Oliver Fromme <[EMAIL PROTECTED]> wrote:

> Tek Bahadur Limbu wrote:
>  > I run a transparent squid proxy using IPFW below:
>  > 
>  > ipfw -q add allow tcp  from 192.168.55.0/24 to any  3128 in via
>  > bge0
> 
> That's not the rule for transparent proxying.  For that you
> need a "forward" (or "fwd") rule, not an "allow" rule.
> (Of course, the "allow" rule above might still be needed,
> but it's not the one that actually enables the transparent
> proxying).
> 
>  > Now I want the IP: 192.168.55.22 to bypass Squid when requesting
>  > www.hotmail.com.
>  > 
>  > How do I go about doing this using IPFW? Can somebody shed some
>  > light on this issue?
> 
> Simply add an "allow" rule for that IP, and place it
> _before_ the "forward" (or "fwd") rule in your rule set:
> 
> allow tcp from 192.168.55.22 to www.hotmail.com
> 
> Note that the hostname is not resolved dynamically, but
> at the time the rule is added to the rule set.
> 
> Best regards
>Oliver
> 
> -- 
> Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
> 
> "To this day, many C programmers believe that 'strong typing'
> just means pounding extra hard on the keyboard."
> -- Peter van der Linden

Dear Oliver Fromme,

Thanks for your input. I really appreciate it. I have rechecked my
firewall and I do have the following rule:

$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in


I have placed your rule on top of the above rules like this:

ipfw -q add allow tcp from 192.168.55.22 to www.hotmail.com
ipfw -q add fwd 127.0.0.1,3128 tcp from any to any 80 in
ipfw -q add allow tcp  from 192.168.55.0/24 to any  3128 in via bge0

Are the above rules correct?


Once again, thanks a lot.



 -- 


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal


Re: Using IPFW to bypass hotmail.com

2007-01-09 Thread Oliver Fromme
Tek Bahadur Limbu wrote:
 > I run a transparent squid proxy using IPFW below:
 > 
 > ipfw -q add allow tcp  from 192.168.55.0/24 to any  3128 in via bge0

That's not the rule for transparent proxying.  For that you
need a "forward" (or "fwd") rule, not an "allow" rule.
(Of course, the "allow" rule above might still be needed,
but it's not the one that actually enables the transparent
proxying).

 > Now I want the IP: 192.168.55.22 to bypass Squid when requesting
 > www.hotmail.com.
 > 
 > How do I go about doing this using IPFW? Can somebody shed some light
 > on this issue?

Simply add an "allow" rule for that IP, and place it
_before_ the "forward" (or "fwd") rule in your rule set:

allow tcp from 192.168.55.22 to www.hotmail.com

Note that the hostname is not resolved dynamically, but
at the time the rule is added to the rule set.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"To this day, many C programmers believe that 'strong typing'
just means pounding extra hard on the keyboard."
-- Peter van der Linden


Using IPFW to bypass hotmail.com

2007-01-09 Thread Tek Bahadur Limbu


Dear All,

I run a transparent squid proxy using IPFW below:

ipfw -q add allow tcp  from 192.168.55.0/24 to any  3128 in via bge0

Now I want the IP: 192.168.55.22 to bypass Squid when requesting
www.hotmail.com.

How do I go about doing this using IPFW? Can somebody shed some light
on this issue?

Thanks.


-- 


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal


using ipfw for NAT mapping in a 1:1 fake:real IPs for VPN

2006-11-13 Thread James Bakner

Hi,

I have a pretty complicated setup currently and am trying to figure out 
exactly how to implement it.  I'm pretty unfamiliar with freebsd, the 
last incarnation I used was 4.3 and I only used it for a few months 
before moving to linux.


I have a VPN setup for an IP range 10.0.0.1-10.0.0.255 for clients 
connecting using OpenVPN.


Now I am  handling NAT for these up to 5 IPs.  I have 5 real IPs that 
are allocated to the machine that the VPN server runs on (OpenVPN).  I 
need each client to have a real and unique IP, although not from the 
client's viewpoint.


From my understanding, I would get OpenVPN to give out IPs 
10.0.0.1-10.0.0.5. 

I would then set up rather than a standard NAT for like 192.168.0.0/24 
through A.B.C.D (single real IP)


I would now set up
nat 10.0.0.1 through A.B.C.D
nat 10.0.0.2 through A.B.C.E etc

Does this make sense and am I missing something?  These would be going 
through BSD's tun-type device.


Thanks,

-James


Re: Using IPFW to redirect all outgoing SMTP traffic to localhost

2006-06-22 Thread Chuck Swiger

Kieran Simkin wrote:

I have an IPFW question that I'm a bit stuck on and
could do with some help. Basically what I'm trying to do is count and
limit the number of e-mails each user on the system is allowed to send.
I've got this working fine within the e-mail server and everything's
dandy, except for the fact that it's easy to bypass the mail server by
making direct SMTP connections to the target hosts. 


Yes.  Use the firewall to do something like:

ipfw add pass tcp from any to MAILSERVER 25 keep-state
ipfw add pass tcp from MAILSERVER to any 25 keep-state
ipfw add unreach filter-prohib log tcp from any to any 25

(I suppose you could use a deny instead, but getting an actual ICMP error is 
probably more useful in this situation)


--
-Chuck

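What Oliver Fromme's ordering advice in the hotmail.com thread above and Chuck Swiger's SMTP rules here have in common is ipfw's first-match semantics: the first rule that matches a packet decides its fate. The following is an added example, not code from either poster: a small Python evaluator for a subset of ipfw rule syntax that loads both rule sets as written and reports which rule a packet hits. 203.0.113.10 (standing in for whatever www.hotmail.com resolved to when the rule was added) and 192.0.2.25 (standing in for MAILSERVER) are constructed placeholder addresses. Only allow/deny/fwd/unreach, protocol, addresses, destination port and in/out are modelled; keep-state, via and source ports are parsed but ignored, so the dynamic rules that keep-state creates are not represented.

```python
"""Added example (not the posters' code): first-match evaluation of a small
subset of ipfw(8) rule syntax, to show how rule order decides the verdict."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # allow, deny, fwd, unreach
    proto: str                       # tcp, udp or ip (any protocol)
    src: str                         # "any" or address[/prefix]
    dst: str
    dport: Optional[int] = None      # destination port, None = any
    direction: Optional[str] = None  # "in", "out" or None = both
    target: Optional[str] = None     # fwd host,port or unreach code

Packet = namedtuple("Packet", "proto src dst dport direction", defaults=("in",))

ACTION_ALIASES = {"pass": "allow", "accept": "allow", "drop": "deny", "forward": "fwd"}

def parse_rule(line: str, number: int) -> Rule:
    """Parse 'ipfw [-q] add [num] action [target] [log] proto from A [p] to B [p] opts'."""
    t = [tok for tok in line.split() if tok != "ipfw" and not tok.startswith("-")]
    if t[0] == "add":
        t.pop(0)
    if t[0].isdigit():
        number = int(t.pop(0))                 # explicit rule number
    action = t.pop(0)
    action = ACTION_ALIASES.get(action, action)
    target = t.pop(0) if action in ("fwd", "unreach") else None
    if t[0] == "log":
        t.pop(0)
    proto = t.pop(0)
    assert t.pop(0) == "from", line
    src = t.pop(0)
    if t[0] != "to":
        t.pop(0)                               # source port: not modelled
    assert t.pop(0) == "to", line
    dst = t.pop(0)
    dport = int(t.pop(0)) if t and t[0].isdigit() else None
    # Remaining options: in/out is honoured; via, keep-state and setup are
    # accepted but ignored, so dynamic (stateful) rules are not modelled.
    direction = next((tok for tok in t if tok in ("in", "out")), None)
    return Rule(number, action, proto, src, dst, dport, direction, target)

def load_ruleset(lines):
    """Unnumbered rules get highest+100, mirroring ipfw's default autoinc_step."""
    rules, last = [], 0
    for line in lines:
        rules.append(parse_rule(line, last + 100))
        last = max(last, rules[-1].number)
    return sorted(rules, key=lambda r: r.number)

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport)
            and (r.direction is None or r.direction == p.direction))

def evaluate(rules, p: Packet):
    """First match wins; 65535 is the implicit default rule (deny unless the
    kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for r in rules:
        if matches(r, p):
            return r.number, (r.action if r.target is None else f"{r.action} {r.target}")
    return 65535, "deny"

# Hotmail bypass in Oliver's order. 203.0.113.10 is a constructed stand-in for
# the address www.hotmail.com resolved to when the rule was added.
PROXY_BYPASS_FIRST = [
    "ipfw -q add allow tcp from 192.168.55.22 to 203.0.113.10",
    "ipfw -q add fwd 127.0.0.1,3128 tcp from any to any 80 in",
    "ipfw -q add allow tcp from 192.168.55.0/24 to any 3128 in via bge0",
]
PROXY_FWD_FIRST = list(reversed(PROXY_BYPASS_FIRST[:2]))   # bypass after the fwd rule
# SMTP egress policy from the post above; 192.0.2.25 stands in for MAILSERVER.
SMTP_EGRESS = [
    "ipfw add pass tcp from any to 192.0.2.25 25 keep-state",
    "ipfw add pass tcp from 192.0.2.25 to any 25 keep-state",
    "ipfw add unreach filter-prohib log tcp from any to any 25",
]

def demo():
    web = Packet("tcp", "192.168.55.22", "203.0.113.10", 80)
    smtp = load_ruleset(SMTP_EGRESS)
    return {
        "bypass_first": evaluate(load_ruleset(PROXY_BYPASS_FIRST), web),
        "fwd_first": evaluate(load_ruleset(PROXY_FWD_FIRST), web),
        "direct_smtp": evaluate(smtp, Packet("tcp", "192.0.2.50", "198.51.100.7", 25, "out")),
        "relay_smtp": evaluate(smtp, Packet("tcp", "192.0.2.25", "198.51.100.7", 25, "out")),
    }

if __name__ == "__main__":
    for name, (num, verdict) in demo().items():
        print(f"{name:13s} rule {num:5d}: {verdict}")
```

With the bypass placed after the fwd rule, 192.168.55.22's port 80 traffic is forwarded to Squid like everyone else's, which is exactly the ordering mistake Oliver warns about; in the SMTP set an ordinary host connecting directly to a remote port 25 reaches the unreach rule, while the mail server matches the pass rule before it. Because keep-state is ignored, the model does not show the reply traffic the dynamic rules admit on a real system, and anything not matched falls through to rule 65535.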


Using IPFW to redirect all outgoing SMTP traffic to localhost

2006-06-22 Thread Kieran Simkin



Hi Guys,
I have an IPFW question that I'm a bit stuck on and
could do with some help. Basically what I'm trying to do is count and
limit the number of e-mails each user on the system is allowed to send.
I've got this working fine within the e-mail server and everything's
dandy, except for the fact that it's easy to bypass the mail server by
making direct SMTP connections to the target hosts. 
What I need to
be able to do is force all connections to any host on port 25 to be
redirected to localhost. Ideally I'd just be able to forward all outgoing
connections with dst port 25 to localhost. If this is not possible, I
would be happy to simply firewall all outbound traffic with dst port
25.
 There is a caveat:
I need port 25 redirection/blocking to
occur for all users except those which I name (ie, the mailserver and
certain admin users). Of course, the mail server must be able to send
e-mail to external hosts, and I'd like certain other users on the system
to be able to do this as well.
To be honest I'm not really sure
where to start writing an IPFW rule to do this - any pointers would be
greatly appreciated.
Best regards,

~Kieran Simkin
Digital Crocus


Re: IP Banning (Using IPFW)

2006-02-09 Thread Daniel A.
On 2/9/06, Chris <[EMAIL PROTECTED]> wrote:
> On 07/02/06, David Scheidt <[EMAIL PROTECTED]> wrote:
> >
> > On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote:
> > > On Sun, 5 Feb 2006 18:55:13 -0500
> > > David Scheidt <[EMAIL PROTECTED]> wrote:
> > >
> > > >
> > > > Nonsense.  There may be some people that only scan well-known ports,
> > > > but it's much more common to scan every port on a machine.  If you're
> > > > running a server on a non-standard port, an attacker will find it.
> > > >
> > >
> > > sure, but 99% of the time the machines attacking your server are zombies
> > > that do not care to do a full portscan. i suppose the purpose is to
> > > find other misconfigured, easy-to-hack computers on the network. by
> > > putting your services on non-standard ports you get rid of these
> > > mindless drones and don't pollute log files with useless garbage.
> > >
> > > now if somebody _does_ actually target your server in particular then
> > > this is definitely not the solution.
> > >
> > > anywayz, putting things on non-standard ports helps a lot, and is
> > > one of the first and easiest security measures an administrator
> > > may consider.
> > >
> >
> > Taking your clothes off and painting yourself blue is also one of the
> > first and easiest security measures to consider.  It's even more
> > effective, too.  I know of no machine that's been cracked that had a
> > wheel naked and painted blue.  I've seen lots running standard
> > services on non-standard ports.
> >
> > Security through obscurity doesn't work, it makes tracking down
> > other problems harder, and creates work to maintain non-standard
> > configurations.
>
>
> I understand his point, I see 2 types of problems we have to deal with.  The
> thousands of drones that scan for boxes that are vulnerable to a specific
> exploit, they will often scan ip ranges on a specific port and if it's open
> see if it's vulnerable.  For these types of intruders changing ports is very
> effective since you would simply be skipped past on their scan, for most of
> us 99% of attempted intrusions are zombie based or some script a kid has
> downloaded off the web.
>
> The argument against changing ports is of course when you have a persistent
> hacker who wants in, he will of course scan all the ports and find the
> service and this type of protection is nullified.  In this scenario if you
> haven't taken additional measures to secure the box then you may be in
> trouble.
>
> I personally move things like sshd off its normal port simply to stop my logs
> being flooded with brute force logins and since I am the only one who uses
> ssh there is no downside to it, I of course don't rely on this alone and keep
> my software up to date amongst other security measures; it is simply an extra
> layer of skin on the onion.  For things like httpd I keep on port 80 as I
> think moving the port of that is more hassle than it's worth.
I've seen someone mention how to move httpd to a non-reserved port (i.e.
8080), and let that change be transparent for the end-user by using
ipf. I don't know how, though.
>
> Chris


Re: IP Banning (Using IPFW)

2006-02-08 Thread Chris
On 07/02/06, David Scheidt <[EMAIL PROTECTED]> wrote:
>
> On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote:
> > On Sun, 5 Feb 2006 18:55:13 -0500
> > David Scheidt <[EMAIL PROTECTED]> wrote:
> >
> > >
> > > Nonsense.  There may be some people that only scan well-known ports,
> > > but it's much more common to scan every port on a machine.  If you're
> > > running a server on a non-standard port, an attacker will find it.
> > >
> >
> > sure, but 99% of the time the machines attacking your server are zombies
> > that do not care to do a full portscan. i suppose the purpose is to
> > find other misconfigured, easy-to-hack computers on the network. by
> > putting your services on non-standard ports you get rid of these
> > mindless drones and don't pollute log files with useless garbage.
> >
> > now if somebody _does_ actually target your server in particular then
> > this is definitely not the solution.
> >
> > anywayz, putting things on non-standard ports helps a lot, and is
> > one of the first and easiest security measures an administrator
> > may consider.
> >
>
> Taking your clothes off and painting yourself blue is also one of the
> first and easiest security measures to consider.  It's even more
> effective, too.  I know of no machine that's been cracked that had a
> wheel naked and painted blue.  I've seen lots running standard
> services on non-standard ports.
>
> Security through obscurity doesn't work, it makes tracking down
> other problems harder, and creates work to maintain non-standard
> configurations.


I understand his point, I see 2 types of problems we have to deal with.  The
thousands of drones that scan for boxes that are vulnerable to a specific
exploit, they will often scan ip ranges on a specific port and if it's open
see if it's vulnerable.  For these types of intruders changing ports is very
effective since you would simply be skipped past on their scan, for most of
us 99% of attempted intrusions are zombie based or some script a kid has
downloaded off the web.

The argument against changing ports is of course when you have a persistent
hacker who wants in, he will of course scan all the ports and find the
service and this type of protection is nullified.  In this scenario if you
haven't taken additional measures to secure the box then you may be in
trouble.

I personally move things like sshd off its normal port simply to stop my logs
being flooded with brute force logins and since I am the only one who uses
ssh there is no downside to it, I of course don't rely on this alone and keep
my software up to date amongst other security measures; it is simply an extra
layer of skin on the onion.  For things like httpd I keep on port 80 as I
think moving the port of that is more hassle than it's worth.

Chris


Re: IP Banning (Using IPFW)

2006-02-06 Thread David Scheidt
On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote:
> On Sun, 5 Feb 2006 18:55:13 -0500
> David Scheidt <[EMAIL PROTECTED]> wrote:
> 
> > 
> > Nonsense.  There may be some people that only scan well-known ports,
> > but it's much more common to scan every port on a machine.  If you're
> > running a server on a non-standard port, an attacker will find it.
> > 
> 
> sure, but 99% of the time the machines attacking your server are zombies
> that do not care to do a full portscan. i suppose the purpose is to
> find other misconfigured, easy-to-hack computers on the network. by
> putting your services on non-standard ports you get rid of these
> mindless drones and don't pollute log files with useless garbage.
> 
> now if somebody _does_ actually target your server in particular then
> this is definitely not the solution.
> 
> anywayz, putting things on non-standard ports helps a lot, and is
> one of the first and easiest security measures an administrator
> may consider.
> 

Taking your clothes off and painting yourself blue is also one of the
first and easiest security measures to consider.  It's even more
effective, too.  I know of no machine that's been cracked that had a
wheel naked and painted blue.  I've seen lots running standard
services on non-standard ports.

Security through obscurity doesn't work, it makes tracking down
other problems harder, and creates work to maintain non-standard
configurations.

David


Re: IP Banning (Using IPFW)

2006-02-06 Thread Atis
On Sun, 5 Feb 2006 18:55:13 -0500
David Scheidt <[EMAIL PROTECTED]> wrote:

> 
> Nonsense.  There may be some people that only scan well-known ports,
> but it's much more common to scan every port on a machine.  If you're
> running a server on a non-standard port, an attacker will find it.
> 

sure, but 99% of the time the machines attacking your server are zombies
that do not care to do a full portscan. i suppose the purpose is to
find other misconfigured, easy-to-hack computers on the network. by
putting your services on non-standard ports you get rid of these
mindless drones and don't pollute log files with useless garbage.

now if somebody _does_ actually target your server in particular then
this is definitely not the solution.

anywayz, putting things on non-standard ports helps a lot, and is
one of the first and easiest security measures an administrator
may consider.


Atis


Re: IP Banning (Using IPFW)

2006-02-05 Thread David Scheidt
On Sun, Feb 05, 2006 at 05:38:11PM -0500, fbsd_user wrote:
> 
> You missed the whole meaning.
> Attackers only scan for the published service port numbers,
> that is what is meant by "portscan the box".
> Those high order port numbers are dynamically
> used during normal session conversation.
> So any response from those port numbers if an
> attacker scanned that high would be meaningless.
> Please check your facts before commenting.

Nonsense.  There may be some people that only scan well-known ports,
but it's much more common to scan every port on a machine.  If you're
running a server on a non-standard port, an attacker will find it.



Re: IP Banning (Using IPFW)

2006-02-05 Thread Daniel A.
I know for a fact that if a hacker wants to root a box, the first and
least thing he does is to
nmap -p1-65535 -Avv host
And yeah, it does detect services on unusual ports. And regardless of
what you say, assigning nondefault ports is security through
obscurity.

On 2/5/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> You missed the whole meaning.
> Attackers only scan for the published service port numbers,
> that is what is meant by "portscan the box".
> Those high order port numbers are dynamically
> used during normal session conversation.
> So any response from those port numbers if an
> attacker scanned that high would be meaningless.
> Please check your facts before commenting.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
> Sent: Sunday, February 05, 2006 4:58 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; Michael A. Alestock
> Subject: Re: IP Banning (Using IPFW)
>
>
> On 2/5/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> > I find this kind of approach is treating the symptom and not the
> > cause.
> > The basic problem is the services have well published port numbers
> > and attackers beat on those known port numbers. A much simpler
> > approach is to change the standard port numbers to some high order
> > port number. See /etc/services. The SSH logon command allows for a
> > port number and the same for telnet. Your remote users will be the only
> > people knowing your selected port numbers for those services. This
> > way an attacker's port scan will show the well published port numbers
> > as not open so they will pass on attacking those ports on your ip
> > address. This way your bandwidth usage will be reduced as attackers
> > find your ip address as having nothing of interest.
> >
> > This same kind of thing can also be done for port 80 by using the
> > web forwarding function of Zoneedit pointing to a different port for
> > your web server. Only people coming to your site through dns will be
> > forwarded to the correct port.
> >
> > The clear key here is attackers roll through a large range of ip
> > addresses port scanning for open ports. By using nonstandard port
> > numbers for your services you stop the attacker even finding you in
> > the first place.
> >
> > Good luck whatever you choose to do.
> You just argued against yourself. If an attacker is genuinely
> interested in rooting someone's box, that attacker will most likely
> portscan the box - and thereby discover that you have assigned
> alternative port numbers to your services.
> Security through obscurity is a bad place to start.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Michael A.
> > Alestock
> > Sent: Sunday, February 05, 2006 10:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: IP Banning (Using IPFW)
> > Importance: High
> >
> >
> > Hello,
> >
> > I was wondering if there's some sort of port available that can
> > actively ban IPs that try and bruteforce a service such as SSH or
> > Telnet, by scanning the /var/log/auth.log log for Regex such as
> > "Illegal User" or "LOGIN FAILURES", and then using IPFW to
> > essentially deny (ban) that IP for a certain period of time or
> > possibly forever.
> >
> > I've seen a very useful one that works for linux (fail2ban), and
> > was wondering if one exists for FreeBSD's IPFW?
> >
> > I've looked around in /usr/ports/security and /usr/ports/net but
> > can't seem to find anything that closely resembles that.
> >
> > Your help would be greatly appreciated. Thanks in advance!
> >
> > >> Michael A., USA... Loyal FreeBSD user since 2000.


RE: IP Banning (Using IPFW)

2006-02-05 Thread fbsd_user
You missed the whole meaning.
Attackers only scan for the published service port numbers,
that is what is meant by "portscan the box".
Those high order port numbers are dynamically
used during normal session conversation.
So any response from those port numbers if an
attacker scanned that high would be meaningless.
Please check your facts before commenting.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
Sent: Sunday, February 05, 2006 4:58 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Michael A. Alestock
Subject: Re: IP Banning (Using IPFW)


On 2/5/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> I find this kind of approach is treating the symptom and not the
> cause.
> The basic problem is the services have well published port numbers
> and attackers beat on those known port numbers. A much simpler
> approach is to change the standard port numbers to some high order
> port number. See /etc/services. The SSH logon command allows for a
> port number and the same for telnet. Your remote users will be the only
> people knowing your selected port numbers for those services. This
> way an attacker's port scan will show the well published port numbers
> as not open so they will pass on attacking those ports on your ip
> address. This way your bandwidth usage will be reduced as attackers
> find your ip address as having nothing of interest.
>
> This same kind of thing can also be done for port 80 by using the
> web forwarding function of Zoneedit pointing to a different port for
> your web server. Only people coming to your site through dns will be
> forwarded to the correct port.
>
> The clear key here is attackers roll through a large range of ip
> addresses port scanning for open ports. By using nonstandard port
> numbers for your services you stop the attacker even finding you in
> the first place.
>
> Good luck whatever you choose to do.
You just argued against yourself. If an attacker is genuinely
interested in rooting someone's box, that attacker will most likely
portscan the box - and thereby discover that you have assigned
alternative port numbers to your services.
Security through obscurity is a bad place to start.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael A.
> Alestock
> Sent: Sunday, February 05, 2006 10:42 AM
> To: [EMAIL PROTECTED]
> Subject: IP Banning (Using IPFW)
> Importance: High
>
>
> Hello,
>
> I was wondering if there's some sort of port available that can
> actively ban IPs that try and bruteforce a service such as SSH or
> Telnet, by scanning the /var/log/auth.log log for Regex such as
> "Illegal User" or "LOGIN FAILURES", and then using IPFW to
> essentially deny (ban) that IP for a certain period of time or
> possibly forever.
>
> I've seen a very useful one that works for linux (fail2ban), and
> was wondering if one exists for FreeBSD's IPFW?
>
> I've looked around in /usr/ports/security and /usr/ports/net but
> can't seem to find anything that closely resembles that.
>
> Your help would be greatly appreciated. Thanks in advance!
>
> >> Michael A., USA... Loyal FreeBSD user since 2000.


Re: IP Banning (Using IPFW)

2006-02-05 Thread Daniel A.
On 2/5/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> I find this kind of approach is treating the symptom and not the
> cause.
> The basic problem is the services have well published port numbers
> and attackers beat on those known port numbers. A much simpler
> approach is to change the standard port numbers to some high order
> port number. See /etc/services. The SSH logon command allows for a port
> number and the same for telnet. Your remote users will be the only
> people knowing your selected port numbers for those services. This
> way an attacker's port scan will show the well published port numbers
> as not open so they will pass on attacking those ports on your ip
> address. This way your bandwidth usage will be reduced as attackers
> find your ip address as having nothing of interest.
>
> This same kind of thing can also be done for port 80 by using the
> web forwarding function of Zoneedit pointing to a different port for
> your web server. Only people coming to your site through dns will be
> forwarded to the correct port.
>
> The clear key here is attackers roll through a large range of ip
> addresses port scanning for open ports. By using nonstandard port
> numbers for your services you stop the attacker even finding you in
> the first place.
>
> Good luck whatever you choose to do.
You just argued against yourself. If an attacker is genuinely
interested in rooting someone's box, that attacker will most likely
portscan the box - and thereby discover that you have assigned
alternative port numbers to your services.
Security through obscurity is a bad place to start.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael A.
> Alestock
> Sent: Sunday, February 05, 2006 10:42 AM
> To: [EMAIL PROTECTED]
> Subject: IP Banning (Using IPFW)
> Importance: High
>
>
> Hello,
>
> I was wondering if there's some sort of port available that can
> actively
> ban IPs that try and bruteforce a service such as SSH or Telnet, by
> scanning the /var/log/auth.log log for Regex such as "Illegal User"
> or
> "LOGIN FAILURES", and then using IPFW to essentially deny (ban) that
> IP
> for a certain period of time or possibly forever.
>
> I've seen a very useful one that works for linux (fail2ban), and was
> wondering if one exists for FreeBSD's IPFW?
>
> I've looked around in /usr/ports/security and /usr/ports/net but
> can't
> seem to find anything that closely resembles that.
>
> Your help would be greatly appreciated. Thanks in advance!
>
> >> Michael A., USA... Loyal FreeBSD user since 2000.


RE: IP Banning (Using IPFW)

2006-02-05 Thread fbsd_user
I find this kind of approach is treating the symptom and not the
cause.
The basic problem is the services have well-published port numbers
and attackers beat on those known port numbers. A much simpler
approach is to change the standard port numbers to some high-order
port number. See /etc/services. The SSH login command allows for a port
number and the same for telnet. Your remote users will be the only
people knowing your selected port numbers for those services. This
way an attacker's port scan will show the well-published port numbers
as not open, so they will pass on attacking those ports on your IP
address. This way your bandwidth usage will be reduced as attackers
find your IP address as having nothing of interest.

This same kind of thing can also be done for port 80 by using the
web forwarding function of Zoneedit pointing to a different port for
your web server. Only people coming to your site through DNS will be
forwarded to the correct port.

The clear key here is attackers roll through a large range of IP
addresses port scanning for open ports. By using nonstandard port
numbers for your services you stop the attacker even finding you in
the first place.

Good luck whatever you choose to do.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael A.
Alestock
Sent: Sunday, February 05, 2006 10:42 AM
To: [EMAIL PROTECTED]
Subject: IP Banning (Using IPFW)
Importance: High


Hello,

I was wondering if there's some sort of port available that can
actively
ban IPs that try and bruteforce a service such as SSH or Telnet, by
scanning the /var/log/auth.log log for Regex such as "Illegal User"
or
"LOGIN FAILURES", and then using IPFW to essentially deny (ban) that
IP
for a certain period of time or possibly forever.

I've seen a very useful one that works for linux (fail2ban), and was
wondering if one exists for FreeBSD's IPFW?

I've looked around in /usr/ports/security and /usr/ports/net but
can't
seem to find anything that closely resembles that.

Your help would be greatly appreciated Thanks in advance!

>> Michael A., USA... Loyal FreeBSD user since 2000.


Re: IP Banning (Using IPFW)

2006-02-05 Thread Philip Hallstrom
> I was wondering if there's some sort of port available that can actively ban
> IPs that try and bruteforce a service such as SSH or Telnet, by scanning the
> /var/log/auth.log log for Regex such as "Illegal User" or "LOGIN FAILURES",
> and then using IPFW to essentially deny (ban) that IP for a certain period of
> time or possibly forever.
>
> I've seen a very useful one that works for Linux (fail2ban), and was
> wondering if one exists for FreeBSD's IPFW?


There are some in the ports, but you can write your own pretty easy too. 
The one thing I didn't like about the ones in the ports is the app was 
responsible for removing the rules after a set amount of time.  Which 
could be a problem if that app crashed for some reason.  You could lock 
yourself out permanently...


Here's a quick perl script I wrote that does what you want...

http://pastebin.com/540575

Combine that with these two crontab entries:

0-59/4 * * * * /sbin/ipfw delete 501 >/dev/null 2>&1
2-59/4 * * * * /sbin/ipfw delete 500 >/dev/null 2>&1

-philip
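An added example, not Philip's pastebin script and not anything else from the thread: a /bin/sh version of the same idea, with two details a practitioner would want. It counts sshd failures per source address (the "Illegal user ... from <ip>" and "Failed password for ... from <ip>" wording, the threshold and the constructed sample log are all assumptions), takes the LAST "from <ip>" on each line because the user name sits in front of it and a login attempt with a user name such as "root from 192.0.2.1" would otherwise get a third party banned, and installs each deny under rule number 500 or 501 so that the two crontab lines above expire every ban after two to four minutes without the script itself having to remember anything. By default it only prints the rules; set IPFW=/sbin/ipfw to install them.

```shell
#!/bin/sh
# Added example (not the pastebin script): ban sources of repeated sshd
# failures with ipfw, under rule numbers that cron deletes periodically.
# Assumed: sshd log wording, threshold, and the constructed sample below.

IPFW="${IPFW:-echo}"            # set IPFW=/sbin/ipfw to really add rules
THRESHOLD="${THRESHOLD:-3}"     # failures before a source is banned
NEVER_BAN="${NEVER_BAN:-}"      # space-separated addresses never to ban
                                # (put your own management host here)

# Constructed sample of /var/log/auth.log lines, not real traffic. The
# last line is a log-injection attempt: the attacker's user name contains
# a fake "from" clause naming someone else's address.
SAMPLE_LOG='Feb  5 10:40:01 gw sshd[812]: Illegal user admin from 203.0.113.7
Feb  5 10:40:03 gw sshd[813]: Illegal user oracle from 203.0.113.7
Feb  5 10:40:05 gw sshd[814]: Failed password for root from 203.0.113.7 port 4411 ssh2
Feb  5 10:41:10 gw sshd[820]: Failed password for alice from 198.51.100.9 port 5120 ssh2
Feb  5 10:41:30 gw sshd[821]: Accepted publickey for alice from 198.51.100.9 port 5121 ssh2
Feb  5 10:42:00 gw sshd[830]: Illegal user root from 192.0.2.1 from 203.0.113.7'

# offenders MIN LOGTEXT: print, one per line, every IPv4 address that
# appears in at least MIN failure lines of LOGTEXT.
offenders() {
    printf '%s\n' "$2" | awk -v min="$1" '
        /Illegal user|Invalid user|Failed password/ {
            # Take the LAST "from <ip>" on the line; everything before it
            # (the user name) is attacker-controlled text.
            s = $0; ip = ""
            while (match(s, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr(s, RSTART + 5, RLENGTH - 5)
                s = substr(s, RSTART + RLENGTH)
            }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

# ban_slot MINUTE: cron deletes rule 501 at minutes 0,4,8,... and rule
# 500 at 2,6,10,..., so add under the number that was cleared most
# recently; a ban then lives at least two and at most four minutes.
ban_slot() {
    if [ $(( $1 % 4 )) -lt 2 ]; then echo 501; else echo 500; fi
}

# ban_offenders SLOT LOGTEXT: one deny rule per offender under rule SLOT.
# "ipfw delete 500" later removes every rule carrying that number at once.
ban_offenders() {
    slot=$1
    for ip in $(offenders "$THRESHOLD" "$2"); do
        case " $NEVER_BAN " in *" $ip "*) continue ;; esac
        $IPFW add "$slot" deny ip from "$ip" to any
    done
}

# Stand-alone run against the sample, using the current minute. In the
# real cron job replace SAMPLE_LOG with the tail of /var/log/auth.log.
minute=$(date +%M); minute=${minute#0}
ban_offenders "$(ban_slot "$minute")" "$SAMPLE_LOG"
```

Run it every minute from cron next to the two delete lines, and keep the management host's address in NEVER_BAN: a deny rule on the box you administer remotely is exactly the lock-out Philip describes, and an attacker who can write a user name into your log can otherwise choose which address gets banned.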


IP Banning (Using IPFW)

2006-02-05 Thread Michael A. Alestock

Hello,

I was wondering if there's some sort of port available that can actively 
ban IPs that try and bruteforce a service such as SSH or Telnet, by 
scanning the /var/log/auth.log log for Regex such as "Illegal User" or 
"LOGIN FAILURES", and then using IPFW to essentially deny (ban) that IP 
for a certain period of time or possibly forever.


I've seen a very useful one that works for Linux (fail2ban), and was 
wondering if one exists for FreeBSD's IPFW?


I've looked around in /usr/ports/security and /usr/ports/net but can't 
seem to find anything that closely resembles that.


Your help would be greatly appreciated Thanks in advance!


Michael A., USA... Loyal FreeBSD user since 2000.



Re: how may i deny many streams downloads using ipfw

2004-09-23 Thread Ion-Mihai Tetcu
On Fri, 24 Sep 2004 10:00:32 +0600
stepan <[EMAIL PROTECTED]> wrote:

> Hi all!
> 
>  sorry for my English...
>  
>  Please tell me how to disable multi-stream downloads
>  (using Flashget or Reget) via my FreeBSD-4.7.1 router using the firewall.
>  My `pipe' settings are ineffective with these programs.

See the ipfw man page and search for the ``limit'' keyword:
allow tcp from any to any limit dst-addr 5


-- 
IOnut
Unregistered ;) FreeBSD "user"
5.3-BETA4 - try `sysctl debug.witness_watch=0`
and prepare to fly :-)




how may i deny many streams downloads using ipfw

2004-09-23 Thread stepan
Hi all!

 sorry for my English...
 
 Please tell me how to disable multi-stream downloads
 (using Flashget or Reget) via my FreeBSD-4.7.1 router using the firewall.
 My `pipe' settings are ineffective with these programs.

 Best regards
 
 stepan
   mailto:[EMAIL PROTECTED]




Re: Using IPFW & DUMMYNET with an existing IPFILTER/IPNAT setup for QoS

2004-08-12 Thread Siddhartha Jain
J. Seth Henry wrote:
| Hello,
| I have an existing FreeBSD based router/internet gateway system that
| is using ipfilter & ipnat. It performs quite well, and my wife would be
| mightily irritated if I screwed it up. :)
|
http://www.phildev.net/ipf/IPFfreebsd.html#12
HTH,
Siddhartha


Using IPFW & DUMMYNET with an existing IPFILTER/IPNAT setup for QoS

2004-08-11 Thread J. Seth Henry
Hello,
I have an existing FreeBSD based router/internet gateway system that is using 
ipfilter & ipnat. It performs quite well, and my wife would be mightily 
irritated if I screwed it up. :)

However, we have VoIP through Vonage, and a standard Comcast cable modem 
connection to the Internet. Most of the time, everything works well, but when 
I upload large files to the office via FTP, the sound gets choppy - to the 
point where we end up having to use our cell phones.

So, I would like to set up IPFW & DUMMYNET to provide a basic QoS service.

All I really need to do is reserve sufficient bandwidth for, or give highest 
priority to, the ATA - followed by ssh. I believe it needs at least 128kbps 
in each direction for adequate sound quality. I merely want to give ssh 
traffic a higher priority (or reserve bandwidth for) over everything else, so 
that I can still get into my systems even when an ftp session is running.

First, a bit about my (fairly simple) network:

--< external IF: fxp0ROUTER internal IF: xl0 >---< SWITCH >

The switch has its own management port, 2 SmartUPS with management cards, a 
Cisco ATA, and 5 PC's.

To simplify management of IP addresses, I use isc-dhcp for both obtaining the 
router WAN address (dhclient), and for distributing fixed addresses to all of 
the network hosts (dhcpd) (except for the switch and UPS' - which don't 
support DHCP correctly) I don't yet manage local DNS services, so I simply 
distribute a fixed hosts file. 

The router is also a stratum 2 time server for the network (all hosts that can 
synchronize their clocks to the router, not an external time server) via 
ntpd. 

Eventually, I plan to run a local DNS server - but I haven't gotten around to 
it yet. I would like to run my own to support my local naming scheme, without 
passing any information back up the tree, as well as caching DNS information 
should Comcast have a DNS problem. This, however, is a task for another day.

So, we have:


#
# Outside Interface
#

pass in quick on fxp0 proto tcp from any to any port = 21 flags S keep frags keep state
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep frags keep state
pass in quick on fxp0 proto tcp from any to any port = 23 flags S keep frags keep state
pass in quick on fxp0 proto udp from any to any port = 68 keep state
pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep frags keep state

pass out quick on fxp0 proto tcp from any to any flags S keep frags keep state
pass out quick on fxp0 proto udp from any to any keep state keep frags
pass out quick on fxp0 proto icmp from any to any keep state

block out quick on fxp0 all
block in log quick on fxp0 all

#
# Inside Interface
#
pass in quick on xl0 all
pass out quick on xl0 all

#
# Loopback Interface
#
pass in quick on lo0 all
pass out quick on lo0 all


map fxp0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp
rdr fxp0 0.0.0.0/0 port 21 -> 192.168.1.2 port 21 tcp
rdr fxp0 0.0.0.0/0 port 22 -> 192.168.1.2 port 22 tcp
#below is a irc identd port forwarding example
#rdr fxp0 0.0.0.0/0 port 113 -> 192.168.1.5 port 113 tcp
map fxp0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.1.254/24 -> 0/32


# dhcpd.conf

# option definitions common to all supported networks...
option domain-name "gambrl01.md.comcast.net";
option domain-name-servers 68.48.0.6, 68.48.0.12;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-update-style ad-hoc;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# Local systems are defined here, and use DHCP as a convenience

host alexandria {
  hardware ethernet 00:30:48:21:8b:8a;
  fixed-address alexandria;
}

host switch {
  hardware ethernet 00:50:ba:ec:61:b3;
  fixed-address switch;
}

host net_ups {
  hardware ethernet 00:c0:b7:6a:00:dd;
  fixed-address net_ups;
}

host serv_ups {
  hardware ethernet 00:c0:b7:a3:a5:67;
  fixed-address serv_ups;
}

host vonage-ata {
  hardware ethernet 00:0d:29:0a:af:2e;
  fixed-address vonage-ata;
}

host office_pc {
  hardware ethernet 00:50:04:ae:90:16;
  fixed-address office_pc;
}

host den_pc {
  hardware ethernet 00:d0:b7:ab:cb:fd;
  fixed-address den_pc;
}

host bedroom_pc {
  hardware ethernet 00:e0:81:23:c2:fd;
  fixed-address bedroom_pc;
}

host spyglass {
  hardware ethernet 00:04:5a:95:47:
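An added example, not from the thread and not Seth's configuration: one way to do the dummynet side of the set-up asked about above (fxp0 outside, xl0 inside, a Cisco ATA on the LAN, ssh to be kept usable during an FTP upload) while leaving ipf/ipnat in charge of filtering and NAT. ipfw is built with IPFIREWALL_DEFAULT_TO_ACCEPT and DUMMYNET and does nothing but classify outbound traffic into WF2Q+ queues that share one pipe sized to the upstream link. The ATA's address, the usable upstream rate, the weights and the rule numbers are assumptions; by default the script only prints the commands, IPFW=/sbin/ipfw loads them.

```shell
#!/bin/sh
# Added example, not from the thread: dummynet shaping for the gateway
# described above (fxp0 outside, xl0 inside, a Cisco ATA on the LAN).
# ipf/ipnat keep doing the filtering; ipfw, built with
# IPFIREWALL_DEFAULT_TO_ACCEPT and DUMMYNET, only classifies and shapes.
# Assumed: the ATA's address, the usable upstream rate, the queue weights
# and rule numbers. Prints the rules by default; IPFW=/sbin/ipfw loads them.

IPFW="${IPFW:-echo}"
ATA="${ATA:-192.168.1.10}"        # assumed address of the vonage-ata host
LAN="192.168.1.0/24"
UPLINK="${UPLINK:-240Kbit/s}"     # assumed: a little under the modem's real
                                  # upstream rate, so the queue builds in
                                  # dummynet and not inside the modem
load_qos() {
    $IPFW -f flush
    $IPFW -f pipe flush

    # One pipe sized to the upstream link; all outbound classes share it.
    $IPFW pipe 1 config bw "$UPLINK"

    # WF2Q+ queues on that pipe. The weight is a class's share of the link
    # when it is saturated; an idle class costs the others nothing. Voice
    # also gets a short queue, since a buffered voice packet is worthless.
    $IPFW queue 1 config pipe 1 weight 90 queue 10   # ATA: SIP and RTP
    $IPFW queue 2 config pipe 1 weight 50            # interactive ssh
    $IPFW queue 3 config pipe 1 weight 5             # bulk: ftp, http, rest

    # Classify on the way in from the LAN, where the private source address
    # is still visible (ipnat rewrites it on fxp0 later). Only traffic that
    # is leaving the LAN is queued; LAN-to-router traffic is untouched.
    $IPFW add 100 queue 1 udp from "$ATA" to not "$LAN" in recv xl0
    $IPFW add 200 queue 2 tcp from "$LAN" to not "$LAN" 22 in recv xl0
    $IPFW add 210 queue 2 tcp from 192.168.1.2 22 to not "$LAN" in recv xl0  # replies of the rdr'ed ssh server
    $IPFW add 300 queue 3 ip from "$LAN" to not "$LAN" in recv xl0
    # With net.inet.ip.fw.one_pass=1 (the default) a packet leaving its
    # queue is accepted; nothing here blocks anything, that stays with ipf.
}

load_qos
```

Two things to check after loading: `ipfw queue show` should report packets and drops moving in queue 3 and almost none in queue 1 during an upload, and the kernel should have `options HZ=1000`, because dummynet's timer resolution at the default HZ is too coarse for rates this low. Only the upstream direction is shaped; what arrives on fxp0 was already sent by the far end, and dropping it here only helps for TCP.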

mail forwarding using ipfw

2004-04-06 Thread free bsd
Dear all,
I have a network like this:

lanX.com -
  |
lanA.com  IPFW FBSD  lanB.com ===> to Internet
|   |
lanC.com ---|   |--- lanD.com 

Right now, lanA.com, lanC.com and lanD.com send
outgoing SMTP to the Internet via lanB.com.

The problem is, I want to make a ruleset on IPFW FBSD
so that outgoing email from lanC.com, lanD.com and
lanA.com goes through lanX.com before going to lanB.com,
without changing the outgoing SMTP configuration on
lanA, lanC, lanD, only on IPFW_FBSD. (Is it possible?)




RE: Using IPFW/NAT with multiport PCI cards

2004-03-30 Thread Toni Heinonen
> I am writing to request advice/recommendations on the subject. I've
> been tasked to build a router/firewall based on FreeBSD. I'd like to use
> 5.2-RELEASE.
> 
> Now my only problem is that I have played a little with ipfw in a
> situation where I have just two interfaces, 1 external and 1 internal.
> My current requirement however involves one external interface and
> four (or more) internal interfaces (which should all be SEPARATE
> networks, invisible from each other).

Sure, this is possible. To tell you the truth, if you're not sure how to do it, the 
cheapest and easiest way would be to just get 4 ethernet cards for the internal 
interfaces. However, the most dynamic way would be to get an ethernet card that 
supports 802.1q or Cisco ISL, which are switch trunking protocols. You could then 
separate the networks into different virtual LANs in a switch, that was connected to 
the 802.1q NIC. That NIC would then have an IP address from each of the networks.

I'm not sure how 802.1q can be configured in FreeBSD, but that shouldn't be too hard - 
the more difficult part should be configuring the switch.


Re: Using IPFW/NAT with multiport PCI cards

2004-03-30 Thread Wayne Pascoe
On Tue, Mar 30, 2004 at 11:06:16AM +0300, Odhiambo Washington wrote:

> Now my only problem is that I have played a little with ipfw in a
> situation where I have just two interfaces, 1 external and 1 internal.
> My current requirement however involves one external interface and
> four (or more) internal interfaces (which should all be SEPARATE
> networks, invisible from each other).
>
> Is this doable? (I hope someone has done this before). I would say I am
> a total newbie on this one.

Not only is it doable, it's fairly trivial if you've done a 1 in, 1 out
ipfw firewall before. You just take that idea and grow it a little.

> 2. Guides/Pointers on HOWTO configure this WRT to ipfw configuration.
>Any minute gotchas/clues will be highly appreciated. URL links
>pointing to people's experiences also welcome.

Just set the firewall to deny by default and add your rules really...
Here's an example that would allow FTP to one network and HTTP to
another...

${fwcmd} add allow tcp from any to 192.168.1.0/24 80 tcpflags syn keep-state in via xl0
${fwcmd} add allow tcp from any to 192.168.2.0/24 21 tcpflags syn keep-state in via xl0

You can also have rules between your networks as well... This one allows
all machines on one of the protected networks to ssh to all machines in
the other network.

${fwcmd} add allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 tcpflags syn keep-state in via xl1

Note the following things about this rule...

1. I've specified a source range to allow. 
2. I've used a different interface. This guarantees that this traffic
   isn't coming in via the main external interface, but that it is
   coming in on one of the protected interfaces.

Of course, everywhere I've used an entire range here, you could use a
single IP range. Combining IP addresses with via interface statements
lets you be pretty flexible :)

Hope this helps some ? 

-- 
Wayne Pascoe
BSD is for people who love UNIX; Linux is for
people who hate Windows 
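An added example, not from the thread and not Wayne's rule set: his two rules grown into a complete default-deny ipfw configuration for one outside interface (xl0, as in his rules) and four inside networks that cannot see each other, with NAT through natd, since the subject asks for it. It adds what a practitioner would want around his rules: anti-spoofing per interface, a `check-state` placed after the inbound natd divert so dynamic rules see real inside addresses, and `skipto` rather than `allow` on the rules that create state for translated flows, because a packet matching a dynamic rule executes the action of the rule that created it and must still reach the outbound divert. Interface names, subnets, the services opened and the rule numbers are assumptions; natd is assumed to run with `-interface xl0` and a `-redirect_port` for the web and ftp servers. By default it only prints the rules; IPFW=/sbin/ipfw loads them.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny ipfw rule set that
# grows Wayne's two rules into one outside interface (xl0, as in his
# rules) and four inside networks on xl1-xl4 that cannot see each other,
# with NAT through natd. Interface names, subnets, the services opened
# and the rule numbers are assumptions; natd is assumed to run with
# "-interface xl0" and a -redirect_port for the web and ftp servers.
# "deny log" needs IPFIREWALL_VERBOSE in the kernel.
# Run as-is it only prints the rules; set IPFW=/sbin/ipfw to load them.

IPFW="${IPFW:-echo}"
OIF="${OIF:-xl0}"                     # outside interface
INSIDE="${INSIDE:-192.168.0.0/16}"    # aggregate covering every inside net

# inside interface / network pairs, one per line (assumed)
NETS='xl1 192.168.1.0/24
xl2 192.168.2.0/24
xl3 192.168.3.0/24
xl4 192.168.4.0/24'

load_rules() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: an inside interface may only source its own network
    # and the outside may never claim an inside address. "in recv" instead
    # of "via", so a rule can only ever match packets arriving on that NIC.
    # (If the router serves DHCP, allow udp 68 -> 67 ahead of rule 200.)
    printf '%s\n' "$NETS" | while read -r iface net; do
        $IPFW add 200 deny log ip from not "$net" to any in recv "$iface"
        $IPFW add 210 deny log ip from "$net" to any in recv "$OIF"
    done

    # Inbound from the Internet: un-NAT first, so the state and service
    # rules see the real inside address. A packet matching a dynamic rule
    # runs the action of the rule that created it, so flows that must be
    # translated again on the way out use "skipto 1000", not "allow".
    $IPFW add 300 divert natd ip from any to any in recv "$OIF"
    $IPFW add 310 check-state
    $IPFW add 320 skipto 1000 tcp from any to 192.168.1.0/24 80 setup keep-state in recv "$OIF"
    $IPFW add 330 skipto 1000 tcp from any to 192.168.2.0/24 21 setup keep-state in recv "$OIF"
    $IPFW add 390 deny log ip from any to any in recv "$OIF"

    # Between inside networks: only what is listed here; then each network
    # may reach the router itself but no other inside network.
    $IPFW add 400 allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 setup keep-state in recv xl1
    printf '%s\n' "$NETS" | while read -r iface net; do
        $IPFW add 405 allow ip from "$net" to me keep-state in recv "$iface"
        $IPFW add 410 deny log ip from "$net" to "$INSIDE" in recv "$iface"
        # Inside to Internet: record state while the source is still
        # private, then jump to the NAT step.
        $IPFW add 500 skipto 1000 ip from "$net" to any keep-state in recv "$iface"
        # The router talking to an inside network.
        $IPFW add 510 allow ip from me to "$net" keep-state out xmit "$iface"
    done

    # The router's own Internet traffic, also matched before NAT.
    $IPFW add 600 skipto 1000 ip from me to any keep-state out xmit "$OIF"

    # Anything that reaches this point is unwanted.
    $IPFW add 900 deny log ip from any to any

    # NAT step for outbound packets, reached only through skipto.
    $IPFW add 1000 divert natd ip from any to any out xmit "$OIF"
    $IPFW add 1010 allow ip from any to any
}

load_rules
```

Load it from a console session or with a delayed `ipfw -f flush` scheduled in `at`, not over ssh across xl0, and check `ipfw -d list` while one inside host browses: every dynamic rule should show a private address on the inside and the parent rule number 500, never a bare `allow` that would let the reply out untranslated.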


Using IPFW/NAT with multiport PCI cards

2004-03-30 Thread Odhiambo Washington
Dear Ladies and Gentlemen,

I am writing to request advice/recommendations on the subject. I've
been tasked to build a router/firewall based on FreeBSD. I'd like to use
5.2-RELEASE.

Now my only problem is that I have played a little with ipfw in a
situation where I have just two interfaces, 1 external and 1 internal.
My current requirement however involves one external interface and
four (or more) internal interfaces (which should all be SEPARATE
networks, invisible from each other).

Is this doable? (I hope someone has done this before). I would say I am
a total newbie on this one.

I am looking for recommendations on the following aspects:

1. Known compatible quad port PCI ethernet cards. The cost is a factor,
   but perhaps may not be very important as compared to
   functionality/stability.

2. Guides/Pointers on HOWTO configure this WRT to ipfw configuration.
   Any minute gotchas/clues will be highly appreciated. URL links
   pointing to people's experiences also welcome.


Thanking you in advance.


-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
Anyone who uses the phrase "easy as taking candy from a baby" has never
tried taking candy from a baby.
-- Robin Hood


Re: using ipfw

2004-03-02 Thread Jonathan Arnold
Karan Gupta wrote:
> Newbie here so pls excuse if this question sounds trivial

Here's a bunch of links posted to questions a little while ago
for ipfw help:
http://freebsd.amazingdev.com/blog/archives/000112.html

--
Jonathan Arnold (mailto:[EMAIL PROTECTED])
Daemon Dancing in the Dark, a FreeBSD weblog:
http://freebsd.amazingdev.com/blog/


Re: using ipfw

2004-03-02 Thread Kevin D. Kinsey, DaleCo, S.P.
Karan Gupta wrote:

> Newbie here so pls excuse if this question sounds trivial
>
> I use a single BSD router to service 2 properties. I want people on prop A
> to get 1.024kbit/s and the ones on prop B to get 256kbit/s. Prop B is
> connected on the same network as prop A using a wireless device that has an
> IP within the network range. Can I add a pipe to limit data from the IP
> address of the wireless device to 256kbit/s & achieve what I desire?
>
> Karan Gupta
> (949) 355-4042
> [EMAIL PROTECTED]
> EdgeFocus Inc
> 65 Enterprise Aliso Viejo CA 92656
 

Something like this, for one pipe, assuming an xl NIC and
using your dotted quad IP's:
ipfw add pipe 1 tcp from any to ip.of.some.box via xl0
ipfw pipe 1 config bw 1024Kbit/s
You probably need to check that you have the following in
your kernel config
   options DUMMYNET
   options HZ=1000


HTH,

Kevin Kinsey
DaleCo, S.P.


using ipfw

2004-03-02 Thread Karan Gupta
Newbie here so pls excuse if this question sounds trivial

I use a single BSD router to service 2 properties. I want people on prop A to get 
1.024kbit/s and the ones on prop B to get 256kbit/s. Prop B is connected on the same 
network as prop A using a wireless device that has an IP within the network range. 
Can I add a pipe to limit data from the IP address of the wireless device to 
256kbit/s & achieve what I desire?



Karan Gupta
(949) 355-4042
[EMAIL PROTECTED]
EdgeFocus Inc
65 Enterprise Aliso Viejo CA 92656


Re: using ipfw and ipf/ipnat together

2004-02-17 Thread Fernando Gleiser
On Tue, 17 Feb 2004, Nelis Lamprecht wrote:

> Hi,
>
> I would like to make use of ipfw/dummynet traffic shaper and use it
> together with ipnat/ipf's filtering. Hope this is possible ?

It works fine

>
> Can someone suggest what I would or would not need to use in my rc.conf
> and kernel please. I have selected the following ( FreeBSD 5.2R ):

It looks fine

>
> Seeing as though I'm not using ipfw filtering I thought I could just
> allow everything through by default. Will dummynet still work if
> IPFIREWALL_DEFAULT_TO_ACCEPT is set ?

Yes, it will.




Fer



using ipfw and ipf/ipnat together

2004-02-16 Thread Nelis Lamprecht
Hi,

I would like to make use of ipfw/dummynet traffic shaper and use it
together with ipnat/ipf's filtering. Hope this is possible ? This is a
personal preference so no need to tell me why I should just use ipfw
etc. 

Can someone suggest what I would or would not need to use in my rc.conf
and kernel please. I have selected the following ( FreeBSD 5.2R ):

rc.conf:

ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_program="/sbin/ipmon"
ipmon_flags="-Dsvn"
ipnat_enable="YES"

kernel config:

options IPFILTER                        #ipfilter support
options IPFILTER_LOG                    #ipfilter logging
options PFIL_HOOKS                      #required by IPFILTER
options IPFILTER_DEFAULT_BLOCK          #block all packets by default
options IPFIREWALL                      #firewall
options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options DUMMYNET                        #bandwidth limiter
options IPSTEALTH                       #support for stealth forwarding

Seeing as though I'm not using ipfw filtering I thought I could just
allow everything through by default. Will dummynet still work if
IPFIREWALL_DEFAULT_TO_ACCEPT is set ?

Any suggestions appreciated.

Thanks.

-- 
Nelis Lamprecht
PGP: http://www.8ball.co.za/pgpkey/nelis.asc
"Unix IS user friendly.. It's just selective about who its friends are."

