Re: IPFilter section in Handbook needs updating

2008-12-05 Thread G magicman

And incomplete. Yes, I agree that the doc does need to be updated and (more)
examples need to be added.

--- On Fri, 12/5/08, Dean Weimer [EMAIL PROTECTED] wrote:
From: Dean Weimer [EMAIL PROTECTED]
Subject: IPFilter section in Handbook needs updating
To: freebsd-questions@freebsd.org
Date: Friday, December 5, 2008, 10:07 AM

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed that
the ipmon and syslog information under the ipfilter section of the handbook is
incorrect.

The section reads:
-snip-
31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It uses
special groupings called facility and level. IPMON in
-Ds mode uses security as the facility name. All IPMON logged data
goes to security. The following levels can be used to further segregate the
logged data if desired:
LOG_INFO - packets logged using the log keyword as the action
rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short
To set up IPFILTER to log all data to /var/log/ipfilter.log, you will need to
create the file. The following command will do that:
# touch /var/log/ipfilter.log
The syslog function is controlled by definition statements in the
/etc/syslog.conf file. The syslog.conf file offers considerable flexibility in
how syslog will deal with system messages issued by software applications like
IPF.
Add the following statement to /etc/syslog.conf:
security.* /var/log/ipfilter.log
The security.* means to write all the logged messages to the coded file
location.
To activate the changes to /etc/syslog.conf you can reboot or bump the syslog
task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload
Do not forget to change /etc/newsyslog.conf to rotate the new log you just
created above.
-snip-

In trying to configure this I found that ipmon -Dsa doesn't log to
security, but logs to local0 instead.  Reading the man page for ipmon does in
fact state this.  However, it also lists the -L option as being able to change
this default behavior. I tried ipmon -DSa -L security; it accepts this, but
doesn't actually change the logging to use security.  It still only outputs
to the syslog using local0. I also tried using ipmon -DSa -L local7 as well,
and it still outputs to local0.  It was easy enough to modify my syslog.conf to output
local0.* as well as security.* to the /var/log/security file.  However, it
would be greatly appreciated if someone that actually understands what's
going on here could get this info updated.  It would have saved me some time, as
well as, I am sure, some other people in the future.  Of course it's always
possible I am missing something simple here that is causing this discrepancy;
please do inform me if I did.  It's probably worth mentioning that I am
starting ipmon using the rc.conf file with ipmon_enable=YES and
ipmon_flags=-DSa, just in case the /etc/rc.d/ipmon script actually
changes the default behavior of ipmon in some way, though I didn't see
anything in it that should.  And ps wwaux | grep ipmon does display the process
running with the flags exactly as stated on the ipmon_flags line of the
/etc/rc.conf file.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]






Re: IPFW Firewall Question

2008-12-05 Thread G magicman


I have tried this; it did not work, and the Co-Lo people are convinced that sshd
and sendmail need to be run out of inetd.conf for this to work.

As I said, I am used to BSDI and the Finnish SSHD.

Also, here they are using the combined hosts.allow/deny with the deny inside,
which I never liked.
Thank you for your help on this.


Garrett

--- On Fri, 12/5/08, Mel [EMAIL PROTECTED] wrote:
From: Mel [EMAIL PROTECTED]
Subject: Re: IPFW Firewall Question
To: freebsd-questions@freebsd.org, [EMAIL PROTECTED]
Date: Friday, December 5, 2008, 6:02 AM

On Friday 05 December 2008 01:26:04 G magicman wrote:

 Why because of the following:

 1. Hosts.access on FreeBSD works on the Application Layer instead of the
 Network Layer. Therefore hosts.allow/hosts.deny no longer works the way I
 want, and I do not feel like running Sendmail and sshd out of inetd, which
 apparently is the only way to be able to use hosts.allow/deny.

You're right about the application layer, but not about the rest. From 
sshd(8):
 /etc/hosts.allow
 /etc/hosts.deny
 Access controls that should be enforced by tcp-wrappers are
 defined here.  Further details are described in hosts_access(5).

 2. Next, OpenSSH does not have an AllowHosts directive like the Finnish one
 does; it only has an AllowUsers directive, so I need to protect the system
 from DDOS attacks

Again, see above.

 and hacking. I already tried to block things using the
 Sendmail access file, but all that did was choke up the server with moronic
 shit.  And I want to be able to use my sftp program, but it opens random
 ports which can not be controlled, so I need the clearaddresses to be able
 to see all ports.

For the firewall, pf user here, so others should help. ;)

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.






IPFW Firewall Question

2008-12-04 Thread G magicman
1.  I need help to reconfigure my firewall on the server using BSD's ipfw.

Here is part of the configuration file so far that the Co-lo people put in.

2. Short of a reboot, how do you start, stop and restart the firewall?



#!/usr/local/bin/bash

# The values must be quoted: unquoted, "export IPF=ipfw -q add" sets IPF to
# just "ipfw", and the port and address lists are parsed as commands.
export IPF="ipfw -q add"

ports="11 21 22 23 25 37 42 43 53 63 69 70 80 101 109 110 115 119 123 143 443 4321 50001"
clearaddresses="209.131.0.0/16 66.65.0.0/16 71.173.96.0/19 71.173.128.0/17 blah blah"
count=60

# Start from an empty rule set.
ipfw -q -f flush

$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
$IPF 50 allow icmp from any to any

# Trusted networks: everything allowed in both directions.
for a in $clearaddresses; do
    $IPF $count allow ip from $a to any
    $IPF $(($count+1)) allow ip from any to $a
    count=$(($count+10))
done

# Service ports: allowed from anywhere, in both directions.
for p in $ports; do
    $IPF $count allow ip from any to any $p in
    $IPF $(($count+1)) allow ip from any to any $p out
    $IPF $(($count+2)) allow ip from any $p to any in
    $IPF $(($count+3)) allow ip from any $p to any out
    count=$(($count+10))
done

# Everything else is dropped and logged.
$IPF 5000 deny log all from any to any
echo "Firewall created"


Here is what I want:

1. I want all ports open to the IP addresses in line 4, clearaddresses.
2. I want to be able to control access to port 25 (sendmail) to be able to deny
   whole A, B and C addresses.


Why? Because of the following:

1. Hosts.access on FreeBSD works on the Application Layer instead of the
Network Layer.
Therefore hosts.allow/hosts.deny no longer works the way I want, and I do not
feel like running Sendmail and sshd out of inetd, which apparently is the only
way to be able to use hosts.allow/deny.

2. Next, OpenSSH does not have an AllowHosts directive like the Finnish one does;
it only has an AllowUsers directive, so I need to protect the system from DDOS
attacks and hacking.
I already tried to block things using the Sendmail access file, but all that did
was choke up the server with moronic shit.  And I want to be able to use my
sftp program, but it opens random ports which can not be controlled, so I need
the clearaddresses to be able to see all ports.
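A rule-set generator for the two requirements above (every port open to the clear networks, and SMTP refused from whole address blocks at the packet-filter layer rather than via hosts.allow/deny), added here as an example and not part of the poster's or the co-lo's script. The SMTP-deny networks are placeholders, and the commands are printed rather than executed so they can be reviewed before being piped to sh on the firewall host.

```shell
#!/bin/sh
# Added example, not the poster's or the co-lo's script. It generates an
# ipfw rule set for the two goals in the question: every port open to the
# "clear" networks, and SMTP (port 25) refused from whole address blocks
# without involving hosts.allow/hosts.deny. Networks below are constructed
# samples / placeholders. Commands are printed, not run, so they can be
# reviewed before being piped to sh on the firewall host.

clearaddresses="209.131.0.0/16 66.65.0.0/16"
smtp_deny="10.0.0.0/8 192.0.2.0/24 198.51.100.0/24"   # placeholders

# valid_cidr NET: succeed only for a.b.c.d/len with octets 0-255, len 0-32,
# so a typo cannot turn a deny into a syntax error that ipfw rejects.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# gen_rules: print the ipfw commands. ipfw stops at the first matching rule,
# so trusted networks come first, the SMTP denials next, the default deny last.
gen_rules() {
    n=100
    echo "ipfw -q -f flush"
    echo "ipfw -q add 10 allow all from any to any via lo0"
    echo "ipfw -q add 20 deny all from any to 127.0.0.0/8"
    echo "ipfw -q add 30 deny all from 127.0.0.0/8 to any"
    for a in $clearaddresses; do
        valid_cidr "$a" || { echo "bad network: $a" >&2; return 1; }
        echo "ipfw -q add $n allow ip from $a to any"
        echo "ipfw -q add $((n + 1)) allow ip from any to $a"
        n=$((n + 10))
    done
    for net in $smtp_deny; do
        valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
        echo "ipfw -q add $n deny log tcp from $net to any 25 in"
        n=$((n + 10))
    done
    echo "ipfw -q add 5000 deny log all from any to any"
}
```

Running `gen_rules | sh` on the host applies the set; `ipfw -q -f flush` at the top is what makes a re-run act as a restart without a reboot.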







Image Programs

2008-12-04 Thread G magicman
Hello, does anyone know the following?

1.  Does FreeBSD have a program like Photoshop available under a copy-left GNU
license type, and a form of ThumbsPlus which allows me to do rudimentary
picture manipulations (changing file type, cropping, etc.)?  I have all the 3D
programs but not these 2 basic ones.


Thank you






