Re: IPFW lockout.

2005-09-04 Thread James Bowman Sineath, III

Hi all,

I have a small problem on one of my dev boxes. I have a bad bootup ipfw 
ruleset and I find myself locked out of the machine.


There will be a technician at the NOC on Tuesday that will be able to 
assist me.


My question is: Will he/she be able to simply reboot, logon as root as 
normal?


- and then -

disable IPFW in rc.conf ... or will the loopback rule not being present 
cause more mayhem than I think it will?


-Grant


He should be able to login without any problems.

On another note, in the future whenever you make changes to your system that 
could potentially lock you out, use crontab to disable them after a short 
amount of time. For example, when I was reconfiguring sshd, I crontab'ed 
'killall sshd && sshd -f /root/sshd_config_old' and moved the default config 
file to my /root directory. Also when playing with my ipfw rules, I 
crontab'ed 'ipfw disable firewall' for every 15 minutes until I got it 
working the way I wanted to.


Be VERY careful with this though. Don't use it and then forget to remove the 
lines from your /etc/crontab. Remove them as soon as you get it configured 
the way you want to. This is obviously a serious security risk, so don't 
use it very often. If you are worried about disabling your firewall, then 
create a small ipfw script to deny all connections except from your IP 
address and crontab that instead of 'ipfw disable firewall'. Also keep in 
mind to enable your firewall again you will need to type 'ipfw enable 
firewall'.


Bow Sineath
Class of 2006, the Citadel
[EMAIL PROTECTED] - [EMAIL PROTECTED] 



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
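The fail-safe the reply suggests (a minimal ruleset that keeps only your own address reachable, reloaded from cron while you experiment) as an added shell example; this is not code from the thread. The admin address, SSH port and script path are assumed placeholders, and the script only prints the rules and the crontab line instead of applying them.

```shell
#!/bin/sh
# Added example: print a fail-safe ipfw ruleset that keeps one admin address
# reachable over SSH and logs everything else under a logging cap, plus the
# crontab line that would reload it every 15 minutes while rules are tested.
# Nothing here runs ipfw; the output is meant to be reviewed, then saved.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise. A typo here
# would lock you out, so the address is checked before any rule is built.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the ruleset for admin address $1 and SSH port $2 (default 22).
failsafe_ruleset() {
  admin_ip=$1
  ssh_port=${2:-22}
  cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any
ipfw add 400 check-state
ipfw add 500 allow tcp from ${admin_ip} to me ${ssh_port} in setup keep-state
ipfw add 600 allow ip from me to any out keep-state
ipfw add 65000 deny log logamount 100 ip from any to any
EOF
}

# Crontab line (assumed script path) that reloads the fail-safe every 15 minutes.
failsafe_cron_line() {
  echo "*/15 * * * * root /usr/local/sbin/ipfw-failsafe.sh ${1} ${2:-22}"
}

# Usage: ipfw-failsafe.sh ADMIN_IP [SSH_PORT]
if [ $# -ge 1 ]; then
  valid_ipv4 "$1" || { echo "refusing: '$1' is not an IPv4 address" >&2; exit 2; }
  failsafe_ruleset "$1" "$2"
  failsafe_cron_line "$1" "$2"
fi
```

Remove the crontab line as soon as the real ruleset works, exactly as the reply warns.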


Re: and the winner is...

2005-09-01 Thread James Bowman Sineath, III

Hi there, I was trying FreeBSD for a while, and comparing it against
Debian/Linux.
The winner was Debian by far... FreeBSD could be stable, but it is not
faster... and Debian is far more 'usable'.

FreeBSD package installation is very laborious compared with Debian's apt
system. I have to search in each CD, know dependencies, ...

X configuration is hard too when the autodetected configuration doesn't
work...

I think fbsd is good, but needs some user facilities.

You are going to need a stronger argument against FreeBSD than "...needs 
some user facilities."


It appears to me that you haven't used either for very long and therefore do 
not have much of a right to say which is better or worse, no offense. If you 
went into more detail with your reasoning then I believe you would be taken 
more seriously, but you fail to show me a legitimate reason that I should 
install Debian over BSD on my next box.


As far as installation being too difficult, I downloaded the Debian distro 
and installed it on my laptop. I had more difficulty trying to get it to 
work than I ever had using FreeBSD. Also, let's not forget that easier 
doesn't always mean better. I know several people that use Linux over 
FreeBSD due to how they claim it is easier to configure and set up, however I 
don't find FreeBSD that difficult to set up, especially in comparison to 
Linux. I believe that once you have become familiar with the process and 
worked with it, setting up and securing BSD is not all that difficult and is 
well worth the effort (in my opinion).


Bow Sineath
Class of 2006, the Citadel
[EMAIL PROTECTED] - [EMAIL PROTECTED]





Re: Re[4]: how to know if i'm under flood?

2005-08-29 Thread James Bowman Sineath, III

Thanks for the reply!
If you have more experience, please give some examples of which sysctl
variables to set,
There are a variety of them, I can give you a few examples of ones that I 
set but depending upon the attack and what it is targeting, they may 
prove to be ineffective. Keep in mind that there are a variety of different 
DoS attacks that target a variety of different services or protocols. Look 
at some of the following variables:
net.inet.tcp.blackhole, net.inet.udp.blackhole, net.inet.icmp.drop_redirects,
net.inet.icmp.log_redirects, net.link.ether.inet.max_age,
net.inet.tcp.sendspace, net.inet.tcp.recvspace, net.inet.tcp.always_keepalive,
kern.ipc.maxsockets, kern.ipc.maxsockbuf, net.inet.ip.rtexpire,
net.inet.ip.rtminexpire, kern.ipc.somaxconn


I don't want to tell you what to set the values to because many of them vary 
depending upon the type of attack, stats on the box and the purpose of the 
machine. There are also a variety of others you can use, those are just some 
examples.



and which ipfw rules can prevent DoS.


Keep in mind that denial of service attacks do not always come in the form 
of a flood. Oftentimes it can be a few specially crafted packets that 
cause a service to crash or consume memory, so it is vital that you keep 
all of your software updated and watch for security advisories. I would
advise you to read about the different types of firewalls available and 
choose one that fits the purpose of your machine. I would recommend setting 
up an inclusive firewall, you can read more on that in the handbook (there 
is an example ruleset there I believe).


That being said, there isn't much you can do about floods. I never said that 
using a firewall would PREVENT denial of service attacks, I simply said that 
it would notify you when they were occurring. Also, be sure to set up your 
rules so that if you do get flooded, your logs won't fill up so quickly that 
it consumes your entire hard drive (set specific rules and use logamount x). 
If you are having a problem with floods then the only other thing you can do 
is have your ISP filter them out, the firewall rules on your box will prove 
to be ineffective against high bandwidth floods.


Bow Sineath
Class of 2006, the Citadel
[EMAIL PROTECTED] - [EMAIL PROTECTED]



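Counting denied packets per source in ipfw log output, the kind of notification the reply has in mind, as an added shell example that is not from the thread. The log lines are constructed (the hostname fenrir is borrowed from the ipmon log later on this page), and the function names flood_sources and demo and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example: report source addresses whose denied packets in ipfw log
# output (/var/log/security on FreeBSD) reach a threshold. Only "Deny"
# entries are counted, so a logamount cap on the deny rule keeps both the
# log and this report bounded during a flood.

# Constructed sample lines in the ipfw kernel log format; not real traffic.
SAMPLE_LOG='Aug 29 10:01:02 fenrir kernel: ipfw: 65000 Deny TCP 198.51.100.7:4123 10.0.10.20:25 in via xl0
Aug 29 10:01:02 fenrir kernel: ipfw: 65000 Deny TCP 198.51.100.7:4124 10.0.10.20:25 in via xl0
Aug 29 10:01:03 fenrir kernel: ipfw: 65000 Deny TCP 203.0.113.9:51000 10.0.10.20:22 in via xl0
Aug 29 10:01:03 fenrir kernel: ipfw: 65000 Deny TCP 198.51.100.7:4125 10.0.10.20:25 in via xl0
Aug 29 10:01:04 fenrir kernel: ipfw: 500 Accept TCP 192.0.2.3:40000 10.0.10.20:22 in via xl0
Aug 29 10:01:04 fenrir kernel: ipfw: 65000 Deny ICMP:8.0 198.51.100.7 10.0.10.20 in via xl0
Aug 29 10:01:05 fenrir kernel: ipfw: 65000 Deny UDP 203.0.113.9:53 10.0.10.20:53 in via xl0
Aug 29 10:01:05 fenrir kernel: ipfw: 65000 Deny TCP 198.51.100.7:4126 10.0.10.20:25 in via xl0'

# flood_sources THRESHOLD: read ipfw log lines on stdin and print
# "source count" for every source with at least THRESHOLD denied packets,
# busiest first. Field 10 is "src[:port]"; the port is stripped so TCP,
# UDP and ICMP entries from one host are counted together.
flood_sources() {
  awk -v limit="$1" '
    $6 == "ipfw:" && $8 == "Deny" {
      split($10, src, ":")
      count[src[1]]++
    }
    END {
      for (ip in count)
        if (count[ip] >= limit) print ip, count[ip]
    }' | sort -k2,2nr
}

# Convenience wrapper over the sample data (assumed default threshold of 3).
demo() {
  printf '%s\n' "$SAMPLE_LOG" | flood_sources "${1:-3}"
}
```

On a live box the same function can be fed `tail -f /var/log/security` or run from cron over the last few minutes of the log.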


Re: interface alias at start-up

2005-08-27 Thread James Bowman Sineath, III

FWIW:

That doesn't work for me :(
Make sure that you replaced rl0 with the name of your interface, which can 
be found with a simple ifconfig -a.



any other way?

Write a simple shell script to do it or do it manually with the following:
ifconfig <interface> inet <ip> netmask <subnet mask> alias

However, using your rc.conf should bind them when you boot up. I have heard 
that sometimes you have to statically add routes to your kernel routing 
table for aliases to work, however I don't know if there is any truth to 
that. You can try adding them with the following command:

route add -host <ip> 127.0.0.1 0

Bow Sineath
Class of 2006, the Citadel
[EMAIL PROTECTED] - [EMAIL PROTECTED]


[EMAIL PROTECTED] wrote:


On Sat, 27 Aug 2005 14:26:32 -0700
Carstea Catalin [EMAIL PROTECTED] wrote:




How to set up an interface alias at start-up?




# example /etc/rc.conf part

defaultrouter="192.168.2.1"

ifconfig_rl0="inet 192.168.2.222 netmask 255.255.255.0"

ifconfig_rl0_alias0="inet 192.168.2.2 netmask 0x"
ifconfig_rl0_alias1="inet 192.168.2.3 netmask 0x"
ifconfig_rl0_alias2="inet 192.168.2.4 netmask 0x"
ifconfig_rl0_alias3="inet 192.168.2.5 netmask 0x"
ifconfig_rl0_alias4="inet 192.168.2.6 netmask 0x"



Re: Re[2]: how to know if i'm under flood?

2005-08-27 Thread James Bowman Sineath, III
In response to your first question, I would highly recommend setting up a 
verbose firewall if you have not already done so. Personally, I use ipfw but 
there are a variety of options available to you (pf/ipf/ipfw/ipfw2), so 
check out the handbook and figure out which one you want to use. Doing this 
is a vital step in preventing attacks and keeping track of the connections 
on your system. There are also a variety of sysctl variables that can help 
in handling DoS attacks, if you find yourself being flooded on a regular 
basis then you may want to play with some of them.


There are a variety of ways to watch for DoS attacks and floods, but setting 
up a firewall is a vital part of that. If you need any help doing so then 
feel free to ask and I would be happy to help (however I am only familiar 
with ipfw and ipf) but be sure to read the handbook first.



And how exactly do I use netstat for this purpose? I see many options in
the man pages.


Try netstat -a. I've never used netstat for this purpose but I believe that 
may work, it will list all of your current connections. If you have a lot of 
them then you are probably being DoS'd.


Bow Sineath
Class of 2006, the Citadel
[EMAIL PROTECTED] - [EMAIL PROTECTED]



Re: anonymous ssh forwarding

2005-08-26 Thread James Bowman Sineath, III
I would highly discourage you from doing this, especially without the 
permission of your company. Just make sure that your admin knows that you 
are doing this and make sure that your BSD box at home is properly secured. 
Keep in mind that if your system at home is compromised then your system at 
work is open to attack.


Anyhow, couldn't you just ssh into your box at home and then ssh to the 
system at work from there?  I think this would be an easier and safer 
solution than creating a tunnel.


Bow Sineath
Class of 2006, the Citadel
[EMAIL PROTECTED] - [EMAIL PROTECTED]

- Original Message - 
From: Toomas Laasik [EMAIL PROTECTED]

To: freebsd-questions@freebsd.org
Sent: Wednesday, August 24, 2005 5:35 PM
Subject: anonymous ssh forwarding


Hello,
I have the following situation. Our company has an ssh server where users can 
connect from only specified static IP addresses. Like I have at home an IP 
address 1.2.3.4 and the ssh server accepts connections only from it.
Now I want to get access to that ssh server from places where I don't have a 
static IP.
I already have at home a FreeBSD server running with a simple configuration. 
Is it possible to make some kind of tunnel or something so I could connect 
to my home FreeBSD machine that connects to the ssh server so that the ssh server 
'thinks' that I'm connecting from home?


Thank you in advance.

Sorry for bad English

Toomas

-
ITV - Your favourite shows on the internet!
http://www.itv.ee



Re: NAT router confusion

2005-06-24 Thread James Bowman Sineath, III
My understanding is that the netmask (255.255.255.0 as you put it) is only 
to determine how much of the IP address is used for the subnet address. I'm 
a newb with this as well, so please, someone correct me if I'm wrong. If 
your IP is 192.168.1.10 and your netmask is 255.255.255.0, then only the 
last 8 bits of your IP (the last .10) are usable for a specific host on the 
network and the first 24 bits are used for the network address and subnet 
address. In binary:


...

would be your netmask and only the trailing 0's can be used for a host 
address. This could also be expressed as 192.168.1.0/24 using CIDR. Let me 
try to give you another example:


if your IP range was 192.168.99.0 to 192.168.99.255 and netmask was 
255.255.255.254 then, in binary, the netmask would look like this:

111...1110

Being that you are using 192.168.99.0 as the network address, the first 
three 1's in the last 8 bits of the netmask would be your subnet addresses. 
So you could use 192.168.99.32, *.64, *.96, *.128, *.160 and *.192 for 
subnet addresses and the IPs between all of those (except the last IP, so 
you can only assign 30 per subnet since the last IP is used for broadcast) 
can be assigned to hosts.


Hopefully that (correctly) clears up any confusion involving subnets and 
netmasks. Like I said, I'm new at this as well, so please correct me if I am 
wrong.


- Original Message - 
From: Ulf Magnusson [EMAIL PROTECTED]

To: freebsd-questions@freebsd.org
Sent: Friday, June 24, 2005 6:25 AM
Subject: Re: NAT router confusion



- Original Message -
From: Michael H. Semcheski [EMAIL PROTECTED]
Date: Friday, June 24, 2005 1:46 am
Subject: Re: NAT router confusion

On Thursday 23 June 2005 07:43 pm, Ulf Magnusson wrote:
 Is this router really some switch/router hybrid? Or..? Bleh, someone
 please sort this out for me. I realize this isn't strictly
 FreeBSD-related, but I simply couldn't think of a better place to
 pick brains, so I hope I'll be excused :)

It is a switch / router hybrid.  If the traffic is going to an address on the
same network, it's a switch.  If the traffic is going to an address on a
different network, it's a router.

If you understand that concept, then you should have a pretty good idea of how
the system works.

I do not have a complete enough understanding of IP networks to explain this
in specific detail.  I think the key is that the computer generating the
traffic looks at the netmask for the sending interface (eg, 255.255.255.0)
and uses this to determine if the endpoint of the traffic is on the same
network or not.  If it is, it sends the traffic directly to the host.  If it
is on a different network, it forwards the traffic to the gateway address.

Mike


Thanks, I think I understand how it works now. I guess it's basically
like an ordinary router that pretends it's a switch for all addresses
that appear on the same local network. It looks at the destination
address in IP packets and the address of the sending system and goes
into switch mode if they both appear on the same subnet (which is pretty
much verbatim what you said, when I think about it).

I'll throw another short question in the mix while I'm at it.. perhaps I
should rename the thread Switching/routing questions from a curious
networking newbie :-)
Do switches gain anything by having full-duplex connections to hubs? I
understand there must be a performance benefit when you connect a host
directly to a switch, but won't the half-duplex connections of the hosts
to the hub become a bottleneck?

Ulf


Re: ipf blocking pass rule

2005-06-09 Thread James Bowman Sineath, III

Thank you, I wasn't aware that it did that.

Your response was my first impression as well, however I looked at it 
further and I don't believe that is the case. When I have log first in my 
other rules, it rarely takes effect. I used it to cut down on the number of 
logs produced, but it only does so within a very short amount of time. I 
also have not experienced that problem with any other rules or ports, even 
though I have log first in most of my rules.


It always seems to block every other connection attempt, regardless of 
timing. It passes the first connection, then the second connection occurs 
five minutes later and is blocked, then the process is repeated. Five 
minutes later I get another connection attempt that is passed, then the next 
one is blocked five minutes later. I don't have this problem with any other 
ports or rules, even though this rule is identical to my other pass in rules 
except for port number. Thanks again.




James Bowman Sineath, III wrote:

James,

You should send messages to the list directly.  When you start your 
question by hitting reply to a question about shell accounts, your 
message will be lumped under there in a lot of mail clients, and is less 
likely to be seen.



I have the following rule in my ipf.rules:

pass in log first quick on xl0 proto tcp from any to any port = 25 keep state


for some reason it will pass the first connection but block the next. A 
log is below. Any ideas on why this is happening would be much 
appreciated.


I'm no IPF expert, but I'd wonder if pass in log FIRST quick is doing 
exactly what you describe correctly ...


-d

--
http://dannyman.toldme.com/



ipf blocking pass rule

2005-06-08 Thread James Bowman Sineath, III

I have the following rule in my ipf.rules:

pass in log first quick on xl0 proto tcp from any to any port = 25 keep state


for some reason it will pass the first connection but block the next. A log 
is below. Any ideas on why this is happening would be much appreciated.


Jun  8 16:11:38 fenrir ipmon[202]: 16:11:34.521157 xl0 @0:6 p imf17aec.mail.bellsouth.net[205.152.59.65],35968 -> 10.0.10.20[65.0.232.44],smtp PR tcp len 20 48 -S 2159541450 0 25416 K-S IN
Jun  8 16:16:42 fenrir ipmon[202]: 16:16:41.852047 xl0 @0:6 b imf17aec.mail.bellsouth.net[205.152.59.65],35968 -> 10.0.10.20[65.0.232.44],smtp PR tcp len 20 40 -AR 2159543277 3340325284 0 K-S IN




Re: FreeBSD Co-location

2005-06-05 Thread James Bowman Sineath, III

I would also check out lomag at http://www.lomag.net/

I've worked with them for the past 3 or 4 years and their service is 
amazing. Their connectivity is very good as well.


- Original Message - 
From: Peter Thoenen [EMAIL PROTECTED]
To: Bob Perry [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
freebsd-questions@freebsd.org

Sent: Sunday, June 05, 2005 10:44 PM
Subject: Re: FreeBSD Co-location



I have always had good luck with John Companies 
(http://www.johncompanies.com/)

... might also want to try Vixie's personal colo site:

http://www.vix.com/personalcolo/

-Peter

--- Bob Perry [EMAIL PROTECTED] wrote:


Vinicius Pavanelli Vianna wrote:
 Hi,

 I'm looking for FreeBSD co-located servers in the United States or any other
 country that have good internet connections, for a secondary backup of
 data and web host for the company I work for, sorry for this OT message,
 but could any of you send me good sites where I can find this? It is
 difficult to judge well too outside of this market.

 TIA,
 Vinicius


You may want to try my ISP.

http://home.gti.net/Default.htm

Bob Perry



