Re: Configuring IPFW
On 10/22/11 15:56, Carmel wrote:

> I am attempting to set up a firewall using IPFW with a stateful behavior. While I have investigated how to set up these rules, I have run into conflicting opinions as to whether to allow or deny established behavior.

hi, Carmel

the point is: any pkt that carries the ACK flag MUST be dropped UNLESS belonging to an established session as dictated in a FOLLOWING rule that uses the keep-state keyword.

look at this example

# generic header
ipfw add pass ip from any to any via lo0
ipfw add deny log ip from any to 127.0.0.0/8
ipfw add deny log ip from 127.0.0.0/8 to any
#ipfw add deny log ip from any to 192.168.0.0/16
ipfw add deny log ip from any to 172.16.0.0/12
ipfw add deny log ip from any to 10.0.0.0/8
ipfw add deny log ip from any to 0.0.0.0/8
ipfw add deny log ip from any to 169.254.0.0/16
ipfw add deny log ip from any to 192.0.2.0/24
ipfw add deny log ip from any to 204.152.64.0/23
ipfw add deny log ip from any to 224.0.0.0/3
ipfw add deny log ip from any to any frag

# allow any pkt with ACK flag set *if and only if* it matches an
# established connection
ipfw add check-state
# and deny all others *claiming* to belong to a valid connection
ipfw add deny log tcp from any to A.B.C.D/M established

# router/firewall mgmt exception
ipfw add pass tcp from me to 192.168.43.0/24 33 setup keep-state
ipfw add pass udp from me to 192.168.43.0/24 53, 123, 514
ipfw add pass tcp from 192.168.43.0/24 to me 22 setup keep-state
ipfw add pass udp from 192.168.43.0/24 123 to me
ipfw add pass udp from 192.168.43.0/24 53 to me
ipfw add pass tcp from 192.168.43.0/24 to 192.168.35.1 23 setup keep-state
ipfw add pass tcp from A.B.C.D/M to 192.168.35.1 23 setup keep-state
ipfw add deny log all from any to 192.168.0.0/16

#
# operational hosts
#
# wikileaks : web + full mail
ipfw add pass tcp from any to A.B.C.E 22 setup keep-state
ipfw add pass tcp from any to A.B.C.E 25 setup keep-state
ipfw add pass tcp from any to A.B.C.E 80 setup keep-state
ipfw add pass tcp from any to A.B.C.E 110 setup keep-state
ipfw add pass tcp from any to A.B.C.E 143 setup keep-state
ipfw add pass tcp from any to A.B.C.E 443 setup keep-state
ipfw add pass tcp from any to A.B.C.E 465 setup keep-state
ipfw add pass tcp from any to A.B.C.E 993 setup keep-state
ipfw add pass tcp from any to A.B.C.E 995 setup keep-state

# jkwolf : dns + ntp
ipfw add pass tcp from any to A.B.C.F 22 setup keep-state
ipfw add pass tcp from G.H.J.K/N to A.B.C.F 53 setup keep-state
ipfw add pass udp from any 1024-65535 to A.B.C.F 53
ipfw add pass udp from any 53 to A.B.C.D/M 1024-65535
ipfw add pass udp from any 123 to A.B.C.D/M 123
ipfw add pass udp from A.B.C.F 1024-65535 to any 53

# generic tail
ipfw add pass tcp from A.B.C.D/M to any setup keep-state
ipfw add pass udp from A.B.C.D/M to any
ipfw add pass icmp from any to A.B.C.D/M icmptypes 0,3,8,11
ipfw add pass icmp from A.B.C.D/M to any icmptypes 0,3,8,11
ipfw add deny log ip from any to any

Alessandro

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Configuring IPFW
I am attempting to set up a firewall using IPFW with a stateful behavior. While I have investigated how to set up these rules, I have run into conflicting opinions as to whether to allow or deny established behavior.

EXAMPLE: (preceded by a checkstate rule)

allow tcp from any to any established

Some documentation states that it should be denied and others say it should be allowed. Neither has given me a convincing reason to follow either scenario or any real documentation either for that fact. If possible, could someone with some real firewall knowledge and familiarity with IPFW please give me some advice.

Thanks!

-- 
Carmel ✌
carmel...@hotmail.com
Re: Configuring IPFW
On Sat, 22 Oct 2011 09:56:12 -0400 Carmel wrote:

> I am attempting to set up a firewall using IPFW with a stateful behavior. While I have investigated how to set up these rules, I have run into conflicting opinions as to whether to allow or deny established behavior.
>
> EXAMPLE: (preceded by a checkstate rule)
>
> allow tcp from any to any established
>
> Some documentation states that it should be denied and others say it should be allowed. Neither has given me a convincing reason to follow either scenario or any real documentation either for that fact.

Normally if the rules are stateless you would allow established tcp packets, but would deny them with stateful rules. In the latter case, established traffic would be passed by the check-state
Re: Configuring IPFW
On Sat, 22 Oct 2011 09:56:12 -0400 Carmel carmel...@hotmail.com wrote:

> I am attempting to set up a firewall using IPFW with a stateful behavior. While I have investigated how to set up these rules, I have run into conflicting opinions as to whether to allow or deny established behavior.
>
> EXAMPLE: (preceded by a checkstate rule)
>
> allow tcp from any to any established
>
> Some documentation states that it should be denied and others say it should be allowed. Neither has given me a convincing reason to follow either scenario or any real documentation either for that fact. If possible, could someone with some real firewall knowledge and familiarity with IPFW please give me some advice.
>
> Thanks!

Well, assuming that you're only allowing the connections you actually want to be established to be setup in the first place, then the logical thing is to then allow any already established connections.

All of your tcp allow rules should include the setup keyword, as well as keep-state. This way, only connections that are doing a first-time setup will be allowed, and their state will be remembered, for later checking using the check-state keyword.

In other words, create setup/keep-state rules for all tcp connections you want to allow, and deny the rest. Just be sure the check-state and established rules precede the deny rules.

Similarly, for udp rules, be sure to include the keep-state (but not setup) keyword.

Hope this makes sense. :-)

-- 
Conrad J. Sabatier
conr...@cox.net
Re: Configuring IPFW
On Sat, Oct 22, 2011 at 9:54 AM, RW rwmailli...@googlemail.com wrote:

> Normally if the rules are stateless you would allow established tcp packets, but would deny them with stateful rules. In the latter case, established traffic would be passed by the check-state

You need to pay attention to direction as well. Suppose you wanted to permit outbound TCP connections using stateful rules. If em0 is the outside interface of your firewall and you're using stateful rules, you would do something like this:

ipfw add 1000 check-state
ipfw add 2500 allow tcp from any to any out xmit em0 setup keep-state
ipfw add 2550 deny tcp from any to any

The check-state rule checks for established dynamic flows, 2500 permits outbound TCP with SYN,!ACK (the first part of the 3-way handshake), and 2550 denies all TCP traffic that is not permitted.
Re: Configuring IPFW
On Sat, Oct 22, 2011 at 10:08 AM, Conrad J. Sabatier conr...@cox.net wrote:

> Similarly, for udp rules, be sure to include the keep-state (but not setup) keyword.

Right - if you're just protecting a single host, for example, your ruleset might be something like

ipfw add 1000 allow ip from any to any via lo0
ipfw add 1100 check-state
ipfw add 1200 allow tcp from me to any setup keep-state
ipfw add 1300 allow udp from me to any keep-state
# stateful rules for ICMP sometimes work, and sometimes don't - traceroute for example
ipfw add 1400 allow icmp from me to any
ipfw add 1500 allow icmp from any to me icmptypes 0,3,8,11
# if you don't want to permit inbound echo requests, then use the next one instead
# ipfw add 1500 allow icmp from any to me icmptypes 0,3,11
ipfw add 1600 deny ip from any to any

There are sysctl variables you may want to look at:

sysctl net.inet.ip.fw

These are described in the man page, and some of these affect the behavior of dynamic rule sets. You generally don't need to worry about them for outbound connections, but they are critical for inbound connections - it's trivial to DOS a firewall with dynamic rules.

Regards,
M
Re: Configuring IPFW
> Date: Sat, 22 Oct 2011 12:08:56 -0500
> To: FreeBSD freebsd-questions@freebsd.org
> Subject: Re: Configuring IPFW
>
> On Sat, 22 Oct 2011 09:56:12 -0400 Carmel carmel...@hotmail.com wrote:
>
>> I am attempting to set up a firewall using IPFW with a stateful behavior. While I have investigated how to set up these rules, I have run into conflicting opinions as to whether to allow or deny established behavior.
>>
>> EXAMPLE: (preceded by a checkstate rule)
>>
>> allow tcp from any to any established
>>
>> Some documentation states that it should be denied and others say it should be allowed. Neither has given me a convincing reason to follow either scenario or any real documentation either for that fact. If possible, could someone with some real firewall knowledge and familiarity with IPFW please give me some advice.
>>
>> Thanks!
>
> Well, assuming that you're only allowing the connections you actually want to be established to be setup in the first place, then the logical thing is to then allow any already established connections.

This, of course, ignores the possibility that a 'bad guy' might send an initial packet _without_ the 'SYN' flag set. <grin>

> All of your tcp allow rules should include the setup keyword, as well as keep-state. This way, only connections that are doing a first-time setup will be allowed, and their state will be remembered, for later checking using the check-state keyword.

Now *THAT*, done _properly_, closes the aforementioned hole. :)
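The point the whole thread circles around (a bare `allow tcp from any to any established` trusts nothing but the ACK flag, while `check-state` plus `setup keep-state` trusts only flows the firewall itself saw opened) can be made concrete with a small model. The Python below is an added example, not code from any poster on this thread. It models only the ipfw keywords the thread uses (check-state, setup, keep-state, established, `me`), uses constructed documentation-range addresses, and assumes the implicit final rule is deny; real ipfw has many more options and also matches RST under `established`.

```python
"""Toy model of ipfw stateful matching. Only the keywords used in this
thread are modelled: check-state, setup, keep-state, established and the
'me' address. Addresses are constructed; the final implicit rule is
assumed to be deny."""
from dataclasses import dataclass

ME = "203.0.113.10"   # constructed: the firewall host, ipfw's 'me'
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow", "deny" or "check-state"
    src: str = ANY
    dst: str = ANY
    setup: bool = False         # 'setup': SYN set, ACK clear
    established: bool = False   # 'established': ACK set (RST not modelled)
    keep_state: bool = False    # 'keep-state': remember the flow on match


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()      # dynamic rules created by keep-state

    def _flow_known(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.flows or rev in self.flows

    def evaluate(self, p):
        """Walk the rules in order; the first match decides, as in ipfw."""
        for i, r in enumerate(self.rules):
            if r.action == "check-state":
                if self._flow_known(p):
                    return "allow", i
                continue
            if r.src not in (ANY, p.src) or r.dst not in (ANY, p.dst):
                continue
            if r.setup and not (p.syn and not p.ack):
                continue
            if r.established and not p.ack:
                continue
            if r.keep_state and r.action == "allow":
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return r.action, i
        return "deny", None     # implicit final rule, assumed deny


def questioned_ruleset():
    """check-state, then the blanket 'allow tcp from any to any established'
    Carmel asked about, then our own outbound connections."""
    return [Rule("check-state"),
            Rule("allow", established=True),
            Rule("allow", src=ME, setup=True, keep_state=True),
            Rule("deny")]


def recommended_ruleset():
    """check-state, then deny anything else merely *claiming* to be
    established (Alessandro's rule), then our own outbound connections."""
    return [Rule("check-state"),
            Rule("deny", dst=ME, established=True),
            Rule("allow", src=ME, setup=True, keep_state=True),
            Rule("deny")]


def run_scenario(rules):
    """Feed the same four packets through a ruleset; return the verdicts."""
    fw = Firewall(rules)
    server, outsider = "198.51.100.25", "192.0.2.66"   # constructed
    out = {}
    # 1. we open a connection: SYN out, matched by 'setup keep-state'
    out["our_syn"] = fw.evaluate(Packet(ME, 40000, server, 443, syn=True))[0]
    # 2. the server's SYN/ACK comes back and should hit the dynamic rule
    out["server_synack"] = fw.evaluate(
        Packet(server, 443, ME, 40000, syn=True, ack=True))[0]
    # 3. an unsolicited SYN to our sshd: no rule allows it either way
    out["outside_syn"] = fw.evaluate(Packet(outsider, 55555, ME, 22, syn=True))[0]
    # 4. an unsolicited ACK-only packet to our sshd: no handshake ever
    #    happened, so only the flag makes it look 'established'
    out["unsolicited_ack"] = fw.evaluate(Packet(outsider, 55556, ME, 22, ack=True))[0]
    return out


if __name__ == "__main__":
    for name, rs in (("questioned", questioned_ruleset()),
                     ("recommended", recommended_ruleset())):
        print(name, run_scenario(rs))
```

Both rulesets let our own connection and its SYN/ACK reply through and both drop the unsolicited SYN; they differ only on packet 4, which the questioned ruleset allows purely because ACK is set. That is the hole Robert's "initial packet without SYN" remark points at, and a `deny ... established` placed right after `check-state` is what closes it.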
Re: Configuring IPFW IP range [FreeBSD-questions] {offlist}
On Sun, 4 Apr 2010 19:11:42 -0500 (CDT), Robert Bonomi bon...@mail.r-bonomi.com articulated:

>> From owner-freebsd-questi...@freebsd.org Sun Apr 4 08:12:11 2010
>> Date: Sun, 4 Apr 2010 09:11:47 -0400
>> From: Carmel NY carmel...@hotmail.com
>> To: freebsd-questions@freebsd.org
>> Subject: Configuring IPFW IP range
>>
>> This is my first attempt at configuring IPFW. I have it up and running; however, I am not quite sure how to accomplish configuring it to block an IP range.
>>
>> Assume an IP range: 219.128.0.0 to 219.137.255.255
>>
>> That is an actual range: CHINANET Guangdong province network
>>
>> I want to block the entire range. I am not sure how to do it in IPFW. I have read the 'man' pages; however, I am not getting the syntax correct since I cannot get the range added.
>
> CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a 'power of two' in size, and (c) be no larger than the 'power of 2' factor for the starting address.
>
> This range is _not_ that way [fails (b)], so you'll have to do it with multiple entries. i.e., one for
>
> 219.128.0.0/13   which will catch 219.128.0.0 - 219.135.255.255
>
> and a 2nd for
>
> 219.136.0.0/15   which will catch 219.136.0.0 - 219.137.255.255
>
> Life can get messier, when rule 3 comes into play, consider the block 219.130.0.0 to 219.139.255.255
>
> 219.130.0.0 is on a /15 boundary, so that's the max block size you can use for that starting address.
>
> 219.130.0.0/15   catches 219.130.0.0 - 219.131.255.255
>
> next, you can start with 219.132.0.0, which is a /14, and block a /14 with
>
> 219.132.0.0/14   catches 219.132.0.0 - 219.135.255.255
>
> now, 219.136.0.0 is a /13 so you could block that big with just one more rule, if needed, (BUT, you only need another /14, to cover the remainder of the group of 10 /16s that the initial block includes. thus, lastly:
>
> 219.136.0.0/14   catches 219.136.0.0 - 219.139.255.255

Thanks! It was suggested that I try 'ipcalc' by another poster. I did, and it works excellently. In any case, I do have to familiarize myself more fully with IP addressing.
Configuring IPFW IP range
This is my first attempt at configuring IPFW. I have it up and running; however, I am not quite sure how to accomplish configuring it to block an IP range.

Assume an IP range: 219.128.0.0 to 219.137.255.255

That is an actual range: CHINANET Guangdong province network

I want to block the entire range. I am not sure how to do it in IPFW. I have read the 'man' pages; however, I am not getting the syntax correct since I cannot get the range added.

-- 
Carmel
carmel...@hotmail.com

Slurm, n.: The slime that accumulates on the underside of a soap bar when it sits in the dish too long.
Rich Hall, Sniglets
Re: Configuring IPFW IP range
Carmel NY carmel...@hotmail.com wrote:

> This is my first attempt at configuring IPFW. I have it up and running; however, I am not quite sure how to accomplish configuring it to block an IP range.
>
> Assume an IP range: 219.128.0.0 to 219.137.255.255
>
> That is an actual range: CHINANET Guangdong province network
>
> I want to block the entire range. I am not sure how to do it in IPFW. I have read the 'man' pages; however, I am not getting the syntax correct since I cannot get the range added.

#v+
tlh...@arsenic:~ % ipcalc 219.128.0.0 - 219.137.255.255
deaggregate 219.128.0.0 - 219.137.255.255
219.128.0.0/13
219.136.0.0/15
#v-

-- 
regards, Maciej Suszko.
Re: Configuring IPFW IP range
On 04/04/2010 09:11 AM, Carmel NY wrote:

> This is my first attempt at configuring IPFW. I have it up and running; however, I am not quite sure how to accomplish configuring it to block an IP range.
>
> Assume an IP range: 219.128.0.0 to 219.137.255.255
>
> That is an actual range: CHINANET Guangdong province network
>
> I want to block the entire range. I am not sure how to do it in IPFW. I have read the 'man' pages; however, I am not getting the syntax correct since I cannot get the range added.

Carmel,

Have you tried something like what's mentioned in this excerpt quoted below?:

> Network-based filtering works similarly, and the network notation there utilizes either bitmasks or netmasks, for instance:
>
> add 2000 allow all from 192.168.0.0/16 to any
> add 2100 deny all from any to 10.0.0.0:255.0.0.0
>
> The first rule allows all traffic from the network whose IP range is 192.168.0.0-192.168.255.255. It uses a bitmask to indicate this. A bitmask specifies how many bits from the network address (192.168.0.0) should remain the same for matching packets. In this instance, the first 16 bits out of the 32 bit address will remain the same, and as the first 16 bits happen to be the first two octets, 192.168, all addresses whose source addresses have the first two octets as 192.168 will be matched by this rule.
>
> The second rule accomplishes a similar thing using netmasks. The netmask indicates how many bits from the indicated network address should be used for rule matching. In the above example, for rule two, the netmask is 255.0.0.0. Its first octet is set with high bits; in other words, the first 8 bits are set high. This indicates to ipfw(8) that only packets with the first 8 bits of the network address (10.0.0.0) should be matched. As the first 8 bits of the network address equal 10, then all packets whose destination address have a 10 for the first octet (all addresses between 10.0.0.0 and 10.255.255.255) will be matched by this rule, and then dropped, as indicated by the action.

(This excerpt from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO)

-- 
Ashley
Re: Configuring IPFW IP range
On Sun, 04 Apr 2010 11:02:29 -0400, Ashley ash...@cpufight.com articulated:

> On 04/04/2010 09:11 AM, Carmel NY wrote:
>
>> This is my first attempt at configuring IPFW. I have it up and running; however, I am not quite sure how to accomplish configuring it to block an IP range.
>>
>> Assume an IP range: 219.128.0.0 to 219.137.255.255
>>
>> That is an actual range: CHINANET Guangdong province network
>>
>> I want to block the entire range. I am not sure how to do it in IPFW. I have read the 'man' pages; however, I am not getting the syntax correct since I cannot get the range added.
>
> Carmel,
>
> Have you tried something like what's mentioned in this excerpt quoted below?:
>
>> Network-based filtering works similarly, and the network notation there utilizes either bitmasks or netmasks, for instance:
>>
>> add 2000 allow all from 192.168.0.0/16 to any
>> add 2100 deny all from any to 10.0.0.0:255.0.0.0
>>
>> The first rule allows all traffic from the network whose IP range is 192.168.0.0-192.168.255.255. It uses a bitmask to indicate this. A bitmask specifies how many bits from the network address (192.168.0.0) should remain the same for matching packets. In this instance, the first 16 bits out of the 32 bit address will remain the same, and as the first 16 bits happen to be the first two octets, 192.168, all addresses whose source addresses have the first two octets as 192.168 will be matched by this rule.
>>
>> The second rule accomplishes a similar thing using netmasks. The netmask indicates how many bits from the indicated network address should be used for rule matching. In the above example, for rule two, the netmask is 255.0.0.0. Its first octet is set with high bits; in other words, the first 8 bits are set high. This indicates to ipfw(8) that only packets with the first 8 bits of the network address (10.0.0.0) should be matched. As the first 8 bits of the network address equal 10, then all packets whose destination address have a 10 for the first octet (all addresses between 10.0.0.0 and 10.255.255.255) will be matched by this rule, and then dropped, as indicated by the action.
>
> (This excerpt from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO)

Thanks Maciej Suszko and Ashley. I used the ipcalc tool. I thought I had seen something like that before; however, I was not able to recall the name of the utility. I really have to study up on IPs and networking.

-- 
Carmel
carmel...@hotmail.com

BACHELOR: A man who chases women and never Mrs. one.
Re: Configuring IPFW IP range [FreeBSD-questions] {offlist}
> From owner-freebsd-questi...@freebsd.org Sun Apr 4 08:12:11 2010
> Date: Sun, 4 Apr 2010 09:11:47 -0400
> From: Carmel NY carmel...@hotmail.com
> To: freebsd-questions@freebsd.org
> Subject: Configuring IPFW IP range
>
> This is my first attempt at configuring IPFW. I have it up and running; however, I am not quite sure how to accomplish configuring it to block an IP range.
>
> Assume an IP range: 219.128.0.0 to 219.137.255.255
>
> That is an actual range: CHINANET Guangdong province network
>
> I want to block the entire range. I am not sure how to do it in IPFW. I have read the 'man' pages; however, I am not getting the syntax correct since I cannot get the range added.

CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a 'power of two' in size, and (c) be no larger than the 'power of 2' factor for the starting address.

This range is _not_ that way [fails (b)], so you'll have to do it with multiple entries. i.e., one for

219.128.0.0/13   which will catch 219.128.0.0 - 219.135.255.255

and a 2nd for

219.136.0.0/15   which will catch 219.136.0.0 - 219.137.255.255

Life can get messier, when rule 3 comes into play, consider the block 219.130.0.0 to 219.139.255.255

219.130.0.0 is on a /15 boundary, so that's the max block size you can use for that starting address.

219.130.0.0/15   catches 219.130.0.0 - 219.131.255.255

next, you can start with 219.132.0.0, which is a /14, and block a /14 with

219.132.0.0/14   catches 219.132.0.0 - 219.135.255.255

now, 219.136.0.0 is a /13 so you could block that big with just one more rule, if needed, (BUT, you only need another /14, to cover the remainder of the group of 10 /16s that the initial block includes. thus, lastly:

219.136.0.0/14   catches 219.136.0.0 - 219.139.255.255

This should help you get the syntax right.
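Robert's three constraints are exactly what a range-to-CIDR deaggregator (the `deaggregate` mode of ipcalc that Maciej showed) applies in a loop. The Python below is an added example, not code from any poster or from ipcalc: it implements the general algorithm, checks itself against the standard library's `ipaddress.summarize_address_range`, and renders one `deny` rule per block. The rule numbers it emits (5000 upward) are an arbitrary constructed choice, and it blocks the range as a source; blocking it as a destination is the same list with the address on the other side of `to`.

```python
"""Split an inclusive IPv4 range into the minimal set of CIDR blocks,
following the three constraints from the thread: a block must (a) start
on an aligned address, (b) be a power of two in size and (c) be no larger
than the alignment of its starting address allows."""
import ipaddress


def deaggregate(first, last):
    """Return the IPv4Network blocks covering first..last, lowest first."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        # (a) and (c): the largest block that may begin at 'start' is given
        # by its lowest set bit; 0.0.0.0 is aligned to everything (a /0).
        size = 1 << 32 if start == 0 else start & -start
        # (b): halve the power-of-two size until the block fits in what is
        # left of the range.
        while start + size - 1 > end:
            size >>= 1
        prefix = 33 - size.bit_length()       # size == 2 ** (32 - prefix)
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += size
    return blocks


def deaggregate_checked(first, last):
    """Same result as strings, verified against the standard library."""
    ours = deaggregate(first, last)
    ref = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    if ours != ref:
        raise AssertionError(f"mismatch: {ours} vs {ref}")
    return [str(b) for b in ours]


def ipfw_deny_rules(first, last, first_rule=5000):
    """One 'deny ip from <block> to any' per block; rule numbers starting
    at first_rule are a constructed choice, not anything from the thread."""
    return [f"ipfw add {first_rule + i} deny ip from {b} to any"
            for i, b in enumerate(deaggregate(first, last))]


if __name__ == "__main__":
    # the two ranges worked through in the thread
    for rng in (("219.128.0.0", "219.137.255.255"),
                ("219.130.0.0", "219.139.255.255")):
        print(*rng, "->", deaggregate_checked(*rng))
        print("\n".join(ipfw_deny_rules(*rng)))
```

Run stand-alone it reproduces Robert's two worked cases (/13 + /15 for the first range, /15 + /14 + /14 for the second). Because the cross-check is built in, it will also tell you if a hand-computed list misses an address or overshoots the range.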
Issues with configuring IPFW for NAT setup
I'm trying to configure a lightweight router/gateway just to block bad SMTP requests; many virii/spyware apps on Windoze boxes on my network have forced our ISP to almost shut us down more than once now because people don't know how to manage their machines =\. The problem with my config is that all that's going through the NAT machine are ICMP packets (?!). Weird.. Anyhow, here's the ipfw configuration so far:

#!/bin/sh
# comment the line below and uncomment the line following that if you just want to test the rule output
cmd_flags="-f"
#cmd_flags="-n"
cmd="ipfw $cmd_flags"
cmd_a="$cmd add"
cmd_d="$cmd del"
ks="keep-state"
# just macros to simplify typing/reading
fata="from any to any"
aafat="allow all from any to"
daf="deny all from"
dafat="$daf any to"
prif="fxp0"
puif="xl0"
# trusted subnet
tsu="192.168.1.0/24"
# untrusted subnet
usu="192.168.0.0/24"
bad_ports="81, 113, 137-139, 445, 901, 1026, 1433-1434, 1900, 2283, 2869, 3389, 5000, 8080"	# IRC IDENT, HTTP, Sun RPC ports, uPnP ports, RDP ports, etc
virus_ports="1080, 2283, 2535, 2745, 3127-3198, 3410, 5554, 8866, 9898"	# See /root/ports.html for a short list with explanations

$cmd -f flush
$cmd_a 001 $aafat any via lo*
$cmd_a 050 divert natd ip from any to me in via $puif	# Properly direct all incoming NAT redirects
$cmd_a 081 $daf 172.16.0.0/12 to any	# reserved IPs
$cmd_a 082 $daf 10.0.0.0/8 to any	# reserved IPs
$cmd_a 083 $daf 127.0.0.0/8 to any	# loopback
$cmd_a 084 $daf 0.0.0.0/8 to any	# broadcast
$cmd_a 085 $daf 169.254.0.0/16 to any	# auto-DHCP
$cmd_a 086 deny tcp from 224.0.0.0/3 to any	# deny multicast TCP support
# private subnet firewall rules -- allow incoming SSH, HTTP, and HTTP-SSL
$cmd_a 160 allow all from any to me 22, 68-69, 80, 443 via $prif
# public SSH rules
$cmd_a 170 allow all from any to me 22 via $puif
$cmd_a 171 deny all from any to me 22, 68-69, 80, 443 via $puif
# SMTP rules -- basically allow SMTP traffic on port 25 to UW, Comcast, and Earthlink clients; block the rest to prevent mass spamming
$cmd_a 200 $aafat smtp.washington.edu 25 out via $puif
$cmd_a 201 $aafat smtp.comcast.net 25 out via $puif
$cmd_a 202 $aafat smtp.earthlink.net 25 out via $puif
$cmd_a 203 $dafat any 25 out via $puif
$cmd_a 400 $dafat any $bad_ports, $virus_ports via $puif
# deny any TCP traffic trying to be forwarded on ports 1-65535. Don't block UDP since MSN and other services like to randomly allocate ports in this range for UDP use.
$cmd_a 401 deny tcp $fata 1-65535
$cmd_a 600 divert natd all from $tsu to any out via $puif	# For outbound NAT translation
$cmd_a 605 deny all from $usu to not me via $prif
$cmd_a 611 allow all $fata

Some additional helpful information:

FreeBSD router:

su-2.05b# uname -a
FreeBSD hummer.localdomain 6.1-RELEASE-p5 FreeBSD 6.1-RELEASE-p5 #10: Wed Sep 27 00:17:54 PDT 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/HUMMER i386
su-2.05b# sysctl -n net.inet.ip.forwarding
1

Another interesting thing is that it appears that I've totally screwed up my TCP configuration or something (or firewalled a bunch of ports), so my machine cannot access the outside world (even from localhost). The only thing that appears to be working is DNS resolving.. =\.

My routing tables:

su-2.05b# netstat -r -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0     2389    xl0
localhost          localhost          UH          0        2    lo0
192.168.0          link#2             UC          0        0    xl0
192.168.0.1        00:09:5b:56:c4:b4  UHLW        2        0    xl0   1175
hoover             00:0a:e6:47:73:c7  UHLW        1        2    xl0    957
sprsd              00:e0:7d:f7:6e:2e  UHLW        1    16281    xl0   1117
192.168.1          link#1             UC          0        0   fxp0
192.168.1.1        00:a0:c9:5e:ba:2d  UHLW        1        0    lo0
192.168.1.224      00:11:24:2f:15:bc  UHLW        1       51   fxp0    306

My static routes in /etc/rc.conf:

#..snip..
#Route defs
static_routes="router tsu usu"
#static_routes="usu"
route_router="-net 0.0.0.0 192.168.0.1"
route_usu="-net 192.168.0.0/24 192.168.0.1"
route_tsu="-net 192.168.1.0/24 192.168.1.1"
#..end snip..

Ping example of DNS resolving working:

su-2.05b# ping -c 3 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=246 time=84.567 ms
64 bytes from 64.233.187.99: icmp_seq=1 ttl=246 time=107.181 ms
64 bytes from 64.233.187.99: icmp_seq=2 ttl=246 time=84.443 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 84.443/92.064/107.181/10.690 ms
su-2.05b#

IPFIREWALL sections of kernel config:

su-2.05b# grep IPFIREWALL /root/HUMMER
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options
Configuring IPFW (Firewall) and Proxy/Nylon, Help Please
Hello There,

I currently am running 5.2.1-Release which is configured as a gateway with kernel firewall support. I have installed Squid (Proxy) and Nylon (SOCKS) which seem to be configured fine. However, I need help in getting all http/https traffic to only route to the proxy (Port 3128) and all other traffic to point to nylon (Port 1080). This way the proxy and socks server cannot be circumvented. Could someone please suggest some tips or a website? I am using the standard rc.firewall configuration.

Thanks!

Below is my rc.conf file:

---
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="ed0"
#natd_flags="-f /etc/natd.conf"
hostname="**"
ifconfig_ed0="DHCP"
inetd_enable="YES"
keyrate="fast"
sshd_enable="YES"
usbd_enable="YES"
ifconfig_dc0="inet 192.168.1.254 netmask 255.255.255.0"
defaultrouter="192.168.1.254"
Re: Configuring IPFW (Firewall) and Proxy/Nylon, Help Please
Hello,

On Mon, 13 Sep 2004 16:26:15 -0700 (PDT), JP [EMAIL PROTECTED] wrote:

> Hello There,
>
> I currently am running 5.2.1-Release which is configured as a gateway with kernel firewall support. I have installed Squid (Proxy) and Nylon (SOCKS) which seem to be configured fine. However, I need help in getting all http/https traffic to only route to the proxy (Port 3128) and all other traffic to point to nylon (Port 1080). This way the proxy and socks server cannot be circumvented. Could someone please suggest some tips or a website? I am using the standard rc.firewall configuration.

http runs on port 80 by default and https on port 443 so you can divert incoming traffic on port 80 and 443 on port 3128. And do not forget to save the states for the incoming traffic or the reply traffic won't get through. For the latter section you can set up a default divert for everything to port 1080.

> Thanks!

You are welcome

> Below is my rc.conf file:
>
> ---
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
---you need to remove this and make this point to your firewall ruleset file
> natd_enable="YES"
---You need to comment this out because if natd is running the clients can anyway get through the NAT and avoid proxy.
> natd_interface="ed0"
> #natd_flags="-f /etc/natd.conf"
> hostname="**"
> ifconfig_ed0="DHCP"
> inetd_enable="YES"
> keyrate="fast"
> sshd_enable="YES"
> usbd_enable="YES"
> ifconfig_dc0="inet 192.168.1.254 netmask 255.255.255.0"
> defaultrouter="192.168.1.254"

Regards
S.

-- 
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
Re: Configuring IPFW (Firewall) and Proxy/Nylon, Help Please
On Tue, 14 Sep 2004 10:22:16 +0530, Subhro [EMAIL PROTECTED] wrote:

> Hello,
>
> On Mon, 13 Sep 2004 16:26:15 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
>
>> Hello There,
>>
>> I currently am running 5.2.1-Release which is configured as a gateway with kernel firewall support. I have installed Squid (Proxy) and Nylon (SOCKS) which seem to be configured fine. However, I need help in getting all http/https traffic to only route to the proxy (Port 3128) and all other traffic to point to nylon (Port 1080). This way the proxy and socks server cannot be circumvented. Could someone please suggest some tips or a website? I am using the standard rc.firewall configuration.
>
> http runs on port 80 by default and https on port 443 so you can divert incoming traffic on port 80 and 443 on port 3128. And do not forget to save the states for the incoming traffic or the reply traffic won't get through. For the latter section you can set up a default divert for everything to port 1080.
>
>> Thanks!
>
> You are welcome
>
>> Below is my rc.conf file:
>>
>> ---
>> gateway_enable="YES"
>> firewall_enable="YES"
>> firewall_type="OPEN"
> ---you need to remove this and make this point to your firewall ruleset file
>> natd_enable="YES"
> ---You need to comment this out because if natd is running the clients can anyway get through the NAT and avoid proxy.
>> natd_interface="ed0"
>> #natd_flags="-f /etc/natd.conf"
>> hostname="**"
>> ifconfig_ed0="DHCP"
>> inetd_enable="YES"
>> keyrate="fast"
>> sshd_enable="YES"
>> usbd_enable="YES"

Sorry to backpost but what are you trying to achieve by the next two lines?

>> ifconfig_dc0="inet 192.168.1.254 netmask 255.255.255.0"
>> defaultrouter="192.168.1.254"

Regards
S.

-- 
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
problems configuring ipfw via raw sockets
Hi ppl!

I need to use direct access to ipfw rules via raw sockets instead of some scripts using the ipfw utility. I looked into the ipfw sources and made a simple program to test if I could add a simple rule this way. Just rewrote pieces of the original code into my program w/out any serious change. But setsockopt() always returns EINVAL and the string msg "Invalid argument". And no details. Hence I'm in a fix. I cannot get what's wrong indeed. It's my first experience with configuring ipfw this way and maybe I missed something obvious for a guru :0)

Here I place my code (short enough). Any advice would be appreciated. Maybe some links to some docs - I failed to find anything but a very short info in manpages.

#include <stdio.h>      /* printf() */
#include <string.h>     /* memset(), strerror() */
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <netinet/in.h>
#include <netinet/ip_fw.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>

int
test(void)
{
    int sock, res, sz;
    struct ip_fw rule;

    /* a raw IP socket is the control channel to the in-kernel firewall */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock == -1) {
        printf("\n\nsocket() failed with \"%s\"\n\n", strerror(errno));
        return -1;
    }

    /* build one rule: number 700, deny, 195.48.121.34/32 -> 127.0.0.0/8, any protocol */
    memset(&rule, 0, sizeof(struct ip_fw));
    rule.fw_number = 700;
    rule.fw_flg = IP_FW_F_DENY;
    rule.fw_src.s_addr = inet_addr("195.48.121.34");
    rule.fw_smsk.s_addr = inet_addr("255.255.255.255");
    rule.fw_dst.s_addr = inet_addr("127.0.0.0");
    rule.fw_dmsk.s_addr = inet_addr("255.0.0.0");
    rule.fw_prot = IPPROTO_IP;
    sz = sizeof(struct ip_fw);

    /* hand the rule to the kernel; this is the call that returns EINVAL */
    res = setsockopt(sock, IPPROTO_IP, IP_FW_ADD, &rule, sz);
    if (res == -1) {
        printf("\n\nsetsockopt() failed with \"%s\"\n\n", strerror(errno));
        return -1;
    }
    return 0;
}

int
main(void)
{
    test();
    return 0;
}

Alexander Komratov

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message