Re: Configuring IPFW

2011-10-24 Thread Alessandro Spinella

On 10/22/11 15:56, Carmel wrote:

I am attempting to set up a firewall using IPFW with a stateful
behavior.

While I have investigated how to set up these rules, I have run into
conflicting opinions as to whether to allow or deny established
behavior.



hi, Carmel

the point is: any pkt that carries the ACK flag MUST be dropped UNLESS
belonging to an established session, as dictated in a FOLLOWING rule
that uses the keep-state keyword.


look at this example

# generic header
ipfw add pass ip from any to any via lo0
ipfw add deny log ip from any to 127.0.0.0/8
ipfw add deny log ip from 127.0.0.0/8 to any
#ipfw add deny log ip from any to 192.168.0.0/16
ipfw add deny log ip from any to 172.16.0.0/12
ipfw add deny log ip from any to 10.0.0.0/8
ipfw add deny log ip from any to 0.0.0.0/8
ipfw add deny log ip from any to 169.254.0.0/16
ipfw add deny log ip from any to 192.0.2.0/24
ipfw add deny log ip from any to 204.152.64.0/23
ipfw add deny log ip from any to 224.0.0.0/3
ipfw add deny log ip from any to any frag

# allow any pkt with ACK flag set *if and only if* it matches an
# established connection
ipfw add check-state

# and deny all others *claiming* to belong to a valid connection
ipfw add deny log tcp from any to A.B.C.D/M established

# router/firewall mgmt exception
ipfw add pass tcp from me to 192.168.43.0/24 33 setup keep-state
ipfw add pass udp from me to 192.168.43.0/24 53, 123, 514
ipfw add pass tcp from 192.168.43.0/24 to me 22 setup keep-state
ipfw add pass udp from 192.168.43.0/24 123 to me
ipfw add pass udp from 192.168.43.0/24 53 to me
ipfw add pass tcp from 192.168.43.0/24 to 192.168.35.1 23 setup keep-state
ipfw add pass tcp from A.B.C.D/M to 192.168.35.1 23 setup keep-state
ipfw add deny log all from any to 192.168.0.0/16
#
# operational hosts
#
# wikileaks : web + full mail
ipfw add pass tcp from any to A.B.C.E 22 setup keep-state
ipfw add pass tcp from any to A.B.C.E 25 setup keep-state
ipfw add pass tcp from any to A.B.C.E 80 setup keep-state
ipfw add pass tcp from any to A.B.C.E 110 setup keep-state
ipfw add pass tcp from any to A.B.C.E 143 setup keep-state
ipfw add pass tcp from any to A.B.C.E 443 setup keep-state
ipfw add pass tcp from any to A.B.C.E 465 setup keep-state
ipfw add pass tcp from any to A.B.C.E 993 setup keep-state
ipfw add pass tcp from any to A.B.C.E 995 setup keep-state
# jkwolf : dns + ntp
ipfw add pass tcp from any to A.B.C.F 22 setup keep-state
ipfw add pass tcp from G.H.J.K/N to A.B.C.F 53 setup keep-state
ipfw add pass udp from any 1024-65535 to A.B.C.F 53
ipfw add pass udp from any 53 to A.B.C.D/M 1024-65535
ipfw add pass udp from any 123 to A.B.C.D/M 123
ipfw add pass udp from A.B.C.F 1024-65535 to any 53
# generic tail
ipfw add pass tcp from A.B.C.D/M to any setup keep-state
ipfw add pass udp from A.B.C.D/M to any
ipfw add pass icmp from any to A.B.C.D/M icmptypes 0,3,8,11
ipfw add pass icmp from A.B.C.D/M to any icmptypes 0,3,8,11
ipfw add deny log ip from any to any



Alessandro
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Configuring IPFW

2011-10-22 Thread Carmel
I am attempting to set up a firewall using IPFW with a stateful
behavior.

While I have investigated how to set up these rules, I have run into
conflicting opinions as to whether to allow or deny established
behavior.

EXAMPLE: (preceded by a checkstate rule)

allow tcp from any to any established


Some documentation states that it should be denied and others say it
should be allowed. Neither has given me a convincing reason to follow
either scenario or any real documentation either for that fact.

If possible, could someone with some real firewall knowledge and
familiarity with IPFW please give me some advice.

Thanks!

-- 
Carmel ✌
carmel...@hotmail.com



Re: Configuring IPFW

2011-10-22 Thread RW
On Sat, 22 Oct 2011 09:56:12 -0400
Carmel wrote:

 I am attempting to set up a firewall using IPFW with a stateful
 behavior.
 
 While I have investigated how to set up these rules, I have run into
 conflicting opinions as to whether to allow or deny established
 behavior.
 
 EXAMPLE: (preceded by a checkstate rule)
 
 allow tcp from any to any established
 
 
 Some documentation states that it should be denied and others say it
 should be allowed. Neither has given me a convincing reason to follow
 either scenario or any real documentation either for that fact.


Normally if the rules are stateless you would allow established tcp
packets, but would deny them with stateful rules. In the latter case,
established traffic would be passed by the check-state.


Re: Configuring IPFW

2011-10-22 Thread Conrad J. Sabatier
On Sat, 22 Oct 2011 09:56:12 -0400
Carmel carmel...@hotmail.com wrote:

 I am attempting to set up a firewall using IPFW with a stateful
 behavior.
 
 While I have investigated how to set up these rules, I have run into
 conflicting opinions as to whether to allow or deny established
 behavior.
 
 EXAMPLE: (preceded by a checkstate rule)
 
 allow tcp from any to any established
 
 
 Some documentation states that it should be denied and others say it
 should be allowed. Neither has given me a convincing reason to follow
 either scenario or any real documentation either for that fact.
 
 If possible, could someone with some real firewall knowledge and
 familiarity with IPFW please give me some advice.
 
 Thanks!
 

Well, assuming that you're only allowing the connections you actually
want to be be established to be setup in the first place, then the
logical thing is to then allow any already established connections.

All of your tcp allow rules should include the setup keyword, as well
as keep-state.  This way, only connections that are doing a first-time
setup will be allowed, and their state will be remembered, for later
checking using the check-state keyword.

In other words, create setup/keep-state rules for all tcp connections
you want to allow, and deny the rest.  Just be sure the check-state and
established rules precede the deny rules.

Similarly, for udp rules, be sure to include the keep-state (but not
setup) keyword.

Hope this makes sense.  :-)

-- 
Conrad J. Sabatier
conr...@cox.net


Re: Configuring IPFW

2011-10-22 Thread Michael Sierchio
On Sat, Oct 22, 2011 at 9:54 AM, RW rwmailli...@googlemail.com wrote:

 Normally if the rules are stateless you would allow established tcp
 packets, but would deny them with stateful rules. In the latter case,
 established traffic would be passed by the check-state

You need to pay attention to direction as well.  Suppose you wanted to
permit outbound TCP connections using stateful rules.  If em0 is the
outside interface of your firewall, you would do something like this:


ipfw add 1000 check-state
ipfw add 2500 allow tcp from any to any out xmit em0 setup keep-state
ipfw add 2550 deny tcp from any to any

The check-state rule checks for established dynamic flows, 2500
permits outbound TCP with SYN,!ACK (the first part of the 3-way
handshake), and 2550 denies all TCP traffic that is not permitted.


Re: Configuring IPFW

2011-10-22 Thread Michael Sierchio
On Sat, Oct 22, 2011 at 10:08 AM, Conrad J. Sabatier conr...@cox.net wrote:


 Similarly, for udp rules, be sure to include the keep-state (but not
 setup) keyword.


Right - if you're just protecting a single host, for example, your
ruleset might be something like:

ipfw add 1000 allow ip from any to any via lo0
ipfw add 1100 check-state
ipfw add 1200 allow tcp from me to any setup keep-state
ipfw add 1300 allow udp from me to any keep-state
# stateful rules for ICMP sometimes work, and sometimes don't -
# traceroute for example
ipfw add 1400 allow icmp from me to any
ipfw add 1500 allow icmp from any to me icmptypes 0,3,8,11
# if you don't want to permit inbound echo requests, then use the next
# one instead
# ipfw add 1500 allow icmp from any to me icmptypes 0,3,11

ipfw add 1600 deny ip from any to any


There are sysctl variables you may want to look at: sysctl net.inet.ip.fw

These are described in the man page, and some of these affect the
behavior of dynamic rule sets.  You generally don't need to worry
about them for outbound connections, but they are critical for inbound
connections - it's trivial to DoS a firewall with dynamic rules.

Regards,

M


Re: Configuring IPFW

2011-10-22 Thread Robert Bonomi

 Date: Sat, 22 Oct 2011 12:08:56 -0500
 To: FreeBSD freebsd-questions@freebsd.org
 Subject: Re: Configuring IPFW

 On Sat, 22 Oct 2011 09:56:12 -0400
 Carmel carmel...@hotmail.com wrote:

  I am attempting to set up a firewall using IPFW with a stateful
  behavior.
  
  While I have investigated how to set up these rules, I have run into
  conflicting opinions as to whether to allow or deny established
  behavior.
  
  EXAMPLE: (preceded by a checkstate rule)
  
  allow tcp from any to any established
  
  
  Some documentation states that it should be denied and others say it
  should be allowed. Neither has given me a convincing reason to follow
  either scenario or any real documentation either for that fact.
  
  If possible, could someone with some real firewall knowledge and
  familiarity with IPFW please give me some advice.
  
  Thanks!
  

 Well, assuming that you're only allowing the connections you actually
 want to be be established to be setup in the first place, then the
 logical thing is to then allow any already established connections.

This, of course, ignores the possibility that a 'bad guy' might send
an initial packet _without_ the 'SYN' flag set.  <grin>

 All of your tcp allow rules should include the setup keyword, as well
 as keep-state.  This way, only connections that are doing a first-time
 setup will be allowed, and their state will be remembered, for later
 checking using the check-state keyword.

Now *THAT*, done _properly_, closes the aforementioned hole. :)



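
The disagreement in this thread (allow `established` in a stateless ruleset, deny it after `check-state` in a stateful one) comes down to what happens to a TCP segment that carries ACK but was never preceded by a SYN the firewall saw. What follows is an added example, not code from any of the posts: a small first-match model of ipfw evaluation with a dynamic state table, run over two constructed rulesets and a constructed ACK-only probe. The addresses (203.0.113.10 as "me", 198.51.100.x as outside hosts), the rule numbers and the Packet/Rule classes are assumptions for illustration; the model covers only `setup`, `established`, `keep-state` and `check-state` plus the implicit final deny, not the rest of ipfw.

```python
"""First-match model of an ipfw ruleset with a dynamic (keep-state) table.

Constructed example: it models only the pieces the thread argues about,
'setup', 'established', 'keep-state' and 'check-state', on top of the
usual first-match walk and the implicit final deny (rule 65535).
"""
from dataclasses import dataclass

ME = "203.0.113.10"            # assumed address of the firewall host ("me")


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Rule:
    number: int
    action: str                # "allow", "deny" or "check-state"
    proto: str = "ip"          # "ip" matches any protocol
    src: str = "any"           # "any", "me" or a literal address
    dst: str = "any"
    setup: bool = False        # ipfw 'setup': SYN set and ACK clear
    established: bool = False  # ipfw 'established': ACK or RST set
    keep_state: bool = False   # create a dynamic entry when this rule matches


def _addr_ok(pattern, addr):
    return pattern == "any" or (pattern == "me" and addr == ME) or pattern == addr


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}      # flow key -> parent rule that created it

    @staticmethod
    def _flow(p):
        """Direction-independent 5-tuple so replies hit the same entry."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def _matches(self, r, p):
        if r.proto not in ("ip", p.proto):
            return False
        if not (_addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst)):
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        if r.established and not (p.ack or p.rst):
            return False
        return True

    def evaluate(self, p):
        """Return (action, rule number) of the first matching rule."""
        for r in self.rules:
            if r.action == "check-state":
                parent = self.dynamic.get(self._flow(p))
                if parent is not None:
                    return parent.action, parent.number
                continue               # no dynamic entry: keep walking
            if self._matches(r, p):
                if r.keep_state:
                    self.dynamic[self._flow(p)] = r
                return r.action, r.number
        return "deny", 65535           # default-to-deny kernel, rule 65535


# Carmel's question: 'allow tcp from any to any established' in a stateless set
STATELESS = [
    Rule(100, "allow", "tcp", established=True),
    Rule(200, "allow", "tcp", src="me", setup=True),
    Rule(300, "deny", "tcp"),
]

# The stateful shape from the replies: check-state first, then refuse anything
# else that merely claims to be part of a connection, then setup keep-state
STATEFUL = [
    Rule(100, "check-state"),
    Rule(150, "deny", "tcp", dst="me", established=True),
    Rule(200, "allow", "tcp", src="me", setup=True, keep_state=True),
    Rule(300, "deny", "tcp"),
]


def run_scenario(rules):
    """Outbound handshake from 'me', then an attacker's ACK-only probe."""
    fw = Firewall(rules)
    syn = Packet("tcp", ME, 51000, "198.51.100.5", 443, syn=True)
    syn_ack = Packet("tcp", "198.51.100.5", 443, ME, 51000, syn=True, ack=True)
    probe = Packet("tcp", "198.51.100.7", 40000, ME, 22, ack=True)   # no SYN ever seen
    inbound_syn = Packet("tcp", "198.51.100.7", 40001, ME, 22, syn=True)
    return {
        "outbound_syn": fw.evaluate(syn)[0],
        "reply_syn_ack": fw.evaluate(syn_ack)[0],
        "ack_probe": fw.evaluate(probe)[0],
        "inbound_syn": fw.evaluate(inbound_syn)[0],
    }


if __name__ == "__main__":
    for name, rules in ("stateless", STATELESS), ("stateful", STATEFUL):
        print(name, run_scenario(rules))
```

The stateless set passes the probe on its `established` rule, which is exactly the "initial packet without SYN" the thread warns about; the stateful set has no dynamic entry for that flow, so `check-state` falls through and the `deny ... established` rule catches it, while the genuine SYN-ACK reply is still accepted through the entry that the `setup keep-state` rule created.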


Re: Configuring IPFW IP range [FreeBSD-questions] {offlist}

2010-04-05 Thread Carmel NY
On Sun, 4 Apr 2010 19:11:42 -0500 (CDT), Robert Bonomi
bon...@mail.r-bonomi.com articulated:

  From owner-freebsd-questi...@freebsd.org  Sun Apr  4 08:12:11 2010
  Date: Sun, 4 Apr 2010 09:11:47 -0400
  From: Carmel NY carmel...@hotmail.com
  To: freebsd-questions@freebsd.org
  Subject: Configuring IPFW IP range
 
  This is my first attempt at configuring IPFW. I have it up and
  running; however, I am not quite sure how to accomplish configuring
  it to block an IP range.
 
  Assume an IP range: 219.128.0.0 to 219.137.255.255
 
  That is an actual range: CHINANET Guangdong province network
 
  I want to block the entire range. I am not sure how to do it in
  IPFW. I have read the 'man' pages; however, I am not getting the
  syntax correct since I cannot get the range added.
 
 
 CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a
 'power of two' in size, and (c) be no larger than the 'power of 2'
 factor for the starting address.  This range is _not_ that way [fails
 (b)], so you'll have to do it with multiple entries.
 
 i.e., one for 219.128.0.0/13 which will catch 219.128.0.0 -
 219.135.255.255 and a 2nd for 219.136.0.0/15 which will catch
 219.136.0.0 - 219.137.255.255
 
 Life can get messier, when rule 3 comes into play; consider the block
 219.130.0.0 to 219.139.255.255
 
 219.130.0.0 is on a /15 boundary, so that's the max block size you
 can use for that starting address.
 219.130.0.0/15   catches 219.130.0.0 - 219.131.255.255
 next, you can start with 219.132.0.0, which is a /14, and block a /14
 with 219.132.0.0/14   catches 219.132.0.0 - 219.135.255.255
 now, 219.136.0.0 is a /13, so you could block that big with just one more
 rule, if needed (BUT, you only need another /14 to cover the
 remainder of the group of 10 /16s that the initial block includes).
 thus, lastly: 219.136.0.0/14   catches 219.136.0.0 - 219.139.255.255

Thanks! It was suggested that I try 'ipcalc' by another poster. I did,
and it works excellently. In any case, I do have to familiarize myself
more fully with IP addressing.


Configuring IPFW IP range

2010-04-04 Thread Carmel NY
This is my first attempt at configuring IPFW. I have it up and running;
however, I am not quite sure how to accomplish configuring it to block
an IP range.

Assume an IP range: 219.128.0.0 to 219.137.255.255

That is an actual range: CHINANET Guangdong province network

I want to block the entire range. I am not sure how to do it in IPFW. I
have read the 'man' pages; however, I am not getting the syntax correct
since I cannot get the range added.


-- 
Carmel
carmel...@hotmail.com


Slurm, n.:
The slime that accumulates on the underside of a soap bar when
it sits in the dish too long.

Rich Hall, Sniglets


Re: Configuring IPFW IP range

2010-04-04 Thread Maciej Suszko
Carmel NY carmel...@hotmail.com wrote:
 This is my first attempt at configuring IPFW. I have it up and
 running; however, I am not quite sure how to accomplish configuring
 it to block an IP range.
 
 Assume an IP range: 219.128.0.0 to 219.137.255.255
 
 That is an actual range: CHINANET Guangdong province network
 
 I want to block the entire range. I am not sure how to do it in IPFW.
 I have read the 'man' pages; however, I am not getting the syntax
 correct since I cannot get the range added.

#v+
tlh...@arsenic:~ % ipcalc 219.128.0.0 - 219.137.255.255
deaggregate 219.128.0.0 - 219.137.255.255
219.128.0.0/13
219.136.0.0/15
#v-
-- 
regards, Maciej Suszko.




Re: Configuring IPFW IP range

2010-04-04 Thread Ashley

On 04/04/2010 09:11 AM, Carmel NY wrote:

This is my first attempt at configuring IPFW. I have it up and running;
however, I am not quite sure how to accomplish configuring it to block
an IP range.

Assume an IP range: 219.128.0.0 to 219.137.255.255

That is an actual range: CHINANET Guangdong province network

I want to block the entire range. I am not sure how to do it in IPFW. I
have read the 'man' pages; however, I am not getting the syntax correct
since I cannot get the range added.

Carmel,

Have you tried something like what's mentioned in this excerpt quoted 
below?:


Network-based filtering works similarly, and the network
notation there utilizes either bitmasks or netmasks, for instance:

add 2000 allow all from 192.168.0.0/16 to any
add 2100 deny all from any to 10.0.0.0:255.0.0.0

The first rule allows all traffic from the network whose IP range
is 192.168.0.0-192.168.255.255. It uses a bitmask to indicate this. A
bitmask specifies how many bits from the network address (192.168.0.0)
should remain the same for matching packets. In this instance, the first
16 bits out of the 32 bit address will remain the same, and as the first
16 bits happen to be the first two octets, 192.168, all addresses whose
source addresses have the first two octets as 192.168 will be matched by
this rule. The second rule accomplishes a similar thing using netmasks.
The netmask indicates how many bits from the indicated network address
should be used for rule matching. In the above example, for rule two, the
netmask is 255.0.0.0. Its first octet is set with high bits; in other
words, the first 8 bits are set high. This indicates to ipfw(8) that only
packets with the first 8 bits of the network address (10.0.0.0) should be
matched. As the first 8 bits of the network address equal 10, then all
packets whose destination address have a 10 for the first octet (all
addresses between 10.0.0.0 and 10.255.255.255) will be matched by this
rule, and then dropped, as indicated by the action.


(This excerpt from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO)



--
Ashley


Re: Configuring IPFW IP range

2010-04-04 Thread Carmel NY
On Sun, 04 Apr 2010 11:02:29 -0400, Ashley ash...@cpufight.com
articulated:

 On 04/04/2010 09:11 AM, Carmel NY wrote:
  This is my first attempt at configuring IPFW. I have it up and
  running; however, I am not quite sure how to accomplish configuring
  it to block an IP range.
 
  Assume an IP range: 219.128.0.0 to 219.137.255.255
 
  That is an actual range: CHINANET Guangdong province network
 
  I want to block the entire range. I am not sure how to do it in
  IPFW. I have read the 'man' pages; however, I am not getting the
  syntax correct since I cannot get the range added.
 Carmel,
 
 Have you tried something like what's mentioned in this excerpt quoted 
 below?:
 
 Network-based filtering works similarly, and the network
 notation there utilizes either bitmasks or netmasks, for instance:
 
 add 2000 allow all from 192.168.0.0/16 to any
 add 2100 deny all from any to 10.0.0.0:255.0.0.0
 
 The first rule allows all traffic from the network whose IP range
 is 192.168.0.0-192.168.255.255. It uses a bitmask to indicate this. A
 bitmask specifies how many bits from the network address (192.168.0.0)
 should remain the same for matching packets. In this instance, the
 first 16 bits out of the 32 bit address will remain the same, and as
 the first 16 bits happen to be the first two octets, 192.168, all
 addresses whose source addresses have the first two octets as 192.168
 will be matched by this rule. The second rule accomplishes a similar
 thing using netmasks. The netmask indicates how many bits from the
 indicated network address should be used for rule matching. In the
 above example, for rule two, the netmask is 255.0.0.0. Its first
 octet is set with high bits; in other words, the first 8 bits are set
 high. This indicates to ipfw(8) that only packets with the first 8
 bits of the network address (10.0.0.0) should be matched. As the
 first 8 bits of the network address equal 10, then all packets whose
 destination address have a 10 for the first octet (all addresses
 between 10.0.0.0 and 10.255.255.255) will be matched by this rule,
 and then dropped, as indicated by the action.
 
 
 (This excerpt from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO)

Thanks Maciej Suszko and Ashley. I used the ipcalc tool. I thought I
had seen something like that before; however, I was not able to recall
the name of the utility. I really have to study up on IPs and
networking.

-- 
Carmel
carmel...@hotmail.com


BACHELOR: A man who chases women and never Mrs. one.


Re: Configuring IPFW IP range [FreeBSD-questions] {offlist}

2010-04-04 Thread Robert Bonomi
 From owner-freebsd-questi...@freebsd.org  Sun Apr  4 08:12:11 2010
 Date: Sun, 4 Apr 2010 09:11:47 -0400
 From: Carmel NY carmel...@hotmail.com
 To: freebsd-questions@freebsd.org
 Subject: Configuring IPFW IP range

 This is my first attempt at configuring IPFW. I have it up and running;
 however, I am not quite sure how to accomplish configuring it to block
 an IP range.

 Assume an IP range: 219.128.0.0 to 219.137.255.255

 That is an actual range: CHINANET Guangdong province network

 I want to block the entire range. I am not sure how to do it in IPFW. I
 have read the 'man' pages; however, I am not getting the syntax correct
 since I cannot get the range added.


CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a 'power of
two' in size, and (c) be no larger than the 'power of 2' factor for the starting
address.  This range is _not_ that way [fails (b)], so you'll have to do it with
multiple entries.

i.e., one for 219.128.0.0/13 which will catch 219.128.0.0 - 219.135.255.255
and a 2nd for 219.136.0.0/15 which will catch 219.136.0.0 - 219.137.255.255

Life can get messier, when rule 3 comes into play; consider the block
219.130.0.0 to 219.139.255.255

219.130.0.0 is on a /15 boundary, so that's the max block size you can use
for that starting address.
   219.130.0.0/15   catches 219.130.0.0 - 219.131.255.255
next, you can start with 219.132.0.0, which is a /14, and block a /14 with
   219.132.0.0/14   catches 219.132.0.0 - 219.135.255.255
now, 219.136.0.0 is a /13, so you could block that big with just one more rule,
if needed (BUT, you only need another /14 to cover the remainder of the
group of 10 /16s that the initial block includes).  thus, lastly:
   219.136.0.0/14   catches 219.136.0.0 - 219.139.255.255

This should help you get the syntax right.



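
The three rules above are the greedy algorithm that ipcalc's "deaggregate" output comes from: at each step take the largest block that is aligned on the current start address and does not run past the end of the range, then continue from the address after it. What follows is an added example, not code from the thread or from ipcalc: it implements that walk in Python, cross-checks it against the standard library's ipaddress.summarize_address_range, and turns the result into ipfw deny rules. The rule numbering (start at 2000, step 10) is an assumption for illustration.

```python
"""Deaggregate an IPv4 range into CIDR blocks and emit ipfw deny rules.

Added example for the deaggregation discussed in the thread; the ipfw
rule numbering (start at 2000, step 10) is an assumption for illustration.
"""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def range_to_cidrs(first, last):
    """Greedy walk: the largest block that (a) is aligned on the current
    start and (b) ends at or before `last`, repeated until the range is used
    up. (a) is the 'power of 2 factor' of the start address: its lowest set bit."""
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("range start is after its end")
    blocks = []
    while lo <= hi:
        size = lo & -lo if lo else 1 << 32     # largest aligned block at lo
        while lo + size - 1 > hi:              # shrink until it fits the range
            size >>= 1
        prefix = 33 - size.bit_length()        # size == 2 ** (32 - prefix)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += size
    return blocks


def stdlib_cidrs(first, last):
    """Same result via the standard library, used here as a cross-check."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return [str(n) for n in nets]


def ipfw_deny_rules(first, last, start=2000, step=10):
    """One 'deny ip from <block> to any' line per CIDR block, in order."""
    return [f"ipfw add {start + i * step} deny ip from {cidr} to any"
            for i, cidr in enumerate(range_to_cidrs(first, last))]


if __name__ == "__main__":
    for rng in (("219.128.0.0", "219.137.255.255"),
                ("219.130.0.0", "219.139.255.255")):
        blocks = range_to_cidrs(*rng)
        assert blocks == stdlib_cidrs(*rng)
        print(rng, "->", blocks)
        print("\n".join(ipfw_deny_rules(*rng)))
```

For the range in the question this yields 219.128.0.0/13 and 219.136.0.0/15, and for the messier 219.130.0.0 - 219.139.255.255 case the /15, /14, /14 split worked out by hand above.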


Issues with configuring IPFW for NAT setup

2006-09-29 Thread Garrett Cooper
   I'm trying to configure a lightweight router/gateway just to block 
bad SMTP requests; many virii/spyware apps on Windoze boxes on my 
network have forced our ISP to almost shut us down more than once now 
because people don't know how to manage their machines =\.
   The problem with my config is that all that's going through the NAT 
machine are ICMP packets (?!). Weird..

   Anyhow, here's the ipfw configuration so far:

#!/bin/sh

# comment the line below and uncomment the line following that if you
# just want to test the rule output

cmd_flags="-f"
#cmd_flags="-n"
cmd="ipfw $cmd_flags"
cmd_a="$cmd add"
cmd_d="$cmd del"
ks="keep-state"

# just macros to simplify typing/reading
fata="from any to any"
aafat="allow all from any to"
daf="deny all from"
dafat="$daf any to"

prif="fxp0"
puif="xl0"

# trusted subnet
tsu="192.168.1.0/24"
# untrusted subnet
usu="192.168.0.0/24"

# IRC IDENT, HTTP, Sun RPC ports, uPnP ports, RDP ports, etc
bad_ports="81, 113, 137-139, 445, 901, 1026, 1433-1434, 1900, 2283, 2869, 3389, 5000, 8080"
# See /root/ports.html for a short list with explanations
virus_ports="1080, 2283, 2535, 2745, 3127-3198, 3410, 5554, 8866, 9898"


$cmd -f flush

$cmd_a 001 $aafat any via lo*

# Properly direct all incoming NAT redirects
$cmd_a 050 divert natd ip from any to me in via $puif


$cmd_a 081 $daf 172.16.0.0/12 to any   # reserved IPs
$cmd_a 082 $daf 10.0.0.0/8 to any      # reserved IPs
$cmd_a 083 $daf 127.0.0.0/8 to any     # loopback
$cmd_a 084 $daf 0.0.0.0/8 to any       # broadcast
$cmd_a 085 $daf 169.254.0.0/16 to any  # auto-DHCP
$cmd_a 086 deny tcp from 224.0.0.0/3 to any  # deny multicast TCP support

# private subnet firewall rules -- allow incoming SSH, HTTP, and HTTP-SSL
$cmd_a 160 allow all from any to me 22, 68-69, 80, 443 via $prif

# public SSH rules
$cmd_a 170 allow all from any to me 22 via $puif
$cmd_a 171 deny all from any to me 22, 68-69, 80, 443 via $puif

# SMTP rules -- basically allow SMTP traffic on port 25 to UW, Comcast,
# and Earthlink clients; block the rest to prevent mass spamming
$cmd_a 200 $aafat smtp.washington.edu 25 out via $puif
$cmd_a 201 $aafat smtp.comcast.net 25 out via $puif
$cmd_a 202 $aafat smtp.earthlink.net 25 out via $puif
$cmd_a 203 $dafat any 25 out via $puif

$cmd_a 400 $dafat any $bad_ports, $virus_ports via $puif
# deny any TCP traffic trying to be forwarded on ports 1-65535.
# Don't block UDP since MSN and other services like to randomly allocate
# ports in this range for UDP use.
# Note: 1-65535 is the whole port range, so this rule matches every TCP
# packet in either direction; TCP never reaches the NAT divert at 600 or
# the allow at 611 below, which leaves only ICMP and UDP getting through.
$cmd_a 401 deny tcp $fata 1-65535

# For outbound NAT translation
$cmd_a 600 divert natd all from $tsu to any out via $puif


$cmd_a 605 deny all from $usu to not me via $prif

$cmd_a 611 allow all $fata

Some additional helpful information:

FreeBSD router:
su-2.05b# uname -a
FreeBSD hummer.localdomain 6.1-RELEASE-p5 FreeBSD 6.1-RELEASE-p5 #10: 
Wed Sep 27 00:17:54 PDT 2006 
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/HUMMER  i386

su-2.05b# sysctl -n net.inet.ip.forwarding
1

   Another interesting thing is that it appears that I've totally 
screwed up my TCP configuration or something (or firewalled a bunch of 
ports), so my machine cannot access the outside world (even from 
localhost). The only thing that appears to be working is DNS resolving.. =\.


My routing tables:

su-2.05b# netstat -r -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0     2389    xl0
localhost          localhost          UH          0        2    lo0
192.168.0          link#2             UC          0        0    xl0
192.168.0.1        00:09:5b:56:c4:b4  UHLW        2        0    xl0   1175
hoover             00:0a:e6:47:73:c7  UHLW        1        2    xl0    957
sprsd              00:e0:7d:f7:6e:2e  UHLW        1    16281    xl0   1117
192.168.1          link#1             UC          0        0   fxp0
192.168.1.1        00:a0:c9:5e:ba:2d  UHLW        1        0    lo0
192.168.1.224      00:11:24:2f:15:bc  UHLW        1       51   fxp0    306

   My static routes in /etc/rc.conf:

#..snip..

#Route defs
static_routes="router tsu usu"
#static_routes="usu"
route_router="-net 0.0.0.0 192.168.0.1"
route_usu="-net 192.168.0.0/24 192.168.0.1"
route_tsu="-net 192.168.1.0/24 192.168.1.1"

#..end snip..

   Ping example of DNS resolving working:

su-2.05b# ping -c 3 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=246 time=84.567 ms
64 bytes from 64.233.187.99: icmp_seq=1 ttl=246 time=107.181 ms
64 bytes from 64.233.187.99: icmp_seq=2 ttl=246 time=84.443 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 84.443/92.064/107.181/10.690 ms
su-2.05b#

   IPFIREWALL sections of kernel config:

su-2.05b# grep IPFIREWALL /root/HUMMER
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options 

Configuring IPFW (Firewall) and Proxy/Nylon, Help Please

2004-09-13 Thread JP
Hello There,

I currently am a running 5.2.1-Release which is
configured as a gateway with kernel firewall support. 
I have installed Squid (Proxy) and Nylon (SOCKS) which
seem to be configured fine.  However, I need help in
getting all http/https traffic to only route to the
proxy (Port 3128) and all other traffic to point to
nylon (Port 1080).  This way the proxy and socks
server cannot be circumvented.  Could someone please
suggest some tips or a website?  I am using the
standard rc.firewall configuration.  

Thanks!

Below is my rc.conf file:

---

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="ed0"
#natd_flags="-f /etc/natd.conf"
hostname="**"
ifconfig_ed0="DHCP"
inetd_enable="YES"
keyrate="fast"
sshd_enable="YES"
usbd_enable="YES"
ifconfig_dc0="inet 192.168.1.254 netmask 255.255.255.0"
defaultrouter="192.168.1.254"






Re: Configuring IPFW (Firewall) and Proxy/Nylon, Help Please

2004-09-13 Thread Subhro
Hello,


On Mon, 13 Sep 2004 16:26:15 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
 Hello There,
 
 I currently am a running 5.2.1-Release which is
 configured as a gateway with kernel firewall support.
 I have installed Squid (Proxy) and Nylon (SOCKS) which
 seem to be configured fine.  However, I need help in
 getting all http/https traffic to only route to the
 proxy (Port 3128) and all other traffic to point to
 nylon (Port 1080).  This way the proxy and socks
 server cannot be circumvented.  Could someone please
 suggest some tips or a website?  I am using the
 standard rc.firewall configuration.
 

http runs on port 80 by default and https on port 443, so you can
divert incoming traffic on ports 80 and 443 to port 3128. And do not
forget to save the states for the incoming traffic or the reply
traffic won't get through.

For the latter section you can set up a default divert for everything
to port 1080.

 Thanks!

You are welcome

 
 Below is my rc.conf file:
 
 ---
 
 gateway_enable="YES"
 firewall_enable="YES"
 firewall_type="OPEN"   --- you need to remove this and make this point to your
 firewall ruleset file
 natd_enable="YES"   --- You need to comment this out because if natd is running the
 clients can anyway get through the NAT and avoid proxy.
 natd_interface="ed0"
 #natd_flags="-f /etc/natd.conf"
 hostname="**"
 ifconfig_ed0="DHCP"
 inetd_enable="YES"
 keyrate="fast"
 sshd_enable="YES"
 usbd_enable="YES"
 ifconfig_dc0="inet 192.168.1.254 netmask 255.255.255.0"
 defaultrouter="192.168.1.254"
 

Regards
S.


-- 
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India


Re: Configuring IPFW (Firewall) and Proxy/Nylon, Help Please

2004-09-13 Thread Subhro
On Tue, 14 Sep 2004 10:22:16 +0530, Subhro [EMAIL PROTECTED] wrote:
 Hello,
 
 
 On Mon, 13 Sep 2004 16:26:15 -0700 (PDT), JP [EMAIL PROTECTED] wrote:
  Hello There,
 
  I currently am a running 5.2.1-Release which is
  configured as a gateway with kernel firewall support.
  I have installed Squid (Proxy) and Nylon (SOCKS) which
  seem to be configured fine.  However, I need help in
  getting all http/https traffic to only route to the
  proxy (Port 3128) and all other traffic to point to
  nylon (Port 1080).  This way the proxy and socks
  server cannot be circumvented.  Could someone please
  suggest some tips or a website?  I am using the
  standard rc.firewall configuration.
 
 
 http runs on port 80 by default and https on port 443 so you can
 divert incoming traffic on port 80 and 443 on port 3128. And do not
 forget to save the states for the incoming traffic or the reply
 traffic wont get through.
 
 For the later section you can set up a  default divert for everthing
 to port 1080.
 
  Thanks!
 
 You are welcome
 
 
  Below is my rc.conf file:
 
  ---
 
  gateway_enable="YES"
  firewall_enable="YES"
  firewall_type="OPEN"   --- you need to remove this and make this point to your
  firewall ruleset file
  natd_enable="YES"   --- You need to comment this out because if natd is running
  the clients can anyway get through the NAT and avoid proxy.
  natd_interface="ed0"
  #natd_flags="-f /etc/natd.conf"
  hostname="**"
  ifconfig_ed0="DHCP"
  inetd_enable="YES"
  keyrate="fast"
  sshd_enable="YES"
  usbd_enable="YES"

Sorry to backpost, but what are you trying to achieve by the next two lines?

  ifconfig_dc0="inet 192.168.1.254 netmask 255.255.255.0"
  defaultrouter="192.168.1.254"

Regards
S.

-- 
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India


problems configuring ipfw via raw sockets

2003-01-23 Thread Alex
Hi ppl!

I need to use direct access to ipfw rules via raw sockets instead of
some scripts using the ipfw utility.

I looked into the ipfw sources and made a simple program to test if I could
add a simple rule this way.
Just rewrote pieces of the original code into my program w/out any serious
change.

But setsockopt() always returns EINVAL and the string msg "Invalid argument".
And no details. Hence I'm in a fix. I cannot get what's wrong indeed.
It's my first experience with configuring ipfw this way and maybe I
missed something obvious for a guru :0)

Here I place my code (short enough).
Any advice would be appreciated.
Maybe some links to some docs - I failed to find anything but a very
short info in the manpages.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <netinet/in.h>
#include <netinet/ip_fw.h>
#include <arpa/inet.h>
#include <netdb.h>

int test(void)
{
    int sock, res, sz;
    struct ip_fw rule;

    /* ipfw(8) itself talks to the kernel over a raw IP socket */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock == -1) {
        printf("\n\nsocket() failed with \"%s\"\n\n", strerror(errno));
        return -1;
    }

    memset(&rule, 0, sizeof(struct ip_fw));

    rule.fw_number = 700;
    /* action plus direction flags; ipfw(8) sets both IN and OUT
       when neither "in" nor "out" is given on the command line */
    rule.fw_flg = IP_FW_F_DENY | IP_FW_F_IN | IP_FW_F_OUT;
    rule.fw_src.s_addr = inet_addr("195.48.121.34");
    rule.fw_smsk.s_addr = inet_addr("255.255.255.255");
    rule.fw_dst.s_addr = inet_addr("127.0.0.0");
    rule.fw_dmsk.s_addr = inet_addr("255.0.0.0");

    rule.fw_prot = IPPROTO_IP;   /* "ip": match any protocol */

    /* the whole struct ip_fw is the option value, by address and size */
    sz = sizeof(struct ip_fw);
    res = setsockopt(sock, IPPROTO_IP, IP_FW_ADD, &rule, sz);
    if (res == -1) {
        printf("\n\nsetsockopt() failed with \"%s\"\n\n", strerror(errno));
        return -1;
    }

    return 0;
}

int main(void)
{
    test();
    return 0;
}


Alexander Komratov


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message