Re: IPFW Rule

2008-11-22 Thread Tom Marchand


On Nov 21, 2008, at 6:25 PM, Wojciech Puchar wrote:

>> I am trying to add an IPFW rule to forward traffic but I keep
>> getting the message ipfw: getsockopt(IP_FW_ADD): Invalid
>> argument.  The rule I am trying to add looks like this:
>>
>> ipfw add 600 fwd 192.169.2.3, 6000 tcp from 192.169.2.3 to any 80
>>
>> I do have IP Forwarding enabled.  Any ideas what I am doing wrong?
>
> rule looks OK, but your message clearly suggests you DO NOT have IP
> forwarding enabled

Interesting, sysctl reports that forwarding is enabled:

$ sysctl -a |grep forward
net.inet.ip.forwarding: 1

IP forwarding is enabled in GENERIC, isn't it?  I am running 6.1-RELEASE
FreeBSD 6.1-RELEASE #0.
___

freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW Rule

2008-11-22 Thread Chris Pratt


On Nov 22, 2008, at 5:43 AM, Tom Marchand wrote:

> On Nov 21, 2008, at 6:25 PM, Wojciech Puchar wrote:
>
>>> I am trying to add an IPFW rule to forward traffic but I keep
>>> getting the message ipfw: getsockopt(IP_FW_ADD): Invalid
>>> argument.  The rule I am trying to add looks like this:
>>>
>>> ipfw add 600 fwd 192.169.2.3, 6000 tcp from 192.169.2.3 to any 80
>>>
>>> I do have IP Forwarding enabled.  Any ideas what I am doing wrong?
>>
>> rule looks OK, but your message clearly suggests you DO NOT have IP
>> forwarding enabled
>
> Interesting, sysctl reports that forwarding is enabled:
>
> $ sysctl -a |grep forward
> net.inet.ip.forwarding: 1
>
> IP forwarding is enabled in GENERIC, isn't it?  I am running 6.1-RELEASE
> FreeBSD 6.1-RELEASE #0.

I'm looking at a 6.2 box that does forwarding. The GENERIC
kernel does not have this line:

options IPFIREWALL_FORWARD

In my kernel, I am using that. Recollection is you need this
specified explicitly. I could be wrong.








Re: IPFW Rule

2008-11-22 Thread Wojciech Puchar
>> rule looks OK, but your message clearly suggests you DO NOT have IP
>> forwarding enabled
>
> Interesting, sysctl reports that forwarding is enabled:
>
> $ sysctl -a |grep forward
> net.inet.ip.forwarding: 1

it's not that. it's about routing, not ipfw forwarding

you need

IPFIREWALL_FORWARD

option in kernel.


Re: IPFW Rule

2008-11-22 Thread Tom Marchand


On Nov 22, 2008, at 10:37 AM, Wojciech Puchar wrote:

>>> rule looks OK, but your message clearly suggests you DO NOT have IP
>>> forwarding enabled
>>
>> Interesting, sysctl reports that forwarding is enabled:
>>
>> $ sysctl -a |grep forward
>> net.inet.ip.forwarding: 1
>
> it's not that. it's about routing, not ipfw forwarding
>
> you need
>
> IPFIREWALL_FORWARD
>
> option in kernel.

Thanks, that was it.


IPFW Rule

2008-11-21 Thread Tom Marchand
I am trying to add an IPFW rule to forward traffic but I keep getting
the message ipfw: getsockopt(IP_FW_ADD): Invalid argument.  The rule
I am trying to add looks like this:


ipfw add 600 fwd 192.169.2.3, 6000 tcp from 192.169.2.3 to any 80

I do have IP Forwarding enabled.  Any ideas what I am doing wrong?


Re: ipfw rule question ... all possible interfaces ?

2007-11-05 Thread Ian Smith
On Mon, 5 Nov 2007 00:22:00 + RW [EMAIL PROTECTED] wrote:
  On Sun, 4 Nov 2007 16:10:12 -0800 (PST)
  Juri Mianovich [EMAIL PROTECTED] wrote:
  
   
   Is there a way to tell ipfw:
   
   all interfaces currently configured on this system ?
   
  ...
   
   So if I have a rule like:
   
   allow ip from any to any via iwi0
  
  
  You don't have to use via in a rule.

That's true, though you can also specify 'via any'.  Whether either is
actually a good idea for the case in question may be another matter .. 

Cheers, Ian



Re: ipfw rule question ... all possible interfaces ?

2007-11-05 Thread Nikos Vassiliadis
On Monday 05 November 2007 02:10:12 Juri Mianovich wrote:
 Is there a way to tell ipfw:

 all interfaces currently configured on this system ?

That's not possible directly, I think.

 I have a laptop and at any time I could plug in a USB
 NIC or plug in a pccard, in addition to the onboard
 LAN and WIFI, either of which may or may not be
 configured at boot time.

Being configured or not isn't a problem for ipfw.
The interface is just a string and can be anything
regardless of validity, such as rl0, fxp0, blah etc.
Asterisks can also be used for shell-like
interface-name matching, e.g. rl*


 So the point is, the active, configured interfaces
 change regularly.

 So if I have a rule like:

 allow ip from any to any via iwi0

 that won't work well, and neither will:

 allow ip from any to any via iwi0,abc0

I am not sure you have understood the via keyword correctly.
Read the ipfw manual. Not all packets have receive or transmit
interfaces, so that might be a problem you haven't considered.

Is via what you want?

 So is there any way to say all interfaces currently
 configured and have that rule apply to new interfaces
 automatically as they are added and subtracted from
 the system ?

You can use me which is an alias for my IP addresses.

allow ip from any to me
allow ip from me to any

This ruleset effectively allows all traffic from you to
the world and from the world to you. Of course there is
no interface checking.

HTH, Nikos


ipfw rule question ... all possible interfaces ?

2007-11-04 Thread Juri Mianovich

Is there a way to tell ipfw:

all interfaces currently configured on this system ?

I have a laptop and at any time I could plug in a USB
NIC or plug in a pccard, in addition to the onboard
LAN and WIFI, either of which may or may not be
configured at boot time.

So the point is, the active, configured interfaces
change regularly.

So if I have a rule like:

allow ip from any to any via iwi0

that won't work well, and neither will:

allow ip from any to any via iwi0,abc0

So is there any way to say all interfaces currently
configured and have that rule apply to new interfaces
automatically as they are added and subtracted from
the system ?



Re: ipfw rule question ... all possible interfaces ?

2007-11-04 Thread RW
On Sun, 4 Nov 2007 16:10:12 -0800 (PST)
Juri Mianovich [EMAIL PROTECTED] wrote:

 
 Is there a way to tell ipfw:
 
 all interfaces currently configured on this system ?
 
...
 
 So if I have a rule like:
 
 allow ip from any to any via iwi0


You don't have to use via in a rule.


RE: ipfw rule question ... all possible interfaces ?

2007-11-04 Thread Chris Haulmark

 
 
 Is there a way to tell ipfw:
 
 all interfaces currently configured on this system ?
 
 I have a laptop and at any time I could plug in a USB
 NIC or plug in a pccard, in addition to the onboard
 LAN and WIFI, either of which may or may not be
 configured at boot time.
 
 So the point is, the active, configured interfaces
 change regularly.
 
 So if I have a rule like:
 
 allow ip from any to any via iwi0
 
 that won't work well, and neither will:
 
 allow ip from any to any via iwi0,abc0
 
 So is there any way to say all interfaces currently
 configured and have that rule apply to new interfaces
 automatically as they are added and subtracted from
 the system ?

Try this:
allow ip from any to any

Just leave out via

 


IPFW rule syntax

2007-02-28 Thread n j

Hello,

I have observed the following behavior in IPFW (note the asterisks):

ipfw add 1000 allow tcp from 10.1.2.3  to 10.3.2.1 ** in

gets added to the rule list as:

01000 allow tcp from 10.1.2.3  to 10.3.2.1 *dst-port * in?

Why does IPFW convert my  to dst-port  and  doesn't
get converted to something like src-port ? Does someone know a
logical explanation for this or is this a halfway done attempt of
making the rules more readable?

This behavior is not a problem, but older versions of IPFW don't
exhibit it, so it was probably added for some reason.

Thanks!

--
Nino


Re: Need help with IPFW rule

2004-10-16 Thread Norm Vilmer
Lowell Gilbert wrote:
Norm Vilmer [EMAIL PROTECTED] writes:

I get this message (below) on the console of my FreeBSD 4.10 firewall:
Connection attempt to TCP my public ip:20388 from 61.151.248.42:80
flags 0x12
It appears that this is getting through the firewall and is logged to
the console because log_in_vain is 1.
Question: What IPFW rule would block this without interfering with
normal http traffic on port 80 (I have Apache running on the box and
nat'd machines on the inside interface that access the Internet)?

In most peoples' configurations, this would be getting blocked by a
default block-all rule.  The users' connection out on port 80 would be
accepted by a rule that is specific to the outgoing direction, and
incoming packets on those connections would be accepted by either
keeping state or by letting in only non-SYN packets.
I added log statements to every ipfw rule last night and ran tethereal
against my public interface to get more info on what is happening. It
looks like rule 600 is letting the connection attempts through before it
gets to the deny all rule.
Here's what rule 600 looks like:
${cmd} add 600 pass log tcp from any to any established
Here's the console messages from log_in_vain:
Oct 16 00:03:42 mother /kernel: Oct 16 00:03:42 mother /kernel:
Connection attempt to TCP my public ip:3672 from 69.93.197.98:80
flags:0x12
Oct 16 01:47:34 mother /kernel: Oct 16 01:47:34 mother /kernel:
Connection attempt to TCP my public ip:22813 from 69.93.197.98:80
flags:0x12
Oct 16 01:59:35 mother /kernel: Oct 16 01:59:35 mother /kernel:
Connection attempt to TCP my public ip:25475 from 69.93.197.98:80
flags:0x12
Oct 16 02:14:23 mother /kernel: Oct 16 02:14:23 mother /kernel:
Connection attempt to TCP my public ip:14512 from 69.93.197.98:80
flags:0x12
Here's the IPFW logs:
Oct 16 00:03:42 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80
my public ip:3672 in via tun0
Oct 16 01:47:34 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80
my public ip:22813 in via tun0
Oct 16 01:59:35 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80
my public ip:25475 in via tun0
Oct 16 02:14:23 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80
my public ip:14512 in via tun0
Here's the tethereal output:
 74 1132.587912 69.93.197.98 -> my public ip TCP http > 3672 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
238 7364.391310 69.93.197.98 -> my public ip TCP http > 22813 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
259 8085.745452 69.93.197.98 -> my public ip TCP http > 25475 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
270 8973.898736 69.93.197.98 -> my public ip TCP http > 14512 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
I am stumped, how can I block these packets? Is the person sending
the packets trying to get packets through as established when they are
really not? Why? Is this a threat?



Re: Need help with IPFW rule

2004-10-11 Thread Lowell Gilbert
Norm Vilmer [EMAIL PROTECTED] writes:

 I get this message (below) on the console of my FreeBSD 4.10 firewall:
 
 Connection attempt to TCP my public ip:20388 from 61.151.248.42:80
 flags 0x12
 
 It appears that this is getting through the firewall and is logged to
 the console because log_in_vain is 1.
 
 Question: What IPFW rule would block this without interfering with
 normal http traffic on port 80 (I have Apache running on the box and
 nat'd machines on the inside interface that access the Internet)?

In most peoples' configurations, this would be getting blocked by a
default block-all rule.  The users' connection out on port 80 would be
accepted by a rule that is specific to the outgoing direction, and
incoming packets on those connections would be accepted by either
keeping state or by letting in only non-SYN packets.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org:8088/~lowell/
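The point Lowell makes here, and what went wrong with Norm's rule 600, can be seen by modelling ipfw's two option checks side by side: "established" only looks at the ACK/RST bits, while "setup keep-state" plus "check-state" only admit replies to a connection the firewall saw leave. This is an editor's added example, not code from the thread: the public address, the stateful rule numbers and the little evaluator are assumptions, while the packet is the first SYN/ACK from Norm's logs (flags 0x12 is SYN plus ACK).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits as packed into the value log_in_vain prints ("flags 0x12").
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
SYN, RST, ACK = 0x02, 0x04, 0x10

def decode_flags(value: int) -> List[str]:
    """Names of the flags set in a log_in_vain flags value."""
    return [name for name, bit in FLAG_BITS if value & bit]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str  # "in" or "out" as seen by the firewall

def is_established(p: Packet) -> bool:
    # ipfw(8) "established": ACK or RST set. No state is consulted, so an
    # unsolicited SYN/ACK qualifies just as well as a real reply.
    return bool(p.flags & (ACK | RST))

def is_setup(p: Packet) -> bool:
    # ipfw(8) "setup": SYN set and ACK clear, i.e. a connection request.
    return bool(p.flags & SYN) and not (p.flags & ACK)

@dataclass
class Rule:
    number: int
    action: str                      # "allow", "deny" or "check-state"
    direction: Optional[str] = None  # "in"/"out"; None matches either
    dport: Optional[int] = None      # destination port; None matches any
    established: bool = False
    setup: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or p.direction == self.direction)
                and (self.dport is None or p.dport == self.dport)
                and (not self.established or is_established(p))
                and (not self.setup or is_setup(p)))

Flow = Tuple[str, int, str, int]

class Firewall:
    """First-match evaluation plus a dynamic table keyed by the 4-tuple
    (keep-state), which check-state consults in both directions."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic: Dict[Flow, int] = {}  # flow -> rule that created it

    def check(self, p: Packet) -> Tuple[str, Optional[int]]:
        flow: Flow = (p.src, p.sport, p.dst, p.dport)
        reverse: Flow = (p.dst, p.dport, p.src, p.sport)
        for rule in self.rules:
            if rule.action == "check-state":
                parent = self.dynamic.get(flow, self.dynamic.get(reverse))
                if parent is not None:
                    return "allow", parent
                continue
            if rule.matches(p):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic[flow] = rule.number
                return rule.action, rule.number
        return "deny", None  # default deny, like Norm's deny-all rule

# Norm's rule 600 sitting in front of his deny-all.
NORM_RULES = [Rule(600, "allow", established=True), Rule(65534, "deny")]

# The shape Lowell describes: state for outbound web connections, a
# check-state in front, everything else denied (numbers are assumed).
STATEFUL_RULES = [
    Rule(100, "check-state"),
    Rule(200, "allow", direction="out", dport=80, setup=True, keep_state=True),
    Rule(65534, "deny"),
]

PUBLIC_IP = "203.0.113.5"  # constructed stand-in for "my public ip"

# The first packet in Norm's logs: SYN/ACK from 69.93.197.98:80 to port
# 3672, with no outbound SYN ever having been sent.
BACKSCATTER = Packet("69.93.197.98", 80, PUBLIC_IP, 3672, 0x12, "in")

def unsolicited_synack_verdicts() -> Tuple[str, str]:
    """Verdict on the logged SYN/ACK under each ruleset."""
    return (Firewall(NORM_RULES).check(BACKSCATTER)[0],
            Firewall(STATEFUL_RULES).check(BACKSCATTER)[0])

def legitimate_reply_verdicts() -> Tuple[str, str]:
    """The same SYN/ACK once our own SYN has created a dynamic rule."""
    fw = Firewall(STATEFUL_RULES)
    syn = Packet(PUBLIC_IP, 3672, "69.93.197.98", 80, SYN, "out")
    return fw.check(syn)[0], fw.check(BACKSCATTER)[0]
```

Under rule 600 the unsolicited SYN/ACK is accepted, under the stateful set it is dropped, and the identical packet is accepted once the firewall has seen the matching outbound SYN.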


Need help with IPFW rule

2004-10-08 Thread Norm Vilmer
I get this message (below) on the console of my FreeBSD 4.10 firewall:
Connection attempt to TCP my public ip:20388 from 61.151.248.42:80
flags 0x12
It appears that this is getting through the firewall and is logged to
the console because log_in_vain is 1.
Question: What IPFW rule would block this without interfering with
normal http traffic on port 80 (I have Apache running on the box and
nat'd machines on the inside interface that access the Internet)?



ipfw rule deletion

2004-07-18 Thread Aaron Dalton
I am using Doorman (http://doorman.sourceforge.net)as a port knocking
daemon and I need to write a short script that adds and deletes rules to
the ipfw firewall.  I can add them just fine, but I can't find the best
way to delete them.  Is the only way to specify the exact rule number?
Below is the add script itself.  Thanks for your help!

#!/bin/sh
#
#  file ipfw_add
#  Sample firewall-add script, called by doormand.
#  This example can be used by systems which use ipfw.
#
#  Called with five arguments:
#
# $1 : name of the interface (e.g. eth0)
# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
# $3 : source port; when this script is called for the first time
#  for a connection (man 8 doormand), this argument will be set
#  to a single 0 (0x30) character.  This means that the source
#  port is not yet known, and a broad rule allowing any source
#  port is required.
# $4 : destination IP; that is, the IP address of the interface
#  in argument 1.
# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
#
#
if [ "$3" = 0 ]
then
    # source port not known yet: allow any source port from the knock client
    ipfw add allow log tcp from "$2" to "$4" "$5" in setup keep-state
else
    ipfw add allow log tcp from "$2" "$3" to "$4" "$5" in setup keep-state
fi

err=$?

if [ "$err" = 0 ]
then
    echo 0
else
    # hand the ipfw exit code back to doormand on stdout; the redirection
    # for the message was lost in the archive, stderr is assumed here
    echo "$err"
    echo "The firewall_add script sez: Dang." >&2
fi


-- 
Aaron Dalton
[EMAIL PROTECTED]
PGPKeyID# 0x65AB5571




Re: ipfw rule deletion

2004-07-18 Thread Paul Schmehl
--On Sunday, July 18, 2004 11:43 AM -0600 Aaron Dalton 
[EMAIL PROTECTED] wrote:

I am using Doorman (http://doorman.sourceforge.net)as a port knocking
daemon and I need to write a short script that adds and deletes rules to
the ipfw firewall.  I can add them just fine, but I can't find the best
way to delete them.  Is the only way to specify the exact rule number?
Yes.
Just use awk to extract the number.  One way to handle it would be to write 
each add rule to a text file.  Then, when you want to delete the rule, you 
grab the IP address from the text file, and then use awk to find the right 
rule.  Something like this:

${fwcmd} delete $(${fwcmd} list | awk -v ip="$IP" 'index($0, ip) { print $1 }')
# $IP is handed to awk with -v (inside single quotes the shell would leave
# it unexpanded), and awk reads the current rule listing on its input.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
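One thing to watch in that awk match: a bare pattern such as 10.1.1.1 also matches 10.1.1.10 (and any rule that has the address as destination), so a delete script can take out another knock client's rule. The added example below is editor's code, not part of this thread or of Doorman, and the ipfw list output it reads is constructed; it selects rule numbers only where the token after "from" is exactly the client's address and builds the delete commands from them.

```python
from typing import List

# Constructed stand-in for what `ipfw list` prints after a few knocks.
# Note that ipfw itself rewrites "to 192.0.2.10 22" as "dst-port 22".
IPFW_LIST = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow log tcp from 10.1.1.1 to 192.0.2.10 dst-port 22 in setup keep-state
00400 allow log tcp from 10.1.1.10 to 192.0.2.10 dst-port 22 in setup keep-state
00500 allow log tcp from 10.1.1.1 1025 to 192.0.2.10 dst-port 22 in setup keep-state
65535 deny ip from any to any
"""


def rules_by_substring(listing: str, ip: str) -> List[int]:
    """What awk '/ip/ {print $1}' selects: every line containing the text,
    so asking for 10.1.1.1 also picks up the 10.1.1.10 client's rule."""
    return [int(line.split()[0]) for line in listing.splitlines() if ip in line]


def rules_from_source(listing: str, ip: str) -> List[int]:
    """Rule numbers whose source address is exactly ip: the token right
    after 'from' must equal it, which excludes 10.1.1.10 and any rule
    that merely has the address as destination."""
    numbers = []
    for line in listing.splitlines():
        fields = line.split()
        for i in range(len(fields) - 1):
            if fields[i] == "from" and fields[i + 1] == ip:
                numbers.append(int(fields[0]))
                break
    return numbers


def delete_commands(listing: str, ip: str, ipfw: str = "/sbin/ipfw") -> List[str]:
    """The ipfw invocations a firewall-delete script would run for one client."""
    return [f"{ipfw} delete {n}" for n in rules_from_source(listing, ip)]
```

Feeding the real listing in is a matter of replacing IPFW_LIST with the output of `ipfw list`; the selection logic stays the same.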


ipfw2: mac any any blocks ipfw rule

2004-05-15 Thread Rob
Hi,
I use FreeBSD 4.9-Stable, with IPFW2 compiled in.
I have an ipfw rule as follows:
  ipfw allow udp from 11.22.33.44 to any in via rl0
which works fine for my purpose (I faked the IP address for this email).
Next I needed to add MAC-checking on this rule, so to begin with
I tried to add a dummy mac-check (allow all mac addresses in  out):
  ipfw allow udp from 11.22.33.44 to any in via rl0 mac any any
But this will block, whatever was allowed by the previous version of
this rule. How is that possible?
In this mailinglist I also found a note on:
  sysctl net.link.ether.ipfw=1
which I did, to no avail.
Any ideas, or is MAC-checking broken with ipfw2?
Thanks,
Rob.


Divert and ipfw rule numbers

2004-02-26 Thread Matthew Goward
I am currently playing with a toy app using divert and ipfw
on 5.2.1.  One of the bits of info I am trying to get ahold of
is the rule number in ipfw that sent the diverted packet over to
me.  The DIVERT(4) man page states:

Diverted packets may be read unaltered via read(2), recv(2),
or recvfrom(2).  In the latter case, the address returned
will have its port set to some tag supplied by the packet
diverter, (usually the ipfw rule number)

But I can't seem to get it to do so, nor am I really sure I want
it to do so.  I still need the source and dest ip and ports,
along with the IPFW rule number.  Here is a bit of what I have
(all the error checking and setup stuff pulled out for brevity)

/* Reconstructed from the fragment as posted so that it compiles: the
 * declarations and error checking that were pulled out are put back. The
 * tag divert(4) talks about, usually the ipfw rule number, is returned in
 * sin.sin_port of the address recvfrom() fills in; the original printed
 * sin.sin_addr but never that field, which is why no rule number showed. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 65535

int main(int argc, char **argv)
{
    const char *progname = argv[0];
    struct sockaddr_in bindPort, sin;
    socklen_t sinlen;
    unsigned char packet[BUFSIZE];
    struct ip *iphdr;
    struct tcphdr *tcphdr;
    size_t hlen;
    ssize_t n;
    int fd;

    if (argc != 2) {
        fprintf(stderr, "usage: %s divert-port\n", progname);
        return 1;
    }

    /* get a socket */
    if ((fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)) < 0) {
        perror("socket");
        return 1;
    }

    /* bind to it: the port is the one named in the ipfw divert rule */
    memset(&bindPort, 0, sizeof(bindPort));
    bindPort.sin_family = AF_INET;
    bindPort.sin_port = htons((unsigned short)atoi(argv[1]));
    bindPort.sin_addr.s_addr = 0;
    if (bind(fd, (struct sockaddr *)&bindPort, sizeof(bindPort)) != 0) {
        perror("bind");
        return 1;
    }

    /* start grabbing data (loop adapted from the divert socket mini-FAQ) */
    while (1) {
        sinlen = sizeof(sin);
        n = recvfrom(fd, packet, BUFSIZE, 0, (struct sockaddr *)&sin, &sinlen);
        if (n < (ssize_t)sizeof(struct ip)) {
            if (n < 0)
                perror("recvfrom");
            continue;
        }
        iphdr = (struct ip *)packet;
        hlen = iphdr->ip_hl * 4;  /* honour IP options, not just sizeof(struct ip) */
        tcphdr = NULL;
        if (iphdr->ip_p == IPPROTO_TCP && (size_t)n >= hlen + sizeof(struct tcphdr))
            tcphdr = (struct tcphdr *)(packet + hlen);

        printf("\n%s: Source address: %s\n", progname, inet_ntoa(iphdr->ip_src));
        if (tcphdr)
            printf("%s: Source port: %d\n", progname, ntohs(tcphdr->th_sport));
        printf("%s: Destination address: %s\n", progname, inet_ntoa(iphdr->ip_dst));
        if (tcphdr)
            printf("%s: Destination port: %d\n\n", progname, ntohs(tcphdr->th_dport));

        printf("%s: Receiving IF address: %s\n", progname, inet_ntoa(sin.sin_addr));
        /* the missing piece: FreeBSD stores the rule number in sin_port as a
         * plain integer, so it is printed without ntohs() */
        printf("%s: Divert tag (ipfw rule number): %u\n", progname, (unsigned)sin.sin_port);
        printf("%s: Protocol number: %i\n", progname, iphdr->ip_p);
        printf("%s: Header length: %i\n", progname, iphdr->ip_hl);
        printf("%s: Header ttl: %i\n", progname, iphdr->ip_ttl);
        printf("%s: Header sum: %i\n\n", progname, iphdr->ip_sum);

        if (tcphdr) {
            /* sequence numbers are 32 bits: ntohl, where the post used ntohs */
            printf("%s: Sequence Number %u\n", progname, (unsigned)ntohl(tcphdr->th_seq));
            printf("%s: Acknowledgement Number %u\n\n", progname, (unsigned)ntohl(tcphdr->th_ack));
        }

        /* hand the packet back to the stack; it continues after the divert rule */
        if (sendto(fd, packet, (size_t)n, 0, (struct sockaddr *)&sin, sinlen) < 0)
            perror("sendto");
        else
            printf("%zd bytes reinjected.\n", n);
    }
}

And it all works as you would expect.  This really was from source port 1360
and to port 25.  

The packet in hex:
69 16 00 52 247 230 64 00 64 06 61 91 192 168 66 11 
192 168 66 22 05 80 00 25 49 238 186 32 30 184 225 162 
128 16 226 64 195 168 00 00 01 01 08 10 27 81 180 235 
00 38 09 44 
Source address: 192.168.66.11
Source port: 1360
Destination address: 192.168.66.22
Destination port: 25
Receiving IF address: 192.168.66.22
Protocol number: 6
Header length: 5
Header ttl: 64
Header sum: 23357

Sequence Number 12782
Acknowledgement Number 7864

DIVERT 52 bytes
52 bytes reinjected.

Now, I need the data this way as i am also stuffing it off to a file in pcap
format.  But from reading the divert man page I would expect to see the rule
number somewhere.


Sorry to have rambled on so much. I just want to know how I can continue to
get all the data I have now, but also find out what rule number ipfw is hitting
on before diverting to me.

Thank you so much for your help,

Matthew Goward
m g o w a r d @ e v i l o v e r l o r d . o r g 


[EMAIL PROTECTED] 906 uname -a
FreeBSD IneedAname 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Thu Feb 26 12:57:33 GMT 
2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MATT  i38

[EMAIL PROTECTED] 909 diff MATT GENERIC
49c49
 options   SCSI_DELAY=2000 #Delay (in ms) before probing SCSI
---
 options   SCSI_DELAY=15000#Delay (in ms) before probing SCSI
60,69d59
 options IPFIREWALL  #firewall
 options IPFIREWALL_VERBOSE  #enable logging to syslogd(8)
 options IPDIVERT#divert sockets
 options IPFIREWALL_VERBOSE_LIMIT=100 
 #optionsIPFIREWALL_DEFAULT_TO_ACCEPT
 options RANDOM_IP_ID
 options DUMMYNET
 options TCP_DROP_SYNFIN
 options IPSTEALTH
 #options ICMP_BANDLIM


1482549 divert  tcp from 192.168.66.11 to 192.168.66.22 dst-port 25
1 0   0 divert  udp from 192.168.55.22 to 192.168.66.22 dst-port 25
2 0   0 divert  tcp from 192.168.66.22 25 to 192.168.55.22
2 0   0 divert  udp from 192.168.66.22 25 to 192.168.55.22
00100542914 allow ip from any to any via lo0
00200 0   0 deny ip from any to 127.0.0.0/8
00300 0   0 deny ip from 127.0.0.0/8 to any
65000 34423 9607284 allow ip from any to any

Re: IPFW Rule set question...

2004-01-26 Thread Drew Robertson
Thanks for your reply.

I don't understand what you mean when you say NAT modifications... meaning 
how the packets are changed on the gateway to allow them to be seen as 
transparent from behind??

When I do a netstat -an while connected remotely it shows the connection on 
SSH as coming from 203.10.10.38, but when I add a rule to allow everything 
from that net it still won't allow access...

I did add the rule before the divert, but i still couldn't connect until i 
added an allow all manually...

i also tried opening up the ssh port to everyone, with allow tcp from any to 
me 22 via tl0, but that wouldn't allow a connection either...

It's a bit confusing...

Thanks again,

D


From: Lowell Gilbert [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Drew Robertson [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: IPFW Rule set question...
Date: 24 Dec 2003 16:43:49 -0500
Drew Robertson [EMAIL PROTECTED] writes:

 I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it
 is dual homed, 2 NICs one for the internal LAN one running my cable
 modem.  Everything works fine on the internal side.

 When accessing the box using any of those apps from work, the system
 looks to briefly connect and then returns a Connection Lost or
 Connection closed by remote host error.

 The command setup to allow in access is as follows...

 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup
I assume these are supposed to have keep-state in them.
It *is* written that way in the full ruleset you posted lower down.
 when this didn't work I added another command at the start of the
 ruleset to just let everything in from a particular IP address range...

 202 allow ip from 203.10.10.0/24 to any

 however this produced the same error...

 It wasn't until I allowed all from any to any that I was able to 
connect...

Then the packets aren't actually being seen as coming from that
address.  Maybe you're running into NAT modifications?
 When checking out the security log, it tells me that rule 820 is
 allowing access to my computer at home...
But only for SYN packets...

--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password public


Re: IPFW Rule set question...

2003-12-24 Thread Lowell Gilbert
Drew Robertson [EMAIL PROTECTED] writes:

 I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it
 is dual homed, 2 NICs one for the internal LAN one running my cable
 modem.  Everything works fine on the internal side.
 
 When accessing the box using any of those apps from work, the system
 looks to briefly connect and then returns a Connection Lost or
 Connection closed by remote host error.
 
 The command setup to allow in access is as follows...
 
 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup

I assume these are supposed to have keep-state in them.
It *is* written that way in the full ruleset you posted lower down.

 when this didn't work I added another command at the start of the
 ruleset to just let everything in from a particular IP address range...
 
 202 allow ip from 203.10.10.0/24 to any
 
 however this produced the same error...
 
 It wasn't until I allowed all from any to any that I was able to connect...

Then the packets aren't actually being seen as coming from that
address.  Maybe you're running into NAT modifications?

 When checking out the security log, it tells me that rule 820 is
 allowing access to my computer at home...

But only for SYN packets...


-- 
Lowell Gilbert, embedded/networking software engineer, Boston area: 
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password public


Re: IPFW Rule set question...

2003-12-24 Thread Rob
Just a very quick suggestion - when you get an initial connection that
closes almost immediately, it is usually TCP wrappers rather than a
firewall. Have you checked /etc/hosts.allow?

- Original Message -
From: Drew Robertson [EMAIL PROTECTED]
Subject: IPFW Rule set question...



 Hi everyone,

 Thanks to those who take the time to read and reply to these emails.

 I have a strange issue regarding my firewall (IPFW)...

 I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it
is
 dual homed, 2 NICs one for the internal LAN one running my cable
modem.
 Everything works fine on the internal side.

 When accessing the box using any of those apps from work, the system
looks
 to briefly connect and then returns a Connection Lost or Connection
 closed by remote host error.

 The command setup to allow in access is as follows...

 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup

 when this didn't work I added another command at the start of the
ruleset to
 just let everything in from a particular IP address range...

 202 allow ip from 203.10.10.0/24 to any

 however this produced the same error...

 It wasn't until I allowed all from any to any that I was able to
connect...

 When checking out the security log, it tells me that rule 820 is
allowing
 access to my computer at home...


 Ruleset is attached completely below

 /sbin/ipfw -q -f flush

 # Set rules command prefix
 # The -q option on the command is for quiet mode.
 # Do not display rules as they load. Remove during development to see.
 cmd=/sbin/ipfw -q add

 # Set defaults
 oif=tl0             # Nic card to cable modem public internet connection
 odns1=203.2.75.132  # ISP's dns server IP address

 $cmd 00200 divert natd all from any to any via $oif


   control section

 # Start of IPFW advanced Stateful Filtering using dynamic rules.
 # The check-state statement behavior is to match bi-directional packet traffic
 # flow between source and destination using protocol/IP/port/sequence number.
 # The dynamic rule has a limited lifetime which is controlled by a set of
 # sysctl(8) variables. The lifetime is refreshed every time a matching
 # packet is found in the dynamic table.

 # Allow the packet through if it has previously been added to the
 # the dynamic rules table by an allow keep-state statement.

 $cmd 00202 allow log all from 203.10.10.0/24 to any
 $cmd 00203 allow log all from any to any via tun0

 $cmd 00400 check-state


 # SAMBA File/Printer Sharing on Internal LAN
 $cmd 0410 allow log tcp from 192.168.1.0/24 to 192.168.1.0/24
 $cmd 0411 allow log udp from 192.168.1.0/24 to 192.168.1.0/24

 # Run all private LAN xl0 packet traffic through the dynamic rules
 # table so the IP address are in sync with Natd.
 $cmd 00500 allow log all from any to any via sis0 keep-state

 # Deny all fragments as bogus packets
 $cmd 00530 deny log all from any to any frag in via $oif

 # Deny ACK packets that did not match the dynamic rule table
 $cmd 00540 deny log tcp from any to any established in via $oif

   outbound section

 # Interrogate packets originating from behind the firewall, private net.
 # Upon a rule match, its keep-state option will create a dynamic rule.

 # Allow out non-secure standard http function
 $cmd 00600 allow log tcp from any to any 80 out via $oif setup keep-state

 # Allow out secure www function https over TLS SSL
 $cmd 00601 allow log tcp from any to any 443 out via $oif setup keep-state

 # Allow out access to my ISP's Domain name server.
 $cmd 00610 allow log tcp from any to $odns1 53 out via $oif setup keep-state
 $cmd 00611 allow log udp from any to $odns1 53 out via $oif keep-state

 # Allow out send & get email function
 $cmd 00630 allow log tcp from any to any 25,110 out via $oif setup keep-state

 # Allow out & in FBSD (make install & CVSUP) functions
 # Basically give user id [ROOT] "GOD" privileges.
 $cmd 00640 allow log tcp from me to any out via $oif setup keep-state uid root

   inbound section

 # Interrogate packets originating from in front of the firewall, public net.

 # Allow in www http access to my apache server
 #$cmd 00800 allow log tcp from any to any 80 in via $oif setup keep-state limit src-addr 4

 # Allow TCP FTP control channel in & data channel out
 $cmd 00810 allow log tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
 $cmd 00811 allow log tcp from any 20 to any 1024-49151 out via $oif setup keep limit src-addr 4

 # Allow in ssh function
 $cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4

 # Allow in Telnet
 $cmd 00830 allow log tcp from any to me 23 in via $oif setup keep-state limit src-addr 4


 Thanks.

 D

IPFW Rule set question...

2003-12-23 Thread Drew Robertson
Hi everyone,

Thanks to those who take the time to read and reply to these emails.

I have a strange issue regarding my firewall (IPFW)...

I have enabled SSH, TELNET and FTP on my FreeBSD 4.8 box at home... it is 
dual homed, 2 NICs one for the internal LAN one running my cable modem.  
Everything works fine on the internal side.

When accessing the box using any of those apps from work, the system looks 
to briefly connect and then returns a Connection Lost or Connection 
closed by remote host error.

The command setup to allow in access is as follows...

820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup
when this didn't work I added another command at the start of the ruleset to 
just let everything in from a particular IP address range...

202 allow ip from 203.10.10.0/24 to any

however this produced the same error...

It wasn't until I allowed all from any to any that I was able to connect...

When checking out the security log, it tells me that rule 820 is allowing 
access to my computer at home...

Ruleset is attached completely below

/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
cmd="/sbin/ipfw -q add"
# Set defaults
oif=tl0                 # NIC card to cable modem public internet connection
odns1=203.2.75.132      # ISP's dns server IP address

$cmd 00200 divert natd all from any to any via $oif

# control section
# Start of IPFW advanced Stateful Filtering using dynamic rules.
# The check-state statement behavior is to match bi-directional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to
# the dynamic rules table by an allow keep-state statement.
$cmd 00202 allow log all from 203.10.10.0/24 to any
$cmd 00203 allow log all from any to any via tun0
$cmd 00400 check-state

# SAMBA File/Printer Sharing on Internal LAN
$cmd 0410 allow log tcp from 192.168.1.0/24 to 192.168.1.0/24
$cmd 0411 allow log udp from 192.168.1.0/24 to 192.168.1.0/24
# Run all private LAN sis0 packet traffic through the dynamic rules
# table so the IP addresses are in sync with natd.
$cmd 00500 allow log all from any to any via sis0 keep-state
# Deny all fragments as bogus packets
$cmd 00530 deny log all from any to any frag in via $oif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00540 deny log tcp from any to any established in via $oif

# outbound section
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.
# Allow out non-secure standard http function
$cmd 00600 allow log tcp from any to any 80 out via $oif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 00601 allow log tcp from any to any 443 out via $oif setup keep-state
# Allow out access to my ISP's Domain name server.
$cmd 00610 allow log tcp from any to $odns1 53 out via $oif setup keep-state
$cmd 00611 allow log udp from any to $odns1 53 out via $oif keep-state

# Allow out send & get email function
$cmd 00630 allow log tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP) functions
# Basically give user id [ROOT] GOD privileges.
$cmd 00640 allow log tcp from me to any out via $oif setup keep-state uid root

# inbound section
# Interrogate packets originating from in front of the firewall, public net.
# Allow in www http access to my apache server
#$cmd 00800 allow log tcp from any to any 80 in via $oif setup keep-state limit src-addr 4

# Allow TCP FTP control channel in & data channel out
$cmd 00810 allow log tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
$cmd 00811 allow log tcp from any 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4

# Allow in ssh function
$cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4

# Allow in Telnet
$cmd 00830 allow log tcp from any to me 23 in via $oif setup keep-state limit src-addr 4

Thanks.

D

_
ninemsn Premium transforms your e-mail with colours, photos and animated 
text. Click here  http://ninemsn.com.au/premium/landing.asp

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


ipfw troubleshooting (was ipfw rule placement)

2003-02-26 Thread Joshua Lokken
Hello

I am running 4.7-release p6 as a gateway (ipfw+natd).  Thanks to those of you who 
helped me firm up my ruleset.  Natd is running and configured, however, I am not able 
to do port redirection or http from the outside.  (Firewall disk crashed over the 
weekend, and I didn't have things properly backed up).

My firewall log is flooded with this message:

[date and time]churgeon /kernel: ipfw: Deny UDP 10.142.240.1:67 255.255.255.255:68 in via ed1

When I run sockstat, I see that dhclient is listening for udp packets on port 68:

root   dhclient62  4  udp4   *:68 *:*

Attached is my ipfw ruleset.  I'd like to know if I need to allow these packets (if 
they're required by dhclient, etc.).
Just in case, I've attached natd.conf and rc.conf, as well.  Thanks for any help.

---

Joshua Lokken
FreeBSD:  The Power to Serve!
[EMAIL PROTECTED]



Need a new email address that people can remember
Check out the new EudoraMail at
http://www.eudoramail.com

#!/bin/sh

fwcmd=/sbin/ipfw
oif=ed1
oip=xxx.xxx.xxx.xxx

iif=rl0
inwr=10.0.0.0/8
iip=10.0.0.1

ns1=204.127.198.4
ns2=216.148.227.68
ns3=207.228.252.107
ns4=64.246.26.64

$fwcmd -f flush

$fwcmd add allow all from any to any via lo0

$fwcmd add divert natd all from any to any via $oif

$fwcmd add allow icmp from any to any icmptypes 3,4,11,12

$fwcmd add check-state

$fwcmd add allow udp from $oip to any via $oif keep-state

$fwcmd add allow tcp from any to $oip 22,25,80,110,443,6346,22002,22003,22010 setup via $oif keep-state

$fwcmd add allow ip from $oip to any keep-state out via $oif

$fwcmd add allow ip from $inwr to any keep-state via $iif

$fwcmd add 65435 deny log ip from any to any

# natd.conf
# flags

interface ed1
dynamic yes
unregistered_only yes

# Web and mail

redirect_port tcp 10.0.0.10:8080 80
redirect_port udp 10.0.0.10:8080 80
redirect_port tcp 10.0.0.10:443 443
redirect_port udp 10.0.0.10:443 443

# SSH
redirect_port tcp 10.0.0.2:22 22002
redirect_port udp 10.0.0.2:22 22002
redirect_port tcp 10.0.0.3:22 22003
redirect_port udp 10.0.0.3:22 22003
redirect_port tcp 10.0.0.10:22 22010
redirect_port udp 10.0.0.10:22 22010

# VNC
redirect_port tcp 10.0.0.2:5900-5910 5900-5910
redirect_port udp 10.0.0.2:5900-5910 5900-5910

# -- sysinstall generated deltas -- # Sat Feb 15 13:14:18 2003
# Created: Sat Feb 15 13:14:18 2003

network_interfaces="lo0 ed1 rl0"
hostname="churgeon.joshualokken.com"
ifconfig_ed1="DHCP"
ifconfig_rl0="inet 10.0.0.1 netmask 255.0.0.0"
inetd_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
syslogd_enable="YES"
syslogd_flags="-ss"

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /etc/natd.conf"
firewall_script="/etc/firewall.conf"

tcp_extensions="YES"
icmp_drop_redirect="YES"



ipfw rule placement

2003-02-25 Thread Joshua Lokken
Hello,

Primary harddisk failed on my 4.7-release gateway (ipfw+natd) box last weekend, and I 
had not backed things up properly.  Attached is my ipfw ruleset.  After the rebuild, I 
rewrote things from memory.  

When I remove the default deny rule from the list, nat works fine, port redirections 
and all, but with the deny rule in place, nat isn't working, so I'm thinking I have a 
rule in the wrong place.  Can anyone point out any obvious missing/misplaced rules 
here?  Thanks much.

---

Joshua Lokken
FreeBSD:  The Power to Serve!
[EMAIL PROTECTED]





To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Fwd: ipfw rule placement

2003-02-25 Thread Joshua Lokken


- Forwarded Message -

DATE: Tue, 25 Feb 2003 16:06:22
From: Joshua Lokken [EMAIL PROTECTED]
To: Questions [EMAIL PROTECTED]

Hello,

Primary harddisk failed on my 4.7-release gateway (ipfw+natd) box last weekend, and I 
had not backed things up properly.  Attached is my ipfw ruleset.  After the rebuild, I 
rewrote things from memory.  

When I remove the default deny rule from the list, nat works fine, port redirections 
and all, but with the deny rule in place, nat isn't working, so I'm thinking I have a 
rule in the wrong place.  Can anyone point out any obvious missing/misplaced rules 
here?  Thanks much.

---

Joshua Lokken
FreeBSD:  The Power to Serve!
[EMAIL PROTECTED]


- End Forwarded Message -
My apologies for the missing attachment...
and for the M$ formatted file ;(


$fwcmd -f flush

$fwcmd add allow all from any to any via lo0

$fwcmd add divert natd all from any to any via $oif

$fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup

$fwcmd add allow tcp from any to any established

$fwcmd add allow icmp from any to any icmptypes 3,4,11,12

$fwcmd add check-state

$fwcmd add allow ip from $oip to any keep-state out via $oif

$fwcmd add allow ip from $inwr to any keep-state via $iif

$fwcmd add 65435 deny log ip from any to any

Re: Fwd: ipfw rule placement

2003-02-25 Thread Giorgos Keramidas
On 2003-02-25 16:09, Joshua Lokken [EMAIL PROTECTED] wrote:
 When I remove the default deny rule from the list, nat works fine,
 port redirections and all, but with the deny rule in place, nat
 isn't working, so I'm thinking I have a rule in the wrong place.
 Can anyone point out any obvious missing/misplaced rules here?

For NAT to be working, you have to make sure natd(8) is running and has
a proper configuration file.

Now, as far as the ipfw(8) rules are concerned, try using the
following ruleset:

# $fwcmd -f flush
# $fwcmd add allow all from any to any via lo0
# $fwcmd add divert natd all from any to any via $oif
# $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
# $fwcmd add check-state
# $fwcmd add allow udp from $oip to any via $oif keep-state
# $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
# $fwcmd add allow ip from $oip to any keep-state out via $oif
# $fwcmd add allow ip from $inwr to any keep-state via $iif
# $fwcmd add 65435 deny log ip from any to any

The changes from your own set of rules are summarized below:

  - moved icmp checking higher, since they're unrelated to tcp or udp
and state checking

  - added a rule for udp packets, since DNS resolving and a few other
useful things depend on them

  - moved check-state higher, to minimise the delay for packets that
are parts of an existing connection (ipfw rules are checked
sequentially, from start to end)

  - added keep-state in your 'setup' rule for incoming connections to
$oip and 'via $oif' to make sure that packets destined for $oip
are only accepted on $oif (good measure against spoofing)

Before using this set of rules, make sure you give proper values to
$iip, $oip, $iif, $oif and $inwr.

- Giorgos
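Giorgos's changes can be checked mechanically before the rules ever reach the kernel. The script below is an added example, not code from this thread or from FreeBSD: it wraps his ordering in a loader with a dry-run mode and a checker for three properties his list describes (check-state ahead of the keep-state rules, the deny-all last, and every rule addressed to $oip pinned to $oif), then runs the same checker over Joshua's first ruleset, whose inbound setup rule has no via $oif. The interface names, the 192.0.2.10 address and the trimmed port list are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: Giorgos's rule order as a loader
# function with a dry-run mode, plus a checker for the three properties his
# changes establish, run against both his ordering and Joshua's original.
# Interface names and addresses are constructed placeholders.

oif=ed1             # public interface (constructed)
iif=rl0             # LAN interface (constructed)
oip=192.0.2.10      # public address, documentation range (constructed)
inwr=10.0.0.0/8     # LAN network (constructed)

# fw: run ipfw, or only print the rule when DRY_RUN is set. Previewing a
# ruleset this way catches ordering mistakes before a bad rule locks you
# out of a remote box.
fw() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipfw %s\n' "$*"
    else
        /sbin/ipfw "$@"
    fi
}

# load_rules: Giorgos's ordering (ports trimmed to 22, 80 and 443).
load_rules() {
    fw -f flush
    fw add 100 allow all from any to any via lo0
    fw add 200 divert natd all from any to any via $oif
    fw add 300 allow icmp from any to any icmptypes 3,4,11,12
    fw add 400 check-state
    fw add 500 allow udp from $oip to any via $oif keep-state
    fw add 600 allow tcp from any to $oip 22,80,443 setup via $oif keep-state
    fw add 700 allow ip from $oip to any keep-state out via $oif
    fw add 800 allow ip from $inwr to any keep-state via $iif
    fw add 65435 deny log ip from any to any
}

# original_rules: Joshua's first ruleset as text, for comparison. Its inbound
# 'setup' rule is not pinned to $oif and carries no keep-state.
original_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow all from any to any via lo0
ipfw add 200 divert natd all from any to any via $oif
ipfw add 300 allow tcp from any to $oip 22,80,443 setup
ipfw add 400 allow tcp from any to any established
ipfw add 500 allow icmp from any to any icmptypes 3,4,11,12
ipfw add 600 check-state
ipfw add 700 allow ip from $oip to any keep-state out via $oif
ipfw add 800 allow ip from $inwr to any keep-state via $iif
ipfw add 65435 deny log ip from any to any
EOF
}

# dry_run: the loader's rules as text, one per line, without touching the kernel.
dry_run() {
    ( DRY_RUN=1; load_rules )
}

# check_rules: reads rule text on stdin; returns 0 when all three hold:
#  1. check-state is present and precedes the first keep-state rule
#  2. the unconditional deny is the last rule (anything after it is dead)
#  3. every rule addressed to $oip is restricted to $oif (anti-spoofing)
check_rules() {
    rules=$(cat)
    cs=$(printf '%s\n' "$rules" | grep -n 'check-state' | head -n 1 | cut -d: -f1)
    ks=$(printf '%s\n' "$rules" | grep -n 'keep-state' | head -n 1 | cut -d: -f1)
    [ -n "$cs" ] && [ -n "$ks" ] && [ "$cs" -lt "$ks" ] || return 1
    printf '%s\n' "$rules" | tail -n 1 | grep -q 'deny log ip from any to any' || return 1
    if printf '%s\n' "$rules" | grep -F -- "to $oip" | grep -Fqv -- "via $oif"; then
        return 1
    fi
    return 0
}

# check_order: the checker applied to the loader's own output.
check_order() {
    dry_run | check_rules
}

# check_original: the checker applied to Joshua's ordering (expected to fail).
check_original() {
    original_rules | check_rules
}

case "${1:-}" in
    --load)  load_rules ;;
    --check) check_order && echo "ordering OK" ;;
    *)       dry_run ;;
esac
```

With no arguments the script prints the rules it would load; `--check` validates them and `--load` calls /sbin/ipfw for real. Setting DRY_RUN=1 makes `fw` print instead of loading, which is the same trick you want in any firewall script you run over ssh.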



Re: Fwd: ipfw rule placement

2003-02-25 Thread Joshua Lokken



On Wed, 26 Feb 2003 02:25:12  
 Giorgos Keramidas wrote:
On 2003-02-25 16:09, Joshua Lokken [EMAIL PROTECTED] wrote:
 When I remove the default deny rule from the list, nat works fine,
 port redirections and all, but with the deny rule in place, nat
 isn't working, so I'm thinking I have a rule in the wrong place.
 Can anyone point out any obvious missing/misplaced rules here?

For NAT to be working, you have to make sure natd(8) is running and has
a proper configuration file.

Now, as far as the ipfw(8) rules are concerned, try using the
following ruleset:

# $fwcmd -f flush
# $fwcmd add allow all from any to any via lo0
# $fwcmd add divert natd all from any to any via $oif
# $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
# $fwcmd add check-state
# $fwcmd add allow udp from $oip to any via $oif keep-state
# $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
# $fwcmd add allow ip from $oip to any keep-state out via $oif
# $fwcmd add allow ip from $inwr to any keep-state via $iif
# $fwcmd add 65435 deny log ip from any to any

The changes from your own set of rules are summarized below:

  - moved icmp checking higher, since they're unrelated to tcp or udp
and state checking

  - added a rule for udp packets, since DNS resolving and a few other
useful things depend on them

  - moved check-state higher, to minimise the delay for packets that
are parts of an existing connection (ipfw rules are checked
sequentially, from start to end)

  - added keep-state in your 'setup' rule for incoming connections to
$oip and 'via $oif' to make sure that packets destined for $oip
are only accepted on $oif (good measure against spoofing)

Before using this set of rules, make sure you give proper values to
$iip, $oip, $iif, $oif and $inwr.

- Giorgos

Indeed!  I do have the variables listed defined, and have natd configured and working. 
 Thank you very much--not only did you answer my question, but gave me a better 
understanding of ipfw!

Joshua  




ipfw rule help needed

2003-01-14 Thread Josh Brooks

Hi,

I am trying to create these two ipfw rules:


deny all packets with an ack of zero

deny all tcp packets with no MSS specified


Can anyone show me the syntax to do that ?  Also, comments on bad things
that could happen if I put these in are appreciated.  AFAIK, the only
thing that can happen is that 1 in every 2^32 valid packets will be denied
by the ack zero rule, and that the second rule will not affect anything
except people using syn flood tools - since every valid tcp packet should
have a MSS, right ?

thanks.

