question for ipfw2 experts

2012-09-24 Thread Darrel

Hello,

I have removed all references of OpenBSD Packet Filter from my
kernel and have just completed my first (excluding some experimentation
back a decade ago) configuration of ipfw2.  At the moment, FreeBSD
-current is building world and the applicable /etc/rc.conf entries
are like this:
firewall_enable="YES"
firewall_script="/etc/rc.firewall.myFile"
firewall_quiet="NO"
firewall_logging="YES"
firewall_nat_enable="NO"

The kernel modifications are as follows:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options DUMMYNET

- my configuration file for ipfw2:
#!/bin/sh
# BEGIN
ipfw -q flush
# MACROS
block_tcp_in=2869,5355,commplex\\-main,loc\\-srv
block_udp_in=1900,3544,5355,dhcp6\\-client,dhcp6\\-server,netbios\\-ns
block_tcp_out=2869,bootpc,commplex\\-main,loc\\-srv
block_udp_out=1900,3544,netbios\\-ns
eif=anyIF
cmd="ipfw -q add"
ks=keep-state
icmp6_types=1,2,128,129,135,136
local4=this4address
local6=this6address
localnet=thisNet/mask
localnet6=prefix::/prefixlen
tcp4_svcs=2628,ident
tcp6_svcs=ident,ssh
udp4_svcs=ntp,radacct,radius
udp6_svcs=ntp,radacct,radius
out_tcp4=49152-65535,domain,ftp,http,ident,smtp,smtps,ssh,svn
out_udp4=33433-33636,49152-65535,domain,ntp
out_udp6=33433-33636,49152-65535,domain,ntp
out_tcp6=49152-65535,domain,ftp,http,ident,smtp,smtps,ssh,svn
# TABLES
# ipfw table 1 add 192.168.2.0/24 10.23.2.1 someNet.org
# PASS EARLY, ANTISPOOF, CHECK-STATE, and FRAG REASSEMBLE
$cmd 27 check-state
$cmd 28 reass all from any to $local4 recv $eif
$cmd 29 drop ip from any to $local4 not verrevpath recv $eif
$cmd 30 drop ip from $local4 to any not versrcreach xmit $eif
$cmd 31 pass all from any to any via lo0
$cmd 32 drop all from any to 127.0.0.0/8 recv $eif
$cmd 33 drop all from 127.0.0.0/8 to any xmit $eif
$cmd 34 drop all from any to ::1 recv $eif
$cmd 35 drop all from ::1 to any xmit $eif
$cmd 36 drop tcp from any to $local4 in recv $eif frag
#
$cmd 38 pass log ipv6-icmp from :: to ff02::/16 xmit $eif
$cmd 39 pass log ipv6-icmp from fe80::/10 to fe80::/10
$cmd 40 pass log ipv6-icmp from fe80::/10 to ff02::/16
$cmd 41 pass log ipv6-icmp from any to any icmp6types $icmp6_types
$cmd 42 unreach6 admin-prohib log ipv6-icmp
# BLOCK EARLY
# rfc 1918 private address
$cmd 45 drop all from 192.168.0.0/16 to any xmit $eif
$cmd 46 drop all to 192.168.0.0/16 from any recv $eif
# rfc 1918 private address
$cmd 48 drop all from 172.16.0.0/12 to any xmit $eif
$cmd 49 drop all to 172.16.0.0/12 from any recv $eif
# rfc 1918 private address
$cmd 51 drop all from 10.0.0.0/8 to any xmit $eif
$cmd 52 drop all to 10.0.0.0/8 from any recv $eif
# dhcp auto-config
$cmd 54 drop all from 169.254.0.0/16 to $local4 recv $eif
$cmd 55 drop all to 169.254.0.0/16 from $local4 xmit $eif
# reserved for docs
$cmd 57 drop all from 192.0.2.0/24 to $local4 recv $eif
$cmd 58 drop all from $local4 to 192.0.2.0/24 xmit $eif
# sun cluster interconnect
$cmd 60 drop all from 204.152.64.0/23 to $local4 recv $eif
$cmd 61 drop all from $local4 to 204.152.64.0/23 xmit $eif
# class d and e multicast
$cmd 63 drop all from 224.0.0.0/3 to $local4 recv $eif
$cmd 64 drop all from $local4 to 224.0.0.0/3 xmit $eif
# PROTOCOLS DROPPED EARLY
$cmd 66 drop udp from any to $local4 $block_udp_in
$cmd 67 reset tcp from any to $local4 $block_tcp_in setup
# PUBLIC INTERFACE ICMP
$cmd 69 pass log icmp from $local4 to any out xmit $eif $ks
$cmd 70 pass log icmp from any to $local4 in recv $eif icmptypes \
8,3 $ks
$cmd 71 drop log icmp from any to any
# PUBLIC INTERFACE UDP
$cmd 73 pass udp from $local4 to any $out_udp4 out xmit $eif $ks
$cmd 74 pass udp from $localnet to $local4 $udp4_svcs in recv $eif
# PUBLIC INTERFACE TCP
$cmd 78 pass tcp from $local4 to any $out_tcp4 out xmit $eif setup \
$ks
$cmd 79 pass tcp from $localnet6 to $local6 $tcp6_svcs recv $eif \
setup $ks
$cmd 2000 allow ip6 from $localnet6 to $local6 ssh in recv $eif \
setup $ks
#$cmd 4 allow tcp from any to $local4 80 in recv $eif setup limit src-addr 3
$cmd 5000 drop log tcp from any to any
# DROP STATEMENT
$cmd 65000 drop all
# END

Advice, hints, and criticism of my setup and ruleset are welcomed.

- also:
Can someone please send an example of how to properly use tables?
Can someone please expound about using IPv6 in the ruleset?

An effort at potentially constructive criticism regarding the
documentation: I noticed these points:

- file that does not exist:
/etc/rc.firewall6

Good that it does not exist, please remove it from the handbook.

- statement about internal interfaces:
In cases where one or more than one NICs are connected to a private
LAN behind the firewall, those interfaces must have rules coded to
allow free unmolested movement of packets originating from those
LAN interfaces.

Is this a fact?  Today I am only dealing with one interface.  If I
wrote rules for both interfaces of a router would it actually not
work?

Kind regards,
Darrel
___
freebsd-questions@freebsd.org mailing list
http

Re: question for ipfw2 experts

2012-09-24 Thread Michael Sierchio
On Mon, Sep 24, 2012 at 12:35 PM, Darrel levi...@iglou.com wrote:

> Can someone please send an example of how to properly use tables?

Quick, trivial example - this doesn't help you understand tableargs;
this is just an efficient way to handle a very large list of sparse nets.

PEERS=/etc/ipfw/permitted_hosts.txt
cat $PEERS | awk '/^[1-9][0-9\.][0-9\.]*/ { print "ipfw table 1 add", $1 }' | sh

$FW add 01000 check-state

[ a bunch of rules ]

$FW add 05000 allow tcp from table\(1\) to me 7514 in recv $OUTSIDE_IF setup keep-state
$FW add 06000 deny tcp from any to me in recv $OUTSIDE_IF

Now, if you want to atomically change tables without altering
instantiated dynamic rules, you can use separate tables and swap
rulesets.  You can use tableargs (the second parameter when adding an
entry to the table) as a rule number to skipto, or as a tag in
logging, etc.


IPFW2 script with natd and loadsharing

2008-02-26 Thread René Vestergaard
I am trying to have both
natd (divert) and loadsharing (pipe/queue)
in the same IPFW2 firewall script.

It works partly. That is, something is wrong because
  the pipe bandwidth does not at all match the measured bandwidth
and
  by using the log facility I found that
  the following packet enters the script at rule 11:
  TCP 207.46.211.119:80 192.168.12.150:1574 out via em0
  but it looks like it had just been translated by rule number 400

The NIC with IP 192.168.10.248 is connected to WAN and
the NIC with IP 192.168.12.10 is connected to LAN

Here is my script:
--

# Firewall script (Kernel compilation: default-rule was set to allow)

ipfw -f -q flush
ipfw -q add 6 allow all from any to any

# Log-facility (for debuging)
ipfw add 11 skipto 12 log all from any to any // Start

ipfw pipe 1 config bw   80KByte/s  # upload limit
ipfw pipe 2 config bw  800KByte/s  # download limit

# Package going in the download-direction are translated by NATD
# to get the destination .12-subnet IP address
# (change destination ip address)
ipfw add 100 divert natd ip from any to 192.168.10.248 // Download

ipfw add 200 queue 1 ip from 192.168.12.0/24 to not 192.168.12.0/24 // Upload
ipfw queue 1 config weight 10 pipe 1 mask src-ip 0x00ff

ipfw add 300 queue 2 ip from any to 192.168.12.0/24 // Download
ipfw queue 2 config weight 10 pipe 2 mask dst-ip 0x00ff

# Packets going in the upload direction are translated by NATD
# to get the source IP address of the WAN NIC (and the port number is also changed)
ipfw add 400 divert natd ip from 192.168.12.0/24 to any // Upload

--

What is wrong?




IPFW2 woes...

2007-11-02 Thread Eric F Crist

Hey all,

I've written a short IPFW ruleset, with only some count rules and one  
allow all ip rule.  I've got the following entries in my /etc/rc.conf  
file:


# IPFW Settings
# Only used for traffic accounting!
firewall_enable="YES"
firewall_script="/etc/ipfw.sh"

Every time this system boots, it asks if I'm sure if I want the divert  
daemon enabled?  The answer, really, is NO.  pf is doing all that for  
me, I'm just using IPFW for packet accounting.  The message changes  
slightly if I add natd_enable=NO to the file.


Why is it asking me this, and what do I need to do to make it go away!?

Thanks!
-
Eric F Crist
Secure Computing Networks




Re: ipfw2+divert; why divert rule is ignored?

2006-03-10 Thread Andrew Pantyukhin
On 3/10/06, Vladimir [EMAIL PROTECTED] wrote:
> FreeBSD 5.4
>
> Specifically, I can't figure out why rule 3800 is ignored...  :confused:

ipfw is not so malicious that it just ignores rules :)
Try adding a count rule immediately before or after the
ignored rule. Most likely there are simply no such packets
(for example, a routing glitch).

ipfw2+divert; why divert rule is ignored?

2006-03-09 Thread Vladimir
FreeBSD 5.4

Specifically, I can't figure out why rule 3800 is ignored...  :confused:
If you have an idea, just give me a clue about it. Thanks...
Regular NAT is working properly, but I can't configure NAPT to services on a
server in the LAN.

The interface to the LAN is also untrusted; that's why there are so many details in the config...
tun0 - interface to Internet
vr1 - interface to LAN
212.42.xxx.xxx - my external IP

firewall rules [# ipfw -de sh]

03800     0      0 divert 6893 log logamount 100 tcp from 192.168.0.1 80 to any out via tun0
04000     0      0 check-state
04400     0      0 allow log logamount 100 tcp from 212.42.xxx.xxx 80 to any out via tun0
04700    25   1554 divert 6893 log logamount 100 tcp from any to 212.42.xxx.xxx dst-port 80 in via tun0
05000   150   6816 allow log logamount 100 tcp from any to 192.168.0.1 dst-port 80 in via tun0 setup keep-state
## Dynamic rules (14):
05000   17768 (0s) STATE tcp 212.112.117.70 1212 <-> 192.168.0.1 80
...

/var/log/security

...
Mar  9 14:40:23 free kernel: ipfw: 4700 Divert 6893 TCP 212.112.117.70:1212 212.42.xxx.xxx:80 in via tun0
Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 in via tun0
Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 out via vr1
Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 in via vr1
#^this is OK - the packet is ready to be caught by rule 3800, but that rule is
ignored and the packet is processed by the dynamic rule  :confused:
Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 out via tun0
...

natd is started by

natd -log_denied -s -m -p 6893 -dynamic -n tun0 -redirect_port tcp 192.168.0.1:80 80 -log_ipfw_denied -l
  

-- 
Best regards,
 Vladimir  


Best Way To Block Range of Addresses with ipfw2?

2006-02-08 Thread Drew Tomlinson

I want to deny access to addresses in this range:

84.57.113.0 - 84.61.96.255

What is the best way to specify this range for ipfw2?  There must be a 
better way than listing a whole bunch of individual networks.


Thanks,

Drew

--
Visit The Alchemist's Warehouse
Magic Tricks, DVDs, Videos, Books, & More!

http://www.alchemistswarehouse.com



Re: Best Way To Block Range of Addresses with ipfw2?

2006-02-08 Thread Chuck Swiger
Drew Tomlinson wrote:
> I want to deny access to addresses in this range:
>
> 84.57.113.0 - 84.61.96.255
>
> What is the best way to specify this range for ipfw2?  There must be a
> better way than listing a whole bunch of individual networks.

deny ip from 84.56.0.0/13 to any

...comes pretty close.  Use finer-grained allow rule before that if you need to
pass stuff in 84.56.0.0/16, for example.

-- 
-Chuck


Re: Best Way To Block Range of Addresses with ipfw2?

2006-02-08 Thread Drew Tomlinson

On 2/8/2006 3:11 PM Chuck Swiger wrote:
> Drew Tomlinson wrote:
>> I want to deny access to addresses in this range:
>>
>> 84.57.113.0 - 84.61.96.255
>>
>> What is the best way to specify this range for ipfw2?  There must be a
>> better way than listing a whole bunch of individual networks.
>
> deny ip from 84.56.0.0/13 to any
>
> ...comes pretty close.  Use finer-grained allow rule before that if you need to
> pass stuff in 84.56.0.0/16, for example.


Thanks.  I found that too but was just wondering if there was a way to 
be exact.


Drew



Re: Best Way To Block Range of Addresses with ipfw2?

2006-02-08 Thread Dan Nelson
In the last episode (Feb 08), Drew Tomlinson said:
> On 2/8/2006 3:11 PM Chuck Swiger wrote:
>> Drew Tomlinson wrote:
>>> I want to deny access to addresses in this range:
>>>
>>> 84.57.113.0 - 84.61.96.255
>>>
>>> What is the best way to specify this range for ipfw2?  There must
>>> be a better way than listing a whole bunch of individual networks.
>>
>> deny ip from 84.56.0.0/13 to any
>>
>> ...comes pretty close.  Use finer-grained allow rule before that if you
>> need to pass stuff in 84.56.0.0/16, for example.
>
> Thanks.  I found that too but was just wondering if there was a way
> to be exact.

You could use an ipfw table to store the required subnets that cover
your range; according to the manpage it's the most efficient way to
store large address sets, and it also saves you from cluttering up your
ruleset.

-- 
Dan Nelson
[EMAIL PROTECTED]
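Dan Nelson's table suggestion, worked through as an added example (not code from this thread): the script below splits Drew's range into the minimal set of CIDR blocks with Python's standard ipaddress module, emits the `ipfw table` lines that load them plus one deny rule that matches the table, and counts how far Chuck's single /13 overshoots. The table number 1 and rule number 1000 are assumptions; use whatever is free in your ruleset.

```python
import ipaddress

# Constructed input: the range from Drew's question and Chuck's one-rule answer.
RANGE_FIRST = "84.57.113.0"
RANGE_LAST = "84.61.96.255"
SINGLE_SUPERNET = "84.56.0.0/13"


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering exactly first..last (inclusive)."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def ipfw_table_commands(table, first, last):
    """The 'ipfw table N add' lines that load the exact range into table N.

    The table number is an assumption; pick one not used elsewhere in the ruleset.
    """
    return ["ipfw table %d add %s" % (table, cidr) for cidr in range_to_cidrs(first, last)]


def ipfw_deny_rule(rule_number, table):
    """A deny rule that matches any source address present in the table.

    The rule number is an assumption. Inside a shell script the parentheses
    must be escaped, as in Michael's example: table\\(1\\).
    """
    return "ipfw add %d deny ip from table(%d) to any" % (rule_number, table)


def covered(first, last, ip):
    """True if ip falls inside one of the blocks that cover first..last."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in range_to_cidrs(first, last))


def supernet_excess(first, last, supernet):
    """How many addresses a single covering supernet denies beyond the range."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    wanted = int(end) - int(start) + 1
    return ipaddress.ip_network(supernet).num_addresses - wanted


if __name__ == "__main__":
    # Print the commands you would paste into the firewall script.
    for line in ipfw_table_commands(1, RANGE_FIRST, RANGE_LAST):
        print(line)
    print(ipfw_deny_rule(1000, 1))
    print("# extra addresses denied by %s alone: %d"
          % (SINGLE_SUPERNET, supernet_excess(RANGE_FIRST, RANGE_LAST, SINGLE_SUPERNET)))
```

The exact range needs ten table entries, whereas the single /13 denies 266240 addresses that Drew never asked to block.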


Advanced IPFW2 Forward rule problem / bug / misunderstanding

2006-01-10 Thread Andrew Fremantle

Hello,

I have searched the lists for information pertaining to this problem, 
but I haven't been able to find anything relevant to my attempted usage 
of IPFWs forward action. If there are any preexisting threads that 
address my concern, please direct me to them.


I have also sent this message to the freebsd-ipfw list, as this seems 
consistent with some other threads I see in their archive.


Here's the situation :

I have two ISPs, each providing two IPs. One of these ISPs is providing 
IPs on totally different subnets, and is MAC sensitive. I have two 
internal servers (Actually, just one listening on two addresses), and I 
want this server to be available externally to both ISPs. (We're 
migrating ISPs, and we don't want any interruption in service). I am 
using port forwarding in NATd to allow the necessary ports through to 
the server. My problem comes with the replies - FreeBSD has only one 
default gateway, and all traffic going out, regardless of which external 
IP address it is from, goes to that gateway. Since ISP2 doesn't care 
much for routing traffic from ISP1, and vice-versa, I have a problem.


I should note here that I am not trying to load balance - I am perfectly 
happy with all outbound LAN connections being NATted over one link, I 
just need the ability to service inbound connections on all four IPs.


I am using forward rules in my firewall to match packets belonging to 
these other interfaces, to forward them to the appropriate gateway. 
According to the manpage for ipfw, "If ipaddr is not a local address, 
then the port number (if specified) is ignored, and the packet will be 
forwarded to the remote address, using the route as found in the local 
routing table for that IP." I interpret that as "The packet's next hop 
will be compared to the routing table, and routed out the appropriate 
interface to reach that next hop." The problem is that doesn't seem to 
be happening. I have tried fiddling a few knobs to no effect - 
specifically net.inet.ip.fastforwarding, net.inet.ip.sourceroute and 
net.inet.ip.accept_sourceroute.


Telus is the legacy ISP, so when I'm trying these rules all the 
inbound server requests are from the two Telus interfaces. I have 
numbered a rule here 42000. This rule will catch all kinds of packets 
outbound from ${ext1_ip}:80 and ${ext1_ip}:443 to clients on the internet.


This tells me my inbound NAT translation is working, the packets are 
getting to the server, replies are coming back, they're matching my 
forward rules, but still going out the wrong interface anyways!


As attached as I am to the idea of doing this via ipfw, if anyone has 
any suggestions on alternate methods to achieve the same results, I'd 
love to hear them!!!


On to the technical details - I have obscured IP addresses here, but the 
networks and subnet masks remain the same


---

bsdbox# uname -a
FreeBSD bsdbox 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #1: Mon Jan  9 
08:15:08 PST 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/BSDBOX  i386


---

bsdbox# cat /usr/src/sys/i386/conf/BSDBOX
.
.
.
### FIREWALLING
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED  # (I just did this to test - it made no difference)

options IPDIVERT

---

bsdbox# cat /etc/rc.conf
.
.
.
##
## Networking
##

gateway_enable="YES"

## Ensure interface configuration and Firewall script remain consistent!!

defaultrouter="24.85.92.1"

ifconfig_rl0="192.168.1.1"
ifconfig_vr0="142.179.109.xxx netmask 255.255.248.0"
ifconfig_vr1="216.232.85.xxx netmask 255.255.254.0"

ifconfig_rue0="24.85.9x.xxx netmask 255.255.252.0"
ifconfig_rue0_alias0="24.85.9x.xxx netmask 255.255.255.255"

natd_enable="NO"
firewall_enable="YES"
firewall_script="/usr/local/etc/firewall.telus+shaw-test"

-

bsdbox# cat /usr/local/etc/firewall.telus+shaw-test
# firewall.telus+shaw   0.9.8

# Acquire variables from /etc/rc.conf
if [ -r /etc/rc.conf ]; then
   . /etc/rc.conf
fi

fwcmd="/sbin/ipfw -q"

##
## THIS SCRIPT REQUIRES THE FOLLOWING VARIABLES
## TO BE CORRECTLY DEFINED!
##

##
# PRIMARY external interface (Telus)
ext1=vr0  # Device name
ext1_ip=142.179.109.xxx  # IP Address
ext1_gw=142.179.104.254  # IP Gateway
ext1_bc=142.179.111.255  # Broadcast Address
ext1_srv=192.168.1.10  # Server IP Address
##

##
# SECONDARY external interface (Telus)
ext2=vr1  # Device name
ext2_ip=216.232.85.xxx  # IP Address
ext2_nm=255.255.254.0  # Network Mask
ext2_bc=216.232.85.255  # Broadcast Address
ext2_gw=216.232.84.254  # IP Gateway
ext2_srv=192.168.1.11  # IP Address of internal server
##

##
# Shaw Cable Interface(s)
# PRIMARY IP
shaw=rue0  # Device Name
shaw_ip=24.85.93.xxx  # IP Address
shaw_nm=255.255.252.0  # Network Mask
shaw_bc=24.85.95.255  # Broadcast 

Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding

2006-01-10 Thread Dennis Olvany
This should get you most of the way there or at least give you a good
idea of what's required.


> options IPFIREWALL_FORWARD_EXTENDED

I'm pretty sure this will be required.


> defaultrouter="24.85.92.1"
> ifconfig_rl0="192.168.1.1"
> ifconfig_vr0="142.179.109.xxx netmask 255.255.248.0"
> ifconfig_vr1="216.232.85.xxx netmask 255.255.254.0"
> ifconfig_rue0="24.85.9x.xxx netmask 255.255.252.0"
> ifconfig_rue0_alias0="24.85.9x.xxx netmask 255.255.255.255"


> Telus
> ext1_ip=142.179.109.xxx  # IP Address
> ext1_gw=142.179.104.254  # IP Gateway
> ext2_ip=216.232.85.xxx  # IP Address
> ext2_gw=216.232.84.254  # IP Gateway
>
> Shaw Cable
> shaw_ip=24.85.93.xxx  # IP Address
> shaw_gw=24.85.92.1  # IP Gateway
> srv2_ext=24.85.93.xxx  # External IP of server
>
> INTERNAL
> int_ip=192.168.1.1  # IP Address


> # And run our new NATd
> /sbin/natd -log_ipfw_denied -i ${nat_in} -o ${nat_out} -s -m -u -n
> ${shaw} -punch_fw 36000:100 -redirect_port tcp ${ext1_srv}:22
> ${ext1_ip}: -redirect_port tcp ${ext1_srv}:53 ${ext1_ip}:53
> -redirect_port tcp ${ext1_srv}:80 ${ext1_ip}:80 -redirect_port tcp
> ${ext1_srv}:443 ${ext1_ip}:443 -redirect_port udp ${ext1_srv}:53
> ${ext1_ip}:53 -redirect_port tcp ${ext2_srv}:80 ${ext2_ip}:80
> -redirect_port tcp ${ext2_srv}:443 ${ext2_ip}:443 -redirect_port tcp
> ${srv1_int}:22 ${shaw_ip}: -redirect_port tcp ${srv1_int}:53
> ${shaw_ip}:53 -redirect_port udp ${srv1_int}:53 ${shaw_ip}:53
> -redirect_port tcp ${srv1_int}:80 ${shaw_ip}:80 -redirect_port tcp
> ${srv1_int}:443 ${shaw_ip}:443 -redirect_port tcp ${srv2_int}:80
> ${srv2_ext}:80 -redirect_port tcp ${srv2_int}:443 ${srv2_ext}:443

That's a hefty nat command. Let's simplify by putting it in a file. I
leave the port forwarding to you.

/etc/rc.conf

natd_enable="yes"
natd_flags="-f /etc/natd.conf"

/etc/natd.conf

instance default
interface vr0
port 8668

instance telus2
interface vr1
port 8669

instance shaw1
alias_address 24.85.93.xxx
port 8670

instance shaw2
alias_address 24.85.93.xxx
port 8671

globalport 8672


I see that your firewall is based on rc.firewall. Forget rc.firewall, it
is junk. Base your firewall on this structure.

1. Public Interface NAT Diversion

2. check-state

3. Public Interface Leak Prevention
3.1 deny egress from internal hosts
3.2 deny ingress to internal hosts

4. Antispoof
4.1 allow via loopback interface
4.2 deny ingress from router
4.3 deny ingress from internal hosts via public interface

5. Router
5.1 allow egress
5.2 deny egress
5.3 allow ingress
5.4 deny ingress

6. Internal Hosts
6.1 allow egress
6.2 deny egress
6.3 allow ingress
6.4 deny ingress

7. Default Deny


/etc/rc.conf

firewall_enable="yes"
firewall_type="/etc/ipfw.rules"

/etc/ipfw.rules

-f flush

add divert 8668 ip from any to any in via vr0
add divert 8669 ip from any to any in via vr1
add divert 8670 ip from any to 24.85.93.xxx in via rue0
add divert 8671 ip from any to 24.85.93.xxx in via rue0
#have never known the globalport to work on inbound
add divert 8672 ip from any to any out via { vr0 or vr1 or rue0 }
#not sure if that 'or' will work... may need to split it up

add check-state

add deny ip from 192.168.1.1/24 to any via { vr0 or vr1 or rue0 }

add allow ip from me to me via lo0 keep-state
add deny ip from me to any in

add allow ip from me to { me or 192.168.1.1/24 or 142.179.109.xxx/21 or 216.232.85.xxx/23 or 24.85.9x.xxx/22 } keep-state
add forward 142.179.104.254 ip from 142.179.109.xxx to any keep-state
add forward 216.232.84.254 ip from 216.232.85.xxx to any keep-state
add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
add allow ip from me to any keep-state
add deny ip from me to any
add allow icmp from any to me icmptypes 3,4,8,11 keep-state
add deny ip from any to me

add allow ip from 192.168.1.1/24 to any keep-state
add deny ip from 192.168.1.1/24 to any
add allow icmp from any to 192.168.1.1/24 icmptypes 3,4,11 keep-state
add deny ip from any to 192.168.1.1/24


Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding

2006-01-10 Thread Andrew Fremantle

Thanks for the quick reply.

I just want to clarify a few things here. Given that I only want 
outbound NAT on one interface, is it really necessary to run four 
instances of NATd? Can't one instance handle outbound NAT + inbound 
sessions on all interfaces, as I have it setup? Also, you're using a 
whole bunch of options and features here that are not documented on the 
natd man page. I found a writeup by the author of these features, but 
I'm not certain if that's in the -STABLE branch or not. (IE, will these 
options work with a 6.0-RELEASE natd?)


Also, I'm not certain how your forward rules would work when mine do 
not, as you're doing the same thing I did - NAT Translation, then 
forward to the appropriate gateway. My experience is that forwarding 
packets to the appropriate gateway *does* *not* *work*, as they all 
leave via the default route's interface 

Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding

2006-01-10 Thread Dennis Olvany
Andrew Fremantle wrote:
Thanks for the quick reply.
 
 I just want to clarify a few things here. Given that I only want 
 outbound NAT on one interface, is it really necessary to run four 
 instances of NATd? Can't one instance handle outbound NAT + inbound 
 sessions on all interfaces, as I have it set up?

I'm sure you'll need one instance for each public IP from which you wish
to originate traffic.

 Also, you're using a whole bunch of options and features here that
 are not documented on the natd man page. I found a writeup by the
 author of these features, but I'm not certain if that's in the
 -STABLE branch or not. (i.e., will these options work with a
 6.0-RELEASE natd?)

Yes. I use these features with 6.0-release.

 Also, I'm not certain how your forward rules would work when mine do 
 not, as you're doing the same thing I did - NAT 

ipfw2 NAT/forwarding config for bittorrent

2005-10-25 Thread Kenneth W Cochran
Hello -questions:

I would like to make bittorrent work in following scenario:

- machine running py-bittorrent has private ip-address 192.168.x.y
  and currently runs FreeBSD 5.4-RELEASE

- firewall/NAT machine is FreeBSD 4.10-STABLE, last updated by
  source in November 2004.

- firewall/NAT is ipfw2, has run just fine for months

How do I configure ipfw2 for properly forwarding the bittorrent
ports (6881-6889) to the destination machine?  Log_in_vain is
active on the firewall machine, and when bittorrent is active on the
private-ip machine, the firewall's syslog is being cluttered with
attempts on port 6881.

Where in the firewall config would such rule(s) go in relation to
the divert rule?

Would that silence the port 6881 messages and properly pass that
traffic to the internal machine?

So far I'm not understanding the ipfw manpage for port forwarding.
FAQ/documentation/RTFM pointers/examples are quite welcome.  :)

Please CC me any replies.

Thanks,

-kc
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipfw2 NAT/forwarding config for bittorrent

2005-10-25 Thread Richard Burakowski

Kenneth W Cochran wrote:


How do I configure ipfw2 for properly forwarding the bittorrent
ports (6881-6889) to the destination machine?  Log_in_vain is
 


natd(8) -redirect_port
ipfw will just forward the packet, whereas natd will rewrite it
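The -redirect_port approach from the reply, worked through as an added example (not code from the thread) in rc.firewall style: the inbound divert sits ahead of check-state so the allow rule sees the un-NATed destination, and the stateful rules use skipto so replies pass the outbound divert. The interface names fxp0/xl0, the 192.168.1.0/24 addresses and the rule numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: forward bittorrent 6881-6889 from the
# public interface to the internal py-bittorrent host with natd(8)
# -redirect_port, and order the ipfw rules around the two divert points.
# Interface names, addresses and rule numbers are assumed placeholders.
ext_if="fxp0"               # public interface natd aliases on
int_if="xl0"                # LAN interface
int_net="192.168.1.0/24"    # LAN
int_host="192.168.1.10"     # the 192.168.x.y machine running py-bittorrent
bt_ports="6881-6889"
fwcmd="${FWCMD:-/sbin/ipfw}"   # FWCMD=echo prints the rules instead of loading them

# natd(8) flags: -n names the aliasing interface, -redirect_port maps
# inbound TCP for ext_if:6881-6889 onto int_host:6881-6889.
natd_flags() {
    printf '%s %s -redirect_port tcp %s:%s %s\n' \
        -n "$ext_if" "$int_host" "$bt_ports" "$bt_ports"
}

load_rules() {
    $fwcmd -f flush
    $fwcmd add 10 allow ip from any to any via lo0
    $fwcmd add 20 allow ip from any to any via "$int_if"
    # Inbound: un-NAT first, so check-state and the rules below see the
    # internal address natd rewrote in, not the public one.
    $fwcmd add 100 divert natd ip from any to any in via "$ext_if"
    $fwcmd add 200 check-state
    # New inbound connections: only the redirected ports, only to int_host.
    # skipto sends the packet (and, through the dynamic rule, its replies)
    # to the outbound divert so replies leave with the public address again.
    $fwcmd add 300 skipto 1000 tcp from any to "$int_host" "$bt_ports" \
        in via "$ext_if" setup keep-state
    # Outbound from the LAN and from the firewall itself: state is keyed on
    # the pre-NAT addresses, then the packet is NATed at rule 1000.
    $fwcmd add 400 skipto 1000 ip from "$int_net" to any out via "$ext_if" keep-state
    $fwcmd add 500 skipto 1000 ip from me to any out via "$ext_if" keep-state
    # Everything unsolicited, including SYNs to the firewall's own ports, is
    # dropped here before the TCP stack (and log_in_vain) ever sees it.
    $fwcmd add 900 deny log ip from any to any
    $fwcmd add 1000 divert natd ip from any to any out via "$ext_if"
    $fwcmd add 1010 allow ip from any to any
}

# Rule number of the first emitted rule whose text contains $1; used to
# confirm the inbound divert sits ahead of check-state.
rule_number() {
    (fwcmd=echo; load_rules) |
        awk -v pat="$1" '$1 == "add" && index($0, pat) { print $2; exit }'
}

case "${1:-}" in
    load) load_rules ;;
    show) fwcmd=echo; load_rules ;;
esac
```

On the gateway, natd_enable=YES with natd_flags set to the output of natd_flags goes in /etc/rc.conf, and `sh script load` installs the rules.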


ipfw2 - too many dynamic rules

2005-10-18 Thread Stec John
I need some help with ipfw2 on my squid box 

I have too many dynamic rules errors for dns
Can I insert a dns static rule into my rules (as below) and how?

allow ip from any to any via lo0
allow ip from any to any via lo1
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
check-state
allow ip from me to any keep-state
divert 8668 tcp from 202.4.48.0/22 to any dst-port 80
fwd 127.0.0.1,3128 tcp from 202.4.48.0/22 to any dst-port 80
allow ip from any to any
deny ip from any to any





Re: ipfw2 - too many dynamic rules

2005-10-18 Thread Chuck Swiger

Stec John wrote:
I need some help with ipfw2 on my squid box 


I have too many dynamic rules errors for dns
Can I insert a dns static rule into my rules (as below) and how?

[ ... ]

# allow DNS,NTP queries out in the world
add pass udp from any 1024-65535 to any 53,123
add pass udp from any 53,123 to any 1024-65535
add pass udp from any 53,123 to any 53,123
add pass tcp from me to any 53 setup keep-state

Note that you probably want to use the combination of setup keep-state 
elsewhere in your rules, too.


--
-Chuck

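As an added example (not from the thread): given the posted ruleset as ipfw numbers it by default, this picks a rule number just ahead of check-state, emits Chuck's static rules there, and reads the dynamic-table sysctls to see how close the table is to the limit that produces the error. The rule numbers and the sysctl sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: put static DNS/NTP rules ahead of the
# stateful part of a ruleset that is already loaded, so resolver traffic
# stops consuming dynamic-rule slots. Constructed "ipfw list" output for
# Stec's rules as ipfw numbers them by default (steps of 100):
sample_list='00100 allow ip from any to any via lo0
00200 allow ip from any to any via lo1
00300 deny ip from any to 127.0.0.0/8
00400 deny ip from 127.0.0.0/8 to any
00500 check-state
00600 allow ip from me to any keep-state
00700 divert 8668 tcp from 202.4.48.0/22 to any dst-port 80
00800 fwd 127.0.0.1,3128 tcp from 202.4.48.0/22 to any dst-port 80
00900 allow ip from any to any
01000 deny ip from any to any
65535 deny ip from any to any'

fwcmd="${FWCMD:-/sbin/ipfw}"   # FWCMD=echo prints the rules instead of loading them

# Reads "ipfw list" output on stdin and prints a rule number halfway between
# the first rule containing $1 and the rule before it (nothing if no gap).
slot_before() {
    awk -v pat="$1" '
        index($0, pat) { n = int((prev + $1) / 2); if (n > prev) print n; exit }
        { prev = $1 + 0 }'
}

# The static rules from Chuck's reply, all at rule number $1: UDP DNS and NTP
# match here and never reach the keep-state rule, so no dynamic entry is
# created per query; TCP DNS keeps state because it is a real connection.
add_static_dns() {
    n="$1"
    $fwcmd add "$n" pass udp from any 1024-65535 to any 53,123
    $fwcmd add "$n" pass udp from any 53,123 to any 1024-65535
    $fwcmd add "$n" pass udp from any 53,123 to any 53,123
    $fwcmd add "$n" pass tcp from me to any 53 setup keep-state
}

# Reads "sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max" output on
# stdin and prints the percentage of the dynamic table in use; at 100 the
# kernel logs "too many dynamic rules" and stops creating state.
dyn_table_pct() {
    awk -F': ' '/dyn_count/ { c = $2 } /dyn_max/ { m = $2 }
                END { if (m > 0) print int(100 * c / m) }'
}

case "${1:-}" in
    apply)   # on the firewall: insert just ahead of check-state
        n=$(ipfw list | slot_before check-state)
        [ -n "$n" ] && add_static_dns "$n"
        ;;
    show)    # dry run against the constructed sample
        fwcmd=echo
        add_static_dns "$(printf '%s\n' "$sample_list" | slot_before check-state)"
        ;;
esac
```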


Re: ipfw2 - too many dynamic rules

2005-10-18 Thread Chuck Swiger

Stec John wrote:

Hi Chuck, are you suggesting to add these dns rules on top of the existing
rules?


Yes.


Can I use allow instead of pass?


Yes, they mean the same thing:


 allow   Allow packets that match rule.  The search terminates.
 Aliases are pass, permit and accept.

--
-Chuck


Re: ipfw2 - too many dynamic rules

2005-10-18 Thread Stec John
Hi Chuck, are you suggesting to add these dns rules on top of the existing
rules?
Can I use allow instead of pass?



Re: Denying Multiple login in samba with ipfw2

2005-10-12 Thread Eric F Crist

On Oct 11, 2005, at 10:06 PM, RdBSD wrote:


Dear all,
  Can i deny multiple login with the same username in samba using  
ipfw2 ?

 Thanks,
  RdBSD
IT Staff


I do not believe so.  IPFW checks for IP packets, not login  
credentials.  This is something you would have to do within Samba  
itself, if the capability is there.


What you could do is traffic shaping with IPFW.  Simply limit the  
amount of bandwidth a person uses based on IP address, then it  
doesn't really matter how many times they log in.


My $.02.

___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson



Denying Multiple login in samba with ipfw2

2005-10-11 Thread RdBSD
Dear all,
  Can i deny multiple login with the same username in samba using ipfw2 ?
 Thanks,
  RdBSD
IT Staff


IPFW2+NATD stateful rules VS. FTP

2005-09-08 Thread Peter Rosa
Hello everybody,

please can anybody help me with ipfw rules?

My machine is acting as firewall/router/www-proxy/ftp-proxy for small LAN.
It does not work as ftp-server.

I set my ipfw2 rules exactly as in section 25.6.5.7 An Example NAT and
Stateful Ruleset Ex.2 from the handbook.
Everything works well except miserable ftp. I just installed ports/jftpgw to
be a transparent proxy for the internal LAN but still without success.

I understand all the rules in that example, but I do not know where I should
place the fwd rule(s). Ftp depends on two ports, 20 and 21. So I assume
there should be two fwd rules somewhere in the ruleset.
Please, where should I place those rules?

Or is it better to use /etc/natd.conf to redirect all incoming connections
on ports 20 and 21 to localhost?

Any help is *very* appreciated :-)

Peter Rosa



P.S. Please consider adding such rules into the mentioned example in the handbook.
I think a lot of users will welcome such an addition. I spent four days
on Google before writing here and I did not find anything helpful.




Getting ipfw2 on FreeBSD-4.11-STABLE...

2005-08-18 Thread Forrest Aldrich
I have FreeBSD-4.11-STABLE on one of my systems.  I did a 
buildworld/installworld today - but I still have ipfw and not ipfw2 - 
even though the manpage says otherwise.  

It's been a while since I updated this system - I looked through the 
docs and no mention of this in UPDATING etc.


I see in the /usr/src/sbin/ipfw directory a define of -DIPFW2.

So before I hack further, I wonder if I messed something up or if 
there's a switch I must implement to get ipfw2 running on here.



Thanks.



Re: Getting ipfw2 on FreeBSD-4.11-STABLE...

2005-08-18 Thread nawcom

you can always update the Makefile / source.

there's 101 ways to grab the updated copy of the source, so here's one of 'em.

http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ipfw/

good luck :)
Ben



Re: Getting ipfw2 on FreeBSD-4.11-STABLE...

2005-08-18 Thread Mike Tancsa
On Thu, 18 Aug 2005 19:12:19 -0400, in sentex.lists.freebsd.questions
you wrote:

I have FreeBSD-4.11-STABLE on one of my systems.  I did a 
buildworld/installworld today - but I still have ipfw and not ipfw2 - 
even though the manpage says otherwise.  

Add 
IPFW2=TRUE 
in /etc/make.conf
and 
options IPFW2   #firewall
in the kernel

I *think* 
/usr/src/sbin/ipfw
make clean;make depend;make;make install
should work, and then a 
make buildkernel
should do the trick

---Mike

Mike Tancsa, Sentex communications http://www.sentex.net
Providing Internet Access since 1994
[EMAIL PROTECTED], (http://www.tancsa.com)


Re: Getting ipfw2 on FreeBSD-4.11-STABLE...

2005-08-18 Thread Forrest Aldrich

Thanks this worked well.

One further question, the manpage doesn't really elaborate much on the 
use of tables.  Particularly, how to utilize them in deny rules.   
Anyone have better examples, or did I miss something?



Thanks.




Re: ipfw2 and clearing a rules state table records

2005-07-01 Thread Dmitry Mityugov
On 7/1/05, fbsd_user [EMAIL PROTECTED] wrote:
 Is there a way in 5.4 ipfw2 to reset/delete/clear a stateful rule's records
 in the state table?

Never tried this myself, but probably by temporarily lowering
net.inet.ip.fw.dyn_*_lifetime?

-- 
Dmitry

We live less by imagination than despite it - Rockwell Kent, N by E


ipfw2 and clearing a rules state table records

2005-06-30 Thread fbsd_user
Is there a way in 5.4 ipfw2 to reset/delete/clear a stateful rule's records
in the state table?


ipfw2 flush state table

2005-06-29 Thread fbsd_user
When I do an ipfw delete nn on an in-core rule which has keep-state on
it, the rule gets removed ok but it's still in the state table. How can I
delete the targeted rule and flush just that rule's state table records
without blowing away all the other state table records?


Re: ipfw2 filtering on bridge

2005-06-23 Thread Alin-Adrian Anton

Ben wrote:
I'm sorry, I can't send this to the list because my messages to the list 
bounce because reverse DNS isn't set up.




No worries, thanks a lot for answering.

This is funny, I just set this up for the first time yesterday except I 
set everything up to have no IP addresses so that the firewall would be 
invisible to anyone. I think I see what is wrong with your setup...


You've got to change net.link.ether.bridge_ipfw=1 to 
net.link.ether.bridge.ipfw=1 in /etc/sysctl.conf. The handbook 
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html) 
says that net.link.ether.bridge_ipfw=1 was updated in 5.2-RELEASE.




net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,fxp1
net.link.ether.bridge_ipfw=1

# sysctl net.link.ether.bridge.ipfw=1
net.link.ether.bridge.ipfw: 1 -> 1
#

# ipfw add deny icmp from any to any
00100 deny icmp from any to any
#

# ipfw show
00100  0 0 deny icmp from any to any
65535 931748 651891769 allow ip from any to any
#

PING EXT_IP_BEHIND_BRIDGE: 56 data bytes
64 bytes from EXT_IP_BEHIND_BRIDGE: icmp_seq=0 ttl=233 time=74.399 ms
64 bytes from EXT_IP_BEHIND_BRIDGE: icmp_seq=1 ttl=233 time=106.194 ms

Seems not to be working :(

Yours,
--
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785  2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA

It is dangerous to be right when the government is wrong. - Voltaire


ipfw2 filtering on bridge

2005-06-22 Thread Alin-Adrian Anton

Hi there,

I've been running into some problems with what is supposed to be a 
filtering bridge with IPFW, on FreeBSD 5.4-REL0.


IPFW has been compiled into kernel:

options BRIDGE
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT

along with the bridging capability.


No other firewalling mechanisms are enabled.


The bridge is configured and working:

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,vr0
net.link.ether.bridge_ipfw=1

fxp0 is Internet
vr0 is a server with an external IP, called EXT_IP

I tried blocking with trivial ruleset:

00100 0 0 deny icmp from any to any
65535 8518 584248 allow ip from any to any

However, pinging through the bridge, from the Internet, works without fear:
64 bytes from EXT_IP: icmp_seq=0 ttl=233 time=85.994 ms
64 bytes from EXT_IP: icmp_seq=1 ttl=233 time=96.220 ms

If anyone could help me a bit, I'd be really thankful.

Thanks for the time.

Yours Sincerely,
--
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785  2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA

It is dangerous to be right when the government is wrong. - Voltaire


matching tos 0x0 with ipfw2?

2005-06-19 Thread Wolfgang Lausenbart
Hi List,

I'm trying to match 0x0 (Normal Service)
with ipfw iptos [TOS-Value].

As far as I can see one can only use names
to refer to, such as reliability, congestion ...
but the tag normal or normal-service does not exist.

background is, that I want to stop nmap from
scanning my radius server. Noticed that nmap sends
with tos 0x0.

shall I switch to pf now?

best regards ;
wmiuser/[EMAIL PROTECTED]

--
E7AC 1E9B 87D8 5BD2 E2F2  6F4A 3177 ED68 8185 480C



Error compiling ipfw2 on FreeBSD 4.11-RELEASE and 4.11-p10

2005-06-13 Thread Paul Hamilton
Hi,
 
I have upgraded from FreeBSD 4.7 to 4.11-RELEASE via booting from CD 1.
 
I have IPFW2 options already set in my kernel config file, and in
/etc/make.conf
 
Next, I recompile the kernel, and install it.  Then I went to the
/usr/src/sbin/ipfw dir:-
 
/usr/src/sbin/ipfw-121 mailto:[EMAIL PROTECTED]:19pm]/usr/src/sbin/ipfw-121 #
make clean
rm -f ipfw ipfw2.o ipfw.8.gz ipfw.8.cat.gz
/usr/src/sbin/ipfw-122 mailto:[EMAIL PROTECTED]:19pm]/usr/src/sbin/ipfw-122 #
make -DIPFW2
cc -O -pipe  -Wall -DIPFW2-c /usr/src/sbin/ipfw/ipfw2.c
/usr/src/sbin/ipfw/ipfw2.c: In function `list':
/usr/src/sbin/ipfw/ipfw2.c:1698: warning: `last' might be used uninitialized
in this function
cc -O -pipe  -Wall -DIPFW2 -static -o ipfw ipfw2.o 
gzip -cn /usr/src/sbin/ipfw/ipfw.8 > ipfw.8.gz
/usr/src/sbin/ipfw-123 mailto:[EMAIL PROTECTED]:19pm]/usr/src/sbin/ipfw-123 # 
l
total 226
  2 drwxr-xr-x   2 root  wheel512 Apr 10 17:32 ./
  2 drwxr-xr-x  82 root  wheel   1536 Apr 10 17:20 ../
  2 -rw-r--r--   1 root  wheel196 Jul 24  2002 Makefile
 64 -rw-r--r--   1 root  wheel  65358 Jun 16  2004 ipfw.8
 62 -rw-r--r--   1 root  wheel  62391 Apr 10 17:20 ipfw.c
 94 -rw-r--r--   1 root  wheel  95621 Nov  9  2004 ipfw2.c
 
I have also tried running 'make' by itself (with out the -DIPFW2 switch)
 
So just as a test, I tried doing the same thing from another FreeBSD
4.11-p10 server (IPFW2 was installed during the buildworld-installworld
process).  I got the same error when manually trying to compile IPFW2!  I
have never had a problem before.
 
What am I doing wrong here?  Any clues?
 
Cheers,
 
Paul


RE: Error compiling ipfw2 on FreeBSD 4.11-RELEASE and 4.11-p10

2005-06-13 Thread Paul Hamilton
Hi,

Thanks.  Hmm, I am pretty sure you still need to re-compile IPFW etc.

After a bit of a panic, and a dig around, I found that things have changed,
and the compiled ipfw file is now located in:
/usr/obj/usr/src/sbin/ipfw/ipfw. This can then be copied to /sbin/ipfw; same
for the libalias.so.4 file.

Whew!

I don't think it was like this in 4.10.  Must be a 4.11 thing.

Cheers,

Paul

-Original Message-
From: fbsd_user [mailto:[EMAIL PROTECTED] 
Sent: Monday, 13 June 2005 7:45 PM
To: Paul Hamilton
Subject: RE: Error compiling ipfw2 on FreeBSD 4.11-RELEASE and 4.11-p10


I think ipfw2 has replaced ipfw in the base release by 4.11. You no longer
have to do anything after compiling the kernel.



Problems with ipfw2 ?

2005-03-24 Thread Stefan Cars
Hi!
I have a very strange problem with our firewall using ipfw2.  Below is 
my configuration file. The firewall is a bridging firewall (em2,em3). 
After a few seconds (7-12 seconds) of ICMP pings to a machine behind the 
firewall, it suddenly starts blocking all traffic to that specific host. 
This is also true for networks that I have permitted at the top of the 
config. It rejects everything regardless of any rules I have made.

Any ideas anyone ?
# Trusted networks
add permit ip from /28 to any
add permit ip from /26 to any
add permit ip from /25 to any
add permit ip from any to any established
# DNS
add permit ip from any to any 53
# ICMP
add permit icmp from any to any
# HTTP
add permit ip from any to any 80
add permit ip from any to any 443
# SSH
add permit ip from any to any 22


# Deny everything else
add deny ip from any to any


IPFW2 verrevpath versrcreach antispoof

2005-02-27 Thread abu khaled
Greetings...

I recently built world and kernel with ipfw support. Can someone
provide examples on how to use these options (verrevpath, versrcreach
and antispoof). What can they be used for, and what can't they! And how to use
them (proper syntax).

Excuse my poor English! I am new to FreeBSD and UNIX / LINUX.
However, thanks to searching the mailing lists I managed to set up a
FreeBSD box. I use it as a router with squid as a transparent proxy
and Bind forwarding DNS.

FreeBSD *.*5.4-PRERELEASE FreeBSD 5.4-PRERELEASE #0: Sat Feb
26 07:19:15 IST 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/XNET530
 i386


Re: IPFW2 verrevpath versrcreach antispoof

2005-02-27 Thread abu khaled
I hope I am sending this post to the right mailing list !!!



problems with ipfw2 divert

2004-12-28 Thread Zijian Zhou
Hi:

I am trying to set up a freebsd machine as a bridge to implement a
sort of firewall at the bridging layer.

I am running:  FreeBSD 4.11-PRERELEASE i386

I have a divert socket bound to the port 8668 for outgoing traffic and
I have another divert socket bound to the port 8669 for incoming
traffic. I am using ipfw2 for diverting traffic.

Has anybody experienced this problem: only one side of the traffic
gets diverted and the other side is never touched? If so, has anyone
fixed this problem?

here is my simple ipfw2 rule set:

rp6# ipfw show
00100   8458   2774224 divert 8668 udp from any 68 to any dst-port 67 recv dc0
00101  0 0 divert 8669 udp from any 67 to any dst-port 68 recv dc1
65535 502777 113629564 allow ip from any to any

these are some of my kernel variables for bridging.
rp6# sysctl -a |grep bridg
net.link.ether.bridge_cfg: dc0,dc1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0


thank you


ipfw2 and preproc

2004-12-16 Thread [EMAIL PROTECTED]
I have read the man page for ipfw and searched the web looking for examples of 
using ipfw2 and the preprocessor option.

Does anybody have any examples?

Could I use the preproc option to create a deep packet inspection program?

Please help!

Thank you.
-- 
Thomas J. Raef
e-Based Security, Inc.
[EMAIL PROTECTED]

You're either hardened - or you're hacked!


Re: ipfw2 and preproc

2004-12-16 Thread Chuck Swiger
[EMAIL PROTECTED] wrote:
I have read the man page for ipfw and searched the web looking for examples
of using ipfw2 and the preprocessor option.
Does anybody have any examples?
Try something like the following in /etc/rc.conf:
#firewall_type='/etc/MY_firewall'
#firewall_flags='-p /usr/bin/cpp'
...and create /etc/MY_firewall containing:

# set these to your inside interface network and netmask and ip
#define IIF sis0
#define INET 192.168.1.0/24
#define IIP 192.168.1.2
# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535
# dynamic rules
add check-state
add allow tcp from any HIPORTS to INET 22,80,143,443,3128 setup keep-state
add allow ip from INET to any keep-state
add 65000 deny log ip from any to any
--
-Chuck


IPFW2

2004-12-13 Thread Doloonkhuch

Dear sir,
Now I'm using FreeBSD 5.2.1 release but now I can't compile a new kernel with 
the IPFIREWALL_FORWARD option. Please tell me whether port forwarding works or not 
on FreeBSD 5.2.1 release. I think maybe the IPFIREWALL options are already included.

Best regards
Doloonkhuch.A 



Re: IPFW2

2004-12-13 Thread Kevin D. Kinsey, DaleCo, S.P.
There is no need for the IPFIREWALL_FORWARD option; this functionality
is built in and has been for a long time.  Refer to:

http://lists.freebsd.org/pipermail/freebsd-current/2003-November/014599.html

HTH,
Kevin Kinsey


panic with 4.10p4 and ipfw2

2004-12-07 Thread Andrea Venturoli
Hello.
A box of mine, which acts as firewall/bridge, is experiencing frequent 
panics.
As said in the subject line, it's a 4.10-RELEASE-p4 with ipfw2 enabled 
in the kernel.

I've run through post mortem kernel analysis and found out that the 
crashes are always related to ipfw2; specifically I get:
 panic: free: multiple frees

Here is the complete backtrace:
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1  0xc0150993 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:316
#2  0xc0150db8 in poweroff_wait (junk=0xc02354ac, howto=-1071427665)
at /usr/src/sys/kern/kern_shutdown.c:595
#3  0xc0208a3e in trap_fatal (frame=0xc023a3e4, eva=48)
at /usr/src/sys/i386/i386/trap.c:974
#4  0xc0208711 in trap_pfault (frame=0xc023a3e4, usermode=0, eva=48)
at /usr/src/sys/i386/i386/trap.c:867
#5  0xc02082fb in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = 0,
  tf_esi = 0, tf_ebp = -1071406036, tf_isp = -1071406064,
  tf_ebx = -1071330820, tf_edx = 6864896, tf_ecx = -1054588914,
  tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1071892584, tf_cs = 8,
  tf_eflags = 66182, tf_esp = -967647568, tf_ss = 0})
at /usr/src/sys/i386/i386/trap.c:466
#6  0xc01c3798 in acquire_lock (lk=0xc024c9fc)
at /usr/src/sys/ufs/ffs/ffs_softdep.c:266
#7  0xc01c8e7c in softdep_count_dependencies (bp=0xc652deb0, wantcount=0)
at /usr/src/sys/ufs/ffs/ffs_softdep.c:4792
#8  0xc01cc0d8 in ffs_fsync (ap=0xc023a4a0)
at /usr/src/sys/ufs/ffs/ffs_vnops.c:168
#9  0xc01cabab in ffs_sync (mp=0xc123fc00, waitfor=2, cred=0xc0a3e800,
p=0xc026dbe0) at vnode_if.h:558
#10 0xc0181737 in sync (p=0xc026dbe0, uap=0x0)
at /usr/src/sys/kern/vfs_syscalls.c:583
#11 0xc015072e in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:235
#12 0xc0150db8 in poweroff_wait (junk=0xc0218cff, howto=-1051816704)
at /usr/src/sys/kern/kern_shutdown.c:595
#13 0xc014c41f in free (addr=0xc18fc100, type=0xc0249420)
at /usr/src/sys/kern/kern_malloc.c:385
#14 0xc01a56ce in lookup_dyn_rule (pkt=0xc023a650, match_direction=0xc023a5c8,
tcp=0xc0b26b50) at /usr/src/sys/netinet/ip_fw2.c:784
#15 0xc01a6ae7 in ipfw_chk (args=0xc023a630)
at /usr/src/sys/netinet/ip_fw2.c:1900
#16 0xc01aa5f5 in ip_output (m0=0xc0b26b00, opt=0x0, ro=0xd0bfb0fc, flags=0,
imo=0x0, inp=0xd0bfb0c0) at /usr/src/sys/netinet/ip_output.c:733
#17 0xc01afc51 in tcp_output (tp=0xd0bfb180)
at /usr/src/sys/netinet/tcp_output.c:953
#18 0xc01ae977 in tcp_input (m=0xc0b26b00, off0=20, proto=6)
at /usr/src/sys/netinet/tcp_input.c:2229
#19 0xc01a8f1c in ip_input (m=0xc0b26b00)
at /usr/src/sys/netinet/ip_input.c:934
#20 0xc01a8f7b in ipintr () at /usr/src/sys/netinet/ip_input.c:955
#21 0xc01fbd89 in swi_net_next ()
#22 0xc0156a69 in softclock () at /usr/src/sys/kern/kern_timeout.c:131
#23 0xc01fbd43 in doreti_swi ()

So, free is called from the following fragment:
/**
 * lookup a dynamic rule.
 */
static ipfw_dyn_rule *
lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
	struct tcphdr *tcp)
{
	/*
	 * stateful ipfw extensions.
	 * Lookup into dynamic session queue
	 */
#define MATCH_REVERSE	0
#define MATCH_FORWARD	1
#define MATCH_NONE	2
#define MATCH_UNKNOWN	3
	int i, dir = MATCH_NONE;
	ipfw_dyn_rule *prev, *q=NULL;

	if (ipfw_dyn_v == NULL)
		goto done;	/* not found */
	i = hash_packet( pkt );
	for (prev=NULL, q = ipfw_dyn_v[i] ; q != NULL ; ) {
		if (q->dyn_type == O_LIMIT_PARENT && q->count)
			goto next;
		if (TIME_LEQ( q->expire, time_second)) { /* expire entry */
=>			UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
			continue;
		}
		if (pkt->proto == q->id.proto &&
		    q->dyn_type != O_LIMIT_PARENT) {

I'm no kernel expert, so take my observations for what they might be
worth, but:

(kgdb) p *q
$24 = {next = 0xc18a2d00, rule = 0xc6523b3c, parent = 0xd0001,
  pcnt = 13916504069872025600, bcnt = 11709303859986432, id = {dst_ip = 0,
src_ip = 0, dst_port = 15744, src_port = 49469, proto = 164 '\244',
flags = 129 '\201'}, expire = 0, bucket = 4294967295, state = 4294967295,
  ack_fwd = 0, ack_rev = 0, dyn_type = 0, count = 0}
(kgdb)
These values do not make much sense to me... maybe the mess has already 
happened?

Any hint?
Is ipfw2 known to be broken in 4_10? Should I upgrade to 4_STABLE?
Or is it just a matter of finding a better configuration for all the 
relevant sysctl (which are all set to their default values)?

Really any help is appreciated!!!
bye & Thanks
av.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Mac filtering with ipfw2

2004-08-31 Thread Steve Quezadas
Hello,
 
I have tried and tried and tried to get mac filtering to work with
ipfw2. I have tried the usual sources (Google Groups, google, mailing
list, man pages, etc). Here it goes:
 
I basically want to allow traffic to come from one mac address. I am
trying to get the following rule to work:
 
ipfw add accept tcp from any to any MAC any 10:20:30:40:50:60
 
Yes, ipfw2 is on my freebsd system. This rule is basically: allow
traffic from mac address 10:20:30:40:50:60 to anywhere on the
network.
 
What am I doing wrong?
 
- Steve
 
 


Re: Mac filtering with ipfw2

2004-08-31 Thread Charles Swiger
On Aug 31, 2004, at 12:07 PM, Steve Quezadas wrote:
I basically want to allow traffic to come from one mac address. I am
trying to get the following rule to work:
ipfw add accept tcp from any to any MAC any 10:20:30:40:50:60
OK, that looks about right.
Yes, ipfw2 is on my freebsd system. This rule is basically: allow
traffic from mac address 10:20:30:40:50:60 to anywhere on the
network.
What am I doing wrong?
Dunno.  You've told us what you want to do, but you haven't told us 
what the problem is that you are having.  If you add the log keyword to 
your rules, you might have a better shot at seeing what they are doing; 
also look at ipfw -a list.

--
-Chuck


Re: Mac filtering with ipfw2

2004-08-31 Thread Christian Hiris
On Tuesday 31 August 2004 18:07, Steve Quezadas wrote:
> Hello,
>
> I have tried and tried and tried to get mac filtering to work with
> ipfw2. I have tried the usual sources (Google Groups, google, mailing
> list, man pages, etc). Here it goes:
>
> I basically want to allow traffic to come from one mac address. I am
> trying to get the following rule to work:
>
> ipfw add accept tcp from any to any MAC any 10:20:30:40:50:60
>
> Yes, ipfw2 is on my freebsd system. This rule is basically: allow
> traffic from mac address 10:20:30:40:50:60 to anywhere on the
> network.
>
> What am I doing wrong?

Did you set the sysctl net.link.ether.ipfw=1? You can do this 
in /etc/sysctl.conf or via the sysctl command.

If you want to establish any kind of useful communication, you need to allow 
incoming and outgoing traffic for the specified MAC. 

# ipfw add pass MAC any 10:20:30:40:50:60
# ipfw add pass MAC 10:20:30:40:50:60 any
   
To use arp requests (which are addressed to ff:ff:ff:ff:ff:ff) you need to 
allow them a way out, too.  

# ipfw add pass MAC any ff:ff:ff:ff:ff:ff 

Cheers,
ch 

-- 
Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x941B6B0B 
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu




ipfw2 or ipfilter

2004-08-16 Thread Stefan Cars
Hi!

I'm looking into if I should go with ipfw2 or ipfilter, anyone that could
point me to some links or tell me pro's and con's (both feature and
performance wise).

Kind Regards,
Stefan Cars

--
Stefan Cars
Snowfall Communications
http://www.snowfall.se
Tel: +46 (0)18 430 80 50 - Direct: +46 (0)18 430 80 51
Mobile: +46 (0)708 44 36 00 - Fax: +46 (0)708 44 36 04


Re: ipfw2 or ipfilter

2004-08-16 Thread Matthew Seaman
On Mon, Aug 16, 2004 at 06:46:23PM +0200, Stefan Cars wrote:

> I'm looking into if I should go with ipfw2 or ipfilter, anyone that could
> point me to some links or tell me pro's and con's (both feature and
> performance wise).

Unless you're running quite a complicated setup or have specific
requirements then there isn't really any preference for one over the
other.  If you're running a typical home system, even with say, a
10Mbit/s cable modem connection, any reasonably modern FreeBSD machine
is going to be able to do firewall filtering without breaking into a
sweat.  You'd need some quite fancy hardware to detect performance
differences between the two.

Probably the biggest reason to choose one over the other is simple
personal preference between the different rule-set styles.  ipfw is
'first match wins' (hence rule sets tend to be ordered from most to
least specific).  ipfilter is 'last match wins', so the most general
rules tend to go at the top of rulesets -- although there are special
'quick' rules that can shortcut the process.

In general both firewalls have very similar functionality.  ipfw(8)
can act as a filtering bridge and it can provide weighted fair queuing
and bandwidth limited pipes in conjunction with dummynet(4).  ipfilter
seems to have more complete IPv6 support than ip6fw.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




FreeBSD 4.0 with ipnat/ipfw2 1:1 NAT

2004-07-01 Thread Matt Juszczak
Hello all,
Was just wondering everyone's opinion on this subject
Got a FreeBSD box ... 2.4 ghz Xeon with 1 gig RAM and two gb nic cards.  
This box's job is to do a 1:1 NAT for about 2000 workstations.

In everyone's opinion, is IPNAT and IPFW2 a good solution for this?  
Also, will that box handle that (I'm pretty sure it will), and if so, 
any security recommendations? (other than custom kernel, local firewall, 
and securelevel 2).

Thanks!
-Matt


IPFW2 strange issues on BSD-5.2.1 (RESENT)

2004-06-29 Thread m
This is a resent message, as no one has bothered to reply (yet).

RESENT MESSAGE TEXT FOLLOWS
___


I'm using FreeBSD 5.2.1 with IPFW2 as a firewall/router on a network.  The
firewall itself does not need to be terribly sophisticated -- on the other
hand, it is having some problems.

I'm seeing some very strange things in the dynamic ruleset.  The last 4
entries in the list are the issues.  You can see that none of the information
in the last 4 dynamic rules makes any sense -- not the #/packets or bytes,
the rule #, or even the protocol.  The IP addresses referred to are not
local to any part of the network, and some aren't even listed in the
appropriate WHOIS database.

I'm totally lost on this.  Any help would be appreciated, including
suggestions as to how to generate better log information.  Nothing shows in
my logs, either.

Interestingly, these last (weird) rules appear & disappear at random
intervals, with different information each time -- different rule numbers
(but non-existent in my ruleset), different IPs, and different protocols.

host-64-179-35-23# ipfw -de show
00050  35654   14976392 divert 8668 ip from any to any via xl0
00100   29882071714 allow ip from 127.0.0.0/8 to 127.0.0.0/8
00200  0  0 deny ip from 127.0.0.0/8 to any
00300  0  0 deny ip from any to 127.0.0.0/8
00310  0  0 allow ip from 224.0.0.1 to any
00311110   3960 allow ip from any to 224.0.0.1
00350  0  0 deny log argus from any to any
00351  0  0 deny log scps from any to any
00352  0  0 deny log igmp from any to any
00354  0  0 deny log netblt from any to any
00355  0  0 deny ip from 0.0.0.0 to any
00356  0  0 deny ip from any to 0.0.0.0
00357  0  0 deny ipv6-nonxt from any to any
00359  0  0 deny log trunk-2 from any to any
00360 99   6224 deny log icmp from any to any
00400891 111330 allow ip from 205.201.9.0/24 to me setup
keep-state
00410  0  0 allow ip from 151.201.141.231 to me setup
keep-state
00420  0  0 deny ip from any to me dst-port 22
00450   1272 539440 allow ip from any to me dst-port 25 setup
keep-state
00451151  12032 allow ip from me to any dst-port 21 setup
keep-state
00452  0  0 allow ip from me to any dst-port 20 setup
keep-state
00453  115131798157 allow ip from me to any dst-port 80 setup
keep-state
00454 11   1457 allow ip from me to any dst-port 443 setup
keep-state
00455  0  0 allow ip from any 20 to me setup keep-state
00457  0  0 allow ip from me to any dst-port 22 setup
keep-state
00458  0  0 allow ip from any 25 to me setup keep-state
00459  0  0 allow ip from any to me dst-port 80 setup
keep-state
00498   2373 267409 allow ip from any to me
00499   62671635428 allow ip from me to any
00520  0  0 allow ip from 224.0.0.1 to any
00530  0  0 allow ip from any to 224.0.0.1
00800 11739 allow udp from any to 207.69.188.200 dst-port 53
00810 22  10768 allow udp from 207.69.188.200 53 to any
00820250  15731 allow udp from any to 64.65.223.6 dst-port 53
00830498 141930 allow udp from 64.65.223.6 53 to any
00840 94   6784 allow udp from any to any dst-port 53
00841122  36608 allow udp from any 53 to any
00850  0  0 allow ip from 255.255.255.255 to any
00860232  70064 allow ip from any to 255.255.255.255
00998 82  18216 allow ip from 192.168.1.0/24 to 192.168.1.0/24
not via xl0
00999  0  0 check-state
01000  0  0 allow ip from any to 192.168.1.5 dst-port 25
setup keep-state
01010   1115 517038 allow ip from any to 192.168.1.5 dst-port 80
setup keep-state
01020  0  0 allow ip from any to 192.168.1.5 dst-port 2500
setup keep-state
01100332  49019 allow ip from 192.168.1.5 to any dst-port 25
setup keep-state
01110   1177 978983 allow ip from 192.168.1.5 to any dst-port 80
setup keep-state
01115  0  0 allow ip from 192.168.1.5 to any dst-port 443
setup keep-state
01120  0  0 allow ip from 192.168.1.5 to any dst-port 21
setup keep-state
01125  0  0 allow ip from 192.168.1.5 to any dst-port 20
setup keep-state
01130  0  0 allow ip from 192.168.1.5 20 to any setup
keep-state
01998 83   3704 deny log ip from 192.168.1.5 to any
01999 36   1440 deny log ip from any to 192.168.1.5
02010  0  0 allow ip from 192.168.1.0/24 to any dst-port 20
setup keep-state
02020  40906   23355938 allow ip from 192.168.1.0/24 to any dst-port 80
setup keep-state
02030 39  20505 allow ip from

Re: [from newbies] RE: IPFW2 + 4.10

2004-06-28 Thread Matt Juszczak
Matt,
IPFW2 is not compiled into 4.10 by default. At a shell, type man ipfw,
then a single forward slash (to bring up the search tool), then search
for STABLE a couple of times & directions are in there

Here it is anyway
USING IPFW2 IN FreeBSD-STABLE
ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses
ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw
and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the
same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before
a buildworld).
Hope that helps,
Matt
clayton rollins wrote:
On June 28, 2004, Matt [EMAIL PROTECTED] wrote:
Hello freebsd-newbies,
I am still fairly new at the BSD level, migrated from linux. The
question that I have is, is Version 4.10 kernel compiled with IPFW2,
I know the doc's say that CURRENT version has and that it was
implemented in 2002, yet the doc's say that STABLE does not have
it compiled into the kernel.
Can someone please clarify
--
Best regards,
Matt mailto:[EMAIL PROTECTED]
Hi Matt,
(Can't reply on -newbies, it's a list charter thing :).)
4.x versions come from the STABLE branch and, so, do not
have ipfw2 compiled in the kernel by default. (Instead, they
use the older, and more tested, ipfw.)
If you want ipfw2, refer to 'man 8 ipfw', the section using
ipfw2 on freebsd-stable, for very good instructions.
Regards,
Clayton





IPFW2 strange issues on BSD-5.2.1

2004-06-28 Thread m
I'm using FreeBSD 5.2.1 with IPFW2 as a firewall/router on a network.

I'm seeing some very strange things in the dynamic ruleset.  The last 4
entries in the list are the issues.  You can see that none of the information
in the last 4 dynamic rules makes any sense -- not the #/packets or bytes,
the rule #, or even the protocol.  The IP addresses referred to are not
local to any part of the network, and some aren't even listed in the
appropriate WHOIS database.

I'm totally lost on this.  Any help would be appreciated, including
suggestions as to how to generate better log information.  Nothing shows in
my logs, either.

Interestingly, these last (weird) rules appear & disappear at random
intervals, with different information each time -- different rule numbers
(but non-existent in my ruleset), different IPs, and different protocols.

host-64-179-35-23# ipfw -de show
00050  35654   14976392 divert 8668 ip from any to any via xl0
00100   29882071714 allow ip from 127.0.0.0/8 to 127.0.0.0/8
00200  0  0 deny ip from 127.0.0.0/8 to any
00300  0  0 deny ip from any to 127.0.0.0/8
00310  0  0 allow ip from 224.0.0.1 to any
00311110   3960 allow ip from any to 224.0.0.1
00350  0  0 deny log argus from any to any
00351  0  0 deny log scps from any to any
00352  0  0 deny log igmp from any to any
00354  0  0 deny log netblt from any to any
00355  0  0 deny ip from 0.0.0.0 to any
00356  0  0 deny ip from any to 0.0.0.0
00357  0  0 deny ipv6-nonxt from any to any
00359  0  0 deny log trunk-2 from any to any
00360 99   6224 deny log icmp from any to any
00400891 111330 allow ip from 205.201.9.0/24 to me setup
keep-state
00410  0  0 allow ip from 151.201.141.231 to me setup
keep-state
00420  0  0 deny ip from any to me dst-port 22
00450   1272 539440 allow ip from any to me dst-port 25 setup
keep-state
00451151  12032 allow ip from me to any dst-port 21 setup
keep-state
00452  0  0 allow ip from me to any dst-port 20 setup
keep-state
00453  115131798157 allow ip from me to any dst-port 80 setup
keep-state
00454 11   1457 allow ip from me to any dst-port 443 setup
keep-state
00455  0  0 allow ip from any 20 to me setup keep-state
00457  0  0 allow ip from me to any dst-port 22 setup
keep-state
00458  0  0 allow ip from any 25 to me setup keep-state
00459  0  0 allow ip from any to me dst-port 80 setup
keep-state
00498   2373 267409 allow ip from any to me
00499   62671635428 allow ip from me to any
00520  0  0 allow ip from 224.0.0.1 to any
00530  0  0 allow ip from any to 224.0.0.1
00800 11739 allow udp from any to 207.69.188.200 dst-port 53
00810 22  10768 allow udp from 207.69.188.200 53 to any
00820250  15731 allow udp from any to 64.65.223.6 dst-port 53
00830498 141930 allow udp from 64.65.223.6 53 to any
00840 94   6784 allow udp from any to any dst-port 53
00841122  36608 allow udp from any 53 to any
00850  0  0 allow ip from 255.255.255.255 to any
00860232  70064 allow ip from any to 255.255.255.255
00998 82  18216 allow ip from 192.168.1.0/24 to 192.168.1.0/24
not via xl0
00999  0  0 check-state
01000  0  0 allow ip from any to 192.168.1.5 dst-port 25
setup keep-state
01010   1115 517038 allow ip from any to 192.168.1.5 dst-port 80
setup keep-state
01020  0  0 allow ip from any to 192.168.1.5 dst-port 2500
setup keep-state
01100332  49019 allow ip from 192.168.1.5 to any dst-port 25
setup keep-state
01110   1177 978983 allow ip from 192.168.1.5 to any dst-port 80
setup keep-state
01115  0  0 allow ip from 192.168.1.5 to any dst-port 443
setup keep-state
01120  0  0 allow ip from 192.168.1.5 to any dst-port 21
setup keep-state
01125  0  0 allow ip from 192.168.1.5 to any dst-port 20
setup keep-state
01130  0  0 allow ip from 192.168.1.5 20 to any setup
keep-state
01998 83   3704 deny log ip from 192.168.1.5 to any
01999 36   1440 deny log ip from any to 192.168.1.5
02010  0  0 allow ip from 192.168.1.0/24 to any dst-port 20
setup keep-state
02020  40906   23355938 allow ip from 192.168.1.0/24 to any dst-port 80
setup keep-state
02030 39  20505 allow ip from 192.168.1.0/24 to any dst-port 443
setup keep-state
02040  0  0 allow ip from 192.168.1.0/24 to any dst-port 21
setup keep-state
02050  0  0 allow ip from 192.168.1.0/24 20 to any setup
keep-state
65000

[from newbies] RE: IPFW2 + 4.10

2004-06-27 Thread clayton rollins
On June 28, 2004, Matt [EMAIL PROTECTED] wrote:
Hello freebsd-newbies,
  I am still fairly new at the BSD level, migrated from linux. The
  question that I have is, is Version 4.10 kernel compiled with IPFW2,
  I know the doc's say that CURRENT version has and that it was
  implemented in 2002, yet the doc's say that STABLE does not have
  it compiled into the kernel.
  Can someone please clarify
  --
Best regards,
 Matt  mailto:[EMAIL PROTECTED]
Hi Matt,
(Can't reply on -newbies, it's a list charter thing :).)
4.x versions come from the STABLE branch and, so, do not
have ipfw2 compiled in the kernel by default. (Instead, they
use the older, and more tested, ipfw.)
If you want ipfw2, refer to 'man 8 ipfw', the section using
ipfw2 on freebsd-stable, for very good instructions.
Regards,
Clayton



IPFW2 Mac Address Filtering

2004-05-25 Thread Elijah A . Chancey
I've searched high and low, and have read many times that doing mac 
address filtering with ipfw is possible.

I'm running 4.9, have recompiled the kernel with 'options ipfw2', and 
have recompiled libalias & ipfw with ipfw2 support.

I've read through the man pages, and I can't make this particular rule 
work.

I need to block all IP packets EXCEPT for packets coming from specific 
MAC addresses.

Can anyone give me an example of specifically how I should form this 
rule?

Elijah Chancey
NetlinkIP Sysadmin


Re: IPFW2 Mac Address Filtering

2004-05-25 Thread Christian Hiris
On Tuesday 25 May 2004 17:57, Elijah A.Chancey wrote:
> I've searched high and low, and have read many times that doing mac
> address filtering with ipfw is possible.
>
> I'm running 4.9, have recompiled the kernel with 'options ipfw2', and
> have recompiled libalias & ipfw with ipfw2 support.
>
> I've read through the man pages, and I can't make this particular rule
> work.
>
> I need to block all IP packets EXCEPT for packets coming from specific
> MAC addresses.
>
> Can anyone give me an example of specifically how I should form this
> rule?
>
> Elijah Chancey
> NetlinkIP Sysadmin


Don't forget to set sysctl net.link.ether.ipfw=1.

[...]

# eth0: MAC of firewall NIC
# eth1: MAC of NIC to allow
# eth_broadcast: broadcast address  

eth0=00:04:00:00:00:01
eth1=00:04:00:00:00:02
eth_broadcast=ff:ff:ff:ff:ff:ff

${fwcmd} add pass MAC ${eth0} ${eth1}  
${fwcmd} add pass MAC ${eth1} ${eth0}
${fwcmd} add pass MAC ${eth_broadcast} ${eth0}
${fwcmd} add pass MAC ${eth_broadcast} ${eth1}

[...]


regards
ch

-- 
Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x941B6B0B 
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
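The layer-2 allow-list Christian describes in both MAC threads (set net.link.ether.ipfw=1, pass both directions, pass broadcast so ARP still works), assembled into one sh script. This is an added example, not code from any poster; the MAC addresses are constructed, and FWCMD defaults to echo so the generated rules can be inspected on any machine without ipfw.

```shell
#!/bin/sh
# Added example (not from any poster): generate the ipfw2 layer-2 rules that
# let only an allow-listed set of MAC addresses exchange frames with the
# firewall, following Christian Hiris's pattern in this thread.
# Requires sysctl net.link.ether.ipfw=1, or no rule here ever sees a frame.
# FWCMD defaults to echo (dry run: the rules are printed, nothing is loaded);
# on a FreeBSD host run with FWCMD="/sbin/ipfw -q" to load them.
FWCMD=${FWCMD:-echo}
BCAST=ff:ff:ff:ff:ff:ff

# valid_mac MAC: 0 if MAC is six lower-case hex pairs, as ipfw prints them.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_rules FIREWALL_MAC "ALLOWED_MAC ..." [BASE]
# Emits the ruleset starting at rule number BASE (default 1000).
# Note the operand order ipfw uses: "MAC dst-mac src-mac".
mac_rules() {
    fw=$1
    allowed=$2
    n=${3:-1000}
    valid_mac "$fw" || { echo "mac_rules: bad firewall MAC '$fw'" >&2; return 1; }
    # The firewall's own broadcasts (its ARP requests) need a way out.
    $FWCMD add "$n" pass MAC "$BCAST" "$fw"
    for m in $allowed; do
        valid_mac "$m" || { echo "mac_rules: bad MAC '$m'" >&2; return 1; }
        n=$((n + 10))
        $FWCMD add "$n" pass MAC "$fw" "$m"                # host -> firewall
        $FWCMD add "$((n + 1))" pass MAC "$m" "$fw"        # firewall -> host
        $FWCMD add "$((n + 2))" pass MAC "$BCAST" "$m"     # host's ARP requests
    done
    # Every other frame is dropped and logged. "layer2" confines this rule to
    # the layer-2 pass, so the same packet's layer-3 pass through the ruleset
    # (which carries no MAC header and is handled by the IP rules) is untouched.
    $FWCMD add "$((n + 10))" deny log MAC any any layer2
}

# Constructed addresses for the dry run; on a real host take them from
# ifconfig(8) and arp(8).
mac_rules 00:04:00:00:00:01 "00:04:00:00:00:02 00:04:00:00:00:03" 1000
```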




ipfw2: mac any any blocks ipfw rule

2004-05-15 Thread Rob
Hi,
I use FreeBSD 4.9-Stable, with IPFW2 compiled in.
I have an ipfw rule as follows:
  ipfw allow udp from 11.22.33.44 to any in via rl0
which works fine for my purpose (I faked the IP address for this email).
Next I needed to add MAC-checking on this rule, so to begin with
I tried to add a dummy mac-check (allow all mac addresses in & out):
  ipfw allow udp from 11.22.33.44 to any in via rl0 mac any any
But this will block, whatever was allowed by the previous version of
this rule. How is that possible?
In this mailinglist I also found a note on:
  sysctl net.link.ether.ipfw=1
which I did, to no avail.
Any ideas, or is MAC-checking broken with ipfw2?
Thanks,
Rob.


Re: 5.2 + ipfw2 + keep-state rules Bug

2004-01-18 Thread Chuck Swiger
fbsd_user wrote:
Using a fresh install of FBSD 5.2 RC2 I am trying to
get stateful rules to function.
For some reason ipfw2 seems to be issuing an ICMP:3.3
packet to my ISP's dns.
[ ... ]
# Internal gateway housekeeping
$cmd 00100 allow all from any to any via lo0  # allow all localhost
$cmd 00105 allow all from any to any via xl0  # allow all local Lan
$cmd 00110 check-state log logamount 500
$cmd 00150 divert natd all from any to any
$cmd 00170 count log logamount 500 all from any to any
$cmd 00310 allow log logamount 500 tcp from any to any 53 out via
rl0 setup keep-state
$cmd 00311 allow log logamount 500 udp from any to any 53 out via
rl0 keep-state
$cmd 00315 allow log logamount 500 tcp from any to any 80 out via
rl0 setup keep-state
$cmd 00350 allow log logamount 500 icmp from any to any out via rl0
keep-state
$cmd 00500 deny  log logamount 500 all from any to any
Something like the following would be better in terms of DNS and not blocking 
essential types of ICMP traffic:

allow tcp from any to any 53 out via rl0 setup keep-state
allow udp from any to any 53
allow icmp from any to any icmptypes 0,3,4,8,11,12
This allows bidirectional UDP-based DNS queries, but only outbound long 
(TCP-based) DNS queries like zone-transfers.  YMMV, and it may not solve your 
problem-- it looked like your queries were coming from an internal host 
(10.0.10.5) using NAT?  Are you sure that natd is okay?  Maybe put the divert 
statement before the check-state rule?

--
-Chuck


5.2 + ipfw2 + keep-state rules Bug

2004-01-17 Thread fbsd_user
Using a fresh install of FBSD 5.2 RC2 I am trying to
get stateful rules to function.
For some reason ipfw2 seems to be issuing an ICMP:3.3
packet to my ISP's dns.

Here is my rules file

# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Set rules command prefix
cmd=ipfw -q add

# Internal gateway housekeeping
$cmd 00100 allow all from any to any via lo0  # allow all localhost
$cmd 00105 allow all from any to any via xl0  # allow all local Lan
$cmd 00110 check-state log logamount 500
$cmd 00150 divert natd all from any to any
$cmd 00170 count log logamount 500 all from any to any
$cmd 00310 allow log logamount 500 tcp from any to any 53 out via
rl0 setup keep-state
$cmd 00311 allow log logamount 500 udp from any to any 53 out via
rl0 keep-state
$cmd 00315 allow log logamount 500 tcp from any to any 80 out via
rl0 setup keep-state
$cmd 00350 allow log logamount 500 icmp from any to any out via rl0
keep-state
$cmd 00500 deny  log logamount 500 all from any to any

Here is the ipfw2 log
Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.11:53 out via rl0
Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 110 UNKNOWN UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
Ipfw: 311 Accept UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0

Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
Ipfw: 170 Count ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0

Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.11:53 out via rl0
Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 110 UNKNOWN UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
Ipfw: 311 Accept UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0

Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0

Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.12:53 out via rl0
Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.12:53 out via rl0
Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.12:53 out via rl0
Ipfw: 110 UNKNOWN UDP 208.206.15.12:53 67.20.101.103:1181 in via rl0
Ipfw: 311 Accept UDP 208.206.15.12:53 67.20.101.103:1181 in via rl0

Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0
Ipfw: 170 Count ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0
Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0


When I change the rules to use pass all just to test if there is something
wrong with my ISP's dns server, everything works.
So there is no reason for the icmp 3.3 packet.


# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Set rules command prefix
cmd=ipfw -q add

# Internal gateway housekeeping
$cmd 00100 allow all from any to any via lo0  # allow all localhost
$cmd 00105 allow all from any to any via xl0  # allow all local Lan

$cmd 00150 divert natd all from any to any

$cmd 00160 allow log logamount 500 all from any to any

Log from above rules file
Ipfw: 160 Accept UDP 67.20.101.103:1175 208.206.15.11:53 out via rl0
Ipfw: 160 Accept UDP 208.206.15.11:53 10.0.10.5:1175 in via rl0
Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via
rl0
Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0
Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via
rl0
Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via
rl0
Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0
Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via
rl0
Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0

This looks like a 5.2 ipfw2 bug to me.

Can anybody explain why ipfw2 is doing this?




gray network and ipfw2

2003-12-30 Thread al vanyushenkov
hi all
i have freebsd 4.8 installed and i use ipfw2 with the rules

#!/bin/sh
ipfw='/sbin/ipfw'
$ipfw -f flush

$ipfw add divert natd all from any to any via ppp0
$ipfw add allow log all from any to any

my local ethernet card has 192.168.133.7 ip address
and my ppp0 interface has 217.15.x.x ip address.

When I tried to connect to 195.54.192.44:21 from my local box I got the lines

Accept TCP 172.16.202.106:4802 195.54.192.44:21 out via ppp0
Accept TCP 195.54.192.44:21 172.16.202.106:4802 in via ppp0
and so on.

As I know, 172.16.0.0 addresses are gray addresses and I haven't got any 172.16.x.x networks
in my environment.
Could anybody tell me what 172.16.202.106:4802 is doing in my log file?

Thanks
vanyushenkov al


RE: ipfw2

2003-12-23 Thread Lee Dilkie
> From man ipfw
> ---
> src and dst: {addr | { addr or ... }} [[not] ports]
> addr: [not] {any | me | addr-list | addr-set}
> addr-set: addr[/masklen]{list}
> list: {num | num-num}[,list]
> ---
>
> I think that it's right:
> ipfw 1000 add permit all from 192.168.1.1/24{3,5,9} to any
> but I see the following:
> ipfw: bad width ``243''
>
> If I do:
> ipfw 10005 add permit all from
> 192.168.1.3,192.168.1.5,192.168.1.9 to any

What are you trying to do/say?

192.168.1.1/24{3,5,9} translates to 192.168.1.1/243, 192.168.1.1/245 or
192.168.1.1/249.
All of which are illegal, /xx cannot exceed 32 in value (32 bits to an IPv4
internet address). Hence the bad width error message.

-lee




Re: ipfw2

2003-12-23 Thread Matthew Seaman
On Tue, Dec 23, 2003 at 08:51:57AM -0500, Lee Dilkie wrote:

> > I think that it's right:
> > ipfw 1000 add permit all from 192.168.1.1/24{3,5,9} to any
> > but I see the following:
> > ipfw: bad width ``243''

> 192.168.1.1/24{3,5,9} translates to 192.168.1.1/243, 192.168.1.1/245 or
> 192.168.1.1/249.

Uh, at least, not in ipfw2 rulesets it doesn't.  Where it does expand
like that is in csh(1), bash(1), zsh(1) and similar shells (but not
sh(1)):

% echo 192.168.1.1/24{3,5,9}
192.168.1.1/243 192.168.1.1/245 192.168.1.1/249

Perhaps the original poster was typing the rules in at the command
prompt?  In which case, simply use a few quote marks to stop the
shell interfering:

# ipfw add 1000 permit all from '192.168.1.1/24{3,5,9}' to any

Or load the rules out of a file.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
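Matthew's diagnosis (the shell, not ipfw, turned 192.168.1.1/24{3,5,9} into /243, /245 and /249) can be checked before a rule is ever loaded. This added example, not code from any poster, validates one ipfw2 address operand against the addr-set grammar quoted from ipfw(8) in this thread and reports the "bad width" symptom together with its likely cause; run it on the argument exactly as your shell hands it to ipfw.

```shell
#!/bin/sh
# Added example (not from any poster): pre-flight check of one ipfw2 address
# operand, using the grammar quoted from ipfw(8) in this thread:
#   addr:     any | me | addr-list | addr-set
#   addr-set: addr[/masklen]{list}      list: {num | num-num}[,list]
# A masklen above 32 is the tell-tale of csh/bash brace expansion having
# rewritten an unquoted addr-set before ipfw ever saw it.

# check_one ADDR: one address or addr-set; 0 if well formed, else 1 + reason.
check_one() {
    a=$1
    case $a in
        *\{*)
            set_part=${a#*\{}
            case $set_part in
                *\}) list=${set_part%\}} ;;
                *) echo "check_addr: '$a': unterminated {list}" >&2; return 1 ;;
            esac
            printf '%s\n' "$list" | grep -Eq '^[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*$' || {
                echo "check_addr: '$a': list must be num or num-num, comma separated" >&2
                return 1; } ;;
    esac
    base=${a%%\{*}                        # drop the {list}, if any
    ip=${base%%/*}
    mask=${base#*/}
    [ "$mask" = "$base" ] && mask=        # no '/' present
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "check_addr: '$a': '$ip' is not a dotted-quad address" >&2; return 1; }
    if [ -n "$mask" ]; then
        case $mask in
            *[!0-9]*) echo "check_addr: '$a': masklen '$mask' is not a number" >&2; return 1 ;;
        esac
        if [ "$mask" -gt 32 ]; then
            echo "check_addr: '$a': bad width $mask (an IPv4 masklen is at most 32)." >&2
            echo "  Typed at a csh/bash prompt, an unquoted {list} is brace-expanded" >&2
            echo "  into exactly this; quote the address or load the rules from a file." >&2
            return 1
        fi
    fi
    return 0
}

# check_addr OPERAND: any, me, a comma-separated addr-list, or one addr-set.
# Commas inside {...} belong to the list, so an addr-set is not split.
check_addr() {
    case $1 in
        any|me) return 0 ;;
        *\{*)   check_one "$1" ;;
        *)      for e in $(printf '%s\n' "$1" | tr ',' ' '); do
                    check_one "$e" || return 1
                done ;;
    esac
}

# Dry run on the two forms from the thread and on the shell-mangled one.
for operand in '192.168.1.1/24{3,5,9}' 192.168.1.3,192.168.1.5,192.168.1.9 192.168.1.1/243; do
    if check_addr "$operand"; then echo "ok:  $operand"; fi
done
```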




ipfw2

2003-12-22 Thread Lev Klimin
Good morning!

I have 4.9-release. I'm interested in ipfw2.

I have built /usr/src/lib/libalias and /usr/src/sbin/ipfw with
-DIPFW2, and the kernel with option IPFW2.

From man ipfw
---
src and dst: {addr | { addr or ... }} [[not] ports]
addr: [not] {any | me | addr-list | addr-set}
addr-set: addr[/masklen]{list}
list: {num | num-num}[,list]
---

I think that it's right:
ipfw 1000 add permit all from 192.168.1.1/24{3,5,9} to any
but I see the following:
ipfw: bad width ``243''

If I do:
ipfw 10005 add permit all from 192.168.1.3,192.168.1.5,192.168.1.9 to any
then
10005 allow ip from 192.168.1.3,192.168.1.5,192.168.1.9 to any

Can you help me?

Thank you.

-- 
Lev Klimin   mailto:[EMAIL PROTECTED]
(8362) 42-15-49
19:37:26 22 DEC 2003 .



jails and ipfw2

2003-11-08 Thread Chris

My server, with a public IP address, is running named and sshd. This server is also 
running IPFW2.

There is a jail also running, with its own unique public IP address. I have found 
that IPFW2 will filter traffic to/from the jail, no matter if I put the jail's alias 
on the ethernet device (fxp0) or the loopback device (lo0). Is there an advantage or 
disadvantage to doing it one way vs the other?

Thanks,
Chris



ipfw2/dummynet + ipfilter not working together ?

2003-10-06 Thread Artur Pydo
Hi,

I have a 4.9-RC router on an ADSL access and am currently using ipfilter for
stateful filtering+nat, which is working well. ipfw2 has been configured for a
long time with a pass all policy.
When I try to configure a pipe with queues for traffic shaping
as described in the following message (see URL), the TCP connection
gets frozen:
http://mail.gnu.org/archive/html/mldonkey-users/2003-01/msg00911.html

I tried to diagnose what happens and discovered that some packets
are said to be accepted by IPfilter but never get out of tun0 with
pipe/queue activated.
If I delete all IPFilter rules (pass all policy) traffic shaping is
working right. Everything is working fine if I flush all pipes/queues
from the ipfw2 configuration, but then I have no traffic shaping. :/
So, my question is: are there any incompatibilities between
ipfw2/dummynet and IPFilter, or maybe there is a bug somewhere?
--

Best regards,

Artur Pydo.



Re: ipfw2/dummynet + ipfilter not working together ?

2003-10-06 Thread Jez Hancock
On Mon, Oct 06, 2003 at 11:20:20PM +0200, Artur Pydo wrote:
 So, my question is: are there any incompatibilities between
 ipfw2/dummynet and IPFilter, or maybe there is a bug somewhere?
I use ipf for filtering and ipfw2 for dummynet without a problem -
sounds like a problem with the dummynet side if you have ipf running ok
and ipfw2 with an allow all policy.


-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/


Re: IPFW2

2003-09-22 Thread Bruce M Simpson
[Redirected to -questions]

On Mon, Sep 22, 2003 at 08:07:13PM +0200, Uwe Klann wrote:
 From the Log file IPFW:-
 Sep 22 00:24:13 muc /kernel: ipfw: 3300 Accept TCP 217.10.213.30:4418
 217.9.121.209:21 in via fxp0
 
 How can I extend on FreeBSD 4.8 (ipfw2) the log contents to see the transferred
 data file and the amount of bytes that went out? Thank you in advance for your
 help.

It isn't ipfw's job to do this. Configure logging on your ftp daemon by
reading the appropriate manual pages. If you need a logging ftp proxy for
some other reason check the ports tree.

BMS


ipfw2 loss of feature ?

2003-09-14 Thread Bruce Campbell


With ipfw1 on 4.8 I use this:

ipfw add 10 check-state
ipfw add 20 allow tcp from xxx.xxx.xxx.0/24 to any keep-state limit src-addr 10

to provide stateful firewalling, and limit the number of simultaneous
tcp sessions to 10 per client.  Seems to work great.

On 4.8 I tried ipfw2

(kernel with options IPFW2 and rebuilt ipfw and libalias with -DIPFW2
as instructed in man ipfw)

When I tried ipfw2, as I wanted keepalives, I get an error
when I run ipfw

  only one of keep-state and limit is allowed

How can I do both the stateful firewalling and limit
the simultaneous sessions, with ipfw2 ?

Thanks



ps. As an aside,  I also patch /usr/src/sys/netinet/ip_fw.c to
be more verbose when it drops a session...

--- ip_fw.c Sun Sep 14 15:33:16 2003
+++ ip_fw.old   Sun Sep 14 15:31:10 2003
@@ -999,9 +999,7 @@
if (fw_verbose  last_log != time_second) {
last_log = time_second;
log(LOG_SECURITY | LOG_DEBUG,
-   drop session 0x%08x %u - 0x%08x %u, TOO many entries
\n,
-  (args-f_id.src_ip), (args-f_id.src_port),
-   (args-f_id.dst_ip), (args-f_id.dst_port));
+   drop session, too many entries\n);
}
return 1;
}
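Review bot: the header order in this diff is reversed: `--- ip_fw.c` carries the newer timestamp and `+++ ip_fw.old` the older one, so the `-` lines are the verbose message this post wants to add and the `+` line is the one-liner it replaces; applied forward with patch(1) it would remove the verbosity rather than add it. Regenerate it as `diff -u ip_fw.old ip_fw.c` before sharing. The hunk as shown also cannot apply as-is: the `&&` in `if (fw_verbose  last_log != time_second)`, the `->` in `args-f_id.src_ip` and the double quotes around the format string have been lost in transit, so anyone trying it needs the original mail. On content, printing `src_ip`/`dst_ip` with `0x%08x` gives raw hex that is hard to correlate with the dotted-quad form ipfw's own verbose log uses; formatting them with inet_ntoa (or the same helper the existing ipfw log path uses) would make the "TOO many entries" line directly comparable with the rest of /var/log/security. The once-per-second throttle via `last_log` is the right thing to keep.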


-- 
Bruce Campbell
Engineering Computing
CPH-2374B
University of Waterloo
(519)888-4567 ext 5889


This mail sent through www.mywaterloo.ca


ipfw2 conversion?

2003-07-28 Thread Douglas A. Maske
Hello,
 
   I am still compiling and using ipfw1 because I can't seem to figure out
how to convert my rules to the ipfw2 lingo... 
 
   Here are my rules...

#!/bin/sh
/sbin/ipfw -f flush
/sbin/ipfw add divert natd ip from any to any
/sbin/ipfw add allow all from any to any

   Now I hear that ipfw2 is backwards compatible with ipfw1 but have not
been able to get this to work...

Any IDEAS?

Thanx,

 Douglas A. Maske


Question: ipfw2, MAC addresses and divert.

2003-06-05 Thread RS
Hi,
I'm trying to write some ipfw rules to divert packets from a machine
matching a MAC address to a natd process running on a custom divert
port.
Here are the rules I tried that don't work:
ipfw add 99 divert 8669 mac any 00:E0:18:F1:57:94 via wi0
ipfw add 99 divert 8669 mac 00:E0:18:F1:57:94 any via wi0
These do not match and the packets don't get diverted.

However, something like this does work:
ipfw add 49 deny mac any 00:E0:18:F1:57:94 via wi0
ipfw add 49 deny mac 00:E0:18:F1:57:94 any via wi0
Packets are appropriately denied.

This will work, using the ipaddress of the machine instead of its MAC:
ipfw add 99 divert 8669 ip from 10.0.0.243 to any via wi0
ipfw add 99 divert 8669 ip from any to 10.0.0.243 via wi0
What changes between using deny versus divert as a rule action that
MAC addresses don't match? Any suggestions?
Thank you.

--
[EMAIL PROTECTED]
To be sure of hitting the target, shoot first, and
call whatever you hit the target. -Ashleigh Brilliant


Problem with natd on ipfw2

2003-04-06 Thread Denis Borisov
Why doesn't natd divert packets?

 *screenshot***

 #ipfw add divert  tcp from any to any 7
 #ipfw add divert  tcp from any 7 to any
 #natd  -v -p  -a 172.16.0.102 -redirect_port tcp 172.16.0.253:7 7

 In  [TCP]  [TCP] 172.16.0.104:49169 - 172.16.0.102:7 aliased to
[TCP] 172.16.0.104:49169 - 172.16.0.253:7

 In  [TCP]  [TCP] 172.16.0.104:49169 - 172.16.0.102:7 aliased to
[TCP] 172.16.0.104:49169 - 172.16.0.253:7

 ^C
 *screenshot***

 Where is Out[TCP]?

This construction works fine on FreeBSD 4.7 (ipfw1) but doesn't work on
FreeBSD 5.0-CURRENT (ipfw2).
What am I doing wrong?



Re: how to aggregate rules using ipfw2 ?

2003-03-31 Thread Simon L. Nielsen
On 2003.03.30 20:18:53 +0600, Ilia E. Chipitsine wrote:
 how can I aggregate rules ...
 
 ipfw add allow ip from any to 192.168.0.0/16
 ipfw add allow ip from any to 10.0.0.0/8
 
 ... into the single rule, probably using { .. or .. } syntax?
 I read the man page and tried a few combinations, but they don't work for me.

ipfw add allow ip from any to { 192.168.0.0/16 or 10.0.0.0/8 }

should do the trick.

-- 
Simon L. Nielsen




Re: how to aggregate rules using ipfw2 ?

2003-03-30 Thread Markie
Hi!

I remember having difficulty getting this to work when I first got IPFW2,
turns out it wouldn't accept it because there _has_ to be a space between
the { and }.

For example...

ipfw add allow ip from any to { 192.168.0.0/16 or 10.0.0.0/8 }

not

ipfw add allow ip from any to {192.168.0.0/16 or 10.0.0.0/8}

Markie

- Original Message -
From: Ilia E. Chipitsine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, March 30, 2003 3:18 PM
Subject: how to aggregate rules using ipfw2 ?


 Dear Sirs,

 how can I aggregate rules ...

 ipfw add allow ip from any to 192.168.0.0/16
 ipfw add allow ip from any to 10.0.0.0/8

 ... into the single rule, probably using { .. or .. } syntax?
 I read the man page and tried a few combinations, but they don't work for me.

 Cheers,
 Ilia Chipitsine

 ___
 [EMAIL PROTECTED] mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
[EMAIL PROTECTED]




Re: how to aggregate rules using ipfw2 ? Follow-up, Why Aggregate?

2003-03-30 Thread Joe Sotham

Markie said:

snip
 ipfw add allow ip from any to { 192.168.0.0/16 or 10.0.0.0/8 }

Why aggregate?  Is it more efficient?

-- 
Joe Sotham

If the only prayer you say in your entire life is Thank You,
that will suffice.
- Meister Eckhart


Re: how to aggregate rules using ipfw2 ? Follow-up, Why Aggregate?

2003-03-30 Thread Markie
More efficient in the way of typing (less of it) :) and I find it easier to
read. That's just my personal opinion though.
Can't say whether there's any speed improvement though, because I just don't
know.

Markie

- Original Message -
From: Joe Sotham [EMAIL PROTECTED]
To: Markie [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: @
Sent: Sunday, March 30, 2003 5:55 PM
Subject: Re: how to aggregate rules using ipfw2 ? Follow-up, Why Aggregate?



 Markie said:

 snip
  ipfw add allow ip from any to { 192.168.0.0/16 or 10.0.0.0/8 }

 Why aggregate?  Is it more efficient?

 --
 Joe Sotham
 
 If the only prayer you say in your entire life is Thank You,
 that will suffice.
 - Meister Eckhart




how to aggregate rules using ipfw2 ?

2003-03-30 Thread Ilia E. Chipitsine
Dear Sirs,

how can I aggregate rules ...

ipfw add allow ip from any to 192.168.0.0/16
ipfw add allow ip from any to 10.0.0.0/8

... into the single rule, probably using { .. or .. } syntax?
I read the man page and tried a few combinations, but they don't work for me.

Cheers,
Ilia Chipitsine



Re: How Do I Build IPFW2 Only (Was Re: How Do I Specify -DIPFW2 In make.conf?)

2003-03-11 Thread Ceri Davies
On Mon, Mar 10, 2003 at 04:25:14PM -0800, Drew Tomlinson wrote:
 - Original Message -
 From: Ceri Davies [EMAIL PROTECTED]
 To: Drew Tomlinson [EMAIL PROTECTED]
 Cc: FreeBSD Questions [EMAIL PROTECTED]
 Sent: Monday, March 10, 2003 12:55 PM
 
  On Mon, Mar 10, 2003 at 11:20:40AM -0800, Drew Tomlinson wrote:
   I would like to enable IPFW2 support in 4.7-STABLE.  The Handbook
   (http://www.freebsd.org/releases/4.7R/relnotes-i386.html#AEN78) tells me
 to
   add 'options IPFW2' to the kernel config file and I understand that.
  
   Then it tells me to compile libalias and ipfw with the -DIPFW2 make
 option.
   If I understand the purpose of /etc/make.conf correctly, I should be
 able to
   specify -DIPFW2 there?  How do I accomplish this?
  
   I'm sure this has been covered previously but my searches on Google are
 not
   turning it up.  Thanks for a nudge to the appropriate docs!
 
  IPFW2= true
 
 Thank you for your response.  I have added this to make.conf.
 
 Prior to adding it, I ran 'make buildworld'.  How can I just rebuild IPFW so
 it is IPFW2 instead without rebuilding my whole world?  I saw in the
 Handbook
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html#Q21.4.15.1
 an example for building pieces.  Based on this example, I went to
 /usr/src/sys/netinet and tried issuing make but without success.  I don't
 really understand the make process very well but I'm sure it didn't work
 because there was no Makefile.  Can I just build IPFW2 instead of rebuilding
 the whole world?

You could try cd /usr/src; make -DNOCLEAN buildworld.
That should just rebuild the bits that are different, but may not work.
If a buildworld doesn't take you a long time, then I'd just do another
one if I were you.

 Thanks for helping me through this.

No problem.

Ceri
-- 

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


How Do I Build IPFW2 Only (Was Re: How Do I Specify -DIPFW2 In make.conf?)

2003-03-10 Thread Drew Tomlinson
- Original Message -
From: Ceri Davies [EMAIL PROTECTED]
To: Drew Tomlinson [EMAIL PROTECTED]
Cc: FreeBSD Questions [EMAIL PROTECTED]
Sent: Monday, March 10, 2003 12:55 PM

 On Mon, Mar 10, 2003 at 11:20:40AM -0800, Drew Tomlinson wrote:
  I would like to enable IPFW2 support in 4.7-STABLE.  The Handbook
  (http://www.freebsd.org/releases/4.7R/relnotes-i386.html#AEN78) tells me
to
  add 'options IPFW2' to the kernel config file and I understand that.
 
  Then it tells me to compile libalias and ipfw with the -DIPFW2 make
option.
  If I understand the purpose of /etc/make.conf correctly, I should be
able to
  specify -DIPFW2 there?  How do I accomplish this?
 
  I'm sure this has been covered previously but my searches on Google are
not
  turning it up.  Thanks for a nudge to the appropriate docs!

 IPFW2= true

Thank you for your response.  I have added this to make.conf.

Prior to adding it, I ran 'make buildworld'.  How can I just rebuild IPFW so
it is IPFW2 instead without rebuilding my whole world?  I saw in the
Handbook
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html#Q21.4.15.1
an example for building pieces.  Based on this example, I went to
/usr/src/sys/netinet and tried issuing make but without success.  I don't
really understand the make process very well but I'm sure it didn't work
because there was no Makefile.  Can I just build IPFW2 instead of rebuilding
the whole world?

Thanks for helping me through this.

Drew




Question about divert in ipfw2 on 5.0 release

2003-02-28 Thread denb
I wrote a program similar to natd, which receives packets on divert port X.
Question:
On ipfw1 (FreeBSD 4.7) these rules work excellently:

ipfw add divert X from any to any Y
ipfw add divert X from any Y to any

We're diverting all received and sent packets (from/to port Y) to divert port X.
But these rules are not working together with ipfw2 (5.0 Release). Each single rule
works fine, but when I combine them only the first of them triggers. The order
doesn't matter.

What am I doing wrong?



Re: ipfw2 dynamic rules not dying

2003-02-17 Thread Dan Pelleg
Jason Morgan [EMAIL PROTECTED] writes:

 I have a problem with my dynamic IPFW2 rules - they aren't dying. The
 system has been up now for 14 days, with it acting as firewall to two
 systems inside. One of the systems inside is also running IPFW2, but is
 in an open state. Here is the ruleset I am running, I have made no
 changes to the kernel variables regulating packet time-out - oh, and I'm
 running 4.7.
 
[ruleset]
 
 Currently, I have more than 180 dynamic rules active, most are attached
 to rule 00610. 180 rules seems to be excessive, and they don't seem to
 be timing out. Is my ruleset screwed up?
 
 Thanks
 Jason 
 

IPFW2 will attempt to test if a connection is still open, and if it is will
keep the matching rule intact. Search for keepalive on the ipfw manpage.

-- 

  Dan Pelleg




ipfw2 dynamic rules not dying

2003-02-15 Thread Jason Morgan
I have a problem with my dynamic IPFW2 rules - they aren't dying. The
system has been up now for 14 days, with it acting as firewall to two
systems inside. One of the systems inside is also running IPFW2, but is
in an open state. Here is the ruleset I am running, I have made no
changes to the kernel variables regulating packet time-out - oh, and I'm
running 4.7.

# ipfw list

00010 allow ip from any to any via lo0
00020 deny log logamount 10 ip from any to 127.0.0.0/8
00030 deny log logamount 10 ip from 127.0.0.0/8 to any
00040 deny log logamount 10 ip from any to any frag
00050 deny log logamount 10 ip from 10.0.0.0/8 to any in via xl0
00060 deny log logamount 10 ip from 172.16.0.0/12 to any in via xl0
00100 divert 8668 ip from any to any via xl0
00101 count ip from 10.0.0.1 to any
00102 count ip from any to 10.0.0.1
00103 count ip from any to 192.168.1.101
00104 count ip from 192.168.1.101 to any
00105 count ip from 10.0.0.2 to any
00106 count ip from any to 10.0.0.2
00107 count ip from 10.0.0.3 to any
00108 count ip from any to 10.0.0.3
00200 deny log logamount 10 icmp from any to any in via xl0 icmptypes 8
00300 check-state
00400 allow icmp from any to any out via xl0 icmptypes 8 keep-state
00410 allow icmp from 10.0.0.0/8 to any keep-state
00420 deny log logamount 10 icmp from any to any
00500 deny log logamount 10 udp from any to any established
00510 allow udp from 10.0.0.0/8 to any setup keep-state
00520 allow udp from 192.168.1.101 to any keep-state
00530 allow udp from any to any dst-port 53 in keep-state
00600 deny log logamount 10 tcp from any to any established
00610 allow tcp from any to any dst-port 22,25,80 in setup keep-state
00620 allow tcp from 10.0.0.0/8 to any setup keep-state
00630 allow tcp from 192.168.1.101 to any setup keep-state
65000 deny log ip from any to any
65535 deny ip from any to any

One last thing, my server is behind a ZyXel ADSL router, which is
addressed as 192.168.1.1 on the inside. xl0 is my outside NIC.

Currently, I have more than 180 dynamic rules active, most are attached
to rule 00610. 180 rules seems to be excessive, and they don't seem to
be timing out. Is my ruleset screwed up?

Thanks
Jason 




IPFW2 setup

2003-01-31 Thread Jason Morgan
OK, I've read the man page for IPFW a couple times and I am still having
difficulty setting up a working firewall. The firewall acts as a gateway
to my inside network as well as a web server and mail server. I also
need ssh connectivity from inside and out. Also, one odd thing is that I
have a Zyxel Prestige 643 acting as an additional router between me and
my DSL connection (I couldn't figure out how to get the router in pure
bridging mode). It comes in handy, though, as it has a 4-port switch
built in and can also act as a firewall and does the PPPoE easily enough.

NICs:
xl0 as 192.168.1.101 (to Zyxel and outside)
dc0 as 10.0.0.1 (inside)

Current IPFW config:

-

# Basics
add 00010 pass all from any to any via lo0
add 00020 deny all from any to 127.0.0.0/8
add 00030 deny ip from 127.0.0.0/8 to any
add 00040 deny ip from any to any frag

# Spoofing Check
add 00050 deny all from 10.0.0.0/8 to any in via xl0
add 00060 deny all from 172.16.0.0/12 to any in via xl0

add 00080 allow all from 192.168.1.1 to any in via xl0
add 00085 deny all from 192.168.0.0/16 to any in via xl0

# Divert
add 00100 divert natd all from any to any via xl0

# Allowances
add 00200 allow all from any to any in via dc0

# Check state of dynamic rules
add 00220 check-state

# UDP
add 00300 allow udp from any to any out setup
add 00310 deny udp from any to any established
add 00320 allow udp from any to any 53 in via xl0 setup keep-state

# TCP
add 00400 allow tcp from any to any out setup keep-state
add 00410 deny tcp from any to any established
add 00420 allow tcp from any to any 22,25,80 in setup keep-state


add 32000 allow all from any to any



Could anyone offer some advice?

Regards,

Jason




Re: IPFW2 setup

2003-01-31 Thread Jason Morgan
Kernel firewall settings:

options IPFW2
options IPFIREWALL  #Firewall
options IPFIREWALL_VERBOSE  #print info about dropped packets
options IPFIREWALL_VERBOSE_LIMIT=10  #limit verbosity
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=10
options IPDIVERT#Divert sockets
options IPSTEALTH   #support stealth forwarding
options ICMP_BANDLIM#Rate limit bad replies
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP


I can't reach the web from the inside, nor can I ssh to my server.
Everything seems to be getting hung up on rules 310 and 410. I, of
course, want to do away with 32000. In order to get through, I have
temporarily added an 'allow all from any to any' at 210. I'll start
logging the denys and see what happens.

-jason


On Fri, Jan 31, 2003 at 11:56:02AM -0500, Steve Bertrand wrote:
 What part is not working? Can you nat through? Perhaps you could add 
 some logging to see which packets are failing and why.
 Do you have the following in the kernel?
 
 options IPFIREWALL
 options IPFIREWALL_VERBOSE
 options IPDIVERT
 
 Let us know.
 
 Steve
 
 Jason Morgan wrote:
 
 OK, I've read the man page for IPFW a couple times and I am still having
 difficulty setting up a working firewall. The firewall acts as a gateway
 to my inside network as well as a web server and mail server. I also
 need ssh connectivity from inside and out. Also, one odd thing is that I
 have a Zyxel Prestige 643 acting as an additional router between me and
 my DSL connection (I couldn't figure out how to get the router in pure
 bridging mode). It comes in handy, though, as it has a 4-port switch
 built in and can also act as a firewall and does the PPPoE easily enough.
 
 NICs:
 xl0 as 192.168.1.101 (to Zyxel and outside)
 dc0 as 10.0.0.1 (inside)
 
 Current IPFW config:
 
 -
 
 # Basics
 add 00010 pass all from any to any via lo0
 add 00020 deny all from any to 127.0.0.0/8
 add 00030 deny ip from 127.0.0.0/8 to any
 add 00040 deny ip from any to any frag
 
 # Spoofing Check
 add 00050 deny all from 10.0.0.0/8 to any in via xl0
 add 00060 deny all from 172.16.0.0/12 to any in via xl0
 
 add 00080 allow all from 192.168.1.1 to any in via xl0
 add 00085 deny all from 192.168.0.0/16 to any in via xl0
 
 # Divert
 add 00100 divert natd all from any to any via xl0
 
 # Allowances
 add 00200 allow all from any to any in via dc0
 
 # Check state of dynamic rules
 add 00220 check-state
 
 # UDP
 add 00300 allow udp from any to any out setup
 add 00310 deny udp from any to any established
 add 00320 allow udp from any to any 53 in via xl0 setup keep-state
 
 # TCP
 add 00400 allow tcp from any to any out setup keep-state
 add 00410 deny tcp from any to any established
 add 00420 allow tcp from any to any 22,25,80 in setup keep-state
 
 
 add 32000 allow all from any to any
 
 
 
 Could anyone offer some advice?
 
 Regards,
 
 Jason
 
 To Unsubscribe: send mail to [EMAIL PROTECTED]
 with unsubscribe freebsd-questions in the body of the message
 
 
  
 
 
 




Configuring FreeBSD 4.7 for IPFW2

2003-01-16 Thread Paul Hamilton
Hi All,

I have upgraded FreeBSD from 4.3 to 4.7 - no problems.

I now want to run with IPFW, so as the man file says, I compiled my new
kernel with 'options IPFW2'. I then ran 'make -DIPFW2 ipfw2' in the
/usr/src/sbin/ipfw dir.  This compiled ok, and I manually copied it to the
/sbin dir.  I tried the same with /usr/lib/libalias and got the following:


root@fred[5:46pm]/usr/src/lib/libalias-107# make -DIPFW2 alias
cc -O -pipe  -Wall -Wmissing-prototypes -DIPFW2
/usr/src/lib/libalias/alias.c  -o alias
/usr/lib/crt1.o: In function `_start':
/usr/lib/crt1.o(.text+0x79): undefined reference to `main'
/var/tmp/cctpxMD2.o: In function `TcpMonitorIn':
/var/tmp/cctpxMD2.o(.text+0x1c): undefined reference to `GetStateIn'
/var/tmp/cctpxMD2.o(.text+0x4d): undefined reference to `SetStateIn'
/var/tmp/cctpxMD2.o(.text+0x61): undefined reference to `SetStateIn'

snip

/var/tmp/cctpxMD2.o: In function `PacketUnaliasOut':
/var/tmp/cctpxMD2.o(.text+0x1788): undefined reference to `FindUdpTcpIn'
/var/tmp/cctpxMD2.o(.text+0x17a8): undefined reference to `FindIcmpIn'
/var/tmp/cctpxMD2.o(.text+0x17d3): undefined reference to
`GetOriginalAddress'
/var/tmp/cctpxMD2.o(.text+0x17df): undefined reference to `GetOriginalPort'
/var/tmp/cctpxMD2.o(.text+0x18bf): undefined reference to
`DifferentialChecksum'
/var/tmp/cctpxMD2.o(.text+0x1917): undefined reference to
`GetOriginalAddress'
/var/tmp/cctpxMD2.o(.text+0x1923): undefined reference to `GetOriginalPort'
/var/tmp/cctpxMD2.o(.text+0x197f): undefined reference to
`DifferentialChecksum'
*** Error code 1

Stop in /usr/src/lib/libalias.

Any idea on what is going wrong?  Is there a way to compile all the files in
the libalias/ dir?

PS. I got it compiled in the end by doing a 'make buildworld', slow, but
IPFW2 runs.  I would like to know how to get alias compiled, so I don't have
to go around running buildworld.

Cheers,

Paul Hamilton






ipfw2 and natd

2002-12-07 Thread Khairil Yusof
Didn't get an answer for this. Is it because it's supposed to be asked
in freebsd-current?

I've found that natd with ipfw2 breaks my simple ipfw rules in which
state information is kept for new outgoing tcp packets:

with 0,1.. as example rule numbers.

0 divert natd all from any to any via tun0
1 allow tcp from any to any out xmit tun0 setup
2 allow tcp from any to any via tun0 established
3 allow icmp from any to any

0 is ok
1 is ok
3 is ok
but 2 doesn't work.

I read in the man, that natd might lose information that might cause
rule 2 to break. 

What's the proper way to do this with ipfw2?



-- 
Khairil Yusof [EMAIL PROTECTED]





natd + ipfw2 + dynamic rules

2002-12-05 Thread Khairil Yusof
I just tracked down that having the line:

add divert natd all from any to any via tun0

no longer works (it used to work with ipfw). The man page says this:

According to man, packets diverted to userland and reinserted lose their
attributes.

The following rules work:

allow icmp from any to any
allow udp from any to 161.142.1.17 53 via tun0 
allow udp from 161.142.1.17 53 to any via tun0 

But stateful rules like below don't:

add allow tcp from any to any out xmit tun0 setup 
add allow tcp from any to any via tun0 established
add allow udp from any to 61.6.32.62 123 keep-state

So, does this mean that a tcp packet going out sets up a dynamic rule
before going out via natd, but coming in it is diverted via natd,
loses some info about state, and doesn't get passed through any rules?

For the tcp dynamic rules, 
10 packets get diverted by natd rule
5 packets match the tcp rule via tun0 setup
0 packets are denied by the last deny all rule.

What happened to the packets that are supposed to be coming in via the
setup rule?

What's the proper way to do natd with ipfw2?

So far, it's the only problem with my recent testing of current :(. As a
relative newbie, updating from src was painless. 

So it looks like it will be a pretty smooth upgrade for FreeBSD 5.0.
It's amazing how well the FreeBSD team does things.

Any help much appreciated as always.

-- 
Khairil Yusof [EMAIL PROTECTED]





IPFW2 denies packet although they match ALLOW rule?

2002-11-09 Thread Micael Ebbmar
Excuse me if I'm posting to the wrong list. I thought at first that freebsd-ipfw
should be the correct one, but obviously only discussion about the redesign of
IPFW belongs there.

Anyways, I hope someone can help me here..

A week ago, I made the transition from IPFW to IPFW2 (on my 4.7-Stable box), and I
thought it would be a good idea to rewrite my previous stateless rules to stateful.
After a few days I noticed in /var/log/security that IPFW once in a while blocks
outbound packets to my pop servers and a webserver, which I've allowed in a previous
rule (0310).
I can still pop my mail and browse the web without any problems, but I'm still
curious why it denies the packets. Can it be that the stateful rule has expired and
the interface is resending/receiving some old packets? If so, is that normal or an
indication of a broken NIC?
Or are any of the sysctl variables net.inet.ip.fw.* too short? (Haven't touched them
yet)

Log snippet of /var/log/security:


Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:26:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:26 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:27 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:26:29 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:26:33 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:26:41 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:26:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:45 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:26:57 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:27:15 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:27:30 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:27:49 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
...
Nov  8 16:47:10 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:47:31 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:48:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:49:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:50:22 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:51:26 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:52:30 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:53:34 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:54:38 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:55:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:56:46 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:57:50 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:58:54 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1

And my rules look like this:

# Identd
add 0200 reset log tcp from any to any 113

# Only allow outbound TCP connections I have created
add 0300 check-state

# Deny packets with ACK flag set which doesn't match the above rule
add 0305 deny tcp from any to any in established

# Allow all outgoing setup TCP connections (SYN)
add 0310 allow tcp from any to any out setup keep-state

# Allow login on ISP
add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state

# Allow DNS
add 0400 allow udp from me to 10.0.0/24{1,2} 53 keep-state out xmit ep1

# Allow DHCP offers and requests
add 0500 allow udp from me 68 to 213.64.75.1 keep-state out via ep1

# Allow ntpd to lth.se and ntp1.sp.se
add 0600 allow ip from me 123 to 130.235.20.3 keep-state out via ep1

# Allow some ICMP types (dest. unreachable, source quench,
# echo reply/request, time exceed)
add 0650 allow icmp from any to any icmptypes 3,4
add 0655 allow icmp from any to any icmptypes 8 out
add 0660 allow icmp from any to any icmptypes 0,11 in

# Allow access to my webserver from school
add 0700 allow tcp from 193.10.0.0/16 to me 80 setup keep

Re: IPFW2 denies packet although they match ALLOW rule?

2002-11-09 Thread Giorgos Keramidas
Please wrap your posts (everything except for computer output) below
70-80 columns.  It's very hard to read otherwise :-/

Micael Ebbmar [EMAIL PROTECTED] wrote:
: Excuse me if I'm posting to the wrong list, I thought at first that
: freebsd-ipfw should be the correct one, but obviously only
: discussion about the redesign of IPFW should be discussed there.

True.

: A week ago, I made the transition from IPFW to IPFW2 (on my
: 4.7-Stable box), and I thought it would be a good idea to rewrite my
: previous stateless rules to stateful.  After a few days I noticed in
: /var/log/security that IPFW once in a while blocks outbound packets
: to my pop servers and a webserver, which I've allowed in a previous
: rule (0310).  I can still pop my mail and browse the web without any
: problems, but I'm still curious why it denies the packets.  Can it be
: that the stateful rule has expired and the interface is
: resending/receiving some old packets?  If so, is that normal or an
: indication of a broken NIC?  Or are any of the sysctl variables
: net.inet.ip.fw.* too short?  (Haven't touched them yet.)

Web clients sometimes cache connections to web servers, hoping to save
some time by avoiding a reconnect for every GET request.  Could it be
that your clients think that a cached connection is still valid long
after the dynamic ipfw rule has expired?

: Log snippet of /var/log/security:
: 
: Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
: Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: [...]
: And my rules look like this:
: 
: add 0200 reset log tcp from any to any 113
: add 0300 check-state
: add 0305 deny tcp from any to any in established
: add 0310 allow tcp from any to any out setup keep-state
: [...]
: add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state

Doesn't rule 0310 make rule 0350 redundant?

: add 1000 deny log logamount 1000 ip from any to any via ep1


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: IPFW2 denies packet although they match ALLOW rule?

2002-11-09 Thread Micael Ebbmar
* Giorgos Keramidas [EMAIL PROTECTED] [021109 23:11]:
> 
> Web clients some times cache connections to web servers, hoping to save
> some time from avoiding a reconnect for every GET request.  Could it be
> that your clients thinks that a cached connection is still valid long
> after the dynamic ipfw rule has expired?

Well, that's a possibility, esp. with all those banners that refresh every
now and then.

But that doesn't explain why the computer tries to contact the pop servers
(through Fetchmail) even after the normal connection has been terminated.
Since Fetchmail has finished the conversation with the pop servers, the rule
terminates.  Then after some time, it tries to connect again (note: not
initialize, since obviously the SYN isn't set and there it's blocked by
rule 1000).
I just find it very odd.

> 
> : Log snippet of /var/log/security:
> : 
> : Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
> : Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
> : Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
> : [...]
> : And my rules look like this:
> : 
> : add 0200 reset log tcp from any to any 113
> : add 0300 check-state
> : add 0305 deny tcp from any to any in established
> : add 0310 allow tcp from any to any out setup keep-state
> : [...]
> : add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state
> 
> Doesn't rule 0310 make rule 0350 redundant?

Ah, sure it is redundant! Thanx for pointing it out :)

> 
> : add 1000 deny log logamount 1000 ip from any to any via ep1

Cheers,
Micke

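As an added example (not code from the thread), the script below parses ipfw deny lines in the exact format of the log snippet above, groups them by connection, and reports flows that keep being denied at a steady interval, which is what the pop3 entries look like and fits the explanation of an expired dynamic rule. The year is assumed (syslog does not log it) and the sample lines are constructed from the post's entries.

```python
import re
from collections import defaultdict
from datetime import datetime

# One ipfw syslog entry as shown in the post:
# Nov  8 16:47:10 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<dir>in|out) via (?P<ifn>\S+)$"
)

# Constructed sample modelled on the post's entries; the anonymised 213.64.x.x is kept as-is.
SAMPLE = """\
Nov  8 00:26:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 16:47:10 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:48:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:49:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
"""

def parse(lines, year=2002):
    """Yield (timestamp, flow tuple, rule) per matching line; syslog has no year, so one is assumed."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an ipfw entry, or a line wrapped by the mail client
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        flow = (m["proto"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), m["dir"], m["ifn"])
        yield ts, flow, int(m["rule"])

def flows(lines):
    """Map each flow (proto, src, sport, dst, dport, dir, ifn) to its sorted deny times."""
    seen = defaultdict(list)
    for ts, flow, _rule in parse(lines):
        seen[flow].append(ts)
    return {k: sorted(v) for k, v in seen.items()}

def periodic_denies(lines, min_hits=3, jitter=2.0):
    """Return {flow: mean gap in seconds} for flows denied >= min_hits times at near-constant
    spacing.  One source port denied outbound every minute fits a client still sending on a
    connection whose keep-state entry expired: rule 0310 only matches 'setup', so a bare ACK
    falls through to rule 1000."""
    result = {}
    for flow, times in flows(lines).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= jitter for g in gaps):
            result[flow] = round(mean, 1)
    return result
```

Run it over /var/log/security and compare the reported interval with the dynamic-rule lifetimes under net.inet.ip.fw.dyn_* to see whether state is expiring before the client gives up on the connection.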



IPFW2 on 4.7-RELEASE

2002-10-11 Thread Neil Darlow

Hi,

Has anyone got IPFW2 working on 4.7-RELEASE? I've been using IPFW/natd 
successfully since 4.2 but my attempts to do the same with IPFW2 have failed.

I added IPFW2=true to /etc/make.conf and options IPFW2 to my kernel config
then rebuilt libalias, ipfw and my kernel.

At boot I get the message output that natd has started but the boot process 
then stops at the point where it previously output Firewall Logging=YES to 
the console.

My buildworld/installworld/mergemaster/MAKEDEV/buildkernel/installkernel etc. 
all executed without problems and things work as before using IPFW.

Does anyone have any ideas or suggestions as to what's happening here?

Regards,
Neil Darlow M.Sc.
-- 
Hardware/Software Design Consultants http://www.darlow.co.uk/
ICQ: 135505456  E-Mail, Jabber, MSNM: see following GPG identity
1024D/531F9048 1999-09-11 Neil Darlow [EMAIL PROTECTED]
Key fingerprint = 359D B8FF 6273 6C32 BEAA  43F9 E579 E24A 531F 9048




Re: what is IPFW2 ?

2002-10-04 Thread Matthew Seaman

On Fri, Oct 04, 2002 at 09:13:45AM +0600, Ilia Chipitsine wrote:

> I have seen IPFW1 and IPFW2 a few times.  What is it?
> I'm running 4.5 and 4.6 and 4.6.2, but I couldn't find it in LINT, so what
> is it?

IPFW2 is the next version of the IPFW software.  IPFW2 is the standard
version of IPFW in 5-CURRENT, but changes to the configuration were so
significant that it would have violated POLA to MFC it to 4-STABLE.
Instead it was made a compile time option.  It was added to 4-STABLE
on 23 July (after the RELENG_4_6 branch was created), so it is in
recent -STABLE and will be in 4.7-RELEASE.

To enable, add:

options IPFW2

to your kernel config (together with the other options to enable
IPFW), and add:

IPFW2=  TRUE

to /etc/make.conf

Original announcement on [EMAIL PROTECTED]:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=59316+0+archive/2002/freebsd-ipfw/20020728.freebsd-ipfw

Works perfectly for me, worth installing just for the keepalives feature.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
  Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




what is IPFW2 ?

2002-10-03 Thread Ilia Chipitsine

Dear Sirs,

I have seen IPFW1 and IPFW2 a few times.  What is it?
I'm running 4.5 and 4.6 and 4.6.2, but I couldn't find it in LINT, so what
is it?

Regards (Best wishes),
Ilia Chipitsine (Илья Шипицин)





Re: Upgrading to ipfw2?

2002-09-26 Thread Matthew Seaman

On Thu, Sep 26, 2002 at 12:34:50AM +0200, Michael wrote:
> Could anyone explain or direct me to any procedures for upgrading to ipfw2?

Firstly, make sure you're running a system version that includes ipfw2
support.  You need to be running either 5-CURRENT or a recent version
of 4-STABLE.  If you're running 5-CURRENT then you've already got
ipfw2 and don't need to do anything more, but you'll probably be more
comfortable running 4-STABLE.

So, assuming you're all set up to rebuild the world and the kernel,
you need to:

Add 'IPFW2=TRUE' to /etc/make.conf

Add 'options  IPFW2' to your kernel configuration.

Then simply build and install a new system in the usual way
(i.e. according to the instructions in /usr/src/UPDATING) and away you
go.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
  Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




RE: Upgrading to ipfw2?

2002-09-26 Thread Yonatan Bokovza

> -----Original Message-----
> From: Michael [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 00:35
> To: [EMAIL PROTECTED]
> Subject: Upgrading to ipfw2?
> 
> 
> Could anyone explain or direct me to any procedures for
> upgrading to ipfw2?

Assuming you already have options IPFW in your kernel,
your world, kernel and sources are synced, and that you run i386:
Lines may be broken:

echo options IPFW2 >> /usr/src/sys/i386/conf/MYKERN
cd /usr/src/sbin/ipfw && make -DIPFW2 all && make -DIPFW2 install
cd /usr/src/lib/libalias && make -DIPFW2 all && make -DIPFW2 install
cd /usr/src && make kernel KERNCONF=MYKERN

reboot.
