RE: natd or firewall problem?
I think that has to depend on how your NATting and firewalling is set up, i.e. how you manage incoming, outgoing and forwarding traffic between the 2 interfaces. I'm using ipchains for it, and I have my rules set up per interface, and do thorough checks regarding sources. But it is something that could work. You just have to work out your firewall rules.

I use 2 types of DNS, one for internal use, and the other for external.

My 0.2 cents
Patrick

> -----Original Message-----
> From: Chris Hodgins [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 05, 2005 4:06 PM
> To: Gelsema, Patrick
> Cc: 'Cristian Salan'; 'Gelsema, Patrick'; freebsd-questions@freebsd.org
> Subject: Re: natd or firewall problem?
>
> Gelsema, Patrick wrote:
> > That's right, you can do the following:
> > Put the ip-address with its FQDN (www.webserverwhatever.com) in every
> > hosts file (given it's Windows) or in its hosts file on freebsd. Or you
> > run an internal DNS with an internal zone for your domain whilst
> > running on the internet the external zone.
> >
> > Regards,
> >
> > Patrick
>
> Out of interest, why would using the external ip address not work?
> Would the packets not just be directed out to the router as per usual
> and then the router would notice it should forward the packets to the
> www server? What am I missing? The only problem I can think of might
> be sending packets back to the internal ip address.
>
> Thanks
> Chris
>
> [snip]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
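Chris's question ("why would using the external ip address not work?") and Patrick's "it depends on how your NATting and firewalling is set up" can be worked through in a small model. The Python below is an added example, not code from the thread or from natd; every address in it is made up (203.0.113.1 and 198.51.100.7 are RFC 5737 documentation addresses standing in for the router's public side and an outside client, 192.168.1.x is the LAN). It models a natd-style port redirect, the LAN delivering same-subnet traffic directly, and a client TCP stack that only accepts a SYN-ACK from the address it connected to. The three cases are: external address with a plain redirect (fails, because the server answers the client directly from its LAN address), the internal address supplied by split-horizon DNS or a hosts file (works), and a router that additionally rewrites the source of LAN-originated connections so replies return through it (works, but this "hairpin" source rewrite is an assumption about extra NAT rules, not something a plain redirect does).

```python
"""Constructed model of the hairpin problem: a LAN client connecting to the
web server through the router's public address and a natd-style port redirect.
Added example, not code from the thread. All addresses are made up:
203.0.113.1 router (public, RFC 5737), 192.168.1.1 router (LAN),
192.168.1.10 web server, 192.168.1.50 workstation."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

LAN = ip_network("192.168.1.0/24")
ROUTER_EXT, ROUTER_LAN = "203.0.113.1", "192.168.1.1"
WWW_LAN, CLIENT = "192.168.1.10", "192.168.1.50"
ZONES = {  # split-horizon data for one name: an internal and an external view
    "www.webserverwhatever.com": {"internal": WWW_LAN, "external": ROUTER_EXT},
}

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    """'redirect_port tcp 192.168.1.10:80 80' style destination rewrite.
    With hairpin_snat=True it also rewrites the source of LAN-originated
    connections to its own LAN address, so the server's replies come back
    through it; that needs extra NAT rules beyond a plain redirect (assumed)."""

    def __init__(self, hairpin_snat: bool = False):
        self.hairpin_snat = hairpin_snat
        self.table: Dict[Tuple[str, int], str] = {}  # (server, client port) -> client

    def forward(self, p: Pkt) -> Pkt:
        if p.dst == ROUTER_EXT and p.dport == 80:       # inbound to the public address
            p = replace(p, dst=WWW_LAN)
            if self.hairpin_snat and ip_address(p.src) in LAN:
                self.table[(WWW_LAN, p.sport)] = p.src
                p = replace(p, src=ROUTER_LAN)
            return p
        if p.src == WWW_LAN and p.dst == ROUTER_LAN and (p.src, p.dport) in self.table:
            return replace(p, src=ROUTER_EXT, dst=self.table[(p.src, p.dport)])  # reverse
        return p

def deliver(p: Pkt, router: Router) -> Pkt:
    """The LAN: hosts on the same subnet talk directly; anything off-subnet,
    and anything addressed to the router itself, goes through the router."""
    if ip_address(p.dst) in LAN and p.dst != ROUTER_LAN:
        return p
    return router.forward(p)

def connect(client_dst: str, router: Router) -> Tuple[str, bool]:
    """SYN / SYN-ACK from the workstation to client_dst:80. Returns the source
    address the client saw on the reply and whether its TCP stack accepted it."""
    syn = deliver(Pkt(CLIENT, 40000, client_dst, 80), router)
    assert syn.dst == WWW_LAN                        # the server gets the SYN either way
    syn_ack = deliver(Pkt(WWW_LAN, 80, syn.src, syn.sport), router)
    # The client only matches the reply to its socket if the 4-tuple is the one
    # it used; a SYN-ACK from another address is dropped (and usually RST'd).
    accepted = (syn_ack.src, syn_ack.sport, syn_ack.dst) == (client_dst, 80, CLIENT)
    return syn_ack.src, accepted

def resolve(name: str, client_ip: str) -> str:
    """Split-horizon DNS (BIND 'view' style): LAN clients get the LAN address,
    everyone else the public one. A hosts-file entry on each workstation is
    the manual equivalent of the internal view."""
    view = "internal" if ip_address(client_ip) in LAN else "external"
    return ZONES[name][view]

def browse(name: str, router: Router, split_dns: bool = True) -> bool:
    """What the workstation does: resolve the name, then connect to the answer.
    split_dns=False is Cristian's situation: only the public zone exists."""
    target = resolve(name, CLIENT) if split_dns else ZONES[name]["external"]
    return connect(target, router)[1]
```

Two things worth noticing in the model. First, the broken case is not a firewall drop at all: the SYN reaches the server, and it is the client that discards the SYN-ACK because it arrives from 192.168.1.10 instead of 203.0.113.1, which is why "the router forwards it" is true and the connection still fails. Second, the hairpin source rewrite fixes it at a cost: the web server now sees every internal client as the router's LAN address, so its access logs and any per-client controls lose the real source; split-horizon DNS avoids that, which is the reason the thread recommends it.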
Re: natd or firewall problem?
Gelsema, Patrick wrote:
> That's right, you can do the following:
> Put the ip-address with its FQDN (www.webserverwhatever.com) in every
> hosts file (given it's Windows) or in its hosts file on freebsd. Or you
> run an internal DNS with an internal zone for your domain whilst
> running on the internet the external zone.
>
> Regards,
>
> Patrick

Out of interest, why would using the external ip address not work? Would the packets not just be directed out to the router as per usual and then the router would notice it should forward the packets to the www server? What am I missing? The only problem I can think of might be sending packets back to the internal ip address.

Thanks
Chris

[snip]
Re: natd or firewall problem?
On Sat, 5 Feb 2005 13:54:23 +0100, Gelsema, Patrick <[EMAIL PROTECTED]> wrote:
> That's right, you can do the following:
> Put the ip-address with its FQDN (www.webserverwhatever.com) in every hosts
> file (given it's Windows) or in its hosts file on freebsd. Or you run an
> internal DNS with an internal zone for your domain whilst running on the
> internet the external zone.
>
> Regards,
>
> Patrick

Thank you Patrick, that's what I was afraid of. I've never managed to understand the DNS service, but I think the time has come.

Best regards,
Cristian Salan
RE: natd or firewall problem?
That's right, you can do the following:
Put the ip-address with its FQDN (www.webserverwhatever.com) in every hosts file (given it's Windows) or in its hosts file on freebsd. Or you run an internal DNS with an internal zone for your domain whilst running on the internet the external zone.

Regards,

Patrick

> -----Original Message-----
> From: Cristian Salan [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 05, 2005 1:51 PM
> To: Gelsema, Patrick
> Cc: freebsd-questions@freebsd.org
> Subject: Re: natd or firewall problem?
>
> > > Hello dear list,
> > >
> > > I have one FreeBSD router in front of the internal network. Now I've
> > > installed another FreeBSD box which must be the www server. I've
> > > managed to redirect the port 80 at the router and the web server is
> > > visible to the outside world. But the problem is now at the other
> > > internal workstations which are unable to browse the web server.
> > >
> > > Please enlighten me,
> > > Cristian Salan
>
> On Sat, 5 Feb 2005 12:42:13 +0100 (CET), Gelsema, Patrick
> <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > In order to enlighten you we need some more information. Sounds to me
> > you could be having issues with internal/external DNS and
> > ip-addresses. In other words, you are querying your www server from a
> > dns and are getting the Internet ip back instead of the lan ip. Can you
> > connect to your www server with ip?
>
> I can only connect using the internal ip address. Otherwise, yes, when
> querying for the name I get the external IP address. There is no DNS
> server on this lan. Is this the problem?
>
> Cristian Salan
Re: natd or firewall problem?
> > Hello dear list,
> >
> > I have one FreeBSD router in front of the internal network. Now I've
> > installed another FreeBSD box which must be the www server.
> > I've managed to redirect the port 80 at the router and the web server
> > is visible to the outside world. But the problem is now at the other
> > internal workstations which are unable to browse the web server.
> >
> > Please enlighten me,
> > Cristian Salan

On Sat, 5 Feb 2005 12:42:13 +0100 (CET), Gelsema, Patrick <[EMAIL PROTECTED]> wrote:
> Hi,
>
> In order to enlighten you we need some more information. Sounds to me you
> could be having issues with internal/external DNS and ip-addresses. In
> other words, you are querying your www server from a dns and are getting
> the Internet ip back instead of the lan ip. Can you connect to your www
> server with ip?

I can only connect using the internal ip address. Otherwise, yes, when querying for the name I get the external IP address. There is no DNS server on this lan. Is this the problem?

Cristian Salan
Re: natd or firewall problem?
Hi,

In order to enlighten you we need some more information. Sounds to me you could be having issues with internal/external DNS and ip-addresses. In other words, you are querying your www server from a dns and are getting the Internet ip back instead of the lan ip. Can you connect to your www server with ip?

Regards
Patrick

> Hello dear list,
>
> I have one FreeBSD router in front of the internal network. Now I've
> installed another FreeBSD box which must be the www server.
> I've managed to redirect the port 80 at the router and the web server
> is visible to the outside world. But the problem is now at the other
> internal workstations which are unable to browse the web server.
>
> Please enlighten me,
> Cristian Salan
natd or firewall problem?
Hello dear list,

I have one FreeBSD router in front of the internal network. Now I've installed another FreeBSD box which must be the www server. I've managed to redirect the port 80 at the router and the web server is visible to the outside world. But the problem is now at the other internal workstations which are unable to browse the web server.

Please enlighten me,
Cristian Salan
Re: firewall problem??
On Tue, Mar 02, 2004 at 03:23:24AM -0700, RYAN vAN GINNEKEN wrote:
> Thank you for your reply.
> Here is my kernel config file, well, just the options I added; do you need
> more of it?
> Which samples are you referring to, and how come I never had problems like
> this before??

Compare to GENERIC or LINT (called NOTES on 5.x)

Kris
Re: firewall problem??
Thank you for your reply.
Here is my kernel config file, well, just the options I added; do you need more of it?
Which samples are you referring to, and how come I never had problems like this before??

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPDIVERT
    #options TCP_DROP_SYNFIN

Kris Kennaway wrote:
> On Tue, Mar 02, 2004 at 03:03:37AM -0700, RYAN vAN GINNEKEN wrote:
> > Contents of my rc.conf file are included below. This machine is
> > eventually going to be a server (sendmail bind apache samba) for a
> > different network so lots of stuff is commented out. I am new at running
> > more than one BSD box on the same network and not sure if I need natd or
> > firewall enabled.
>
> You didn't include your kernel config file, but the default firewall
> behaviour is to deny all traffic. There's a kernel config option to
> change this - see the sample config files.
>
> Kris
Re: firewall problem??
On Tue, Mar 02, 2004 at 03:03:37AM -0700, RYAN vAN GINNEKEN wrote:
> Contents of my rc.conf file are included below. This machine is
> eventually going to be a server (sendmail bind apache samba) for a
> different network so lots of stuff is commented out. I am new at running
> more than one BSD box on the same network and not sure if I need natd or
> firewall enabled.

You didn't include your kernel config file, but the default firewall behaviour is to deny all traffic. There's a kernel config option to change this - see the sample config files.

Kris
firewall problem??
Built a new freebsd 4.9 stable machine, got it working ok, could send and receive packets and the like. Did a cvsup and make world on it; now it does not seem to be sending or receiving anything. Have been playing around with it now for several weeks off and on.

With a fresh reboot it does not seem to send or receive anything. When I try to ping google.ca I get

    cannot resolve google.ca: host name lookup failure

When I ping 192.168.0.202, my gateway, I get

    ping: sendto: permission denied

Seeing these errors I think it must be firewalling everything out, even me, so I issue the following command:

    ipfw add 00100 allow ip from any to any

Great, now I can ping google and my own machines; also, most important, I can login remotely. ipfw shows this:

    v23# ipfw show
    00100 291 27273 allow ip from any to any
    65535  77 11673 deny ip from any to any

Contents of /etc/resolv.conf are as follows:

    search computerking.ca
    nameserver 192.168.0.202
    nameserver 24.71.223.144
    nameserver 24.71.223.144

Contents of my rc.conf file are included below. This machine is eventually going to be a server (sendmail bind apache samba) for a different network so lots of stuff is commented out. I am new at running more than one BSD box on the same network and not sure if I need natd or firewall enabled.

    #
    #/etc/rc.conf @V23.computerking.ca
    #==
    #-- System
    #--
    hostname="v23.computerking.ca"
    defaultrouter="192.168.0.202"
    ifconfig_fxp0="DHCP"
    ntpdate_enable="YES"
    ntpdate_flags="ntp1.cmc.ec.gc.ca"
    sshd_enable="YES"
    #kern_securelevel_enable="NO"
    #--
    #Server firewall and natd
    #--
    #ifconfig_xl0="inet 192.168.0.202 netmask 255.255.255.0"
    #gateway_enable="YES"
    #firewall_enable="YES"
    #firewall_type="OPEN"
    #firewall_quiet="NO"
    #firewall_script="/etc/rc.firewall"
    #natd_enable="YES"
    #natd_interface="fxp0"
    #natd_flags="-f /etc/natd.conf"
    #==
    # end of file
Re: Firewall problem
> How does one get started on IPF...

By reading the IPFilter Howto:
http://www.obfuscation.org/ipf/ipf-howto.html

Enjoy :-)
--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* I take my wife everywhere, but she keeps finding her way back.
firewall problem - doesn't seem to be getting read
I have an old machine running FBSD-4.0 using ipfw. It's been working as is for a few years, but I decided to look it over and make some adjustments. I noticed what appears to be a problem - even though rc.conf calls for firewall_type=client, when I run ipfw show I get only these lines:

    the divert 8668 line for nat
    allow ip from any to any
    deny ip from any to any

The rc.conf calls firewall_script=/etc/rc.firewall which is the standard that comes installed in FBSD. I have changed the line firewall_type to open and simple and they both result in the same ipfw show response. My kernel is compiled without ipfirewall_default_accept, so it should default to deny.

I know the machine needs to be upgraded, but it has been working fine for years. I was looking into blocking instant messaging occasionally so my son can concentrate on his homework, and somehow speed up my peer to peer connections which appear to rely on udp.

Anyway, any idea what might be wrong with my setup, it not reading the rc.firewall script?

--
chip
Re: Firewall problem
Hello Kevin,

Wednesday, October 1, 2003, 2:14:16 PM, you wrote:

SP> Yes, in this case, since this is ipfw, and "first match wins."
SP> Using ipf, it's the opposite; gotta love 'Nix! ;-)

Yah, really. How does one get started on IPF... IIRC, they have more features / context ...

--
Best regards,
Gary
Re: Firewall problem
Andrew L. Gould wrote:
> On Wednesday 01 October 2003 01:18 pm, Gary wrote:
> > I have set my firewall to
> >
> > firewall_type="open"
> > firewall_enable="YES"
> >
> > and when I want to drop a specific IP, I enter it manually, it accepts it,
> > but it does not drop the packets..
> >
> > I am getting a lot of virus activity on my SMTP port 25. So I wanted to
> > drop a few IP ranges/addresses..
> >
> > 00100  62054   5483792 allow ip from any to any via lo0
> > 00200      0         0 deny ip from any to 127.0.0.0/8
> > 00300      0         0 deny ip from 127.0.0.0/8 to any
> > 65000 873327 293931424 allow ip from any to any
> > 65100      0         0 deny tcp from 24.92.226.153 to any
> > 65110      0         0 deny ip from 213.191.102.86 to any
> > 65535      0         0 deny ip from any to any
> >
> > Yet, checking later in my SMTP logs, I am still getting pounded by the
> > listed addresses. Can anyone explain why this isn't working?
> >
> > Thanks,
>
> I'm a newbie at firewalls; but I'll take a guess: Doesn't rule 65000 let
> all ip packets in before rules 65100 and 65110 are considered?
>
> Andrew

Yes, in this case, since this is ipfw, and "first match wins." Using ipf, it's the opposite; gotta love 'Nix! ;-)
Re: Firewall problem
On Wed, Oct 01, 2003 at 02:24:51PM -0400 or thereabouts, Rob Ellis wrote:
> On Wed, Oct 01, 2003 at 01:18:17PM -0500, Gary wrote:
> > I am getting a lot of virus activity on my SMTP port 25. So I wanted to
> > drop a few IP ranges/addresses..
> >
> > 00100  62054   5483792 allow ip from any to any via lo0
> > 00200      0         0 deny ip from any to 127.0.0.0/8
> > 00300      0         0 deny ip from 127.0.0.0/8 to any
> > 65000 873327 293931424 allow ip from any to any
> > 65100      0         0 deny tcp from 24.92.226.153 to any
> > 65110      0         0 deny ip from 213.191.102.86 to any
> > 65535      0         0 deny ip from any to any
> >
> > Yet, checking later in my SMTP logs, I am still getting pounded by the
> > listed addresses. Can anyone explain why this isn't working?
>
> Your deny rules have to be added before the 'allow ip from any to any'.
>
> ipfw add 100 deny tcp from 24.92.226.153 to any

Ah, yes, I can see that. Thanks very much guys for your input. Appreciate the input... works well now..

--
Gary
Re: Firewall problem
On Wed, 2003-10-01 at 11:18, Gary wrote:
> I have set my firewall to
>
> firewall_type="open"
> firewall_enable="YES"
>
> and when I want to drop a specific IP, I enter it manually, it accepts it,
> but it does not drop the packets..
>
> I am getting a lot of virus activity on my SMTP port 25. So I wanted to
> drop a few IP ranges/addresses..
>
> 00100  62054   5483792 allow ip from any to any via lo0
> 00200      0         0 deny ip from any to 127.0.0.0/8
> 00300      0         0 deny ip from 127.0.0.0/8 to any
> 65000 873327 293931424 allow ip from any to any

No rule with a number greater than 65000 will have any effect. The packet has already passed.

> 65100      0         0 deny tcp from 24.92.226.153 to any
> 65110      0         0 deny ip from 213.191.102.86 to any
> 65535      0         0 deny ip from any to any

Try renumbering the rules in the 64K range.

> Yet, checking later in my SMTP logs, I am still getting pounded by the
> listed addresses. Can anyone explain why this isn't working?
>
> Thanks,

--
Micheas Herman <[EMAIL PROTECTED]>
Re: Firewall problem
On Wednesday 01 October 2003 01:18 pm, Gary wrote:
> I have set my firewall to
>
> firewall_type="open"
> firewall_enable="YES"
>
> and when I want to drop a specific IP, I enter it manually, it accepts it,
> but it does not drop the packets..
>
> I am getting a lot of virus activity on my SMTP port 25. So I wanted to
> drop a few IP ranges/addresses..
>
> 00100  62054   5483792 allow ip from any to any via lo0
> 00200      0         0 deny ip from any to 127.0.0.0/8
> 00300      0         0 deny ip from 127.0.0.0/8 to any
> 65000 873327 293931424 allow ip from any to any
> 65100      0         0 deny tcp from 24.92.226.153 to any
> 65110      0         0 deny ip from 213.191.102.86 to any
> 65535      0         0 deny ip from any to any
>
> Yet, checking later in my SMTP logs, I am still getting pounded by the
> listed addresses. Can anyone explain why this isn't working?
>
> Thanks,

I'm a newbie at firewalls; but I'll take a guess: Doesn't rule 65000 let all ip packets in before rules 65100 and 65110 are considered?

Andrew
RE: Firewall problem
You have "allow ip from any to any" before your deny rules; unless my memory is seriously faulty (always possible), a packet will match that rule and never get to your deny rules.

> -----Original Message-----
> From: Gary [mailto:[EMAIL PROTECTED]
> Sent: 01 October 2003 19:18
> To: FreeBSD
> Subject: Firewall problem
>
> I have set my firewall to
>
> firewall_type="open"
> firewall_enable="YES"
>
> and when I want to drop a specific IP, I enter it manually,
> it accepts it, but it does not drop the packets..
>
> I am getting a lot of virus activity on my SMTP port 25. So I
> wanted to drop a few IP ranges/addresses..
>
> 00100  62054   5483792 allow ip from any to any via lo0
> 00200      0         0 deny ip from any to 127.0.0.0/8
> 00300      0         0 deny ip from 127.0.0.0/8 to any
> 65000 873327 293931424 allow ip from any to any
> 65100      0         0 deny tcp from 24.92.226.153 to any
> 65110      0         0 deny ip from 213.191.102.86 to any
> 65535      0         0 deny ip from any to any
>
> Yet, checking later in my SMTP logs, I am still getting pounded by the
> listed addresses. Can anyone explain why this isn't working?
>
> Thanks,
>
> --
> Gary
Re: Firewall problem
On Wed, Oct 01, 2003 at 01:18:17PM -0500, Gary wrote:
> I have set my firewall to
>
> firewall_type="open"
> firewall_enable="YES"
>
> and when I want to drop a specific IP, I enter it manually, it accepts it,
> but it does not drop the packets..
>
> I am getting a lot of virus activity on my SMTP port 25. So I wanted to
> drop a few IP ranges/addresses..
>
> 00100  62054   5483792 allow ip from any to any via lo0
> 00200      0         0 deny ip from any to 127.0.0.0/8
> 00300      0         0 deny ip from 127.0.0.0/8 to any
> 65000 873327 293931424 allow ip from any to any
> 65100      0         0 deny tcp from 24.92.226.153 to any
> 65110      0         0 deny ip from 213.191.102.86 to any
> 65535      0         0 deny ip from any to any
>
> Yet, checking later in my SMTP logs, I am still getting pounded by the
> listed addresses. Can anyone explain why this isn't working?

Your deny rules have to be added before the 'allow ip from any to any'.

ipfw add 100 deny tcp from 24.92.226.153 to any

- Rob
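The "first match wins" point made by Rob, Micheas, Andrew and Kevin, and the default-deny behaviour Kris describes in Ryan's thread further up, can both be seen in a tiny model of how ipfw walks its rule list. The Python below is an added example, not code from the thread or from FreeBSD; it understands only a small subset of ipfw syntax (allow/deny, a protocol, from/to, an optional via), and the packets it evaluates are constructed (198.51.100.25 is a documentation address standing in for Gary's mail server; 192.168.0.5 is an assumed address for Ryan's box). It shows that Gary's rule 65100 can never fire because 65000 matches first, that Rob's `ipfw add 100 deny ...` lands before the allow-any and does fire, and that a kernel with IPFIREWALL compiled in but no rules loaded denies everything via rule 65535, which is what Ryan's ping reports as "sendto: Permission denied".

```python
"""Constructed model of ipfw(8) rule evaluation: the first matching rule wins.
Added example, not code from the thread; it handles only allow|deny,
ip|tcp|udp|icmp, 'from A to B' and an optional 'via IFACE'."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str = "fxp0"  # interface the packet is seen on

@dataclass
class Rule:
    number: int
    action: str          # "allow" or "deny"
    proto: str           # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    iface: Optional[str] = None
    pkts: int = 0        # hit counter, as in the first column of 'ipfw show'

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst)

def parse_rule(line: str) -> Rule:
    """Parse 'NNNNN allow|deny PROTO from SRC to DST [via IFACE]'."""
    tok = line.split()
    if tok[1] not in ("allow", "deny") or tok[3] != "from" or tok[5] != "to":
        raise ValueError("unsupported rule: " + line)
    def net(s: str) -> ipaddress.IPv4Network:
        return ANY if s == "any" else ipaddress.ip_network(s, strict=False)
    iface = tok[tok.index("via") + 1] if "via" in tok else None
    return Rule(int(tok[0]), tok[1], tok[2], net(tok[4]), net(tok[6]), iface)

class Ipfw:
    """Rule list kept in number order, ending in the implicit rule 65535, which
    is 'deny' unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT."""

    def __init__(self, rules: List[str], default: str = "deny"):
        self.rules: List[Rule] = [parse_rule(f"65535 {default} ip from any to any")]
        for r in rules:
            self.add(r)

    def add(self, line: str) -> None:
        """Like 'ipfw add': placed after any existing rules with the same number."""
        new = parse_rule(line)
        pos = sum(1 for r in self.rules if r.number <= new.number)
        self.rules.insert(pos, new)

    def check(self, p: Packet) -> Tuple[int, str]:
        """Walk the list in order; the first match is counted and decides."""
        for r in self.rules:
            if r.matches(p):
                r.pkts += 1
                return r.number, r.action
        raise AssertionError("rule 65535 matches everything")

# Gary's ruleset as posted (65535 is supplied by the class).
POSTED_RULES = [
    "00100 allow ip from any to any via lo0",
    "00200 deny ip from any to 127.0.0.0/8",
    "00300 deny ip from 127.0.0.0/8 to any",
    "65000 allow ip from any to any",
    "65100 deny tcp from 24.92.226.153 to any",
    "65110 deny ip from 213.191.102.86 to any",
]
# Constructed packets: an SMTP connection from a host Gary wants blocked
# (198.51.100.25 is a documentation address standing in for his mail server),
# and Ryan's ping to his gateway from the freshly rebuilt box (assumed source).
SMTP_FROM_LISTED_HOST = Packet("tcp", "24.92.226.153", "198.51.100.25")
PING_TO_GATEWAY = Packet("icmp", "192.168.0.5", "192.168.0.202")

def verdict_as_posted() -> Tuple[int, str]:
    """65000 'allow ip from any to any' matches first; 65100 is never reached."""
    return Ipfw(POSTED_RULES).check(SMTP_FROM_LISTED_HOST)

def verdict_after_fix() -> Tuple[int, str]:
    """Rob's fix: 'ipfw add 100 deny tcp from 24.92.226.153 to any'."""
    fw = Ipfw(POSTED_RULES)
    fw.add("100 deny tcp from 24.92.226.153 to any")
    return fw.check(SMTP_FROM_LISTED_HOST)

def verdict_with_no_rules() -> Tuple[int, str]:
    """IPFIREWALL compiled in but no rules loaded: everything hits 65535 deny,
    which is what ping reports as 'sendto: Permission denied'."""
    return Ipfw([]).check(PING_TO_GATEWAY)

def verdict_after_allow_any() -> Tuple[int, str]:
    """Ryan's workaround: 'ipfw add 00100 allow ip from any to any'."""
    fw = Ipfw([])
    fw.add("00100 allow ip from any to any")
    return fw.check(PING_TO_GATEWAY)
```

The zero packet counts on 65100 and 65110 in Gary's `ipfw show` output are the same evidence the model reproduces: a deny rule that never increments is a deny rule that nothing reaches, and on a first-match firewall the place to look is every rule with a lower number. The `add` method also mirrors a detail that matters for Rob's command: ipfw appends a new rule after existing rules carrying the same number, so `add 100 deny ...` sits behind the loopback allow at 100 but still ahead of 65000.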
Firewall problem
I have set my firewall to

    firewall_type="open"
    firewall_enable="YES"

and when I want to drop a specific IP, I enter it manually, it accepts it, but it does not drop the packets..

I am getting a lot of virus activity on my SMTP port 25. So I wanted to drop a few IP ranges/addresses..

    00100  62054   5483792 allow ip from any to any via lo0
    00200      0         0 deny ip from any to 127.0.0.0/8
    00300      0         0 deny ip from 127.0.0.0/8 to any
    65000 873327 293931424 allow ip from any to any
    65100      0         0 deny tcp from 24.92.226.153 to any
    65110      0         0 deny ip from 213.191.102.86 to any
    65535      0         0 deny ip from any to any

Yet, checking later in my SMTP logs, I am still getting pounded by the listed addresses. Can anyone explain why this isn't working?

Thanks,

--
Gary