Re: ipfilter mystery

[Fbsd8]

Fbsd8 wrote:

Running 9.0 and connecting to Time Warner for the first time.
I have private lan behind my 9.0 box.
I have made a real simple rule set and nat rule just to get log
of what is happing.

ipfilter rules.  dc0 faces lan, fxp0 faces public internet

pass in  log quick on dc0 all
pass out log quick on dc0 all

#pass in quick on fxp0 from 10.2.0.1

pass in  log quick on fxp0 all
pass out log quick on fxp0 all

pass in  quick on lo0 all

pass out quick on lo0 all

nat rule
map fxp0 10.0.10.0/29 - 0/32

Ipmon log
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 384 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 384 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast

dc0  @0:1 p 10.0.10.1,55884 - 209.18.47.61,53 PR udp len 20 61 IN
fxp0 @0:2 p 177.99.209.140,55884 - 209.18.47.61,53 PR udp len 20 61 OUT 
NAT

fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,55884 PR udp len 20 95 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,55884 PR udp len 20 95 OUT bad
dc0  @0:1 p 10.0.10.1,55660 - 209.18.47.61,53 PR udp len 20 64 IN
fxp0 @0:2 p 177.99.209.140,55660 - 209.18.47.61,53 PR udp len 20 64 OUT 
NAT

dc0  @0:1 p 10.0.10.1,51926 - 209.18.47.61,53 PR udp len 20 62 IN
fxp0 @0:2 p 177.99.209.140,51926 - 209.18.47.61,53 PR udp len 20 62 OUT 
NAT

dc0  @0:1 p 10.0.10.1,58697 - 209.18.47.61,53 PR udp len 20 61 IN
fxp0 @0:2 p 177.99.209.140,58697 - 209.18.47.61,53 PR udp len 20 61 OUT 
NAT

fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,55660 PR udp len 20 80 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,55660 PR udp len 20 80 OUT bad
dc0  @0:1 p 10.0.10.1,49947 - 209.18.47.61,53 PR udp len 20 64 IN
fxp0 @0:2 p 177.99.209.140,49947 - 209.18.47.61,53 PR udp len 20 64 OUT 
NAT

fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,58697 PR udp len 20 77 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,58697 PR udp len 20 77 OUT bad
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,51926 PR udp len 20 100 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,51926 PR udp len 20 100 OUT bad
dc0  @0:1 p 10.0.10.1,49901 - 209.18.47.61,53 PR udp len 20 63 IN
fxp0 @0:2 p 177.99.209.140,49901 - 209.18.47.61,53 PR udp len 20 63 OUT 
NAT

dc0  @0:1 p 10.0.10.1,59865 - 209.18.47.61,53 PR udp len 20 66 IN
fxp0 @0:2 p 177.99.209.140,59865 - 209.18.47.61,53 PR udp len 20 66 OUT 
NAT

fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,59865 PR udp len 20 82 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,59865 PR udp len 20 82 OUT bad
dc0  @0:1 p 10.0.10.1,53742 - 209.18.47.61,53 PR udp len 20 71 IN
fxp0 @0:2 p 177.99.209.140,53742 - 209.18.47.61,53 PR udp len 20 71 OUT 
NAT

fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,49947 PR udp len 20 116 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,49947 PR udp len 20 116 OUT bad
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,49901 PR udp len 20 99 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,49901 PR udp len 20 99 OUT bad
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,53742 PR udp len 20 120 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,53742 PR udp len 20 120 OUT bad
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast

dc0  @0:1 p 10.0.10.1,1320 - 69.147.83.34,80 PR tcp len 20 48 -S IN
fxp0 @0:2 p 177.99.209.140,1320 - 69.147.83.34,80 PR tcp len 20 48 -S 
OUT NAT


10.0.10.1 is the laptop in the lan.
10.2.0.1 is being sent by time warner
I can not understand why I am getting the IN bad NAT

The webpage loaded ok on the lan laptop.

I have been using ipfilter since release 3.2 and this is the first isp
i ever got this kind of problem with.




This turns out to be a bug in ipfilter. It’s now been reported as a bug 
to Darren Reed the maintainer of ipfilter.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

ipfilter mystery

[Fbsd8]

Running 9.0 and connecting to Time Warner for the first time.
I have private lan behind my 9.0 box.
I have made a real simple rule set and nat rule just to get log
of what is happing.

ipfilter rules.  dc0 faces lan, fxp0 faces public internet

pass in  log quick on dc0 all
pass out log quick on dc0 all

#pass in quick on fxp0 from 10.2.0.1
pass in  log quick on fxp0 all
pass out log quick on fxp0 all

pass in  quick on lo0 all
pass out quick on lo0 all

nat rule
map fxp0 10.0.10.0/29 - 0/32

Ipmon log
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 384 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 384 IN bad 
broadcast
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast

dc0  @0:1 p 10.0.10.1,55884 - 209.18.47.61,53 PR udp len 20 61 IN
fxp0 @0:2 p 177.99.209.140,55884 - 209.18.47.61,53 PR udp len 20 61 OUT NAT
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,55884 PR udp len 20 95 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,55884 PR udp len 20 95 OUT bad
dc0  @0:1 p 10.0.10.1,55660 - 209.18.47.61,53 PR udp len 20 64 IN
fxp0 @0:2 p 177.99.209.140,55660 - 209.18.47.61,53 PR udp len 20 64 OUT NAT
dc0  @0:1 p 10.0.10.1,51926 - 209.18.47.61,53 PR udp len 20 62 IN
fxp0 @0:2 p 177.99.209.140,51926 - 209.18.47.61,53 PR udp len 20 62 OUT NAT
dc0  @0:1 p 10.0.10.1,58697 - 209.18.47.61,53 PR udp len 20 61 IN
fxp0 @0:2 p 177.99.209.140,58697 - 209.18.47.61,53 PR udp len 20 61 OUT NAT
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,55660 PR udp len 20 80 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,55660 PR udp len 20 80 OUT bad
dc0  @0:1 p 10.0.10.1,49947 - 209.18.47.61,53 PR udp len 20 64 IN
fxp0 @0:2 p 177.99.209.140,49947 - 209.18.47.61,53 PR udp len 20 64 OUT NAT
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,58697 PR udp len 20 77 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,58697 PR udp len 20 77 OUT bad
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,51926 PR udp len 20 100 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,51926 PR udp len 20 100 OUT bad
dc0  @0:1 p 10.0.10.1,49901 - 209.18.47.61,53 PR udp len 20 63 IN
fxp0 @0:2 p 177.99.209.140,49901 - 209.18.47.61,53 PR udp len 20 63 OUT NAT
dc0  @0:1 p 10.0.10.1,59865 - 209.18.47.61,53 PR udp len 20 66 IN
fxp0 @0:2 p 177.99.209.140,59865 - 209.18.47.61,53 PR udp len 20 66 OUT NAT
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,59865 PR udp len 20 82 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,59865 PR udp len 20 82 OUT bad
dc0  @0:1 p 10.0.10.1,53742 - 209.18.47.61,53 PR udp len 20 71 IN
fxp0 @0:2 p 177.99.209.140,53742 - 209.18.47.61,53 PR udp len 20 71 OUT NAT
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,49947 PR udp len 20 116 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,49947 PR udp len 20 116 OUT bad
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,49901 PR udp len 20 99 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,49901 PR udp len 20 99 OUT bad
fxp0 @0:2 p 209.18.47.61,53 - 10.0.10.1,53742 PR udp len 20 120 IN bad NAT
dc0  @0:1 p 209.18.47.61,53 - 10.0.10.1,53742 PR udp len 20 120 OUT bad
fxp0 @0:2 p 10.2.0.1,67 - 255.255.255.255,68 PR udp len 20 328 IN bad 
broadcast

dc0  @0:1 p 10.0.10.1,1320 - 69.147.83.34,80 PR tcp len 20 48 -S IN
fxp0 @0:2 p 177.99.209.140,1320 - 69.147.83.34,80 PR tcp len 20 48 -S 
OUT NAT


10.0.10.1 is the laptop in the lan.
10.2.0.1 is being sent by time warner
I can not understand why I am getting the IN bad NAT

The webpage loaded ok on the lan laptop.

I have been using ipfilter since release 3.2 and this is the first isp
i ever got this kind of problem with.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: IPFilter and IPMon logging to syslog

[n j]

On Tue, Mar 1, 2011 at 8:38 PM, Dean E. Weimer dwei...@dweimer.net wrote:
 I have been doing some work with cleaning up my log files to make them
 easier to read, and for the life of me can't figure out how to get my
 IPFilter logs to stop going into the /var/log/messages log.  I have a syslog
 entry for local0.* /var/log/ipfilter.log which works great, and captures all
 the logs I want.  I have tried adding local0.none on the /var/log/messages
 line, but it seems to have no effect.  Can anyone tell me what I am doing
 wrong here, the below lines are from my syslog.conf configuration file.

 *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local0.none
     /var/log/messages
 local0.*       /var/log/ipfilter.log

I usually do it this way:

!-local0 # disable logging of local0
[log whatever] /var/log/messages

!local0 # enable logging of local0
local0.* /var/log/ipfilter.log

Regards,
-- 
Nino
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: IPFilter and IPMon logging to syslog

[Dean E. Weimer]

On Wed, 02 Mar 2011 12:23:27 +0100, Bernt Hansson wrote:


Put this in your rc.conf ipmon_flags=-D -f /var/log/ipf.log



I don't doubt that would work, but I would rather stick with using 
syslogd to handle the logging.  As I am hoping to implement remote 
logging to another server for log consolidation of several servers, 
which is why I started the process of cleaning up the local logs.


---

Thanks,
 Dean E. Weimer
 http://www.dweimer.net/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: IPFilter and IPMon logging to syslog

[Dean E. Weimer]

On Wed, 2 Mar 2011 09:34:39 +0100, n j wrote:


On Tue, Mar 1, 2011 at 8:38 PM, Dean E. Weimer wrote:
I have been doing some work with cleaning up my log files to make 
them
easier to read, and for the life of me can't figure out how to get 
my

IPFilter logs to stop going into the /var/log/messages log. I have a
syslog entry for local0.* /var/log/ipfilter.log which works great, 
and

captures all the logs I want. I have tried adding local0.none on the
/var/log/messages line, but it seems to have no effect. Can anyone 
tell
me what I am doing wrong here, the below lines are from my 
syslog.conf

configuration file.



*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local0.none

/var/log/messages local0.* /var/log/ipfilter.log

I usually do it this way: !-local0 # disable logging of local0 [log
whatever] /var/log/messages !local0 # enable logging of local0 
local0.*

/var/log/ipfilter.log Regards, -- Nino
___
freebsd-questions@freebsd.org [2] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions [3] To
unsubscribe, send any mail to 
freebsd-questions-unsubscr...@freebsd.org

[4]



Interesting method, I will keep this in mind for the future.

One thing to note, my config above seems to have started working after 
the messages log rotated.  I had restarted the syslog process by running 
/etc/rc.d/syslogd restart, but for some reason these messages continued 
until the newsyslog process rotated the messages file.


Now to get the rest of my servers local logs cleaned up and implement a 
new server for log consolidation.


---

Thanks,
 Dean E. Weimer
 http://www.dweimer.net/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

IPFilter and IPMon logging to syslog

[Dean E. Weimer]

I have been doing some work with cleaning up my log files to make them 
easier to read, and for the life of me can't figure out how to get my 
IPFilter logs to stop going into the /var/log/messages log.  I have a 
syslog entry for local0.* /var/log/ipfilter.log which works great, and 
captures all the logs I want.  I have tried adding local0.none on the 
/var/log/messages line, but it seems to have no effect.  Can anyone tell 
me what I am doing wrong here, the below lines are from my syslog.conf 
configuration file.


*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local0.none 
  /var/log/messages

local0.*   /var/log/ipfilter.log


--

Thanks,
 Dean E. Weimer
 http://www.dweimer.net/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

ipfilter rules question

[Anton Shterenlikht]

I'm using ipfilter on -current.

Here's a fragment of the outgoing rules:

# ipfstat -on

*skip*
@14 pass out quick on bge0 proto udp from any to any port = 8649 keep state
*skip*
@18 pass out log first quick on bge0 all


And I see these ipmon entries in /var/log/ipfilter.log:

ipmon[765]: 00:01:04.242290 bge0 @0:18 p 137.222.187.221,10280 - 
239.2.11.71,8649 PR udp len 20 96 OUT multicast
ipmon[765]: 00:01:09.702391 5x bge0 @0:18 p 137.222.187.221,10280 - 
239.2.11.71,8649 PR udp len 20 92 OUT multicast
ipmon[765]: 00:01:24.062025 7x bge0 @0:18 p 137.222.187.221,10280 - 
239.2.11.71,8649 PR udp len 20 92 OUT multicast

I don't understand why these packets are not
sent via rule 14. Is rule 14 not matched?
Or I'm missing someting else?

many thanks
anton

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

ipfilter unwanted blocking

[Oleksii Krykun]

Hi,

I use FreeBSD 7.2-RELEASE with IPFilter used as proxy server for our LAN.
I have following rules for external interface:

block in log on rl0 all head 100
block out log on rl0 all head 200

pass out quick proto udp from a.b.c.d/32 to any keep state group 200
pass out quick proto tcp from a.b.c.d/32 to any  flags S/SA keep state keep
frags group 200

All works but sometimes IPF block all (or most of them) packets to ports 80
and 53 for about 2-3 up to 40-50 s.
After this IPF returns to normal operation.

How to investigate this problem? I tried remove flags and keep frags but
without success.
No regularity.

Is this a IPF problem, wrong packages or kernel settings? Any idea?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

ipfilter nat redirect udp packets

[Fbsd1]

Have this nat rule
rdr rl0 0.0.0.0/0 port 6355 - 10.0.10.3 port 6355

I can see in the log that tcp packets are being redirected but udp
packets are not. Can not find any verbiage in man 5 0r 8 ipnat that
states rdr rule only matches on tcp packets. I thought tcp/udp packets
should be redirected?  Can anyone clarify this?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

ipfilter nat redirect udp packets

[Fbsd1]

Have this nat rule
rdr rl0 0.0.0.0/0 port 6355 - 10.0.10.3 port 6355

I can see in the log that tcp packets are being redirected but udp 
packets are not. Can not find any verbiage in man 5 0r 8 ipnat that 
states rdr rule only matches on tcp packets. I thought tcp/udp packets 
should be redirected?  Can anyone clarify this?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

ioctl (SIOCIPFL6): input/output error. when start ipfilter at freebsd 7.2 x64

[sailer]

This is my freebsd 7.2:
[code]
FreeBSD fbsd.test.com 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Mon Aug  3
06:40:56 UTC 2009
r...@vfbsd.shstorm.com:/usr/src/sys/amd64/compile/kernel_IPF  amd64
[/code]

In kenrel_IPF, I add these lines:
[code]
options IPFILTER
options IPFILTER_LOG
[/code]

Add these lines in /etc/rc.conf:
[code]
ipfilter_enable=YES
ipfilter_program=/sbin/ipf
ipfilter_rules=/etc/ipf.rules
ipfilter_flags=-D
ipmon_enable=YES
ipmon_flags=-D /var/log/ipfilter.log
[/code]

This is /etc/ipf.rules:
[code]
pass out quick on lo0 all
pass in quick on lo0 all

block in on re0 all
block out on re0 all

block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr

pass in on re0 proto tcp from any to any port = 80 flags S/SA keep state
pass in on re0 proto tcp from any to any port = 22 flags S/SA keep state
pass in on re0 proto tcp from any to any port = ftp flags S/SA keep state

pass in on re0 proto tcp from any to any port = ftp-data flags S/SA keep
state
pass in on re0 proto tcp from any to any port 3  50001 flags S/SA keep
state
[/code]

When start system, it shows some error messages:
[code]
..
Enabling ipfilter
ioctl (SIOCIPFL6): input/output error.
..
[/code]

Who can help me?
-- 
View this message in context: 
http://www.nabble.com/%22ioctl-%28SIOCIPFL6%29%3A-input-output-error.%22-when-start-ipfilter-at-freebsd-7.2-x64-tp24787848p24787848.html
Sent from the freebsd-questions mailing list archive at Nabble.com.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

ipfilter, ipnat, and if driver ath: what's just changed?

[dacoder]

updating my system friday from the feb 7 version of 7.1 to the latest broke
tcp and udp (but *not* icmp) over ipnat, which had worked forever with my
current ipfilter rules and ipnat mapping rules, which are pretty simple.
what has changed?

/etc/ipnat.rules:

map age0 10.0.0.0/24 - external ip/32

@ the top of /etc/ipf.rules:

pass out quick on age0 proto tcp/udp from any to any keep state keep 
frags
pass out quick on age0 proto icmp from any to any keep state keep frags

that used to work.  now it doesn't, witness ipmon:

01/03/2009 13:07:46.274707 age0 @0:28 b 74.125.93.102,80 - 10.0.0.253,2914
PR tcp len 20 48 -AS IN NAT

what's changed?  ipf?  ipnat?  age?  am i using an obsolete  therefore
unworkable set of ipfilter rules?  icmp still works, btw.

i'd be grateful for any help.

thx.

david coder
network engineer emeritus
ntt/verio

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: ipfilter, ipnat, and if driver ath [should have been age]: what's just changed?

[dacoder]

+++ dacoder [01/03/09 13:17 -0500]:

updating my system friday from the feb 7 version of 7.1 to the latest broke
tcp and udp (but *not* icmp) over ipnat, which had worked forever with my
current ipfilter rules and ipnat mapping rules, which are pretty simple.
what has changed?

/etc/ipnat.rules:

map age0 10.0.0.0/24 - external ip/32

@ the top of /etc/ipf.rules:

	pass out quick on age0 proto tcp/udp from any to any keep state keep 
	frags
	pass out quick on age0 proto icmp from any to any keep state keep 
	frags


that used to work.  now it doesn't, witness ipmon:

01/03/2009 13:07:46.274707 age0 @0:28 b 74.125.93.102,80 - 10.0.0.253,2914
PR tcp len 20 48 -AS IN NAT

what's changed?  ipf?  ipnat?  age?  am i using an obsolete  therefore
unworkable set of ipfilter rules?  icmp still works, btw.

i'd be grateful for any help.

thx.

david coder
network engineer emeritus
ntt/verio

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


i meant, of course, age, not ath in my subject line.

sorry for the confusion.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

RE: IPFilter section in Handbook needs updating

[Dean Weimer]

First, thanks for your work on writing the section in the handbook, its greatly 
appreciated.  The updates about where ipmon logging to local0 looks good.  Not 
sure whether or not you want to change the bumping the syslogd using the ps and 
kill commands as /etc/rc.d/syslogd reload does work, and would be easier for 
someone that is just learning how everything works.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

-Original Message-
From: Fbsd1 [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 06, 2008 9:05 PM
To: [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org; Dean Weimer
Subject: Re: IPFilter section in Handbook needs updating

G magicman wrote:
 And incomplete yes i agree that the doc does need to be updated and examples 
 (more) need to be added.
 
 --- On Fri, 12/5/08, Dean Weimer [EMAIL PROTECTED] wrote:
 From: Dean Weimer [EMAIL PROTECTED]
 Subject: IPFilter section in Handbook needs updating
 To: freebsd-questions@freebsd.org
 Date: Friday, December 5, 2008, 10:07 AM
 
 I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed 
 that
 the ipmon and syslog information under the ipfilter section of the handbook is
 incorrect.
 
 The section reads:
 -snip-
 31.5.7 IPMON Logging
 Syslogd uses its own special method for segregation of log data. It uses
 special groupings called facility and level. IPMON in
 -Ds mode uses security as the facility name. All IPMON logged data
 goes to security The following levels can be used to further segregate the
 logged data if desired:
 LOG_INFO - packets logged using the log keyword as the action
 rather than pass or block.
 LOG_NOTICE - packets logged which are also passed
 LOG_WARNING - packets logged which are also blocked
 LOG_ERR - packets which have been logged and which can be considered short
 To setup IPFILTER to log all data to /var/log/ipfilter.log, you will need to
 create the file. The following command will do that:
 # touch /var/log/ipfilter.log
 The syslog function is controlled by definition statements in the
 /etc/syslog.conf file. The syslog.conf file offers considerable flexibility in
 how syslog will deal with system messages issued by software applications like
 IPF.
 Add the following statement to /etc/syslog.conf:
 security.* /var/log/ipfilter.log
 The security.* means to write all the logged messages to the coded file
 location.
 To activate the changes to /etc/syslog.conf you can reboot or bump the syslog
 task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload
 Do not forget to change /etc/newsyslog.conf to rotate the new log you just
 created above.
 -snip-
 
 In trying to configure this I found that ipmon -Dsa doesn't log to
 security, but logs to local0 instead.  Reading the man page for ipmon does in
 fact state this.  However it also list the -L option as being able to change
 this default behavior, I tried ipmon -DSa -L security, it excepts this, but
 doesn't actually change the logging to use security.  It still only outputs
 to the syslog using local0, I also tried using ipmon -DSa -L local7 as well,
 still outputs to local0.  It was easy enough to modify my syslog.conf to 
 output
 the local0.* as well as security.* to the /var/log/security file.  However it
 would be greatly appreciated if someone that actually understands what's
 going on here could get this info updated.  It would have saved me some time, 
 as
 well as I am sure some other people in the future.  Of course it's always
 possible I am missing something simple here that is causing this discrepancy,
 please do inform me if I did.  It's probably worth mentioning that I am
 starting ipmon using the rc.conf file with ipmon_enable=YES and
 ipmon_flags=-DSa, just in case the /etc/rc.d/ipmon script actually
 changes the default behavior of ipmon in some way, though I didn't see
 anything in it that should.  And ps wwaux | grep ipmon does display the 
 process
 running with the flags exactly as stated on the ipmon_flags line of the
 /etc/rc.conf file.
 
 Thanks,
  Dean Weimer
  Network Administrator
  Orscheln Management Co
 

I wrote that whole firewall handbook section. How is the following for 
complete replacement of the 31.5.7 IPMON Logging section?

31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It uses 
special groupings called 'facility' and 'level'. IPMON in -Ds mode uses 
local0 as the 'facility' name. All IPMON logged data goes to local0.
You have to manually configure the /etc/syslog.conf file by adding the 
statements to direct the Local0 'facility' to the log file name 
recording the log records. FBSD keeps all of its syslog files in 
/var/log/ directory.

First allocate the new named log file for the IPFMON logged data.

touch /var/log/ipfilter.log # will allocate the file

The syslog function is controlled by definition statements in the 
/etc/syslog.conf file.
You will have to edit the /etc

Re: IPFilter section in Handbook needs updating

[Fbsd1]

G magicman wrote:

And incomplete yes i agree that the doc does need to be updated and examples 
(more) need to be added.

--- On Fri, 12/5/08, Dean Weimer [EMAIL PROTECTED] wrote:
From: Dean Weimer [EMAIL PROTECTED]
Subject: IPFilter section in Handbook needs updating
To: freebsd-questions@freebsd.org
Date: Friday, December 5, 2008, 10:07 AM

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed that
the ipmon and syslog information under the ipfilter section of the handbook is
incorrect.

The section reads:
-snip-
31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It uses
special groupings called facility and level. IPMON in
-Ds mode uses security as the facility name. All IPMON logged data
goes to security The following levels can be used to further segregate the
logged data if desired:
LOG_INFO - packets logged using the log keyword as the action
rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short
To setup IPFILTER to log all data to /var/log/ipfilter.log, you will need to
create the file. The following command will do that:
# touch /var/log/ipfilter.log
The syslog function is controlled by definition statements in the
/etc/syslog.conf file. The syslog.conf file offers considerable flexibility in
how syslog will deal with system messages issued by software applications like
IPF.
Add the following statement to /etc/syslog.conf:
security.* /var/log/ipfilter.log
The security.* means to write all the logged messages to the coded file
location.
To activate the changes to /etc/syslog.conf you can reboot or bump the syslog
task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload
Do not forget to change /etc/newsyslog.conf to rotate the new log you just
created above.
-snip-

In trying to configure this I found that ipmon -Dsa doesn't log to
security, but logs to local0 instead.  Reading the man page for ipmon does in
fact state this.  However it also list the -L option as being able to change
this default behavior, I tried ipmon -DSa -L security, it excepts this, but
doesn't actually change the logging to use security.  It still only outputs
to the syslog using local0, I also tried using ipmon -DSa -L local7 as well,
still outputs to local0.  It was easy enough to modify my syslog.conf to output
the local0.* as well as security.* to the /var/log/security file.  However it
would be greatly appreciated if someone that actually understands what's
going on here could get this info updated.  It would have saved me some time, as
well as I am sure some other people in the future.  Of course it's always
possible I am missing something simple here that is causing this discrepancy,
please do inform me if I did.  It's probably worth mentioning that I am
starting ipmon using the rc.conf file with ipmon_enable=YES and
ipmon_flags=-DSa, just in case the /etc/rc.d/ipmon script actually
changes the default behavior of ipmon in some way, though I didn't see
anything in it that should.  And ps wwaux | grep ipmon does display the process
running with the flags exactly as stated on the ipmon_flags line of the
/etc/rc.conf file.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co



I wrote that whole firewall handbook section. How is the following for 
complete replacement of the 31.5.7 IPMON Logging section?


31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It uses 
special groupings called ‘facility’ and ‘level’. IPMON in –Ds mode uses 
local0 as the ‘facility’ name. All IPMON logged data goes to local0.
You have to manually configure the /etc/syslog.conf file by adding the 
statements to direct the Local0 'facility' to the log file name 
recording the log records. FBSD keeps all of its syslog files in 
/var/log/ directory.


First allocate the new named log file for the IPFMON logged data.

touch /var/log/ipfilter.log # will allocate the file

The syslog function is controlled by definition statements in the 
/etc/syslog.conf file.

You will have to edit the /etc/syslog.conf file.

Add the following statement to syslog.conf:

local0.* /var/log/ipfilter.log

The local0.* means to write all the logged messages to the coded file 
location.
To activate the changes to /etc/syslog.conf you can reboot or bump the 
syslog task into re-reading /etc/syslog.conf by kill –HUP pid. You get 
the pid (IE: process number) by listing the tasks with the ps ax 
command. Find syslog in the display and the pid number is the number in 
the left column.
Don’t forget to change /etc/newsyslog.conf to rotate the new named 
IPFILTER log you just created above.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail

IPFilter section in Handbook needs updating

[Dean Weimer]

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed 
that the ipmon and syslog information under the ipfilter section of the 
handbook is incorrect.

The section reads:
-snip-
31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It uses 
special groupings called facility and level. IPMON in -Ds mode uses 
security as the facility name. All IPMON logged data goes to security The 
following levels can be used to further segregate the logged data if desired:
LOG_INFO - packets logged using the log keyword as the action rather than 
pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short
To setup IPFILTER to log all data to /var/log/ipfilter.log, you will need to 
create the file. The following command will do that:
# touch /var/log/ipfilter.log
The syslog function is controlled by definition statements in the 
/etc/syslog.conf file. The syslog.conf file offers considerable flexibility in 
how syslog will deal with system messages issued by software applications like 
IPF.
Add the following statement to /etc/syslog.conf:
security.* /var/log/ipfilter.log
The security.* means to write all the logged messages to the coded file 
location.
To activate the changes to /etc/syslog.conf you can reboot or bump the syslog 
task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload
Do not forget to change /etc/newsyslog.conf to rotate the new log you just 
created above.
-snip-

In trying to configure this I found that ipmon -Dsa doesn't log to security, 
but logs to local0 instead.  Reading the man page for ipmon does in fact state 
this.  However it also list the -L option as being able to change this default 
behavior, I tried ipmon -DSa -L security, it excepts this, but doesn't actually 
change the logging to use security.  It still only outputs to the syslog using 
local0, I also tried using ipmon -DSa -L local7 as well, still outputs to 
local0.  It was easy enough to modify my syslog.conf to output the local0.* as 
well as security.* to the /var/log/security file.  However it would be greatly 
appreciated if someone that actually understands what's going on here could get 
this info updated.  It would have saved me some time, as well as I am sure some 
other people in the future.  Of course it's always possible I am missing 
something simple here that is causing this discrepancy, please do inform me if 
I did.  It's probably worth mentioning that I am starting ipmon using the 
rc.conf file with ipmon_enable=YES and ipmon_flags=-DSa, just in case the 
/etc/rc.d/ipmon script actually changes the default behavior of ipmon in some 
way, though I didn't see anything in it that should.  And ps wwaux | grep ipmon 
does display the process running with the flags exactly as stated on the 
ipmon_flags line of the /etc/rc.conf file.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: IPFilter section in Handbook needs updating

[Chris]

On Dec 5, 2008, at 7:07 AM, Dean Weimer wrote:

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and  
noticed that the ipmon and syslog information under the ipfilter  
section of the handbook is incorrect.



A couple of years back, I submitted a one liner to some email
address of a documentation maintainer. I just looked on the
site and couldn't find this address. Instead, it said if you have
a change, it suggested putting in a PR. It sounds like it you
should create a diff of the current wording and your recommended
change.

Here is where I was looking:
http://www.freebsd.org/docproj/submitting.html


The section reads:
-snip-
31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It  
uses special groupings called facility and level. IPMON in -Ds  
mode uses security as the facility name. All IPMON logged data  
goes to security The following levels can be used to further  
segregate the logged data if desired:
LOG_INFO - packets logged using the log keyword as the action  
rather than pass or block.

LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be  
considered short
To setup IPFILTER to log all data to /var/log/ipfilter.log, you  
will need to create the file. The following command will do that:

# touch /var/log/ipfilter.log
The syslog function is controlled by definition statements in the / 
etc/syslog.conf file. The syslog.conf file offers considerable  
flexibility in how syslog will deal with system messages issued by  
software applications like IPF.

Add the following statement to /etc/syslog.conf:
security.* /var/log/ipfilter.log
The security.* means to write all the logged messages to the coded  
file location.
To activate the changes to /etc/syslog.conf you can reboot or bump  
the syslog task into re-reading /etc/syslog.conf by running /etc/ 
rc.d/syslogd reload
Do not forget to change /etc/newsyslog.conf to rotate the new log  
you just created above.

-snip-

In trying to configure this I found that ipmon -Dsa doesn't log to  
security, but logs to local0 instead.  Reading the man page for  
ipmon does in fact state this.  However it also list the -L option  
as being able to change this default behavior, I tried ipmon -DSa - 
L security, it excepts this, but doesn't actually change the  
logging to use security.  It still only outputs to the syslog using  
local0, I also tried using ipmon -DSa -L local7 as well, still  
outputs to local0.  It was easy enough to modify my syslog.conf to  
output the local0.* as well as security.* to the /var/log/security  
file.  However it would be greatly appreciated if someone that  
actually understands what's going on here could get this info  
updated.  It would have saved me some time, as well as I am sure  
some other people in the future.  Of course it's always possible I  
am missing something simple here that is causing this discrepancy,  
please do inform me if I did.  It's probably worth mentioning that  
I am starting ipmon using the rc.conf file with ipmon_enable=YES  
and ipmon_flags=-DSa, just in case the /etc/rc.d/ipmon script  
actually changes the default behavior of ipmon in some way, though  
I didn't see anything in it that should.  And ps wwaux | grep ipmon  
does display the process running with the flags exactly as stated  
on the ipmon_flags line of the /etc/rc.conf file.


Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions- 
[EMAIL PROTECTED]




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: IPFilter section in Handbook needs updating

[G magicman]

And incomplete yes i agree that the doc does need to be updated and examples 
(more) need to be added.

--- On Fri, 12/5/08, Dean Weimer [EMAIL PROTECTED] wrote:
From: Dean Weimer [EMAIL PROTECTED]
Subject: IPFilter section in Handbook needs updating
To: freebsd-questions@freebsd.org
Date: Friday, December 5, 2008, 10:07 AM

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed that
the ipmon and syslog information under the ipfilter section of the handbook is
incorrect.

The section reads:
-snip-
31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It uses
special groupings called facility and level. IPMON in
-Ds mode uses security as the facility name. All IPMON logged data
goes to security The following levels can be used to further segregate the
logged data if desired:
LOG_INFO - packets logged using the log keyword as the action
rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short
To setup IPFILTER to log all data to /var/log/ipfilter.log, you will need to
create the file. The following command will do that:
# touch /var/log/ipfilter.log
The syslog function is controlled by definition statements in the
/etc/syslog.conf file. The syslog.conf file offers considerable flexibility in
how syslog will deal with system messages issued by software applications like
IPF.
Add the following statement to /etc/syslog.conf:
security.* /var/log/ipfilter.log
The security.* means to write all the logged messages to the coded file
location.
To activate the changes to /etc/syslog.conf you can reboot or bump the syslog
task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload
Do not forget to change /etc/newsyslog.conf to rotate the new log you just
created above.
-snip-

In trying to configure this I found that ipmon -Dsa doesn't log to
security, but logs to local0 instead.  Reading the man page for ipmon does in
fact state this.  However it also list the -L option as being able to change
this default behavior, I tried ipmon -DSa -L security, it excepts this, but
doesn't actually change the logging to use security.  It still only outputs
to the syslog using local0, I also tried using ipmon -DSa -L local7 as well,
still outputs to local0.  It was easy enough to modify my syslog.conf to output
the local0.* as well as security.* to the /var/log/security file.  However it
would be greatly appreciated if someone that actually understands what's
going on here could get this info updated.  It would have saved me some time, as
well as I am sure some other people in the future.  Of course it's always
possible I am missing something simple here that is causing this discrepancy,
please do inform me if I did.  It's probably worth mentioning that I am
starting ipmon using the rc.conf file with ipmon_enable=YES and
ipmon_flags=-DSa, just in case the /etc/rc.d/ipmon script actually
changes the default behavior of ipmon in some way, though I didn't see
anything in it that should.  And ps wwaux | grep ipmon does display the process
running with the flags exactly as stated on the ipmon_flags line of the
/etc/rc.conf file.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

freebsd6.2-stable + ipfilter + policy routing mbuf leak

[Colin Yuile]

Hi all,

I have a server running 6.2-stable that experiences mbuf leakage
if I perform policy routing with ipfilter. This is independent of the 
hardware as I have moved the disk to a different machine with different 
MB, NICs etc and had the same result.

The server is running quagga, postfix and ipfilter for some basic 
firewalling. The policy routing was to route outgoing web traffic to
a second internet link.

I have been running the same setup for several years on a 4.11 machine
without any problems.

Can anyone confirm this problem?

Cheers,

Colin
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Strange problem of ipfilter

[budsz]

Hallo,

I got strange problem ipfilter on FreeBSD 6.2-STABLE. After uptime my
machine running 7 days until 10 days, I can't access DNS, sometime
SSH, and etc,  to my box, but this happen randomly. For example I've
rule like this:

# SSH
pass  in   quick on rl0 proto tcp from 192.168.0.0/24 to
192.168.0.100/32 port = 22 keep state

# DNS
pass  in   quick proto udp from 192.168.0.0/24 to
192.168.0.100/32 port = 53 keep state

Whereis:

192.168.0.0/24 my client block ip, 192.168.0.200/32 ip box running ipfilter.

I try to create rule:

pass in all
pass out all

Then reload ipfilter rule. Or I try to restart my machine with my
default rule. So everything gone be alright. FYI, I use:

root:~# ipf -V
ipf: IP Filter: v4.1.13 (416)
Kernel: IP Filter: v4.1.13
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
Feature mask: 0xa

root:~# uname -srm
FreeBSD 6.2-STABLE i386

I do compile ipfilter with default block in kernel configuration. This
night I'll try to make world my FreeBSD box and I hope FreeBSD's
commiter already revision with this bug.

Would you give some clue to fix this problem. Thanks you for your help.


TIA
-- 
budsz
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

ipfilter and DHCP

[J.D. Bronson]

Ok...what do you guys do to handle a change of IP/network via DHCP 
with ipfilter?


I have been told that if my IP changes while the machine is up and 
running that ipfilter WON'T see this change and needs to be 
told...supposedly it only reads the IP when it starts itself.


If this is true, is there any easy way to fix this?
I run ipcheck.py and that can invoke a script if needed if it notices 
and IP changed


ipnat.conf:
map bge1 192.43.82.0/24 - 0/32 proxy port ftp ftp/tcp
map bge1 192.43.82.0/24 - 0/32 portmap tcp/udp auto
map bge1 192.43.82.0/24 - 0/32

rdr bge1 0.0.0.0/0 port 25 - 192.43.82.170 port 25


I presume if it reads the IP and fills in the '0/32' + '0.0.0.0/0' 
values at startup...having my IP change could be disasterous.


thanks for any tips-

-JD

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter and DHCP

[Lowell Gilbert]

J.D. Bronson [EMAIL PROTECTED] writes:

 Ok...what do you guys do to handle a change of IP/network via DHCP
 with ipfilter?

 I have been told that if my IP changes while the machine is up and
 running that ipfilter WON'T see this change and needs to be
 told...supposedly it only reads the IP when it starts itself.

 If this is true, is there any easy way to fix this?
 I run ipcheck.py and that can invoke a script if needed if it notices
 and IP changed

 ipnat.conf:
 map bge1 192.43.82.0/24 - 0/32 proxy port ftp ftp/tcp
 map bge1 192.43.82.0/24 - 0/32 portmap tcp/udp auto
 map bge1 192.43.82.0/24 - 0/32

 rdr bge1 0.0.0.0/0 port 25 - 192.43.82.170 port 25


 I presume if it reads the IP and fills in the '0/32' + '0.0.0.0/0'
 values at startup...having my IP change could be disasterous.

When your IP changes, you can have dhclient trigger a script of your
choosing.  You can use that to alter your firewall rules.

There are probably other approaches too.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter and DHCP

[RW]

On Tue, 10 Apr 2007 15:26:36 -0400
Lowell Gilbert [EMAIL PROTECTED] wrote:

 J.D. Bronson [EMAIL PROTECTED] writes:
 
  Ok...what do you guys do to handle a change of IP/network via DHCP
  with ipfilter?
 
  I have been told that if my IP changes while the machine is up and
  running that ipfilter WON'T see this change and needs to be
  told...supposedly it only reads the IP when it starts itself.
 
  If this is true, is there any easy way to fix this?
  I run ipcheck.py and that can invoke a script if needed if it
  notices and IP changed
 
  ipnat.conf:
  map bge1 192.43.82.0/24 - 0/32 proxy port ftp ftp/tcp
  map bge1 192.43.82.0/24 - 0/32 portmap tcp/udp auto
  map bge1 192.43.82.0/24 - 0/32
 
  rdr bge1 0.0.0.0/0 port 25 - 192.43.82.170 port 25
 
 
  I presume if it reads the IP and fills in the '0/32' + '0.0.0.0/0'
  values at startup...having my IP change could be disasterous.
 
 When your IP changes, you can have dhclient trigger a script of your
 choosing.  You can use that to alter your firewall rules.

Does it matter though?

# rcorder /etc/rc.d/* |egrep  ipfil|dhc
/etc/rc.d/ipfilter
/etc/rc.d/dhclient

ipfilter doesn't actually have an ip address for the interface when it
starts up, so it seem unlikely it can't cope with a new address.

It wouldn't hurt to do an /etc/rc.d/ipfilter resync though
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Improvement to IPFilter / nfsd in FBSD (6.2+?)

[Patrick Lamaizière]

Garrett Cooper :

Hello,

 Just wondering if anyone has IPFilter / nfsd setup properly on their
 boxes with any beta versions of FBSD.

 I am having loads of issues transferring large files (~300MB apiece) or
 issues transferring a large number of smaller files (3MB ~ 10MB apiece)
 from a FBSD 6.1 client to a FBSD 6.1 server, where it transfers part of
 the files, then cp / mv get stuck indefinitely on the client system. The
 stuck cp / mv processes cause the client to hang on reboot, and then
 terminate before all of the buffers are written to disk (which forces
 fsck on next boot).

Did you try to use tcp transport with NFS ? See the '-T' option of 
mount_nfs(8). See also the -i option (Make the mount interruptible).

Regards.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Improvement to IPFilter / nfsd in FBSD (6.2+?)

[Garrett Cooper]

Just wondering if anyone has IPFilter / nfsd setup properly on their 
boxes with any beta versions of FBSD.


I am having loads of issues transferring large files (~300MB apiece) or 
issues transferring a large number of smaller files (3MB ~ 10MB apiece) 
from a FBSD 6.1 client to a FBSD 6.1 server, where it transfers part of 
the files, then cp / mv get stuck indefinitely on the client system. The 
stuck cp / mv processes cause the client to hang on reboot, and then 
terminate before all of the buffers are written to disk (which forces 
fsck on next boot).


Also if you suggest 7-CURRENT, what's the CVS tag for that version?

-Garrett
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Improvement to IPFilter / nfsd in FBSD (6.2+?)

[Chuck Swiger]

On Jan 11, 2007, at 10:58 AM, Garrett Cooper wrote:
Just wondering if anyone has IPFilter / nfsd setup properly on  
their boxes with any beta versions of FBSD.


It is typically not useful to implement firewall rules between NFS  
servers and legitimate NFS clients.


The large number of RPC services using randomly assigned ports needed  
by NFS and the fact that machines which trust each other enough to  
permit filesharing and generally utilize a common set of directory  
services to keep the user/group mappings synced mean that the NFS  
server  clients should be considered in the same trust domain in  
most cases.



Also if you suggest 7-CURRENT, what's the CVS tag for that version?


The HEAD of the CVS tree (aka .).  Updating the 7-CURRENT won't  
have any affect upon firewall configuration for NFS, however.


--
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

[Garrett Cooper]

Chuck Swiger wrote:

On Jan 11, 2007, at 10:58 AM, Garrett Cooper wrote:
Just wondering if anyone has IPFilter / nfsd setup properly on their 
boxes with any beta versions of FBSD.


It is typically not useful to implement firewall rules between NFS 
servers and legitimate NFS clients.


The large number of RPC services using randomly assigned ports needed 
by NFS and the fact that machines which trust each other enough to 
permit filesharing and generally utilize a common set of directory 
services to keep the user/group mappings synced mean that the NFS 
server  clients should be considered in the same trust domain in 
most cases.
Right, ok. I suppose I was just being lazy/trying to blanket support all 
machines on my subnet without having to delve into individual hosts, but 
that makes perfect sense. rpcbind (and RPC in general) strictly uses 
ports under 1023--assuming that there are enough allocatable ports 
available for each RPC service in the port range 1-1023--if running as 
root, does it not?


Does the same rationale apply for Samba? That's part of the reason why 
I'm concerned with running a firewall.. I run smbd/nmbd on the server 
machine.


Either that, or I could switch to another firewall setup (albeit it'd be 
sort of a pain). Does ipfw / pf work better with RPC than IPFilter?



Also if you suggest 7-CURRENT, what's the CVS tag for that version?


The HEAD of the CVS tree (aka .).  Updating the 7-CURRENT won't have 
any affect upon firewall configuration for NFS, however.
Right. I was just going to see if there was any improvement in how 
things were implemented in 7-CURRENT, because maybe the issues that I'm 
encountering had been 'solved' in 7-CURRENT (although I would probably 
have more issues with core kernel items as they're under heavy 
development it appears given traffic on the current@ list).


Thanks Chuck!
-Garrett
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

[Chuck Swiger]

On Jan 11, 2007, at 12:54 PM, Garrett Cooper wrote:
It is typically not useful to implement firewall rules between NFS  
servers and legitimate NFS clients.


The large number of RPC services using randomly assigned ports  
needed by NFS and the fact that machines which trust each other  
enough to permit filesharing and generally utilize a common set of  
directory services to keep the user/group mappings synced mean  
that the NFS server  clients should be considered in the same  
trust domain in most cases.


Right, ok. I suppose I was just being lazy/trying to blanket  
support all machines on my subnet without having to delve into  
individual hosts, but that makes perfect sense. rpcbind (and RPC in  
general) strictly uses ports under 1023--assuming that there are  
enough allocatable ports available for each RPC service in the port  
range 1-1023--if running as root, does it not?


Actually, no.  While rpcbind/portmap/portmapper is assigned to 111/ 
tcp  udp, most other RPC services get assigned high port numbers in  
the 327xx range, but that varies considerably from platform to platform.


Does the same rationale apply for Samba? That's part of the reason  
why I'm concerned with running a firewall.. I run smbd/nmbd on the  
server machine.


Somewhat, yes.  Samba/CIFS filesharing can require less trust between  
server and client as accessing a Samba share does not require  
superuser permissions, just limited user access, but Samba does  
require root access to start up and bind to the low ports it uses,  
and it also involves the network browse master (which nmbd can do)  
and so forth which involve subnet-oriented broadcast traffic.


Samba/CIFS is a chatty protocol.

Either that, or I could switch to another firewall setup (albeit  
it'd be sort of a pain). Does ipfw / pf work better with RPC than  
IPFilter?


No, not really.  What you probably want to focus on is protecting  
your entire subnet, including the fileserver and clients, from  
malicious traffic via your Internet link(s), and then worry about  
egress filtering, dividing your machines into a trusted internal LAN  
and a semi-trusted DMZ, and so forth.


A firewall system should not be running any kind of filesharing;  
while you can run PF, IPFW, etc on your fileserver, that ought to be  
a secondary line of protection for defense in depth, and your  
Internet connection ought to have a dual-homed or multihomed firewall  
machine which is dedicated to that role and which runs zero services.


--
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

[Garrett Cooper]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chuck Swiger wrote:

 Actually, no.  While rpcbind/portmap/portmapper is assigned to 111/tcp 
 udp, most other RPC services get assigned high port numbers in the 327xx
 range, but that varies considerably from platform to platform.

True. NFS is port 2049 by default, anyhow..

 Somewhat, yes.  Samba/CIFS filesharing can require less trust between
 server and client as accessing a Samba share does not require superuser
 permissions, just limited user access, but Samba does require root
 access to start up and bind to the low ports it uses, and it also
 involves the network browse master (which nmbd can do) and so forth
 which involve subnet-oriented broadcast traffic.
 
 Samba/CIFS is a chatty protocol.

No kidding. The funny thing is that smbclient (Xbox Media Center runs
smbclient) I've learned requires more open ports than regular CIFS
enabled Windows XP hosts to RPC services, which has caused more issues
than it's worth in the past.

 No, not really.  What you probably want to focus on is protecting your
 entire subnet, including the fileserver and clients, from malicious
 traffic via your Internet link(s), and then worry about egress
 filtering, dividing your machines into a trusted internal LAN and a
 semi-trusted DMZ, and so forth.

 A firewall system should not be running any kind of filesharing; while
 you can run PF, IPFW, etc on your fileserver, that ought to be a
 secondary line of protection for defense in depth, and your Internet
 connection ought to have a dual-homed or multihomed firewall machine
 which is dedicated to that role and which runs zero services.

Right. However, I don't trust the rest of the clients on my subnet other
than the ones I maintain, so that's why I have setup the firewall rules
I have.

Sorry for not more clearly defining the situation earlier, but here's
the reasoning / rationale for what I'm doing..


IT nightmare

- -I live in a house with a shared LAN with a total of around 50 hosts
connected / disconnected at various times of the day.

- -I don't trust any of the Windows clients devoid a small handful because
I have had a variety of connectivity problems caused by improperly
managed personal machines, virii, and spyware on machines here.

- -There isn't a real means of properly controlling IP distribution and
people are free to change their IP addresses to whatever they choose
(host information is set statically, not dynamically).

- -I have 5 machines which have access to the network--2 serving machines
and 3 clients which aren't always attached to the network. I have set
the IP addresses up so they all lie in a range, but I don't trust
whether someone will IP squat my address and do whatever they want to my
serving machines (whether they mean to or it happens by accident).

- -Some of the machines on the network have access to the machine serving
via Samba, but that's a limited number.

/IT nightmare

- -Garrett
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.1 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFprE4EnKyINQw/HARAjwyAKCY9F8O2rkdet2/gxNNqCQXij0xgwCfSF3/
tswDC5ovt0A5r3Tg7s7BSqE=
=iVhr
-END PGP SIGNATURE-
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

[Chuck Swiger]

On Jan 11, 2007, at 1:50 PM, Garrett Cooper wrote:
Actually, no.  While rpcbind/portmap/portmapper is assigned to 111/ 
tcp 
udp, most other RPC services get assigned high port numbers in the  
327xx

range, but that varies considerably from platform to platform.


True. NFS is port 2049 by default, anyhow..


Good example, yet this is true on some platforms but not on others.

A firewall system should not be running any kind of filesharing;  
while

you can run PF, IPFW, etc on your fileserver, that ought to be a
secondary line of protection for defense in depth, and your  
Internet

connection ought to have a dual-homed or multihomed firewall machine
which is dedicated to that role and which runs zero services.


Right. However, I don't trust the rest of the clients on my subnet  
other
than the ones I maintain, so that's why I have setup the firewall  
rules

I have.


You really don't want to mix machines which are trusted with machines  
which are not trusted on the same subnet.  If you can't control which  
client machines get which IPs, you pretty much cannot use firewall  
rules to restrict filesharing only to the legit clients.



Sorry for not more clearly defining the situation earlier, but here's
the reasoning / rationale for what I'm doing..

IT nightmare

- -I live in a house with a shared LAN with a total of around 50 hosts
connected / disconnected at various times of the day.

- -I don't trust any of the Windows clients devoid a small handful  
because

I have had a variety of connectivity problems caused by improperly
managed personal machines, virii, and spyware on machines here.

- -There isn't a real means of properly controlling IP distribution  
and

people are free to change their IP addresses to whatever they choose
(host information is set statically, not dynamically).

- -I have 5 machines which have access to the network--2 serving  
machines

and 3 clients which aren't always attached to the network. I have set
the IP addresses up so they all lie in a range, but I don't trust
whether someone will IP squat my address and do whatever they want  
to my

serving machines (whether they mean to or it happens by accident).

- -Some of the machines on the network have access to the machine  
serving

via Samba, but that's a limited number.


Perhaps you should consider setting up your own private subnet for  
your machines, and having a firewall guarding access to your machines  
which performs static NAT for the set of five IP addresses you've  
made claim to.


--
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Firewalls and RPC (was Re: Improvement to IPFilter / nfsd in FBSD (6.2+?))

[Garrett Cooper]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chuck Swiger wrote:

snip

 You really don't want to mix machines which are trusted with machines
 which are not trusted on the same subnet.  If you can't control which
 client machines get which IPs, you pretty much cannot use firewall rules
 to restrict filesharing only to the legit clients.

Excellent point.

snip

 Perhaps you should consider setting up your own private subnet for your
 machines, and having a firewall guarding access to your machines which
 performs static NAT for the set of five IP addresses you've made claim to.

I'm really starting to think that'd be a good idea. Thanks again for the
comments--it really helps.
- -Garrett
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.1 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFprRBEnKyINQw/HARAo8cAJ4sHIowqgCRbFMv6JDufsowxEDGGACePLKj
NqyrOFDj6gbTQscMws0q6zg=
=mDqk
-END PGP SIGNATURE-
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Quality of Services with FreeBSD NAT and IPFilter

[Office of CEO- rithy4u.NET]

Dear all,

I have install one FreeBSD Firewall in my office and its running NATD 
and IPFilter now. My external Interface is connected to my ISP through 
Wimax PPPoE (256 kbps).


I have install another PC for PC-to-Phone VoIP Call and there is no 
Internet Application running on that PC except Ring-Voiz Dialer. I have 
asked my ISP they said they already optimized the QoS for This VoIP 
Services already (Media ring), but my ISP backbone is locate in US and 
the server that I will connect to make call to Hong Kong and other asia 
countries in at Singapore (as I knew).


Any ideas how to optimize my Gateway (FreeBSD/NATD/IPFilter) to ensure 
that it will reserv the bandwidth priority for my VoIP Application?


Thanks for your comments.
--
*Rithy Ray, RCSA*
Chief Executive Officer
Web: www.rithy4u.net http://www.rithy4u.net
Email: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Phone: (855) 12 403 001

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Quality of Services with FreeBSD NAT and IPFilter

[Mike Tancsa]

On Sat, 28 Oct 2006 08:59:40 +0700, in sentex.lists.freebsd.questions
you wrote:


Any ideas how to optimize my Gateway (FreeBSD/NATD/IPFilter) to ensure 
that it will reserv the bandwidth priority for my VoIP Application?


You are better off using pf+ALTQ rather than mixing ipfilter and natd.
If you want to use ipfilter (pf is better) than get rid of natd and
use the built in ipnat in ipfilter.
There are some good writeups around on pf and altq as well
e.g.
http://www.benzedrine.cx/pf.html

and

http://www.benzedrine.cx/ackpri.html

---Mike

Mike Tancsa, Sentex communications http://www.sentex.net
Providing Internet Access since 1994
[EMAIL PROTECTED], (http://www.tancsa.com)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

ipfilter / ipnat /usr/sbin/ppp ?

[Nathan Vidican]

using:


ppp -ddial -nat profile

How does the -nat flag implement nat for PPPoE ? Using ipfw/natd, 
ipnat/ipfilter, and is it hard-coded or can it be optionally changed?

Can I use rules created for/through ipfilter/ipnat, or should I simply 
disable NAT translation on the ppp interface and enable it through ipnat on 
it's own? 

--
Nathan Vidican
[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter / ipnat /usr/sbin/ppp ? (answered)

[Nathan Vidican]

Answer found, NAT implemented using libalias library:  man 3 libalias


--
Nathan Vidican
[EMAIL PROTECTED]

On Wed, 18 Oct 2006 13:59:29 -0400, Nathan Vidican wrote
 using:
 
 ppp -ddial -nat profile
 
 How does the -nat flag implement nat for PPPoE ? Using ipfw/natd, 
 ipnat/ipfilter, and is it hard-coded or can it be optionally changed?
 
 Can I use rules created for/through ipfilter/ipnat, or should I 
 simply disable NAT translation on the ppp interface and enable it 
 through ipnat on it's own?
 
 --
 Nathan Vidican
 [EMAIL PROTECTED]
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to freebsd-questions-
[EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Dummynet in an IPFilter setup

[Odhiambo Washington]

Hiya,

Since freebsd-ipfw is dead and mostly for spammers, let me try my luck 
here once more ;)

I am trying to prove a point to a customer - that he can save the cost
of expensive routing hardware by just having a FreeBSD box on their LAN.
Unfortunately, this also means that I need to spend days reading about
IPFW, which, sincerely, is not one of those firewall implementations 
that is easy for me. I therefore need help to prove a point and keep
a customer..

The scenario:

I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
interfaces at the moment, external interface connected to the hostile
Internet and internal interface connected to a switch for the LAN.

The ISP gives 256Kbit/s on the external interface. Out of this, I
need to dedicate/guarantee 128Kbit/s to just one machine.

A streaming server has been introduced on the LAN, and it is considered
a VIP host as far as bandwidth allocation is concerned.
The problem is that p2p is also officially allowed on the LAN. I hate
it but it is allowed. Period. No argument about it.

I need to guarantee 128Kbit/s of the available bandwidth to the 
streaming host (server, if you can call it).


My thinking/plan:

1. Add one more NIC to the FreeBSD box (it's also the router, 
  firewall, _everything_ server) and put this on a separate IP block.
  To this NIC I will connect the VIP host, which needs the guaranteed
  bandwidth. I will therefore NAT traffic to/from it.

2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
   this means that:
   (a) They cannot go beyond 128Kbit/s
   (b) The VIP box will go above 128K/bit's in case the throttled
   LAN is not using all of the 128Kbit/s

I need to control bandwidth on the external interface only, not on the
LAN (internal interfaces).

Is this rightful thinking or sheer imagination which is not practical?


My problem:


Most important is being dumb when it comes to IPFW and hence the pipes
and all that pertains to it.

Here is my ipfw configuration, in black and white (firewall_type=OPEN)


# Outside interface network and netmask and ip
oif=bfe0
iif=xl0
onet=62.8.68.0
omask=255.255.255.252
oip=62.8.68.22

# Inside interface network and netmask and ip
iif=xl0
inet=10.0.0.0
imask=255.255.255.0
iip=10.0.0.2

ipfw pipe 1 config bw 128Kbit/s

# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${iip} to ${inet}:${imask}
${fwcmd} add pass all from ${inet}:${imask} to ${iip}

# Throttle now
ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
${fwcmd} add 65000 pass all from any to any


With this configuration, it seems like even LAN-LAN communication is 
being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
Can someone tell me why that is happening?

Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
bandwidth limitation configuration, is it not true that I will have 
achieved my goal?

I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
have a static route for the VIP box, with NAT for any connections 
to/from it.


I'll really appreciate any help/advise towards a perfect configuration
for the firewall, and how I can get this to work.

Thanks in advance.



-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+

Minnie Mouse is a slow maze learner.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Dummynet in an IPFilter setup

[Bill Moran]

In response to Odhiambo Washington [EMAIL PROTECTED]:

[snip]

 The scenario:
 
 I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
 interfaces at the moment, external interface connected to the hostile
 Internet and internal interface connected to a switch for the LAN.
 
 The ISP gives 256Kbit/s on the external interface. Out of this, I
 need to dedicate/guarantee 128Kbit/s to just one machine.
 
 A streaming server has been introduced on the LAN, and it is considered
 a VIP host as far as bandwidth allocation is concerned.
 The problem is that p2p is also officially allowed on the LAN. I hate
 it but it is allowed. Period. No argument about it.
 
 I need to guarantee 128Kbit/s of the available bandwidth to the 
 streaming host (server, if you can call it).
 
 
 My thinking/plan:
 
 1. Add one more NIC to the FreeBSD box (it's also the router, 
   firewall, _everything_ server) and put this on a separate IP block.
   To this NIC I will connect the VIP host, which needs the guaranteed
   bandwidth. I will therefore NAT traffic to/from it.
 
 2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
this means that:
(a) They cannot go beyond 128Kbit/s
(b) The VIP box will go above 128K/bit's in case the throttled
LAN is not using all of the 128Kbit/s
 
 I need to control bandwidth on the external interface only, not on the
 LAN (internal interfaces).
 
 Is this rightful thinking or sheer imagination which is not practical?

Seems reasonable.  See below ...

 My problem:
 
 
 Most important is being dumb when it comes to IPFW and hence the pipes
 and all that pertains to it.
 
 Here is my ipfw configuration, in black and white (firewall_type=OPEN)
 
 
 # Outside interface network and netmask and ip
 oif=bfe0
 iif=xl0
 onet=62.8.68.0
 omask=255.255.255.252
 oip=62.8.68.22
 
 # Inside interface network and netmask and ip
 iif=xl0
 inet=10.0.0.0
 imask=255.255.255.0
 iip=10.0.0.2
 
 ipfw pipe 1 config bw 128Kbit/s
 
 # Allow any traffic to or from my own net.
 ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
 ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
 
 # Throttle now
 ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
   ^^

Is this direct cut/paste?  If so, you've got a sticky $ key.

 ${fwcmd} add 65000 pass all from any to any
 
 
 With this configuration, it seems like even LAN-LAN communication is 
 being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
 Can someone tell me why that is happening?
 
 Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
 bandwidth limitation configuration, is it not true that I will have 
 achieved my goal?
 
 I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
 have a static route for the VIP box, with NAT for any connections 
 to/from it.
 
 
 I'll really appreciate any help/advise towards a perfect configuration
 for the firewall, and how I can get this to work.
 
 Thanks in advance.


-- 
Bill Moran
Collaborative Fusion Inc.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Dummynet in an IPFilter setup

[Erik Norgaard]

Odhiambo Washington wrote:


I need to control bandwidth on the external interface only, not on the
LAN (internal interfaces).

Is this rightful thinking or sheer imagination which is not practical?


If you're happy with IPFilter and need to ensure minimum bandwidth for 
some network segment, take a look at packet filter, you can take much of 
your knowledge with you and then set up queues that will ensure the 
minimum bandwidth. And you don't need extra interfaces.


Cheers, Erik

--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Dummynet in an IPFilter setup

[Odhiambo Washington]

* On 20/09/06 11:16 -0400, Bill Moran wrote:
| In response to Odhiambo Washington [EMAIL PROTECTED]:
| 
| [snip]
| 
|  The scenario:
|  
|  I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
|  interfaces at the moment, external interface connected to the hostile
|  Internet and internal interface connected to a switch for the LAN.
|  
|  The ISP gives 256Kbit/s on the external interface. Out of this, I
|  need to dedicate/guarantee 128Kbit/s to just one machine.
|  
|  A streaming server has been introduced on the LAN, and it is considered
|  a VIP host as far as bandwidth allocation is concerned.
|  The problem is that p2p is also officially allowed on the LAN. I hate
|  it but it is allowed. Period. No argument about it.
|  
|  I need to guarantee 128Kbit/s of the available bandwidth to the 
|  streaming host (server, if you can call it).
|  
|  
|  My thinking/plan:
|  
|  1. Add one more NIC to the FreeBSD box (it's also the router, 
|firewall, _everything_ server) and put this on a separate IP block.
|To this NIC I will connect the VIP host, which needs the guaranteed
|bandwidth. I will therefore NAT traffic to/from it.
|  
|  2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
| this means that:
| (a) They cannot go beyond 128Kbit/s
| (b) The VIP box will go above 128K/bit's in case the throttled
| LAN is not using all of the 128Kbit/s
|  
|  I need to control bandwidth on the external interface only, not on the
|  LAN (internal interfaces).
|  
|  Is this rightful thinking or sheer imagination which is not practical?
| 
| Seems reasonable.  See below ...

Thanks, Bill for that verification.


|  My problem:
|  
|  
|  Most important is being dumb when it comes to IPFW and hence the pipes
|  and all that pertains to it.
|  
|  Here is my ipfw configuration, in black and white (firewall_type=OPEN)
|  
|  
|  # Outside interface network and netmask and ip
|  oif=bfe0
|  iif=xl0
|  onet=62.8.68.0
|  omask=255.255.255.252
|  oip=62.8.68.22
|  
|  # Inside interface network and netmask and ip
|  iif=xl0
|  inet=10.0.0.0
|  imask=255.255.255.0
|  iip=10.0.0.2
|  
|  ipfw pipe 1 config bw 128Kbit/s
|  
|  # Allow any traffic to or from my own net.
|  ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
|  ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
|  
|  # Throttle now
|  ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} 
state
|^^
| 
| Is this direct cut/paste? If so, you've got a sticky $ key.

Yes, it was a paste in the process of modifying ;)
Noted with thanks.

| 
|  ${fwcmd} add 65000 pass all from any to any
|  
|  
|  With this configuration, it seems like even LAN-LAN communication is 
|  being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
|  Can someone tell me why that is happening?
|  
|  Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
|  bandwidth limitation configuration, is it not true that I will have 
|  achieved my goal?
|  
|  I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
|  have a static route for the VIP box, with NAT for any connections 
|  to/from it.
|  
|  
|  I'll really appreciate any help/advise towards a perfect configuration
|  for the firewall, and how I can get this to work.
|  
|  Thanks in advance.


Bill, you did not say anything on my problem with intra-LAN traffic. 
Does that mean this configuration is okay, and should not at all affect 
traffic within the LAN?


 

Best regards,
Odhiambo Washington
Systems Admin,
Wananchi Online Ltd.

Are you hosting your domain name with the leaders??: 
See http://webhosting.info/webhosts/tophosts/Country/KE


DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--+-
 Odhiambo WASHINGTON. WANANCHI ONLINE LTD (Nairobi, KE)
 http://www.wananchi.com/email/ . 1ere Etage, Laptrust Plaza, Loita St.,
 Mobile: (+254) 722 743 223 . # 10286, 00100 NAIROBI
--+-
Many are the plans in a man's heart,
but it is the Lord's purpose that prevails.
Proverbs 19:21
 

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Dummynet in an IPFilter setup

[Odhiambo Washington]

* On 20/09/06 17:16 +0200, Erik Norgaard wrote:
| Odhiambo Washington wrote:
| 
| I need to control bandwidth on the external interface only, not on the
| LAN (internal interfaces).
| 
| Is this rightful thinking or sheer imagination which is not practical?
| 
| If you're happy with IPFilter and need to ensure minimum bandwidth for 
| some network segment, take a look at packet filter, you can take much of 
| your knowledge with you and then set up queues that will ensure the 
| minimum bandwidth. And you don't need extra interfaces.

That is the way to go ultimately, but I am still a newbie with PF.
I would not want to transfer my newbie-ness into a customers network ;)
I am happy with IPFilter, yes, but I am gradually shifting to PF, but
I have to graduate before I can put that out there.
At the moment, I just want to solve an immediate problem which has
presented itself.


-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+

A university is what a college becomes when the faculty loses interest
in students.
-- John Ciardi
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Dummynet in an IPFilter setup

[Bill Moran]

In response to Odhiambo Washington [EMAIL PROTECTED]:

 * On 20/09/06 11:16 -0400, Bill Moran wrote:
 | In response to Odhiambo Washington [EMAIL PROTECTED]:
 | 
 | [snip]
 | 
 |  The scenario:
 |  
 |  I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
 |  interfaces at the moment, external interface connected to the hostile
 |  Internet and internal interface connected to a switch for the LAN.
 |  
 |  The ISP gives 256Kbit/s on the external interface. Out of this, I
 |  need to dedicate/guarantee 128Kbit/s to just one machine.
 |  
 |  A streaming server has been introduced on the LAN, and it is considered
 |  a VIP host as far as bandwidth allocation is concerned.
 |  The problem is that p2p is also officially allowed on the LAN. I hate
 |  it but it is allowed. Period. No argument about it.
 |  
 |  I need to guarantee 128Kbit/s of the available bandwidth to the 
 |  streaming host (server, if you can call it).
 |  
 |  
 |  My thinking/plan:
 |  
 |  1. Add one more NIC to the FreeBSD box (it's also the router, 
 |firewall, _everything_ server) and put this on a separate IP block.
 |To this NIC I will connect the VIP host, which needs the guaranteed
 |bandwidth. I will therefore NAT traffic to/from it.
 |  
 |  2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
 | this means that:
 | (a) They cannot go beyond 128Kbit/s
 | (b) The VIP box will go above 128K/bit's in case the throttled
 | LAN is not using all of the 128Kbit/s
 |  
 |  I need to control bandwidth on the external interface only, not on the
 |  LAN (internal interfaces).
 |  
 |  Is this rightful thinking or sheer imagination which is not practical?
 | 
 | Seems reasonable.  See below ...
 
 Thanks, Bill for that verification.
 
 
 |  My problem:
 |  
 |  
 |  Most important is being dumb when it comes to IPFW and hence the pipes
 |  and all that pertains to it.
 |  
 |  Here is my ipfw configuration, in black and white (firewall_type=OPEN)
 |  
 |  
 |  # Outside interface network and netmask and ip
 |  oif=bfe0
 |  iif=xl0
 |  onet=62.8.68.0
 |  omask=255.255.255.252
 |  oip=62.8.68.22
 |  
 |  # Inside interface network and netmask and ip
 |  iif=xl0
 |  inet=10.0.0.0
 |  imask=255.255.255.0
 |  iip=10.0.0.2
 |  
 |  ipfw pipe 1 config bw 128Kbit/s
 |  
 |  # Allow any traffic to or from my own net.
 |  ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
 |  ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
 |  
 |  # Throttle now
 |  ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} 
 state
 |^^
 | 
 | Is this direct cut/paste? If so, you've got a sticky $ key.
 
 Yes, it was a paste in the process of modifying ;)
 Noted with thanks.
 
 | 
 |  ${fwcmd} add 65000 pass all from any to any
 |  
 |  
 |  With this configuration, it seems like even LAN-LAN communication is 
 |  being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
 |  Can someone tell me why that is happening?
 |  
 |  Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
 |  bandwidth limitation configuration, is it not true that I will have 
 |  achieved my goal?
 |  
 |  I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
 |  have a static route for the VIP box, with NAT for any connections 
 |  to/from it.
 |  
 |  
 |  I'll really appreciate any help/advise towards a perfect configuration
 |  for the firewall, and how I can get this to work.
 |  
 |  Thanks in advance.
 
 
 Bill, you did not say anything on my problem with intra-LAN traffic. 
 Does that mean this configuration is okay, and should not at all affect 
 traffic within the LAN?

I assumed that any problems you were seeing were a result of the typo.

Seems to me that the config you propose will do what you want, but I
haven't spent a lot of time thinking about it.

Besides, these kind of configs rarely work perfectly on the first try,
it usually takes a bit of tweaking after you implement them, as a result
of unforseen consequences.  I think you've got a good starting point
and you should just monitor the set up for a while after implementation.

-- 
Bill Moran
Collaborative Fusion Inc.


IMPORTANT: This message contains confidential information and is
intended only for the individual named. If the reader of this
message is not an intended recipient (or the individual
responsible for the delivery of this message to an intended
recipient), please be advised that any re-use, dissemination,
distribution or copying of this message is prohibited. Please
notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure

ipfilter dedicate firewall

[rithy4u- CEO]

Dear all,

I have tried to read some documents online and build my own firewall using 
ipfilter enabled in my kernel. but now I want some idea regarding a coperate, 
dedicate firewall for company upto 250 users something. what should we do to 
get those type of firewall system? how to scale for it? what options and things 
we should consider and config with this firewall server?

Best regards,

Richard Ben, CIO
-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter dedicate firewall

[Christophe Branchereau]

 Dear all,

 I have tried to read some documents online and build my own firewall using
 ipfilter enabled in my kernel. but now I want some idea regarding a
 coperate, dedicate firewall for company upto 250 users something. what
 should we do to get those type of firewall system? how to scale for it?
 what options and things we should consider and config with this firewall
 server?

 Best regards,

 Richard Ben, CIO
 --

Hint: you should consider running a VPN for those who travel and need to
access the (secure) internal network from the (insecure) outside world.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html


Regards

-- 
Christophe

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter dedicate firewall

[jan gestre]

On 9/9/06, rithy4u- CEO [EMAIL PROTECTED] wrote:


Dear all,

I have tried to read some documents online and build my own firewall using
ipfilter enabled in my kernel. but now I want some idea regarding a
coperate, dedicate firewall for company upto 250 users something. what
should we do to get those type of firewall system? how to scale for it? what
options and things we should consider and config with this firewall server?

you may want to try a dedicated firewall system like pfsense and monowall,

they're based on FreeBSD, i for one use monowall.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[Giorgos Keramidas]

On 2006-08-26 20:31, J.D. Bronson [EMAIL PROTECTED] wrote:
 At 07:59 PM 8/26/2006, you wrote:
 I'd go for the simpler syntax of:
 
 MYADDR:
  ! /sbin/ipf -y
 
 well that didnt work either. what a pain. :(
 
 tun0: Warning: /etc/ppp/ppp.linkup: ! /sbin/ipf -y: Invalid command
 
 perhaps its time to write a script and simply reference the script 
 from ppp.linkup

This is indeed, a good idea :)

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

ipfilter on 6.1

[J.D. Bronson]

I got a full load of 6.1p4 installed and all built. I have pppoe and 
ipfilter running almost perfect.


Clients can use the machine (as a router) and get out perfectly!
No issues with network performance at all. I am very pleased...until...

I found out that the router itself cant get out 100%.

My ipconfig is basically this:

bge0 - 10.43.82.174
alias 10.43.82.171 - for bind9 views
alias 10.43.82.51 - for bind9 views

bge1 - connected to dsl modem

well I cant even telnet from the machine to itself!
'destination unreachable'

DNS requests from the server itself (to itself - it runs bind) are 
unanswered yet it is able to fully answer requests from internal or 
external clients...just not itself!


If I use a public DNS server -or- use the IP of the machine I want to 
connect up to, the router is able to get out and uses the correct IP.


I used the same configs from solaris on here (ipf.conf and ipnat.conf)
and only needed to change sppp0 to tun0.

this should take care of anything the machine itself needs:

ipf.conf==
# Pass LAN traffic to/from bge0
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags

==

I am totally baffled. Its like I am being blocked somehow but even 
with ipfilter WIDE open - traffic still wont pass.


I am wondering if this is some quirk with the interface 
aliases...although running the basic same setup on solaris - it works 
perfectly.



-JD

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[Giorgos Keramidas]

On 2006-08-26 15:02, J.D. Bronson [EMAIL PROTECTED] wrote:
 I got a full load of 6.1p4 installed and all built. I have
 pppoe and ipfilter running almost perfect.

 Clients can use the machine (as a router) and get out
 perfectly!  No issues with network performance at all. I am
 very pleased...until...

 I found out that the router itself cant get out 100%.

 My ipconfig is basically this:

 bge0 - 10.43.82.174 alias 10.43.82.171 - for bind9 views alias
 10.43.82.51 - for bind9 views

 bge1 - connected to dsl modem

 well I cant even telnet from the machine to itself!
 'destination unreachable'

 DNS requests from the server itself (to itself - it runs bind)
 are unanswered yet it is able to fully answer requests from
 internal or external clients...just not itself!

 If I use a public DNS server -or- use the IP of the machine I
 want to connect up to, the router is able to get out and uses
 the correct IP.

 I used the same configs from solaris on here (ipf.conf and
 ipnat.conf) and only needed to change sppp0 to tun0.

 this should take care of anything the machine itself needs:

 ipf.conf==
 # Pass LAN traffic to/from bge0
 pass in quick on bge0 all keep state keep frags
 pass out quick on bge0 all keep state keep frags

 # Pass traffic to WAN and keep state
 pass out quick on tun0 proto tcp all flags S keep state keep frags
 pass out quick on tun0 proto udp all keep state keep frags
 pass out quick on tun0 proto icmp all keep state keep frags
 ==

 I am totally baffled. Its like I am being blocked somehow but
 even with ipfilter WIDE open - traffic still wont pass.

 I am wondering if this is some quirk with the interface
 aliases...although running the basic same setup on solaris
 - it works perfectly.

Don't show us the ipf.conf file you are using, but the output of:

% ipfstat -hni
% ipfstat -hno

Then we can really know what rules you have loaded in IP Filter.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[J.D. Bronson]

At 03:40 PM 8/26/2006, Giorgos Keramidas wrote:


Don't show us the ipf.conf file you are using, but the output of:

% ipfstat -hni
% ipfstat -hno

Then we can really know what rules you have loaded in IP Filter.



# ipfstat -hni
2 @1 pass in quick on bge0 all keep state keep frags

# ipfstat -hno
1 @1 pass out quick on bge0 all keep state keep frags
1 @2 pass out quick on tun0 proto tcp from any to any flags S/FSRPAU 
keep state keep frags

1 @3 pass out quick on tun0 proto udp from any to any keep state keep frags
0 @4 pass out quick on sppp0 proto icmp from any to any keep state keep frags


...they seem to match exactly.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[J.D. Bronson]

At 04:05 PM 8/26/2006, J.D. Bronson wrote:


# ipfstat -hni
2 @1 pass in quick on bge0 all keep state keep frags

# ipfstat -hno
1 @1 pass out quick on bge0 all keep state keep frags
1 @2 pass out quick on tun0 proto tcp from any to any flags S/FSRPAU 
keep state keep frags

1 @3 pass out quick on tun0 proto udp from any to any keep state keep frags
0 @4 pass out quick on sppp0 proto icmp from any to any keep state keep frags


...they seem to match exactly.



ahh..so  I saw a typo aboveso I changed that from 'sppp0' to 
'tun0' but it make no differenceI thought I was onto something.


-JD 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[Giorgos Keramidas]

On 2006-08-26 16:05, J.D. Bronson [EMAIL PROTECTED] wrote:
 At 03:40 PM 8/26/2006, Giorgos Keramidas wrote:
 
 Don't show us the ipf.conf file you are using, but the output of:
 
 % ipfstat -hni
 % ipfstat -hno
 
 Then we can really know what rules you have loaded in IP Filter.
 
 
 # ipfstat -hni
 2 @1 pass in quick on bge0 all keep state keep frags
 
 # ipfstat -hno
 1 @1 pass out quick on bge0 all keep state keep frags
 1 @2 pass out quick on tun0 proto tcp from any to any flags S/FSRPAU 
 keep state keep frags
 1 @3 pass out quick on tun0 proto udp from any to any keep state keep frags
 0 @4 pass out quick on sppp0 proto icmp from any to any keep state keep 
 frags
 
 ...they seem to match exactly.

Weird.  This doesn't seem ot include *ANY* block rules at all.

Is this a standard 6.1 installation, or do you have local IP Filter
modifications (like, for instance, a modified 'default' rule which
blocks everything, instead of allowing everything)?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[J.D. Bronson]

At 05:07 PM 8/26/2006, Giorgos Keramidas wrote:

Weird.  This doesn't seem ot include *ANY* block rules at all.

Is this a standard 6.1 installation, or do you have local IP Filter
modifications (like, for instance, a modified 'default' rule which
blocks everything, instead of allowing everything)?


Yes and no.

I did build a kernel with BLOCK as a default...
but my IPF rules are pass it all with no specific blocking...

My next step was to try a kernel without the block, but I cant see 
how that should matter...since I 'am' allowing it out...?


-JD 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[Giorgos Keramidas]

On 2006-08-26 17:10, J.D. Bronson [EMAIL PROTECTED] wrote:
 At 05:07 PM 8/26/2006, Giorgos Keramidas wrote:
 Weird.  This doesn't seem ot include *ANY* block rules at all.
 
 Is this a standard 6.1 installation, or do you have local IP Filter
 modifications (like, for instance, a modified 'default' rule which
 blocks everything, instead of allowing everything)?
 
 Yes and no.
 
 I did build a kernel with BLOCK as a default...
 but my IPF rules are pass it all with no specific blocking...

Well, there's your problem then.  If you are using a modified kernel
with block as the default action for IP Filter, hten you have to
*EXPLICITLY* allow traffic to travese the loopback interface, which you
haven't done.

Your current ipf.conf includes:

# Pass LAN traffic to/from bge0
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags

Try reverting the local IP Filter changes that modify the default policy
to block and use something like this instead:

+   # Block everything by default.
+   block in log from any to any
+   block out log from any to any
+   
+   # Allow everything on lo0.
+   pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
+   pass out quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32

# Pass LAN traffic on bge0 interface.
pass in  quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass outgoing traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags

Please pay particular attention to the rules marked with '+' above.

This may explain why in a previous post you wrote:

On 2006-08-26 15:02, J.D. Bronson [EMAIL PROTECTED] wrote:
 Clients can use the machine (as a router) and get out perfectly!
 No issues with network performance at all. I am very pleased...until...

 I found out that the router itself cant get out 100%.

 My ipconfig is basically this:

 bge0 - 10.43.82.174
 alias 10.43.82.171 - for bind9 views
 alias 10.43.82.51 - for bind9 views

 bge1 - connected to dsl modem

 well I cant even telnet from the machine to itself!
 'destination unreachable'

 DNS requests from the server itself (to itself - it runs bind) are
 unanswered yet it is able to fully answer requests from internal or
 external clients...just not itself!

 If I use a public DNS server -or- use the IP of the machine I want to
 connect up to, the router is able to get out and uses the correct IP.

You are implicitly blocking all traffic on the lo0 interface (by the
modified default policy to block all traffic, and missing an explicit
rule to allow lo0 traffic).

When a system tries to connect to itself, it uses lo0/127.0.0.1 and this
is not possible with your setup.

I hope this helps a bit,

-- Giorgos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[J.D. Bronson]

At 05:19 PM 8/26/2006, Giorgos Keramidas wrote:


You are implicitly blocking all traffic on the lo0 interface (by the
modified default policy to block all traffic, and missing an explicit
rule to allow lo0 traffic).

When a system tries to connect to itself, it uses lo0/127.0.0.1 and this
is not possible with your setup.

I hope this helps a bit,

-- Giorgos



Oh geezI cant believe I forgot lo0. HOW STUPID.
I will edit this and take another look at it.

once I have this working..I still want to figure out why pf was not happy.

Thanks for pointing this out guys...I feel foolish, but glad someone told me.

-JD


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[Duane Hill]

On Saturday, August 26, 2006 at 8:02:10 PM, J.D. confabulated:

 I got a full load of 6.1p4 installed and all built. I have pppoe and 
 ipfilter running almost perfect.

 Clients can use the machine (as a router) and get out perfectly!
 No issues with network performance at all. I am very pleased...until...

 I found out that the router itself cant get out 100%.

 My ipconfig is basically this:

 bge0 - 10.43.82.174
 alias 10.43.82.171 - for bind9 views
 alias 10.43.82.51 - for bind9 views

 bge1 - connected to dsl modem

 well I cant even telnet from the machine to itself!
 'destination unreachable'

 DNS requests from the server itself (to itself - it runs bind) are 
 unanswered yet it is able to fully answer requests from internal or 
 external clients...just not itself!

 If I use a public DNS server -or- use the IP of the machine I want to 
 connect up to, the router is able to get out and uses the correct IP.

 I used the same configs from solaris on here (ipf.conf and ipnat.conf)
 and only needed to change sppp0 to tun0.

 this should take care of anything the machine itself needs:

 ipf.conf==
 # Pass LAN traffic to/from bge0
 pass in quick on bge0 all keep state keep frags
 pass out quick on bge0 all keep state keep frags

 # Pass traffic to WAN and keep state
 pass out quick on tun0 proto tcp all flags S keep state keep frags
 pass out quick on tun0 proto udp all keep state keep frags
 pass out quick on tun0 proto icmp all keep state keep frags

 ==

 I am totally baffled. Its like I am being blocked somehow but even 
 with ipfilter WIDE open - traffic still wont pass.

 I am wondering if this is some quirk with the interface 
 aliases...although running the basic same setup on solaris - it works 
 perfectly.

Did you build the kernel with the 'IPFILTER_DEFAULT_BLOCK'? If so, you
would have to have two allowances at the end for anything else that
didn't match the other rules:

pass in all
pass out all

Being you are using 'quick', the processing stops when a match is
found. If no match is found and you have IPFILTER_DEFAULT_BLOCK
enabled, everything else would be blocked.

I made this mistake when I set IPFilter up the first time and it was
in a colo facility over 800 miles away.

-- 
This message was sent using 100% recycled electrons.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[Giorgos Keramidas]

On 2006-08-26 17:48, J.D. Bronson [EMAIL PROTECTED] wrote:
At 05:19 PM 8/26/2006, Giorgos Keramidas wrote:
 You are implicitly blocking all traffic on the lo0 interface (by the
 modified default policy to block all traffic, and missing an
 explicit rule to allow lo0 traffic).

 When a system tries to connect to itself, it uses lo0/127.0.0.1 and
 this is not possible with your setup.

 I hope this helps a bit,

 Oh geezI cant believe I forgot lo0. HOW STUPID.
 I will edit this and take another look at it.

Cool!  If this is indeed the fix, let us know :)

If you also feel like it and you are not limited by contract or
other things, I'd be interested to see how you modified IP Filter
to make it use a block by default policy.

Regards,
Giorgos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[J.D. Bronson]

At 06:37 PM 8/26/2006, Giorgos Keramidas wrote:

Cool!  If this is indeed the fix, let us know :)

If you also feel like it and you are not limited by contract or
other things, I'd be interested to see how you modified IP Filter
to make it use a block by default policy.

Regards,
Giorgos


This fixed it. WHEW!

Simply adding this to my own kernel:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK



then:

# ipf -V

ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
Feature mask: 0xa


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[Giorgos Keramidas]

On 2006-08-26 18:52, J.D. Bronson [EMAIL PROTECTED] wrote:
 At 06:37 PM 8/26/2006, Giorgos Keramidas wrote:
 Cool!  If this is indeed the fix, let us know :)
 
 If you also feel like it and you are not limited by contract or
 other things, I'd be interested to see how you modified IP Filter
 to make it use a block by default policy.
 
 Regards,
 Giorgos
 
 This fixed it. WHEW!

Great :)

 Simply adding this to my own kernel:
 
 options IPFILTER
 options IPFILTER_LOG
 options IPFILTER_DEFAULT_BLOCK

Ok this was what I wanted to make sure :)

 then:
 
 # ipf -V
 
 ipf: IP Filter: v4.1.8 (416)
 Kernel: IP Filter: v4.1.8
 Running: yes
 Log Flags: 0 = none set
 Default: block all, Logging: available
 Active list: 0
 Feature mask: 0xa

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[J.D. Bronson]

Ok guys...now that I have ipfilter working...I need to run a few 
commands in /etc/ppp/ppp;linkup and cant figure out the syntax...



% cat /etc/ppp/ppp.linkup

# It is no longer necessary to re-add the default route here as our
MYADDR:

! sh -c /sbin/ipnat -CF -f /etc/ipnat.conf
! sh -c /sbin/ipf -F -f /etc/ipf.conf
! sh -c /sbin/ipf -Fa -f /etc/ipf.conf
! sh -c /sbin/ipf -y

...I also tried with !bg and that failed to.
whats the best way to get these commands to run once my ppp link is up?

thanks-

-JD

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[Giorgos Keramidas]

On 2006-08-26 19:46, J.D. Bronson [EMAIL PROTECTED] wrote:
 Ok guys...now that I have ipfilter working...I need to run a few
 commands in /etc/ppp/ppp;linkup and cant figure out the syntax...

 % cat /etc/ppp/ppp.linkup

 # It is no longer necessary to re-add the default route here as our
 MYADDR:

 ! sh -c /sbin/ipnat -CF -f /etc/ipnat.conf
 ! sh -c /sbin/ipf -F -f /etc/ipf.conf
 ! sh -c /sbin/ipf -Fa -f /etc/ipf.conf
 ! sh -c /sbin/ipf -y

Watch out for that empty line, if it is *REALLY* part of your
`ppp.linkup' script.  Empty lines are section delimiters in ppp(8)
config files.

Thereis also no reason to run ipf _twice_!

Please also note that I don't use sh -c to signal ntpd to start/stop
from my ppp.linkup script and it all works fine:

[EMAIL PROTECTED]:/root# cat -n /etc/ppp/ppp.linkup
 1  MYADDR:
 2   ! /etc/rc.d/ntpd start
[EMAIL PROTECTED]:/root#

Maybe the whole sh -c and quoting stuff you are using is not really
passed down to sh(1) but is parsed by ppp(8) when `ppp.linkup' is read?

I am also not sure if it is a good idea to run ``ipnat -CF'' of
``ipf -Fa''.  What about states of existing connections?  If you
momentarily lose the PPP connection, but it then comes up pretty fast,
you are effectively dropping all previous connection information here,
even though it may still be valid and useful.

I'd go for the simpler syntax of:

MYADDR:
 ! /sbin/ipf -y

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter on 6.1

[J.D. Bronson]

At 07:59 PM 8/26/2006, you wrote:


I'd go for the simpler syntax of:

MYADDR:
 ! /sbin/ipf -y


well that didnt work either. what a pain. :(

tun0: Warning: /etc/ppp/ppp.linkup: ! /sbin/ipf -y: Invalid command


perhaps its time to write a script and simply reference the script 
from ppp.linkup


-JD 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Ipfilter 4.1.13 and freebsd 6.1

[Nicholas von Waltsleben]

I am currently running a couple of 6.1 and 5.4 servers as firewall /
routers for my company.  I am experiencing some problems on the 6.1
server with ipfilter where it blocks oow (out of window) packets.  I
have tried to update to the latest version of ipfilter but was unable to
compile my kernel after running the kupgrade script in the ipf source
folder.  Does anyone have any hacks / patches that they have used to get
ipfilter version 4.1.13 running on FreeBSD 6.1-Release?
 
Regards,
Nicholas
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

RE: Ipfilter 4.1.13 and freebsd 6.1

[fbsd]

I run 6.1 with ipfilter and LAN full of window boxes  NO PROBLEM.

You need to provide a much greater level of details before making
such unfounded statements as ipfilter is broken.

Your rule set is most likely incorrect.

Post description of your firewall/LAN setup along with your complete
rule set for review by list.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nicholas
von
Waltsleben
Sent: Thursday, June 08, 2006 3:16 AM
To: freebsd-questions@freebsd.org
Subject: Ipfilter 4.1.13 and freebsd 6.1


I am currently running a couple of 6.1 and 5.4 servers as firewall /
routers for my company.  I am experiencing some problems on the 6.1
server with ipfilter where it blocks oow (out of window) packets.  I
have tried to update to the latest version of ipfilter but was
unable to
compile my kernel after running the kupgrade script in the ipf
source
folder.  Does anyone have any hacks / patches that they have used to
get
ipfilter version 4.1.13 running on FreeBSD 6.1-Release?

Regards,
Nicholas
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

RE: Ipfilter 4.1.13 and freebsd 6.1

[Nicholas von Waltsleben]

 
 Nicholas wrote:
 
 I am currently running a couple of 6.1 and 5.4 servers as firewall /
 routers for my company.  I am experiencing some problems on the 6.1
 server with ipfilter where it blocks oow (out of window) packets.  I
 have tried to update to the latest version of ipfilter but was
 unable to
 compile my kernel after running the kupgrade script in the ipf
 source
 folder.  Does anyone have any hacks / patches that they have used to
 get
 ipfilter version 4.1.13 running on FreeBSD 6.1-Release?

 Regards,
 Nicholas

 Fbsd wrote:

 
 I run 6.1 with ipfilter and LAN full of window boxes  NO PROBLEM.
 
 You need to provide a much greater level of details before making
 such unfounded statements as ipfilter is broken.

I never said that ipfilter was in any way broken, just that I was
experiencing problems running it since moving to a 6.1 server.  My
apologies for not making myself clearer.

 Your rule set is most likely incorrect.
 
 Post description of your firewall/LAN setup along with your complete
 rule set for review by list.

Very well, here is some more information but I am not about to post my
entire ruleset on a publicly searchable mailing list

Extract from ipfstat -ni

@2 block in quick on em0 all head 1
...
@9 pass in quick on em0 proto tcp from 196.31.10.14/32 to any port =
http flags S/FSRPAU keep state group 1 
...
@19 block in log quick on em0 all group 1

Ipmon output

08/06/2006 14:23:01.652653 STATE:NEW 165.165.192.80,53269 -
196.7.156.157,80 PR tcp
...
08/06/2006 14:23:31.221693 em0 @1:20 b 165.165.192.80,53269 -
196.7.156.157,80 PR tcp len 20 64 -S IN OOW
08/06/2006 14:23:31.674548 STATE:NEW 165.165.192.80,50949 -
196.7.156.157,80 PR tcp
08/06/2006 14:23:32.915562 STATE:NEW 165.165.192.80,53465 -
196.7.156.157,80 PR tcp
08/06/2006 14:23:34.219658 em0 @1:20 b 165.165.192.80,53269 -
196.7.156.157,80 PR tcp len 20 64 -S IN OOW

The 165.x.x.x IP address is from an ADSL line I was using to
troubleshoot the problem (I was the only person using the line so it
made tcpdumps etc easier to read, less noise).

In our environment the problem was easily resolved by disabling SACKS on
the Windows 2003 servers behind my firewall (something I have just
finished testing).  But I would still like someone to please point me in
the right direction insofar as updating IPFilter to 4.1.13 under FreeBSD
6.1 as this solution is not to my liking.

Regards,
Nicholas




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

installing ports behind IPFILTER

[Brett Wiggins]

Hi everyone,
I am having some problems installing ports when I have 

IPFILTER running. I have put FTP_PASSIVE_MODE=YES in /etc/make.conf

but the command 'make all install clean' yields;

===  Vulnerability check disabled, database not found
= jce-aba-1.1.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
= Attempting to fetch from 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/znerd/.
fetch: 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/znerd/jce-aba-1.1.tar.gz:
 Network is unreachable
*** Error code 1

This happens when I try to install ports or pakages. I have also tried

to install with tcp/ip ports 20,21 and 22 open but to no avail.

Could you please CC me if you can help, am not on the list due to

this mailbox being from a University. My IPFILTER is set to block by

default in my kernel, and I am running 6.1 RELEASE

Thanks,

Brett.

-- 
If you are new to UNIX, you may be used to clicking something and seeing 
either an OK message, an error, nothing, or (all too often) a pretty blue 
screen with nifty high-tech letters explaining exactly where the system 
crashed - Michael Lucas 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: installing ports behind IPFILTER

[Duane Whitty]

Brett Wiggins wrote:

Hi everyone,
I am having some problems installing ports when I have 


IPFILTER running. I have put FTP_PASSIVE_MODE=YES in /etc/make.conf
  

Try putting it in /etc/login.conf

/etc #grep PASSIVE *
login.conf: :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\

[snip]

Hope this helps


Duane Whitty
--
[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: installing ports behind IPFILTER

[Mikhail Goriachev]

Brett Wiggins wrote:
 Hi everyone,
 I am having some problems installing ports when I have 
 
 IPFILTER running. I have put FTP_PASSIVE_MODE=YES in /etc/make.conf
 
 but the command 'make all install clean' yields;
 
 ===  Vulnerability check disabled, database not found
 = jce-aba-1.1.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
 = Attempting to fetch from 
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/znerd/.
 fetch: 
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/znerd/jce-aba-1.1.tar.gz:
  Network is unreachable
 *** Error code 1
 
 This happens when I try to install ports or pakages. I have also tried
 
 to install with tcp/ip ports 20,21 and 22 open but to no avail.
 
 Could you please CC me if you can help, am not on the list due to
 
 this mailbox being from a University. My IPFILTER is set to block by
 
 default in my kernel, and I am running 6.1 RELEASE



G'day,

Probably this is what you're after:

# Allow out gateway  LAN users non-secure FTP ( both passive  active
modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state

That one is from:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html


Cheers,
Mikhail.



-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: http://www.webanoide.org

PGP Key ID: 0x4E148A3B
PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

ipfilter rule will not load

[Aaron Siegel]

Hello
I cannot get ipfilter to load any rules. When I type in the iptest command I 
receive the following output:
[EMAIL PROTECTED]# ipftest
no rules loaded

I used the example found in the /usr/share/examples directory I am unable to 
load the firewall. I have tried to load the file though

# ipf -Fa -f /etc/ipf.rules

I have posted my configuration bellow

Thank you
Aaron




Kernel
#IPFILTER
options IPFILTER
options IPFILTER_LOG
#optionsIPFILTER_DEFAULT_BLOCK

/etc/rc.conf
ipfilter_enable=YES
ipfilter_rules=/etc/ipf.rules
ipmon_enable=YES
ipmon_flags=-Dsn
ipnat_enable=YES
ipnat_rules=/etc/ipnat.rules


/etc/syslog.conf
security.*  /var/log/ipfilter.log
security.info   /var/log/firewall.info
security.notice /var/log/firewall.notice
security.warning/var/log/firewall.warning
security.err/var/log/firewall.err
 
/etc/ipf.rules (small excerpt)# Allow in standard www function because I have 
apache server
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
pass in quick on dc0 proto udp from any to any port = 80 keep state

# Allow access to the zope server 8080
pass in quick on dc0 proto tcp from any to any port = 8080 flags S keep state
pass in quick on dc0 proto udp from any to any port = 8080 keep state

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state
#pass in quick on dc0 porto udp from any to any port = 23 keep state


# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
pass in quick on dc0 proto udp from any to any port = 22 keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a .denial of service. attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on dc0 all

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter rule will not load

[Ron Wilhoite]

On 4/25/2006 1:19 PM, Aaron Siegel wrote:

Hello
I cannot get ipfilter to load any rules. When I type in the iptest command I 
receive the following output:

[EMAIL PROTECTED]# ipftest
no rules loaded



man ipftest says:

At least one of -N, -P or -r must be specified.

Sounds like you want:

# ipftest -r /etc/ipf.rules

Ron Wilhoite
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

re: Re: problem with ipfilter(ipnat)

[Arnold Lee]

Nikos, thank you. I  appended  mssclamp 1440  in ipf.rule, it works 
now!   And I have tried not use it but add set link mtu 1440 in mpd.conf, and 
failed. Yes, the problem occurs when NATing, and mssclamp 1440 is the key.
 
fbsd,  thank you anyway.
   
  Arnold Lee 
  2006 -04-14




-
How low will we go? Check out Yahoo! Messenger’s low  PC-to-Phone call rates.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

problem with ipfilter(ipnat)

[Arnold Lee]

  I am in a small lan and want to use fb 6.0 as a router to share internet 
access. I use mpd 3.18 to dial adsl on demand. I configured ipnat with :
   map rl0 10.0.0.0/8 - 0.0.0.0/32 portmap tcp/udp auto
 map rl0 10.0.0.0/8 - 0.0.0.0/32
And then I use my client compute(windows 2000 Pro) to access internet, it seems 
ok, but soon I realize that there are some websites I can not access! For 
example, www.chinaunix.net is unacessable! So are some ftp sites such as 
ftp.freebsd.org. It must be a problem of the FB6 box, because if i access 
internet directly from the win2000 box, all those sites above is ok ! what is 
wrong? By the way, I donot use ipfirewall and other firewall, and in rc.conf, I 
wrote ipfilter_enable = NO, ipnat_enable= YES. Can you help me?


-
无限容量雅虎相册，原图等大下载，超快速度，赶快抢注！ 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

RE: problem with ipfilter(ipnat)

[fbsd]

There is nothing wrong with FreeBSD 6.0
It's the way you activated ipf that is wrong.
Ipfilter's ipnat function is not an independent function.
You have to code this in rc.conf
ipfilter_enable = YES
ipnat_enable = YES

and make sure there is no default ipf.rules file

Then ipf will use its default pass all rule which results in the
ipnat function working with a firewall rule of pass all

Also your nat rules are incorrect.
The special alias 0.0.0.0/32 should be 0/32

The FreeBSD handbook has a good section on ipfilter.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Arnold Lee
Sent: Wednesday, April 12, 2006 4:34 AM
To: freebsd-questions@freebsd.org
Subject: problem with ipfilter(ipnat)


  I am in a small lan and want to use fb 6.0 as a router to share
internet access. I use mpd 3.18 to dial adsl on demand. I configured
ipnat with :
   map rl0 10.0.0.0/8 - 0.0.0.0/32 portmap tcp/udp auto
 map rl0 10.0.0.0/8 - 0.0.0.0/32
And then I use my client compute(windows 2000 Pro) to access
internet, it seems ok, but soon I realize that there are some
websites I can not access! For example, www.chinaunix.net is
unacessable! So are some ftp sites such as ftp.freebsd.org. It must
be a problem of the FB6 box, because if i access internet directly
from the win2000 box, all those sites above is ok ! what is wrong?
By the way, I donot use ipfirewall and other firewall, and in
rc.conf, I wrote ipfilter_enable = NO, ipnat_enable= YES. Can you
help me?


-
无限容量雅虎相册，原图等大下载，超快速度，赶快抢注！
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: problem with ipfilter(ipnat)

[Nikos Vassiliadis]

On Wednesday 12 April 2006 11:34, Arnold Lee wrote:
   I am in a small lan and want to use fb 6.0 as a router to share internet
 access. I use mpd 3.18 to dial adsl on demand. I configured ipnat with :
 map rl0 10.0.0.0/8 - 0.0.0.0/32 portmap tcp/udp auto
  map rl0 10.0.0.0/8 - 0.0.0.0/32
 And then I use my client compute(windows 2000 Pro) to access internet, it
 seems ok, but soon I realize that there are some websites I can not access!
 For example, www.chinaunix.net is unacessable! So are some ftp sites such
 as ftp.freebsd.org. It must be a problem of the FB6 box, because if i
 access internet directly from the win2000 box, all those sites above is ok
 ! what is wrong? By the way, I donot use ipfirewall and other firewall, and
 in rc.conf, I wrote ipfilter_enable = NO, ipnat_enable= YES. Can you help
 me?

I can try. It might be a PMTU problem. A quick way testing PMTU
related problems is setting a small (below 1400) MTU on your nic.
If you have another Unix-like OS on your lan(besides your router)
you can try a smaller MTU like this ifconfig nic mtu 1000 and see
what's going on. If you don't have another Unix-like OS, go to step 2
(Windows can also change MTU size but the procedure is not that
simple, google for it if you want it).

2) I recall that I have seen something relative in ipf. It's here:
http://www.netbsd.org/Documentation/network/pppoe/#clamping
a quick search in man 5 ipf.conf for clamp returned no results, but
that's the case for NetBSD man aswell. I guess it is not documented in
the manual. Try it.

there is also ng_tcpmss(4), which does the job and is what I have used
in the past with success

there are other sollutions too(an mpd option, is it working? a daemon
(tcpmssd)) but I am not familar with...

HTH



 -
 无限容量雅虎相册，原图等大下载，超快速度，赶快抢注！
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 [EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

RE: FBSD 6.0 ipfilter nat redirect not working.

[fbsd_user]

 in quick on rl0 proto tcp/udp from any to any port = 139
block in quick on rl0 proto tcp/udp from any to any port = 81

# Block all ftp attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 21

# Block all SSH attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 22

# Block all telnet attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 23

# Block all www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 80

# Block all secure www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 443 

# Block all smtp email server attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 25 

# block range of Trojan udp ports 1021 thru 1039 
# so count will show in daily cron rpt
block in quick on rl0 proto udp from any to any port 1020  1040

# block Trojan scan port
block in quick on rl0 proto tcp from any port = 6000 to any 

# Allow traffic in from ISP's DHCP server. 
pass in quick on rl0 proto udp from xx.173.0.1 port = 67 to any keep state
pass in quick on rl0 proto udp from xx.39.64.1 port = 67 to any keep state

# Allow traffic in from ISP's DNS server. 
pass in quick on rl0 proto udp from xx.168.240.5 port = 53 to any keep state
pass in quick on rl0 proto udp from xx.168.240.2 port = 53 to any keep state

# Allow in testing www function because I have apache server on lan
pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep 
state
pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80  flags S 
keep state

# Block all upd traffic
block in log quick on rl0 proto udp all
#block in quick on rl0 proto udp all

# Block and log only first occurrence of all remaining traffic 
# coming into the firewall. 
# This rule enforces the block all by default logic. 
#block in quick on rl0 all
block in log quick on rl0 all

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Erik Norgaard
Sent: Wednesday, March 29, 2006 2:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ORG
Subject: Re: FBSD 6.0 ipfilter nat redirect not working.


fbsd_user wrote:

 # /root ipnat -l
 List of active MAP/Redirect filters:
 map rl0 10.0.10.0/29 - 0.0.0.0/32 proxy port ftp ftp/tcp
 map rl0 0.0.0.0/0 - 0.0.0.0/32 proxy port ftp ftp/tcp
 map rl0 10.0.10.0/29 - 0.0.0.0/32
 rdr rl0 0.0.0.0/0 port 6188 - 10.0.10.4 port 80 tcp
 
 List of active sessions:
 RDR 10.0.10.4   80- - 79.69.59.49 6188  [65.45.227.95
 2698]
 MAP 10.0.10.6   1857  - - 79.69.59.49 1857
 [216.155.193.144 5050]
 
 Nothing happens. No ipf.log records on gateway box and
 no ipf.log records on the LAN web server box.
 There is firewall rule to log  pass from any to 10.0.10.4 port = 80
 keep state
 And any packet that does not match a firewall rule get logged and
 dropped.

Please post your filter ruleset also.

Erik
-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FBSD 6.0 ipfilter nat redirect not working.

[Erik Norgaard]

 connections out from your LAN 
will then not be evaluated against this rule when response packets come back.



# Block a bunch of different nasty things. 
# That I don't want to see in the log 


# Block frags
#block in log quick on rl0 all with frags
block in quick on rl0 all with frags

# Block short tcp packets
#block in log quick on rl0 proto tcp all with short
block in quick on rl0 proto tcp all with short

# block source routed packets
#block in log quick on rl0 all with opt lsrr
#block in log quick on rl0 all with opt ssrr
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr


# Block nmap OS fingerprint attempts
block in quick on rl0 proto tcp from any to any flags FUP

# Block anything with special options
#block in log quick on rl0 all with ipopts 
block in quick on rl0 all with ipopts


# Block public pings 
block in quick on rl0 proto icmp all icmp-type 8


# Block ident
block in quick on rl0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session 
# Netbios is MS/Windows sharing services.

# Block MS/Windows hosts2 name server requests 81
block in quick on rl0 proto tcp/udp from any to any port = 137
block in quick on rl0 proto tcp/udp from any to any port = 138
block in quick on rl0 proto tcp/udp from any to any port = 139
block in quick on rl0 proto tcp/udp from any to any port = 81

# Block all ftp attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 21

# Block all SSH attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 22

# Block all telnet attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 23

# Block all www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 80


Here you go! You have the nat rule

  rdr rl0 0.0.0.0/0 port 6188 - 10.0.10.4 port 80 tcp

for rdr, this takes place on the incoming interface before the packet 
traverses the in-rules for that interface. So the packets on rl0 you 
redirect to port 80 are blocked here.



# Block all secure www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 443 


# Block all smtp email server attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 25 

# block range of Trojan udp ports 1021 thru 1039 
# so count will show in daily cron rpt

block in quick on rl0 proto udp from any to any port 1020  1040

# block Trojan scan port
block in quick on rl0 proto tcp from any port = 6000 to any 

# Allow traffic in from ISP's DHCP server. 
pass in quick on rl0 proto udp from xx.173.0.1 port = 67 to any keep state

pass in quick on rl0 proto udp from xx.39.64.1 port = 67 to any keep state

# Allow traffic in from ISP's DNS server. 
pass in quick on rl0 proto udp from xx.168.240.5 port = 53 to any keep state

pass in quick on rl0 proto udp from xx.168.240.2 port = 53 to any keep state

# Allow in testing www function because I have apache server on lan
pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep 
state
pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80  flags S 
keep state


These two rules never apply, the rdr takes place as mentioned before 
filtering, so the first won't ever match, and the second is blocked above.


Remember with nat: if rules applies on the way in, the are applied 
_before_ the packet is filtered. If rules applies on the way out, they are 
applied _after_ the packet is filtered.


And this is great, because when you write the filter rules, you can simply 
think of all your ip's being routeable.


Cheers, Erik

# Block all upd traffic
block in log quick on rl0 proto udp all
#block in quick on rl0 proto udp all

# Block and log only first occurrence of all remaining traffic 
# coming into the firewall. 
# This rule enforces the block all by default logic. 
#block in quick on rl0 all

block in log quick on rl0 all

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Erik Norgaard
Sent: Wednesday, March 29, 2006 2:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ORG
Subject: Re: FBSD 6.0 ipfilter nat redirect not working.


fbsd_user wrote:


# /root ipnat -l
List of active MAP/Redirect filters:
map rl0 10.0.10.0/29 - 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 0.0.0.0/0 - 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 10.0.10.0/29 - 0.0.0.0/32
rdr rl0 0.0.0.0/0 port 6188 - 10.0.10.4 port 80 tcp

List of active sessions:
RDR 10.0.10.4   80- - 79.69.59.49 6188  [65.45.227.95
2698]
MAP 10.0.10.6   1857  - - 79.69.59.49 1857
[216.155.193.144 5050]

Nothing happens. No ipf.log records on gateway box and
no ipf.log records on the LAN web server box.
There is firewall rule to log  pass from any to 10.0.10.4 port = 80
keep state

Re: FBSD 6.0 ipfilter nat redirect not working.

[Donald J. O'Neill]

Just a quick question. How are you connecting to the Internet, by that I 
mean are you using aDSL? If you are, I can help you.

Don
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

FBSD 6.0 ipfilter nat redirect not working.

[fbsd_user]

Been running ipfilter long time.
Now with FBSD 6.0 having no joy at getting
redirect to web server on LAN to work.
This is first time trying this.

rl0 is NIC facing the public internet.
10.0.10.4 is the LAN ip address of the web server.
Have friend uses http://79.69.59.49:6188/index.htm
to target me. The ip address is fake for this posting.

# /root ipnat -l
List of active MAP/Redirect filters:
map rl0 10.0.10.0/29 - 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 0.0.0.0/0 - 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 10.0.10.0/29 - 0.0.0.0/32
rdr rl0 0.0.0.0/0 port 6188 - 10.0.10.4 port 80 tcp

List of active sessions:
RDR 10.0.10.4   80- - 79.69.59.49 6188  [65.45.227.95
2698]
MAP 10.0.10.6   1857  - - 79.69.59.49 1857
[216.155.193.144 5050]

Nothing happens. No ipf.log records on gateway box and
no ipf.log records on the LAN web server box.
There is firewall rule to log  pass from any to 10.0.10.4 port = 80
keep state
And any packet that does not match a firewall rule get logged and
dropped.

Gateway box has these sysctl nobs set
net.inet.ip.forwarding=1
net.inet.ip.sourceroute=0
net.ip.accept_sourceroute=0

From the active session list, it looks like the rdr command was
executed
but no packet showed up at the firewall.

My question is, does any one have ipfilter nat redirect working on
Freebsd 6.0


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FBSD 6.0 ipfilter nat redirect not working.

[Erik Norgaard]

fbsd_user wrote:


# /root ipnat -l
List of active MAP/Redirect filters:
map rl0 10.0.10.0/29 - 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 0.0.0.0/0 - 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 10.0.10.0/29 - 0.0.0.0/32
rdr rl0 0.0.0.0/0 port 6188 - 10.0.10.4 port 80 tcp

List of active sessions:
RDR 10.0.10.4   80- - 79.69.59.49 6188  [65.45.227.95
2698]
MAP 10.0.10.6   1857  - - 79.69.59.49 1857
[216.155.193.144 5050]

Nothing happens. No ipf.log records on gateway box and
no ipf.log records on the LAN web server box.
There is firewall rule to log  pass from any to 10.0.10.4 port = 80
keep state
And any packet that does not match a firewall rule get logged and
dropped.


Please post your filter ruleset also.

Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter nat redirect

[Erik Norgaard]

fbsd_user wrote:

I have a web server on my private lan that I want
to be accessible from the public internet.

dc0 is the interface facing the public internet

I added this rdr rule after the map rules at the end of my nat file.


ordering is extremely important, nat rules are first match while filter 
rules are last match unless you add the quick keyword. So, if you have 
eg a binat rule, then the rdr never takes place.



  rdr dc0 0/0 port 80 - 10.0.10.4 port 8080

also tried this rule

  rdr dc0 0.0.0.0/0 port 80 - 10.0.10.4 port 8080


seems ok, but you may want to replace the 0/0 with your external ip/32 
if it is fixed.



My understanding of the documentation says the above rdr rule means,

check all packets inbound on interface dc0, and
no matter what the sending ip address of the packet may be,
if the port number of the destination ip address of that packet
matches port 80,
then re-write the packet's destination ip address and port to
10.0.10.4 port 8080 and create the internal nat table to
handle the translation of the outbound packets coming from
10.0.10.4.
Then hand the re-written packet to the firewall to be processed
against the firewall rules.

My ipfilter firewall rules would need a pass rule like this

pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
flags S keep state

to create the by-directional packet session.

Problem is I cant get this to work.
I see nothing in the log for the pass rule.

Anybody have any idea what I am doing wrong
or if my understanding of the re-direct process is in error.


When using rdr, the rdr rule is applied _before_ the filtering, so 
filter rule  above seems correct to me.


Always, and in particular for debugging, create a rule that catches and 
logs anything you haven't thought of. Your log only catches successful 
passes, after that rule, add a log rule like:


  block in log quick on dc0

this should show you the packets that actually are filtered.

Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter nat redirect

[Erik Norgaard]

John Murphy wrote:

I think the filter action occurs before NAT so you would need this:

pass in log quick on dc0 proto tcp from any to your live IP port = 80


For ip-filter, if nat is done when the packet comes IN on an interface, 
like with rdr, then this takes place BEFORE filtering. If nat is done 
when the packet goes OUT on an interface then this takes place AFTER 
filtering.


If you use binat then you can think of it as the combination of rdr and 
nat. The reason that binat is not really rdr+nat is that rdr requires a 
specific port. But for understanding where the nat'ing takes place for 
binat, thinking rdr+nat on the same interface works.


This means that when nat is configured correctly then you can completely 
forget about it when writing the firewall rules and just think of all 
networks to be routable.


Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

ipfilter nat redirect

[fbsd_user]

I have a web server on my private lan that I want
to be accessible from the public internet.

dc0 is the interface facing the public internet

I added this rdr rule after the map rules at the end of my nat file.

  rdr dc0 0/0 port 80 - 10.0.10.4 port 8080

also tried this rule

  rdr dc0 0.0.0.0/0 port 80 - 10.0.10.4 port 8080

My understanding of the documentation says the above rdr rule means,

check all packets inbound on interface dc0, and
no matter what the sending ip address of the packet may be,
if the port number of the destination ip address of that packet
matches port 80,
then re-write the packet's destination ip address and port to
10.0.10.4 port 8080 and create the internal nat table to
handle the translation of the outbound packets coming from
10.0.10.4.
Then hand the re-written packet to the firewall to be processed
against the firewall rules.

My ipfilter firewall rules would need a pass rule like this

pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
flags S keep state

to create the by-directional packet session.

Problem is I cant get this to work.
I see nothing in the log for the pass rule.

Anybody have any idea what I am doing wrong
or if my understanding of the re-direct process is in error.




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter nat redirect

[John Murphy]

fbsd_user [EMAIL PROTECTED] wrote:

I have a web server on my private lan that I want
to be accessible from the public internet.

dc0 is the interface facing the public internet

I added this rdr rule after the map rules at the end of my nat file.

  rdr dc0 0/0 port 80 - 10.0.10.4 port 8080

also tried this rule

  rdr dc0 0.0.0.0/0 port 80 - 10.0.10.4 port 8080

I have 'tcpudp' after the port in my rdr rules, but see below. 

My understanding of the documentation says the above rdr rule means,

check all packets inbound on interface dc0, and
no matter what the sending ip address of the packet may be,
if the port number of the destination ip address of that packet
matches port 80,
then re-write the packet's destination ip address and port to
10.0.10.4 port 8080 and create the internal nat table to
handle the translation of the outbound packets coming from
10.0.10.4.
Then hand the re-written packet to the firewall to be processed
against the firewall rules.

My ipfilter firewall rules would need a pass rule like this

pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
flags S keep state

I think the filter action occurs before NAT so you would need this:

pass in log quick on dc0 proto tcp from any to your live IP port = 80

-- 
John.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Interaction between mpd and ipfilter/ipnat

[Jim Hatfield]

I have a FreeBSD firewall which does packet filtering and NAT.
The internal address range is 172.16.64.0/24. The only filtering
is incoming on the external NIC, fxp0.

The machine also runs mpd for remote access.

By pure chance I was tailing ipf.log when I connected an XP laptop
to the mpd service, and immediately I saw these:


Mar 16 16:57:41 inchgower ipmon[61]: 16:57:40.923619 fxp0 @0:2 b 172.16.64.168,137 
- 172.16.64.200,137 PR udp len 20 96 IN
Mar 16 16:57:42 inchgower ipmon[61]: 16:57:42.425811 fxp0 @0:2 b 172.16.64.168,137 
- 172.16.64.200,137 PR udp len 20 96 IN


172.16.64.168 is the address given out by mpd to the laptop.
172.16.64.200 is the Active Directory Domain Controller.

I'm confused as to why ipf is seeing these packets coming in on fxp0.
Surely what comes in is the GRE packet to the external NIC's address,
this is then decapsulated and the embedded packet routed on. Why does
ipf even see it, let alone block it? I would expect the source interface
to be ng0, not fxp0.

From the laptop I can ping and connect to internal machines, so most
packets are not being blocked in this way.

tcpdump also sees the packets coming in on fxp0, but I'm not convinced
they are. I guess I can only really tell if I get the switch to copy
packets to another port and monitor from there.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

[was Re: IPFILTER rule error]

[Maxim Vetrov]

Yes, that's it! Thanks! I've managed to miss somehow your message, 
Giorgos, and flooded a bit :-)


Regards,
Muxas
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: IPFILTER rule error

[Maxim Vetrov]

Hi!

Thahks for your attention!

 First of all you really need to read the ipfilter section of the 
FreeBSD handbook...

 [EMAIL PROTECTED]

I've read the handbook. Good starting point! :-) Given that I just 
_TEST_ ipf config ported from 5.4 to 6.0 on local LAN, I do not violate 
theoretical background of firewalling. Grouping is used to differentiate 
inbound\outbound traffic, probably I will use it to diff interfaces.


 I don't know if you posted the whole ruleset or if you cut out what 
seemed irrelevant to keep the post short...

 Erik Norgaard

Yes, I do not show you the whole story about ipf.rules, only the 
skeleton and the problematic lines. The reason for that is that ipfilter 
works with basic ipf.rules, and ipfstat confirms that. But no logs as 
expected (but eventually I've found where log info went: it appeared at 
/var/log/messages, and not in /var/log/security as configured!). By the 
way, I prefer to use syslogd because it allows for log rotation, which 
is god! :-)


Problem with no such process appeared when I added to ipf.rules line
 pass out quick on rl0 \
 proto udp from any to any port = sunrpc keep state group 20

It doesn't matter whether port parameter is expressed as a name or a 
number. I have other lines written both types and all of that works! 
Again, the error is presented only when I insert the above line in 
ipf.rules. This is an outbound rule; I've had the inbound rule in basic 
setup (you can see it in my previous post) and it ran just well!


Ok, in the attachment there is the whole story about ipf.rules as it is. 
As I've found from the handbook this way of firewalling is called 
inclusive %-).


Regards,
Muxas

P.S. I apologize for my message timing, it's the second question i'll 
ask after ipf :-)

#  External interface - ppp0   #


#%% Block-and-log everything that is not allowed explicitly 
#block in log on ppp0 all head 10
#block out log on ppp0 all head 15

#%% Allow DNS requests %
#pass out quick on ppp0 \
#  proto tcp/udp from any to any port = domain keep state group 15

#%% Allow outbound HTTP packets 
#pass out quick on ppp0 \
#  proto tcp from any to any port = 80 keep state keep frags group 15

#%% Allow outbound FTP packets %
#pass out quick on ppp0 \
#  proto tcp from any to any port = 21 keep state group 15

#%% Allow inbound FTP-data packets %
#pass in quick on ppp0 \
#  proto tcp/udp from any port = 20 to any port  1024 keep state group 10

#%% Allow outbound Jabber connections %%
#pass out quick on ppp0 \
#  proto tcp from any to any port = 5222 keep state group 15

#%% Allow POP3 outgoing connections 
#pass out quick on ppp0 \
#  proto tcp/udp from any to any port = 110 keep state group 15

#%% Allow SMTP outgoing connections 
#pass out quick  on ppp0 \
#  proto tcp/udp from any to any port = 25 keep state group 15

#%% Allow outgoing CVS connections %
#pass out quick on ppp0 \
#  proto tcp/udp from any to any port = 5999 keep state group 15 


#  Internal interface #1 - rl0 (10.0.1.0/29)   #


#% Block-and-log everything that is not allowed explicitly %
block in log on rl0 all head 20
block out log on rl0 all head 25
#pass in  on rl0 from 10.0.1.1/29 to any group 20
#pass out on rl0 from any to 10.0.1.1/29 group 25

#% Allow ping %%
pass in quick on rl0 \
  proto icmp all keep state group 20
pass out quick on rl0 \
  proto icmp all keep state group 25

#% Allow DNS requests %%
pass in quick on rl0 \
  proto tcp/udp from any to any port = domain keep state group 20

#% Allow DHCP requests %
pass in quick on rl0 \
  proto tcp/udp from any port = 68 to any port = 67 group 20

#% Allow HTTP requests from local network %%
pass in quick on rl0 \
  proto tcp from any to any port = 80 keep state keep frags group 20

#% Allow FTP requests from local network %%%
pass in quick on rl0 proto tcp from any to any port = 21 keep state group 20

#% Allow inbound FTP-data packets

Re: IPFILTER rule error

[Erik Norgaard]

Maxim Vetrov wrote:


#  Internal interface #1 - rl0 (10.0.1.0/29)   #


#% Block-and-log everything that is not allowed explicitly %
block in log on rl0 all head 20
block out log on rl0 all head 25
#% Allow Sun RPC incoming calls 
pass in quick on rl0 \
  proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \
  proto tcp/udp from any to any port = 717 keep state group 20
# the next line raise the error when uncommented
#pass out quick on rl0 \
#  proto udp from any to any port = 111 keep state group 20


I think someone else already pointed at this: You try to add a rule for 
outbound traffic to the inbound group in the offending line. Try correct 
to group 25.


Cheers, Erik

--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: IPFILTER rule error

[Giorgos Keramidas]

On 2006-02-15 16:23, Erik Norgaard [EMAIL PROTECTED] wrote:
 Maxim Vetrov wrote:
 
 #  Internal interface #1 - rl0 (10.0.1.0/29)
 #
 
 
 #% Block-and-log everything that is not allowed explicitly
 %
 block in log on rl0 all head 20
 block out log on rl0 all head 25
 #% Allow Sun RPC incoming calls
 
 pass in quick on rl0 \
   proto tcp/udp from any to any port = sunrpc keep state group 20
 pass in quick on rl0 \
   proto tcp/udp from any to any port = 717 keep state group 20
 # the next line raise the error when uncommented
 #pass out quick on rl0 \
 #  proto udp from any to any port = 111 keep state group 20

 I think someone else already pointed at this: You try to add a rule for
 outbound traffic to the inbound group in the offending line. Try correct
 to group 25.

That's true.  I did post the relevant message:

Date: Tue, 14 Feb 2006 17:13:33 +0200
From: Giorgos Keramidas [EMAIL PROTECTED]
Subject: Re: IPFILTER rule error
To: Maxim Vetrov [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]

[...]

Note that you have only set up a group numbered '25' for outgoing
traffic, but then attempt to add a rule to an outgoing group of '20'.
This is the cause of the error you're seeing.

This ruleset should work fine:

#   block in log on rl0 all head 20
#   block out log on rl0 all head 25
#
#   pass in quick on rl0 \
# proto tcp/udp from any to any port = sunrpc keep state group 20
#   pass in quick on rl0 \
# proto tcp/udp from any to any port = 717 keep state group 20
#   pass out quick on rl0 \
# proto udp from any to any port = 111 keep state group 25

[...]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: IPFILTER rule error

[Maxim Vetrov]

Hi,

Sorry, I really do not want you to guess! Here is what you asked:

kernel conf:
---
...
optionsIPFILTER
optionsIPFILTER_LOG
#optionsIPFILTER_DEFAULT_BLOCK
#optionsIPSTEALTH
...
---

rc.conf:
---
...
ifconfig_rl0=inet 10.0.1.1 netmask 255.255.255.248
...
ipnat_enable=YES
ipfilter_enable=YES
ipmon_enable=YES
...
---

services:
---
...
sunrpc  111/tcprpcbind  #SUN Remote Procedure Call
sunrpc  111/udprpcbind  #SUN Remote Procedure Call
...
---

ipf.rules:
---
block in log on rl0 all head 20
block out log on rl0 all head 25


pass in quick on rl0 \
 proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \
 proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \
 proto udp from any to any port = 111 keep state group 20


Steps to load the rules:

ipf -Fa
ipf -f /etc/ipf.rules

1:ioctl (add/insert rule): No such process

And there is one more problem - despite that I have packet logging
enabled by default (-Ds) through syslogd, log is empty!

syslog.conf:

...
security.*  /var/log/security
...

That file exists and have root rw permissions.

If this help: after I'd moved to 6.0 from 5.4
(backup-format-install-restore), this config stopped to work. I know
that I'm doing something wrong but what exactly?

Regards,
Muxas

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: IPFILTER rule error

[Erik Norgaard]

Maxim Vetrov wrote:

Hi,
kernel conf:
---
...
optionsIPFILTER
optionsIPFILTER_LOG
#optionsIPFILTER_DEFAULT_BLOCK
#optionsIPSTEALTH
...
---


The rc scripts should load these modules if they are not compiled with 
the kernel, in that case they would show up with kldstat.


Try use kldstat and sysctl -a to see what's in your kernel, grep for ipf.


services:
---
...
sunrpc  111/tcprpcbind  #SUN Remote Procedure Call
sunrpc  111/udprpcbind  #SUN Remote Procedure Call
...
---

ipf.rules:
---
block in log on rl0 all head 20
block out log on rl0 all head 25


pass in quick on rl0 \
 proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \
 proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \
 proto udp from any to any port = 111 keep state group 20


Steps to load the rules:

ipf -Fa
ipf -f /etc/ipf.rules

1:ioctl (add/insert rule): No such process


1st: IIRC, the number in the error line indicates the line the error 
occurred in - not sure though. That would be your first rule. I don't 
know if you posted the whole ruleset or if you cut out what seemed 
irrelevant to keep the post short.


2nd: Reading the ipf-howto I see no examples where port names are used, 
try using the port number to eliminate that posibility.



And there is one more problem - despite that I have packet logging
enabled by default (-Ds) through syslogd, log is empty!

syslog.conf:

...
security.*  /var/log/security
...

That file exists and have root rw permissions.


If you want to log to a separate file, why not let ipmon do that directly?

   # ipmon -D /var/log/security

Secondly, the empty log may not be that surprising in the first place if 
your ruleset is not loaded correctly.


Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

RE: IPFILTER rule error

[fbsd_user]

First of all you really need to read the ipfilter section of the
FreeBSD handbook.
The correct solution is exampled in the handbook.
You do not need to compile ipfilter in to the kernel to work.
From your rules I see no need for that head/group stuff so remove
it.
I see rl0 being assigned to private ip address which means that Nic
is facing your LAN which is behind your gateway box. That ip address
range is not routable on the public internet. You have something
mess up big time.

Your firewall rules is suppose to be on the Nic facing the public
internet.
You nat the public ip address to you private LAN ip address.

The reason you have no log records is because your firewall rules
have syntax error and are never loaded. Only rules with log keyword
will generate log records.
Only use rules with quick option. Do not mix quick and non quick
rules.
You need pass in rules for you ISP's dns and dhcp servers to access
your box.

Explain in detail your network layout.
Do you have LAN?
How are you connected to the public internet?

Again I strongly recommend you read the ipfilter section of the
handbook your answers are there.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Maxim
Vetrov
Sent: Tuesday, February 14, 2006 7:57 PM
To: freebsd-questions@FreeBSD.org
Subject: Re: IPFILTER rule error


Hi,

Sorry, I really do not want you to guess! Here is what you asked:

kernel conf:
---
...
optionsIPFILTER
optionsIPFILTER_LOG
#optionsIPFILTER_DEFAULT_BLOCK
#optionsIPSTEALTH
...
---

rc.conf:
---
...
ifconfig_rl0=inet 10.0.1.1 netmask 255.255.255.248
...
ipnat_enable=YES
ipfilter_enable=YES
ipmon_enable=YES
...
---

services:
---
...
sunrpc  111/tcprpcbind  #SUN Remote Procedure Call
sunrpc  111/udprpcbind  #SUN Remote Procedure Call
...
---

ipf.rules:
---
block in log on rl0 all head 20
block out log on rl0 all head 25


pass in quick on rl0 \
  proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \
  proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \
  proto udp from any to any port = 111 keep state group 20


Steps to load the rules:
ipf -Fa
ipf -f /etc/ipf.rules
1:ioctl (add/insert rule): No such process

And there is one more problem - despite that I have packet logging
enabled by default (-Ds) through syslogd, log is empty!

syslog.conf:

...
security.*  /var/log/security
...

That file exists and have root rw permissions.

If this help: after I'd moved to 6.0 from 5.4
(backup-format-install-restore), this config stopped to work. I know
that I'm doing something wrong but what exactly?

Regards,
Muxas

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

IPFILTER rule error

[Maxim Vetrov]

Hi,

I'm running FreeBSD 6.0, IPFilter 4.1.8(416).

Setting line for rpc outbound calls

pass out quick on rl0 \
 proto udp from any to any port = sunrpc keep state group 20

gives me this error:

ioctl (add/insert rule): No such process

What is the process i'm missing?

Regards,
muxas
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: IPFILTER rule error

[Giorgos Keramidas]

On 2006-02-14 10:09, Maxim Vetrov [EMAIL PROTECTED] wrote:
 Hi,

 I'm running FreeBSD 6.0, IPFilter 4.1.8(416).

 Setting line for rpc outbound calls

 pass out quick on rl0 \
  proto udp from any to any port = sunrpc keep state group 20

 gives me this error:

 ioctl (add/insert rule): No such process

 What is the process i'm missing?

Don't copy/paste just one line.  Show us the exact options you used in
your `/etc/rc.conf' file, and be *very* specific about the steps you
took to enable that rule.

Otherwise, we can only guess what's wrong.  You don't want us to guess
wrong, do you?

- Giorgos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: IPFILTER rule error

[Erik Norgaard]

Maxim Vetrov wrote:

Hi,

I'm running FreeBSD 6.0, IPFilter 4.1.8(416).

Setting line for rpc outbound calls

pass out quick on rl0 \
 proto udp from any to any port = sunrpc keep state group 20

gives me this error:

ioctl (add/insert rule): No such process

What is the process i'm missing?


Do you have that group? or maybe sunrpc is not in /etc/services - better 
try to write the port number. It will help to show the whole ruleset.


Cheers, Erik
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: IPFILTER rule error

[chris]

 Hi,

 I'm running FreeBSD 6.0, IPFilter 4.1.8(416).

 Setting line for rpc outbound calls

 pass out quick on rl0 \
   proto udp from any to any port = sunrpc keep state group 20

 gives me this error:

 ioctl (add/insert rule): No such process

 What is the process i'm missing?

 Regards,
 muxas
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 [EMAIL PROTECTED]


Hello,
By default freebsd doesn't have any firewall's compiled into the kernel or
loaded as kernel mod's so you need to add ipfilter_enable=YES to rc.conf
and type in kldload ipl so you dont have to reboot the machine and also
make sure you add a simple rules to allow all or youll look yourself out
as it defaults to deny all hope this help a bit.



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Ipfilter upgrade

[mike.unixway]

Has anybody tried to upgrade from the 3r branch of Ipfilter to 4th in 
FreeBSD 5.4?
The procedure described in official document isn't correct - my kernel 
don't compile with ipfilter - couldn't create needed dependencies. Has 
anybody encountered such problem?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

ipfilter question

[Elmer Rivera]

hello,

my freebsd box is already setup and followed some of the docs on
setting up the firewall using ipfilter. question on logging.

setup /var/log/ipfilter.log as  my log file.
modified syslog.conf. its working now unfortunately, its loggin on
that file AND to my messages log file. is it possible to log ipfilter
log only to my log file?

thanks
--
Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter question

[Pietro Cerutti]

On 12/13/05, Elmer Rivera [EMAIL PROTECTED] wrote:
 hello,

Hello,


 my freebsd box is already setup and followed some of the docs on
 setting up the firewall using ipfilter. question on logging.

 setup /var/log/ipfilter.log as  my log file.

How/where did you set this up?

 modified syslog.conf.

How did you modified this?

 its working now unfortunately, its loggin on
 that file AND to my messages log file. is it possible to log ipfilter
 log only to my log file?

Yes, it is possible.

Here's my setup:

/etc/rc.conf
ipmon_enable=YES
ipmon_flags=-Dns

/etc/syslog.conf
security.*  /var/log/ipfilter.log


Make sure you don't have any other security.* facility specified in
/etc/syslog.conf


 thanks
 --
 Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph


Hope this helps,

--
Pietro Cerutti
[EMAIL PROTECTED]

Beansidhe - SwiSS Death / Thrash Metal
www.beansidhe.ch

Windows: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

RE: ipfilter question

[fbsd_user]

In FBSD 4.11 and older, ipfilter logged to local0.
Then in 5.4 it was changed to security.
Now in 6.0 it has reverted back to logging to local0.
The /etc/syslog.conf file is where you define the log files.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pietro
Cerutti
Sent: Tuesday, December 13, 2005 7:39 AM
To: Elmer Rivera; FreeBSD
Subject: Re: ipfilter question


On 12/13/05, Elmer Rivera [EMAIL PROTECTED] wrote:
 hello,

Hello,


 my freebsd box is already setup and followed some of the docs on
 setting up the firewall using ipfilter. question on logging.

 setup /var/log/ipfilter.log as  my log file.

How/where did you set this up?

 modified syslog.conf.

How did you modified this?

 its working now unfortunately, its loggin on
 that file AND to my messages log file. is it possible to log
ipfilter
 log only to my log file?

Yes, it is possible.

Here's my setup:

/etc/rc.conf
ipmon_enable=YES
ipmon_flags=-Dns

/etc/syslog.conf
security.*  /var/log/ipfilter.log


Make sure you don't have any other security.* facility specified in
/etc/syslog.conf


 thanks
 --
 Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph


Hope this helps,

--
Pietro Cerutti
[EMAIL PROTECTED]

Beansidhe - SwiSS Death / Thrash Metal
www.beansidhe.ch

Windows: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter question

[Elmer Rivera]

#uname -a
FreeBSD hcggw1.hcg.com.ph 5.4-RELEASE-p8 FreeBSD 5.4-RELEASE-p8 #0:
Sat Dec 10 09:49:16 PHT 2005
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/HCGGW1  i386

  setup /var/log/ipfilter.log as  my log file.

 How/where did you set this up?

# touch /var/log/ipfilter.log

  modified syslog.conf.

 How did you modified this?

# vi /etc/syslog.conf

commented out old security.* and inserted a new line pointing to the file above.

--
#   Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit/dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  
/var/log/messages
security.*  /var/log/ipfilter.log
#security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info   /var/log/maillog
--

  its working now unfortunately, its loggin on
  that file AND to my messages log file. is it possible to log ipfilter
  log only to my log file?

 Yes, it is possible.

# cat /etc/rc.conf
--
ipfilter_enable=YES
ipnat_enable=YES
ipmon_enable=YES
ipmon_flags=-Dsn

--

 Here's my setup:

 /etc/rc.conf
 ipmon_enable=YES
 ipmon_flags=-Dns

 /etc/syslog.conf
 security.*  /var/log/ipfilter.log


 Make sure you don't have any other security.* facility specified in
 /etc/syslog.conf

yes, there is no other security.* facility, actually i got it working
to log on my file (/var/log/ipfilter.log) but it also logs on
/var/log/messages. I only want to log on my file.


 
  thanks
  --
  Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph
 

 Hope this helps,

 --
 Pietro Cerutti
 [EMAIL PROTECTED]

 Beansidhe - SwiSS Death / Thrash Metal
 www.beansidhe.ch

 Windows: Where do you want to go today?
 Linux: Where do you want to go tomorrow?
 FreeBSD: Are you guys coming or what?


regards

--
Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter question

[Rob Lytle]

  Here's my setup:
 
  /etc/rc.conf
  ipmon_enable=YES
  ipmon_flags=-Dns
 
  /etc/syslog.conf
  security.*  /var/log/ipfilter.log
 
 
  Make sure you don't have any other security.* facility specified in
  /etc/syslog.conf
 
 yes, there is no other security.* facility, actually i got it working
 to log on my file (/var/log/ipfilter.log) but it also logs on
 /var/log/messages. I only want to log on my file.
 
 
  
   thanks
   --
   Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph

I have the problem that ipmon logs to /var/log/messages and nothing
goes to /var/log/ipf.log.  Even after using the info in this thread.  I
am using local0 as was suggested for FreeBSD 6.0.  Earlier I was using
security.* which didn't work either.  I suppose that at the least, I
need to remove something from the /var/log/messages line.

Here is my syslog.conf:

*.err;kern.warning;auth.notice;mail.crit/dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   
/var/log/messages
local0.*/var/log/ipf.log
auth.info;authpriv.info /var/log/auth.log
mail.info   /var/log/maillog
lpr.info/var/log/lpd-errs
ftp.info/var/log/xferlog
cron.*  /var/log/cron
*.=debug/var/log/debug.log

Thanks,  Rob.

-- 
--
http://home.comcast.net/~europa100
A SETI-like Search for Intelligent
Life in Central Pa.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfilter question

[Parv]

in message [EMAIL PROTECTED],
wrote Rob Lytle thusly...

 
 
   Here's my setup:
...
   in /etc/syslog.conf
  
  yes, there is no other security.* facility, actually i got it
  working

Please keep the attribution  attribute the respective authors.


 I have the problem that ipmon logs to /var/log/messages and nothing
 goes to /var/log/ipf.log.  Even after using the info in this thread.
 I am using local0 as was suggested for FreeBSD 6.0.  Earlier I was
 using security.* which didn't work either.  I suppose that at the
 least, I need to remove something from the /var/log/messages line.
 
...
 *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err 
 /var/log/messages
 local0.*  /var/log/ipf.log

Like authpriv.none to stop auth messages going into
/var/log/messages, you will need to add local0.none (or replace
local0 w/ whatever the actual facility is used) after *.notice;.

According to ipmon(8) on 5.4, passed  logged packets are logged w/
level of 'notice'. So you should be seeing only the passed packets in
'/var/log/messages'.  Rest of the messages, will go wherever
(local0|security|*).(info|warn|err) messages go.


Or, you could ...

  - give a file name to ipmon(8) to log messages in
  - remove the -s option to not to log via syslogd(8)
  - put the ipmon facility.none, in /etc/syslog.cong, to avoid
other files receiving ipf messages.
  - adjust /etc/newsyslog.conf to properly rotate the ipmon log
files.


Don't forget to read up on syslog.conf(5), newsyslog.conf(5),
and ipmon(8) in any case.


  - Parv

-- 

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]