IPFW rules

2004-02-17 Thread Peter Rosa
Hi all, please what's the difference between this ipfw rules: ${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif} and ${fwcmd} add deny all from any to 255.255.255.255 It seems similar, but I think it is not. Both should stop broadcasts. Peter

ipfw rules

2004-03-03 Thread RYAN vAN GINNEKEN
I know this has probably been posted 1000's of times but i would like to set up a ipfw firewall i run many services on this machine. It acts as a gateway for my network APACHE web server IMAP mail server SMTP mail server BIND name server FTP server also i would like to be able to forward packets

ipfw rules

2002-10-10 Thread tristan11
Could anyone please tell me what ipfw rules need to be set in order to allow software installation through the ports collection? I tried adding a rule to allow ftp outbound and although I can ftp out, I still cannot fetch the source tarball when using the make command in /usr/ports. What else

ipfw rules

2003-03-21 Thread Brian Henning
Greetings, This is what i came up with for my network after reviewing some docs and talking with some people. i want to run it by you all before i implemented because i want it to be secure before i open up my internal network to the outside world. what do you think of my ipfw rules? do they

ipfw rules

2006-12-16 Thread Jurjen Middendorp
I posted this to the freebsd-security list, but i believe that is not the right list to this question (sorry! this is my first message to the freebsd mailing-lists). I hope this is the right list! :) anyway: I tried making a firewall for my laptop..but i'm not sure if i forgot anything. And things

ipfw rules help.

2004-02-04 Thread Marwan Sultan
Hello everyone. I'm on FreeBSD 4.8R, NATd, ipfw enabled, everything working fine. my box is behind a DSL modem router and clients behind the FreeBSD. My LAN is C class IPs. I compiled ipfw to accept by default. This is my ipfw list: 00050 divert 8668 ip from any to any via rl0

slow ipfw rules

2004-02-09 Thread Wayne Swart
Hello everyone I have a nat box with a default to deny ruleset, but whenever i ftp through it i get a transfer rate of + - 3kb/s (over lan) Below are what i have in my firewall script: ipfw disable firewall ipfw -f flush int_if=fxp0 ext_if=rl0 # IPFW Count Rules for MRTG ipfw add 10001 count i

Re: IPFW rules

2004-02-17 Thread Saint Aardvark the Carpeted
Peter Rosa disturbed my sleep to write: > please what's the difference between this ipfw rules: > > ${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif} This denies broadcasts coming in to your machine through the outside interface. The rule number is speci

Re: IPFW rules

2004-02-19 Thread Alex de Kruijff
Articles based on solutions that I use: http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/ On Tue, Feb 17, 2004 at 08:46:09PM -0800, Saint Aardvark the Carpeted wrote: > Peter Rosa disturbed my sleep to write: > > please what's the difference between this ipfw rules: > &g

Re: ipfw rules

2004-03-03 Thread Danny Pansters
On Thursday 04 March 2004 01:42, RYAN vAN GINNEKEN wrote: > I know this has probably been posted 1000's of times but i would like to > set up a ipfw firewall i run many services on this machine. It acts as a > gateway for my network > APACHE web server 80/TCP and perhaps 443/TCP > IMAP mail server

Re: ipfw rules

2004-03-04 Thread Jonathan Arnold
RYAN vAN GINNEKEN wrote: I know this has probably been posted 1000's of times but i would like to set up a ipfw firewall i run many services on this machine. It acts as a gateway for my network APACHE web server IMAP mail server SMTP mail server BIND name server FTP server also i would like to b

Re: ipfw rules

2002-10-10 Thread Jack L. Stone
At 05:52 PM 10.10.2002 -0400, [EMAIL PROTECTED] wrote: >Could anyone please tell me what ipfw rules need to be set in order to allow >software installation through the ports collection? I tried adding a rule to >allow ftp outbound and although I can ftp out, I still cannot fetch t

re: ipfw rules

2002-10-10 Thread tristan11
On Thursday, October 10, 2002, at 03:06 PM, Jack L. Stone wrote: At 05:52 PM 10.10.2002 -0400, [EMAIL PROTECTED] wrote: Could anyone please tell me what ipfw rules need to be set in order to allow software installation through the ports collection? I tried adding a rule to allow ftp outbound

RE: ipfw rules

2002-10-10 Thread JoeB
CTED]]On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 10, 2002 9:18 PM To: [EMAIL PROTECTED] Subject: re: ipfw rules On Thursday, October 10, 2002, at 03:06 PM, Jack L. Stone wrote: At 05:52 PM 10.10.2002 -0400, [EMAIL PROTECTED] wrote: Could anyone please tell me what ipfw rules need to be set

re: ipfw rules

2002-10-11 Thread Toomas Aas
> I am able to use cvsup with our firewall. The problem is when actually trying > to install the software using the make command since the make command tries to > fetch the source tarball from a remote server using ftp. If you have a proxy server running, try putting FETCH_ENV variable into /et

Re: ipfw rules

2002-10-17 Thread Drew Tomlinson
- Original Message - From: "Grant Cooper" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Friday, October 11, 2002 5:10 PM Subject: Re: ipfw rules > I am having the same problem. I now just allow ftp from certain IP > addr

Re: ipfw rules

2006-12-18 Thread Giorgos Keramidas
On 2006-12-16 18:01, Jurjen Middendorp <[EMAIL PROTECTED]> wrote: > I posted this to the freebsd-security list, but i believe that is not > the right list to this question (sorry! this is my first message to > the freebsd mailing-lists). I hope this is the right list! :) anyway: > > I tried making

Re: ipfw rules

2006-12-20 Thread Jurjen Middendorp
Cool! thanks for the reply + suggestions! I haven't had any trouble with my firewall blocking too much yet (also didn't connect to the internet much yet :), but i'll think about just allowing all out... on the other hand i like the idea of just letting through out that i need (which isn't very muc

Re: ipfw rules

2006-12-21 Thread Jurjen Middendorp
Ok, i changed my original rules. I'm going to use both the ruleset you recommended and these ones (not at the same time though :). And see which one gives me the least trouble. greetings, jurjen. #!/bin/sh ipfw -q flush cmd="ipfw -q add" ks="keep-state" oif="ath0" #sort in en out packets

removing ipfw rules

2007-12-27 Thread Noah
Hi, I have two ipfw rules that I want to remove. They are viewable with the "ipfw show" command --- snip --- 06600 0 0 allow ip from any to any proto tcp src-ip 66.66.66.66 dst-port 22 06700 0 0 allow ip from any to any proto tcp src-ip 66.66.66.66 d

NAT and IPFW rules

2004-02-02 Thread Eugene Panchenko
Hallo! Out from reading the manpage for natd, I have a question about how to restrict IPFW access for NAT for the case when I have one computer connected directly to another one (having two NICs installed into it)? That means that I don't have to care about big private network, but rather want

Re: ipfw rules help.

2004-02-04 Thread Saint Aardvark the Carpeted
Marwan Sultan disturbed my sleep to write: > I compiled ipfw to accept by default. > This is my ipfw list: > > 00050 divert 8668 ip from any to any via rl0 > 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00300 deny ip from 127.0.0.0/8 to any > 65000 allow

Re: ipfw rules help.

2004-02-04 Thread Joe Lewis
Marwan Sultan wrote: a) lets say I want to deny everything except a range of IPs starting from 192.168.1.1 to 192.168.1.50. what rule set should be? how to set range of IPs? to pass and deny rest of the C class. FreeBSD Doc's does not cover this? or i did not see.! I would set

input on ipfw rules

2003-04-05 Thread Robin Ericsson
Hi, I would like to get some input of these rules I'm currently using. I come from a linux/cisco background, so I want to know how bad these are :) mostly my questions are the keep-state stuff. I guess 00235 can go, as I think that one allows all traffic from that specific ip if already connected e

how many IPFW rules?

2007-10-30 Thread eBoundHost: Artur
Hello FreeBSD people! I have a smtp server under attack by what seems like a large botnet. My inetd is choking under the load and not allowing real mail through. I've successfully used tshark to find the offenders and put them into ipfw firewall for port 25. So here is my question, I'm cur

IPFW Rules and Games

2007-11-02 Thread Jack Barnett
Lots of people play games here and basically a pain to keep trying to get these stupid things to work with individual rules for each. I'm running FreeBSD 6.x with IPFW/natd I get a dynamic IP from my ISP and the internal nic is 192.168.17.1 Everything inside the network is 192.168.17.xxx The

Re: removing ipfw rules

2007-12-27 Thread Giorgos Keramidas
On 2007-12-27 15:47, Noah <[EMAIL PROTECTED]> wrote: > Hi, > > I have two ipfw rules that I want to remove. They are viewable with the > "ipfw show" command > > > --- snip --- > > 06600 0 0 allow ip from any to any proto tcp src-ip > 66

Re: removing ipfw rules

2007-12-27 Thread Noah
thanks for the response. I was Looking for awk to do some of the parsing like this: /sbin/ipfw list | grep '%IP%' | awk '{ print "ipfw -q delete " $1 }' | sh cheers, Noah

Re: removing ipfw rules

2007-12-28 Thread Ian Smith
On Fri, 28 Dec 2007 02:21:54 +0200 Giorgos Keramidas <[EMAIL PROTECTED]> wrote: > On 2007-12-27 15:47, Noah <[EMAIL PROTECTED]> wrote: > > Hi, > > > > I have two ipfw rules that I want to remove. They are viewable with the > > "ipfw show" co

RE: NAT and IPFW rules

2004-02-02 Thread JJB
es. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eugene Panchenko Sent: Sunday, February 01, 2004 11:15 AM To: [EMAIL PROTECTED] Subject: NAT and IPFW rules Hallo! Out from reading the manpage for natd, I have a question about how to restrict IPFW access

Are 4 IPFW rules enough?

2004-06-16 Thread Kevin Curran
I have a cable modem and I'm using 4.9 as a NAT router for my home network. I have 4 rules in my ipfw config. The first enables NAT and the last is 65000 allow any to any. In between I have 2 rules to deny access to ports 53 and 110 on the Internet side. That's all. Here's my thinking: I use i

need help with ipfw rules

2002-10-21 Thread Redmond Militante
or two, then proceeds [snip] starting standard daemons: inetd cron sshd usbd sendmail sendmail-clientmqueue [snip] here it hangs on sendmail and sendmail-clientmqueue, then proceeds it then hangs for hours at 'recovering vi sessions:'. it eventually boots all the way through after a few

questions about static ipfw rules

2003-01-22 Thread Stephen D. Kingrea
running 4.7 with firewall, natd enabled kernel. i wish to create firewall rules outside of the rc.firewall script that remain static across reboots. to that end, i created a set (rc.firewall.rules), pointing rc.conf to that set: firewall_enable="YES" firewall_type="/etc/rc.firewall.rules" natd_ena

Re: input on ipfw rules

2003-04-05 Thread Giorgos Keramidas
On 2003-04-05 21:49, Robin Ericsson <[EMAIL PROTECTED]> wrote: > > I would like to get some input of these rules I'm currently using. > > I come from a linux/cisco background, so I want to know how bad these > are :) mostly my questions are the keep-state stuff. I guess 00235 can > go, as I think t

Dummynet with Dynamic IPFW Rules

2006-02-25 Thread RW
I've been looking into using Dummynet for outgoing traffic, and I've found it hard going because the tutorials and how-to's deal with it in isolation, without indicating how it would be used in a real firewall. They generally suggest setting net.inet.ip.fw.one_pass=1, which as I understand it,

help needed for ipfw rules

2005-09-26 Thread Ertan Kucukoglu
Hi, I have a problem blocking foreign intruders for specific ports in ipfw. One of my friends have 4.X-Stable running in production for proxy, e-mail, virus etc. Server also have natd and ipfw installed on it. We have following rule set. - 00050 2132 1212881 divert 8668 ip from any to any

Re: how many IPFW rules?

2007-10-31 Thread Dan Nelson
In the last episode (Oct 30), eBoundHost: Artur said: > Hello FreeBSD people! > > I have a smtp server under attack by what seems like a large botnet. My > inetd is choking under the load and not allowing real mail through. I've > successfully used tshark to find the offenders and put them int

Re: how many IPFW rules?

2007-10-31 Thread eBoundHost: Artur
c: freebsd-questions@freebsd.org Sent: Oct 30, 2007 23:36 Subject: Re: how many IPFW rules? In the last episode (Oct 30), eBoundHost: Artur said: > Hello FreeBSD people! > > I have a smtp server under attack by what seems like a large botnet. My > inetd is choking under the load and

Re: how many IPFW rules?

2007-10-31 Thread Nikos Vassiliadis
On Tuesday 30 October 2007 22:57:31 eBoundHost: Artur wrote: > Hello FreeBSD people! > > I have a smtp server under attack by what seems like a large botnet. My > inetd is choking under the load and not allowing real mail through. > I've successfully used tshark to find the offenders and put them

Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett
Bob Hall wrote: On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote: I added this for a temporary fix: ${fwcmd} add pass all from any to any I don't think that is the right answer; That allows too much in? Yes. I've tried these per the docs: ${fwcmd} add allow a

Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett
Jack Barnett wrote: Bob Hall wrote: On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote: I added this for a temporary fix: ${fwcmd} add pass all from any to any I don't think that is the right answer; That allows too much in? Yes. I've tried these per the docs:

Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett
Jack Barnett wrote: Jack Barnett wrote: Jack Barnett wrote: Bob Hall wrote: On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote: I added this for a temporary fix: ${fwcmd} add pass all from any to any I don't think that is the right answer; That allows too much in?

Re: IPFW Rules and Games

2007-11-02 Thread RW
On Fri, 02 Nov 2007 04:59:27 -0500 Jack Barnett <[EMAIL PROTECTED]> wrote: > > Lots of people play games here and basically a pain to keep trying to > get these stupid things to work with individual rules for each. > > I'm running FreeBSD 6.x with IPFW/natd > > I get a dynamic IP from my ISP a

Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett
RW wrote: On Fri, 02 Nov 2007 04:59:27 -0500 Jack Barnett <[EMAIL PROTECTED]> wrote: Lots of people play games here and basically a pain to keep trying to get these stupid things to work with individual rules for each. I'm running FreeBSD 6.x with IPFW/natd I get a dynamic IP from my I

Re: IPFW Rules and Games

2007-11-02 Thread Bob Hall
On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote: > I added this for a temporary fix: >${fwcmd} add pass all from any to any > > I don't think that is the right answer; That allows too much in? Yes. > I've tried these per the docs: > >${fwcmd} add allow all from any to any o

Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett
Jack Barnett wrote: Jack Barnett wrote: Bob Hall wrote: On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote: I added this for a temporary fix: ${fwcmd} add pass all from any to any I don't think that is the right answer; That allows too much in? Yes. I've tr

Re: IPFW Rules and Games

2007-11-02 Thread deeptech71
Hi, Jack, let's see. Jack Barnett wrote: > > Lots of people play games here and basically a pain to keep trying to > get these stupid things to work with individual rules for each. > > I'm running FreeBSD 6.x with IPFW/natd > > I get a dynamic IP from my ISP and the internal nic is 192.168.17.1 >

Re: IPFW Rules and Games

2007-11-02 Thread Bob Hall
On Fri, Nov 02, 2007 at 10:59:04PM +0100, [EMAIL PROTECTED] wrote: > >onet=`ifconfig xl0 | grep "inet " | awk '{print $6}'` > I'm not sure about this. Isn't the sixth word the broadcast address > (ending with .255)? It's correct. I've been using this in my firewall file since FBSD 4.somet

Re: IPFW Rules and Games

2007-11-04 Thread Jack Barnett
[EMAIL PROTECTED] wrote: So basically the ruleset should be simple: ipfw -f flush # allow lo0 stuff # block some spoofs/attacks # if you are hosting gameservers from 192.168.17.3 or whatever, # you should (manually) open server ports, in other words, add # routes to 192.168.17.3 to specific serv

Re: IPFW Rules and Games

2007-11-04 Thread deeptech71
Jack Barnett wrote: [EMAIL PROTECTED] wrote: So basically the ruleset should be simple: ipfw -f flush # allow lo0 stuff # block some spoofs/attacks # if you are hosting gameservers from 192.168.17.3 or whatever, # you should (manually) open server ports, in other words, add # routes to 192.168.

Re: Are 4 IPFW rules enough?

2004-07-24 Thread Kevin D. Kinsey, DaleCo, S.P.
Kevin Curran wrote: I have a cable modem and I'm using 4.9 as a NAT router for my home network. I have 4 rules in my ipfw config. The first enables NAT and the last is 65000 allow any to any. In between I have 2 rules to deny access to ports 53 and 110 on the Internet side. That's all. Here's m

Re: Are 4 IPFW rules enough?

2004-06-16 Thread Bill Moran
Kevin Curran <[EMAIL PROTECTED]> wrote: > I have a cable modem and I'm using 4.9 as a NAT router for my home > network. I have 4 rules in my ipfw config. The first enables NAT and > the last is 65000 allow any to any. > > In between I have 2 rules to deny access to ports 53 and 110 on the > Inter

RE: Are 4 IPFW rules enough?

2004-06-16 Thread fbsd_user
learn about all your FBSD firewall options -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Curran Sent: Monday, June 14, 2004 9:12 PM To: [EMAIL PROTECTED] Subject: Are 4 IPFW rules enough? I have a cable modem and I'm using 4.9 as a NAT router f

RE: need help with ipfw rules

2002-10-21 Thread Dan Pelleg
> hi all > > my apologies, this could get long as i'm including the text of various > config files: > > i've been trying to learn ipfw. i've recompiled a kernel with the > following options > ipfw add allow ip from any to any Do you really want to allow everything in, or is this just a typo?

Re: need help with ipfw rules

2002-10-21 Thread Grant Cooper
riginal Message - From: "Dan Pelleg" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; "Redmond Militante" <[EMAIL PROTECTED]> Sent: Monday, October 21, 2002 6:16 PM Subject: RE: need help with ipfw rules > > > hi all > > > > my apologies,

Re: need help with ipfw rules

2002-10-21 Thread Redmond Militante
hi thanks for responding On Mon, Oct 21, 2002 at 09:16:36PM -0400, Dan Pelleg expatiated with great perspicuity: > > > hi all > > > > my apologies, this could get long as i'm including the text of various > > config files: > > > > i've been trying

Re: questions about static ipfw rules

2003-01-22 Thread Norbert Koch
"Stephen D. Kingrea" <[EMAIL PROTECTED]> writes: > firewall_enable="YES" > firewall_type="/etc/rc.firewall.rules" This should be one of client etc, see rc(8) for more information. norbert.

Re: questions about static ipfw rules

2003-01-22 Thread Daniel Bye
On Wed, Jan 22, 2003 at 09:45:09AM -0500, Stephen D. Kingrea wrote: > running 4.7 with firewall, natd enabled kernel. i wish to create firewall > rules outside of the rc.firewall script that remain static across > reboots. to that end, i created a set (rc.firewall.rules), pointing > rc.conf to that

Re: questions about static ipfw rules

2003-01-22 Thread Daniel Bye
On Wed, Jan 22, 2003 at 03:18:33PM +, Daniel Bye wrote: > On Wed, Jan 22, 2003 at 09:45:09AM -0500, Stephen D. Kingrea wrote: > > running 4.7 with firewall, natd enabled kernel. i wish to create firewall > > rules outside of the rc.firewall script that remain static across > > reboots. to that

Re: questions about static ipfw rules

2003-01-22 Thread Stephen D. Kingrea
On Wed, 22 Jan 2003, Daniel Bye wrote: >On Wed, Jan 22, 2003 at 03:18:33PM +, Daniel Bye wrote: >> On Wed, Jan 22, 2003 at 09:45:09AM -0500, Stephen D. Kingrea wrote: >> > running 4.7 with firewall, natd enabled kernel. i wish to create firewall >> > rules outside of the rc.firewall script tha

Re: help needed for ipfw rules

2005-10-04 Thread Alex de Kruijff
On Mon, Sep 26, 2005 at 05:26:12PM +0300, Ertan Kucukoglu wrote: > Hi, > > I have a problem blocking foreign intruders for specific ports in ipfw. > > One of my friends have 4.X-Stable running in production for proxy, > e-mail, virus etc. Server also have natd and ipfw installed on it. We > hav

Performance loss with dynamic IPFW rules

2008-12-30 Thread KES
Hello, Questions. 1 allow all from any to any via rl0 2 allow all from any to any via rl1 109 skipto 110 tcp from any to any 80 in recv $iface #split only http traffic 109 skipto 200 all from any to any #do not split all other traffic 110 check-state 111 prob 0.5 skipto 131 in recv rl

ipfw rules for letting ssh requests in

2004-01-18 Thread Andrew L. Gould
I can't seem to get the ipfw rules right for letting ssh clients access a ssh server. I can use ssh on the server to connect to the client; but if I try to connect from the client to the server, the operation times out. I have my rules in /etc/ipfw.rules. Executing 'ipfw show'

Effective ipfw rules for blocking MSN Messenger ... ?

2004-12-23 Thread Marc G. Fournier
I just setup a FreeBSD box for a router, so that I could make use of ipfw to block MSN Messenger traffic ... but I'm having a bugger of a time finding a "definitive" list of what needs to be blocked :( MSN Messenger appears to be smart enough to go *around* the usual port 1863 and onto port 80

ipfw rules for all interfaces not working ...

2007-12-17 Thread Gore Jarold
My main goal is to lock down my ipfw rules so that when I run nmap, all I see is: Interesting ports on 192.168.0.10: Not shown: 1677 closed ports PORTSTATE SERVICE 22/tcp open ssh MAC Address: 00:12:D8:A2:23:C2 Nmap finished: 1 IP address (1 host up) scanned in 9.791 seconds So that

Please Help with Confusion about ipfw rules.

2007-07-26 Thread Martin McCormick
This is a situation where I thought I knew more than I actually do. I set up a new domain name server with a client-type firewall after having tested it first, but there is nothing like hundreds of thousands of packets per hour to show the weak spots. I made the mistake of setting

Need some further help on ipfw rules

2009-06-22 Thread Anton
Hello freebsd-questions, Finally, I've got to work my ipfw firewall with two NATs (one for local resources, provided by ISP, one for VPN - which leads me to Internet). But I need further help on it :-( Here are my rules: #!/bin/sh ipfw='/sbin/ipfw -q' mynet='192

Re: Performance loss with dynamic IPFW rules

2008-12-30 Thread KES
Hello, KES. You wrote on December 30, 2008, 21:47:40: K> Hello, Questions. K> 1 allow all from any to any via rl0 K> 2 allow all from any to any via rl1 K> 109 skipto 110 tcp from any to any 80 in recv $iface #split only http traffic K> 109 skipto 200 all from any to any #do not

Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Daan Vreeken [PA4DAN]
On Monday 19 January 2004 00:47, Andrew L. Gould wrote: > I can't seem to get the ipfw rules right for letting ssh clients access a > ssh server. I can use ssh on the server to connect to the client; but if I > try to connect from the client to the server, the operation times out.

Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Andrew L. Gould
On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote: > On Monday 19 January 2004 00:47, Andrew L. Gould wrote: > > I can't seem to get the ipfw rules right for letting ssh clients access a > > ssh server. I can use ssh on the server to connect to the client;

Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Andrew L. Gould
Does portmap have to be enabled to connect to sshd? Thanks, Andrew Gould

Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Andrew Boothman
Andrew L. Gould wrote: Does portmap have to be enabled to connect to sshd? No

Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Andrew L. Gould
On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote: > > You forgot the packets in the other direction... This should do the trick : > > ${fwcmd} add 00300 allow tcp from any to me 22 > ${fwcmd} add 00301 allow tcp from me 22 to any > > grtz, > Daan It worked. Thanks, Andrew Gould

Re: Effective ipfw rules for blocking MSN Messenger ... ?

2004-12-23 Thread Chuck Swiger
Marc G. Fournier wrote: I just setup a FreeBSD box for a router, so that I could make use of ipfw to block MSN Messenger traffic ... but I'm having a bugger of a time finding a "definitive" list of what needs to be blocked :( MSN Messenger appears to be smart enough to go *around* the usual port

RE: Effective ipfw rules for blocking MSN Messenger ... ?

2004-12-23 Thread Tom Connolly
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Swiger Sent: Thursday, December 23, 2004 3:33 PM To: Marc G. Fournier Cc: freebsd-questions@freebsd.org Subject: Re: Effective ipfw rules for blocking MSN Messenger ... ? Marc G. Fournier wrote: >

RE: Effective ipfw rules for blocking MSN Messenger ... ?

2004-12-23 Thread Tom Connolly
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Swiger Sent: Thursday, December 23, 2004 3:33 PM To: Marc G. Fournier Cc: freebsd-questions@freebsd.org Subject: Re: Effective ipfw rules for blocking MSN Messenger ... ? Marc G. Fournier wrote: >

problems with adding ipfw rules via raw sockets

2003-01-22 Thread Alex
Hi ppl! I need to use direct access to ipfw rules via raw sockets instead of some scripts using ipfw utility. I looked into ipfw sources and made a simple program to test if I could add a simple rule this way. Just rewrote pieces of original code into my program w/out any serious change. But

please comment on my nat/ipfw rules (resent)

2003-01-31 Thread Redmond Militante
ping out and receive response back add 00502 allow icmp from any to any icmptypes 8 out add 00503 allow icmp from any to any icmptypes 0 in ##allow me to run traceroute add 00504 allow icmp from any to any icmptypes 11 in add 00600 deny log ip from any to any #--- end ipfw.rules ---

Sanity-check for my (working) ipfw rules please...

2006-07-10 Thread Ensel Sharon
above all of my bad-behavior lines ? That is, by allowing all established, is it possible that some of those bad tcp packets could be let in before they hit my bad-behavior block of ipfw rules ? Or are all of those bad behaviors inconsistent with being an established tcp session ? Second, are

Re: ipfw rules for all interfaces not working ...

2007-12-18 Thread Nikos Vassiliadis
On Monday 17 December 2007 19:06:29 Gore Jarold wrote: > My main goal is to lock down my ipfw rules so that > when I run nmap, all I see is: > > Interesting ports on 192.168.0.10: > Not shown: 1677 closed ports > PORTSTATE SERVICE > 22/tcp open ssh > MAC Address: 00

RE: Please Help with Confusion about ipfw rules.

2007-07-27 Thread fbsd2
I use the sample ipfw rules with keep state as shown in the handbook firewall section. People on this list don't have ESP so they can't read your mind about what rules you have coded. Posting your ipfw rule set will go a long way to getting a response from readers of this list. That be

Please Help with Confusion about ipfw rules. Solved.

2007-07-27 Thread Martin McCormick
"fbsd2" writes: > I use the sample ipfw rules with keep state as shown in the handbook they do work fine. They just aren't meant for the kind of load they were under. I needed to know how to get the same functionality by other means. If you use the keep-state directive

"me" in ipfw rules - does it include aliases?

2009-09-07 Thread Tom Worster
the ipfw man page says: me matches any IP address configured on an interface in the system. which suggests that if i code my rules using "me" then when i add an alias ip address to an interface with ifconfig, these "me" rules will immediately work for the newly added address as they do for ot

RE: please comment on my nat/ipfw rules (resent)

2003-01-31 Thread JoeB
8:18 AM To: [EMAIL PROTECTED] Subject: please comment on my nat/ipfw rules (resent) hi all i have my test machine set up as a gateway box, with ipfw/natd configured on it, set up to filter/redirect packets bound for a client on my internal network. external ip of my internal client is aliased to

Re: please comment on my nat/ipfw rules (resent)

2003-01-31 Thread Redmond Militante
ll udp out from machine > add 00404 allow udp from any to any out via xl0 > > #allow some icmp types (codes not supported) > ######allow path-mtu in both directions > add 00500 allow icmp from any to any icmptypes 3 > ##allow source quench in and out > add 00501

RE: please comment on my nat/ipfw rules (resent)

2003-01-31 Thread JoeB
ed is 32768 bytes. Change from 16384. In release 4.5 the defaults # for these values changed upwards to what they are below. net.inet.tcp.sendspace=32768 net.inet.tcp.recvspace=65536 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Redmond Militant

Re: Sanity-check for my (working) ipfw rules please...

2006-07-10 Thread Chuck Swiger
Ensel Sharon wrote: [ ... ] Two questions: is it appropriate to have line 01000 above all of my bad-behavior lines ? "established" means "ACK and not SYN", basically. Your "bad behavior" rules wouldn't really match anything which matches established, but it's probably better to block known-ba

Re: Sanity-check for my (working) ipfw rules please...

2006-07-10 Thread Nick Withers
; Two questions: is it appropriate to have line 01000 above all of my > bad-behavior lines ? That is, by allowing all established, is it possible > that some of those bad tcp packets could be let in before they hit my > bad-behavior block of ipfw rules ? Or are all of those bad behaviors >

Re: Sanity-check for my (working) ipfw rules please...

2006-07-10 Thread Nick Withers
On Tue, 11 Jul 2006 13:16:21 +1000 Nick Withers <[EMAIL PROTECTED]> wrote: > On Mon, 10 Jul 2006 18:38:51 -0400 (EDT) > Ensel Sharon <[EMAIL PROTECTED]> wrote: > > > > > My individual hosts have a set of firewall rules on each of them that > > looks like this: (snip) > > Second, are there any

Re: "me" in ipfw rules - does it include aliases?

2009-09-07 Thread Nikos Vassiliadis
Tom Worster wrote: the ipfw man page says: me matches any IP address configured on an interface in the system. which suggests that if i code my rules using "me" then when i add an alias ip address to an interface with ifconfig, these "me" rules will immediately work for the newly added addr

Re: "me" in ipfw rules - does it include aliases?

2009-09-08 Thread Nikos Vassiliadis
Tom Worster wrote: thanks, nikos. You're welcome. i'm interested in your other comment about the risks of using "me". All I am saying is that you have to take care of "attacks" which use "me" addresses. Packets with source address a "me" address coming from a network interface, AKA spoo

Re: "me" in ipfw rules - does it include aliases?

2009-09-08 Thread Tom Worster
On 9/8/09 2:58 AM, "Nikos Vassiliadis" wrote: > Tom Worster wrote: >> the ipfw man page says: >> >> me matches any IP address configured on an interface in the system. >> >> which suggests that if i code my rules using "me" then when i add an alias >> ip address to an interface with ifconfi

Re[2]: BUG! Performance loss with dynamic IPFW rules

2008-12-30 Thread KES
Hello, KES. You wrote on December 30, 2008, 22:29:50: K> Hello, KES. K> You wrote on December 30, 2008, 21:47:40: K>> Hello, Questions. K>> 1 allow all from any to any via rl0 K>> 2 allow all from any to any via rl1 K>> 109 skipto 110 tcp from any to any 80 in recv $iface

RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?

2004-06-08 Thread JJB
Thomas Wolf Sent: Thursday, June 03, 2004 3:00 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state? JJB <[EMAIL PROTECTED]> schrieb: > Where do you get off calling my questioning of Luigi Rizzo's answer > as an

RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?

2004-06-09 Thread Thomas Wolf
cked and it works fine on my system. Thomas > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Thomas Wolf > Sent: Thursday, June 03, 2004 3:00 AM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: RE: does NATd _prevent_

Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]

2002-10-26 Thread D. Penev
On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote: Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts <[EMAIL PROTECTED]> To: Andrew Boothman <[EMAIL PROTECTED]> Cc: [EMAIL PROTECTED], FreeBSD Questions <[EMAIL PROTECTED]>

Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]

2002-10-26 Thread Stacey Roberts
t back to if you would require more information in assisting me in resolving this. Thanks On Sat, 2002-10-26 at 22:26, D. Penev wrote: > On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote: > >Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] > >From: Stacey

Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]

2002-10-27 Thread D. Penev
On Sat, Oct 26, 2002 at 10:47:48PM +0100, Stacey Roberts wrote: Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts <[EMAIL PROTECTED]> To: "D. Penev" <[EMAIL PROTECTED]> Cc: FreeBSD Questions <[EMAIL PROTECTED]> Date: 26

Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]

2002-10-27 Thread Stacey Roberts
n2K box. Hope this helps. Stacey On Sun, 2002-10-27 at 07:15, D. Penev wrote: > On Sat, Oct 26, 2002 at 10:47:48PM +0100, Stacey Roberts wrote: > >Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] > >From: Stacey Roberts <[EMAIL PROTECTED]> > &

Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]

2002-10-27 Thread D. Penev
On Sun, Oct 27, 2002 at 10:50:47AM +, Stacey Roberts wrote: Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?] From: Stacey Roberts <[EMAIL PROTECTED]> To: "D. Penev" <[EMAIL PROTECTED]> Cc: FreeBSD Questions <[EMAIL PROTECTED]> Date: 27
