From owner-freebsd-ipfw Mon Aug 28 08:25:38 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from c014.sfo.cp.net (c014-h017.c014.sfo.cp.net [209.228.12.81]) by hub.freebsd.org (Postfix) with SMTP id 2802F37B507 for ; Mon, 28 Aug 2000 08:25:30 -0700 (PDT)
Received: (cpmta 14258 invoked from network); 28 Aug 2000 08:25:29 -0700
Received: from m12hRs4n205.midsouth.rr.com (HELO development1) (24.95.125.205) by smtp.valuedata.net (209.228.12.81) with SMTP; 28 Aug 2000 08:25:29 -0700
X-Sent: 28 Aug 2000 15:25:29 GMT
Message-ID: <002d01c01103$ed055e60$0200000a@development1>
From: "Daryl Chance"
To: "FreeBSD IPFW"
Subject: ipfw add exec(blah)....
Date: Mon, 28 Aug 2000 10:23:31 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

Has there ever been any type of discussion about adding something to ipfw to execute a certain command if a fw rule is triggered? There could be a little use for this, but the only couple I can really think of are:

a) if a deny rule is triggered you could run tcpdump for a little; the rule could possibly pass on some variables to the script (ip address:port denied) so you could pipe tcpdump through grep for the ip addie/port, watching for any other attempts.

b) you could set up a script to email you or play a sound wav or some visual type of alert.

Thoughts? I don't know much about the IPFW code, so I couldn't code a patch for it :). Is this a good idea? Or could it allow for a possible security problem?

Thanks,
--------------------------------------------------------
| Daryl Chance   | I have made this letter longer than  |
| Valuedata, LLC | usual because I lacked the time to   |
| Memphis, TN    | make it shorter.  -- Blaise Pascal   |
--------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Aug 28 08:41:38 2000
Received: from c014.sfo.cp.net (c014-h023.c014.sfo.cp.net [209.228.12.87]) by hub.freebsd.org (Postfix) with SMTP id CCA5237B43E for ; Mon, 28 Aug 2000 08:41:32 -0700 (PDT)
Received: (cpmta 9292 invoked from network); 28 Aug 2000 08:31:02 -0700
Received: from m12hRs4n205.midsouth.rr.com (HELO development1) (24.95.125.205) by smtp.valuedata.net (209.228.12.87) with SMTP; 28 Aug 2000 08:31:02 -0700
X-Sent: 28 Aug 2000 15:31:02 GMT
Message-ID: <005f01c01104$b382a980$0200000a@development1>
From: "Daryl Chance"
To: "FreeBSD IPFW"
Subject: ipfw add exec(blah)....
Date: Mon, 28 Aug 2000 10:29:04 -0500
X-Mailer: Microsoft Outlook Express 5.50.4133.2400

Hi,

Has there ever been any type of discussion about adding something to ipfw to execute a certain command if a fw rule is triggered? There could be a little use for this, but the only couple I can really think of are:

a) if a deny rule is triggered you could run tcpdump for a little; the rule could possibly pass on some variables to the script (ip address:port denied) so you could pipe tcpdump through grep for the ip addie/port, watching for any other attempts.

b) you could set up a script to email you or play a sound wav or some visual type of alert.

Thoughts? I don't know much about the IPFW code, so I couldn't code a patch for it :). Is this a good idea? Or could it allow for a possible security problem?

Thanks,
--------------------------------------------------------
| Daryl Chance   | I have made this letter longer than  |
| Valuedata, LLC | usual because I lacked the time to   |
| Memphis, TN    | make it shorter.  -- Blaise Pascal   |
--------------------------------------------------------

From owner-freebsd-ipfw Mon Aug 28 16:13:48 2000
Received: from ns1.rresearch.com (ip104.gte21.rb1.bel.nwlink.com [207.202.191.104]) by hub.freebsd.org (Postfix) with ESMTP id CAA6537B423 for ; Mon, 28 Aug 2000 16:13:45 -0700 (PDT)
Received: from ns1.rresearch.com (localhost.rresearch.com [127.0.0.1]) by ns1.rresearch.com (8.9.3/8.9.3) with ESMTP id QAA43037; Mon, 28 Aug 2000 16:13:44 -0700 (PDT) (envelope-from sab@ns1.rresearch.com)
Message-Id: <200008282313.QAA43037@ns1.rresearch.com>
To: "Daryl Chance"
Cc: "FreeBSD IPFW"
Subject: Re: ipfw add exec(blah)....
References: <005f01c01104$b382a980$0200000a@development1>
In-reply-to: <005f01c01104$b382a980$0200000a@development1>
From: Scott Blachowicz
Reply-To: scott@sabmail.rresearch.com
Date: Mon, 28 Aug 2000 16:13:44 -0700

"Daryl Chance" wrote:
> Has there ever been any type of discussion about adding
> something to ipfw to execute a certain command if a fw
> rule is triggered?

Well...ipfw can log to syslog and syslogd can run a command on receipt of messages - check 'man syslog.conf' for details.
I'd guess that since the capability is already there in that form, it shouldn't be necessary to stick it in ipfw "itself".

-- 
Scott.Blachowicz@seaslug.org

From owner-freebsd-ipfw Mon Aug 28 16:19:28 2000
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 574CC37B443 for ; Mon, 28 Aug 2000 16:19:27 -0700 (PDT)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id D08ED1C41; Mon, 28 Aug 2000 19:19:26 -0400 (EDT)
Date: Mon, 28 Aug 2000 19:19:26 -0400
From: Bill Fumerola
To: Scott Blachowicz
Cc: Daryl Chance, FreeBSD IPFW
Subject: Re: ipfw add exec(blah)....
Message-ID: <20000828191926.O33771@jade.chc-chimes.com>
References: <005f01c01104$b382a980$0200000a@development1> <200008282313.QAA43037@ns1.rresearch.com>
X-Mailer: Mutt 1.0i
In-Reply-To: <200008282313.QAA43037@ns1.rresearch.com>; from scott@sabmail.rresearch.com on Mon, Aug 28, 2000 at 04:13:44PM -0700
X-Operating-System: FreeBSD 3.3-STABLE i386

On Mon, Aug 28, 2000 at 04:13:44PM -0700, Scott Blachowicz wrote:
> Well...ipfw can log to syslog and syslogd can run a command on receipt
> of messages - check 'man syslog.conf' for details. I'd guess that
> since the capability is already there in that form, it shouldn't be
> necessary to stick it in ipfw "itself".

Yes. Matt Ayres and I discussed this today and we pretty much both agreed that this would be the work of an external daemon monitoring the packet count or looking for specific syslog type things.

The logistics of trying to make ipfw run a program aren't something I'd like to think about either.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-ipfw Tue Aug 29 02:05:28 2000
Received: from ipamzlx.physik.uni-mainz.de (ipamzlx.Physik.Uni-Mainz.DE [134.93.180.54]) by hub.freebsd.org (Postfix) with ESMTP id 79DC737B43E for ; Tue, 29 Aug 2000 02:05:24 -0700 (PDT)
Received: from ipamzlx.Physik.Uni-Mainz.DE (ipamzlx.Physik.Uni-Mainz.DE [134.93.180.54]) by ipamzlx.physik.uni-mainz.de (8.11.0/8.9.3) with ESMTP id e7T97o823656 for ; Tue, 29 Aug 2000 11:07:50 +0200 (CEST) (envelope-from ohartman@ipamzlx.physik.uni-mainz.de)
Date: Tue, 29 Aug 2000 11:07:50 +0200 (CEST)
From: "O. Hartmann"
To: freebsd-ipfw@freebsd.org
Subject: IPFIREWALL or IPFILTER? What are the benefits of each filter?
Message-ID:

Dear Sirs,

Using FreeBSD 4.1-STABLE on our servers I'm confronted with the need for security. I have the choice of two IP filtering facilities in FreeBSD's kernel, but can anybody tell me what the benefits of each one are?

At this moment I try IPFIREWALL and it seems to be good, the syntax is easy to understand, since the last revision we got a stateful filtering instance and so on. But what about IPFILTER?

At this stage I think choosing one or the other technique will be easy; the ease of understanding the syntax is not the problem, I think the main focus should be on flexibility.

If anyone out here can describe the differences and benefits of each firewall unit, please feel free to answer.

Thanks a lot,
Regards,
O. Hartmann
-------------------------------------------------------------------
ohartman@ipamzlx.physik.uni-mainz.de
Climate data server of the IPA, Universitaet Mainz
Network and systems support

From owner-freebsd-ipfw Thu Aug 31 11:47:17 2000
Received: from bcbso.bcbso.com (bcbso.bcbso.com [199.2.126.250]) by hub.freebsd.org (Postfix) with SMTP id E413337B423 for ; Thu, 31 Aug 2000 11:47:14 -0700 (PDT)
Received: from taurus.bcbso.com by bcbso.bcbso.com via smtpd (for [216.136.204.18]) with SMTP; 31 Aug 2000 18:47:14 UT
Received: (private information removed)
Received: (private information removed)
X-Lotus-FromDomain: TBG
From: "Robert A Clark"
To: freebsd-ipfw@freebsd.org
Message-ID: <8825694C.00672786.00@notes.or.regence.com>
Date: Thu, 31 Aug 2000 11:40:01 -0700
Subject: Test / Question.

Where should I look for documentation on how to use ipfw?

Are there any tutorials I can read?

A flowchart of the route a packet travels through ipfw, divert, and the stack in general would be nice.

Thanks.
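What Scott Blachowicz and Bill Fumerola describe earlier in this thread, put together as an added example (this is not code from any message here, nor from FreeBSD): an ipfw `deny log` rule, a syslog.conf line that pipes the security facility into a program, and the program itself, which counts denies per source over a time window and runs tcpdump against a repeat offender, which is Daryl's case (a). The rule number, the pipe target path `/usr/local/sbin/ipfw-react`, the interface name `fxp0`, the threshold and the sample log lines are constructed for the example; the log-line shape is that of ipfw(8) on FreeBSD 4.x with syslogd's timestamp, host and `/kernel:` prefix in front of it.

```python
"""
ipfw-react: act on ipfw(8) 'log' rules through a syslog.conf pipe.

Added example for this thread, not code posted by any participant.  Assumed
FreeBSD-side configuration (constructed for the example):

    # ipfw rule that logs denied inbound SSH connection attempts
    ipfw add 1000 deny log tcp from any to me 22 in

    # /etc/syslog.conf: ipfw logs under the security facility; pipe it here
    security.*    | /usr/local/sbin/ipfw-react

syslogd runs the pipe target as root, so the parser, not the policy, is the
security boundary: a line that is not exactly what the kernel emits never
reaches a command.
"""
import ipaddress
import re
import subprocess
import sys
import time
from collections import defaultdict, deque

# Kernel log line as it arrives after syslogd's "date host /kernel:" prefix,
# e.g. "ipfw: 1000 Deny TCP 10.1.2.3:40112 192.0.2.10:22 in via fxp0".
# Ports are optional so ICMP lines ("Deny ICMP:8.0 a.b.c.d e.f.g.h ...") parse.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+) (?P<proto>[A-Za-z0-9:.]+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<ifname>[A-Za-z]+\d+)\b"
)


def parse_ipfw_line(line):
    """Dict for a well-formed ipfw log line; None for anything else."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    try:
        src, dst = ipaddress.IPv4Address(d["src"]), ipaddress.IPv4Address(d["dst"])
    except ValueError:              # e.g. 999.1.1.1 passes the regex, not this
        return None
    return {"rule": int(d["rule"]), "action": d["action"], "proto": d["proto"],
            "src": str(src), "sport": int(d["sport"]) if d["sport"] else None,
            "dst": str(dst), "dport": int(d["dport"]) if d["dport"] else None,
            "dir": d["dir"], "ifname": d["ifname"]}


class DenyTracker:
    """Sliding-window count of Deny hits per source: the external daemon
    'looking for specific syslog type things' of Bill Fumerola's reply."""

    def __init__(self, threshold=3, window_s=60.0):
        self.threshold = threshold
        self.window_s = window_s
        self.hits = defaultdict(deque)

    def record(self, event, now):
        """True exactly when a source reaches the threshold within the window."""
        if event["action"] != "Deny":
            return False
        q = self.hits[event["src"]]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) == self.threshold


def react(event, dry_run=True):
    """Daryl's case (a): capture the offender's follow-on traffic for a while.
    argv list, never a shell string, so nothing lifted from a log line is
    ever seen by /bin/sh.  Returns the argv so callers can inspect it."""
    argv = ["tcpdump", "-n", "-i", event["ifname"], "-c", "200", "host", event["src"]]
    if not dry_run:
        subprocess.Popen(argv)
    return argv


def run_on_lines(lines, threshold=3, dry_run=True, clock=None):
    """Feed log lines through the tracker; return the argv of each reaction.
    clock defaults to the line index, which keeps the demo deterministic."""
    tracker, fired = DenyTracker(threshold=threshold), []
    for i, line in enumerate(lines):
        event = parse_ipfw_line(line)
        if event is not None and tracker.record(event, clock() if clock else float(i)):
            fired.append(react(event, dry_run=dry_run))
    return fired


# Constructed sample of what syslogd would write to stdin: four denied SSH
# attempts from one host, an accepted web hit, an ICMP deny, and a forged
# line with a shell payload where the source address belongs.
SAMPLE_LOG = [
    "Aug 28 10:23:31 fw /kernel: ipfw: 1000 Deny TCP 10.1.2.3:40112 192.0.2.10:22 in via fxp0",
    "Aug 28 10:23:31 fw /kernel: ipfw: 1000 Deny TCP 10.1.2.3:40113 192.0.2.10:22 in via fxp0",
    "Aug 28 10:23:32 fw /kernel: ipfw: 900 Accept TCP 198.51.100.7:51000 192.0.2.10:80 in via fxp0",
    "Aug 28 10:23:33 fw /kernel: ipfw: 1000 Deny ICMP:8.0 203.0.113.9 192.0.2.10 in via fxp0",
    "Aug 28 10:23:33 fw /kernel: ipfw: 1000 Deny TCP 10.1.2.3:40114 192.0.2.10:22 in via fxp0",
    "Aug 28 10:23:34 fw /kernel: ipfw: 1000 Deny TCP 10.1.2.3:40115 192.0.2.10:22 in via fxp0",
    "Aug 28 10:23:36 fw /kernel: ipfw: 1000 Deny TCP $(reboot):1 192.0.2.10:22 in via fxp0",
]

if __name__ == "__main__":
    if sys.stdin.isatty():                   # no syslogd on stdin: demo on the sample
        for argv in run_on_lines(SAMPLE_LOG):
            print("would run:", " ".join(argv))
    else:                                    # real use: fed by syslogd's pipe
        run_on_lines(sys.stdin, dry_run=False, clock=time.time)
```

The answer to Daryl's question about a possible security problem lives in the parser. syslogd runs the pipe target as root, and a syslog message is attacker-influenced data (trivially so if syslogd accepts messages from the network). Building a shell string from a field of the log line, something like `os.system("tcpdump host " + src)`, is a command injection; matching the exact line shape, validating the address with `ipaddress`, and executing an argv list rather than a shell string is what keeps the forged line in the sample an attempt and nothing more. Two operational caveats: when a verbose limit is set (net.inet.ip.fw.verbose_limit), ipfw stops logging a rule after that many matches until the log counters are reset, so a log-fed daemon can miss events under load; and a handler that blocks while tcpdump runs would stall the pipe, which is why it is started with `Popen` and not waited on.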
From owner-freebsd-ipfw Thu Aug 31 14:01:54 2000
Received: from pike.osd.bsdi.com (pike.osd.bsdi.com [204.216.28.222]) by hub.freebsd.org (Postfix) with ESMTP id 5171237B422 for ; Thu, 31 Aug 2000 14:01:52 -0700 (PDT)
Received: from localhost (logo@localhost) by pike.osd.bsdi.com (8.9.3/8.9.3) with ESMTP id OAA05218; Thu, 31 Aug 2000 14:01:41 -0700 (PDT) (envelope-from logo@pike.osd.bsdi.com)
Date: Thu, 31 Aug 2000 14:01:41 -0700 (PDT)
From: Valentino Vaschetto
To: Robert A Clark
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Test / Question.
In-Reply-To: <8825694C.00672786.00@notes.or.regence.com>
Message-ID:

There is a file called rc.firewall where there are many, many examples on how to use ipfw. As for a chart, I think I remember seeing it in the handbook, http://www.freebsd.org.

-val

On Thu, 31 Aug 2000, Robert A Clark wrote:
> Where should I look for documentation on how to use ipfw?
>
> Are there any tutorials I can read?
>
> A flowchart of the route a packet travels through ipfw, divert, and the stack in
> general would be nice.
>
> Thanks.

From owner-freebsd-ipfw Fri Sep 1 06:09:41 2000
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C16C337B423 for ; Fri, 1 Sep 2000 06:09:38 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id JAA38724; Fri, 1 Sep 2000 09:09:21 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Fri, 1 Sep 2000 09:09:21 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Bill Fumerola
Cc: Scott Blachowicz, Daryl Chance, FreeBSD IPFW
Subject: Re: ipfw add exec(blah)....
In-Reply-To: <20000828191926.O33771@jade.chc-chimes.com>
Message-ID:

On Mon, 28 Aug 2000, Bill Fumerola wrote:
> On Mon, Aug 28, 2000 at 04:13:44PM -0700, Scott Blachowicz wrote:
>
> > Well...ipfw can log to syslog and syslogd can run a command on receipt
> > of messages - check 'man syslog.conf' for details. I'd guess that
> > since the capability is already there in that form, it shouldn't be
> > necessary to stick it in ipfw "itself".
>
> Yes. Matt Ayres and I discussed this today and we pretty much both agreed
> that this would be the work of an external daemon monitoring the packet
> count or looking for specific syslog type things.
>
> The logistics of trying to make ipfw run a program aren't something I'd
> like to think about either.

Another possibility, if you don't mind overhead, is to have a daemon listening on an IPDIVERT of the relevant packets, and the daemon can perform whatever action is necessary. You're already going to have a transition to userland or even a userland context switch by virtue of the desire to exec, and managing it this way would provide access to the packet for the purposes of more complex decision making, as well as immediate notification as opposed to polling of counters or log entries. And depending on the requirements, the daemon could exec something, or perform the action directly itself, and optionally reinsert the packet for IP stack processing.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
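The divert-socket daemon Robert Watson outlines, as an added example (not his code, nor FreeBSD's): an ipfw rule that diverts the traffic of interest to a divert port, a daemon that binds that port, parses each packet with the whole thing in hand, decides, execs something when it wants to alert, and re-injects what it keeps with the address recvfrom() returned so that ipfw processing resumes after the divert rule. The rule, the divert port 8668, the IPPROTO_DIVERT value (258, FreeBSD's value; it is assumed here that Python's socket module does not export the constant), the per-source SYN threshold and the constructed test packet are all assumptions of the example. Only serve() needs FreeBSD and root; the parsing and the policy run anywhere.

```python
"""
divertd: the IPDIVERT daemon sketched in Robert Watson's reply.

Added example, not his code or FreeBSD's.  Assumed rule (constructed):

    ipfw add 1000 divert 8668 tcp from any to me 22 in

Matching packets leave the kernel through divert port 8668.  The daemon
sees the whole packet, decides, and re-injects what it keeps with sendto()
using the address recvfrom() supplied, so ipfw resumes after rule 1000.
"""
import socket
import struct
import subprocess

IPPROTO_DIVERT = 258   # FreeBSD's value; assumed not exported by Python's socket module
DIVERT_PORT = 8668     # assumed; must match the divert rule above


def parse_ipv4(pkt):
    """(proto, src, dst, sport, dport) from a raw IPv4 packet, or None."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _sum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    sport = dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:   # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport


def tcp_flags(pkt):
    """TCP flags byte, or None when the packet is not TCP or is truncated."""
    info = parse_ipv4(pkt)
    if info is None or info[0] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 13] if len(pkt) >= ihl + 14 else None


class DivertPolicy:
    """Per-packet decision with the packet in hand: count fresh SYNs per source,
    alert when a source hits the limit, drop everything from it past that."""

    def __init__(self, max_syn_per_src=3):
        self.max_syn = max_syn_per_src
        self.syns = {}

    def decide(self, pkt):
        """Return (verdict, info) with verdict one of 'pass', 'alert', 'drop'."""
        info = parse_ipv4(pkt)
        if info is None:
            return "drop", None            # not IPv4 or truncated: never re-inject
        flags = tcp_flags(pkt)
        if flags is not None and flags & 0x02 and not flags & 0x10:   # SYN without ACK
            n = self.syns.get(info[1], 0) + 1
            self.syns[info[1]] = n
            if n > self.max_syn:
                return "drop", info
            if n == self.max_syn:
                return "alert", info
        return "pass", info


def serve(port=DIVERT_PORT, policy=None):
    """Bind the divert port and process packets forever (FreeBSD, as root)."""
    policy = policy or DivertPolicy()
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    s.bind(("0.0.0.0", port))
    while True:
        pkt, addr = s.recvfrom(65535)      # addr says where in ipfw to resume
        verdict, info = policy.decide(pkt)
        if verdict == "alert":              # "the daemon could exec something"
            subprocess.Popen(["logger", "-p", "security.notice",
                              "divertd: SYN burst from %s" % info[1]])
        if verdict != "drop":               # "optionally reinsert the packet"
            s.sendto(pkt, addr)


def make_tcp_packet(src, dst, sport, dport, flags):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


if __name__ == "__main__":
    pol = DivertPolicy()
    syn = make_tcp_packet("10.1.2.3", "192.0.2.10", 40112, 22, 0x02)
    for _ in range(4):
        print(pol.decide(syn)[0])           # pass, pass, alert, drop
```

Two things to check before relying on this. A divert rule whose port has no listener drops the matching traffic, so the daemon's uptime becomes the service's uptime and the rule should be installed after the daemon is bound, not before. And the address tuple Python returns from recvfrom() keeps the sin_addr/sin_port pair the kernel uses to decide whether a re-injected packet is inbound or outbound and where to resume, but not sin_zero, which divert(4) also uses to carry the inbound interface name; confirm re-injection of inbound packets behaves on your release before trusting it. The SYN counter here never decays; a real daemon would age entries over a time window.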