From owner-freebsd-ipfw Sun Dec 10 12:30:29 2000
Date: Sun, 10 Dec 2000 12:30:17 -0800 (PST)
From: "Crist J. Clark"
Message-Id: <200012102030.eBAKUHl16220@149.211.6.64.reflexcom.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: ipfw fragment logging misses first frag
Reply-To: cjc@149.211.6.64.reflexcom.com
X-send-pr-version: 3.2

>Submitter-Id:	current-users
>Originator:	Crist J. Clark
>Organization:
>Confidential:	no
>Synopsis:	ipfw fragment logging misses first frag
>Severity:	non-critical
>Priority:	low
>Category:	kern
>Release:	FreeBSD 4.1-STABLE i386
>Class:		sw-bug
>Environment:
FreeBSD 4-STABLE and 5-CURRENT. Probably earlier versions as well.

>Description:
Fragmented IP datagrams are logged in sys/netinet/ip_fw.c with the following
code,

	if ((ip->ip_off & IP_OFFMASK))
		snprintf(SNPARGS(fragment, 0), " Fragment = %d",
		    ip->ip_off & IP_OFFMASK);
	else
		fragment[0] = '\0';

That is, it tests whether this datagram has a non-zero offset, and if it does,
it prints the offset (somewhat misleadingly labeled as "Fragment ="). There is
a problem with this methodology. It misses first fragments, that is, fragments
with zero offset.

>How-To-Repeat:
If you have a machine running ipfw with logging enabled, try this little
trick,

	# ipfw add 10 pass log icmp from 127.0.0.1 to 127.0.0.1 in via lo0
	# ifconfig lo0 mtu 1000
	# ping -c 1 -s 5000 127.0.0.1
	PING 127.0.0.1 (127.0.0.1): 5000 data bytes
	5008 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.657 ms

	--- 127.0.0.1 ping statistics ---
	1 packets transmitted, 1 packets received, 0% packet loss
	# ifconfig lo0 mtu 16384
	# ipfw delete 10

Now notice the log entries generated,

	ipfw: 10 Accept ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0
	ipfw: 10 Accept ICMP 127.0.0.1 127.0.0.1 in via lo0 Fragment = 122
	ipfw: 10 Accept ICMP 127.0.0.1 127.0.0.1 in via lo0 Fragment = 244
	...
	ipfw: 10 Accept ICMP 127.0.0.1 127.0.0.1 in via lo0 Fragment = 610

The first fragment is not identified as a fragment.
>Fix:
There are a number of issues with ipfw logging. For fragments, there is no way
to tell in logs which fragments belong together, first fragments are not seen,
nor are final fragments marked. Adding all of that would mean making changes
that some people would not like if for no other reason than it would be a
change. However, adding the functionality to log first fragments appropriately
is a trivial code change and I cannot think of any reason why someone would
argue against it,

--- ip_fw.c.orig	Sun Dec 10 12:22:54 2000
+++ ip_fw.c	Sun Dec 10 12:24:43 2000
@@ -607,7 +607,7 @@
 			break;
 		}
-		if ((ip->ip_off & IP_OFFMASK))
+		if ((ip->ip_off & (IP_OFFMASK | IP_MF)))
 			snprintf(SNPARGS(fragment, 0), " Fragment = %d",
 			    ip->ip_off & IP_OFFMASK);
 		else

That is, rather than check if the fragment offset is non-zero, we just check if
the fragment offset is non-zero _or_ the more-fragments bit is set. This will
catch initial fragments with zero offset. This has no runtime cost and simply
makes the logging a little more precise.

Thanks.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Dec 10 22:23:28 2000
Date: Sun, 10 Dec 2000 22:23:16 -0800
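Review bot: the changed condition fixes which packets get the annotation, but the value printed is still `ip->ip_off & IP_OFFMASK`, the offset in 8-octet units, under the `" Fragment = "` label the description above already calls misleading, and a first fragment now logs as `Fragment = 0` with nothing to show that more pieces follow; since IP_MF is being tested anyway, printing the offset in bytes (`(ip->ip_off & IP_OFFMASK) << 3`) and appending a marker when IP_MF is set would let a reader tell first, middle and last fragments apart. Minor: the doubled parentheses in `if ((ip->ip_off & (IP_OFFMASK | IP_MF)))` are carried over from the old line and can be reduced to one pair.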
From: "Crist J. Clark"
To: freebsd-ipfw@freebsd.org
Subject: Extended ipfw Logging
Message-ID: <20001210222316.A19100@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

I wanted to add a little information to my ipfw logs. Initially, I just wanted
to add TCP flags, but once I made the change, I figured I might as well go
ahead and dump most any field of interest. The output of the TCP logging looks
like,

Dec 10 22:07:57 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x02 s=0x7d43188c a=0x00000000 i=0x48bc t=0x40 in via ep0 DF
Dec 10 22:07:57 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:3036 f=0x12 s=0xbdcd5fc5 a=0x7d43188d i=0x11b7 t=0x40 out via ep0 DF
Dec 10 22:07:57 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x10 s=0x7d43188d a=0xbdcd5fc6 i=0x48bd t=0x40 in via ep0 DF
Dec 10 22:07:59 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x18 s=0x7d43188d a=0xbdcd5fc6 i=0x48be t=0x40 in via ep0 DF
Dec 10 22:07:59 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:3036 f=0x18 s=0xbdcd5fc6 a=0x7d431893 i=0x11b8 t=0x40 out via ep0 DF
Dec 10 22:08:00 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x10 s=0x7d431893 a=0xbdcd5fcc i=0x48bf t=0x40 in via ep0 DF
Dec 10 22:08:02 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x11 s=0x7d431893 a=0xbdcd5fcc i=0x48c0 t=0x40 in via ep0 DF
Dec 10 22:08:02 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:3036 f=0x10 s=0xbdcd5fcc a=0x7d431894 i=0x11b9 t=0x40 out via ep0 DF
Dec 10 22:08:02 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:3036 f=0x11 s=0xbdcd5fcc a=0x7d431894 i=0x11ba t=0x40 out via ep0 DF
Dec 10 22:08:02 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x10 s=0x7d431894 a=0xbdcd5fcd i=0x48c1 t=0x40 in via ep0 DF

Where we see TCP flags in the 'f=,' sequence numbers 's=,' acknowledgement
numbers 'a=,' IP ID number 'i=,' and TTL 't=.' Some UDP and ICMP (a
traceroute),

Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept UDP 192.168.64.254:51890 192.168.64.20:33435 i=0xcab3 t=0x01 in via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:3.3 192.168.64.20 192.168.64.254 i=0x11e0 t=0xff out via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept UDP 192.168.64.254:51890 192.168.64.20:33436 i=0xcab4 t=0x01 in via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:3.3 192.168.64.20 192.168.64.254 i=0x11e1 t=0xff out via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept UDP 192.168.64.254:51890 192.168.64.20:33437 i=0xcab5 t=0x01 in via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:3.3 192.168.64.20 192.168.64.254 i=0x11e2 t=0xff out via ep0

Where we see some extra IP parameters again. Finally, some fragmentation
logging (an oversized ping and the pong back),

Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:8.0 192.168.64.254 192.168.64.20 i=0xc47e t=0xff in via ep0 Offset=0*
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0xc47e t=0xff in via ep0 Offset=1480*
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0xc47e t=0xff in via ep0 Offset=2960
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:0.0 192.168.64.20 192.168.64.254 i=0x005d t=0xff out via ep0

The patches are attached.
In addition to the patches, you need to put,

	options		IPFIREWALL_EXTRA_VERBOSE

In your kernel config. The patches were diff'ed from CURRENT, but they work
fine on STABLE.

So, uh, is anyone besides me interested in getting a little more information
in ipfw logs? Let me know if you use these or have suggestions.

If there is anyone interested, I was also considering building a little daemon
that uses divert(4) to do logging and some packet capturing from userland.
Seems like a good way to add arbitrary logging abilities without having to
mess with (and possibly bloat) the kernel. It would also be a good diagnostic
tool, especially with a packet capture ability. Has anyone found themselves
thinking they would find something like that useful? Let me know. I have not
decided if I am going to do it yet.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

Content-Disposition: attachment; filename="ip_fw.patch"

--- ip_fw.c	Sun Dec 10 19:13:17 2000
+++ /usr/src/sys/netinet/ip_fw.c	Sun Dec 10 19:01:03 2000
@@ -573,8 +573,19 @@
 		len += snprintf(SNPARGS(proto, len), "%s",
 		    inet_ntoa(ip->ip_dst));
 		if ((ip->ip_off & IP_OFFMASK) == 0)
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+			snprintf(SNPARGS(proto, len),
+			    ":%d f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x",
+			    ntohs(tcp->th_dport),
+			    tcp->th_flags,
+			    ntohl(tcp->th_seq),
+			    ntohl(tcp->th_ack),
+			    ntohs(ip->ip_id),
+			    ip->ip_ttl);
+#else
 			snprintf(SNPARGS(proto, len), ":%d",
 			    ntohs(tcp->th_dport));
+#endif
 		break;
 	case IPPROTO_UDP:
 		len = snprintf(SNPARGS(proto, 0), "UDP %s",
@@ -587,8 +598,16 @@
 		len += snprintf(SNPARGS(proto, len), "%s",
 		    inet_ntoa(ip->ip_dst));
 		if ((ip->ip_off & IP_OFFMASK) == 0)
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+			snprintf(SNPARGS(proto, len),
+			    ":%d i=0x%04x t=0x%02x",
+			    ntohs(udp->uh_dport),
+			    ntohs(ip->ip_id),
+			    ip->ip_ttl);
+#else
 			snprintf(SNPARGS(proto, len), ":%d",
 			    ntohs(udp->uh_dport));
+#endif
 		break;
 	case IPPROTO_ICMP:
 		if ((ip->ip_off & IP_OFFMASK) == 0)
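Review bot: in this UDP hunk, as in the TCP hunk above it, the new `i=0x%04x t=0x%02x` fields sit inside the `if ((ip->ip_off & IP_OFFMASK) == 0)` branch, so `ip_id` and `ip_ttl` are logged only for the first fragment of a datagram; later fragments, the very packets whose IP ID is needed to tie them back to the first one (the gap the earlier PR in this thread describes), get neither field. Both values come from the IP header, not the transport header, so consider emitting them once after the `switch`, next to where `fragment` is built, instead of repeating the format string in the TCP, UDP, ICMP and default cases; that also removes the duplicated `ntohs(ip->ip_id), ip->ip_ttl` argument lists.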
@@ -598,20 +617,48 @@
 			len = snprintf(SNPARGS(proto, 0), "ICMP ");
 		len += snprintf(SNPARGS(proto, len), "%s",
 		    inet_ntoa(ip->ip_src));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+		snprintf(SNPARGS(proto, len), " %s i=0x%04x t=0x%02x",
+		    inet_ntoa(ip->ip_dst),
+		    ntohs(ip->ip_id),
+		    ip->ip_ttl);
+#else
 		snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#endif
 		break;
 	default:
 		len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
 		    inet_ntoa(ip->ip_src));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+		snprintf(SNPARGS(proto, len), " %s i=0x%04x t=0x%02x",
+		    inet_ntoa(ip->ip_dst),
+		    ntohs(ip->ip_id),
+		    ip->ip_ttl);
+#else
 		snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#endif
 		break;
 	}
-	if ((ip->ip_off & IP_OFFMASK))
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+	if (ip->ip_off & IP_DF)
+		len = snprintf(SNPARGS(fragment, 0), " DF");
+	else {
+		fragment[0] = '\0';
+		len = 0;
+	}
+	if (ip->ip_off & (IP_OFFMASK | IP_MF))
+		len = snprintf(SNPARGS(fragment, len), " Frag=%d",
+		    (ip->ip_off & IP_OFFMASK)<<3);
+	if (ip->ip_off & IP_MF)
+		len = snprintf(SNPARGS(fragment, len), "+");
+#else
+	if (ip->ip_off & (IP_OFFMASK | IP_MF))
 		snprintf(SNPARGS(fragment, 0), " Fragment = %d",
 		    ip->ip_off & IP_OFFMASK);
 	else
 		fragment[0] = '\0';
+#endif
 	if (oif)
 		log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
 		    name, action, proto, oif->if_name, oif->if_unit,
 		    fragment);

Content-Disposition: attachment; filename="options.patch"

--- options	Sun Dec 10 18:25:56 2000
+++ /usr/src/sys/conf/options	Sun Dec 10 01:45:19 2000
@@ -245,6 +245,7 @@
 PFIL_HOOKS			opt_pfil_hooks.h
 IPFIREWALL			opt_ipfw.h
 IPFIREWALL_VERBOSE		opt_ipfw.h
+IPFIREWALL_EXTRA_VERBOSE	opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT	opt_ipfw.h
 IPFIREWALL_FORWARD		opt_ipfw.h

From owner-freebsd-ipfw Tue Dec 12 1:26:46 2000
Date: Tue, 12 Dec 2000 01:26:41 -0800
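Review bot: in the IPFIREWALL_EXTRA_VERBOSE block of the last ip_fw.c hunk, `len = snprintf(SNPARGS(fragment, len), " Frag=%d", ...)` stores the length of that piece alone rather than the running total, so once `" DF"` has been written (len 3) the following `snprintf(SNPARGS(fragment, len), "+")` lands inside the `Frag=` text and truncates it (for a first fragment the buffer ends up as ` DF Fra+`); the surrounding code chains snprintf with `len +=`, and this block should do the same. Two smaller points: the sample output in the message body shows `Offset=0*` and `Offset=1480*` while the patch emits ` Frag=%d` and `+`, so one of the two is stale; and the `#else` branch keeps the old `" Fragment = %d"` label in 8-octet units while the verbose branch prints bytes, so the two kernel builds produce lines a log parser has to treat differently.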
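As an added illustration, not code from either of Crist's messages or from the FreeBSD tree, the C program below applies the three fragment-annotation rules discussed in this thread to constructed ip_off values: the original offset-only test, the PR's `IP_OFFMASK | IP_MF` test, and the IPFIREWALL_EXTRA_VERBOSE rendering, the last both as posted (`len = snprintf(...)`) and with the running length carried forward (`len +=`) so the difference is visible. The bit constants are the standard <netinet/ip.h> values redefined locally, and the sample offsets 122, 185 and 370 are reconstructed from the byte counts in the two log excerpts (976 bytes per piece at MTU 1000, 1480 and 2960 at MTU 1500).

```c
/*
 * Added example (not FreeBSD code): how the fragment tests discussed in this
 * thread behave on the 16-bit ip_off word.  ip_off is assumed to be in host
 * byte order, as it is where ip_fw.c's logging code runs.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_DF      0x4000   /* don't fragment */
#define IP_MF      0x2000   /* more fragments follow */
#define IP_OFFMASK 0x1fff   /* fragment offset, in 8-octet units */

#define FRAGBUF 32          /* scratch buffer, like fragment[] in ip_fw.c */

/* Original ip_fw.c test: annotate only when the offset is non-zero.  A first
 * fragment (offset 0 with IP_MF set) yields "", which is the reported bug. */
const char *frag_original(uint16_t ip_off, char buf[FRAGBUF])
{
	if (ip_off & IP_OFFMASK)
		snprintf(buf, FRAGBUF, " Fragment = %d", ip_off & IP_OFFMASK);
	else
		buf[0] = '\0';
	return buf;
}

/* PR fix: a set more-fragments bit also marks the packet as a fragment. */
const char *frag_pr_fix(uint16_t ip_off, char buf[FRAGBUF])
{
	if (ip_off & (IP_OFFMASK | IP_MF))
		snprintf(buf, FRAGBUF, " Fragment = %d", ip_off & IP_OFFMASK);
	else
		buf[0] = '\0';
	return buf;
}

/* IPFIREWALL_EXTRA_VERBOSE rendering: " DF" when don't-fragment is set, the
 * offset converted to bytes (<<3), and a trailing "+" when more fragments
 * follow.  accumulate == 0 tracks the running length the way the posted patch
 * does (len = snprintf(...)); accumulate != 0 carries it forward (len +=),
 * which is what the rest of ip_fw.c does for chained snprintf calls. */
const char *frag_extended(uint16_t ip_off, char buf[FRAGBUF], int accumulate)
{
	int len = 0;

	buf[0] = '\0';
	if (ip_off & IP_DF)
		len = snprintf(buf, FRAGBUF, " DF");
	if (ip_off & (IP_OFFMASK | IP_MF)) {
		int n = snprintf(buf + len, FRAGBUF - len, " Frag=%d",
		    (ip_off & IP_OFFMASK) << 3);
		len = accumulate ? len + n : n;
	}
	if (ip_off & IP_MF)
		snprintf(buf + len, FRAGBUF - len, "+");
	return buf;
}

int main(void)
{
	/* Constructed ip_off values: the 5000-byte ping from the PR split at
	 * MTU 1000 (122 units = 976 bytes per piece) and the MTU-1500
	 * fragments from the extended-logging sample (1480 bytes per piece). */
	const struct { const char *what; uint16_t ip_off; } pkts[] = {
		{ "unfragmented",               0 },
		{ "unfragmented, DF set",       IP_DF },
		{ "first fragment (MTU 1000)",  IP_MF | 0 },
		{ "second fragment (MTU 1000)", IP_MF | 122 },
		{ "middle fragment (MTU 1500)", IP_MF | 185 },
		{ "last fragment (MTU 1500)",   370 },
	};
	char a[FRAGBUF], b[FRAGBUF], c[FRAGBUF];

	printf("%-28s %-18s %-18s %s\n", "packet", "original", "PR fix",
	    "extended");
	for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
		printf("%-28s %-18s %-18s %s\n", pkts[i].what,
		    frag_original(pkts[i].ip_off, a),
		    frag_pr_fix(pkts[i].ip_off, b),
		    frag_extended(pkts[i].ip_off, c, 1));
	return 0;
}
```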
From: "Crist J. Clark"
To: Jev
Cc: freebsd-ipfw@freebsd.org, darcy@ok-connect.com
Subject: Re: Extended ipfw Logging
Message-ID: <20001212012641.C96105@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001210222316.A19100@149.211.6.64.reflexcom.com> <20001211081137.F9536@ecad.org>
In-Reply-To: <20001211081137.F9536@ecad.org>; from jev@ecad.org on Mon, Dec 11, 2000 at 08:11:37AM +0000

On Mon, Dec 11, 2000 at 08:11:37AM +0000, Jev wrote:
> 
> I would find this highly useful, would be great if you could turn it
> on/off with sysctl :)

Good idea. How's this: I did not add a new sysctl knob, instead, we still use
net.inet.ip.fw.verbose, except that,

	net.inet.ip.fw.verbose=0	# Logging off
	net.inet.ip.fw.verbose=1	# Regular logging
	net.inet.ip.fw.verbose=2	# Enhanced logging

Obviously, we could utilize more levels... but keep it sane.

I made the code change, but it's getting too late for me to do enough testing
to feel OK about posting patches. This sound good though?
-- 
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Tue Dec 12 8:23:22 2000
From: "Carlos Andrade"
Subject: thanks for the info
Date: Tue, 12 Dec 2000 09:20:02 -0700
Message-ID: <000001c06457$618f7da0$fadef9ce@copyco.com>

on having to add a new kernel argument. So I added

	options IPDIVERT

as told to do. Okay now comes the problem. This is the second time I have
rebuilt the kernel. When I type "make install" after "make depend" and then
"make" I get this error:

	$make install
	chflags noschg /kernel
	chflags: /kernel: Operation not permitted
	*** Error code 1 (ignored)
	mv /kernel /kernel.old
	mv: rename /kernel to /kernel.old: Operation not permitted
	*** Error code 1

So what did I do wrong? I followed the method stated in the FreeBSD handbook
for updating kernels. But I get this. Any hints/pointers?

-Carlos Andrade
----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13  915.845.2119 fax
carlos@rjstech.com

From owner-freebsd-ipfw Tue Dec 12 15:31:28 2000
From: "Carlos Andrade"
Subject: sigh, today is just not my day.
Date: Tue, 12 Dec 2000 16:28:46 -0700
Message-ID: <000101c06493$46aa2620$fadef9ce@rjstech.com>

Right, first off thank you to all who helped me out with the kern.securelevel
issue. Okay here we go, the major reason for me to be doing this is that my
boss wants a firewall ASAP. She purchased Checkpoint for $2000-2500, and it
needed a subscription ~$400/year. I talked to her about using a Unix based
firewall solution and the cost would be only in work hours (unlike Checkpoint
which would add $$$). She liked the idea. Our ISP uses FreeBSD, so I thought
what the hell why not. I am coming from a Linux/SunOS background, but more of a
CS student than as an admin. This email list and its members have been great to
me.

Okay so the conundrum. I want to test the FreeBSD (4.1.1) machine. It has two
NICs; ifconfig comes up great (please see attachment info.txt). I have a set of
firewall rules in ipfw that seem to do the trick (please see attachment
rc_firewall.txt). So here goes

*** note that xl1 has no carrier since I unplugged the cross over cable ***

                 My machine (win98)    freebsd machine
ip               192.168.1.250         192.168.1.225 (inside interface)
netmask          255.255.255.224       255.255.255.224
its gateway      192.168.1.225 (the firewall machine)
its dns servers are the same as the freebsd machine's (ie our isp dns servers)

right. So the freebsd machine can see the outside world. When I have my machine
behind the firewall I can't see Jack (if at all). What am I doing wrong? Any
help will be appreciated. I have been poring over the freebsd website,
freebsddiary.org, and other sites.

you guys/gals rock

-Carlos Andrade
----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13  915.845.2119 fax
carlos@rjstech.com

Content-Disposition: attachment; filename="rc_firewall.txt"

############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.6 2000/09/21 07:44:53 ru Exp $

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellowin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
	fi
	;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Prototype setups.
#
case ${firewall_type} in
[Ss][Ii][Mm][Pp][Ll][Ee])

	# I deleted open and client, too many conflicts
	# so we go directly in to simple
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="xl0"
	onet="206.249.222.0"
	omask="255.255.255.224"
	oip="206.249.222.226"

	# set these to your inside interface network and netmask and ip
	iif="xl1"
	inet="192.168.1.0"
	imask="255.255.255.224"
	iip="192.168.1.225"

	#dns servers
	#dns1="204.90.111.2"
	#dns2="205.137.48.5"

	# Stop spoofing
	${fwcmd} add 300 deny all from ${inet}:${imask} to any in via ${oif}
	${fwcmd} add 400 deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add 500 deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add 600 deny all from any to 10.0.0.0/8 out via ${oif}
	${fwcmd} add 700 deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add 800 deny all from any to 172.16.0.0/12 out via ${oif}
	${fwcmd} add 900 deny all from 192.168.0.0/16 to any via ${oif}
	${fwcmd} add 1000 deny all from any to 192.168.0.0/16 out via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add 1100 deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add 1200 deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add 1300 deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add 1400 deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add 1500 deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add 1600 deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add 1700 deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add 1800 deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add 1900 deny all from 240.0.0.0/4 to any via ${oif}
	${fwcmd} add 2000 deny all from any to 240.0.0.0/4 via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add 2100 pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add 2200 pass all from any to any frag

	# TCP STUFF
	# Allow access to sendmail for incoming email
	${fwcmd} add 2300 pass tcp from any to ${oip} 25 setup

	# Allow access to our WWW
	${fwcmd} add 2400 pass tcp from any to ${oip} 80 setup

	#SSH login - allow and log all incoming
	${fwcmd} add 2500 pass log tcp from any to any 22 in via ${oip} setup

	#IDENT - reset incoming connections
	${fwcmd} add 2600 reset tcp from any to any 113 in via ${oif} setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add 2700 deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add 2800 pass tcp from any to any setup

	# UDP STUFF

	# Allow access to our DNS
	#${fwcmd} add 2900 pass udp from any to ${dns1} 53 setup
	#${fwcmd} add 3000 pass udp from any to ${dns2} 53 setup
	#${fwcmd} add 3100 pass udp from ${dns1} 53 to any
	#${fwcmd} add 3200 pass udp from ${dns2} 53 to any

	${fwcmd} add 2900 pass udp from any 53 to ${oip}
	${fwcmd} add 3000 pass udp from ${oip} 53 to any
	${fwcmd} add 3100 pass tcp from any to ${oip} 53 setup

	# SMB - allow local traffic
	${fwcmd} add 3300 pass udp from any to any 137-139 via ${iif}

	# Allow NTP queries out in the world BUT we do it like this
	# allow server-server on outside interface
	# allow client-server on inside interface
	${fwcmd} add 3400 pass udp from any 123 to any 123 via ${oif}
	${fwcmd} add 3500 pass udp from any 123 to any 123 via ${iif}
	${fwcmd} add 3600 pass udp from any to any 123 via ${iif}

	# TRACEROUTE - allow outgoing but not ingoing
	${fwcmd} add 3700 pass udp from any to any 33434-33523 out via ${oif}

	# ICMP stuff

	#ICMP packets
	# allow all on internal interface
	${fwcmd} add 3800 pass icmp from any to any via ${iif}

	#Allow outgoing pings but no incoming
	${fwcmd} add 3900 pass icmp from any to any icmptypes 8 out via ${oif}
	${fwcmd} add 4000 pass icmp from any to any icmptypes 0 in via ${oif}

	#Allow destination unreachable, source quench, time exceeded
	#and bad header
	${fwcmd} add 4100 pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

	#deny the rest of them
	${fwcmd} add 4200 deny icmp from any to any

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.  Which it is not
	;;
esac

Content-Disposition: attachment; filename="info.txt"

xl0: flags=8843 mtu 1500
	inet 206.249.222.226 netmask 0xffffffe0 broadcast 206.249.222.255
	inet6 fe80::260:8ff:fe8d:f089%xl0 prefixlen 64 scopeid 0x1
	ether 00:60:08:8d:f0:89
	media: autoselect (10baseT/UTP) status: active
	supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX
xl1: flags=8843 mtu 1500
	inet 192.168.1.225 netmask 0xffffffe0 broadcast 192.168.1.255
	inet6 fe80::260:8ff:fe3a:5258%xl1 prefixlen 64 scopeid 0x2
	ether 00:60:08:3a:52:58
	media: autoselect (none) status: no carrier
	supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX
lp0: flags=8810 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8000 mtu 1500
gif0: flags=8010 mtu 1280
gif1: flags=8010 mtu 1280
gif2: flags=8010 mtu 1280
gif3: flags=8010 mtu 1280
lo0: flags=8049 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500

From owner-freebsd-ipfw Tue Dec 12 17:17:31 2000
Message-Id: <3.0.32.20001212172301.0285bc20@mail.ok-connect.com>
Date: Tue, 12 Dec 2000 17:23:02 -0800
From: Darcy Buskermolen
Subject: Re: sigh, today is just not my day.

you can't route private IP space through the internet like that.. What you
need is to use natd to do either 1-1 IP translation or 1 to many IP
translation.. make sure that you have the IPDIVERT option compiled into your
kernel and put the following into your /etc/rc.conf

natd_enable="YES"
natd_interface="xl0"

At 04:28 PM 12/12/00 -0700, you wrote:
>Right, first off thank you to all who helped me out with the
>kern.securelevel issue. Okay here we go, the major reason for me to be
>doing this is that my boss wants a firewall ASAP. She purchased Checkpoint
>for $2000-2500, and it needed a subscription ~$400/year. I talked to her
>about using a Unix based firewall solution and the cost would be only in
>work hours (unlike Checkpoint which would add $$$). She liked the idea.
>Our ISP uses FreeBSD, so I thought what the hell why not. I am coming from
>a Linux/SunOS background, but more of a CS student than as an admin. This
>email list and its members have been great to me. Okay so the conundrum. I
>want to test the FreeBSD (4.1.1) machine. It has two NICs; ifconfig comes
>up great (please see attachment info.txt). I have a set of firewall rules
>in ipfw that seem to do the trick (please see attachment rc_firewall.txt).
>So here goes
>*** note that xl1 has no carrier since I unplugged the cross over cable ***
>
>                 My machine (win98)    freebsd machine
>ip               192.168.1.250         192.168.1.225 (inside interface)
>netmask          255.255.255.224       255.255.255.224
>its gateway      192.168.1.225 (the firewall machine)
>its dns servers are the same
>as the freebsd machine's (ie our isp dns servers)
>
>right. So the freebsd machine can see the outside world. When I have my
>machine behind the firewall I can't see Jack (if at all). What am I doing
>wrong? Any help will be appreciated. I have been poring over the freebsd
>website, freebsddiary.org, and other sites.
>you guys/gals rock
>
>-Carlos Andrade
>----
>Carlos A. Andrade
>IS Manager
>RJS Technologies
>915.845.5228 ext 13  915.845.2119 fax
>carlos@rjstech.com
>
>Attachment Converted: "C:\Program Files\Eudora32\attach\rc_firewall.txt"
>
>Attachment Converted: "C:\Program Files\Eudora32\attach\info.txt"
>

From owner-freebsd-ipfw Tue Dec 12 17:32:08 2000
Message-Id: <200012130132.UAA14202@mail2.lig.bellsouth.net>
From: "Chris Browning"
To: ,
Date: Tue, 12 Dec 2000 20:25:09 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: sigh, today is just not my day.
Priority: normal
In-reply-to: <000101c06493$46aa2620$fadef9ce@rjstech.com>
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> My machine (win98)              freebsd machine
> ip       192.168.1.250          192.168.1.225 (inside interface)
> netmask  255.255.255.224        255.255.255.224
> its gateway 192.168.1.225 (the firewall machine)
> its DNS servers are the same
> as the freebsd machine's (ie our ISP's DNS servers)
>
> Right. So the freebsd machine can see the outside world. When I have my
> machine behind the firewall I can't see Jack (if at all). What am I doing
> wrong? Any help will be appreciated. I have been poring over the freebsd
> website, freebsddiary.org, and other sites.
> you guys/gals rock
>
> -Carlos Andrade
> ----

I haven't had time to work through all your rules, and I'm no pro, but I would look carefully at the RFC1918 and draft-manning rules that have to do with 192.168.x.x. I've gotten burned a couple of times forgetting that the packets go to natd first and then back through the ruleset with their addrs re-written, if I'm not mistaken. It looks like you have that covered, but again, I'm not a pro. Anyone else?

Hope it helps...

--------------------------
Chris Browning
brownicm@prokyon.com
------------------------

From owner-freebsd-ipfw Tue Dec 12 17:47:33 2000
From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 12 17:47:31 2000
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail3.lig.bellsouth.net (mail3.lig.bellsouth.net [205.152.0.51]) by hub.freebsd.org (Postfix) with ESMTP id E1F8F37B400 for ; Tue, 12 Dec 2000 17:47:30 -0800 (PST)
Received: from eileen (adsl-61-148-210.int.bellsouth.net [208.61.148.210]) by mail3.lig.bellsouth.net (3.3.5alt/0.75.2) with SMTP id UAA09876 for ; Tue, 12 Dec 2000 20:47:29 -0500 (EST)
Message-Id: <200012130147.UAA09876@mail3.lig.bellsouth.net>
From: "Chris Browning"
To: freebsd-ipfw@freebsd.org
Date: Tue, 12 Dec 2000 20:40:41 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: suck in config vars in rc.firewall
Priority: normal
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This has been bugging me. Could someone explain why rc.firewall seems to take config variables from etc/defaults/rc.conf instead of /etc/rc.conf?...

# Suck in the configuration variables.
if [ -f /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
elif [ -f /etc/rc.conf ]; then
	. /etc/rc.conf
fi

Is my understanding of if/elif/fi and test faulty? Thanks.

--------------------------
Chris Browning
brownicm@prokyon.com
------------------------

From owner-freebsd-ipfw Tue Dec 12 18: 8:31 2000
From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 12 18:08:29 2000
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from chmls20.mediaone.net (chmls20.mediaone.net [24.147.1.156]) by hub.freebsd.org (Postfix) with ESMTP id 69EFC37B402 for ; Tue, 12 Dec 2000 18:08:29 -0800 (PST)
Received: from acm.org (reyim.ne.mediaone.net [24.218.251.241]) by chmls20.mediaone.net (8.8.7/8.8.7) with ESMTP id VAA28846; Tue, 12 Dec 2000 21:08:16 -0500 (EST)
Message-ID: <3A36DA0C.1B005960@acm.org>
Date: Tue, 12 Dec 2000 21:08:12 -0500
From: Jim Bloom
X-Mailer: Mozilla 4.75 [en]C-MOENE (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Chris Browning
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: suck in config vars in rc.firewall
References: <200012130147.UAA09876@mail3.lig.bellsouth.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Chris Browning wrote:
>
> This has been bugging me. Could someone explain why
> rc.firewall seems to take config variables from
> etc/defaults/rc.conf instead of /etc/rc.conf?...
>
> # Suck in the configuration variables.
> if [ -f /etc/defaults/rc.conf ]; then
> 	. /etc/defaults/rc.conf
> elif [ -f /etc/rc.conf ]; then
> 	. /etc/rc.conf
> fi
>
> Is my understanding of if/elif/fi and test faulty? Thanks.

Nope, your understanding is correct. What you missed is that /etc/defaults/rc.conf reads in /etc/rc.conf at the end. It takes a bit of variable following to see how this occurs.

Jim Bloom
bloom@acm.org

From owner-freebsd-ipfw Tue Dec 12 23:23:42 2000
From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 12 23:23:37 2000
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 0FE0537B400 for ; Tue, 12 Dec 2000 23:23:37 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 12 Dec 2000 23:21:59 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eBD7NJ029170; Tue, 12 Dec 2000 23:23:19 -0800 (PST) (envelope-from cjc)
Date: Tue, 12 Dec 2000 23:23:19 -0800
From: "Crist J. Clark"
To: cjclark@alum.mit.edu
Cc: Jev , freebsd-ipfw@FreeBSD.ORG, darcy@ok-connect.com
Subject: Re: Extended ipfw Logging
Message-ID: <20001212232319.I96105@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001210222316.A19100@149.211.6.64.reflexcom.com> <20001211081137.F9536@ecad.org> <20001212012641.C96105@149.211.6.64.reflexcom.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="MGYHOYXEY6WxJCY8"
X-Mailer: Mutt 1.0i
In-Reply-To: <20001212012641.C96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Tue, Dec 12, 2000 at 01:26:41AM -0800
Sender: cjc@149.211.6.64.reflexcom.com
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

--MGYHOYXEY6WxJCY8
Content-Type: text/plain; charset=us-ascii

On Tue, Dec 12, 2000 at 01:26:41AM -0800, Crist J. Clark wrote:
> On Mon, Dec 11, 2000 at 08:11:37AM +0000, Jev wrote:
> >
> > I would find this highly useful, would be great if you could turn it
> > on/off with sysctl :)
>
> Good idea. How's this:
>
> I did not add a new sysctl knob, instead, we still use
> net.inet.ip.fw.verbose, except that,
>
> net.inet.ip.fw.verbose=0	# Logging off
> net.inet.ip.fw.verbose=1	# Regular logging
> net.inet.ip.fw.verbose=2	# Enhanced logging
>
> Obviously, we could utilize more levels... but keep it sane.
>
> I made the code change, but it's getting too late for me to do enough
> testing to feel OK about posting patches. This sound good though?

They look good to me. The sysctl works as advertised above. You still need to add the IPFIREWALL_EXTRA_VERBOSE option to build in the functionality. A level of '2' for net.inet.ip.fw becomes the default when the option is built in.

I have gotten a number of emails from people who like the idea. If anyone is actually using it, please let me know. And of course, any more suggestions are welcome.

--
Crist J.
Clark cjclark@alum.mit.edu --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ip_fw.patch" --- ip_fw.c Sun Dec 10 19:13:17 2000 +++ /usr/src/sys/netinet/ip_fw.c Tue Dec 12 01:47:30 2000 @@ -67,7 +67,11 @@ static int fw_debug = 1; #ifdef IPFIREWALL_VERBOSE +#ifdef IPFIREWALL_EXTRA_VERBOSE +static int fw_verbose = 2; +#else static int fw_verbose = 1; +#endif #else static int fw_verbose = 0; #endif @@ -488,7 +492,7 @@ struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl); u_int64_t count; char *action; - char action2[32], proto[47], name[18], fragment[17]; + char action2[32], proto[97], name[18], fragment[17]; int len; count = f ? f->fw_pcnt : ++counter; @@ -572,9 +576,20 @@ len += snprintf(SNPARGS(proto, len), " "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_dst)); - if ((ip->ip_off & IP_OFFMASK) == 0) + if ((ip->ip_off & IP_OFFMASK) == 0) { snprintf(SNPARGS(proto, len), ":%d", ntohs(tcp->th_dport)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), + " f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x", + tcp->th_flags, + ntohl(tcp->th_seq), + ntohl(tcp->th_ack), + ntohs(ip->ip_id), + ip->ip_ttl); +#endif + } break; case IPPROTO_UDP: len = snprintf(SNPARGS(proto, 0), "UDP %s", @@ -586,9 +601,17 @@ len += snprintf(SNPARGS(proto, len), " "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_dst)); - if ((ip->ip_off & IP_OFFMASK) == 0) - snprintf(SNPARGS(proto, len), ":%d", + if ((ip->ip_off & IP_OFFMASK) == 0) { + len += snprintf(SNPARGS(proto, len), ":%d", ntohs(udp->uh_dport)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), + " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); +#endif + } break; case IPPROTO_ICMP: if ((ip->ip_off & IP_OFFMASK) == 0) 
@@ -598,20 +621,55 @@ len = snprintf(SNPARGS(proto, 0), "ICMP "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_src)); - snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); + len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), + " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); +#endif break; default: len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p, inet_ntoa(ip->ip_src)); - snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); + len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); +#endif break; } - if ((ip->ip_off & IP_OFFMASK)) +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) { + if (ip->ip_off & IP_DF) + len = snprintf(SNPARGS(fragment, 0), " DF"); + else { + fragment[0] = '\0'; + len = 0; + } + if (ip->ip_off & (IP_OFFMASK | IP_MF)) + len += snprintf(SNPARGS(fragment, len), " Frag=%d", + (ip->ip_off & IP_OFFMASK)<<3); + if (ip->ip_off & IP_MF) + len += snprintf(SNPARGS(fragment, len), "+"); + } else { + if (ip->ip_off & (IP_OFFMASK | IP_MF)) + snprintf(SNPARGS(fragment, 0), " Fragment = %d", + ip->ip_off & IP_OFFMASK); + else + fragment[0] = '\0'; + } +#else + if (ip->ip_off & (IP_OFFMASK | IP_MF)) snprintf(SNPARGS(fragment, 0), " Fragment = %d", ip->ip_off & IP_OFFMASK); else fragment[0] = '\0'; +#endif if (oif) log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n", name, action, proto, oif->if_name, oif->if_unit, fragment); --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="options.patch" --- options Sun Dec 10 18:25:56 2000 +++ /usr/src/sys/conf/options Sun Dec 10 01:45:19 2000 
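Review bot: in the TCP hunk of ip_fw.patch (@@ -572,9 +576,20 @@) the port write, "snprintf(SNPARGS(proto, len), ":%d", ntohs(tcp->th_dport));", discards its return value, while the UDP hunk right after it uses "len += snprintf(SNPARGS(proto, len), ":%d", ...)". With len unchanged, the extra-verbose " f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x" string is written at the same offset and overwrites the ":port" suffix of the destination address in the log line. It should be "len += snprintf(...)" as in the UDP branch (the re-posted ip_fw.patch further down carries exactly that change).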
@@ -245,6 +245,7 @@ PFIL_HOOKS opt_pfil_hooks.h IPFIREWALL opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h +IPFIREWALL_EXTRA_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_FORWARD opt_ipfw.h --MGYHOYXEY6WxJCY8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Dec 12 23:59:29 2000 From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 12 23:59:25 2000 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 6AAB937B400 for ; Tue, 12 Dec 2000 23:59:25 -0800 (PST) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 12 Dec 2000 23:57:47 -0800 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eBD7xLh29419; Tue, 12 Dec 2000 23:59:21 -0800 (PST) (envelope-from cjc) Date: Tue, 12 Dec 2000 23:59:17 -0800 
From: "Crist J. Clark" To: cjclark@alum.mit.edu Cc: Jev , freebsd-ipfw@FreeBSD.ORG, darcy@ok-connect.com Subject: Re: Extended ipfw Logging Message-ID: <20001212235917.J96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20001210222316.A19100@149.211.6.64.reflexcom.com> <20001211081137.F9536@ecad.org> <20001212012641.C96105@149.211.6.64.reflexcom.com> <20001212232319.I96105@149.211.6.64.reflexcom.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="hHWLQfXTYDoKhP50" X-Mailer: Mutt 1.0i In-Reply-To: <20001212232319.I96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Tue, Dec 12, 2000 at 11:23:19PM -0800 Sender: cjc@149.211.6.64.reflexcom.com Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --hHWLQfXTYDoKhP50 Content-Type: text/plain; charset=us-ascii On Tue, Dec 12, 2000 at 11:23:19PM -0800, Crist J. Clark wrote: [snip] > They look good to me. The sysctl works as advertised above. You still > need to add the IPFIREWALL_EXTRA_VERBOSE option to build in the > functionality. A level of '2' for net.inet.ip.fw becomes the default > when the option is built in. Grrr... That ip_fw.patch was not the latest one in the version I was testing. There is a small bug. Here is the correct one. -- Crist J. Clark cjclark@alum.mit.edu --hHWLQfXTYDoKhP50 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ip_fw.patch" --- ip_fw.c Sun Dec 10 19:13:17 2000 +++ /usr/src/sys/netinet/ip_fw.c Tue Dec 12 23:55:04 2000 @@ -67,7 +67,11 @@ static int fw_debug = 1; #ifdef IPFIREWALL_VERBOSE +#ifdef IPFIREWALL_EXTRA_VERBOSE +static int fw_verbose = 2; +#else static int fw_verbose = 1; +#endif #else static int fw_verbose = 0; #endif 
@@ -488,7 +492,7 @@ struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl); u_int64_t count; char *action; - char action2[32], proto[47], name[18], fragment[17]; + char action2[32], proto[97], name[18], fragment[17]; int len; count = f ? f->fw_pcnt : ++counter; @@ -572,9 +576,20 @@ len += snprintf(SNPARGS(proto, len), " "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_dst)); - if ((ip->ip_off & IP_OFFMASK) == 0) - snprintf(SNPARGS(proto, len), ":%d", + if ((ip->ip_off & IP_OFFMASK) == 0) { + len += snprintf(SNPARGS(proto, len), ":%d", ntohs(tcp->th_dport)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), + " f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x", + tcp->th_flags, + ntohl(tcp->th_seq), + ntohl(tcp->th_ack), + ntohs(ip->ip_id), + ip->ip_ttl); +#endif + } break; case IPPROTO_UDP: len = snprintf(SNPARGS(proto, 0), "UDP %s", @@ -586,9 +601,17 @@ len += snprintf(SNPARGS(proto, len), " "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_dst)); - if ((ip->ip_off & IP_OFFMASK) == 0) - snprintf(SNPARGS(proto, len), ":%d", + if ((ip->ip_off & IP_OFFMASK) == 0) { + len += snprintf(SNPARGS(proto, len), ":%d", ntohs(udp->uh_dport)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), + " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); +#endif + } break; case IPPROTO_ICMP: if ((ip->ip_off & IP_OFFMASK) == 0) 
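Review bot: in the TCP and UDP hunks (@@ -572,9 +576,20 @@ and @@ -586,9 +601,17 @@) the "i=0x%04x t=0x%02x" fields are printed inside the "(ip->ip_off & IP_OFFMASK) == 0" block, so a non-first fragment, which has no transport header and therefore no port to log, also loses the IP id that is the one field a log reader needs to correlate it with its first fragment; the ICMP and default branches print id and TTL unconditionally. Move the "ntohs(ip->ip_id), ip->ip_ttl" snprintf after the closing brace of the offset check so every fragment carries it.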
@@ -598,20 +621,55 @@ len = snprintf(SNPARGS(proto, 0), "ICMP "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_src)); - snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); + len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), + " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); +#endif break; default: len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p, inet_ntoa(ip->ip_src)); - snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); + len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); +#endif break; } - if ((ip->ip_off & IP_OFFMASK)) +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) { + if (ip->ip_off & IP_DF) + len = snprintf(SNPARGS(fragment, 0), " DF"); + else { + fragment[0] = '\0'; + len = 0; + } + if (ip->ip_off & (IP_OFFMASK | IP_MF)) + len += snprintf(SNPARGS(fragment, len), " Frag=%d", + (ip->ip_off & IP_OFFMASK)<<3); + if (ip->ip_off & IP_MF) + len += snprintf(SNPARGS(fragment, len), "+"); + } else { + if (ip->ip_off & (IP_OFFMASK | IP_MF)) + snprintf(SNPARGS(fragment, 0), " Fragment = %d", + ip->ip_off & IP_OFFMASK); + else + fragment[0] = '\0'; + } +#else + if (ip->ip_off & (IP_OFFMASK | IP_MF)) snprintf(SNPARGS(fragment, 0), " Fragment = %d", ip->ip_off & IP_OFFMASK); else fragment[0] = '\0'; +#endif if (oif) log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n", name, action, proto, oif->if_name, oif->if_unit, fragment); --hHWLQfXTYDoKhP50-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Dec 13 0:15:27 2000 From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 13 00:15:25 2000 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mail.biographix.com 
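Review bot: in the fragment hunk (@@ -598,20 +621,55 @@) the two output formats use different units: with fw_verbose > 1, "Frag=%d" prints "(ip->ip_off & IP_OFFMASK)<<3", the offset in bytes, while the fallback "Fragment = %d" prints the raw 8-octet offset units, so the same datagram logs as "Frag=976" in one mode and "Fragment = 122" in the other. Because fw_verbose is a runtime sysctl, a log parser cannot tell which form it is reading; print bytes in both branches, or at least document the difference alongside the new option. Note also that the non-extra-verbose branch now tests "IP_OFFMASK | IP_MF", so first fragments are logged as fragments even where IPFIREWALL_EXTRA_VERBOSE is not built in; that change in existing output deserves a mention in the commit message.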
(unknown [207.236.111.133]) by hub.freebsd.org (Postfix) with ESMTP id C75EA37B400 for ; Wed, 13 Dec 2000 00:15:24 -0800 (PST)
Received: from bottleneck2000 ([192.168.1.12]) by mail.biographix.com (8.11.1/8.11.1) with SMTP id eBD8Fw337083 for ; Wed, 13 Dec 2000 03:15:58 -0500 (EST)
Message-ID: <008401c064dd$7233c7c0$0c01a8c0@bottleneck2000>
From: "Elliott Perrin"
To:
Subject: Problem with Natd and IPFW
Date: Wed, 13 Dec 2000 03:19:42 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

So here is the scenario. I have a FreeBSD box configured with three interfaces, one to the Net, one to the LAN where our public servers sit, and one to the local LAN. It is a FreeBSD 4.1 box. Our public servers have routable addresses, so natd is running with the -u flag so that only the local LAN gets translated. The kernel was compiled without the default-to-accept option in the firewall.

If the firewall is running without an "allow all from any to any" rule, natd complains with the

    natd failed to write packet back (permission denied)

error and the local LAN cannot get anywhere out of the office. They can still get to our public servers, but they cannot go anywhere on the Internet. Once the "allow ip from any to any" rule is specified the problem clears up right away (which obviously makes sense). To give you an idea of where natd is in the ruleset, I have provided a chunk of the rules below (taken from ipfw -a list):

00100 allow ip from any to any in recv lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 192.168.1.0/24 to any in recv ed0
00400 deny ip from xxx.xxx.xxx.xxx/28 to any in recv ed0
00500 deny ip from 192.168.1.0/24 to any in recv fxp0
00600 deny ip from xxx.xxx.xxx.xxx/28 to any in recv xl0
00700 deny ip from xxx.xxx.xxx.xxx/29 to any in recv fxp0
00800 deny ip from xxx.xxx.xxx.xxx/29 to any in recv xl0
00900 deny ip from any to 10.0.0.0/8 via ed0
01000 deny ip from any to 172.16.0.0/12 via ed0
01100 deny ip from any to 192.168.0.0/16 via ed0
01200 deny ip from any to 0.0.0.0/8 via ed0
01300 deny ip from any to 169.254.0.0/16 via ed0
01400 deny ip from any to 192.0.2.0/24 via ed0
01500 divert 8668 ip from any to any via ed0
01600 deny ip from 10.0.0.0/8 to any via ed0
01700 deny ip from 172.16.0.0/12 to any via ed0
01800 deny ip from 192.168.0.0/16 to any via ed0
01900 deny ip from 0.0.0.0/8 to any via ed0
02000 deny ip from 169.254.0.0/16 to any via ed0
02100 deny ip from 192.0.2.0/24 to any via ed0

Now, I decided to run natd with the -v flag to see if I could find out what the hell was going on. When I was running it without an "allow ip from any to any" rule, I would see aliasing from the local LAN to the external address, but no aliasing on packets coming back in. When the rule "allow ip from any to any" is declared, I can see the translation going both in and out. I've read through the natd and ipfw man pages; nothing seems to point to how to clear this up. Can anyone shed some light?

________________________________________
Elliott Perrin
eperrin@bigorbit.com

From owner-freebsd-ipfw Wed Dec 13 0:24:37 2000
From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 13 00:24:34 2000
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 9CF4E37B400 for ; Wed, 13 Dec 2000 00:24:29 -0800 (PST)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.0/8.11.0) id eBD8NkE79440; Wed, 13 Dec 2000 10:23:46 +0200 (EET) (envelope-from ru)
Date: Wed, 13 Dec 2000 10:23:46 +0200
From: Ruslan Ermilov
To: Elliott Perrin
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Problem with Natd and IPFW
Message-ID: <20001213102346.A76652@sunbay.com>
Mail-Followup-To: Elliott Perrin , freebsd-ipfw@FreeBSD.ORG
References: <008401c064dd$7233c7c0$0c01a8c0@bottleneck2000>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <008401c064dd$7233c7c0$0c01a8c0@bottleneck2000>; from eperrin@bigorbit.com on Wed, Dec 13, 2000 at 03:19:42AM -0500
Sender: ru@whale.sunbay.crimea.ua
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Dec 13, 2000 at 03:19:42AM -0500, Elliott Perrin wrote:
> So here is the scenario. I have a FreeBSD box configured
> with three interfaces, one to the Net, one to the LAN where
> our public servers sit, and one to the local LAN. It is a
> FreeBSD 4.1 box. Our public servers have routable addresses,
> so natd is running with the -u flag so that only the local
> LAN gets translated. The kernel was compiled without the
> default-to-accept option in the firewall.
>
> If the firewall is running without an "allow all from any to
> any" rule, natd complains with the
>
> natd failed to write packet back (permission denied) error
>
> and the local LAN cannot get anywhere out of the office.
> They can still get to our public servers, but they cannot go
> anywhere on the Internet. Once the "allow ip from any to any"
> rule is specified the problem clears up right away (which
> obviously makes sense). To give you an idea of where natd is
> in the ruleset, I have provided a chunk of the rules below
> (taken from ipfw -a list):
>
> 00100 allow ip from any to any in recv lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 192.168.1.0/24 to any in recv ed0
> 00400 deny ip from xxx.xxx.xxx.xxx/28 to any in recv ed0
> 00500 deny ip from 192.168.1.0/24 to any in recv fxp0
> 00600 deny ip from xxx.xxx.xxx.xxx/28 to any in recv xl0
> 00700 deny ip from xxx.xxx.xxx.xxx/29 to any in recv fxp0
> 00800 deny ip from xxx.xxx.xxx.xxx/29 to any in recv xl0
> 00900 deny ip from any to 10.0.0.0/8 via ed0
> 01000 deny ip from any to 172.16.0.0/12 via ed0
> 01100 deny ip from any to 192.168.0.0/16 via ed0
> 01200 deny ip from any to 0.0.0.0/8 via ed0
> 01300 deny ip from any to 169.254.0.0/16 via ed0
> 01400 deny ip from any to 192.0.2.0/24 via ed0
> 01500 divert 8668 ip from any to any via ed0
> 01600 deny ip from 10.0.0.0/8 to any via ed0
> 01700 deny ip from 172.16.0.0/12 to any via ed0
> 01800 deny ip from 192.168.0.0/16 to any via ed0
> 01900 deny ip from 0.0.0.0/8 to any via ed0
> 02000 deny ip from 169.254.0.0/16 to any via ed0
> 02100 deny ip from 192.0.2.0/24 to any via ed0
>
> Now, I decided to run natd with the -v flag to see if I
> could find out what the hell was going on. When I was
> running it without an "allow ip from any to any" rule, I would
> see aliasing from the local LAN to the external address, but
> no aliasing on packets coming back in. When the rule "allow
> ip from any to any" is declared, I can see the translation
> going both in and out.
>
I do not see any ``allow'' rules except the first (lo0) one. Do you have these?

--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-ipfw Fri Dec 15 14:34:14 2000
From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 15 14:34:06 2000
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from new-dns.whc.net (new-dns.whc.net [204.90.111.214]) by hub.freebsd.org (Postfix) with ESMTP id 3317537B400 for ; Fri, 15 Dec 2000 14:34:06 -0800 (PST)
Received: from null ([206.249.222.226]) by new-dns.whc.net (8.11.1/8.10.1/kbp) with SMTP id for ; Fri, 15 Dec 2000 15:33:12 -0700 (MST)
Reply-To:
From: "Carlos Andrade"
To:
Subject: right
Date: Fri, 15 Dec 2000 15:31:13 -0700
Message-ID: <000801c066e6$bb7e4620$fa01a8c0@rjstech.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0009_01C066AC.0F1F6E20"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This is a multi-part message in MIME format.

------=_NextPart_000_0009_01C066AC.0F1F6E20
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

So the email list found some typos (which is good; the typos, bad). And I have my machine on a crossover cable, life is peachy, right? Wrong... for some reason I cannot get DNS to work. I can send email and receive email since I was able to hobble the IPs of my POP and SMTP servers. So I look at my rc.firewall (attached) and well, I cannot figure out why I can do things using IPs but not names. It's one thing for me to do this, it's another for the rest of the office to do it. For that matter I don't know off the top of my head the IP for www.yahoo.com. So I beseech this email list, what am I doing wrong?

----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com

------=_NextPart_000_0009_01C066AC.0F1F6E20
Content-Type: text/plain; name="rc_firewall.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="rc_firewall.txt"

############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.6 2000/09/21 07:44:53 ru Exp $

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
    . /etc/defaults/rc.conf
    source_rc_confs
elif [ -r /etc/rc.conf ]; then
    . /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

if [ -n "${1}" ]; then
    firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
    fwcmd="/sbin/ipfw -q"
    ;;
*)
    fwcmd="/sbin/ipfw"
    ;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
    fi
    ;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Prototype setups.
#
case ${firewall_type} in
[Ss][Ii][Mm][Pp][Ll][Ee])

    # I deleted open and client, too many conflicts
    # so we go directly in to simple
    # This is a prototype setup for a simple firewall.  Configure this
    # machine as a named server and ntp server, and point all the machines
    # on the inside at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="xl0"
    onet="206.249.222.0"
    omask="255.255.255.224"
    oip="206.249.222.226"

    # set these to your inside interface network and netmask and ip
    iif="xl1"
    inet="192.168.1.0"
    imask="255.255.255.224"
    iip="192.168.1.225"

    #dns servers
    #dns1="204.90.111.2"
    #dns2="205.137.48.5"

    # Stop spoofing
    ${fwcmd} add 300 deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add 400 deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add 500 deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add 600 deny all from any to 10.0.0.0/8 out via ${oif}
    ${fwcmd} add 700 deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add 800 deny all from any to 172.16.0.0/12 out via ${oif}
    ${fwcmd} add 900 deny all from 192.168.0.0/16 to any via ${oif}
    ${fwcmd} add 1000 deny all from any to 192.168.0.0/16 out via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add 1100 deny all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add 1200 deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add 1300 deny all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add 1400 deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add 1500 deny all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add 1600 deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add 1700 deny all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add 1800 deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add 1900 deny all from 240.0.0.0/4 to any via ${oif}
    ${fwcmd} add 2000 deny all from any to 240.0.0.0/4 via ${oif}

    # Allow TCP through if setup succeeded
    ${fwcmd} add 2100 pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add 2200 pass all from any to any frag

    # TCP STUFF
    # Allow access to sendmail for incoming email
    ${fwcmd} add 2300 pass tcp from any to ${oip} 25 setup

    # Allow access to our WWW
    ${fwcmd} add 2400 pass tcp from any to ${oip} 80 setup

    #SSH login - allow and log all incoming
    ${fwcmd} add 2500 pass log tcp from any to any 22 in via ${oip} setup

    #IDENT - reset incoming connections
    ${fwcmd} add 2600 reset tcp from any to any 113 in via ${oif} setup

    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add 2700 deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    ${fwcmd} add 2800 pass tcp from any to any setup

    # UDP STUFF

    # Allow access to our DNS
    #${fwcmd} add 2900 pass udp from any to ${dns1} 53 setup
    #${fwcmd} add 3000 pass udp from any to ${dns2} 53 setup
    #${fwcmd} add 3100 pass udp from ${dns1} 53 to any
    #${fwcmd} add 3200 pass udp from ${dns2} 53 to any

    ${fwcmd} add 2900 pass udp from any 53 to ${oip}
    ${fwcmd} add 3000 pass udp from ${oip} 53 to any
    ${fwcmd} add 3100 pass tcp from any to ${oip} 53 setup

    # SMB - allow local traffic
    ${fwcmd} add 3300 pass udp from any to any 137-139 via ${iif}

    # Allow NTP queries out in the world BUT we do it like this
    # allow server-server on outside interface
    # allow client-server on inside interface
    ${fwcmd} add 3400 pass udp from any 123 to any 123 via ${oif}
    ${fwcmd} add 3500 pass udp from any 123 to any 123 via ${iif}
    ${fwcmd} add 3600 pass udp from any to any 123 via ${iif}

    # TRACEROUTE - allow outgoing but not ingoing
    ${fwcmd} add 3700 pass udp from any to any 33434-33523 out via ${oif}

    # ICMP stuff

    #ICMP packets
    # allow all on internal interface
    ${fwcmd} add 3800 pass icmp from any to any via ${iif}

    #Allow outgoing pings but no incoming
    ${fwcmd} add 3900 pass icmp from any to any icmptypes 8 out via ${oif}
    ${fwcmd} add 4000 pass icmp from any to any icmptypes 0 in via ${oif}

    #Allow destination unreachable, source quench, time exceeded
    #and bad header
    ${fwcmd} add 4100 pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

    #deny the rest of them
    ${fwcmd} add 4200 deny icmp from any to any

    # Everything else is denied by default, unless the
    # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
    # config file.  Which it is not
    ;;
esac

------=_NextPart_000_0009_01C066AC.0F1F6E20--

From owner-freebsd-ipfw Fri Dec 15 15: 6: 2 2000
From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 15 15:06:01 2000
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from new-dns.whc.net (new-dns.whc.net [204.90.111.214]) by hub.freebsd.org (Postfix) with ESMTP id E992237B400 for ; Fri, 15 Dec 2000 15:06:00 -0800 (PST)
Received: from null ([206.249.222.226]) by new-dns.whc.net (8.11.1/8.10.1/kbp) with SMTP id for ; Fri, 15 Dec 2000 16:05:46 -0700 (MST)
Reply-To:
From: "Carlos Andrade"
Subject: paranoia sets in...
Date: Fri, 15 Dec 2000 16:03:50 -0700
Message-ID: <000001c066eb$4a3f8b40$fa01a8c0@rjstech.com>

I just realized something....  We have here at our work a Citrix Metaframe
server that we will be putting behind the firewall.  How do I tell the
clients on the other side of the firewall what address to connect to the
server if I am using nat?

For that matter I need to allow the following traffic, should I make them
specific rules?  I am such a nag.....

The following is a list of TCP/IP and UDP ports that must be open on
firewalls and routers for ICA packets to pass through:

  TCP/IP port 1494 (inbound)
    ({fwcmd} add xxxxx pass tcp from any to ${oip} 1494 ??? )
  UDP port 1604 (inbound and outbound)
  Outbound (from the server to the client) ports 1023 and above
    (a maximum of 65535) for both TCP/IP & UDP

----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com

From owner-freebsd-ipfw Sat Dec 16 01:10:33 2000
Date: Sat, 16 Dec 2000 01:10:16 -0800
From: "Crist J. Clark"
To: Carlos Andrade
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: right
Message-ID: <20001216011016.N96105@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <000801c066e6$bb7e4620$fa01a8c0@rjstech.com>; from carlos@rjstech.com on Fri, Dec 15, 2000 at 03:31:13PM -0700

On Fri, Dec 15, 2000 at 03:31:13PM -0700, Carlos Andrade wrote:
> So the email list found some typos (which is good, the typos bad).

And more below, or are these the same ones?

> And I
> have my machine on a crossover cable, life is peachy right? wrong...
>
> for some reason I cannot get dns to work.  I can send email and receive
> email since I was able to hobble the IPs of my pop and smtp servers.  So I
> look at my rc.firewall (attached) and well I cannot figure out why I can do
> things using IPs but not names.  It's one thing for me to do this, it's
> another for the rest of the office to do it.  For that matter I don't know
> off the top of my head the ip for www.yahoo.com.  So I beseech this email
> list, what am I doing wrong?

[snip]

> case ${firewall_type} in
> [Ss][Ii][Mm][Pp][Ll][Ee])
>
> # I deleted open and client, too many conflicts
> # so we go directly in to simple
> # This is a prototype setup for a simple firewall.  Configure this
> # machine as a named server and ntp server, and point all the machines
> # on the inside at this machine for those services.
> ############
>
> # set these to your outside interface network and netmask and ip
> oif="xl0"
> onet="206.249.222.0"
> omask="255.255.255.224"
> oip="206.249.222.226"
>
> # set these to your inside interface network and netmask and ip
> iif="xl1"
> inet="192.168.1.0"
> imask="255.255.255.224"
> iip="192.168.1.225"

Errr...
These numbers do not all agree.  Your IP address is outside of your
network, or your netmask is too small, or your network is in the wrong
place.

> #dns servers
> #dns1="204.90.111.2"
> #dns2="205.137.48.5"

[snip]

> # UPD STUFF
>
> # Allow access to our DNS
> #${fwcmd} add 2900 pass upd from any to ${dns1} 53 setup
> #${fwcmd} add 3000 pass upd from any to ${dns2} 53 setup
> #${fwcmd} add 3100 pass udp from ${dns1} 53 to any
> #${fwcmd} add 3200 pass udp from ${dns2} 53 to any
>
> ${fwcmd} add 2900 pass udp from any 53 to ${oip}

OK, this should let DNS back to your gateway.

> ${fwcmd} add 3000 pass udp from ${oip} 53 to any
> ${fwcmd} add 3100 pass tcp from any to ${oip} 53 setup

These say that you want your gateway (or perhaps a machine behind it)
to function as a DNS server?  I don't see a rule allowing the port 53
traffic onto your private net.  Nor do I see a rule allowing DNS out.
Why did you use different rules rather than fix the problems with the
ones you have commented out?

> # SMB - allow local traffic
> ${fwcmd} add 3300 pass udp from any to any 137-139 via ${iif}

Ouch.  Why?

> # Allow NTP queries out in the world BUT we do it like this
> # allow server-server on outside interface
> # allow client-server on inside interface
> ${fwcmd} add 3400 pass udp from any 123 to any 123 via ${oif}
> ${fwcmd} add 3500 pass udp from any 123 to any 123 via ${iif}
> ${fwcmd} add 3600 pass udp from any to any 123 via ${iif}

Rule 3500 is a subset of rule 3600.  Rules 3400 and 3500 could be made
into a single,

	${fwcmd} add 3400 pass udp from any 123 to any 123

[snip]

-- 
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Sat Dec 16 03:27:24 2000
Message-Id: <200012161125.eBGBPkP05378@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.2-RELEASE
To: "Ari Suutari"
Cc: freebsd-net@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW & IPsec tunnel mode
In-reply-to: Your message of "Thu, 07 Dec 2000 09:20:40 +0200." <001301c0601e$34cab880$0e05a8c0@intranet.syncrontech.com>
Date: Sat, 16 Dec 2000 03:24:57 -0800

In message <001301c0601e$34cab880$0e05a8c0@intranet.syncrontech.com>, "Ari
Suutari" writes:
> However, pipsecd only supports fixed keys and Kame seems more
> like the future way to go.  Would it be possible to enhance ipfw & kame
> to work together better in same way (like having some kind of name for
> each tunnel and allowing ipfw rule to use them in similar way as
> 'via' is used with interfaces) ?

Check the -security archives.  This was just discussed about a month ago.
In that thread a KAME developer explained why it cannot be accomplished.

Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
Team Leader, Sun/Alpha Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
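Crist Clark's point earlier in this thread, that the posted onet/omask/oip and inet/imask/iip values do not agree, is the kind of mistake that silently breaks the anti-spoofing rules (rules 300 and 400 match on ${inet}:${imask} and ${onet}:${omask}, so if the gateway's own address is not inside those networks the rules do not cover the traffic the comments say they do). The script below is an added example written for this archive page; it is not code from the thread or from FreeBSD's rc.firewall. It takes the four address values exactly as posted in Carlos's script (constructed input, nothing else is read), checks whether each interface address actually lies inside the network that net/mask describes, and reports the network the address really belongs to under that mask. The function names check_interface and audit are mine, not ipfw's.

```python
#!/usr/bin/env python3
"""Sanity-check the net/mask/ip triples used by an rc.firewall-style config.

ipfw's ${net}:${mask} notation only does what the anti-spoofing rules intend
if the interface address really falls inside that network.  This script
flags triples where it does not and prints the network the address actually
belongs to, so the variables can be corrected before the rules are loaded.
"""
import ipaddress

# Values copied from the rc.firewall posted in this thread (constructed input
# for this example; the interface names are the ones used in that script).
POSTED = {
    "xl0 (outside)": ("206.249.222.0", "255.255.255.224", "206.249.222.226"),
    "xl1 (inside)":  ("192.168.1.0",   "255.255.255.224", "192.168.1.225"),
}


def check_interface(net, mask, ip):
    """Return (ok, declared_network, actual_network).

    declared_network is net/mask as written in the config.  actual_network is
    what you get by applying the same mask to the interface address, i.e. the
    network the address really lives in.  ok is True only when the address is
    inside the declared network and the declared network address has no host
    bits set (a net like 192.168.1.1 with a /24 mask is also a config error).
    """
    declared_iface = ipaddress.ip_interface(f"{net}/{mask}")
    declared = declared_iface.network
    addr = ipaddress.ip_address(ip)
    actual = ipaddress.ip_interface(f"{ip}/{mask}").network
    host_bits_clean = declared_iface.ip == declared.network_address
    return (addr in declared and host_bits_clean), declared, actual


def audit(settings):
    """Return one finding string per interface whose triple is inconsistent."""
    findings = []
    for name, (net, mask, ip) in settings.items():
        ok, declared, actual = check_interface(net, mask, ip)
        if ok:
            continue
        findings.append(
            f"{name}: {ip} is not inside {declared}; with mask {mask} it "
            f"belongs to {actual} (set the network variable to "
            f"{actual.network_address} or widen the mask)"
        )
    return findings


if __name__ == "__main__":
    problems = audit(POSTED)
    for line in problems:
        print(line)
    if not problems:
        print("all interface triples agree")
```

Run against the posted values it reports both interfaces: 206.249.222.226 is not inside 206.249.222.0/27 (a /27 covers .0 through .31) but belongs to 206.249.222.224/27, and 192.168.1.225 is not inside 192.168.1.0/27 but belongs to 192.168.1.224/27. Either the network variables should be the .224 networks or the masks should be wider; the script cannot know which, because that depends on what the upstream and the inside LAN actually are.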