From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 17 10:23:49 2005
From: Alessandro Parrinello
Date: Mon, 17 Oct 2005 12:23:47 +0200 (CEST)
To: freebsd-ipfw@freebsd.org
Subject: Dynamically adding ipfw & natd rule

Hi, I need to change the NAT rules of natd from a C program, dynamically, based on information given to me by a server. How can I do this?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 17 11:01:57 2005
From: FreeBSD bugmaster
Date: Mon, 17 Oct 2005 11:01:55 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
f [2004/12/25] kern/75483  ipfw   ipfw count does not count
o [2005/05/11] bin/80913   ipfw   /sbin/ipfw2 silently discards MAC addr ar

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca
o [2005/05/05] kern/80642  ipfw   [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28] kern/82724  ipfw   [patch] Add setnexthop and defaultroute f
f [2005/10/07] kern/87032  ipfw   [PATCH] ipfw ioctl interface implementati

5 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 17 11:02:54 2005
From: FreeBSD bugmaster
Date: Mon, 17 Oct 2005 11:02:51 GMT
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 18 07:36:17 2005
From: "Andrey V. Elsukov"
Date: Tue, 18 Oct 2005 11:36:13 +0400
To: Alessandro Parrinello
Cc: ipfw@freebsd.org
Subject: Re: Dynamically adding ipfw & natd rule

Alessandro Parrinello wrote:
> Hi, I need to change the NAT rules of natd from a C
> program, dynamically, based on information given to me by a
> server. How can I do this?

If you are speaking about ipfw divert rules, then you can look at the sbin/ipfw source code as an example.

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 21 01:51:55 2005
From: Daemon
Date: Thu, 20 Oct 2005 21:51:53 -0400
To: freebsd-ipfw@freebsd.org
Subject: ipfw firewall help

I'm trying to build a firewall from scratch using man ipfw and what I can find on the net. I'm doing bandwidth shaping and I'm not quite sure where it goes as far as rule numbers. From what I can see, it matters and I'd like to do it right. I'm using an OPEN firewall with NATD because I'm on cable broadband with a static IP. Here is what I have.

00010    52    2446 pipe 1 ip from 172.16.140.0/24 to any xmit re0
00020     0       0 pipe 2 ip from any to 172.16.140.0/24 recv re0
00050   274   24955 divert 8668 ip from any to any via re0
00100    50    5642 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65535  4658  547779 allow ip from any to any

The actual rule set for the bandwidth shaping is:

# Traffic Shaping.
# oif="re0"              # ${oif} Public Interface.
# iif="re1"              # ${iif} Internal nic.
# iip="172.16.140.0/24"  # ${iip}

${fwcmd} add 10 pipe 1 all from ${iip} to any xmit ${oif}
${fwcmd} pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes

${fwcmd} add 20 pipe 2 all from any to ${iip} recv ${oif}
${fwcmd} pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes

I've found lots of stuff on "how" to set it up but I can't seem to find anything on where the rules go. Any help would be greatly appreciated.

Regards,

Mark

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 21 06:23:54 2005
From: G Bryant
Date: Fri, 21 Oct 2005 08:24:31 +0200
To: Daemon, freebsd-ipfw@freebsd.org
Subject: Re: ipfw firewall help

Hi,
I found my rules worked best in this order:
(You will need to correct the syntax - just typed up the order for you quickly)

Deny spoofed
Allow localhost
Allow all from any to any via $iif
divert natd all from any to any in via $oif
#insert bandwidth shaping rules
skipto 5000 all from $iip to any out via $oif
#allow all from any to me in via $oif   # if you want to receive traffic from internet to this box. Your decision if you need it.
deny all from any to any out
allow all from any to $iip in via $oif
#allow all from me to any out via $oif  # traffic from this box out to the internet. Your decision if you need it.
deny all from any to any in
5000 nat all from any to any out via $oif
allow all from any to any out

This is a very "open" set of rules - your choice.
Hope this helps.
Regards, Graham

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 21 07:29:31 2005
From: Jayesh Jayan
Date: Fri, 21 Oct 2005 12:52:10 +0530
To: freebsd-ipfw@freebsd.org
Subject: Problem with firewall and the ports

Hi,

I have a firewall in place on my server. I have opened a few ports on it. The open ports are 80, 443, 22, 21, 20 and also the range 49152-65535.

So when I try to retrieve the INDEX file of ports I get the below errors with fetch and wget.

*******************************************************************************
fetch: ftp://ftp12.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/INDEX: Permission denied
*******************************************************************************

wget ftp://ftp12.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/INDEX
--02:17:13--  ftp://ftp12.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/INDEX
           => `INDEX'
Resolving ftp12.freebsd.org... done.
Connecting to ftp12.freebsd.org[141.142.2.89]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/FreeBSD/ports/i386/packages-5.4-release... done.
==> PASV ... couldn't connect to 141.142.2.89:22692: Permission denied
Retrying.

--02:17:15--  ftp://ftp12.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/INDEX
  (try: 2) => `INDEX'
Connecting to ftp12.freebsd.org[141.142.2.89]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/FreeBSD/ports/i386/packages-5.4-release... done.
==> PASV ... couldn't connect to 141.142.2.89:46083: Permission denied
Retrying.

--02:17:17--  ftp://ftp12.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/INDEX
  (try: 3) => `INDEX'
Connecting to ftp12.freebsd.org[141.142.2.89]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/FreeBSD/ports/i386/packages-5.4-release... done.
==> PASV ... couldn't connect to 141.142.2.89:10401: Permission denied
Retrying.

--02:17:20--  ftp://ftp12.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/INDEX
  (try: 4) => `INDEX'
Connecting to ftp12.freebsd.org[141.142.2.89]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/FreeBSD/ports/i386/packages-5.4-release... done.
==> PASV ... couldn't connect to 141.142.2.89:8356: Permission denied
Retrying.

--02:17:25--  ftp://ftp12.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/INDEX
  (try: 5) => `INDEX'
Connecting to ftp12.freebsd.org[141.142.2.89]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/FreeBSD/ports/i386/packages-5.4-release... done.
==> PASV ... couldn't connect to 141.142.2.89:41680: Permission denied
Retrying.
*******************************************************************************

So can I have a picture of which ports are required, so that I can enable those?

Awaiting your guidance.
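Every refused PASV data port in the log above (22692, 46083, 10401, 8356, 41680) lies outside the opened 49152-65535 range, and "Permission denied" is how an ipfw deny rule shows up on a local connect(); in passive FTP the server chooses the data port, so the client's firewall must either cover the server's range or accept the outbound data connection by state rather than by port number. The script below is an added example, not from the thread, that pulls the refused data ports out of such wget output and reports the ones outside the permitted range; the log lines are constructed from the message.

```shell
#!/bin/sh
# Added example (not from the thread): check the passive-FTP data ports a
# wget log was refused on against the port range the firewall permits.

# The range Jayesh says is open; the sample log lines are constructed
# from the wget output in his message.
range_lo=49152
range_hi=65535

sample_log='Logging in as anonymous ... Logged in!
==> PASV ... couldn'\''t connect to 141.142.2.89:22692: Permission denied
Retrying.
==> PASV ... couldn'\''t connect to 141.142.2.89:46083: Permission denied
==> PASV ... couldn'\''t connect to 141.142.2.89:10401: Permission denied
==> PASV ... couldn'\''t connect to 141.142.2.89:8356: Permission denied
==> PASV ... couldn'\''t connect to 141.142.2.89:41680: Permission denied'

# Print "host port" for every refused data connection found in the log.
refused_data_ports() {
    printf '%s\n' "$1" |
        sed -n "s/.*couldn't connect to \([0-9.]*\):\([0-9]*\):.*/\1 \2/p"
}

# Print the refused ports that lie outside [range_lo, range_hi];
# exit status is 1 when at least one such port exists, 0 otherwise.
ports_outside_range() {
    refused_data_ports "$1" |
        awk -v lo="$range_lo" -v hi="$range_hi" \
            '$2 < lo || $2 > hi { print $2; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Number of refused ports outside the range (0 when all are inside).
count_outside() {
    ports_outside_range "$1" | wc -l | tr -d ' '
}

if ports_outside_range "$sample_log" >/dev/null; then
    echo "all refused data ports lie inside ${range_lo}-${range_hi}; look elsewhere"
else
    echo "$(count_outside "$sample_log") refused data port(s) outside ${range_lo}-${range_hi}:"
    ports_outside_range "$sample_log" || true
fi
```

Feed it a real log by replacing sample_log; a zero count means the port range is not what blocks the transfer and the full ruleset (as Thomas asks for) is the next thing to look at.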
From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 21 08:53:07 2005
From: Thomas Wolf
Date: Fri, 21 Oct 2005 10:54:26 +0200
To: Jayesh Jayan
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Problem with firewall and the ports

Jayesh Jayan wrote:
> Hi,
>
> I have a firewall in place on my server. I have opened a few ports on it. The
> open ports are 80, 443, 22, 21, 20 and also the range 49152-65535.
>
> So when I try to retrieve the INDEX file of ports I get the below errors with
> fetch and wget.
> [permission denied]

Please post your complete ruleset.

Thomas

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 21 14:36:28 2005
From: Daemon
Date: Fri, 21 Oct 2005 10:36:23 -0400
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw firewall help

Great! Thanks. One possibly stupid question: what is the "Deny Spoof"? Is that like:

# Stop spoofing of your internal network range
# ${fwcmd} add deny ip from ${iif} to any in via ${oif}

# Stop spoofing from inside your private ip range
# ${fwcmd} add deny ip from not ${iif} to any in via ${iif}
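With the default net.inet.ip.fw.one_pass=1 a packet leaving a dummynet pipe is not re-injected into the rule list, so Mark's rule 10 (pipe 1, xmit re0) sends outbound LAN traffic to the wire before rule 50 can divert it to natd, and the zero counter on rule 20 fits that. The script below is an added example, not from the thread, of Graham's order in real ipfw syntax, with the "deny spoofed" rules Mark asks about first and the shaping hooked on the internal interface, where addresses are never translated; it assumes Mark's interface names, network, natd port 8668 and pipe settings, and prints the commands instead of loading them unless fwcmd is set.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw ruleset in rc.firewall style
# that orders anti-spoofing, dummynet shaping and natd so that shaping never
# takes a packet away from the divert rule. Interface names, internal
# network, natd port and pipe settings are taken from Mark's message.
# Defaults to a dry run; set fwcmd="/sbin/ipfw -q" to load the rules.

oif="re0"               # public interface
iif="re1"               # internal interface
iip="172.16.140.0/24"   # internal network
natd_port="8668"        # divert port natd listens on
fwcmd="${fwcmd:-echo ipfw -q}"

build_rules() {
    # Loopback, then the usual 127/8 sanity rules.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any

    # "Deny spoofed": the internal range must never arrive on the public
    # side, and nothing but the internal range may arrive on the LAN side.
    ${fwcmd} add 200 deny ip from ${iip} to any in via ${oif}
    ${fwcmd} add 210 deny ip from not ${iip} to any in via ${iif}

    # Shaping is hooked on the internal interface, where both directions
    # carry the real LAN addresses, so it does not interact with natd.
    # With one_pass=1 a packet leaving a pipe is accepted for this pass
    # only; the separate pass on ${oif} still reaches the divert rule.
    ${fwcmd} pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes
    ${fwcmd} pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes
    ${fwcmd} add 300 pipe 1 ip from ${iip} to any in via ${iif}
    ${fwcmd} add 310 pipe 2 ip from any to ${iip} out via ${iif}

    # NAT on the public interface, both directions, before any allow rule.
    ${fwcmd} add 400 divert ${natd_port} ip from any to any via ${oif}

    # Policy rules belong here, after the divert, where an inbound packet
    # already carries its LAN destination. This keeps Mark's open policy.
    ${fwcmd} add 65000 allow ip from any to any
}

# Dry-run the ruleset and print the number of the first "add" rule whose
# text contains $1; lets the ordering be checked without loading anything.
rule_number() {
    ( fwcmd="echo ipfw -q"; build_rules ) |
        awk -v pat="$1" '$3 == "add" && index($0, pat) { print $4; exit }'
}

build_rules
```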