From owner-freebsd-questions@FreeBSD.ORG Wed Feb 4 07:35:07 2004
Date: Wed, 04 Feb 2004 07:26:17 -0800
From: Saint Aardvark the Carpeted
To: Marwan Sultan
cc: FreeBSD questions List
Subject: Re: ipfw rules help.
Message-id: <20040204152616.GJ2197@hardesty.saintaardvarkthecarpeted.com>
In-reply-to: <20040203195904.M73395@kifco.net>
References: <20040203195904.M73395@kifco.net>

Marwan Sultan disturbed my sleep to write:
> I compiled ipfw to accept by default.
> This is my ipfw list:
>
> 00050 divert 8668 ip from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any

Hm...this may not be a big deal, but is there any reason you're putting the divert rule before the rules dealing with lo0/127.0.0.0/8? The default FreeBSD open firewall ruleset usually puts the divert rule after -- this would be rule 400 in your example.

> a) let's say I want to deny everything except a range of IPs
> starting from 192.168.1.1 to 192.168.1.50.
> what should the rule set be? how do I set a range of IPs to pass
> and deny the rest of the C class? The FreeBSD docs do not cover this?
> or I did not see it.

man ipfw(8) will help you. Depending on the version of ipfw (I forget when this syntax was added), you may be able to do this:

    ipfw add allow all from 192.168.1.0/24{1-50} to any
    ipfw add deny all from any to any

As for which rule it should be...typically what I do is write down my firewall rules in a separate file, try to make sure that they make sense (allow rules before deny rules, for example), then try them out...always making sure that I have some way into the machine if I'm working remotely! Usually you can let ipfw take care of assigning rule numbers, unless you've got something fairly special going on.

> b) If I want to deny everything except ip 192.168.1.5 as follows
> 00400 allow all from 192.168.1.5 to any
> 01000 deny all from any to any.
>
> when ipfw reads the rules and passes by 00400 then comes to 01000
> then it denies even the 192.168.1.5, although I put this rule before the
> deny? what am I missing? how should I pass 1 IP and deny all?

I'm not sure why that would happen, but you can find out. If you change that deny rule to a deny-and-log rule, like this:

    ipfw add deny log all from any to any

you can then run "tail -f /var/log/security" and see what packets are being caught by the deny rule. You can also run "ipfw show", which will show you how many packets/bytes are being caught by which rules. Again, read the man page for ipfw.

Off the top of my head, I suspect you're allowing traffic out, but not back in -- you haven't listed a rule that would allow replies to TCP traffic back in, or DNS queries. Denying either of these would make it look like nothing is working. Try this:

    allow tcp from 192.168.1.5 to any
    allow udp from 192.168.1.5 to any keep-state
    check-state
    allow tcp from any to any established
    deny all from any to any

> c) If I want rule 00400 to expire at 9PM and be active at 8AM (EXAMPLE),
> how do we do that? is it by setting a cron job to delete and add
> the ipfw rule? or is there something to do from ipfw itself?

As far as I know, you can only do this with a cron job. Test carefully, though -- it's frighteningly easy to lock yourself out while doing this sort of thing. I speak from bitter experience. :-)

> D) Last Q: IF I restart the box all the rules will be reset,
> and come back to the default, which is reasonable.
> How do I keep it every time I restart?
> do I create a file somewhere, and tell my rc.conf about it?
> what should the rc.conf line be? and the file format?

man rc.conf(5) will show you firewall options. What I usually do is write my own and keep it in a separate file -- I find rc.firewall too confusing when trying to customize it. But have a look at /etc/rc.firewall and the "simple" option -- it probably does a lot of what you want.
> Question out of subject,
> How can I do something through a cronjob to make the box email me the
> log of the firewall every day at a certain time, let's say 9PM?

Well, you could just have a script that would, say, grep for today's date in your firewall logs and email that.

Another thing you could consider doing, though, is signing up at dshield.org and using one of their clients to parse your logs. Dshield collects firewall information from volunteers around the world, and uses it to alert people to new or fast-moving threats. It's an excellent idea, and a lot of help to security people. I use ipfw2dshield to parse and mail my logs, and as a bonus I get a copy of the email myself to see if there's anything interesting.

Hope that helps!

Hugh

-- 
Saint Aardvark the Carpeted
aardvark@saintaardvarkthecarpeted.com
Because the plural of Anecdote is Myth.
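Added example, not part of the thread above and not Hugh's or Marwan's code: a shell script that writes the ruleset the reply sketches for questions (a), (b), (c) and (d) into a file in the format a file-valued `firewall_type` in rc.conf expects, together with the rc.conf lines and the crontab lines for the 8AM-9PM window. It assumes ipfw2 syntax (FreeBSD 5.x or later) for the `addr/masklen{list}` address-set form and for rule sets (`set enable`/`set disable`), the interface rl0 and natd port 8668 from Marwan's listing, and that the time-limited host is 192.168.1.5. Deny logging only reaches /var/log/security when the kernel has firewall logging turned on (`net.inet.ip.fw.verbose=1`).

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an ipfw ruleset
# file plus the rc.conf and crontab lines that go with it.
# Assumptions: ipfw2 syntax (FreeBSD 5.x+) for addr-sets like
# 192.168.1.0/24{1-50} and for rule sets; interface rl0; natd on 8668.

# build_rules IFACE ALLOWED
#   Print the ruleset. Allowed hosts get stateful access out, replies come
#   back via check-state/established, and the final rule logs what it drops.
build_rules() {
    iface=$1
    allowed=$2
    cat <<EOF
# ipfw ruleset generated by build_rules for interface $iface
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# divert to natd after the loopback checks, as the default ruleset does
add 400 divert 8668 ip from any to any via $iface
# dynamic (keep-state) entries are matched here before anything else
add 500 check-state
# outbound TCP from the allowed range: only the SYN needs to pass here,
# the reply packets are admitted by the dynamic rule keep-state creates
add 600 allow tcp from $allowed to any setup keep-state
add 700 allow udp from $allowed to any keep-state
# set 1 is switched on/off from cron for the 8AM-9PM window (question c)
add 800 set 1 allow tcp from 192.168.1.5 to any setup keep-state
# established TCP from anywhere, as in the reply above
add 900 allow tcp from any to any established
# log everything else so "tail -f /var/log/security" shows what is dropped
add 65000 deny log ip from any to any
EOF
}

# rc_conf_lines FILE
#   Lines for /etc/rc.conf so the file is loaded at boot (question d).
rc_conf_lines() {
    cat <<EOF
firewall_enable="YES"
firewall_type="$1"
firewall_quiet="YES"
firewall_logging="YES"
EOF
}

# crontab_lines: enable set 1 at 08:00 and disable it at 21:00 (question c)
crontab_lines() {
    cat <<'EOF'
0 8 * * * /sbin/ipfw -q set enable 1
0 21 * * * /sbin/ipfw -q set disable 1
EOF
}

# apply_rules FILE: flush and load the file the way rc.firewall does for a
# file-valued firewall_type. Only runs where ipfw exists (i.e. on FreeBSD).
apply_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -q -f flush && ipfw -q "$1"
    else
        echo "ipfw not found; would run: ipfw -q -f flush; ipfw -q $1" >&2
    fi
}

RULES_FILE=${RULES_FILE:-/tmp/ipfw.rules.$$}   # placeholder; use /etc/ipfw.rules for real
build_rules rl0 '192.168.1.0/24{1-50}' > "$RULES_FILE"
echo "wrote $RULES_FILE"
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "$RULES_FILE"
fi
```

Running it with `APPLY=1 RULES_FILE=/etc/ipfw.rules sh ipfw-rules.sh` from a console session (not over the network, for the reason the reply gives) loads the rules; `ipfw show` afterwards reports the per-rule packet counts, and rule 65000's counter plus /var/log/security tell you what the deny rule is catching.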
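Added example for the last question, not part of the thread and not Hugh's ipfw2dshield setup: a script cron can run at 9PM that pulls today's ipfw lines out of the log, prefixes them with a per-rule, per-source count, and mails the result. It assumes ipfw logs through syslog to /var/log/security (the file the reply names) in the `ipfw: RULE ACTION PROTO SRC DST DIR via IFACE` line format reproduced in the constructed sample below, and that mail(1) is available; the recipient and the script path in the crontab comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: mail today's firewall log
# with a short summary. Crontab line (placeholder path):
#   0 21 * * * /usr/local/sbin/ipfw-report.sh
# Assumptions: ipfw logging via syslog to /var/log/security, the line format
# of the constructed sample below, mail(1) present. Recipient is a placeholder.

LOGFILE=${LOGFILE:-/var/log/security}
MAILTO=${MAILTO:-admin@example.invalid}

# Constructed sample log (not real traffic) so the script runs offline.
SAMPLE_LOG='Feb  3 23:59:50 francisco kernel: ipfw: 65000 Deny TCP 10.0.0.9:4444 192.168.1.5:22 in via rl0
Feb  4 07:26:17 francisco kernel: ipfw: 65000 Deny TCP 10.0.0.9:4445 192.168.1.5:22 in via rl0
Feb  4 08:01:02 francisco kernel: ipfw: 65000 Deny UDP 10.0.0.7:53 192.168.1.5:1025 in via rl0
Feb  4 08:05:40 francisco kernel: ipfw: 65000 Deny TCP 10.0.0.9:4446 192.168.1.5:22 in via rl0
Feb  4 09:00:00 francisco sshd[123]: unrelated line'

# today_prefix: syslog date prefix such as "Feb  4" (day padded with a space)
today_prefix() {
    date '+%b %e'
}

# day_entries PREFIX: ipfw lines for that day, read from stdin
day_entries() {
    grep "^$1 " | grep 'ipfw:'
}

# summarize: count denied packets per rule number and source address
# from ipfw log lines on stdin, most frequent first
summarize() {
    awk '
        /ipfw:/ && / Deny / {
            # fields after "ipfw:": rule action proto src dst direction via iface
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); src = $(i + 4); sub(/:[0-9]+$/, "", src)
            count[rule " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# report PREFIX: summary followed by the full entries, log on stdin
report() {
    prefix=$1
    entries=$(day_entries "$prefix")
    echo "ipfw denies for $prefix (count rule source):"
    printf '%s\n' "$entries" | summarize
    echo
    echo "Full entries:"
    printf '%s\n' "$entries"
}

# deliver: mail the report when SEND=1 and mail(1) exists, else print it
deliver() {
    if [ "${SEND:-0}" = 1 ] && command -v mail >/dev/null 2>&1; then
        mail -s "ipfw report $(today_prefix)" "$MAILTO"
    else
        cat
    fi
}

if [ -r "$LOGFILE" ]; then
    report "$(today_prefix)" < "$LOGFILE" | deliver
else
    echo "$LOGFILE not readable; running on the constructed sample instead" >&2
    printf '%s\n' "$SAMPLE_LOG" | report 'Feb  4' | deliver
fi
```

The summary line is the part worth reading first: a source that shows up with a large count against the deny rule is what you would want to look at (or report through DShield), and the full entries below it are the grep-for-today's-date output the reply describes.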