From owner-freebsd-ipfw Sun May 14 19:53:48 2000
Date: Sun, 14 May 2000 22:52:36 -0400 (EDT)
From: "Mark W. Krentel"
To: freebsd-ipfw@freebsd.org
Subject: rc.firewall rule 200
Message-Id: <200005150252.WAA07148@dreamscape.com>

The rc.firewall script adds these rules:

    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8

The second rule blocks packets destined for network 127. But doesn't it make more sense to block packets *from* 127.0.0.0/8, that is, packets trying to spoof localhost? I'm wondering if the rule should actually be:

    ${fwcmd} add 200 deny all from 127.0.0.0/8 to any

Also, how does rule 200 (original version) ever get invoked? The packet is not going over loopback because of rule 100. So, why would a machine forward a packet destined for network 127?
--Mark

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon May 15 13:29:34 2000
Date: Mon, 15 May 2000 13:29:19 -0700 (PDT)
From: Archie Cobbs
To: krentel@dreamscape.com (Mark W. Krentel)
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: rc.firewall rule 200
Message-Id: <200005152029.NAA35843@bubba.whistle.com>
In-Reply-To: <200005150252.WAA07148@dreamscape.com> from "Mark W. Krentel" at "May 14, 2000 10:52:36 pm"

Mark W. Krentel writes:
> The rc.firewall script adds these rules:
>
>     ${fwcmd} add 100 pass all from any to any via lo0
>     ${fwcmd} add 200 deny all from any to 127.0.0.0/8

The point of these two rules is to disallow someone on another (locally networked) machine from doing this:

    ifconfig lo0 down delete
    route add 127.0.0.0
    telnet 127.0.0.1

and circumventing your firewall.

-Archie
___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.
*   http://www.whistle.com

From owner-freebsd-ipfw Mon May 15 17:17:51 2000
Date: Mon, 15 May 2000 20:16:43 -0400 (EDT)
From: "Mark W. Krentel"
To: archie@whistle.com
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: rc.firewall rule 200
Message-Id: <200005160016.UAA02420@dreamscape.com>

> The point of these two rules is to disallow someone on another
> (locally networked) machine from doing this:
>
>     ifconfig lo0 down delete
>     route add 127.0.0.0
>     telnet 127.0.0.1

Ok, good point. But this attack can only be launched from one hop away, right? A legitimate machine would not forward a packet destined for 127.0.0.1, so the attacker has to be one hop away.

But my original question still stands. Isn't it equally important to block packets from 127.0.0.0/8 that are not over loopback? On the gateway machine for a local network, you would certainly block spoofing of the network's internal addresses. And indeed, the "simple" type in rc.firewall does this. So, don't you also want to block spoofing of 127.0.0.1?
--Mark

From owner-freebsd-ipfw Mon May 15 17:35:40 2000
Date: Mon, 15 May 2000 17:35:31 -0700 (PDT)
From: Archie Cobbs
To: krentel@dreamscape.com (Mark W. Krentel)
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: rc.firewall rule 200
Message-Id: <200005160035.RAA53894@bubba.whistle.com>
In-Reply-To: <200005160016.UAA02420@dreamscape.com> from "Mark W. Krentel" at "May 15, 2000 08:16:43 pm"

Mark W. Krentel writes:
> > The point of these two rules is to disallow someone on another
> > (locally networked) machine from doing this:
> >
> >     ifconfig lo0 down delete
> >     route add 127.0.0.0
> >     telnet 127.0.0.1
>
> Ok, good point. But this attack can only be launched from one hop
> away, right? A legitimate machine would not forward a packet destined
> for 127.0.0.1, so the attacker has to be one hop away.

Right.

> But my original question still stands. Isn't it equally important to
> block packets from 127.0.0.0/8 that are not over loopback? On the

It's not equally important because your machine would normally not reply to any such packet, where in the other case it would. So it's actually less important to block than "normally source addressed" packets, from a security point of view...
However, from a network cleanliness/sanity point of view, sure it's probably a good idea to block them, along with RFC 1918 addresses, etc.

-Archie
___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com

From owner-freebsd-ipfw Fri May 19 15:35:29 2000
Date: Sat, 20 May 2000 00:36:40 +0200 (CEST)
From: Joshua Goodall
To: "Mark W. Krentel"
Cc: archie@whistle.com, freebsd-ipfw@FreeBSD.ORG
Subject: Re: rc.firewall rule 200
In-Reply-To: <200005160016.UAA02420@dreamscape.com>

On Mon, 15 May 2000, Mark W. Krentel wrote:
> Ok, good point. But this attack can only be launched from one hop
> away, right? A legitimate machine would not forward a packet destined
> for 127.0.0.1, so the attacker has to be one hop away.

On a typical cable modem network that's still a great many "potentially hostile" hosts.

> So, don't you also want to block spoofing of 127.0.0.1?

I don't know about others on this list, but I'm taking your suggestion and adding it to my ruleset. Caveat emptor applies of course, but nothing broke immediately.
- J

From owner-freebsd-ipfw Sat May 20 15:00:51 2000
Date: Sat, 20 May 2000 18:00:30 -0400
From: Michael Feld
To: freebsd-ipfw@freebsd.org
Subject: IPFW Ruleset help

Hi there all...

I'm new to this list. I have a static IP and a private network behind a dual-homed FreeBSD box, and I need a set of basic IPFW rules. The following rules don't work, and basically block off all access from inside out. Does anyone have a basic set they could post or could someone tell me how to fix these? I'm naked to the world here, so any help would be appreciated. This ruleset is clearly not complete, but I was hoping I might get a little aid in setting things up. Thanks!!!
Michael

    00100 divert 8668 ip from any to any via ep0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00500 allow tcp from any to 22 setup
    00600 allow udp from to any 53
    00700 allow udp from any 53 to
    00800 allow udp from 192.168.151.0/24 to any 53
    00900 allow udp from any 53 to 192.168.151.0/24
    02000 allow tcp from any to any established
    65100 deny log tcp from any to any in recv setup
    65200 allow tcp from any to any setup
    65535 deny ip from any to any

From owner-freebsd-ipfw Sat May 20 18:54:01 2000
Date: Sat, 20 May 2000 21:52:38 -0400
From: "Crist J. Clark"
Reply-To: cjclark@home.com
To: Michael Feld
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW Ruleset help
Message-ID: <20000520215237.E93357@cc942873-a.ewndsr1.nj.home.com>

On Sat, May 20, 2000 at 06:00:30PM -0400, Michael Feld wrote:
> HI there all...
>
> I'm new to this list. I have a static IP and a private network
> behind a dual-homed free-bsd box, and I need a set of basic IPFW
> rules. The following rules don't work, and basically block off all
> access from inside out. Does anyone have a basic set they could post
> or could someone tell me how to fix these?
> I'm naked to the world
> here, so any help would be appreciated. This ruleset is clearly not
> complete, but I was hoping I might get a little aid in setting things
> up. Thanks!!!

A few comments...

> 00100 divert 8668 ip from any to any via ep0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00500 allow tcp from any to 22 setup
> 00600 allow udp from to any 53

If you trust your own network, why bother restricting anything out? I would only suggest that you filter your own to prevent spoofing,

    00600 allow ip from to any

And for the internal interface,

    00650 allow ip from 192.168.151.0/24 to any via
    00660 allow ip from to 192.168.151.0/24

> 00700 allow udp from any 53 to

These two covered by other rules. Remove.

> 00800 allow udp from 192.168.151.0/24 to any 53
> 00900 allow udp from any 53 to 192.168.151.0/24

I'd put this at the top. It will be hit the most.

> 02000 allow tcp from any to any established

Why add,

> 65100 deny log tcp from any to any in recv setup
                     ^^^^^^^^^^^^^^^^^^^^^^^
Log 'em all! It would help catch any errors.

This one? Guess it's just been left in.

> 65200 allow tcp from any to any setup
> 65535 deny ip from any to any

-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
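The two threads above turn on ipfw's first-match semantics: rule 200 as shipped (deny to 127.0.0.0/8) stops Archie's routed-loopback attack but says nothing about a packet whose *source* claims to be 127.0.0.1, while Mark's variant (deny from 127.0.0.0/8) does the reverse, and Crist's advice for the dual-homed box is the same idea applied to the gateway's own and internal addresses arriving on the outside interface. The model below is an added example written for this page, not code from the thread, from rc.firewall or from FreeBSD. It evaluates the subset of ipfw syntax the thread uses (pass/deny, from/to, in, via) in rule-number order and reports which rule a constructed packet hits under each ruleset. Interface names ext0 and int0, the gateway address 203.0.113.10, the attacker addresses, rule number 210 for Mark's variant, and the trailing pass rule 65000 (standing in for whatever permissive rules a real ruleset has after the anti-spoofing block) are all assumptions; the thread names none of them.

```python
"""Toy first-match evaluator for the ipfw(8) rules discussed in the thread.

Added example for this page, not code from the thread or from FreeBSD.
Interface names, addresses and rule numbers other than 100/200 are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    iface: str      # interface the packet is seen on
    direction: str  # "in" (received) or "out" (being transmitted)


def _in_net(addr: str, spec: str) -> bool:
    """ipfw address spec: 'any' matches everything, else a host or CIDR."""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "pass" or "deny"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None  # None matches both in and out
    via: Optional[str] = None        # None matches any interface

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.via is not None and self.via != pkt.iface:
            return False
        return _in_net(pkt.src, self.src) and _in_net(pkt.dst, self.dst)


DEFAULT = Rule(65535, "deny")  # ipfw's built-in final rule


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, rule number) of the first rule that matches, ipfw-style."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return DEFAULT.action, DEFAULT.number


# Rules from the thread; 210 and 65000 are assumed numbers.
LOOPBACK_PASS = Rule(100, "pass", via="lo0")                # rc.firewall rule 100
DENY_TO_LOOPBACK = Rule(200, "deny", dst="127.0.0.0/8")     # rc.firewall rule 200 as shipped
DENY_FROM_LOOPBACK = Rule(210, "deny", src="127.0.0.0/8")   # Mark's suggested variant
PASS_REST = Rule(65000, "pass")                              # whatever permissive rules follow

RC_FIREWALL = [LOOPBACK_PASS, DENY_TO_LOOPBACK, PASS_REST]
MARKS_VARIANT = [LOOPBACK_PASS, DENY_FROM_LOOPBACK, PASS_REST]
BOTH = [LOOPBACK_PASS, DENY_TO_LOOPBACK, DENY_FROM_LOOPBACK, PASS_REST]

# Dual-homed gateway, per Crist's suggestion: drop your own address and the
# internal network when they arrive on the outside interface. Assumed values.
GATEWAY_IP = "203.0.113.10"
INTERNAL_NET = "192.168.151.0/24"
GATEWAY = BOTH + [
    Rule(300, "deny", src=INTERNAL_NET, direction="in", via="ext0"),
    Rule(310, "deny", src=GATEWAY_IP, direction="in", via="ext0"),
]

# Constructed packets.
LOCAL = Packet("127.0.0.1", "127.0.0.1", "lo0", "in")           # ordinary loopback traffic
ARCHIE = Packet("192.0.2.7", "127.0.0.1", "ext0", "in")         # neighbour routes 127/8 at us
SPOOF_LO = Packet("127.0.0.1", GATEWAY_IP, "ext0", "in")        # source claims to be localhost
SPOOF_INT = Packet("192.168.151.4", GATEWAY_IP, "ext0", "in")   # internal address from outside
LEGIT_INT = Packet("192.168.151.4", "198.51.100.5", "int0", "in")  # real inside host going out

if __name__ == "__main__":
    rulesets = [("rc.firewall", RC_FIREWALL), ("Mark's variant", MARKS_VARIANT),
                ("both", BOTH), ("gateway", GATEWAY)]
    packets = [("loopback", LOCAL), ("Archie's attack", ARCHIE), ("spoofed lo src", SPOOF_LO),
               ("spoofed internal", SPOOF_INT), ("legit internal", LEGIT_INT)]
    for rname, rules in rulesets:
        for pname, pkt in packets:
            print(f"{rname:15} {pname:17} -> {decide(rules, pkt)}")
```

Running it shows the gap each side of the thread was pointing at: under the shipped rules Archie's packet dies at 200 but the spoofed-loopback source sails through to 65000; under Mark's variant alone the spoofed source dies at 210 but Archie's packet reaches 65000. Keeping both rules, after rule 100 so genuine lo0 traffic is never touched, closes both holes, and the gateway rules at 300/310 do the same for the addresses Crist says to filter.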