Date:      Tue, 8 Dec 1998 05:06:23 +1300 (NZDT)
From:      Andrew McNaughton <andrew@squiz.co.nz>
To:        Nelson <rjn103s@mgr3.k12.mo.us>
Cc:        security@FreeBSD.ORG
Subject:   Re: 2.2.8 && ipfw? && 1 other ?
Message-ID:  <Pine.BSF.4.05.9812080447060.12456-100000@aniwa.sky>
In-Reply-To: <3.0.6.32.19981207090315.008713e0@204.184.227.125>

On Mon, 7 Dec 1998, Nelson wrote:

> ipfw l
> 
> It only shows the rules list down to   2066

All of your rules are there and working, but the code for displaying them
only handles 1024 entries.  If you look in /usr/src/sbin/ipfw/ipfw.c

These are my diffs from the 2.2.7-RELEASE sources:

root@aniwa# diff /usr/src/sbin/ipfw/ipfw.c.orig /usr/src/sbin/ipfw/ipfw.c
182c182
<               printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt);
---
>               printf("%9lu %11lu ",chain->fw_pcnt,chain->fw_bcnt);
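Review bot: the `%10lu %10lu` to `%9lu %11lu` change does not fix any truncation, because a printf field width is a minimum and a value that needs more digits simply widens its field; what this hunk does is move one column of alignment from the packet counter to the byte counter, which grows faster. If stable columns for large counters are the goal, widening both fields (or sizing them from the largest counter before printing) would be the more robust change, and since it is unrelated to the listing bug it belongs in a separate commit.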
407c407
<       struct ip_fw rules[1024];
---
>       struct ip_fw rules[10240];
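Review bot: raising the fixed array from 1024 to 10240 entries still hard-codes a limit, so `ipfw l` will again silently stop at the new bound once a rule set grows past it, and if, as the indentation suggests, `rules` is a function-local array, a ten-times larger block of `struct ip_fw` now lives on the stack. Consider allocating the buffer with malloc() and retrying with a larger size until the kernel fills less than the whole buffer, or at minimum emit a warning when the buffer comes back completely full so the operator can see the listing is incomplete.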

The first difference is unrelated - it improves on the problem of
truncating display space for the ipfw statistics.  You have to have at
least 2^11 bytes of traffic matching a rule for it to matter.


 
> I am not really sure what the lines in the rc.firewall that contain the
> word "setup" really mean.  Would someone care to help me out with it:)

They apply to TCP connections only and match only the packets that are
sent to establish the connection.

You can set a rule saying

	ipfw allow tcp from any to any established

and it will not on its own allow any connections to be made.

Imagine you want to allow outbound ssh connections.  If you use rules like
this:

	ipfw allow tcp from $myip to any ssh
	ipfw allow tcp from any ssh to $myip

then anyone can connect from the ssh port on their machine to any port on
your machine.  

So if you want to keep statistics about how much traffic
goes through which kinds of services, you might use:

	ipfw allow tcp from $myip to any ssh
	ipfw allow tcp from any ssh to $myip established

Or, if you don't care about the statistics but you want to keep your rule
set simple you might use:

	ipfw allow tcp from any to any established
	ipfw allow tcp from any to $myip ssh

This still requires two rules to enable this one service, but only the
second rule needs to be repeated in order to enable other services.

Andrew McNaughton
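An added model (not part of the original message) of ipfw first-match evaluation, used to compare the three rule sets quoted above: the flag semantics for `setup` and `established` follow ipfw(8), while the addresses, the `$myip` value and the rule set names are constructed for the example.

```python
# Added model (not from the original post) of ipfw first-match evaluation for the
# three rule sets discussed above. Constructed addresses; $myip is substituted.
from collections import namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits
MYIP = "198.51.100.10"                    # constructed stand-in for $myip
Packet = namedtuple("Packet", "src sport dst dport flags")

# Rule fields: (action, src, sport, dst, dport, option); None means "any port".
NAIVE = [("allow", "$myip", None, "any", 22, None),          # from $myip to any ssh
         ("allow", "any", 22, "$myip", None, None)]          # from any ssh to $myip
STATS = [("allow", "$myip", None, "any", 22, None),
         ("allow", "any", 22, "$myip", None, "established")]
SIMPLE = [("allow", "any", None, "any", None, "established"),
          ("allow", "any", None, "$myip", 22, None)]         # from any to $myip ssh

def _host_ok(want, have):
    return want == "any" or (MYIP if want == "$myip" else want) == have

def _flags_ok(option, flags):
    # ipfw(8): "setup" = SYN without ACK; "established" = ACK or RST set.
    if option == "setup":
        return bool(flags & SYN) and not flags & ACK
    if option == "established":
        return bool(flags & (ACK | RST))
    return True

def matches(rule, pkt):
    _, src, sport, dst, dport, option = rule
    return (_host_ok(src, pkt.src) and (sport is None or sport == pkt.sport)
            and _host_ok(dst, pkt.dst) and (dport is None or dport == pkt.dport)
            and _flags_ok(option, pkt.flags))

def verdict(rules, pkt):
    """First matching rule wins; anything unmatched falls to ipfw's default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

if __name__ == "__main__":
    # A fresh SYN *from* port 22 to an arbitrary port on $myip: only the naive set lets it in.
    probe = Packet("203.0.113.5", 22, MYIP, 1234, SYN)
    for name, rules in (("naive", NAIVE), ("stats", STATS), ("simple", SIMPLE)):
        print(f"{name:6} {verdict(rules, probe)}")
```

The `STATS` set still passes the SYN+ACK reply to an outbound ssh connection, because that packet carries the ACK bit, while the bare SYN arriving from port 22 is dropped.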




