Date: Wed, 25 Oct 2000 16:53:01 -0400
From: Bill Fumerola <billf@chimesnet.com>
To: "Michelle R. Sanchez, CNE" <msanchez@polyserve.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: question for the freebsd community
Message-ID: <20001025165301.O37870@jade.chc-chimes.com>
In-Reply-To: <39F71657.8855C56D@polyserve.com>; from msanchez@polyserve.com on Wed, Oct 25, 2000 at 10:20:23AM -0700
References: <39F71657.8855C56D@polyserve.com>
On Wed, Oct 25, 2000 at 10:20:23AM -0700, Michelle R. Sanchez, CNE wrote: > 1] is it a good idea to try to put a service monitor on IPFW? If so, > does this compromise the firewall in any way? Yes, it could be beneficial, if its done right it isn't a compromise. > i am not a firewall expert by any means but i think that you would not > want to take this approach. our service monitor tries to connect to the > application once per second or by some user-definable interval. If you wanted to get tricky, you could use icmp response codes to do what you want. Make a rule like: ipfw add unreach host-unknown tcp from somemonitoringmachine to yourfirewall someunusedport# (you can use an unused icmp unreach code for this as well.) open a connection to that machine (on that port) and you should get that icmp message back. you can do this with icmp as well: [hawk-root] /sys/netinet # ipfw sh 00100 0 0 unreach host-prohib icmp from any to 172.16.81.69 icmptype 8 65510 173 14654 allow ip from any to any 65535 0 0 deny ip from any to any [elk-billf] /home/billf > ping hawk PING hawk.internal.chc-chimes.com (172.16.81.69): 56 data bytes 36 bytes from hawk.internal.chc-chimes.com (172.16.81.69): Dest Unreachable, Bad Code: 10 Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 6800 55d4 0 0000 ff 01 ec9f 172.16.81.77 172.16.81.69 36 bytes from hawk.internal.chc-chimes.com (172.16.81.69): Dest Unreachable, Bad Code: 10 Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 6800 58d4 0 0000 ff 01 ec9c 172.16.81.77 172.16.81.69 Tada. If your firewall is "down" then the response wouldn't be a unreach with code 10. This may be considered hackish, but it also may be considered pretty damn slick. > 2] someone once suggested to monitor the port that the 'console' uses to > talk to the firewall if you are trying to configure it remotely. would > this be recommended? does it mean leaving the 'console' up all the time? 
The console is either your VGA/keyboard or a serial console depending on how you configure it. It is wise to either be really good at firewall rules or have some sort of out of band access to the firewall. > 3] is there a configuration that could be made where the firewall would > allow a tcp connection to be made by a specific IP address only - > without any compromise? if so, how can this be done. If you want _just_ those rules do this: ipfw add allow tcp from goodhost to mymachine portnumber setup ipfw add allow tcp from any to any established ipfw add deny tcp from any to mymachine portnumber If you already have rules, those 3 lines will go in different sections of your firewall. -- Bill Fumerola - Network Architect, BOFH / Chimes, Inc. billf@chimesnet.com / billf@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001025165301.O37870>
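Editor's note, added to this archived message and not part of Bill's mail or of ipfw: the monitoring side of the "unreach" trick is easy to get subtly wrong, because a health check that only looks for "some reply" will happily call a rebooted box with no ruleset loaded (a RST from the closed port) healthy. The example below, in Python, does the two checks a monitor should do. First, a dissector for the ICMP destination-unreachable frame that verifies the unreachable really came from the firewall's own address, that the datagram it quotes is our probe (TCP to the probe port on the firewall), that the ICMP checksum is intact, and that the code is the one the rule emits. Second, a probe that needs no raw sockets: a plain connect() to the unused port, classified by the errno the kernel reports. Assumptions not taken from the message: probe port 5555; the addresses 172.16.81.69 (firewall) and 172.16.81.77 (monitor) are reused from Bill's sample output only as constructed test data; and the errno a TCP stack surfaces for a given unreach code is OS-specific (I assume host-unknown shows up as EHOSTUNREACH on FreeBSD and EHOSTDOWN on Linux), so the connect-based classifier accepts the whole unreachable family rather than one value, and uses host-unknown rather than a prohib code, which some stacks report as ECONNREFUSED and which would then be indistinguishable from a RST.

```python
"""Monitor for an ipfw host that answers a dedicated, unused TCP port with
ICMP destination-unreachable (the rule quoted in the message above):
    ipfw add unreach host-unknown tcp from <monitor> to <firewall> <port>
Probe port, addresses and errno mapping are assumptions for this example.
"""
import errno
import socket
import struct

ICMP_DEST_UNREACH = 3
# ICMP type-3 codes keyed by the keyword ipfw's "unreach" action uses for them.
UNREACH_CODES = {
    "net": 0, "host": 1, "protocol": 2, "port": 3, "needfrag": 4, "srcfail": 5,
    "net-unknown": 6, "host-unknown": 7, "isolated": 8, "net-prohib": 9,
    "host-prohib": 10, "tosnet": 11, "toshost": 12, "filter-prohib": 13,
    "host-precedence": 14, "precedence-cutoff": 15,
}
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl tos len id flags/frag ttl proto cksum src dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a message that includes its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp_unreach(frame: bytes) -> dict:
    """Dissect an IPv4 frame carrying ICMP dest-unreachable; ValueError otherwise."""
    if len(frame) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack(IPV4_HDR, frame[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not IPv4/ICMP")
    icmp = frame[(ver_ihl & 0x0F) * 4:]
    if len(icmp) < 8 + 20 + 8:          # ICMP header + quoted IP header + 8 bytes
        raise ValueError("ICMP message too short to quote the offending datagram")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("ICMP type %d is not destination-unreachable" % icmp[0])
    inner = icmp[8:]                    # the datagram the firewall refused: our probe
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:
        raise ValueError("quoted datagram truncated")
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return {"src": socket.inet_ntoa(src), "code": icmp[1], "inner_proto": inner[9],
            "inner_dst": socket.inet_ntoa(inner[16:20]), "inner_dport": dport}


def classify_icmp(frame: bytes, firewall_ip: str, probe_port: int,
                  expected: str = "host-unknown") -> str:
    """Turn a reply to the probe into a monitor verdict."""
    try:
        r = parse_icmp_unreach(frame)
    except ValueError as exc:
        return "unexpected: %s" % exc
    if r["src"] != firewall_ip:
        return "unexpected: unreachable from %s, not from the firewall" % r["src"]
    if r["inner_dst"] != firewall_ip or r["inner_proto"] != 6 or r["inner_dport"] != probe_port:
        return "unexpected: quoted datagram is not our probe"
    if r["code"] != UNREACH_CODES[expected]:
        return "degraded: answered with code %d, ruleset differs from expected" % r["code"]
    return "alive"


def build_unreach_frame(fw_ip: str, monitor_ip: str, code: int, probe_port: int) -> bytes:
    """Constructed sample: the frame the rule emits in reply to a probe SYN."""
    inner_ip = struct.pack(IPV4_HDR, 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           socket.inet_aton(monitor_ip), socket.inet_aton(fw_ip))
    inner_tcp = struct.pack("!HHI", 40000, probe_port, 1)       # sport, dport, seq
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_tcp
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    outer = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(body), 0x55D4, 0, 255, 1, 0,
                        socket.inet_aton(fw_ip), socket.inet_aton(monitor_ip))
    return outer + body


# Errnos a TCP stack reports when an ICMP unreachable kills a pending connect.
# Assumption: host-unknown -> EHOSTUNREACH on FreeBSD, EHOSTDOWN on Linux.
UNREACH_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.EHOSTDOWN}


def classify_connect(err: int) -> str:
    """Map connect_ex()'s result on the probe port to the same verdicts."""
    if err == 0:
        return "down: something accepted the SYN, the unreach rule is not in effect"
    if err in UNREACH_ERRNOS:
        return "alive: kernel received the ICMP unreachable the rule emits"
    if err == errno.ECONNREFUSED:
        return "down: RST came back, host is up but the ruleset is not loaded"
    if err in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK, errno.EINPROGRESS):
        return "down: no answer at all"
    return "unknown: errno %d" % err


def probe_tcp(firewall_ip: str, probe_port: int, timeout: float = 2.0) -> str:
    """Live probe: one SYN to the unused port, then read the kernel's verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return classify_connect(s.connect_ex((firewall_ip, probe_port)))
        except socket.timeout:
            return classify_connect(errno.ETIMEDOUT)


if __name__ == "__main__":
    import sys
    print(probe_tcp(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5555))
```

Run it as `python3 ipfw_probe.py 172.16.81.69 5555` from the monitoring host named in the rule; only that host should get the unreachable, so a second probe from an address the rule does not match doubles as a check that the rule is actually scoped. The ICMP dissector is for the case where the monitor captures traffic itself (libpcap, a span port) rather than trusting the kernel's errno translation; the constructed frame it is tested against is 20 + 36 bytes, matching the "36 bytes from" that ping printed in the message.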