From owner-freebsd-security Fri Oct 6 19:42:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from allmaui.com (server25.aitcom.net [208.234.0.10]) by hub.freebsd.org (Postfix) with ESMTP id A003337B502 for ; Fri, 6 Oct 2000 19:42:08 -0700 (PDT)
Received: from allmaui.com (c756043-a.stcla1.sfba.home.com [24.20.23.203]) by allmaui.com (8.8.8/8.8.5) with ESMTP id WAA15545; Fri, 6 Oct 2000 22:42:00 -0400
Message-ID: <39DE8D1B.923D86DF@allmaui.com>
Date: Fri, 06 Oct 2000 19:40:27 -0700
From: Craig Cowen
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Gerhard Sittig , "freebsd-security@FreeBSD.ORG"
Subject: Re: Default Deny
References: <200010060056.LAA11152@cairo.anu.edu.au> <39DCC1CB.5FDD7F90@allmaui.com> <20001006204807.M31338@speedy.gsinet>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I appreciate your response and your questions. Yes, I did compile and install. You sound like me talking to my users at work.
ipf -V:

ipf: IP Filter: v3.4.8 (264)
Kernel: IP Filter: v3.4.8
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0

Hopefully paranoia hasn't ruined this.

ipfstat -in

@1 pass in on lo0 proto tcp from 127.0.0.1/32 to 127.0.0.1/32
@2 pass in on lo0 proto udp from 127.0.0.1/32 to 127.0.0.1/32
@3 pass in on lo0 proto icmp from 127.0.0.1/32 to 127.0.0.1/32
@4 block in log on xl0 proto tcp from 134.122.0.0/16 to publicinterface/32   # these 3 lines are to keep the guys at work out explicitly
@5 block in log on xl0 proto udp from 134.122.0.0/16 to publicinterface/32
@6 block in log on xl0 proto icmp from 134.122.0.0/16 to publicinterface/32
@7 block in log on xl0 proto tcp from any to publicinterface/32
@8 block in log on xl0 proto udp from any to publicinterface/32
@9 block in log on xl0 proto icmp from any to publicinterface/32
@10 pass in on xl0 proto tcp from desktop@work/32 to publicinterface/32
@11 pass in on xl0 proto udp from desktop@work/32 to publicinterface/32
@12 pass in on xl0 proto icmp from desktop@work/32 to publicinterface/32
@13 pass in on dc0 proto tcp from 192.168.1.0/24 to any keep state
@14 pass in on dc0 proto udp from 192.168.1.0/24 to any keep state
@15 pass in on dc0 proto icmp from 192.168.1.0/24 to any keep state

ipfstat -on

@1 pass out on lo0 proto tcp from 127.0.0.1/32 to 127.0.0.1/32
@2 pass out on lo0 proto udp from 127.0.0.1/32 to 127.0.0.1/32
@3 pass out on lo0 proto icmp from 127.0.0.1/32 to 127.0.0.1/32
@4 pass out log quick proto tcp from publicinterface/32 to any keep state   # This is necessary to allow me to surf out from my firewall box
@5 pass out log quick proto udp from publicinterface/32 to any keep state   # with these commented out I am still able to surf from inside
@6 pass out log quick proto icmp from publicinterface/32 to any keep state
@7 pass out on dc0 proto tcp from 192.168.1.0/24 to 192.168.1.0/24
@8 pass out on dc0 proto udp from 192.168.1.0/24 to 192.168.1.0/24
@9 pass out on dc0 proto icmp from 192.168.1.0/24 to 192.168.1.0/24

I use this to reload my settings after changes:

#!/bin/sh
# disable the filter, flush every rule, load the new rule set and re-enable
ipf -D
ipf -Fa -f /etc/ipf.conf -E
# flush and reload the NAT rules
ipnat -CF -f /etc/ipnat.conf

I have read the howto; that is how I got this far. I was a little shocked when I saw the results of being able to surf.

Thanks for your help,
Craig

Gerhard Sittig wrote:
> On Thu, Oct 05, 2000 at 18:00 +0000, Craig Cowen wrote:
> >
> > [ ... you reminded us of your previous post ... ]
> >
> > I have set up ipf with options IPFILTER_DEFAULT_BLOCK in my
> > kernel. When using ipnat, I have 'pass in on (private
> > interface) from 192.168.0.0/24 to any keep state' in my rules.
>
> If this rule is a citation, you should have gotten it rejected by
> ipf. As soon as you want to "keep state" you have to specify one
> of the tcp / udp / icmp protocols (don't know right now if "from
> IP" will work with a specified protocol, either).
>
> If this was off your mind, please make sure you tell us about
> your setup correctly; until then nobody could really help.
>
> > I have no rules specified for the public interface.
> > The boxen behind the firewall can surf.
>
> If *this* works, I could see a chance for
> - ipf not being active at all or
> - ipf being absolutely open
>
> Did you build the kernel after setting IPFILTER_DEFAULT_BLOCK (no
> kidding here), did you install it, did you boot it? What does
> 'ipf -V' tell you? What does 'ipfstat -in; ipfstat -on' tell
> you? Editing config files is one thing, loading these settings is
> another. That's why one always asks the system about its vision
> and not the admin about his intention. :)
>
> Have you read the ipf howto? It's very comprehensive and
> helpful, even for those not employing ipfilter. It has lots of
> basics, too, and should be recommended reading for anyone setting
> up a packet filter.
>
> virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
> Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
> --
> If you don't understand or are scared by any of the above
> ask your parents or an adult to help you.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
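An added example, not part of this mail or of IPFilter itself: a small simulator of how ipf walks a rule list, where the last matching rule wins unless a matching rule is marked "quick". It parses lines in the same shape as the "ipfstat -in" output above; the addresses are constructed, with 203.0.113.5 standing in for "publicinterface" and 134.122.7.9 for "desktop@work".

```python
"""Added example (not from the mail): simulate IPFilter's rule search,
where the LAST matching rule wins unless a matching rule is 'quick',
over an ipfstat-style listing.  Addresses are constructed: 203.0.113.5
stands in for 'publicinterface', 134.122.7.9 for 'desktop@work'."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^@\d+\s+(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?"
    r"(?:\s+(?P<quick>quick))?(?:\s+on\s+(?P<iface>\S+))?\s+proto\s+"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)")

def parse_rules(listing):
    """Parse 'ipfstat -in' / 'ipfstat -on' lines; '#' starts a comment."""
    rules = []
    for line in listing.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unparsed rule: " + line)
            r = m.groupdict()
            r["src"], r["dst"] = [None if t == "any" else ipaddress.ip_network(t)
                                  for t in (r["src"], r["dst"])]
            rules.append(r)
    return rules

def _matches(r, direction, iface, proto, src, dst):
    if r["dir"] != direction or r["proto"] != proto:
        return False
    if r["iface"] and r["iface"] != iface:      # no 'on' => any interface
        return False
    return all(net is None or ipaddress.ip_address(a) in net
               for net, a in ((r["src"], src), (r["dst"], dst)))

def verdict(rules, direction, iface, proto, src, dst):
    """'pass' or 'block'; no match => 'block' (IPFILTER_DEFAULT_BLOCK)."""
    result = "block"
    for r in rules:
        if _matches(r, direction, iface, proto, src, dst):
            result = r["action"]        # later matches override earlier ones
            if r["quick"]:              # quick: stop at this match
                break
    return result

# Constructed tcp-only subset of the poster's inbound list.
INBOUND = """\
@4 block in log on xl0 proto tcp from 134.122.0.0/16 to 203.0.113.5/32
@7 block in log on xl0 proto tcp from any to 203.0.113.5/32
@10 pass in on xl0 proto tcp from 134.122.7.9/32 to 203.0.113.5/32
@13 pass in on dc0 proto tcp from 192.168.1.0/24 to any keep state
"""
```

Run against INBOUND, a packet from the work desktop passes because @10 is the last match even though @4 and @7 both block it, while any other host in 134.122.0.0/16 or elsewhere is blocked.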