From owner-freebsd-ipfw Mon Jul 10 15:00:09 2000
From: Cyrille Lefevre
To: cjclark@alum.mit.edu
Cc: Jennifer Ulrich, freebsd-ipfw@FreeBSD.ORG
Subject: Re: allowing passive ftp through ipfw [LONG]
Date: 10 Jul 2000 23:59:52 +0200
In-Reply-To: "Crist J. Clark"'s message of "Wed, 21 Jun 2000 14:52:55 -0700"
References: <20000621205009.74341.qmail@hotmail.com> <20000621145255.I214@dialin-client.earthlink.net>
Reply-To: clefevre@citeweb.net

"Crist J. Clark" writes:

> On Wed, Jun 21, 2000 at 04:50:09PM -0400, Jennifer Ulrich wrote:

[snip]

> Actually, this would be a good place for keep-state to work. I'm kinda
> surprised that no one has added a keep-state method for FTP. It'd just
> be,
>
> ipfw add 2350 pass tcp from any to x.x.x.x 21 setup keep-state ftp
>
> Right? Creating a dynamic rule that passes traffic from 20 to
> x.x.x.x.
> From how I understand keep-state to work (and it is minimal,
> sorry), it should not be too difficult to do?

could someone who is network aware update /etc/rc.firewall w/ the new ipfw
stuff? and w/ configuration parameters for common services in /etc/rc.conf
such as (considering all is blocked by default):

ipfw_input_interface=empty|input_interface
ipfw_output_interface=empty|output_interface
and/or
ipfw_internal_subnet=empty|subnet:mask
ipfw_external_subnet=empty|subnet:mask
ipfw_internal_address=empty|address
ipfw_external_address=empty|address
ipfw_isp_subnet=subnet:mask
ipfw_allow_icmp_queries=YES|NO
ipfw_allow_igmp_queries=YES|NO
ipfw_allow_bootpc=YES|NO|subnet
ipfw_allow_ftp=YES|NO|addresses
ipfw_allow_passive_ftp=YES|NO|addresses
ipfw_allow_telnet=YES|NO|addresses
ipfw_allow_telnet_proxy_port=port
ipfw_allow_telnet_proxy=YES|NO|addresses
ipfw_allow_dns=YES|NO|addresses
ipfw_allow_finger=YES|NO|addresses
ipfw_allow_www_proxy_port=port
ipfw_allow_www=YES|NO|addresses
ipfw_allow_ftp_proxy_port=port
ipfw_allow_ftp_proxy=YES|NO|addresses
ipfw_allow_pop=YES|NO|addresses
ipfw_allow_ident=YES|NO|addresses
ipfw_allow_news=YES|NO|addresses
ipfw_allow_bootp=YES|NO|addresses
ipfw_allow_ntp=YES|NO|addresses
ipfw_allow_router=YES|NO|addresses
ipfw_allow_icq=YES|NO|addresses
ipfw_allow_traceroute=YES|NO|addresses
etc.

oip="$ipfw_external_address"
if [ -n "$ipfw_external_interface" ]; then
	oif="via $ipfw_external_interface"
fi

etc.

case $ipfw_allow_icmp_queries in
YES)
	$fwcmd add pass icmp from any to ${oip} icmptypes 0,3,5,8,11,12,13,14 $oif
	$fwcmd add pass icmp from ${oip} to any icmptypes 0,3,5,8,11,12,13,14 $oif
	$fwcmd add pass icmp from ${oip} to 224.0.0.0/24 icmptypes 9 $oif
	;;
esac

etc.

I've only one interface (not enough IRQs/slots) for both internal and
external traffic, so I'm not sure about the use of the via rule.

my configuration is probably perfectible, but I'm not really network aware.
maybe these rules (I don't remember all of them :) may help someone to do
this job ?

...
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;
[Cc][Uu][Ss][Tt][Oo][Mm])
	# set these to your network and netmask and ip
	onet= omask= oip=
	inet= imask= iip=
	eval `ifconfig ${firewall_interface} | awk '
		/inet / && i == 0 {
			split($2,a,"."); net=a[1]"."a[2]"."a[3]".0"
			print "onet="net, "omask="$4, "oip="$2
			i++; next
		}
		/inet / && i == 1 {
			split($2,a,"."); net=a[1]"."a[2]"."a[3]".0"
			print "inet="net, "imask="$4, "iip="$2
			i++; next
		}
	'`

	# usual services:
	#     7:echo/tcp/udp(inetd/echo)         -
	#     9:discard/tcp/udp(inetd/discard)   -
	#    13:daytime/tcp/udp(inetd/daytime)   -
	#    19:chargen/tcp/udp(inetd/chargen)   -
	#    21:ftp/tcp(inetd/ftp)               +zzasure.tld
	#    23:telnet/tcp(inetd/telnet)         +zzasure.tld
	#    25:smtp/tcp(sendmail)               +zzsmtp.tld
	#    37:time/tcp/udp(inetd/time)         -
	#    42:name/tcp(named)                  -
	#    53:domain/tcp(named)                (+)
	#    53:domain/udp(named)                +
	#    68:bootpc/udp(dhzzient)             -
	#    79:finger/tcp(inetd/finger)         (+)
	#    80:http/tcp(apache)                 +zzwww.tld/zzproxy.tld
	#  8080:proxy/tcp(apache/squid)          +zzwww.tld/zzproxy.tld
	#   110:pop3/tcp(inetd/pop)              +zzasure.tld
	#   111:sunrpc/tcp/udp(portmap)          -
	#   113:auth/tcp(inetd/ident)            (+)
	#   119:nntp/tcp(innd)                   (+)
	#   123:ntp/udp(xntpd)                   +
	#   512:exec/udp(inetd/exec)             -
	#   513:login/tcp(inetd/login)           -
	#   514:shell/tcp(inetd/shell)           -
	#   514:syslog/udp(syslogd)              -
	#   518:ntalk/udp(inetd/ntalk)           -
	#   520:routed/udp()                     +
	#  4000:icq/udp()                        +
	# 10000:webmin/tcp/udp(perl)             (+zzwww.tld/zzproxy.tld)

	# icmp types:
	#  0:echo reply              3:destination unreachable
	#  4:source quench (slow down)   5:redirect (shorter route)
	#  8:echo                    9:router advertisement
	# 10:router solicitation    11:time exceeded   12:ip header bad
	# 13:timestamp request      14:timestamp reply
	# 15:information request    16:information reply
	# 17:address mask request   18:address mask reply

	# what's this ?
	# ${fwcmd} add 1 deny ip from any to any ipoptions ssrr,lsrr,ts,rr
	# and this ?
	# ${fwcmd} add pass all from 0.0.0.0 to 0.0.0.0

	# Allow icmp queries out in the world
	# allow all
	$fwcmd add pass icmp from any to ${oip} icmptypes 0,3,5,8,11,12,13,14
	$fwcmd add pass icmp from ${oip} to any icmptypes 0,3,5,8,11,12,13,14
	$fwcmd add pass icmp from ${oip} to 224.0.0.0/24 icmptypes 9

	# Allow igmp queries out in the world
	# does not work
	# $fwcmd add pass igmp from ${oip} to 224.0.0.0/24
	# use this instead !
	$fwcmd add pass igmp from any to any

	# Allow any traffic to or from my own net.
	# fw disabled right now.
	# $fwcmd add pass all from ${oip} to ${onet}:${omask}
	# $fwcmd add pass all from ${onet}:${omask} to ${oip}
	# [ "x$iip" != "x" ] &&
	# $fwcmd add pass all from ${inet}:${imask} to any

	# Allow any traffic to or from my ISP
	# allow all
	$fwcmd add pass all from ${oip} to XXX.YYY.0.0/24
	$fwcmd add pass all from XXX.YYY.0.0/24 to ${oip}

	# Allow TCP through if setup succeeded
	# allow all
	$fwcmd add pass tcp from any to any established

	# Allow access to our FTP (+FTPDATA)
	# allow all
	# $fwcmd add pass tcp from any to ${oip} 21 setup
	$fwcmd add pass tcp from any 20 to ${oip} 1024- setup
	# fw disabled right now
	# [ "x$iip" != "x" ] &&
	# $fwcmd add pass tcp from any 20 to ${inet}:${imask} 1024- setup
	# or just some addresses
	$fwcmd add pass tcp from zzasure.tld to ${oip} 21 setup

	# Allow access to our TELNET
	# $fwcmd add pass tcp from any to ${oip} 23 setup
	$fwcmd add pass tcp from zzasure.tld to ${oip} 23 setup

	# Allow setup of incoming email (SMTP)
	# allow all
	# $fwcmd add pass tcp from any to ${oip} 25 setup
	# or just some addresses
	$fwcmd add pass tcp from zzsmtp.tld to ${oip} 25 setup
	$fwcmd add pass tcp from mail.citeweb.net to ${oip} 25 setup
	$fwcmd add pass tcp from hub.freebsd.org to ${oip} 25 setup

	# Allow access to our DNS
	# disabled right now
	# $fwcmd add pass tcp from any to ${oip} 53 setup

	# Allow access to our user information (FINGER)
	# disabled right now
	# $fwcmd add pass tcp from any to ${oip} 79 setup

	# Allow access to our WWW
	# allow all
	# $fwcmd add pass tcp from any to ${oip} 80 setup
	# or just some addresses
	$fwcmd add pass tcp from zzwww.tld to ${oip} 80 setup
	$fwcmd add pass tcp from zzwproxy.tld to ${oip} 80 setup

	# Allow access to our WEBMIN
	# disabled right now
	# $fwcmd add pass tcp from zzwww.tld to ${oip} 10000 setup
	# $fwcmd add pass tcp from zzwproxy.tld to ${oip} 10000 setup

	# Allow access to our POP
	# allow all
	# $fwcmd add pass tcp from any to ${oip} 110 setup
	# or just some addresses
	$fwcmd add pass tcp from zzasure.tld to ${oip} 110 setup

	# Allow access to our IDENT
	# allow all
	$fwcmd add pass tcp from any to ${oip} 113 setup

	# Allow access to our NEWS
	# allow all
	# $fwcmd add pass tcp from any to ${oip} 119 setup

	# Allow setup of outgoing TCP connections only
	# allow all
	$fwcmd add pass tcp from ${oip} to any setup

	# Disallow setup of all other TCP connections
	# deny all
	$fwcmd add deny log tcp from any to any setup

	# Allow BOOTP queries out to the world
	# allow all
	$fwcmd add pass udp from ${oip} 68 to XXX.YYY.0.0/24 67

	# Allow DNS queries out in the world
	# allow all
	$fwcmd add pass udp from any 53 to ${oip}
	$fwcmd add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	# allow all
	$fwcmd add pass udp from any 123 to ${oip}
	$fwcmd add pass udp from ${oip} to any 123

	# Allow ROUTER queries out in the world
	# allow all
	$fwcmd add pass udp from any 520 to ${oip}
	$fwcmd add pass udp from ${oip} to any 520

	# Allow ICQ queries out in the world
	# allow all
	$fwcmd add pass udp from any 4000 to ${oip}
	$fwcmd add pass udp from ${oip} to any 4000

	# Allow traceroute queries out in the world
	# allow all
	$fwcmd add pass udp from any 33400-33499 to ${oip}
	$fwcmd add pass udp from ${oip} to any 33400-33499

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	# just in case, deny all
	${fwcmd} add 65000 deny log all from any to any
	;;
[Cc][Ll][Ii][Ee][Nn][Tt])
...

Cyrille.
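The following is an added example, not code from this thread or from FreeBSD's /etc/rc.firewall: a small generator in the spirit of the rc.conf-style ipfw_* parameters proposed above. It keeps the YES|NO|addresses convention, emits the rules through $fwcmd, and defaults $fwcmd to "echo ipfw" so the generated set can be reviewed offline before it is ever loaded. The parameter names, the use of keep-state on the FTP control port (Crist's suggestion) and every address value are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or rc.firewall): rule generator driven
# by rc.conf-style ipfw_* variables. With fwcmd left unset the rules are
# only printed, which is the safe way to inspect a generated rule set.
# Parameter names and addresses below are constructed assumptions.

fwcmd="${fwcmd:-echo ipfw}"

# YES|NO|addresses handling: YES opens the port from any host, NO (or an
# unset variable) emits nothing, anything else is a space-separated list
# of source hosts or networks. Extra arguments (e.g. keep-state) are
# appended to every emitted rule.
allow_tcp_service() {
    value="$1"; dst="$2"; port="$3"; shift 3
    case "$value" in
        [Yy][Ee][Ss])
            ${fwcmd} add pass tcp from any to "$dst" "$port" setup "$@" ;;
        [Nn][Oo]|"")
            ;;
        *)
            for src in $value; do
                ${fwcmd} add pass tcp from "$src" to "$dst" "$port" setup "$@"
            done ;;
    esac
}

# Build the rule set from the ipfw_* variables; the last rule denies all.
gen_rules() {
    oip="$ipfw_external_address"
    oif=""
    # Quoted test: an unquoted "[ -n $var ]" is true even when $var is empty.
    [ -n "$ipfw_external_interface" ] && oif="via $ipfw_external_interface"

    # Dynamic rules created by keep-state are matched here.
    ${fwcmd} add check-state

    case "$ipfw_allow_icmp_queries" in
        [Yy][Ee][Ss])
            ${fwcmd} add pass icmp from any to "$oip" icmptypes 0,3,5,8,11,12,13,14 $oif
            ${fwcmd} add pass icmp from "$oip" to any icmptypes 0,3,5,8,11,12,13,14 $oif ;;
    esac

    # FTP control connection tracked by a dynamic rule (assumption: keep-state
    # on port 21 as suggested earlier in the thread).
    allow_tcp_service "$ipfw_allow_ftp"    "$oip" 21 keep-state
    allow_tcp_service "$ipfw_allow_telnet" "$oip" 23
    allow_tcp_service "$ipfw_allow_www"    "$oip" 80

    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass tcp from "$oip" to any setup
    ${fwcmd} add deny log tcp from any to any setup
    ${fwcmd} add 65000 deny log all from any to any
}

# Number of rules a configuration produces (handy for sanity checks).
count_rules() { gen_rules | grep -c ' add '; }

# Stand-alone run with a constructed configuration (documentation addresses).
ipfw_external_address="${ipfw_external_address:-192.0.2.1}"
ipfw_allow_icmp_queries="${ipfw_allow_icmp_queries:-YES}"
ipfw_allow_ftp="${ipfw_allow_ftp:-192.0.2.10 192.0.2.11}"
ipfw_allow_www="${ipfw_allow_www:-YES}"
gen_rules
```

Running it with fwcmd unset prints the rules; setting fwcmd=/sbin/ipfw would load them. The deny of all other TCP setups and the final rule 65000 keep the set fail-closed whichever parameters are left empty, which is the property worth checking in the printed output before trusting a generated rc.firewall.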
-- 
home:mailto:clefevre%no-spam@citeweb.net        Remove "%no-spam" to reply to me.
work:mailto:Cyrille.Lefevre%no-spam@edf.fr      Remove "%no-spam" to answer me back.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Jul 14 17:23:52 2000
From: Greg Skafte
Organization: WorldGate Inc
To: freebsd-ipfw@freebsd.org
Subject: ipfw accounting problem? ....
Date: Fri, 14 Jul 2000 18:23:42 -0600
Message-ID: <396FAF0E.9B6EF521@worldgate.ca>

I really haven't started looking into the code .... but should the
checkstate rule show packet accounting matches.....

09000      0       0 check-state
09500  16194 1609751 allow tcp from x.x.x.x to any keep-state out xmit fxp0 setup

yet there are packet matches in the dynamic rules .....

-- 
Email: skafte@worldgate.ca   Voice: +780 413 1910   Fax: +780 421 4929
#575 Sun Life Place * 10123 99 Street * Edmonton, AB * Canada * T5J 3H1
-- --
When things can't get any worse, they simplify themselves by getting a
whole lot worse than complicated. A complete and utter disaster is the
simplest thing in the world; it's preventing one that's complex.
(Janet Morris)

From owner-freebsd-ipfw Fri Jul 14 17:29:27 2000
From: Luigi Rizzo
Message-Id: <200007150030.CAA22244@info.iet.unipi.it>
Subject: Re: ipfw accounting problem? ....
In-Reply-To: <396FAF0E.9B6EF521@worldgate.ca> from Greg Skafte at "Jul 14, 2000 06:23:42 pm"
To: Greg Skafte
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Sat, 15 Jul 2000 02:30:42 +0200 (CEST)

> I really haven't started looking into the code .... but
> should the checkstate rule show packet accounting matches.....

the way it is implemented is to account packets into the
dynamic rules and probably also in the "parent" rule (the one
with "keep-state").

cheers
luigi

> 09000 0 0 check-state
> 09500 16194 1609751 allow tcp from x.x.x.x to any keep-state out xmit
> fxp0 setup
>
> yet there are packet matches in the dynamic rules .....

From owner-freebsd-ipfw Fri Jul 14 17:46:38 2000
From: Greg Skafte
Organization: WorldGate Inc
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw accounting problem? ....
Date: Fri, 14 Jul 2000 18:46:23 -0600
Message-ID: <396FB45F.47307416@worldgate.ca>
References: <200007150030.CAA22244@info.iet.unipi.it>
Luigi Rizzo wrote:
>
> > I really haven't started looking into the code .... but
> > should the checkstate rule show packet accounting matches.....
>
> the way it is implemented is to account packets into the
> dynamic rules and probably also in the "parent" rule (the one
> with "keep-state").

on a 4.X machine I'm only seeing the accounting info in the
dynamic rules, not the parent "keep-state". I'm just wondering
if matches to the "check-state" should have accounting info?

Some people may have issues with packet accounting being done
in the dynamic rules since some of the rules can expire in as
little as 5 seconds (yes the timeout can be adjusted by a
sysctl but ..)

> cheers
> luigi
>
> > 09000 0 0 check-state
> > 09500 16194 1609751 allow tcp from x.x.x.x to any keep-state out xmit
> > fxp0 setup
> >
> > yet there are packet matches in the dynamic rules .....

-- 
Email: skafte@worldgate.ca   Voice: +780 413 1910   Fax: +780 421 4929

From owner-freebsd-ipfw Fri Jul 14 23:38:07 2000
From: Luigi Rizzo
Message-Id: <200007150639.IAA24985@info.iet.unipi.it>
Subject: Re: ipfw accounting problem? ....
In-Reply-To: <396FB45F.47307416@worldgate.ca> from Greg Skafte at "Jul 14, 2000 06:46:23 pm"
To: Greg Skafte
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Sat, 15 Jul 2000 08:39:32 +0200 (CEST)

> > the way it is implemented is to account packets into the
> > dynamic rules and probably also in the "parent" rule (the one
> > with "keep-state").
>
> on a 4.X machine I'm only seeing the accounting info in the
> dynamic rules, not the parent "keep-state". I'm just wondering
> if matches to the "check-state" should have accounting info?

the fact is that you can have multiple places where dynamic rules
are checked so the info you want can still be split over several
different places. Furthermore one check-state match refers to the
whole set of dynamic rules so again the info possibly logged in the
check-state rule is not that significant anyways.

> Some people may have issues with packet accounting being done
> in the dynamic rules since some of the rules can expire in as
> little as 5 seconds (yes the timeout can be adjusted by a
> sysctl but ..)

Well you have to consider that ipfw in general (not only dynamic
rules) was not written for accounting purposes. As an example there
is no way to read&reset a counter atomically, you must always read
the whole ruleset at once, and this requires the whole structure to
be copied at splnet(), etc. etc. -- surely this was not a problem
when rulesets were manually constructed and possibly small. Things
have changed now with dynamic rules and dynamic dummynet pipes where
you can have tens of thousands of entries in the ipfw ruleset.

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
Mobile +39-347-0373137
-----------------------------------+-------------------------------------
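The accounting question in this thread (counters live in the dynamic rules, which expire, and a check-state match says nothing about any one flow) has a practical answer for anyone who wants per-rule totals from ipfw: snapshot "ipfw -d show" periodically and sum the dynamic entries by their parent rule number. The script below is an added example, not code from the thread or from FreeBSD; the embedded sample is a constructed approximation of the 4.x output (static rules, then a "## Dynamic rules:" section) rather than real captured output, and the rule numbers, addresses and counters in it are made up.

```shell
#!/bin/sh
# Added example (not from the thread): aggregate ipfw dynamic-rule counters
# by parent rule so a periodic snapshot of "ipfw -d show" yields per-rule
# totals even though individual dynamic entries expire between snapshots.
# SAMPLE_IPFW_SHOW is constructed data approximating the 4.x output format.

SAMPLE_IPFW_SHOW=$(cat <<'EOF'
09000      0       0 check-state
09500  16194 1609751 allow tcp from 192.0.2.1 to any keep-state out xmit fxp0 setup
65535     12     960 deny ip from any to any
## Dynamic rules:
09500    120   18000 (T 300, # 1) ty 0 tcp, 192.0.2.1 1025 <-> 198.51.100.7 80
09500     40    5600 (T 12, # 2) ty 0 tcp, 192.0.2.1 1026 <-> 198.51.100.9 21
09700      7     700 (T 8, # 3) ty 0 udp, 192.0.2.1 1027 <-> 198.51.100.5 53
EOF
)

# Reads "ipfw -d show" output on stdin and prints one line per parent rule:
#   <rule> <dynamic entries> <packets> <bytes>
sum_dynamic() {
    awk '/^## Dynamic rules/ { dyn = 1; next }
         dyn && NF >= 3 { n[$1]++; pk[$1] += $2; by[$1] += $3 }
         END { for (r in n) printf "%s %d %d %d\n", r, n[r], pk[r], by[r] }' |
    sort
}

# Packet counter of the static (parent) rule itself, for comparison with
# the dynamic totals; as the thread notes, the two need not agree.
static_packets() {
    awk -v rule="$1" '/^## Dynamic rules/ { exit } $1 == rule { print $2; exit }'
}

# Dynamic entries whose remaining lifetime (the "T" value) is below a
# threshold in seconds: their counters will be gone from the next snapshot,
# so the sampling interval must be shorter than this to avoid losing them.
expiring_within() {
    awk -v limit="$1" '/^## Dynamic rules/ { dyn = 1; next }
         dyn && match($0, /\(T [0-9]+/) {
             t = substr($0, RSTART + 3, RLENGTH - 3) + 0
             if (t < limit) print $1, t
         }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_IPFW_SHOW" | sum_dynamic
printf '%s\n' "$SAMPLE_IPFW_SHOW" | expiring_within 30
```

On a live system the pipeline would read from "ipfw -d show" instead of the sample. Because ipfw cannot read and reset a counter atomically, successive snapshots should be treated as monotone counters and differenced, not zeroed in between; and the expiring_within check tells you whether the snapshot interval is short enough relative to the dynamic-rule lifetimes you see.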