From owner-freebsd-ipfw Sun Nov 28 00:17:06 1999
From: chuck sumner <chuck@2inches.com>
Date: Sun, 28 Nov 1999 00:17:01 -0800
To: freebsd-ipfw@freebsd.org
Subject: IPFW and NATD

Hi

Do I need to use NATD with IPFW? I tried using IPFW without NATD and all
connections were denied, incoming or outgoing. I enabled IPFW in the kernel
and specified a CLIENT firewall type in rc.conf.

Another thing is this: I'm not sure what these variables should be in
rc.firewall:

    # set these to your network and netmask and ip
    net="xxx.xxx.xxx.xxx."
    mask="255.255.255.0"
    ip="xxx.xxx.xxx.xxx"

I have a chain of 6 IP addresses on my DSL line, so I don't know how to
specify that in the net and mask variables. How can I figure that out?

Thank you.

Chuck

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Date: 29 Nov 1999 13:59:05 +0100
To: Tony Landells
Cc: hackers@FreeBSD.ORG
Subject: Re: new IPFW
References: <199911242152.IAA26077@tungsten.austclear.com.au>
In-Reply-To: Tony Landells's message of "Thu, 25 Nov 1999 08:52:28 +1100"

[moving from -ipfw and -arch to -hackers]

Tony Landells writes:
> One concern I would have with that is that there are a lot of tools
> built on BPF that I would prefer to not be able to run on the firewall.

Don't confuse BPF with promiscuous mode. BPF is simply a programmable
packet filter and does not in and of itself represent a security risk.
Promiscuous mode allows a host to capture packets not destined to itself,
and may represent a security risk on shared media networks (e.g. 10Base2,
unswitched 10BaseT).

The attached patch prevents switching into promiscuous mode when running
in "Network secure mode" (securelevel 3 or higher).

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

Index: if.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if.c,v
retrieving revision 1.77
diff -u -r1.77 if.c
--- if.c	1999/11/22 02:44:51	1.77
+++ if.c	1999/11/29 12:52:07
@@ -908,6 +908,8 @@
 	int error;
 
 	if (pswitch) {
+		if (securelevel >= 3)
+			return (EPERM);
 		/*
 		 * If the device is not configured up, we cannot put it in
 		 * promiscuous mode.

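Review bot: the new check `if (securelevel >= 3) return (EPERM);` sits inside `if (pswitch) {`, so it only refuses to turn promiscuous mode on; an interface that was already promiscuous when the securelevel was raised keeps capturing, and the covering note ("prevents switching into promiscuous mode") should say so explicitly so nobody reads it as "no promiscuous capture at securelevel 3". A one-line comment above the new check stating why level 3 is the threshold would help the next reader, and the securelevel description in init(8) needs a matching sentence, since callers that previously succeeded will now get an otherwise unexplained EPERM.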

From: Gregory Bond <gnb@itga.com.au>
Date: Thu, 02 Dec 1999 09:44:55 +1100
To: freebsd-ipfw@FreeBSD.ORG
Subject: ipfw and ip aliases not working?

Either I'm very confused (not impossible!!) or IPFW is busted.

I have an interface with 2 ip addresses (we are in the process of changing
ISPs...)

bash-2.03$ ifconfig fxp0
fxp0: flags=8843 mtu 1500
        inet 192.83.119.129 netmask 0xfffffff0 broadcast 192.83.119.143
        inet 202.53.40.210 netmask 0xfffffff8 broadcast 202.53.40.215
        ether 00:90:27:4c:ea:bc
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP
bash-2.03$

I have ipfw rules that are supposed to allow any arbitrary incoming & outgoing
tcp sessions to this host on either IP address:

        15000 13 604 allow tcp from any to 192.83.119.129 via fxp0 setup
        15100 869 38236 allow tcp from 192.83.119.129 to any via fxp0 setup

        15800 0 0 allow tcp from any to 203.53.40.210 via fxp0 setup
        15900 0 0 allow tcp from 203.53.40.210 to any via fxp0 setup

        29000 2 80 deny log tcp from any to any setup

As you can see, this works for the 192.83 address, but does not work for the
203.53 address, and I get kernel messages like:

        Dec 2 09:16:06 ns /kernel: ipfw: 29000 Deny TCP 192.160.13.9:4251 202.53.40.210:25 in via fxp0
        Dec 2 09:16:11 ns /kernel: ipfw: 29000 Deny TCP 192.160.13.9:4251 202.53.40.210:25 in via fxp0

But AFAICT this error message exactly matches rule 15800!

[The same thing is also happening with UDP packets.]

Any clues?

Greg.

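A sanity check a firewall administrator could run over exactly this situation, added here as an example and not code from the thread or from FreeBSD: it parses the ifconfig output, the ipfw rule list and the kernel deny line quoted in the post above (embedded as constants so it runs offline), reports every rule whose literal host address is not configured on the interface its `via` clause names together with the nearest configured address, and confirms whether a logged deny was for one of the host's own addresses. The regular expressions only cover the rule and log formats seen in this post, and the mask-to-prefix conversion assumes the hex netmask form ifconfig printed here.

```python
"""Cross-check an ipfw rule set against the addresses actually configured
on the box (added example; the three constants below are the ifconfig
output, rule list and kernel log line quoted in the post above)."""
import re
from ipaddress import IPv4Interface

IFCONFIG = """\
fxp0: flags=8843 mtu 1500
        inet 192.83.119.129 netmask 0xfffffff0 broadcast 192.83.119.143
        inet 202.53.40.210 netmask 0xfffffff8 broadcast 202.53.40.215
        ether 00:90:27:4c:ea:bc
"""

RULES = """\
15000 13 604 allow tcp from any to 192.83.119.129 via fxp0 setup
15100 869 38236 allow tcp from 192.83.119.129 to any via fxp0 setup
15800 0 0 allow tcp from any to 203.53.40.210 via fxp0 setup
15900 0 0 allow tcp from 203.53.40.210 to any via fxp0 setup
29000 2 80 deny log tcp from any to any setup
"""

LOG = """\
Dec 2 09:16:06 ns /kernel: ipfw: 29000 Deny TCP 192.160.13.9:4251 202.53.40.210:25 in via fxp0
"""

ADDR_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"  # dotted-quad IPv4 literal


def local_addresses(ifconfig_text):
    """Map interface name -> set of IPv4Interface parsed from ifconfig output.
    The hex netmask is converted to a prefix length by counting its set bits."""
    addrs, iface = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            iface = head.group(1)
            addrs.setdefault(iface, set())
            continue
        inet = re.match(r"\s*inet " + ADDR_RE + r" netmask 0x([0-9a-fA-F]{8})", line)
        if inet and iface:
            prefix = bin(int(inet.group(2), 16)).count("1")
            addrs[iface].add(IPv4Interface(f"{inet.group(1)}/{prefix}"))
    return addrs


def parse_rules(rules_text):
    """Parse 'ipfw -a list' style lines: number, packet and byte counters,
    action, optional 'log', protocol, from/to, then trailing options."""
    pat = re.compile(r"\s*(\d+)\s+\d+\s+\d+\s+(\w+)(?:\s+log)?\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)(.*)$")
    rules = []
    for line in rules_text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        num, action, proto, src, dst, rest = m.groups()
        via = re.search(r"\bvia\s+(\w+)", rest)
        rules.append({"num": int(num), "action": action, "proto": proto, "src": src,
                      "dst": dst, "via": via.group(1) if via else None})
    return rules


def octet_distance(a, b):
    """Number of octets in which two dotted quads differ (1 == likely typo)."""
    return sum(x != y for x, y in zip(a.split("."), b.split(".")))


def misconfigured_rules(ifconfig_text, rules_text):
    """Return (rule number, literal address, nearest configured address) for
    every rule whose literal host address is not configured on the interface
    named by its 'via' clause."""
    addrs = local_addresses(ifconfig_text)
    findings = []
    for rule in parse_rules(rules_text):
        if rule["via"] not in addrs:
            continue  # no 'via', or an interface we have no ifconfig data for
        configured = {str(i.ip) for i in addrs[rule["via"]]}
        for literal in (rule["src"], rule["dst"]):
            if not re.fullmatch(ADDR_RE, literal) or literal in configured:
                continue  # 'any', a subnet, a host name, or a correct address
            nearest = min(configured, key=lambda c: octet_distance(literal, c))
            findings.append((rule["num"], literal, nearest))
    return findings


def denied_to_local(log_text, ifconfig_text):
    """For each 'ipfw: N Deny' kernel log line, return (rule number, dst)
    when the denied destination is one of this host's own addresses, which
    points at the rule set rather than at stray traffic."""
    local = {str(i.ip) for s in local_addresses(ifconfig_text).values() for i in s}
    pat = re.compile(r"ipfw: (\d+) Deny \w+ " + ADDR_RE + r":\d+ " + ADDR_RE + r":\d+")
    hits = []
    for line in log_text.splitlines():
        m = pat.search(line)
        if m and m.group(3) in local:
            hits.append((int(m.group(1)), m.group(3)))
    return hits


if __name__ == "__main__":
    for num, literal, nearest in misconfigured_rules(IFCONFIG, RULES):
        print(f"rule {num}: {literal} is not on its interface (nearest configured: {nearest})")
    for num, dst in denied_to_local(LOG, IFCONFIG):
        print(f"rule {num} denied a packet to local address {dst}")
```

Run against the data above it flags rules 15800 and 15900 as naming an address that is one octet away from a configured one, and reports that rule 29000 denied traffic to a local address; in practice the constants would be replaced by the live output of `ifconfig`, `ipfw -a list` and the kernel log.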

From: Archie Cobbs <archie@whistle.com>
Date: Wed, 1 Dec 1999 16:33:39 -0800 (PST)
To: gnb@itga.com.au (Gregory Bond)
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and ip aliases not working?
Message-Id: <199912020033.QAA45418@bubba.whistle.com>
In-Reply-To: <199912012244.JAA01083@lightning.itga.com.au> from Gregory Bond at "Dec 2, 1999 09:44:55 am"

Gregory Bond writes:
> 15800 0 0 allow tcp from any to 203.53.40.210 via fxp0 setup
> 15900 0 0 allow tcp from 203.53.40.210 to any via fxp0 setup
>
> 29000 2 80 deny log tcp from any to any setup
>
> As you can see, this works for the 192.83 address, but does not work for the
> 203.53 address, and I get kernel messages like:
>
> Dec 2 09:16:06 ns /kernel: ipfw: 29000 Deny TCP 192.160.13.9:4251 202.53.40.210:25 in via fxp0
> Dec 2 09:16:11 ns /kernel: ipfw: 29000 Deny TCP 192.160.13.9:4251 202.53.40.210:25 in via fxp0
>
> But AFAICT this error message exactly matches rule 15800!

What's happening is that you're receiving non-zero offset fragments of TCP
packets, in which case rule 15800 does not apply because of the 'setup'
keyword. So they don't match until rule 29000.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com

From: Eric Cholet <cholet@logilune.com>
Organization: Logilune
Date: Thu, 2 Dec 1999 01:37:29 +0100
To: Gregory Bond
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and ip aliases not working?
Message-Id: <99120201385000.08115@antigone.logilune.com>
References: <199912012244.JAA01083@lightning.itga.com.au>

ifconfig output uses 202.53.40.215
ipfw output uses     203.53.40.215
                      ^
:-)

Eric

On Wed, 01 Dec 1999, Gregory Bond wrote:
> Either I'm very confused (not impossible!!) or IPFW is busted.
>
> I have an interface with 2 ip addresses (we are in the process of changing
> ISPs...)
>
> bash-2.03$ ifconfig fxp0
> fxp0: flags=8843 mtu 1500
>         inet 192.83.119.129 netmask 0xfffffff0 broadcast 192.83.119.143
>         inet 202.53.40.210 netmask 0xfffffff8 broadcast 202.53.40.215
>         ether 00:90:27:4c:ea:bc
>         media: autoselect (10baseT/UTP) status: active
>         supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP
> bash-2.03$
>
> I have ipfw rules that are supposed to allow any arbitrary incoming & outgoing
> tcp sessions to this host on either IP address:
>
>         15000 13 604 allow tcp from any to 192.83.119.129 via fxp0 setup
>         15100 869 38236 allow tcp from 192.83.119.129 to any via fxp0 setup
>
>         15800 0 0 allow tcp from any to 203.53.40.210 via fxp0 setup
>         15900 0 0 allow tcp from 203.53.40.210 to any via fxp0 setup
>
>         29000 2 80 deny log tcp from any to any setup
>
> As you can see, this works for the 192.83 address, but does not work for the
> 203.53 address, and I get kernel messages like:
>
>         Dec 2 09:16:06 ns /kernel: ipfw: 29000 Deny TCP 192.160.13.9:4251 202.53.40.210:25 in via fxp0
>         Dec 2 09:16:11 ns /kernel: ipfw: 29000 Deny TCP 192.160.13.9:4251 202.53.40.210:25 in via fxp0
>
> But AFAICT this error message exactly matches rule 15800!
>
> [The same thing is also happening with UDP packets.]
>
> Any clues?
>
> Greg.
-- 
Eric Cholet

From: Gregory Bond <gnb@itga.com.au>
Date: Thu, 02 Dec 1999 11:55:44 +1100
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and ip aliases not working?
Message-Id: <199912020055.LAA05878@lightning.itga.com.au>
In-reply-to: Your message of Thu, 02 Dec 1999 09:44:55 +1100.

I wrote:
> Either I'm very confused (not impossible!!) or IPFW is busted.

> inet 202.53.40.210 netmask 0xfffffff8 broadcast 202.53.40.215

> 15800 0 0 allow tcp from any to 203.53.40.210 via fxp0 setup

I was very, very confused. Eric Cholet pointed out that the IP addresses
were different. You have no idea how many times I checked that...... it's
all working now.

   /\
  /  \
  ----
Greg, wearing dunce's cap.


From: Gregory Bond <gnb@itga.com.au>
Date: Fri, 03 Dec 1999 13:59:57 +1100
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: NATD and IP Aliases
Message-Id: <199912030259.NAA19013@lightning.itga.com.au>
In-reply-to: Your message of Wed, 24 Nov 1999 12:19:56 +1100.

I wrote:
> If we are running natd on our external ethernet interface, and that ether
> interface has 2 IP addresses bound to it (on two different Class C nets),
> which IP will natd use for the outgoing packet?
>
> For packets originated on the server, the system is (I think!) clever enough
> to use as the local-address the IP that is on the same network as the
> first-hop gateway for that packet.
>
> Is natd clever enough to do the same thing?

Answer (from experiment): No. It will use the first IP on the named
interface and brand all packets with that IP. But the output packet will go
via the appropriate gateway.

If the two class Cs were on different interfaces, then presumably I could
make this work by running two NATDs on two divert ports and having two
divert rules. I might investigate this for the meantime....

Greg.