From owner-freebsd-ipfw Sun Dec 5 9:43: 6 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from nemezis.ipan.lublin.pl (nemezis.ipan.lublin.pl [212.182.61.154]) by hub.freebsd.org (Postfix) with ESMTP id 3ACDB15399 for ; Sun, 5 Dec 1999 09:42:57 -0800 (PST) (envelope-from jumbo@nemezis.ipan.lublin.pl)
Received: by nemezis.ipan.lublin.pl (Postfix, from userid 1066) id 93F0E1F1A6; Sun, 5 Dec 1999 19:39:12 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1]) by nemezis.ipan.lublin.pl (Postfix) with ESMTP for id 40F6B1B229; Sun, 5 Dec 1999 19:39:12 +0000 (GMT)
Date: Sun, 5 Dec 1999 19:39:12 +0000 (GMT)
From: Jacek Debowczyk
To: freebsd-ipfw@freebsd.org
Subject: ipfw fwd | natd ?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi !

I've 2 computers, which have addresses e.g. 200.200.200.10 and 200.200.200.11. I want all connections to 200.200.200.10 port 1000 to be redirected to 200.200.200.11 port 2000. Both servers have one network card each. 200.200.200.10 is FreeBSD. Can I do this using ipfw fwd or ipfw divert with natd, and how? Can I redirect all connections to 200.200.200.10 to 200.200.200.11?

Regards,
jack.
From owner-freebsd-ipfw Sun Dec 5 17:14:22 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from web3005.mail.yahoo.com (web3005.mail.yahoo.com [204.71.202.168]) by hub.freebsd.org (Postfix) with SMTP id 147CB14EB5 for ; Sun, 5 Dec 1999 17:14:10 -0800 (PST) (envelope-from galluccib@yahoo.ie)
Received: (qmail 10982 invoked by uid 60001); 6 Dec 1999 01:14:09 -0000
Message-ID: <19991206011409.10981.qmail@web3005.mail.yahoo.com>
Received: from [216.174.90.43] by web3005.mail.yahoo.com; Sun, 05 Dec 1999 17:14:09 PST
Date: Sun, 5 Dec 1999 17:14:09 -0800 (PST)
From: Brian Gallucci
Subject: IPFW established
To: freebsd-ipfw@freebsd.org
Cc: freebsd-isp@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I just have one question about the established command in rc.firewall. I have heard that if we add:

    $fwcmd add pass tcp from any to any established
    $fwcmd add pass tcp from any to any 20 setup
    $fwcmd add pass tcp from any to any 21 setup
    $fwcmd add pass tcp from any to any 80 setup

vs

    $fwcmd add pass tcp from any 20 to any
    $fwcmd add pass tcp from any to any 20
    $fwcmd add pass tcp from any 21 to any
    $fwcmd add pass tcp from any to any 21

using the established command will give us better performance on the firewall. Is this correct? Can you email me back at briang@expnet.net because I'm not on the mailing list.

Thanks
Brian Gallucci
Sr. Network Engineer
Network Operations Center
Express Networks, Inc.
briang@expnet.net
From owner-freebsd-ipfw Sun Dec 5 21:43:13 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from azazel.zer0.org (azazel.zer0.org [209.133.53.200]) by hub.freebsd.org (Postfix) with ESMTP id 310DC14BC2 for ; Sun, 5 Dec 1999 21:43:11 -0800 (PST) (envelope-from gsutter@azazel.zer0.org)
Received: (from gsutter@localhost) by azazel.zer0.org (8.9.3/8.9.2) id VAA41599; Sun, 5 Dec 1999 21:41:52 -0800 (PST) (envelope-from gsutter)
Date: Sun, 5 Dec 1999 21:41:52 -0800
From: Gregory Sutter
To: Brian Gallucci
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW established
Message-ID: <19991205214151.Y94590@azazel.zer0.org>
References: <19991206011409.10981.qmail@web3005.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <19991206011409.10981.qmail@web3005.mail.yahoo.com>
Organization: Zer0
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Dec 05, 1999 at 05:14:09PM -0800, Brian Gallucci wrote:
> I just have one question about the established command
> in rc.firewall.
>
> I have heard that if we add ->
> $fwcmd add pass tcp from any to any established
> $fwcmd add pass tcp from any to any 20 setup
> $fwcmd add pass tcp from any to any 21 setup
> $fwcmd add pass tcp from any to any 80 setup
> vs
> $fwcmd add pass tcp from any 20 to any
> $fwcmd add pass tcp from any to any 20
> $fwcmd add pass tcp from any 21 to any
> $fwcmd add pass tcp from any to any 21
>
> Using the established command will give us better
> performance on the firewall, is this correct ?

Using the 'established' keyword in this way will stop processing of the firewall rules at that rule, thus saving however many ns it takes to process the remaining rules in ipfw. Unless there are many rules, the savings are pretty negligible.

Using the first set of rules instead of the second also closes a MAJOR hole. With the second set of rules in place, a person could make a connection from port 20 on their machine (which they control) to _any_ port on a machine behind the firewall. You _cannot_ use source port filtering as a means of access control, since the controller of the source host can use any port that they choose.

Regards,
Greg
--
Gregory S. Sutter                   Failing sardine factory cans employees!
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052

From owner-freebsd-ipfw Wed Dec 8 7:41:45 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail.rdc1.tn.home.com (ha1.rdc1.tn.home.com [24.2.7.66]) by hub.freebsd.org (Postfix) with ESMTP id 9189D14FC7 for ; Wed, 8 Dec 1999 07:41:36 -0800 (PST) (envelope-from williamsl@Home.Com)
Received: from RELIABLE ([24.4.115.31]) by mail.rdc1.tn.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <19991208154134.RFEK7535.mail.rdc1.tn.home.com@RELIABLE> for ; Wed, 8 Dec 1999 07:41:34 -0800
Date: Wed, 8 Dec 1999 10:39:36 -0500
From: Ben WIlliams
X-Mailer: The Bat! (v1.34a) UNREG / CD5BF9353B3B7091
Reply-To: Ben WIlliams
X-Priority: 3 (Normal)
Message-ID: <10444.991208@Home.Com>
To: freebsd-ipfw@FreeBSD.ORG
Subject: divert rules
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

freebsd-ipfw,

Wednesday, December 08, 1999

Hi all! I have a question about some observed behaviour of ipfw and I'd like to ask you all if it's right, proper, expected, etc. and why, since the man page seems to indicate otherwise.

According to the ipfw man page:

    "... divert port
             Divert packets that match this rule to the divert(4) socket
             bound to port port. The search terminates.
     ...
     If a packet matches more than one divert and/or tee rule, all but
     the last are ignored. ..."

However, when playing with divert rules on my natd box, whenever I had more than one divert rule -each- rule would be triggered. The effect this had was to have multiple replies sent to any request the inside boxes made. Is this the expected behaviour? (Doesn't seem that way to me...) The divert rules were all together, if that has anything to do with it.

--
Ben
mailto:williamsl@Home.Com

From owner-freebsd-ipfw Wed Dec 8 9:17: 0 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 826F9155A8 for ; Wed, 8 Dec 1999 09:16:29 -0800 (PST) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id KAA42900; Wed, 8 Dec 1999 10:16:16 -0700 (MST)
Date: Wed, 8 Dec 1999 10:16:16 -0700 (MST)
From: Nick Rogness
To: Ben WIlliams
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: divert rules
In-Reply-To: <10444.991208@Home.Com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 8 Dec 1999, Ben WIlliams wrote:

[snip]
> However when playing with divert rules on my natd box whenever I had
> more than one divert rule -each- rule would be triggered. The effect
> this had was to have multiple replies sent to any request the inside
> boxes made. Is this the expected behaviour? (Doesn't seem that way to
> me...) The divert rules were all together if that has anything to do
> with it.

What do your firewall rules look like?

********************************************************
Nick Rogness                     File not found...
System Administrator             Should I fake it (Y/N)?
RapidNet, INC
********************************************************

From owner-freebsd-ipfw Wed Dec 8 12:43:13 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (Postfix) with ESMTP id 9E33615227 for ; Wed, 8 Dec 1999 12:43:09 -0800 (PST) (envelope-from julian@whistle.com)
Received: from current1.whiste.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id MAA61731; Wed, 8 Dec 1999 12:43:02 -0800 (PST)
Date: Wed, 8 Dec 1999 12:43:01 -0800 (PST)
From: Julian Elischer
To: Nick Rogness
Cc: Ben WIlliams, freebsd-ipfw@FreeBSD.ORG
Subject: Re: divert rules
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 8 Dec 1999, Nick Rogness wrote:
> On Wed, 8 Dec 1999, Ben WIlliams wrote:
>
> [snip]
> > However when playing with divert rules on my natd box whenever I had
> > more than one divert rule -each- rule would be triggered. The effect
> > this had was to have multiple replies sent to any request the inside
> > boxes made. Is this the expected behaviour? (Doesn't seem that way to
> > me...) The divert rules were all together if that has anything to do
> > with it.

You are confusing the behaviour of a single run through the ipfw code with the result of combining NATD and ipfw.

The first run will finish when the packet is diverted. NATD then changes the packet and re-injects it back into the firewall at the rule number following that which diverted it. If it then hits another divert rule, that will be taken as well. It is possible to make the rules NOT do this in 2 ways. NATD could be altered to inject the packet somewhere else in the ruleset, or you could add 2 rules to each divert rule..

    1000 divert ip from blah blah
    1000 skipto 2000                 <-------- packets not diverted will skip to 2000
    1001 accept ip from any to any   <------ reinjected packets come here.

julian

From owner-freebsd-ipfw Wed Dec 8 20:11: 6 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail.rdc1.tn.home.com (ha1.rdc1.tn.home.com [24.2.7.66]) by hub.freebsd.org (Postfix) with ESMTP id 93C7114C04 for ; Wed, 8 Dec 1999 20:10:52 -0800 (PST) (envelope-from williamsl@Home.Com)
Received: from RELIABLE ([24.4.115.31]) by mail.rdc1.tn.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <19991209041048.DTMA7535.mail.rdc1.tn.home.com@RELIABLE>; Wed, 8 Dec 1999 20:10:48 -0800
Date: Wed, 8 Dec 1999 23:08:49 -0500
From: Ben WIlliams
X-Mailer: The Bat! (v1.34a) UNREG / CD5BF9353B3B7091
Reply-To: Ben WIlliams
X-Priority: 3 (Normal)
Message-ID: <11964.991208@Home.Com>
To: Julian Elischer
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re[2]: divert rules
In-reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Wednesday, December 08, 1999

Thank you Julian. So from what I'm reading here, all incoming packets got diverted, then natd, then reinjected right behind the divert rule they just went through to hit the next divert rule in the sequence, and this behaviour continued until it ran out of divert rules, yes?

Here are my ipfw rules as they stand now. Everything but IRC from an inside box and ICQ (direct connections) seems to work right now. pn1 is my outside (public) interface with the IP address 123.123.123.123 (which is fake .. this server will be moving shortly)

    delta:~# ipfw l
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 192.168.1.0/24 to any in recv pn1
    00400 deny ip from 123.123.123.0/24 to any in recv pn0
    00600 deny ip from any to 192.168.0.0/16 via pn1
    00700 deny ip from 172.16.0.0/12 to any via pn1
    00800 deny ip from any to 172.16.0.0/12 via pn1
    00900 deny ip from 10.0.0.0/8 to any via pn1
    01000 deny ip from any to 10.0.0.0/8 via pn1
    # This (1040) is the divert rule I was playing with and your
    # explanation makes sense now that I look at it ..
    01040 divert 8668 log ip from any to any
    01100 allow tcp from any to any established
    01200 allow tcp from any to 123.123.123.123 25 setup
    01300 allow tcp from any to 123.123.123.123 2500 setup
    01400 allow tcp from any to 123.123.123.123 53 setup
    # I see entries in my logs indicating that this host is (continually)
    # trying to connect to my identd server so I'm dropping ident requests
    # from here. 'bad.ip.address' is not an IRC server and I don't know what
    # else uses ident (?)
    01425 deny tcp from bad.ip.address to 123.123.123.123 113
    01425 deny udp from bad.ip.address to 123.123.123.123 113
    01450 allow log tcp from any to 123.123.123.123 113 setup
    01500 allow tcp from any to 123.123.123.123 80 setup
    01600 allow tcp from any to 123.123.123.123 8000 setup
    01700 allow tcp from any to 123.123.123.123 8080 setup
    01800 allow tcp from any to 123.123.123.123 8888 setup
    01900 deny log tcp from any to any in recv pn1 setup
    02000 allow tcp from any to any setup
    02100 allow udp from any 53 to 123.123.123.123
    02200 allow udp from 123.123.123.123 to any 53
    02300 allow udp from any 123 to 123.123.123.123
    02400 allow udp from 123.123.123.123 to any 123
    65500 allow log ip from any to any
    65535 allow ip from any to any
    22:59:39 root
    delta:~#

--
Ben
mailto:williamsl@Home.Com

From owner-freebsd-ipfw Wed Dec 8 20:23: 3 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (Postfix) with ESMTP id 340E515322 for ; Wed, 8 Dec 1999 20:22:52 -0800 (PST) (envelope-from julian@whistle.com)
Received: from current1.whiste.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id UAA74884; Wed, 8 Dec 1999 20:22:43 -0800 (PST)
Date: Wed, 8 Dec 1999 20:22:42 -0800 (PST)
From: Julian Elischer
To: Ben WIlliams
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Re[2]: divert rules
In-Reply-To: <11964.991208@Home.Com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 8 Dec 1999, Ben WIlliams wrote:
> Wednesday, December 08, 1999
> Thank you Julian. So from what I'm reading here all incoming
> packets got diverted, then natd, then reinjected right behind the
> divert rule they just went through to hit the next divert rule in the
> sequence and this behaviour continued until it ran out of divert
> rules, yes?

Yes, until the packet is either rejected or accepted.

The process that opens a divert socket can specify what rule to re-inject at. The received packet comes with info as to what rule caused the diversion. If that info is fed straight back, then the filtering begins at that rule number, PLUS ONE. The info comes in in the sockaddr in a recvfrom(2) and is sent in the sockaddr in a sendto(2) (in the 'port' field).

I notice you only have one divert rule.. where did it hit a second divert?
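The two mechanisms discussed in this thread, first-match evaluation with re-injection after a divert (Julian's explanation, including the same-numbered skipto trick) and the difference between source-port rules and setup/established rules (Greg's point), as an added example that is not code from the list or from FreeBSD: a small Python model of ipfw rule evaluation. The rulesets, the addresses and the natd stand-in are constructed for illustration; rule numbers 1040 and 1045 are the ones Ben mentions. The model keeps to what the thread states: rules are tried in ascending number order and the first match decides, a diverted packet re-enters at the diverting rule number plus one, 'setup' means SYN without ACK, and 'established' means ACK or RST set. That last point is worth noticing: 'established' in this ipfw is a flag check, not connection tracking, so the final check below shows that a bare ACK aimed at an arbitrary port still passes the established rule.

```python
"""Toy first-match model of ipfw rule evaluation with natd-style divert/re-injection.

Added example for this thread; not code from the list or from FreeBSD. It
models only what the thread describes: ascending first-match evaluation,
'setup'/'established' as TCP flag checks, and a 'divert' rule that hands the
packet to a NAT callback which re-injects it at the diverting rule number
plus one. Addresses, rulesets and the natd stand-in are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} for a connection setup

@dataclass
class Rule:
    num: int
    action: str                     # "allow" | "deny" | "divert" | "skipto"
    proto: str = "ip"               # "ip" matches any protocol
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False             # SYN set and ACK clear: a new connection
    established: bool = False       # ACK or RST set: a flag check only, no state kept
    target: int = 0                 # divert port, or skipto destination rule number

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src) and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport)
                and (not self.setup or ("SYN" in p.flags and "ACK" not in p.flags))
                and (not self.established or bool(p.flags & {"ACK", "RST"})))

def evaluate(rules: List[Rule], pkt: Packet, nat=None, start: int = 0,
             trace: Optional[List[Tuple[int, str]]] = None):
    """Return (verdict, trace); trace lists (number, action) of every rule that fired."""
    trace = [] if trace is None else trace
    rules = sorted(rules, key=lambda r: r.num)   # stable: equal numbers keep their order
    i = 0
    while i < len(rules):
        r = rules[i]
        if r.num < start or not r.matches(pkt):
            i += 1
            continue
        trace.append((r.num, r.action))
        if r.action in ("allow", "deny"):
            return r.action, trace
        if r.action == "skipto":
            i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
            continue
        if r.action == "divert":
            if nat is None:
                return "deny", trace              # nothing listening on the divert socket
            pkt = nat(pkt)
            # natd feeds the diverting rule number straight back, so filtering
            # resumes at that rule number PLUS ONE and can hit a later divert again
            return evaluate(rules, pkt, nat, start=r.num + 1, trace=trace)
        raise ValueError(r.action)
    return "deny", trace                          # default rule: deny everything

PUBLIC = "123.123.123.123"   # the (fake) public address used in the thread

def natd(p: Packet) -> Packet:
    """Stand-in for natd: rewrite an inside source address to the public one."""
    if p.src.startswith("192.168.1."):
        return Packet(p.proto, PUBLIC, p.sport, p.dst, p.dport, p.flags)
    return p

# Two divert rules in a row, as in the thread: the re-injected packet hits the second too.
DOUBLE_DIVERT = [Rule(1040, "divert", target=8668), Rule(1045, "divert", target=8668),
                 Rule(2000, "allow")]
# Julian's fix: a same-numbered skipto for packets the divert did not take,
# and an accept right after it for the packets natd re-injects.
FIXED_DIVERT = [Rule(1000, "divert", target=8668, src="192.168.1.5"),  # divert ip from blah blah
                Rule(1000, "skipto", target=2000),                      # not diverted: skip to 2000
                Rule(1001, "allow"),                                    # re-injected packets land here
                Rule(2000, "allow")]
# Greg's point: setup/established rules versus rules keyed on the source port.
ESTABLISHED_SET = [Rule(100, "allow", proto="tcp", established=True),
                   Rule(200, "allow", proto="tcp", dport=20, setup=True),
                   Rule(300, "allow", proto="tcp", dport=21, setup=True),
                   Rule(400, "allow", proto="tcp", dport=80, setup=True)]
SOURCE_PORT_SET = [Rule(100, "allow", proto="tcp", sport=20), Rule(200, "allow", proto="tcp", dport=20),
                   Rule(300, "allow", proto="tcp", sport=21), Rule(400, "allow", proto="tcp", dport=21)]

def divert_count(rules: List[Rule]) -> int:
    """How many times one outbound packet from an inside host gets diverted (NATed)."""
    inside = Packet("tcp", "192.168.1.5", 40000, "198.51.100.9", 80, frozenset({"SYN"}))
    _, trace = evaluate(rules, inside, nat=natd)
    return sum(1 for _, action in trace if action == "divert")

def attacker_verdict(rules: List[Rule], flags) -> str:
    """An outside host picks source port 20 and aims at an arbitrary port behind the firewall."""
    pkt = Packet("tcp", "203.0.113.7", 20, PUBLIC, 5555, frozenset(flags))
    return evaluate(rules, pkt)[0]

if __name__ == "__main__":
    print("two divert rules, diverts per packet:", divert_count(DOUBLE_DIVERT))    # 2
    print("with the skipto fix, diverts per packet:", divert_count(FIXED_DIVERT))   # 1
    print("SYN from sport 20 to 5555, source-port rules:", attacker_verdict(SOURCE_PORT_SET, {"SYN"}))
    print("SYN from sport 20 to 5555, setup/established:", attacker_verdict(ESTABLISHED_SET, {"SYN"}))
    print("bare ACK to 5555, setup/established:", attacker_verdict(ESTABLISHED_SET, {"ACK"}))
```

Running it shows the packet being NATed twice under the two-divert ruleset and once under the skipto arrangement, the source-port ruleset allowing a SYN from port 20 to port 5555 while the setup/established ruleset denies it, and a bare ACK to port 5555 passing the established rule, which is the limit of what a flag check can do.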
From owner-freebsd-ipfw Wed Dec 8 20:45:33 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 8021114ED0 for ; Wed, 8 Dec 1999 20:45:17 -0800 (PST) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id VAA52340; Wed, 8 Dec 1999 21:45:04 -0700 (MST)
Date: Wed, 8 Dec 1999 21:45:03 -0700 (MST)
From: Nick Rogness
To: Ben WIlliams
Cc: Julian Elischer, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Re[2]: divert rules
In-Reply-To: <11964.991208@Home.Com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 8 Dec 1999, Ben WIlliams wrote:

[snip]
> # I see entries in my logs indicating that this host is (continually)
> # trying to connect to my identd server so I'm dropping ident requests
> # from here. 'bad.ip.address' is not an IRC server and I don't know what
> # else uses ident (?)

sendmail uses ident.

********************************************************
Nick Rogness                     File not found...
System Administrator             Should I fake it (Y/N)?
RapidNet, INC
********************************************************

From owner-freebsd-ipfw Wed Dec 8 20:58: 4 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id C499D152CF for ; Wed, 8 Dec 1999 20:57:46 -0800 (PST) (envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id PAA18611 for ; Thu, 9 Dec 1999 15:54:13 +1100 (EST)
Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id PAA23744; Thu, 9 Dec 1999 15:56:47 +1100 (EST)
Message-Id: <199912090456.PAA23744@tungsten.austclear.com.au>
X-Mailer: exmh version 2.0.1 12/23/97
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Re[2]: divert rules
In-Reply-To: Your message of "Wed, 08 Dec 1999 21:45:03 PDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 09 Dec 1999 15:56:47 +1100
From: Tony Landells
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> sendmail uses ident.

Assuming you haven't set Timeout.ident to 0, which I always do because

1. hardly anyone runs an ident daemon
2. it's way too easy to lie to anyway

But that's just my opinion.

Tony

From owner-freebsd-ipfw Wed Dec 8 22: 4:45 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail.rdc1.tn.home.com (ha1.rdc1.tn.home.com [24.2.7.66]) by hub.freebsd.org (Postfix) with ESMTP id 6E2A7155BF for ; Wed, 8 Dec 1999 22:04:41 -0800 (PST) (envelope-from williamsl@Home.Com)
Received: from RELIABLE ([24.4.115.31]) by mail.rdc1.tn.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <19991209060440.FTQO7535.mail.rdc1.tn.home.com@RELIABLE>; Wed, 8 Dec 1999 22:04:40 -0800
Date: Thu, 9 Dec 1999 01:02:42 -0500
From: Ben WIlliams
X-Mailer: The Bat! (v1.34a) UNREG / CD5BF9353B3B7091
Reply-To: Ben WIlliams
X-Priority: 3 (Normal)
Message-ID: <743.991209@Home.Com>
To: Julian Elischer
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re[4]: divert rules
In-reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thursday, December 09, 1999

Thank you for that explanation Julian. The rest of the divert rules are missing now because I had to take them out or I wouldn't be able to access the net (as I found out the hard way). I was playing with variations of the divert line that's in there. I tried `ipfw add 1045 divert natd from any to any in recv pn1` as a possible alternative to just "any to any" ... though when looking at that rule now I wonder why I was trying to do that, since it doesn't add any security (that I can see) to my natd server not being hijacked from the outside.... Must read more about network security and routing...

--
Ben
mailto:williamsl@Home.Com

From owner-freebsd-ipfw Wed Dec 8 22:13:19 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail.rdc1.tn.home.com (ha1.rdc1.tn.home.com [24.2.7.66]) by hub.freebsd.org (Postfix) with ESMTP id 3D5B5155EB for ; Wed, 8 Dec 1999 22:13:17 -0800 (PST) (envelope-from williamsl@Home.Com)
Received: from RELIABLE ([24.4.115.31]) by mail.rdc1.tn.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <19991209061316.FWYY7535.mail.rdc1.tn.home.com@RELIABLE>; Wed, 8 Dec 1999 22:13:16 -0800
Date: Thu, 9 Dec 1999 01:11:19 -0500
From: Ben WIlliams
X-Mailer: The Bat! (v1.34a) UNREG / CD5BF9353B3B7091
Reply-To: Ben WIlliams
X-Priority: 3 (Normal)
Message-ID: <949.991209@Home.Com>
To: Nick Rogness
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re[4]: divert rules
In-reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thursday, December 09, 1999

Thank you for that little bit of information. What does sendmail do with ident replies? "bad.ip.address" is being used for a mailserver by a different person on the internal LAN and I've never seen their mail client complain when connecting to that server.

Wednesday, December 08, 1999, 11:45:03 PM, you wrote:

NR> sendmail uses ident.

--
Ben
mailto:williamsl@Home.Com

From owner-freebsd-ipfw Wed Dec 8 22:56: 1 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id F1DE315337 for ; Wed, 8 Dec 1999 22:55:56 -0800 (PST) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id XAA75531; Wed, 8 Dec 1999 23:55:54 -0700 (MST)
Date: Wed, 8 Dec 1999 23:55:54 -0700 (MST)
From: Nick Rogness
To: Ben WIlliams
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Re[4]: divert rules
In-Reply-To: <949.991209@Home.Com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 9 Dec 1999, Ben WIlliams wrote:
>
> Thank you for that little bit of information. What does sendmail do
> with ident replies? "bad.ip.address" is being used for a mailserver by
> a different person on the internal LAN and I've never seen their mail
> client complain when connecting to that server.

I believe it is used by sendmail to determine the remote identity of the connecting server. Yes, sendmail will work even with it turned off. At one time sendmail did say that it sped up connection times when running ident on older versions. How it is implemented in 8.9.3... I don't know. The ident timeout value in sendmail 8.9.3 (default) is set to 30 seconds: http://www.sendmail.org/m4/tweakingoptions.html

********************************************************
Nick Rogness                     File not found...
System Administrator             Should I fake it (Y/N)?
RapidNet, INC
********************************************************

From owner-freebsd-ipfw Thu Dec 9 11:28:48 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from hotmail.com (f28.law4.hotmail.com [216.33.149.28]) by hub.freebsd.org (Postfix) with SMTP id 0161B14C04 for ; Thu, 9 Dec 1999 11:28:46 -0800 (PST) (envelope-from binkieboi@hotmail.com)
Received: (qmail 55514 invoked by uid 0); 9 Dec 1999 19:28:45 -0000
Message-ID: <19991209192845.55513.qmail@hotmail.com>
Received: from 12.10.140.2 by www.hotmail.com with HTTP; Thu, 09 Dec 1999 11:28:45 PST
X-Originating-IP: [12.10.140.2]
From: "Adidas Boy"
To: freebsd-ipfw@FreeBSD.ORG
Subject: Firewall using FreeBSD 3.3
Date: Thu, 09 Dec 1999 12:28:45 MST
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dear FreeBSD IPFW,

I have a FreeBSD 3.3 box that I have installed and I'm trying to get a
rather secure firewall up to help protect against basic attacks on our
system. I have done some research and have installed tcpd to only allow
certain hosts, and disabled services that I don't need to use.

What I want to happen is I'm going to have the firewall, which has 2
ethernet cards, one configured for the real internet of 205.1.1.x and then
the fake network of 10.0.0.x. I am going to put several web servers and
e-mail servers behind the firewall and then I'm hoping that I can have all
the traffic route through the firewall to help prevent direct attacks on
the servers behind the firewall.

I'm assuming I could somehow use natd and set some kind of static table
that would be as follows:

real inet ip      fake ip behind firewall
205.1.1.1      -> 10.0.0.1
205.1.1.2      -> 10.0.0.2

How would I configure natd to do this static routing? 205.1.1.1 and
205.1.1.2 would all be answered by the firewall.
Then I would assume I would have to use ipfw to make the firewall tighter
by only allowing certain connections on certain ports to certain machines.
So say for instance on machine 205.1.1.2, which was also 10.0.0.2, I wanted
users to only be able to connect to port 80; what should my ipfw
configuration look like? Then I would need to have, like, 205.1.1.3 only
have ports 25 and 110 available?

Any help would be greatly appreciated. I need your help please! Please
e-mail directly back to me.

brian

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
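One way to build what brian asks for, as an added example and not code from anyone in the thread: a small rc.firewall-style sh script for FreeBSD 3.x that writes the natd static mappings and loads the ipfw rules. It also folds in the point from the "divert rules" exchange above about ident: port 113 aimed at the mail server is answered with a TCP reset instead of being dropped silently, so a remote sendmail fails its ident lookup at once instead of waiting out its ident timeout on every message the mail server sends. The interface names (fxp0 outside, fxp1 inside), the mail server pair 205.1.1.3/10.0.0.3, the rule numbers, and a kernel built with IPFIREWALL and IPDIVERT are assumptions, not something the posts state.

```shell
#!/bin/sh
# Added example for the freebsd-ipfw thread; not code from the posts.
# Assumed (hypothetical) layout: fxp0 = outside (205.1.1.0/24),
# fxp1 = inside (10.0.0.0/24); kernel with IPFIREWALL and IPDIVERT;
# gateway_enable="YES" in rc.conf. Static 1:1 mappings:
#   205.1.1.2 <-> 10.0.0.2   web server, port 80 only
#   205.1.1.3 <-> 10.0.0.3   mail server, ports 25 and 110 only
# Usage:  sh fw.sh --dry-run   (print natd.conf and the ipfw commands)
#         sh fw.sh --apply     (as root: write natd.conf, load the rules)

ext_if=${EXT_IF:-fxp0}
int_if=${INT_IF:-fxp1}

# natd(8) config for "natd -f /etc/natd.conf". redirect_address binds a
# private host to a public address in both directions (static NAT). The
# firewall has to answer ARP for the public addresses, so each one is also
# an alias on the outside interface, e.g.
#   ifconfig fxp0 alias 205.1.1.2 netmask 255.255.255.255
natd_conf() {
    cat <<EOF
interface $ext_if
redirect_address 10.0.0.2 205.1.1.2
redirect_address 10.0.0.3 205.1.1.3
EOF
}

# Emit the ipfw rules, prefixing each with $1: "ipfw_rules echo" shows the
# ruleset, "ipfw_rules /sbin/ipfw" loads it. Policy is enforced on the
# outside interface; the inside leg is trusted, as rc.firewall's "simple"
# setup does. ipfw in 3.x has no keep-state, so the setup/established
# split is used instead.
ipfw_rules() {
    fw=${1:-/sbin/ipfw}
    $fw -f flush
    # loopback, and nothing pretending to be loopback
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 deny ip from any to 127.0.0.0/8
    # inside leg: everything, both directions (policy is applied on $ext_if)
    $fw add 120 allow ip from any to any via $int_if
    # anti-spoofing: private source addresses never arrive from outside
    $fw add 200 deny log ip from 10.0.0.0/8 to any in via $ext_if
    $fw add 210 deny log ip from 172.16.0.0/12 to any in via $ext_if
    $fw add 220 deny log ip from 192.168.0.0/16 to any in via $ext_if
    # ident lookups at the mail server: answer with a RST rather than drop.
    # Placed before the divert rule so the RST carries the public address
    # and does not depend on natd translating it on the way back out.
    $fw add 250 reset tcp from any to 205.1.1.3 113 in via $ext_if
    # everything crossing the outside interface goes through natd; the
    # packet re-enters the ruleset at the next rule, already translated
    $fw add 300 divert natd ip from any to any via $ext_if
    # packets of established TCP connections (ACK or RST set)
    $fw add 400 allow tcp from any to any established
    # inbound services, matched on the private address natd wrote in
    $fw add 500 allow tcp from any to 10.0.0.2 80 setup in via $ext_if
    $fw add 510 allow tcp from any to 10.0.0.3 25 setup in via $ext_if
    $fw add 520 allow tcp from any to 10.0.0.3 110 setup in via $ext_if
    # inside hosts may open connections outward (source already rewritten)
    $fw add 600 allow tcp from any to any setup out via $ext_if
    # DNS; rule 620 trusts source port 53, the best 3.x ipfw can do without
    # keep-state, so point inside resolvers at a known server
    $fw add 610 allow udp from any to any 53 out via $ext_if
    $fw add 620 allow udp from any 53 to any in via $ext_if
    # ICMP the stack needs: echo reply, unreachable (PMTU), time exceeded
    $fw add 700 allow icmp from any to any icmptypes 0,3,11 in via $ext_if
    # nothing else, and log what was refused
    $fw add 65000 deny log ip from any to any
}

case "${1:-}" in
    --dry-run) natd_conf; ipfw_rules echo ;;
    --apply)   natd_conf > /etc/natd.conf; ipfw_rules /sbin/ipfw ;;
esac
```

Run it with `--dry-run` first and read the rules in order as a packet would hit them: an inbound SYN to 205.1.1.2 is diverted at 300, comes back with destination 10.0.0.2, is accepted at 500 on port 80 only, and anything to another port on that host falls through to 65000. The firewall's own address is not opened by these rules at all; add a rule for the management protocol you use before relying on it remotely.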
