From owner-freebsd-ipfw Sun May 28 21:09:11 2000
From: "Mark W. Krentel" <krentel@dreamscape.com>
Date: Mon, 29 May 2000 00:07:29 -0400 (EDT)
To: freebsd-ipfw@FreeBSD.ORG
Cc: archie@whistle.com
Subject: Re: rc.firewall rule 200
Message-Id: <200005290407.AAA20103@dreamscape.com>

Last week, I asked about some of the rc.firewall rules.  I've looked
at them in more detail and I have a few more comments.  I apologize in
advance if I'm being dense about this.

(1) My conclusion is that rule 200 doesn't really add anything for
security.

    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8

Now, I realize that anything matching rule 200 cannot possibly be
legitimate, and that's reason enough to deny it.  But the claim was
that someone on the same network could circumvent the firewall by
using the machine's 127.0.0.1 address, as in the following attack.

    ifconfig lo0 down delete
    route add 127.0.0.0
    telnet 127.0.0.1

I don't see where this attack accomplishes anything.  An outside
packet destined for 127.0.0.1 must first enter on an interface other
than loopback.  At that point it's confronted with the same rules
whether it's destined for 127.0.0.1 or the machine's legit address.
The point is that a hacker can just as easily use the machine's legit
address and face the same set of rules.

(2) The UDP rules (client and simple types) seem a little loose to me.

    ${fwcmd} add pass udp from any 53 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 53
    ${fwcmd} add pass udp from any 123 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 123

These rules allow access by anyone to all UDP ports (NFS, syslog, etc)
if the attack is made from port 53 or 123.  I would suggest adding
source address to the rules.  Assuming you don't want to add another
parameter for DNS server address (like net, mask and ip), you could
put a note in a comment.

    # Allow DNS queries out in the world
    # Can strengthen these rules by replacing "any" with the
    # IP address of your DNS server.
    ${fwcmd} add pass udp from any 53 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 53

(3) And I'll make one more pitch for blocking spoofs of localhost with
the following rule.

    ${fwcmd} add 400 deny all from 127.0.0.0/8 to any

The firewall type "simple" blocks spoofing of the inside network
addresses (as it certainly should).  I just don't see where spoofing
localhost is any less dangerous.

Just my $0.02.

--Mark

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon May 29 06:36:40 2000
From: "George M. Ellenburg" <lnbrg@atl.mediaone.net>
Date: Mon, 29 May 2000 13:34:25 +0000
To: freebsd-ipfw@freebsd.org
Subject: IPFW Web Resources
Message-ID: <393271E0.CCB12B68@atl.mediaone.net>

Can anyone recommend some decent online resources for ipfw?

I'm having a little difficulty getting port-redirection to work.

    ipfw add fwd 24.88.37.x,23 tcp from any to 192.168.0.2 23 via fxp1

Where fxp1 is my internal interface.

Natd is running.

From owner-freebsd-ipfw Mon May 29 07:53:39 2000
From: "Crist J. Clark"
Reply-To: cjclark@home.com
Date: Mon, 29 May 2000 10:53:34 -0400
To: "George M. Ellenburg" <lnbrg@atl.mediaone.net>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW Web Resources
Message-ID: <20000529105333.A58958@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <393271E0.CCB12B68@atl.mediaone.net>

On Mon, May 29, 2000 at 01:34:25PM +0000, George M. Ellenburg wrote:
> Can anyone recommend some decent online resources for ipfw?
>
> I'm having a little difficulty getting port-redirection to work.
>
> ipfw add fwd 24.88.37.x,23 tcp from any to 192.168.0.2 23 via fxp1

This is not going to work how you want. Remember: ipfw(8) does not
change the content of packets.

> Where fxp1 is my internal interface.
>
> Natd is running.

Good, because you should be using natd(8) to do this. See
'redirect_port' on the natd manpage.
-- 
Crist J. Clark                           cjclark@home.com

From owner-freebsd-ipfw Mon May 29 08:17:01 2000
From: "George M. Ellenburg" <lnbrg@atl.mediaone.net>
Date: Mon, 29 May 2000 15:14:42 +0000
To: cjclark@home.com
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW Web Resources
Message-ID: <39328962.36D5C769@atl.mediaone.net>

"Crist J. Clark" wrote:

> On Mon, May 29, 2000 at 01:34:25PM +0000, George M. Ellenburg wrote:
> > ipfw add fwd 24.88.37.x,23 tcp from any to 192.168.0.2 23 via fxp1
>
> This is not going to work how you want. Remember: ipfw(8) does not
> change the content of packets.

What exactly is the 'fwd' argument used for with ipfw, then?

> > Natd is running.
>
> Good, because you should be using natd(8) to do this. See
> 'redirect_port' on the natd manpage.

Looking into that, now.
Thanks for the suggestion!

From owner-freebsd-ipfw Mon May 29 09:35:57 2000
From: "Crist J. Clark"
Reply-To: cjclark@home.com
Date: Mon, 29 May 2000 12:35:44 -0400
To: "George M. Ellenburg" <lnbrg@atl.mediaone.net>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW Web Resources
Message-ID: <20000529123544.E58958@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <39328962.36D5C769@atl.mediaone.net>

On Mon, May 29, 2000 at 03:14:42PM +0000, George M. Ellenburg wrote:
> "Crist J. Clark" wrote:
>
> > On Mon, May 29, 2000 at 01:34:25PM +0000, George M. Ellenburg wrote:
> > > ipfw add fwd 24.88.37.x,23 tcp from any to 192.168.0.2 23 via fxp1
> >
> > This is not going to work how you want. Remember: ipfw(8) does not
> > change the content of packets.
>
> What exactly is the 'fwd' argument used for with ipfw, then?

$ man ipfw
  .
  .
  .
     fwd ipaddr[,port]
             Change the next-hop on matching packets to ipaddr, which can be
             an IP address in dotted quad or a host name.
  .
  .
  .
             This is intended for use with transparent proxy servers.
  .
  .
  .
-- 
Crist J. Clark                           cjclark@home.com

From owner-freebsd-ipfw Tue May 30 09:49:27 2000
From: Archie Cobbs <archie@whistle.com>
Date: Tue, 30 May 2000 09:48:59 -0700 (PDT)
To: krentel@dreamscape.com (Mark W. Krentel)
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: rc.firewall rule 200
Message-Id: <200005301648.JAA32109@bubba.whistle.com>
In-Reply-To: <200005290407.AAA20103@dreamscape.com>

Mark W. Krentel writes:
> Last week, I asked about some of the rc.firewall rules.  I've looked
> at them in more detail and I have a few more comments.  I apologize in
> advance if I'm being dense about this.
>
> (1) My conclusion is that rule 200 doesn't really add anything for
> security.
>
>     ${fwcmd} add 100 pass all from any to any via lo0
>     ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>
> Now, I realize that anything matching rule 200 cannot possibly be
> legitimate, and that's reason enough to deny it.  But the claim was
> that someone on the same network could circumvent the firewall by
> using the machine's 127.0.0.1 address, as in the following attack.
>
>     ifconfig lo0 down delete
>     route add 127.0.0.0
>     telnet 127.0.0.1
>
> I don't see where this attack accomplishes anything.  An outside
> packet destined for 127.0.0.1 must first enter on an interface other
> than loopback.  At that point it's confronted with the same rules
> whether it's destined for 127.0.0.1 or the machine's legit address.
> The point is that a hacker can just as easily use the machine's legit
> address and face the same set of rules.

But.. sometimes sensitive services are running bound (only) to the
address 127.0.0.1, and there are no firewall rules to protect them,
because normally none are needed. By doing the 'route add ..' trick an
adversary can negate this assumption. If you happen to be relying on
it, you're in trouble.

As an example, you have to look no farther than FreeBSD two years ago:

  http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall (revision 1.19)
  http://www.FreeBSD.org/cgi/query-pr.cgi?pr=6406

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com

From owner-freebsd-ipfw Tue May 30 16:14:30 2000
From: "Ron Smith" <ronnetron@hotmail.com>
Date: Tue, 30 May 2000 16:14:17 PDT
To: freebsd-ipfw@freebsd.org
Subject: SMTP rules
Message-ID: <20000530231417.18001.qmail@hotmail.com>

Hi all,

'uname -a' says: FreeBSD 3.4-RELEASE

I would like to send and receive mail through our firewall, but the canned
rule for this doesn't seem to work.
I have the following in place:

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

We have a separate mail server, behind the NAT router, that handles the
mail. But, no one on the outside of our LAN is able to send email to our
mail server. And, we aren't able to send mail out to anyone other than the
people on our LAN.

'more /etc/db.ourdomain.com' says the following:

    ;MX records
    @       IN      MX      10      mail.ourdomain.com.

    ;hosts
    mail    IN      A       192.x.x.x

Apparently there is something I'm missing. Any help would be appreciated
greatly.

TIA
Ron Smith

From owner-freebsd-ipfw Tue May 30 16:38:09 2000
From: Nick Rogness <nick@rapidnet.com>
Date: Tue, 30 May 2000 17:37:55 -0600 (MDT)
To: Ron Smith <ronnetron@hotmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: SMTP rules
In-Reply-To: <20000530231417.18001.qmail@hotmail.com>

On Tue, 30 May 2000, Ron Smith wrote:

> Hi all

        Hello,

>
> 'uname -a' says: FreeBSD 3.4-RELEASE
>
> I would like to send and receive mail through our firewall, but the canned
> rule for this doesn't seem to work. I have the following in place:
>
> # Allow setup of incoming email
> $fwcmd add pass tcp from any to ${oip} 25 setup

        Umm, ok.

>
> We have a separate mail server, behind the NAT router, that handles the
> mail.
> But, no one on the outside of our LAN is able to send email to our
> mail server. And, we aren't able to send mail out to anyone other than the
> people on our LAN.

        I'm assuming your mail server is on the private side?  Is a
        redirect_port added in the natd config?

        You need to give more details of how your network is constructed.
        2 different mail servers?  Are you doing your own DNS?  What type
        of mail server is it?  Is your nat device your mail server?  Is it
        FreeBSD?  etc, etc, etc.

>
> 'more /etc/db.ourdomain.com' says the following:
>
> ;MX records
> @       IN      MX      10      mail.ourdomain.com.

        What does the outside world think about your domain?  Is your
        server authoritative for your domain:

        # nslookup
        >root
        Default Server:  a.root-servers.net
        Address:  198.41.0.4

        >set type=NS
        >yourdomain.com
        .
        .
        ns.yourdomain.com       your_NS_IP

        >server your_NS_IP
        >set type=MX
        >yourdomain.com
        mail exchanger = mail.yourdomain.com
        mail.yourdomain.com     your_OUTSIDE_IP
        >exit
        #

        I'm assuming you are running DNS.

>
> ;hosts
> mail    IN      A       192.x.x.x

        This is a rather tricky setup because you are on a NAT'd network.
        You must have 2 different name servers running (or possibly 2
        subdomains), one for your public side and one for your private
        side.  Once again, this is, of course, if you are doing DNS for
        your domain.

>
> Apparently there is something I'm missing. Any help would be appreciated
> greatly.

        Give some more details and your problem will probably get resolved
        quickly ;-)

Nick Rogness
- Speak softly and carry a Gigabit switch.
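Two rulesets are debated in the messages above: Mark Krentel's rc.firewall excerpt (rule 200, the "pass udp from any 53 to ${ip}" rules and his proposed rule 400) and Ron Smith's "pass tcp from any to ${oip} 25 setup" behind natd. The following is an added example, not code from the list, from rc.firewall or from ipfw: a small Python model of ipfw's first-match evaluation that lets you check such rulesets offline. All addresses (10.0.0.2 as the firewalled host, 10.0.0.53 as its DNS server, 203.0.113.10 and 192.168.1.25 as the outside and inside mail addresses, 198.51.100.7 as an outside host) and the probe packets are constructed. The natd part assumes what rc.firewall does when natd_enable is set: the divert rule is added as rule 50, ahead of the filter rules, and natd hands the rewritten packet back so matching continues at the next rule with the translated destination.

```python
"""Toy model of ipfw(8) first-match evaluation, for checking the rulesets
discussed in this thread offline.  Constructed example, not ipfw code: it
models only protocol, addresses, ports, the interface a packet is seen on,
the TCP "setup" test, and a natd-style divert that rewrites the destination
and resumes matching at the rule after the divert."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    iface: str              # interface the packet is seen on ("fxp0", "lo0", ...)
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP SYN without ACK, which is what "setup" matches


@dataclass(frozen=True)
class Rule:
    num: int
    action: str             # "pass", "deny" or "divert"
    proto: str = "all"
    src: str = "any"        # address or CIDR, as in ipfw syntax
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    via: Optional[str] = None
    setup: bool = False


# natd -redirect_port table: (proto, outside addr, outside port) -> (inside addr, port)
Redirects = Dict[Tuple[str, str, int], Tuple[str, int]]


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("all", pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.via is None or rule.via == pkt.iface)
            and (not rule.setup or (pkt.proto == "tcp" and pkt.syn)))


def evaluate(rules: List[Rule], pkt: Packet,
             redirects: Optional[Redirects] = None) -> Tuple[str, int]:
    """Return (action, rule number) of the first matching pass/deny rule.
    A matching divert rule rewrites the destination the way natd's
    redirect_port would; matching then resumes at the next rule with the
    rewritten packet, so every later rule sees the inside address."""
    for rule in sorted(rules, key=lambda r: r.num):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            target = (redirects or {}).get((pkt.proto, pkt.dst, pkt.dport))
            if target:
                pkt = replace(pkt, dst=target[0], dport=target[1])
            continue
        return rule.action, rule.num
    return "deny", 65535    # ipfw's implicit default rule


# Assumed addresses: the firewalled host, its DNS server, an arbitrary outside host.
IP, DNS, OUTSIDE = "10.0.0.2", "10.0.0.53", "198.51.100.7"
LOOPBACK = [Rule(100, "pass", via="lo0"), Rule(200, "deny", dst="127.0.0.0/8")]


def udp_rule_results() -> Tuple[str, str]:
    """'pass udp from any 53 to ${ip}' as in rc.firewall, then tightened to the
    DNS server's address, against a datagram sent from port 53 to NFS (2049)."""
    probe = Packet("udp", OUTSIDE, IP, "fxp0", sport=53, dport=2049)
    loose = LOOPBACK + [Rule(300, "pass", "udp", sport=53, dst=IP)]
    tight = LOOPBACK + [Rule(300, "pass", "udp", src=DNS, sport=53, dst=IP)]
    return evaluate(loose, probe)[0], evaluate(tight, probe)[0]   # ("pass", "deny")


def loopback_results() -> Tuple[Tuple[str, int], Tuple[str, int], Tuple[str, int]]:
    """Rules 100/200 against a SYN *to* 127.0.0.1 arriving on fxp0 (rule 200
    catches it) and a SYN spoofed *from* 127.0.0.1 to the host's SMTP port,
    which is treated like any other outside packet unless rule 400 is present."""
    smtp = [Rule(500, "pass", "tcp", dst=IP, dport=25, setup=True)]
    to_lo = Packet("tcp", OUTSIDE, "127.0.0.1", "fxp0", dport=8080, syn=True)
    from_lo = Packet("tcp", "127.0.0.1", IP, "fxp0", dport=25, syn=True)
    return (evaluate(LOOPBACK + smtp, to_lo),                                        # ("deny", 200)
            evaluate(LOOPBACK + smtp, from_lo),                                      # ("pass", 500)
            evaluate(LOOPBACK + [Rule(400, "deny", src="127.0.0.0/8")] + smtp, from_lo))  # ("deny", 400)


def smtp_results() -> Tuple[str, str]:
    """'pass tcp from any to ${oip} 25 setup' with natd's divert (rule 50) ahead
    of it: the inbound SYN reaches rule 300 already rewritten to the inside
    server, so a rule for the outside address never matches; one for the
    inside address does."""
    OIP, MAIL = "203.0.113.10", "192.168.1.25"       # assumed outside / inside mail addresses
    redirects = {("tcp", OIP, 25): (MAIL, 25)}
    syn = Packet("tcp", OUTSIDE, OIP, "fxp0", sport=40000, dport=25, syn=True)
    base = ([Rule(50, "divert", via="fxp0")] + LOOPBACK
            + [Rule(300, "pass", "tcp", dst=OIP, dport=25, setup=True)])
    fixed = base + [Rule(310, "pass", "tcp", dst=MAIL, dport=25, setup=True)]
    return evaluate(base, syn, redirects)[0], evaluate(fixed, syn, redirects)[0]  # ("deny", "pass")


if __name__ == "__main__":
    print("udp from port 53 to NFS, as written / tightened:", udp_rule_results())
    print("loopback cases:", loopback_results())
    print("smtp behind natd, as posted / with inside rule:", smtp_results())
```

Run it and the three functions give the outcomes the thread argues about: the port-53 rule as written passes a datagram aimed at NFS as long as it comes from source port 53, and a source-address restriction stops it; a packet addressed to 127.0.0.1 that arrives on fxp0 is denied by rule 200, while a packet spoofed from 127.0.0.1 falls through to whatever later rule would pass an ordinary outside packet unless rule 400 is in front; and a rule written for the outside address of a natd-redirected service never matches once the divert has rewritten the destination, which is one reason to check the natd redirect_port and the inside address together when a rule like Ron's appears not to work.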
From owner-freebsd-ipfw Wed May 31 05:05:57 2000
From: Plamen Stoev <toor@mail.bg>
Date: 31 May 2000 12:05:36 -0000
To: freebsd-ipfw@freebsd.org
Subject: ipfw problem
Message-ID: <20000531120536.15209.qmail@mail.bg>

Hi all :)

How could I deal with this problem in FreeBSD-4.0-RELEASE:

    ~# whoami
    root
    ~# ipfw -f flush
    ipfw: setsockopt(IP_FW_FLUSH): Protocol not available

Regards,
Plamen Stoev
From owner-freebsd-ipfw Wed May 31 05:19:53 2000
From: Omachonu Ogali <oogali@intranova.net>
Date: Wed, 31 May 2000 08:21:11 -0400 (EDT)
To: Plamen Stoev <toor@mail.bg>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw problem
In-Reply-To: <20000531120536.15209.qmail@mail.bg>

On 31 May 2000, Plamen Stoev wrote:

> ~# ipfw -f flush
> ipfw: setsockopt(IP_FW_FLUSH): Protocol not available

1) Recompile your kernel with IP firewalling support:

        options IPFIREWALL

2) Load the 'ipfw' kernel module, provided '/modules/ipfw.ko' exists:

        /sbin/kldload /modules/ipfw.ko

-- 
+-----------------------------------------------------------------------+
| Omachonu Ogali                                   oogali@intranova.net |
| Intranova Networking Group                   http://www.intranova.net |
| PGP Key ID: 0xBFE60839                                                |
| PGP Fingerprint: 8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34       |
+-----------------------------------------------------------------------+

From owner-freebsd-ipfw Wed May 31 06:44:29 2000
From: Nick Rogness <nick@rapidnet.com>
Date: Wed, 31 May 2000 07:44:10 -0600 (MDT)
To: Omachonu Ogali <oogali@intranova.net>
Cc: Plamen Stoev <toor@mail.bg>, freebsd-ipfw@freebsd.org
Subject: Re: ipfw problem

On Wed, 31 May 2000, Omachonu Ogali wrote:

[snip]
> 2) Load the 'ipfw' kernel module, provided '/modules/ipfw.ko' exists:
>         /sbin/kldload /modules/ipfw.ko
>

        Even easier is in /etc/rc.conf:

        firewall_enable="YES"

        reboot.

Nick Rogness
- Speak softly and carry a Gigabit switch.

From owner-freebsd-ipfw Wed May 31 08:25:56 2000
From: Joshua Goodall <joshua@roughtrade.net>
Date: Wed, 31 May 2000 17:25:50 +0200 (CEST)
To: Nick Rogness <nick@rapidnet.com>
Cc: Omachonu Ogali <oogali@intranova.net>, Plamen Stoev <toor@mail.bg>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw problem

On Wed, 31 May 2000, Nick Rogness wrote:

> On Wed, 31 May 2000, Omachonu Ogali wrote:
>
> [snip]
> > 2) Load the 'ipfw' kernel module, provided '/modules/ipfw.ko' exists:
> >         /sbin/kldload /modules/ipfw.ko
> >
>
>         Even easier is in /etc/rc.conf:
>
>         firewall_enable="YES"
>
>         reboot.
that's a bit "Microsoft" though :)

J

From owner-freebsd-ipfw Wed May 31 10:11:16 2000
From: Nick Rogness <nick@rapidnet.com>
Date: Wed, 31 May 2000 11:10:44 -0600 (MDT)
To: Joshua Goodall <joshua@roughtrade.net>
Cc: Omachonu Ogali <oogali@intranova.net>, Plamen Stoev <toor@mail.bg>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw problem

On Wed, 31 May 2000, Joshua Goodall wrote:

>
> On Wed, 31 May 2000, Nick Rogness wrote:
>
> > On Wed, 31 May 2000, Omachonu Ogali wrote:
> >
> > [snip]
> > > 2) Load the 'ipfw' kernel module, provided '/modules/ipfw.ko' exists:
> > >         /sbin/kldload /modules/ipfw.ko
> > >
> >
> >         Even easier is in /etc/rc.conf:
> >
> >         firewall_enable="YES"
> >
> >         reboot.
>
> that's a bit "Microsoft" though :)

        Hmmm. Maybe (a*@h$?e) ;-)

        He's going to have to reboot anyway, if he rebuilds his
        kernel...why not add it then.  What happens when you use your
        technique and he reboots...is he or is he not going to have to
        retype the command you specified above?

Nick Rogness
- Speak softly and carry a Gigabit switch.
From owner-freebsd-ipfw Fri Jun 2 09:09:06 2000
From: "Konstantin S. Kurianoff" <calman@kaliostro.crimea.com>
Date: Fri, 2 Jun 2000 19:08:53 +0400
To: freebsd-ipfw@freebsd.org
Subject: ipfw ? problem
Message-ID: <000a01bfcca4$77ed3380$4700a8c0@kaliostro.crimea.com>

When booting, the system says:

    IP packet filtering initialized, divert disabled, logging disabled
    Kernel firewall module loaded
    ipfw: socket: Permission denied   (3 times)
    Firewall rules loaded

I do not want to run ipfw because I didn't option it in the kernel
(options IPFIREWALL).

Every time, being root, I wish to run ipfw flush or something else, the
system says:

    "ipfw: socket: Permission denied".

Please help me. Thank you.

calman@kaliostro.crimea.com
From owner-freebsd-ipfw Fri Jun 2 13:25:40 2000
From: Kris Kennaway <kris@FreeBSD.org>
Date: Fri, 2 Jun 2000 13:25:38 -0700 (PDT)
To: "Konstantin S. Kurianoff" <calman@kaliostro.crimea.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw ? problem
In-Reply-To: <000a01bfcca4$77ed3380$4700a8c0@kaliostro.crimea.com>

On Fri, 2 Jun 2000, Konstantin S. Kurianoff wrote:

> When booting, the system says:
>
> IP packet filtering initialized, divert disabled, logging disabled
> Kernel firewall module loaded
> ipfw: socket: Permission denied   (3 times)
> Firewall rules loaded

You have firewall_enable=YES in rc.conf.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe