From owner-freebsd-ipfw Tue Mar 6 10:52:58 2001
From: Bradley Senff
To: "'freebsd-ipfw@freebsd.org'"
Subject: IPFW and forwarding from one interface to another (LONG)
Date: Tue, 6 Mar 2001 11:56:51 -0700
Message-ID: <40DFA2708D54D41193F20001025665B61ABBB7@MAIL>

Like most of the posters, I have an issue with IPFW that perhaps this group can assist me with. I am pretty familiar with IPFW, and very familiar with FreeBSD.

I have a firewall with 5 ethernet ports (for this case, we'll call them ports 1 through 5). For the purpose of explanation, the view of the firewall is explained from the PUBLIC side into the PRIVATE side.

Quick NOTE: the kernel is made with the following options: options TCP_DROP_SYNFIN, options TCP_RESTRICT_RST, options IPFIREWALL, options IPFIREWALL_VERBOSE, options IPFIREWALL_FORWARD, options DUMMYNET, and options IPSTEALTH. The rc.conf has gateway_enable="YES", firewall_enable="YES", among other unrelated items.

Port 1 is the firewall's main ethernet port. This port should be used only for connecting to the firewall itself. Ports 2 through 5 are used for traffic. I use the "even" ports (2,4) for INBOUND traffic. Ports 3,4 are OUTBOUND to the protected segments.

There are two segments. Port 2 is the public side for Segment 1 (we'll say 1.1.1.0/24). Port 3 is the actual segment 1 (and has the IP 1.1.1.1/24). Port 4 is the public side for segment 2 (2.2.2.0/24), port 5 has the IP of 2.2.2.1/24.

Since port 1 is the main port for the firewall, the IP 9.9.9.9/30 is used, and directly connected to the upstream gateway. The upstream gateway (9.9.9.10/30) is the default gateway for the firewall. (netstat -rn shows 0.0.0.0 to have a gateway of 9.9.9.10.)

When setting up the rules, I have placed filters for the incoming traffic on ports 2 and 4. Those ports work great. No problems there. However, I have some filters on ports 3 and 5 to keep that side of the firewall's segments separate. I also have a global forward command.

Any packets coming from the public to segment 2 are coming in through port 2. I want the reverse to be true as well: All traffic from the PRIVATE side of segment 2 MUST be redirected (next hop changed etc.) to the PUBLIC port (port 2). Port 3's traffic should be pushed to go back to the public via port 2. NOT PORT 1!!!! Due to the default gateway set in the kernel's routing table, (I assume) the return traffic is going out Port 1.

Look at the firewall config below (IPs changed to protect the innocents) to see what the explanation is attempting to illustrate. Is that configuration correct to remap the traffic coming in port 3 from the private side to go out port 2 on the public side?

#Ports in the firewall, and their IP's:
#fxp0 3.3.3.1/30 (firewall traffic only.. or at least should be!)
#dc0 5.5.5.5/30 (public side for segment 1)
#dc1 1.1.1.1/24 (private side for segment 1)
#dc2 6.6.6.5/30 (public side for segment 2)
#dc3 2.2.2.1/24 (private side for segment 2)

#allow loopback traffic
add 00010 allow ip from any to any via lo0

#default deny all
add 65534 deny ip from any to any

#deny all non-routed IP's from going anywhere through firewall
add 0100 deny all from 192.168.0.0/16 to any via any
add 0101 deny all from any to 192.168.0.0/16 via any
add 0102 deny all from 172.16.0.0/12 to any via any
add 0103 deny all from any to 172.16.0.0/12 via any
add 0104 deny all from 10.0.0.0/8 to any via any
add 0105 deny all from any to 10.0.0.0/8 via any

#deny 127 traffic on all interfaces except lo0
add 0106 deny ip from any to 127.0.0.0/8 via fxp0
add 0107 deny ip from 127.0.0.0/8 to any via fxp0
add 0108 deny ip from any to 127.0.0.0/8 via dc*
add 0109 deny ip from 127.0.0.0/8 to any via dc*

# fxp0 is the firewall.. we should let everything in from my network, and allow established out
# not an entirely correct entry, I removed the real ones, and put this in as an example only
# so as to represent the port in this config.
add 500 allow ip from to 3.3.3.1/30 in via fxp0
add 510 allow ip from 3.3.3.1/30 to any established out via fxp0

# 520 and 530 had to be added to allow the traffic to incorrectly go out fxp0 .. I don't want this
# but I have no choice since the fwd statements are not working.
add 520 allow ip from 1.1.1.0/24 to any out fxp0
add 530 allow ip from 2.2.2.0/24 to any out fxp0

#deny all shares if not specifically allowed
add 60400 deny tcp from any to any 135 via dc*
add 60410 deny tcp from any to any 138 via dc*
add 60420 deny tcp from any to any 139 via dc*
add 60430 deny tcp from any 135 to any via dc*
add 60440 deny tcp from any 138 to any via dc*
add 60450 deny tcp from any 139 to any via dc*

#for incoming segment 1, skip to 10000
#remember, the public traffic comes in dc0, and
#goes out dc1 to the private segment
add 9000 skipto 10000 ip from any to 1.1.1.0/24 in via dc0
add 9010 skipto 10000 ip from any to 1.1.1.0/24 out via dc1

#for outgoing segment 1, skip to 10000
#from the private side, responses come in dc1, and go out dc0
add 9110 skipto 11000 ip from 1.1.1.0/24 to any in via dc1
add 9120 skipto 11000 ip from 1.1.1.0/24 to any out via dc0

#for incoming segment2 skip to 12000
add 9200 skipto 12000 ip from any to 2.2.2.0/24 in via dc2
add 9210 skipto 12000 ip from any to 2.2.2.0/24 out via dc3

#for outgoing segment2, skip to 13000
add 9301 skipto 13000 ip from 2.2.2.0/24 to any in via dc3
add 9302 skipto 13000 ip from 2.2.2.0/24 to any out via dc2

#anything that gets this far should be dropped, as it isn't for a segment here
add 9999 skipto 60000 ip from any to any
#END MAIN CONFIG

#INFO-SEG Segment 1
#INFO-SUBNET 1.1.1.0/24
#INFO-PORT dc1
#INFO-RULESET 10000 11000

#first, deny forged packets from the net
add 10000 deny ip from 1.1.1.0/24 to any in via dc0

#allow all traffic to all ports on subnet from specific IPs
add 10030 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0
add 10040 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0
add 10050 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0
add 10060 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0
add 10070 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0

#specific ports allowed
add 10110 allow tcp from any to 1.1.1.10/32 1111 in via dc0
add 10120 allow tcp from any to 1.1.1.11/32 2222 in via dc0
add 10130 allow tcp from any to 1.1.1.12/32 3333 in via dc0
add 10140 allow tcp from any to 1.1.1.13/32 4444 in via dc0

#globally allowed ports
#all hosts on 1.1.1.0/24 need these ports open.
# add 10200 check-state
add 10210 allow tcp from any to any 1 in setup keep-state in via dc0
add 10250 allow tcp from any to any 5 in setup keep-state in via dc0

#deny access to windows shares from outside -- drop packets in from world,
# and any originating within the firewall network from going out
add 10310 deny tcp from any to 1.1.1.0/24 139 in via dc0
add 10310 deny udp from any to 1.1.1.0/24 139 in via dc0
add 10320 deny tcp from any to 1.1.1.0/24 135 in via dc0
add 10320 deny udp from any to 1.1.1.0/24 135 in via dc0

# allow setup and established to originate from within segment1's network
add 10500 allow tcp from 1.1.1.0/24 to any established out via dc0
add 10600 allow tcp from 1.1.1.0/24 to any setup out via dc0
add 10700 allow tcp from any to 1.1.1.0/24 established in via dc0

# if it is trying to go out dc1, it should since everything is ok by now
add 10800 allow ip from any to 1.1.1.0/24 out via dc1

# we are done with segment 1
add 10999 skipto 60000 ip from any to any

# HERE IS what should be FORCING the traffic back through dc0
# but it isn't!
# I have also tried to use 5.5.5.6/30 as well, but no dice.
add 11000 fwd 5.5.5.5 ip from 1.1.1.0/24 to any via in dc1
# redundant , if 11000 worked, we wouldn't need 11010
add 11010 allow ip from 1.1.1.0/24 to any out via dc0
add 11040 skipto 10999 ip from any to any

#INFO-SUBNET 2.2.2.0/24
#INFO-PORT dc3
#INFO-RULESET 12000 13000

#first, deny incoming packets from the net
add 12000 deny ip from 2.2.2.0/24 to any in via dc2

#requested traffic to allow
add 12300 check-state
add 12310 allow tcp from any to 2.2.2.0/24 1 in setup keep-state in via dc2
add 12315 allow tcp from any to 2.2.2.0/24 2 in setup keep-state in via dc2
add 12320 allow tcp from any to 2.2.2.0/24 3 in setup keep-state in via dc2
add 12330 allow tcp from any to 2.2.2.0/24 4 in setup keep-state in via dc2
add 12340 allow tcp from any to 2.2.2.0/24 5 in setup keep-state in via dc2
add 12360 allow tcp from any to 2.2.2.0/24 established in via dc2
add 12370 allow udp from any to 2.2.2.0/24 55 in via dc2

# anything going out dc3 is ok
add 12300 allow ip from any to 2.2.2.0/24 out via dc3

# we are done with segment 2
add 12999 skipto 60000 ip from any to any

#segment 2's adaptor
add 13000 deny tcp from any to any 135,137,138,139 via dc3
add 13001 deny udp from any to any 135,137,138,139 via dc3

# here is the other offending forward
# NOTE: i *have* tried to use 6.6.6.6 (the next hop) as the forwarding
# address, no dice
add 13010 fwd 6.6.6.5 ip from 2.2.2.0/24 to any in via dc3
add 13020 allow ip from 2.2.2.0/24 to any out via dc2
add 13100 skipto 12999 ip from any to any

Any help on this would be GREATLY appreciated. I have read the man pages for divert, fwd, etc. and it would seem that fwd is designed for what I want to do, but it isn't working.

-brad

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Mar 6 10:59:10 2001
From: Nick Rogness
To: Bradley Senff
Cc: "'freebsd-ipfw@freebsd.org'"
Subject: Re: IPFW and forwarding from one interface to another (LONG)
Date: Tue, 6 Mar 2001 13:27:03 -0600 (CST)
In-Reply-To: <40DFA2708D54D41193F20001025665B61ABBB7@MAIL>

On Tue, 6 Mar 2001, Bradley Senff wrote:

[snip]

> # HERE IS what should be FORCING the traffic back through dc0
> # but it isn't!
> # I have also tried to use 5.5.5.6/30 as well, but no dice.
> add 11000 fwd 5.5.5.5 ip from 1.1.1.0/24 to any via in dc1

ipfw fwd only works on outbound traffic.

Nick Rogness
- Keep on routing in a Free World...
  "FreeBSD: The Power to Serve!"
From owner-freebsd-ipfw Tue Mar 6 11:12:34 2001
From: Roman Le Houelleur
Organization: dotcom
To: freebsd-ipfw
Subject: getsockopt
Date: Tue, 06 Mar 2001 20:12:23 +0100
Message-ID: <3AA53697.4B12517@IPricot.com>

hi,

I would like to get some information about a specific rule I made from a user program. But the getsockopt() syscall always returns information concerning the very first rule of the chain, not the one I want.

here is the (too simple ?) code I use:

    struct ip_fw rule;
    int len;

    bzero (&rule, sizeof (struct ip_fw));
    rule.fw_number = MY_RULE_NBR;
    len = sizeof (rule);
    if (getsockopt (env->raw_sd, IPPROTO_IP, IP_FW_GET, &rule, &len) == -1) {
        perror ("getsockopt (IP_FW_GET)");
        return -1;
    }

I could not find precise information in the man page (ipfw(4)) and don't have much time to check the source code in details. Though it seems to me IP_FW_GET is made to return the entire rule chain...

thanks for any explanation,
Roman.
From owner-freebsd-ipfw Wed Mar 7 3:54:39 2001
From: "Blair Sutton/Odey"
To: freebsd-ipfw@freebsd.org
Subject: masquerade firewall as external host only on one port
Date: Wed, 7 Mar 2001 11:53:33 +0000

hi,

i am trying to set up a firewall router. it has some services running on it, squid, dns and ssh. what i would like is to get the firewall to trap all traffic originating from the internal net 192.168.0.0/24 and travelling to external internet machines on a port say 6666 and pass this on to natd. so natd can then translate the source address to the external IP of the firewall, say dc0/X.X.X.X. the internal address is say fxp0/Y.Y.Y.Y (within 192.168.0.0/24)

visually:-

        internet
           |
           v
    firewall - dc0/X.X.X.X
       (squid/3128) (dns/53) (ssh/22)
    firewall - fxp0/Y.Y.Y.Y
           |
           v
      192.168.0.0/24

the reason is because we have an application on our internal network which does not allow proxy connections so it will attempt to connect to an external host on the internet on port 6666. i would like the firewall to masquerade on this port internally.

what follows is my current setup which is probably too obscured to be of any help in a diagnosis but may show what i am attempting to do. if anyone has achieved this or something similar let me know. thank you in advance.

ps: my kernel has all required firewall and divert options, and i have read the natd manual.

my current ipfw list looks like this:-

allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
allow tcp from any to any established
divert natd tcp from any to any 6666
divert natd tcp from any 6666 to any
allow tcp from any to X.X.X.X 6666 setup
allow tcp from any to Y.Y.Y.Y 22 setup
allow tcp from any to X.X.X.X 22 setup
allow udp from any 53 to Y.Y.Y.Y
allow udp from any 53 to X.X.X.X
allow udp from Y.Y.Y.Y to any 53
allow udp from X.X.X.X to any 53
allow tcp from any to Y.Y.Y.Y 53 setup
allow udp from any to Y.Y.Y.Y 53
allow udp from Y.Y.Y.Y 53 to any
allow udp from Y.Y.Y.Y to any
allow udp from X.X.X.X to any
allow tcp from Y.Y.Y.Y to any setup
allow tcp from X.X.X.X to any setup
allow tcp from any to Y.Y.Y.Y 3128 setup
deny log logamount 10 tcp from any to any in recv fxp0 setup
deny ip from any to any

my current natd.cf looks like this:-

log no
deny_incoming no
use_sockets no
same_ports yes
verbose yes
port natd
interface dc0
redirect_port tcp external_host:6666 6666
redirect_port udp external_host:6666 6666

Odey Asset Management Ltd. 12 Upper Grosvenor St, London W1K 2ND.
Tel: +44 (0) 20 7208 1400, Fax +44 (0) 20 7208 1401.
Regulated by IMRO. Registered in England N0. 2651507.
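The two rule-order questions on this page, Brad's forwarding chain in the first thread and the natd chain in this one, can be checked offline with a toy first-match evaluator. This is an added example, not code from either post. It reads a subset of the rules exactly as posted (numbers, skipto targets, in/out, via, established), runs one packet through them the way ipfw does, once per pass with that pass's interface, and reports which rule ended the walk. For Brad's chain it shows that a reply from 1.1.1.0/24 which the kernel routes out fxp0 never reaches his 11000 block: on the out pass 9110 (in via dc1) and 9120 (out via dc0) both miss, 9999 skips to 60000, and the packet falls through the share denies to 65534 unless rule 520 is present, which is why he had to add 520/530. For Blair's chain it shows why the order he reports working later in this thread matters: an inbound reply from port 6666 has ACK set, so with `allow tcp from any to any established` ahead of the divert rules it is accepted before natd ever sees it, while with Crist's two divert rules first the same packet is diverted. Assumptions: 203.0.113.5 stands in for the firewall's public address X.X.X.X, 198.51.100.7 for an Internet host, the rule numbers for Blair's chain are invented (his ipfw list was posted without numbers), and rule 520 is written `out via fxp0` because the toy parser wants the `via` keyword. The simulator does not model keep-state, natd's re-injection of the translated packet, or what the kernel does with `fwd`, which is the subject of Nick's reply.

```python
"""Toy first-match simulator for an ipfw(8) chain (an added example, not code
from the archive). It models first-match order, skipto, in/out, via IFACE
(globs such as dc* allowed), established, CIDR addresses and one port per side,
with the terminal actions allow/deny/divert/fwd. Nothing else is modelled."""
import fnmatch
import ipaddress
import re
from collections import namedtuple

# One packet on one pass: ipfw runs the chain once on input (iface = receive
# interface) and once on output (iface = transmit interface). ack=True means
# the TCP ACK bit is set, which is what "established" matches.
Packet = namedtuple("Packet", "proto src dst sport dport direction iface ack",
                    defaults=(False,))

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|skipto \d+|divert \S+|fwd \S+)\s+"
    r"(?P<proto>ip|all|tcp|udp)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?(?P<opts>(?:\s+\S+)*)\s*$")

def parse(text):
    """Parse 'NUM action proto from SRC [port] to DST [port] [opts]' lines into dicts."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        action, _, arg = m["action"].partition(" ")
        r = {"num": int(m["num"]), "action": action, "arg": arg, "proto": m["proto"],
             "src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
             "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
             "dir": None, "via": None, "established": False}
        toks = iter(m["opts"].split())
        for t in toks:
            if t in ("in", "out"):
                r["dir"] = t
            elif t == "via":
                r["via"] = next(toks)
            elif t == "established":
                r["established"] = True
            else:
                raise ValueError(f"unsupported option {t!r} in rule {r['num']}")
        rules.append(r)
    return sorted(rules, key=lambda r: r["num"])

def addr_ok(spec, ip):
    return spec == "any" or ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def ip_address(ip):
    return ipaddress.ip_address(ip)

def matches(r, p):
    return ((r["proto"] not in ("tcp", "udp") or r["proto"] == p.proto)
            and addr_ok(r["src"], p.src) and addr_ok(r["dst"], p.dst)
            and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport)
            and r["dir"] in (None, p.direction)
            and (r["via"] in (None, "any") or fnmatch.fnmatchcase(p.iface, r["via"]))
            and (not r["established"] or (p.proto == "tcp" and p.ack)))

def evaluate(rules, p):
    """First-match walk; returns (matched rule numbers, (action, arg, rule number))."""
    path, i = [], 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, p):
            i += 1
            continue
        path.append(r["num"])
        if r["action"] != "skipto":
            return path, (r["action"], r["arg"], r["num"])
        i = next((j for j, x in enumerate(rules) if x["num"] >= int(r["arg"])), len(rules))
    return path, ("deny", "", 65535)  # ipfw's implicit default rule

# Subset of Brad's chain. Rule 520 reads "out fxp0" in the post; the toy parser needs "via".
BRAD = """
520 allow ip from 1.1.1.0/24 to any out via fxp0
9110 skipto 11000 ip from 1.1.1.0/24 to any in via dc1
9120 skipto 11000 ip from 1.1.1.0/24 to any out via dc0
9999 skipto 60000 ip from any to any
60400 deny tcp from any to any 135 via dc*
65534 deny ip from any to any
"""
# Blair's order as first posted, then the order he reports working. Rule numbers and the
# firewall's public address (203.0.113.5 standing in for X.X.X.X) are assumptions.
BLAIR_POSTED = """
100 allow tcp from any to any established
200 divert natd tcp from any to any 6666
300 divert natd tcp from any 6666 to any
"""
BLAIR_FIXED = """
100 divert natd tcp from 192.168.0.0/24 to any 6666 out via dc0
200 divert natd tcp from any 6666 to 203.0.113.5 in via dc0
300 allow tcp from any to any established
"""

def scenarios():
    """Constructed packets: a reply leaving 1.1.1.10 on fxp0, and a NAT'd reply arriving on dc0."""
    brad = parse(BRAD)
    reply_out = Packet("tcp", "1.1.1.10", "198.51.100.7", 1111, 40000, "out", "fxp0", ack=True)
    nat_reply = Packet("tcp", "198.51.100.7", "203.0.113.5", 6666, 50000, "in", "dc0", ack=True)
    return {
        "brad_out_pass": evaluate(brad, reply_out),
        "brad_out_pass_no_520": evaluate([r for r in brad if r["num"] != 520], reply_out),
        "blair_posted": evaluate(parse(BLAIR_POSTED), nat_reply),
        "blair_fixed": evaluate(parse(BLAIR_FIXED), nat_reply),
    }
```

scenarios() returns, for each case, the list of rules that matched (skipto hops included) and the terminal (action, argument, rule number); `brad_out_pass_no_520` ends at 65534 and `blair_posted` ends at the established rule with action allow, never at divert.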
From owner-freebsd-ipfw Wed Mar 7 22:50:19 2001
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Blair Sutton/Odey
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: masquerade firewall as external host only on one port
Date: Wed, 7 Mar 2001 22:49:54 -0800
Message-ID: <20010307224954.L1367@cjc-desktop.users.reflexcom.com>

On Wed, Mar 07, 2001 at 11:53:33AM +0000, Blair Sutton/Odey wrote:
> hi,
>
> i am trying to set up a firewall router. it has some services running on
> it, squid, dns and ssh.
> what i would like is to get the firewall to trap all traffic originating
> from the internal net
> 192.168.0.0/24 and travelling to external internet machines on a port say
> 6666 and pass
> this on to natd. so natd can then translate the source address to the
> external IP of the
> firewall, say dc0/X.X.X.X. the internal address is say fxp0/Y.Y.Y.Y
> (within 192.168.0.0/24)

OK. So the internal machines can only reach the outside on HTTP through a squid proxy except for one service going to port 6666 which will be NAT'ed. Rather limited access, but hey, it's your net.

Instead of these,

> divert natd tcp from any to any 6666
> divert natd tcp from any 6666 to any

I think your NAT rules should be,

divert natd tcp from 192.168.0.0/24 to any 6666 out via dc0
divert natd tcp from any 6666 to X.X.X.X in via dc0

As for some of these others... If you are only doing NAT on 6666, it does not make sense to let other traffic out. You should be using 'via ' a lot more in your rules.

-- 
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-ipfw Thu Mar 8 1:28:43 2001
From: "Blair Sutton/Odey"
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: masquerade firewall as external host only on one port
Date: Thu, 8 Mar 2001 09:27:43 +0000

Thank you Crist, I eventually got the thing working with your advice and also noting that the initial clause

allow tcp from any to any established

had to come after the natd statements,
otherwise it would catch the return packets from the natd established connection.

For future readers of this thread, make sure when you set up your ipfw rules they occur in this order:-

divert natd tcp from ............     [ you may want to catch only ]
divert natd tcp from ............     [ specific packets ]
allow tcp from any to any established
[ ENSURE YOUR NATD PORTS ARE ALLOWED HERE ]
[ YOUR OTHER FIREWALL RULES HERE ]
deny ip from any to any

From owner-freebsd-ipfw Thu Mar 8 1:48:28 2001
From: "Patrick O'Reilly"
To: "FreeBSD Network List" , "FreeBSD IPFW List"
Subject: FW: MS Shares through IPFW
Date: Thu, 8 Mar 2001 11:47:45 +0200

Hi all!

I need to allow some M$ clients to access M$ shares on an NT server, the clients and server being on opposite sides of a FreeBSD ipfw firewall. The firewall is running fine (has been for 6 months) but I cannot get this D**N Netbios stuff going.

In my desperation I have gone as far as adding these two very loose rules, which are the very first rules in the ipfw chain:
--------
/sbin/ipfw -q add 00009 allow log ip from 10.5.5.0/24 to 10.3.3.240
/sbin/ipfw -q add 00009 allow log ip from 10.3.3.240 to 10.5.5.0/24
--------

The 10.5.5.0/24 Subnet includes the client we are testing, and 10.3.3.240 is the NT Server.
The 10.5.5.0/24 Subnet is remote across a VPN, but there are IP tunnels in place so that the extra hops are transparent -> I don't THINK they should be causing our problems.

When the Client tries to map the share on the Server there is a whole bunch of traffic logged against rule #9, including ports UDP 137 and TCP 139, going back and forth between the client and server. The client is prompted for a login/password, which we enter VERY CAREFULLY to make sure we got it right, but thereafter the connection is refused. Is this something about M$ security, or is there something else I am not seeing that the firewall might be denying?

The only curious thing I have observed is the following lines in the ipfw.log interspersed among all the "Accept" logs between these computers:
--------
Mar 7 11:16:08 eccles /kernel: ipfw: 65534 Deny UDP 0.0.0.0:68 10.3.3.240:67 in via rl2
Mar 7 11:16:08 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.1:67 10.3.3.240:67 in via rl2
Mar 7 11:16:08 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.1:67 10.3.3.240:67 out via rl0
--------

I believe ports 67 and 68 are used for DHCP - we are not using DHCP anywhere, so I don't understand why this pops up, but I include it as it may be relevant ?!? Also, why is the source IP on the first line 0.0.0.0 ?

Anyone with some more M$ / Netbios expertise - PLEASE HELP.

Thanks,
Patrick.
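Log lines of the form Patrick quotes above are easy to turn into a per-flow summary, which is usually faster than reading "Accept" lines by eye when a Windows client talks to an NT server through a firewall. The following is an added example, not code from the thread: it parses the ipfw(8) syslog format as written with IPFIREWALL_VERBOSE (rule number, verdict, protocol, endpoints, direction, interface), names the well-known ports involved (UDP 137 netbios-ns, UDP 138 netbios-dgm, TCP 139 netbios-ssn, TCP 135 RPC endpoint mapper, UDP 67/68 BOOTP/DHCP), flags the 0.0.0.0:68 -> :67 packet as what it is (a DHCP client asking for a lease before it has an address), and lists every denied flow. Two caveats a practitioner wants: ipfw logs a forwarded packet once per pass, so the same packet appears as "in via rl2" and again as "out via rl0" and would be double counted if you were not looking at direction; and the sample list below consists of Patrick's three lines plus two constructed NetBIOS lines (a 137 name query and a 139 session) of the kind his rule 9 would accept, added only so the summary has something to group.

```python
"""Parser for ipfw(8) log lines as written with IPFIREWALL_VERBOSE (an added
example, not code from the thread). It extracts rule number, verdict, protocol,
endpoints, direction and interface from each syslog line, names the well-known
ports that matter for Windows file sharing and for DHCP, and lists the flows the
firewall dropped. ipfw logs a forwarded packet once per pass, so one packet can
appear as "in via rl2" and again as "out via rl0"; direction tells them apart."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+(?::[\d.]+)?)"
    r" (?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r" (?P<dir>in|out) via (?P<iface>\S+)")

# Ports from the thread (UDP 137, TCP 139, UDP 67/68) plus the rest of the NetBIOS set.
SERVICES = {67: "bootps (DHCP server)", 68: "bootpc (DHCP client)",
            135: "epmap (MS RPC)", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

def parse_line(line):
    """Return a dict for one ipfw log line, or None if the line is something else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["service"] = SERVICES.get(rec["dport"]) or SERVICES.get(rec["sport"]) or "other"
    # 0.0.0.0:68 -> :67 is a DHCP DISCOVER/REQUEST from a host that has no
    # address yet (RFC 2131): a client asking for a lease.
    rec["note"] = ("dhcp client without an address"
                   if rec["src"] == "0.0.0.0" and rec["dport"] == 67 else "")
    return rec

def summarize(lines):
    """Count flows per (action, proto, service) and list every denied flow."""
    recs = [r for r in map(parse_line, lines) if r]
    counts = Counter((r["action"], r["proto"], r["service"]) for r in recs)
    denied = [(r["rule"], r["proto"], f'{r["src"]}:{r["sport"]}', f'{r["dst"]}:{r["dport"]}',
               r["dir"], r["iface"], r["note"]) for r in recs if r["action"] == "Deny"]
    return counts, denied

# The three lines from Patrick's post, followed by two constructed NetBIOS lines
# (name query on UDP 137, session on TCP 139) of the kind his rule 9 accepts.
SAMPLE = [
    "Mar  7 11:16:08 eccles /kernel: ipfw: 65534 Deny UDP 0.0.0.0:68 10.3.3.240:67 in via rl2",
    "Mar  7 11:16:08 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.1:67 10.3.3.240:67 in via rl2",
    "Mar  7 11:16:08 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.1:67 10.3.3.240:67 out via rl0",
    "Mar  7 11:16:09 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.20:137 10.3.3.240:137 in via rl2",
    "Mar  7 11:16:09 eccles /kernel: ipfw: 9 Accept TCP 10.5.5.20:1025 10.3.3.240:139 in via rl2",
]

if __name__ == "__main__":
    counts, denied = summarize(SAMPLE)
    for key, n in sorted(counts.items()):
        print(f"{n:3d}  {' '.join(key)}")
    for d in denied:
        print("denied:", d)
```

Feed it the real ipfw.log (one line per list element) and the denied list is the set of flows the firewall, not the NT server, refused; anything the client needs that shows up there is what the next allow rule should cover.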
From owner-freebsd-ipfw Thu Mar 8 2:26:46 2001
From: "Blair Sutton/Odey"
To: "FreeBSD IPFW List"
Subject: Re: FW: MS Shares through IPFW
Date: Thu, 8 Mar 2001 10:25:14 +0000

Assuming your MS clients are not running NetBEUI, and they are just running TCP/IP with static IP addresses, I cannot see why DHCP requests are being made. Check the network TCP/IP conf on the MS client, make sure it does not attempt to get an IP address automatically. What may help too is setting the WINS server option (helps CIFS/SMB packets cross subnets).

Can you get a complete listing of your ipfw conf and possibly some sample tcpdumps?
From owner-freebsd-ipfw Thu Mar 8 2:27:09 2001
From: Bill Fumerola
To: Patrick O'Reilly
Cc: FreeBSD Network List , FreeBSD IPFW List
Subject: Re: FW: MS Shares through IPFW
Date: Thu, 8 Mar 2001 04:26:52 -0600
Message-ID: <20010308042652.Q31752@elvis.mu.org>
X-Operating-System: FreeBSD 4.2-FEARSOME-20010209 i386

On Thu, Mar 08, 2001 at 11:47:45AM +0200, Patrick O'Reilly wrote:
> In my desperation I have gone as far as adding these two very loose rules,
> which are the very first rules in the ipfw chain:
> --------
> /sbin/ipfw -q add 00009 allow log ip from 10.5.5.0/24 to 10.3.3.240
> /sbin/ipfw -q add 00009 allow log ip from 10.3.3.240 to 10.5.5.0/24
> --------
>
> The 10.5.5.0/24 Subnet includes the client we are testing, and 10.3.3.240 is
> the NT Server. The 10.5.5.0/24 Subnet is remote across a VPN, but there are
> IP tunnels in place so that the extra hops are transparent -> I don't THINK
> they should be causing our problems.

"Transparent" hops wouldn't be the problem. IP packets coming across the wire don't know the difference, neither does ipfw.

> When the Client tries to map the share on the Server there is a whole bunch
> of traffic logged against rule #9, including ports UDP 137 and TCP 139,
> going back and forth between the client and server. The client is prompted
> for a login/password, which we enter VERY CAREFULLY to make sure we got it
> right, but thereafter the connection is refused.

If the client is prompted for a login/password it would seem that a connection has been established (and the firewall doesn't seem to be the problem).

If you REALLY want to know what makes this windows crap tick, put the two clients on the same subnet (on a hub, that makes this easy) and make your connection and have a sniffer like tcpdump or (if you're running X) ethereal. You'll get the entire picture and know exactly what rules to write instead of bogusly allowing * (if protecting those subnets is a goal).

> --------
> Mar 7 11:16:08 eccles /kernel: ipfw: 65534 Deny UDP 0.0.0.0:68
> 10.3.3.240:67 in via rl2
>
> I believe ports 67 and 68 are used for DHCP - we are not using DHCP
> anywhere, so I don't understand why this pops up, but I include it as it may
> be relevant ?!? Also, why is the source IP on the first line 0.0.0.0 ?

What is the IP of a machine that has no IP (hint: and is looking for one..)?

-- 
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-ipfw Thu Mar 8 2:30:32 2001
From: Kris Kennaway
To: fbsd
Cc: freebsd-ipfw@freebsd.org
Subject: Re: is 2.2.8 affected? FreeBSD-SA-01:08.ipfw [REVISED]
Date: Thu, 8 Mar 2001 02:30:29 -0800
Message-ID: <20010308023029.A74860@mollari.cthul.hu>
In-Reply-To: <3A8BD1C5.FDBEBDC0@typhoon.co.jp>

On Thu, Feb 15, 2001 at 09:55:33PM +0900, fbsd wrote:

> I apologize if this has been asked recently...
>
> Is FreeBSD 2.2.X affected by the problems outlined in the above
> mentioned advisory? If so, I'd have to schedule upgrades for a number of
> machines :(

I can't remember, but I think so. It's certainly vulnerable to any number of
other remote vulnerabilities and hasn't been supported for security fixes for
a number of years.

Kris

From owner-freebsd-ipfw Thu Mar 8 3:37:38 2001
From: Johnny.Dang@msmail.unitedway.org
To: patrick@mip.co.za, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: RE: MS Shares through IPFW
Date: Thu, 8 Mar 2001 06:38:14 -0500

Hi Patrick,

Another issue here is the workgroup of the NT/Win PCs. You will have to set
all PCs in the same workgroup named such as MYWORKGROUP, plus do you use
authentication at all? Is your NT network in a peer-to-peer or domain schema?
I hope this helps.
From owner-freebsd-ipfw Thu Mar 8 6:21:59 2001
From: "Patrick O'Reilly"
To: "FreeBSD Network List", "FreeBSD IPFW List"
Subject: RE: FW: MS Shares through IPFW
Date: Thu, 8 Mar 2001 16:21:24 +0200
In-Reply-To: <20010308042652.Q31752@elvis.mu.org>

FIXED !!!

Thanks to you all (Bill, Blair and Johnny) for your help.

It turns out the problem was not at the transport level at all (seriously red
face now!) The login and password was the issue - since the clients and server
are not on the same Windows NT domain, the NT server was validating the login
against local users, not against users registered on the NT PDC.

I have had a local user added to the NT server for the purpose of this
connection, given the user access to the share AND the NTFS directories and
files, and now it works just fine.

PS: I have tightened the firewall rules to:

> --------
> /sbin/ipfw -q add 00009 allow tcp from 10.5.5.0/24 to 10.3.3.240 139
> /sbin/ipfw -q add 00009 allow tcp from 10.3.3.240 139 to 10.5.5.0/24
> --------

and it works that way.

This might help the next person trying to do the same thing...

I'm still getting DHCP stuff floating about, but I'm sure that is another
issue altogether...

Thanks again,
Patrick.

From owner-freebsd-ipfw Thu Mar 8 13:22:19 2001
From: Johnny Dang
To: FreeBSD IpFW
Subject: Need Help SOS
Date: Thu, 8 Mar 2001 16:23:53 -0500 (EST)
Organization: JOHNNYDANG.NET

Somehow, I mistyped the rc.conf and it is stuck right now. How do I boot with
a floppy to edit or, let's say, copy some file from the /dev/whatever to a
floppy? This will help me at this time but also later for another problem: I
want my boss to feel the power of FreeBSD... I want to install FreeBSD on his
PC... The problem is he needs NT to check his mail (Exchange) and the Group
Calendar (Exchange). I will have to dual boot, NT and FreeBSD. There are
several web sites that show how to copy the bootsec.bsd to a small partition
so that he can use the NT Boot loader. I will have to install FreeBSD to boot
from the / partition (not the MBR)... As a result, I need to boot to FreeBSD
and copy that 512 Magic file to c:\...

But right now, I need to bypass this rc.conf....
It stops and I could not do anything... Last time this happened, I ended up
re-installing the entire FreeBSD for a single mistyping.... Please help

++++++++++++++++++++++++++++++++++++++++++++++++++
"The instructions said to use Windows 98 or better,
so I installed FreeBSD... It is working now!..."
++++++++++++++++++++++++++++++++++++++++++++++++++
Johnny Dang
Senior Network Engineer/MCSE + Internet

From owner-freebsd-ipfw Thu Mar 8 16:18:16 2001
From: John Prince
To: FREEBSD-IPFW@FreeBSD.ORG, johnny.dang@johnnydang.net
Subject: Re: Need Help SOS
Date: Thu, 8 Mar 2001 18:14:04 -0600 (CST)
Message-Id: <200103090014.f290E4982180@mail.knight-trosoft.com>

Try boot -s ??

--john

> From owner-freebsd-ipfw@FreeBSD.ORG Thu Mar 8 15:18:21 2001
> Date: Thu, 8 Mar 2001 16:23:53 -0500 (EST)
> From: Johnny Dang
> To: FreeBSD IpFW
> Subject: Need Help SOS
>
> Somehow, I mistyped the rc.conf and it is stuck right now. How do I boot
> with a floppy to edit or, let's say, copy some file from the /dev/whatever to
> a floppy? This will help me at this time but also later for another
> problem: I want my boss to feel the power of FreeBSD... I want to install
> FreeBSD on his PC... The problem is he needs NT to check his mail
> (Exchange) and the Group Calendar (Exchange). I will have to dual boot,
> NT and FreeBSD. There are several web sites that show how to copy the
> bootsec.bsd to a small partition so that he can use the NT Boot loader. I
> will have to install FreeBSD to boot from the / partition (not the
> MBR)... As a result, I need to boot to FreeBSD and copy that 512 Magic
> file to c:\...
>
> But right now, I need to bypass this rc.conf.... It stops and I could not
> do anything... Last time this happened, I ended up re-installing the entire
> FreeBSD for a single mistyping.... Please help
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> "The instructions said to use Windows 98 or better,
> so I installed FreeBSD... It is working now!..."
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> Johnny Dang
> Senior Network Engineer/MCSE + Internet

From owner-freebsd-ipfw Fri Mar 9 16:24:31 2001
From: "Patrick Bihan-Faou"
Subject: interface specification extension for ipfw
Date: Fri, 9 Mar 2001 19:25:49 -0500
Hi,

I am currently building a firewall using ipfw, and I am facing a small issue.
In order to group my rules in some meaningful way (to me), the first thing I
do is split the packets per interface. Depending on the recv interface, I go
to a different region of the ruleset using "skipto".

Now, according to the ipfw man page, packets generated by or destined to the
local host will not have recv or xmit interface information respectively.
This makes it a bit difficult to separate the traffic for the localhost from
the rest. In order to make this easy, being able to specify the interface in a
negative way would be required:

    ipfw count from any to any in recv !any

Alternatively, using a separate interface keyword to identify the locally
generated or destined packets would be nice too, although it would be a bit
less powerful than the negation (the keyword would only be equivalent to
"!any" and it would not allow something like "!ed0").

Now is something like this already implemented (in that case I guess it is
undocumented), or is it something that people (beside me) would find useful?

Patrick.
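The per-interface skipto dispatch described in this post, as an added example that is not part of the post or of ipfw: a small Python model of rule evaluation by receive interface, in which the proposed `recv !any` qualifier is treated as matching exactly the packets that carry no receive interface. The interface names ed0/xl0 and the region numbers are assumed for illustration.

```python
"""Toy model of the per-interface skipto dispatch described in the post.

Added example, not code from ipfw or from the poster. It models only what the
post discusses: rule numbers, the recv qualifier, skipto/allow/deny/count, and
packets that carry no receive interface (locally generated ones). The
"recv !any" qualifier is the syntax the post proposes, not one ipfw accepts;
here it is modelled as matching exactly the packets with no receive interface.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "skipto", "allow", "deny" or "count"
    recv: Optional[str] = None    # None = no recv qualifier; "any", "!any" or a name
    target: Optional[int] = None  # skipto destination rule number


@dataclass(frozen=True)
class Packet:
    recv: Optional[str]           # receive interface; None if locally generated


def recv_matches(rule: Rule, pkt: Packet) -> bool:
    """Does the rule's recv qualifier accept this packet?"""
    if rule.recv is None:
        return True                       # no qualifier: every packet matches
    if rule.recv == "any":
        return pkt.recv is not None       # "any" needs some receive interface
    if rule.recv == "!any":
        return pkt.recv is None           # proposed negation: no receive interface
    return pkt.recv == rule.recv


def evaluate(rules: List[Rule], pkt: Packet) -> List[int]:
    """Return the numbers of the rules that matched, in order, until allow/deny.

    skipto continues at the first rule numbered >= its target, count keeps
    going, allow and deny end the walk. Falling off the end returns what was
    visited (ipfw's default rule would decide at that point).
    """
    ordered = sorted(rules, key=lambda r: r.number)
    visited: List[int] = []
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if not recv_matches(rule, pkt):
            i += 1
            continue
        visited.append(rule.number)
        if rule.action in ("allow", "deny"):
            break
        if rule.action == "skipto":
            i = next((j for j, r in enumerate(ordered) if r.number >= rule.target),
                     len(ordered))
        else:
            i += 1
    return visited


# Dispatch block in the style of the post, for an assumed host with ed0 and xl0
# in use: region 1000 handles ed0 traffic, 2000 handles xl0, 3000 handles the
# host's own traffic, and anything else (an interface not listed) is denied.
# The regions are stood in for by a single allow so the walk has an end.
WITH_NEGATION = [
    Rule(10, "skipto", recv="ed0", target=1000),
    Rule(20, "skipto", recv="xl0", target=2000),
    Rule(30, "skipto", recv="!any", target=3000),
    Rule(40, "deny"),
    Rule(1000, "allow"), Rule(2000, "allow"), Rule(3000, "allow"),
]

# The same block without the proposed negation: the host's own traffic has
# nowhere to go and hits the catch-all deny, which is the problem raised.
WITHOUT_NEGATION = [r for r in WITH_NEGATION if r.recv != "!any"]


if __name__ == "__main__":
    for pkt in (Packet("ed0"), Packet("xl0"), Packet("ed1"), Packet(None)):
        print(pkt, evaluate(WITH_NEGATION, pkt), evaluate(WITHOUT_NEGATION, pkt))
```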
From owner-freebsd-ipfw Fri Mar 9 18:22:16 2001
From: Bill Fumerola
To: Patrick Bihan-Faou
Cc: freebsd-ipfw@freebsd.org
Subject: Re: interface specification extension for ipfw
Date: Fri, 9 Mar 2001 20:22:04 -0600
Message-ID: <20010309202204.Y31752@elvis.mu.org>

On Fri, Mar 09, 2001 at 07:25:49PM -0500, Patrick Bihan-Faou wrote:

> I am currently building a firewall using ipfw, and I am facing a small
> issue. In order to group my rules in some meaningful way (to me), the first
> thing I do is split the packets per interface. Depending on the recv
> interface, I go to a different region of the ruleset using "skipto".
> Now, according to the ipfw man page, packets generated by or destined to the
> local host will not have recv or xmit interface information respectively.

I'm working on interface specific ipfw lists already. Once I can get a
-current kernel that doesn't lock my test box solid after being booted for 5
minutes maybe I'll even be able to continue work.

--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-ipfw Fri Mar 9 21:56:59 2001
From: "Patrick Bihan-Faou"
To: "Bill Fumerola"
Subject: RE: interface specification extension for ipfw
Date: Sat, 10 Mar 2001 00:58:21 -0500
In-Reply-To: <20010309202204.Y31752@elvis.mu.org>

Hi Bill,

> I'm working on interface specific ipfw lists already. Once I can get a
> -current kernel that doesn't lock my test box solid after being booted for
> 5 minutes maybe I'll even be able to continue work.

I guess that what you are working on is more or less what I am trying to
implement using the various skipto's. As my needs are fairly urgent, I'll just
hack a "local" interface name that will match packets originating from/destined
to the local host (basically the !any case).

When you get around to doing your changes, let me know and I'll happily test
it (on RELENG_4 though).

Patrick.
From owner-freebsd-ipfw Fri Mar 9 22:33:28 2001
From: Bill Fumerola
To: Patrick Bihan-Faou
Cc: freebsd-ipfw@freebsd.org
Subject: Re: interface specification extension for ipfw
Date: Sat, 10 Mar 2001 00:33:16 -0600
Message-ID: <20010310003316.Z31752@elvis.mu.org>
References: <20010309202204.Y31752@elvis.mu.org>

On Sat, Mar 10, 2001 at 12:58:21AM -0500, Patrick Bihan-Faou wrote:

> As my needs are fairly urgent, I'll just hack a "local" interface name that
> will match packets originating from/destined to the local host (basically
> the !any case).

you mean like the 'me' keyword that phk committed recently?

--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-ipfw Fri Mar 9 23:35:18 2001
From: "Crist J. Clark"
To: Patrick Bihan-Faou
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: interface specification extension for ipfw
Date: Fri, 9 Mar 2001 23:35:05 -0800
Message-ID: <20010309233505.B50418@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu

On Fri, Mar 09, 2001 at 07:25:49PM -0500, Patrick Bihan-Faou wrote:

> Hi,
>
> I am currently building a firewall using ipfw, and I am facing a small
> issue. In order to group my rules in some meaningful way (to me), the first
> thing I do is split the packets per interface. Depending on the recv
> interface, I go to a different region of the ruleset using "skipto".
> Now, according to the ipfw man page, packets generated by or destined to the
> local host will not have recv or xmit interface information respectively.
>
> This makes it a bit difficult to separate the traffic for the localhost from
> the rest.

Well, you said you want to group traffic by recv interface. I don't see what is
tough about that. If you have three interfaces, if[012],

    01000 skipto 20000 ip from any to any recv if0
    01100 skipto 30000 ip from any to any recv if1
    01200 skipto 40000 ip from any to any recv if2
    10000 [start of rules for traffic generated by this host]

Anything that is not passed by these three is traffic that was not received by
any interface, i.e. traffic generated by the machine.

Now, the second problem, separating traffic _to_ the host. Trying to use
interface information to figure out which traffic is destined for this host is
kind of awkward. How does the machine figure out which interface the packet
would (or would not) go to? It checks the IP address of the datagram and then
looks at the routing table. Why don't you take the more direct approach and
just check the destination IP of the datagram to determine what is meant for
this host?

--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-ipfw Sat Mar 10 7:18:36 2001
From: "Patrick Bihan-Faou"
To: "Bill Fumerola"
Subject: RE: interface specification extension for ipfw
Date: Sat, 10 Mar 2001 10:19:57 -0500
In-Reply-To: <20010310003316.Z31752@elvis.mu.org>

> > As my needs are fairly urgent, I'll just hack a "local" interface name that
> > will match packets originating from/destined to the local host (basically
> > the !any case).
>
> you mean like the 'me' keyword that phk committed recently?

Humm I saw these commits and I am using the "me" keyword. My understanding was
that it matches IP addresses not interfaces. Did I miss something? Can I write:

    ipfw count ip from any to any in recv me

Patrick.

From owner-freebsd-ipfw Sat Mar 10 7:32:27 2001
From: "Patrick Bihan-Faou"
Subject: RE: interface specification extension for ipfw
Date: Sat, 10 Mar 2001 10:33:41 -0500
In-Reply-To: <20010309233505.B50418@rfx-216-196-73-168.users.reflex>

Hi,

> Well, you said you want to group traffic by recv interface. I don't
> see what is tough about that. If you have three interfaces, if[012],
>
> 01000 skipto 20000 ip from any to any recv if0
> 01100 skipto 30000 ip from any to any recv if1
> 01200 skipto 40000 ip from any to any recv if2
> 10000 [start of rules for traffic generated by this host]
>
> Anything that is not passed by these three is traffic that was not
> received by any interface, i.e. traffic generated by the machine.

This is the type of scheme I use currently. However it forces me to look at
the traffic on all the other interfaces first. In my specific application, it
is not really practical to have an exhaustive list of interfaces when the
rules are generated. Some of them may be "logically" out of service and thus
completely ignored. My goal was to implement something like:

    [ host with ed0 ed1 xl0 xl1 ]
    10 skipto 1000 ip from any to any in recv ed0
    20 skipto 2000 ip from any to any in recv xl0
    30 skipto 3000 ip from any to any in recv local
    40 deny ip from any to any

Where the last rule of that block rejects traffic on interfaces I don't want
to use for now (in this case ed1 and xl1).

> Now, the second problem, separating traffic _to_ the host. Trying to
> use interface information to figure out which traffic is destined for
> this host is kind of awkward. How does the machine figure out which
> interface the packet would (or would not) go to? It checks the IP
> address of the datagram and then looks at the routing table. Why don't
> you take the more direct approach and just check the destination IP of
> the datagram to determine what is meant for this host?

Well the ipfw man page clearly indicates that on the second pass, the xmit
interface contains information on where the packet is going. In case of
packets destined TO the host, there is no xmit interface.

Again, I find that this is quite a nice feature, if it can be exploited in the
firewall rule set in a non-awkward way.

I am not ignoring your argument about testing the IP address, but again this
is not always the practical solution: you either need to specify all known IP
addresses for that host, or you can use the new "me" keyword. However this is
more expensive than testing an interface specification. The interface
information is already resolved by the IP stack, and pretty much represents a
more or less equivalent information to the "me" keyword for IP addresses.

One thing I am still not clear about is: does the "me" keyword also match
broadcast packets? Say if my IP is 192.168.1.1/24, does me match
192.168.1.255? What about 255.255.255.255? My feeling is NO, but I may be
wrong.

Patrick.

From owner-freebsd-ipfw Sat Mar 10 9:28:19 2001
From: "Patrick Bihan-Faou"
Subject: RE: interface specification extension for ipfw
Date: Sat, 10 Mar 2001 12:29:39 -0500
In-Reply-To:
  <20010309233505.B50418@rfx-216-196-73-168.users.reflex>

OK, I have done a couple of experiments, and now I am confused. The statement
in the manpage (regarding whether or not the interface information is set)
seems to be incorrect.

    00001 483 113807 count ip from any to any
    00002 245 17088 count ip from any to any in
    00003 25 3887 count ip from any to any in recv rl0
    00004 218 12895 count ip from any to any in recv rl1
    00005 2 306 count ip from any to any in recv lo0
    00006 245 17088 count ip from any to any in recv any
    00007 238 96719 count ip from any to any out
    00008 22 3536 count ip from any to any out recv rl0
    00009 23 1166 count ip from any to any out recv rl1
    00010 0 0 count ip from any to any out recv lo0
    00011 45 4702 count ip from any to any out recv any
    00012 25 1309 count ip from any to any out xmit rl0
    00013 211 95104 count ip from any to any out xmit rl1
    00014 2 306 count ip from any to any out xmit lo0
    00015 238 96719 count ip from any to any out xmit any
    00016 0 0 count ip from any to any out recv rl0 xmit rl0
    00017 22 3536 count ip from any to any out recv rl0 xmit rl1
    00018 0 0 count ip from any to any out recv rl0 xmit lo0
    00019 22 3536 count ip from any to any out recv rl0 xmit any
    00020 23 1166 count ip from any to any out recv rl1 xmit rl0
    00021 0 0 count ip from any to any out recv rl1 xmit rl1
    00022 0 0 count ip from any to any out recv rl1 xmit lo0
    00023 23 1166 count ip from any to any out recv rl1 xmit any
    00024 0 0 count ip from any to any out recv lo0 xmit rl0
    00025 0 0 count ip from any to any out recv lo0 xmit rl1
    00026 0 0 count ip from any to any out recv lo0 xmit lo0
    00027 0 0 count ip from any to any out recv lo0 xmit any
    00028 23 1166 count ip from any to any out recv any xmit rl0
    00029 22 3536 count ip from any to any out recv any xmit rl1
    00030 0 0 count ip from any to any out recv any xmit lo0
    00031 45 4702 count ip from any to any out recv any xmit any

These traces seem to suggest that no packets are ever passed to the firewall
rules without proper interface information. I certainly cannot confirm that
the following statement is valid in a reliable way:

    A packet may not have a receive or transmit interface: packets
    originating from the local host have no receive interface, while
    packets destined for the local host have no transmit interface.

For rules with the "in" keyword, I cannot find any packet that doesn't have
the "recv" interface information set (count for rule #2 == #6 == #3 + #4 +
#5). For rules with the "out" keyword, the xmit interface is also always
indicated (#7 == #15 == #12 + #13 + #14). However rules with the "out" keyword
may lose the "recv" interface information (#7 != #11).

I first thought that maybe the diversion to natd was causing this (not shown
in the above snippet), but the number of packets that have been diverted is
equal to the number of packets that have "recv" interface information with
the "out" keyword (rule #11).

The test traffic included pings from the host, going through the host (this
is my router to the internet), from the host to the host itself.

I am getting increasingly confused with all of this, and any word of wisdom
would be greatly appreciated. Specifically:

- is it possible to have no "recv" interface with the "in" keyword?
- what makes the "recv" interface information unavailable for "out" rules?

Could it be that locally generated packets are never subjected to the "in"
rules?

Thanks in advance!

Patrick.
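An added example, not part of Patrick's post or of ipfw: a Python script that parses the counter table above and re-derives the relationships he checks by rule number (in-recv totals, out-xmit totals, and the out packets that carry no recv interface), so the same check can be re-run on fresh `ipfw show` output. It assumes every rule has the `count ip from any to any` form shown.

```python
"""Re-check the counter relationships the post works out by rule number.

Added example, not from the post or from ipfw. IPFW_SHOW is the table posted in
the thread; paste fresh "ipfw show" output there to re-run. Assumes every rule
is "count ip from any to any" with optional in/out, recv and xmit qualifiers.
"""
import re
from typing import Dict, List, Optional, Tuple

IPFW_SHOW = """\
00001 483 113807 count ip from any to any
00002 245 17088 count ip from any to any in
00003 25 3887 count ip from any to any in recv rl0
00004 218 12895 count ip from any to any in recv rl1
00005 2 306 count ip from any to any in recv lo0
00006 245 17088 count ip from any to any in recv any
00007 238 96719 count ip from any to any out
00008 22 3536 count ip from any to any out recv rl0
00009 23 1166 count ip from any to any out recv rl1
00010 0 0 count ip from any to any out recv lo0
00011 45 4702 count ip from any to any out recv any
00012 25 1309 count ip from any to any out xmit rl0
00013 211 95104 count ip from any to any out xmit rl1
00014 2 306 count ip from any to any out xmit lo0
00015 238 96719 count ip from any to any out xmit any
00016 0 0 count ip from any to any out recv rl0 xmit rl0
00017 22 3536 count ip from any to any out recv rl0 xmit rl1
00018 0 0 count ip from any to any out recv rl0 xmit lo0
00019 22 3536 count ip from any to any out recv rl0 xmit any
00020 23 1166 count ip from any to any out recv rl1 xmit rl0
00021 0 0 count ip from any to any out recv rl1 xmit rl1
00022 0 0 count ip from any to any out recv rl1 xmit lo0
00023 23 1166 count ip from any to any out recv rl1 xmit any
00024 0 0 count ip from any to any out recv lo0 xmit rl0
00025 0 0 count ip from any to any out recv lo0 xmit rl1
00026 0 0 count ip from any to any out recv lo0 xmit lo0
00027 0 0 count ip from any to any out recv lo0 xmit any
00028 23 1166 count ip from any to any out recv any xmit rl0
00029 22 3536 count ip from any to any out recv any xmit rl1
00030 0 0 count ip from any to any out recv any xmit lo0
00031 45 4702 count ip from any to any out recv any xmit any
"""

# (direction, recv, xmit); None where that qualifier is absent from the rule.
Key = Tuple[Optional[str], Optional[str], Optional[str]]
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+count ip from any to any(.*)$")


def parse_counters(text: str) -> Dict[Key, int]:
    """Map each rule's qualifier set to its packet counter."""
    counters: Dict[Key, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        direction = recv = xmit = None
        toks = iter(m.group(4).split())
        for tok in toks:
            if tok in ("in", "out"):
                direction = tok
            elif tok == "recv":
                recv = next(toks)
            elif tok == "xmit":
                xmit = next(toks)
        counters[(direction, recv, xmit)] = int(m.group(2))
    return counters


def interfaces(counters: Dict[Key, int]) -> List[str]:
    """Interface names used in recv/xmit qualifiers, "any" excluded."""
    names = {k[1] for k in counters} | {k[2] for k in counters}
    return sorted(n for n in names if n not in (None, "any"))


def without_interface(counters: Dict[Key, int], direction: str, which: str) -> int:
    """Packets matched by the bare in/out rule but not by "recv any"/"xmit any",
    i.e. packets in that direction that reached ipfw with no such interface."""
    key = (direction, "any", None) if which == "recv" else (direction, None, "any")
    return counters[(direction, None, None)] - counters[key]


def per_interface_sum_matches(counters: Dict[Key, int], direction: str, which: str) -> bool:
    """Does the sum over the named interfaces equal the matching "any" rule?"""
    if which == "recv":
        parts = sum(counters[(direction, i, None)] for i in interfaces(counters))
        return parts == counters[(direction, "any", None)]
    parts = sum(counters[(direction, None, i)] for i in interfaces(counters))
    return parts == counters[(direction, None, "any")]


def report(counters: Dict[Key, int]) -> Dict[str, object]:
    """The post's checks (#2 == #6 == #3 + #4 + #5, #7 == #15, #7 != #11, ...)."""
    return {
        "total == in + out": counters[(None, None, None)]
        == counters[("in", None, None)] + counters[("out", None, None)],
        "in without recv": without_interface(counters, "in", "recv"),
        "out without xmit": without_interface(counters, "out", "xmit"),
        "out without recv": without_interface(counters, "out", "recv"),
        "in recv sums match": per_interface_sum_matches(counters, "in", "recv"),
        "out xmit sums match": per_interface_sum_matches(counters, "out", "xmit"),
        "out recv sums match": per_interface_sum_matches(counters, "out", "recv"),
    }
```

On the posted table, `report` shows 0 in-packets without a recv interface, 0 out-packets without an xmit interface, and 193 out-packets (238 - 45) without a recv interface, which is the gap Patrick notices between rules #7 and #11.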
From owner-freebsd-ipfw Sat Mar 10 9:31:38 2001
From: "Rodney W. Grimes"
To: patrick@netzuno.com (Patrick Bihan-Faou)
Cc: billf@mu.org (Bill Fumerola), freebsd-ipfw@FreeBSD.ORG
Subject: Re: interface specification extension for ipfw
Date: Sat, 10 Mar 2001 09:31:25 -0800 (PST)
Message-Id: <200103101731.JAA33577@gndrsh.dnsmgr.net>
In-Reply-To: from Patrick Bihan-Faou at "Mar 10, 2001 10:19:57 am"

> > > As my needs are fairly urgent, I'll just hack a "local" interface name that
> > > will match packets originating from/destined to the local host (basically
> > > the !any case).
> >
> > you mean like the 'me' keyword that phk committed recently?
>
> Humm I saw these commits and I am using the "me" keyword. My understanding
> was that it matches IP addresses not interfaces. Did I miss something? Can
> I write:
>
> ipfw count ip from any to any in recv me

No, but it should be trivial to patch the code to allow your !any, if you
consider that !any is the same as =null:

    ipfw count ip from any to any in recv null

Ie, the recv keyword looks at the ifp in the mbuf, the ifp will be null for
packets originated on the local machine. IIRC similar logic can be applied to
xmit.
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Sat Mar 10 10:59:19 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from femail2.rdc1.on.home.com (femail2.rdc1.on.home.com [24.2.9.89]) by hub.freebsd.org (Postfix) with ESMTP id 6EE0F37B719 for ; Sat, 10 Mar 2001 10:59:13 -0800 (PST) (envelope-from dennisjun@home.com)
Received: from wilma ([24.114.163.66]) by femail2.rdc1.on.home.com (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010310185905.WEQA606.femail2.rdc1.on.home.com@wilma> for ; Sat, 10 Mar 2001 10:59:05 -0800
Message-ID: <001101c0a994$32005370$0300a8c0@wilma>
From: "Dennis Jun"
To:
Subject: proftpd and uid/gid based filtering
Date: Sat, 10 Mar 2001 13:59:12 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello all!

I'm having some trouble getting proftpd to run child processes as something other than root. Actually, it sort of does but I'm not sure. I'm running proftpd 1.2.1 on FreeBSD 4.2-STABLE.

When I do a ps and a sockstat, it appears proftpd has switched to the correct user:

    ~$ ps auxw | grep proftp
    nobody   239  0.0  1.8  1320  524  ??  Is   16Jan94  1:50.82 proftpd: proftpd (accepting connections) (proftpd)
    ftp     4169  0.0  3.3  1360  980  ??  I     1:31PM  0:00.21 proftpd: proftpd: ftp - 192.168.0.3: anonymous: IDLE (proftpd)

    ~$ sockstat -4 | grep proftp
    ftp      proftpd    4169    0 tcp4   192.168.0.1.21     192.168.0.3.2350
    ftp      proftpd    4169    1 tcp4   192.168.0.1.21     192.168.0.3.2350
    nobody   proftpd     239    0 tcp4   *.21               *.*

However, when I do a top, under "USERNAME" it is root:

      239 root     2   0  1320K   524K select   1:51  0.00%  0.00% proftpd
     4169 root     2   0  1360K   980K select   0:00  0.00%  0.00% proftpd

My problem is, when I try to use FreeBSD's firewall (ipfw) user id (UID) based filtering, it recognises the owner of the processes as root and not as ftp. Can anyone shed some light or provide an alternative solution? (Please e-mail me directly as well because I'm not on the list. Thanx.)

Furthermore, I've tried changing the user/group directives in proftpd.conf to root/wheel from nobody/nogroup, but I get the exact same result. I have thought about running it from the ftp account, however I'd to use port 21 and have access to the shadow passwords.

Here's the pam.conf if it helps:

    ~$ cat /etc/pam.conf | grep ftp
    ftp     auth     required    pam_unix.so    try_first_pass
    ftp     account  required    pam_unix.so    try_first_pass

BTW, ftp is obviously an anonymous account.

I have included my proftpd.conf file as well:

    ~$ cat /usr/local/etc/proftpd.conf
    #
    # To have more information about Proftpd configuration
    # look at : http://www.proftpd.org/
    #
    # This is a basic ProFTPD configuration file (rename it to
    # 'proftpd.conf' for actual use). It establishes a single server
    # and a single anonymous login. It assumes that you have a user/group
    # "nobody" and "ftp" for normal operation and anon.

    ServerName          "Cappy's Personal FTP Server"
    ServerType          standalone
    DefaultServer       on
    ServerIdent         off
    # RateReadBPS       30000
    UseReverseDNS       off

    # Port 21 is the standard FTP port.
    Port                21

    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask               022

    # To prevent DoS attacks, set the maximum number of child processes
    # to 30. If you need to allow more than 30 concurrent connections
    # at once, simply increase this value. Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances        60

    # Set the user and group that the server normally runs at.
    User                nobody
    Group               nogroup

    # Normally, we want files to be overwriteable.
    AllowOverwrite      on

    DenyAll

    #########################################################################
    #                                                                       #
    # Uncomment lines with only one # to allow basic anonymous access       #
    #                                                                       #
    #########################################################################

    ### A basic anonymous configuration, no upload directories.
    AllowAll
    User                ftp
    Group               operator

    ### We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias           friends ftp
    AllowForeignAddress on
    AnonRequirePassword on

    ### Limit the maximum number of anonymous logins
    MaxClients          30
    MaxClientsPerHost   5

    ### It is wise when making an 'ftp' user that you either block its
    ### ability to login either via /etc/login.access or by giving it
    ### an invalid shell.
    ### Uncomment this if the 'ftp' user you made has an invalid shell
    RequireValidShell   off

    ### We want 'welcome.msg' displayed at login, and '.message' displayed
    ### in each newly chdired directory.
    DisplayLogin        welcome.msg
    # DisplayFirstChdir .message

    ### Limit WRITE everywhere in the anonymous chroot
    DenyAll
    AllowAll
    HideNoAccess