From owner-freebsd-ipfw Mon Apr 23 7:53:15 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from spiv.fnal.gov (spiv.fnal.gov [131.225.124.126]) by hub.freebsd.org (Postfix) with ESMTP id 74D1037B423 for ; Mon, 23 Apr 2001 07:53:12 -0700 (PDT) (envelope-from neswold@spiv.fnal.gov)
Received: (from neswold@localhost) by spiv.fnal.gov (8.9.3/8.9.3) id JAA81627; Mon, 23 Apr 2001 09:53:09 -0500 (CDT) (envelope-from neswold)
Date: Mon, 23 Apr 2001 09:53:09 -0500
From: Rich Neswold
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Protecting IPFW kernel variables...
Message-ID: <20010423095308.A81556@spiv.fnal.gov>
Reply-To: neswold@fnal.gov
References: <20010418113053.A34196@spiv.fnal.gov> <200104181831.UAA49728@info.iet.unipi.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200104181831.UAA49728@info.iet.unipi.it>; from luigi@info.iet.unipi.it on Wed, Apr 18, 2001 at 08:31:45PM +0200
Organization: Fermi National Accelerator Laboratory
X-PGP-RSAfprint: 0A C8 A5 76 DF 8E E1 B3 F3 97 BE 73 DA CD 4B C9
X-PGP-RSAkey: ftp://ftp.mcs.net/mcsnet.users/rneswold/pub.key
X-Operating-System: FreeBSD 3.4-STABLE
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

If memory serves, didn't Luigi Rizzo say:
> > I noticed, however, that even at this secure level, I can still open my
> > firewall by using sysctl!
> >
> > The following patch corrects this:
>
> i think it is a bit late for 4.3 also given that CTLFLAG_SECURE is not
> used anywhere.

If the kernel secure level is >= 0, then my patch would also prevent the
system administrator from turning on the firewall (provided it was off
before increasing the kernel secure level.) I'm going to upgrade my systems
to 4.3 and try this patch out for a while before committing it.
--
Rich
------------------------------------------------------------------------
Richard Neswold, Beams Division / Controls Dept | neswold@fnal.gov
Fermilab, PO Box 500, MS 360, Batavia, IL 60510 | voice 1.630.840.3454
                                                | fax 1.630.840.3093

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Apr 27 16:21:54 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from electra.cc.umanitoba.ca (electra.cc.umanitoba.ca [130.179.16.23]) by hub.freebsd.org (Postfix) with ESMTP id D7D7D37B422 for ; Fri, 27 Apr 2001 16:21:46 -0700 (PDT) (envelope-from ummacius@cc.UManitoba.CA)
Received: from workhorse (24-109-3-10.ivideon.com [24.109.3.10]) by electra.cc.umanitoba.ca (8.9.0/8.9.0) with SMTP id SAA10535 ; Fri, 27 Apr 2001 18:21:45 -0500 (CDT)
Message-ID: <005601c0cf70$bc1edd40$0200a8c0@workhorse>
From: "Maciuszonek Artur"
To: ,
Subject: outlook express, ipx and ftp :)
Date: Fri, 27 Apr 2001 18:20:35 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Well I have read and read, searched and searched but I guess it's time to
consult the experts :) Please reply to me directly for I am not subscribed
to this group.

Here is the dilemma: I have set up a firewall/router and have recompiled
the kernel for ipfw and natd. Here is my current setup:

=> cable modem => ep1 (external nic 24.109.xxx.xxx) **router/firewall**
ep0 (internal nic 192.168.xxx.xxx) <=> HUB <=> 192.168.xxx.xxx Computer (Win ME)
<=> 192.168.xxx.xxx Laptop (Win 2000)

What I am having problems with is that on the main computer on the subnet
I am unable to use Outlook Express to view newsgroups. I can surf the web,
download files, I can use napster, ICQ.
I have read the man pages for ipfw but I'm still at a loss. The error
message I receive is:

Server cannot be found:
Configuration:
Account: news
Server: news
Protocol: NNTP
Port: 119
Secure(SSL): 0
Code: 800ccc0d

I added the line in the rc.firewall.current (see below) after the rule for
ssh (port 22) but without any luck.

$fwcmd add allow tcp from any 119 to any 119 setup

I have looked through /etc/protocols but none are listed for NNTP......:(

I also would like to be able to let IPX through the firewall to the outside
and let it back in. Again there is no listing for IPX in /etc/protocols :(

The same goes for access to an ftp server that is on the main computer in
the internal subnet. The server is on port 27015. Again I have tried to use

add allow tcp from any 27015 to any 27015 setup
add allow ipx-in-ip from any to any setup

and again no luck.

I have also modified

# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif

from deny to allow in order for the internal network to be able to access
the outside. Does this pose any security issues?

Hmm sorry about the lengthy e-mail but I hope someone will help me tackle
this problem.

#!/bin/sh
############################################################
# Simple stateful network firewall rules for IPFW with NAT v. 1.01
# See bottom of file for instructions and description of rules
# Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
# deal of help from freebsd-security@freebsd.org). Specific questions
# about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
# more general security questions to freebsd-security@freebsd.org.
# Use this script at your own risk.
#
# if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
# calculator can help you:
# /usr/ports/net/ipsc-0.4.2
#
###########################
#
# Brief Installation instructions
#
# Name this script /etc/rc.firewall.current
# Edit /etc/rc.conf to include
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_script="/etc/rc.firewall.current"
#   natd_enable="YES"
#   natd_interface="***"      # replace with your external ifX
#   natd_flags="-dynamic"
# Make sure your kernel is configured to handle ipfw and natd
# See the FreeBSD handbook on how to do this.
#
############################
#
# Define your variables
#
fwcmd="/sbin/ipfw"      # leave as is if using ipfw
oif="oifx"              # set to outside interface name
onwr="a.b.c.d/24"       # set to outside network range
oip="a.b.c.d"           # set to outside ip address
iif="ifx"               # set to internal interface name
inwr="x.y.z.x/24"       # set to internal network range
iip="x.y.z.x"           # set to internal ip address
ns1="e.f.g.h"           # set to primary name server, best if = oif
#ntp="i.j.k.l"          # set to ip of NTP server or leave as is
#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow tcp from any to $oip 22 setup
#
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh enabled by default.
#  21:ftp
#  22:ssh enabled by default
#  23:telnet
#  25:smtp
# 110:pop
# 143:imap
#  80:http
# 443:ssl
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any 53 to $ns1 53
#
# Allow time update traffic
# $fwcmd add allow udp from $ntp 123 to $oip 123
#
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

From owner-freebsd-ipfw Sat Apr 28 5:47:29 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from relay.planetinternet.be (relay.planetinternet.be [194.119.232.24]) by hub.freebsd.org (Postfix) with ESMTP id 5FA1A37B422 for ; Sat, 28 Apr 2001 05:47:26 -0700 (PDT) (envelope-from voutah@detroit.org)
Received: from c1041 (matrix.staf.planetinternet.be [194.119.237.2]) by relay.planetinternet.be (8.11.2/8.9.3) with SMTP id f3SClOD30602 for ; Sat, 28 Apr 2001 14:47:24 +0200
Message-ID: <001601c0cfe0$fdea7980$0101010a@ccc.planetinternet.be>
From: "Wouter Cuypers"
To:
Subject: VNC howto
Date: Sat, 28 Apr 2001 14:44:40 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0013_01C0CFF1.C15958E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

How do I get VNC through my ipfw firewall? Is this a secure connection?
I have tried VNC on the internal LAN but I'm a little curious about the
performance over the internet. My upload is limited to 16kb/s, will this
be enough or just frustrating?

Voutah
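As an added illustration for Maciuszonek Artur's ipfw question above (this is editor-supplied example code, not from either poster and not from the FreeBSD ipfw sources): a small first-match simulator in Python over a constructed subset of the posted rc.firewall.current, with the script's placeholders filled in as assumed values (ep1 outside nic, ep0 inside nic, 192.168.1.0/24 LAN, 24.109.3.10 outside address; the natd divert and check-state lines are left out). It shows that ipfw reads "from any 119" as a source port, so the added NNTP rule never sees the client's SYN, which leaves from an ephemeral port, while the script's existing keep-state rule on the inside interface already matches that SYN.

```python
import ipaddress
import re

# Constructed subset of the posted script with assumed values filled in; rules
# are tried in order and the first hit decides, as ipfw does.
RULES = [
    "deny log ip from 192.168.1.0/24 to any in via ep1",
    "deny log ip from not 192.168.1.0/24 to any in via ep0",
    "allow tcp from any to any established",
    "allow tcp from any to 24.109.3.10 22 setup",
    "allow tcp from any 119 to any 119 setup",       # the NNTP rule the poster added
    "allow ip from 192.168.1.0/24 to any keep-state via ep0",
    "deny log ip from any to any",
]
# action [log] proto from [not] addr [ports] to [not] addr [ports] options...
RULE = re.compile(r"(allow|deny)(?: log)? (\S+) from (not )?(\S+)( [\d,]+)? "
                  r"to (not )?(\S+)( [\d,]+)?(.*)")

def matches(rule, pkt):
    """True if this rule matches pkt (a dict describing one packet)."""
    _action, proto, nsrc, src, sp, ndst, dst, dp, rest = RULE.fullmatch(rule).groups()
    opts = rest.split()
    def addr(neg, spec, ip):   # 'any', a host or a CIDR block; 'not' inverts
        hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
        return hit != bool(neg)
    def port(spec, p):         # port list after the address, e.g. "22,25,110"
        return spec is None or p in {int(x) for x in spec.split(",")}
    return (proto in ("ip", "all", pkt["proto"])
            and addr(nsrc, src, pkt["src"]) and port(sp, pkt["sport"])
            and addr(ndst, dst, pkt["dst"]) and port(dp, pkt["dport"])
            and ("in" not in opts or pkt["dir"] == "in")
            and ("out" not in opts or pkt["dir"] == "out")
            and ("via" not in opts or opts[opts.index("via") + 1] == pkt["iface"])
            and ("setup" not in opts or pkt["syn"])          # setup = SYN only
            and ("established" not in opts or not pkt["syn"]))

def first_match(rules, pkt):
    """Return (rule number, rule text) of the first matching rule, or None."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return n, rule
    return None

# Constructed packet: the Win ME client opening an NNTP connection (a SYN from
# an ephemeral port) to an outside news server, arriving on the inside nic.
NNTP_SYN = {"proto": "tcp", "src": "192.168.1.2", "sport": 1034,
            "dst": "203.0.113.5", "dport": 119, "dir": "in", "iface": "ep0", "syn": True}

if __name__ == "__main__":
    print(first_match(RULES, NNTP_SYN))   # rule 6 (keep-state on ep0), not rule 5
```

Changing the packet's source port to 119 is the only way rule 5 fires, and the same SYN arriving on ep1 with a LAN source address is caught by the anti-spoofing rule 1.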