From owner-freebsd-ipfw Sun Sep 16 7:52:45 2001
From: Cy Schubert - ITSD Open Systems Group
To: freebsd-ipfw@freebsd.org
Subject: Qtfw 0.4 (fwd)
Date: Sun, 16 Sep 2001 07:51:55 -0700
Message-Id: <200109161452.f8GEqMc62754@cwsys.cwsent.com>

This came to me via SECTOOLS.  Someone here might find this useful.

Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
Team Leader, Sun/Alpha Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

------- Forwarded Message

[headers removed]
Date: Sat, 15 Sep 2001 13:40:44 -0600
From: aleph1@securityfocus.com
To: sectools@securityfocus.com
Subject: Qtfw 0.4
Message-ID: <20010915134044.P1818@securityfocus.com>

Qtfw 0.4
by Ryzhyk Eugeney (http://freshmeat.net/users/rzheka/)
Friday, September 14th 2001 04:04

Category: System :: Networking :: Firewalls

About:
Qtfw is a Qt GUI frontend for FreeBSD's ipfw utility.  It helps configure
the firewall in FreeBSD with a nice and comprehensive user interface.  Users
can edit rules in the current list, save rules for future use, configure
kernel sysctl variables, and finally, create a shell script from qtfw rules.

Changes:
Now creates a shell script from ipfw rules; kernel configuration;
significant improvements in the user interface, and different Qt GUI
styles; bug fixes; changed source tree structure; now works with a qtfw
resource file; added some documentation.
License: BSD License

URL: http://freshmeat.net/projects/qtfw/

--
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Sep 19 1:23:39 2001
From: "Vladimir Terziev"
To: freebsd-hackers@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: Problem with IPFW and NATD (also sent to freebsd-net mailing list)
Date: Wed, 19 Sep 2001 11:25:45 +0300
Message-Id: <200109190825.f8J8Pkc09377@star.rila.bg>

Hi,

I have a gateway machine which runs NATD and has the IP packet filter IPFW
with the following rules:

ipfw add 100 allow ip from any to any via lo0
ipfw add 10002 skipto 20000 tcp from 192.168.15.2 to any 21
ipfw add 10003 skipto 20000 tcp from 192.168.15.2 to any 53,6667,6668
ipfw add 10004 skipto 20000 udp from 192.168.15.2 to any 53,4000
ipfw add 11000 deny ip from 192.168.15.0/24 to any
ipfw add 20000 divert natd ip from any to any via an0
ipfw add 63000 allow ip from PUBLIC_IP to any
ipfw add 64000 allow ip from any to PUBLIC_IP
ipfw add 30001 allow tcp from any 21 to 192.168.15.2 established
ipfw add 30002 allow tcp from any 53,6667,6668 to 192.168.15.2 established
ipfw add 30003 allow udp from any 53,4000 to 192.168.15.2
ipfw add 65000 deny ip from any to any

The gateway machine is FreeBSD 4.4-RC and has 2 interfaces (internal, and
external - an0).  I need only one of the machines in the local network to
have connectivity to "the rest of the world".  I've read all the
documentation about ipfw(8), divert(4) and natd(8).  According to it the
above rules should provide what I want, but they don't !!!

Does anybody have an idea why?

regards,
Vladimir

From owner-freebsd-ipfw Sat Sep 22 7:16: 1 2001
From: Chris Hardie
To: freebsd-hackers@freebsd.org,
Subject: net.inet.ip.fw.one_pass=0 not effective in filtering bridge?
Date: Sat, 22 Sep 2001 09:15:54 -0500 (EST)

Hi.  I've got a filtering bridge running on FreeBSD 4.3 with ipfw and
a customized rc.firewall config.  The setup has been working well for
a while now.  I was unfortunately alerted to a hole after a box behind
the firewall was cracked because ports that I thought were
protected...weren't.

It turns out that traffic to/from the machine in question was being
passed through a pipe early in the rc.firewall config, and that the
ipfw processing terminated when the packets came out of the pipe, so
they never saw the rules farther down that would have dropped those
packets headed for bad places.

A-ha!  "Easy" you say - just do

	sysctl -w net.inet.ip.fw.one_pass=0

and according to the ipfw man page, that will cause the packets to be
re-injected into the firewall when they come out of the pipe, starting
where they left off.  Well, this just doesn't seem to be taking
effect!

I've crawled through docs and mailing lists.  Setting
net.inet.ip.fw.one_pass seems to be the common solution, but a few
other people have mentioned the same ineffectiveness of that, and then
those threads just drop off.  So I'm wondering if it's possible that,
because the kernel is compiled with "options BRIDGE", that packets are
strictly only going through the firewall rules once, and that
net.inet.ip.fw.one_pass=0 isn't having an effect in this case?

If my wondering is in error, I'm looking for suggestions about how to
verify the behavior I'm seeing and how to achieve the desired result: to
use pipes AND deny rules that come after.  I'm happy to send along the
particular rules, but wanted to see if the question could be answered
using theory first.

(This message addresses an issue similar to but separate from the "ipfw"
thread on freebsd-questions started by Rick Norman on Sep 18.  I also
posted this message there.)

Any help is much appreciated.

Thanks,
Chris

-- Chris Hardie -----------------------------
----- mailto:chris@summersault.com ----------
-------- http://www.summersault.com/chris/ --

From owner-freebsd-ipfw Sat Sep 22 7:24:34 2001
From: Anders Nordby
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Qtfw 0.4 (fwd)
Date: Sat, 22 Sep 2001 16:24:30 +0200
Message-ID: <20010922162430.A93642@totem.fix.no>
In-Reply-To: <200109161452.f8GEqMc62754@cwsys.cwsent.com>

Hi,

On Sun, Sep 16, 2001 at 07:51:55AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> This came to me via SECTOOLS.  Someone here might find this useful.

FYI qtfw is in ports: ports/security/qtfw.

Cheers,

--
Anders.
"I love deadlines.  I love the whooshing sound they make as they fly by."
- unknown

From owner-freebsd-ipfw Sat Sep 22 8:17:58 2001
From: Luigi Rizzo
To: Chris Hardie
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: net.inet.ip.fw.one_pass=0 not effective in filtering bridge?
Date: Sat, 22 Sep 2001 17:08:20 +0200 (CEST)
Message-Id: <200109221508.RAA66779@info.iet.unipi.it>
In-Reply-To: from Chris Hardie at "Sep 22, 2001 09:15:54 am"

in fact one_pass does not work with bridging,
it might be as simple as changing one line in bridge.c

	if (ip_fw_chk_ptr && bdg_ipfw != 0 && src != NULL) {
	    struct ip *ip ;
	    int i;

-	    if (rule != NULL) /* dummynet packet, already partially processed */
+	    if (rule != NULL && fw_one_pass)
		goto forward; /* HACK! I should obey the fw_one_pass */

but i never had a chance to test it.
If you want to give this a try, I'd be glad to know how it works.

	cheers
	luigi

> Hi.  I've got a filtering bridge running on FreeBSD 4.3 with ipfw and
> a customized rc.firewall config.  The setup has been working well for
> a while now.  I was unfortunately alerted to a hole after a box behind
> the firewall was cracked because ports that I thought were
> protected...weren't.
> [...]
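Review bot: with the `+` line, a dummynet-reinjected packet (`rule != NULL`) now skips the ipfw check only when `fw_one_pass` is set, so the comment on the unchanged context line that follows, `/* HACK! I should obey the fw_one_pass */`, no longer describes a hack and should be dropped or reworded in the same change. Two things the hunk does not show and a test should confirm: that `fw_one_pass` is declared visible in bridge.c, and that when the check falls through, the ip_fw_chk call made through `ip_fw_chk_ptr` is handed `rule` so matching resumes at the rule after the pipe (the "already partially processed" state the old comment refers to) rather than restarting at the first rule, which would feed the packet back into the same pipe.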
From owner-freebsd-ipfw Sat Sep 22 8:58:54 2001
From: Chris Hardie
To: Luigi Rizzo
Cc: freebsd-hackers@FreeBSD.ORG, ,
Subject: Re: net.inet.ip.fw.one_pass=0 not effective in filtering bridge?
Date: Sat, 22 Sep 2001 10:58:28 -0500 (EST)
In-Reply-To: <200109221508.RAA66779@info.iet.unipi.it>

Luigi,

I don't currently have a box I can experiment with, but I'll try to put
something together.  Do you have a sense of how "risky" your proposed
change is?  :)

In any case, I might recommend an update to the dummynet(4) man page that
clarifies this behavior.  These two excerpts:

"When acting as a bridge, the ipfw filter is invoked only once, in the
input path, for bridged packets."

AND

"Depending on the setting of the sysctl variable `net.inet.ip.fw.one_pass',
packets coming from a pipe can be either forwarded to their destination, or
passed again through the ipfw rules, starting from the one after the
matching rule."

could probably be more proximal to each other, and/or you could explicitly
state that the sysctl variable has no effect in current bridging.  I see
that you've done this on your ip_dummynet section of your personal website:

"NOTE: there is always one pass for bridged packets."

It may also be useful to explicitly state this in the Filtering Bridges
article by Nick Sayer:

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/filtering-bridges-ipfirewall.html

My concern is that typical users won't read or test closely enough to know
this, and will assume that their dummynet bridges are working the way I
thought mine was.

Thanks,
Chris

On Sat, 22 Sep 2001, Luigi Rizzo wrote:

> in fact one_pass does not work with bridging,
> it might be as simple as changing one line in bridge.c
>
> 	if (ip_fw_chk_ptr && bdg_ipfw != 0 && src != NULL) {
> 	    struct ip *ip ;
> 	    int i;
>
> -	    if (rule != NULL) /* dummynet packet, already partially processed */
> +	    if (rule != NULL && fw_one_pass)
> 		goto forward; /* HACK! I should obey the fw_one_pass */
>
> but i never had a chance to test it.
> If you want to give this a try, I'd be glad to know how it works.
>
> 	cheers
> 	luigi
>
> > Hi.  I've got a filtering bridge running on FreeBSD 4.3 with ipfw and
> > a customized rc.firewall config.  The setup has been working well for
> > a while now.  I was unfortunately alerted to a hole after a box behind
> > the firewall was cracked because ports that I thought were
> > protected...weren't.
> > [...]
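The thread above turns on a rule-ordering property that is simple to state but easy to lose in a live rc.firewall: once a packet has matched a pipe rule, whether any later rule is consulted depends on net.inet.ip.fw.one_pass, and on a bridge it is not consulted at all. The Python below is an added illustration, not FreeBSD or ipfw code and not either poster's ruleset. It models a rule walk with a dummynet pipe under the three cases discussed (one_pass=1, one_pass=0 on a routed host, and the bridge input path with its single pass), and adds a small audit, shadowed_denies, that flags deny rules sitting after a pipe rule which already matches the same traffic; that ordering mistake is what let the deny rules go unseen, and moving the denies in front of the pipe is the mitigation that holds regardless of the sysctl or of bridging. The host address, ports and rule numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    dst: str      # destination address
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow", "deny" or "pipe"
    dst: str = "any"             # destination address or "any"
    dport: Optional[int] = None  # destination port, None means any port

    def matches(self, pkt: Packet) -> bool:
        return self.dst in ("any", pkt.dst) and self.dport in (None, pkt.dport)

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return self.dst in ("any", other.dst) and self.dport in (None, other.dport)


def verdict(rules: List[Rule], pkt: Packet, one_pass: bool = True,
            bridged: bool = False) -> Tuple[str, int]:
    """Walk the ruleset for one packet and return (outcome, rule number).

    outcome is "allow", "deny" or "forward"; "forward" means the packet came
    out of a pipe and was sent on without any later rule being looked at.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action != "pipe":
            return rule.action, rule.number
        # The packet is queued by dummynet and reinjected later.  On a bridge
        # the filter runs exactly once, in the input path, so the reinjected
        # packet is forwarded whatever one_pass says; on a routed box it is
        # forwarded only when one_pass=1.
        if one_pass or bridged:
            return "forward", rule.number
        # one_pass=0 and not bridged: matching resumes at the next rule.
    return "deny", 65535  # implicit default rule


def shadowed_denies(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Deny rules that an earlier pipe rule hides under one-pass processing,
    as (deny rule number, pipe rule number) pairs."""
    ordered = sorted(rules, key=lambda r: r.number)
    found = []
    for i, deny in enumerate(ordered):
        if deny.action != "deny":
            continue
        for pipe in ordered[:i]:
            if pipe.action == "pipe" and pipe.covers(deny):
                found.append((deny.number, pipe.number))
    return found


# Constructed sample rulesets (not the poster's rc.firewall).
HOST = "10.0.0.5"  # constructed: the box behind the bridge that should be protected
PIPE_THEN_DENY = [
    Rule(100, "pipe", dst=HOST),            # shape everything to the host ...
    Rule(200, "deny", dst=HOST, dport=23),  # ... but telnet must never reach it
    Rule(65000, "allow"),
]
DENY_THEN_PIPE = [                          # filter first, shape afterwards
    Rule(100, "deny", dst=HOST, dport=23),
    Rule(200, "pipe", dst=HOST),
    Rule(65000, "allow"),
]
TELNET = Packet(HOST, 23)


if __name__ == "__main__":
    for name, rules in (("pipe-then-deny", PIPE_THEN_DENY),
                        ("deny-then-pipe", DENY_THEN_PIPE)):
        print(name, "shadowed deny rules:", shadowed_denies(rules))
        for one_pass, bridged in ((True, False), (False, False), (False, True)):
            print(f"  one_pass={int(one_pass)} bridged={bridged}: "
                  f"{verdict(rules, TELNET, one_pass, bridged)}")
```

Run as a script it prints, for each ruleset, which deny rules are shadowed and what happens to a telnet packet under each of the three processing modes. The first ruleset only blocks the port on a routed host with one_pass=0; the second blocks it in every mode, which is why an audit like shadowed_denies is worth running over a ruleset before relying on the sysctl.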