From: Dan Pelleg
To: freebsd-ipfw@freebsd.org
Subject: logamount in ipfw2
Date: 01 Dec 2002 08:03:36 -0500

It seems that the "log" option in ipfw2 works differently than it does in ipfw. When given no "logamount" argument, ipfw does as the man page says and sets the limit to the value of net.inet.ip.fw.verbose_limit. On the other hand, ipfw2 sets it to zero (meaning unlimited logging).
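The difference Dan describes matters operationally: a rule that logs with no limit lets a hostile burst flood syslog, and a ruleset that relied on the old default silently changes behaviour when the box moves to ipfw2. One way to take the default out of the equation is to write the limit into every log rule. What follows is an added example, not code from the post or from the ipfw tree; it assumes rules written in the literal `ipfw add ...` form used on this list (optionally with ipfw flags such as `-q`), reads them on stdin, and takes the limit as an argument, which on the firewall itself you would get from `sysctl -n net.inet.ip.fw.verbose_limit`.

```shell
#!/bin/sh
# Added example: make every "log" rule carry an explicit logamount so the
# ruleset behaves the same under ipfw and ipfw2, whatever default each
# applies when logamount is omitted.
#
# Assumptions: rules are plain "ipfw [flags] add ..." lines (a script that
# goes through ${fwcmd} would need the regex widened), and the limit is
# supplied by the caller, e.g. "$(sysctl -n net.inet.ip.fw.verbose_limit)".

# _scan_log_rules MODE [LIMIT]
#   MODE=list  print the rules that log without a limit
#   MODE=fix   print every line, inserting "logamount LIMIT" where needed
_scan_log_rules() {
    awk -v mode="$1" -v limit="$2" '
        # only "ipfw add" lines are candidates; comments, "ipfw -f flush"
        # and variable assignments pass through untouched
        /^[ \t]*ipfw([ \t]+-[a-zA-Z]+)*[ \t]+add[ \t]/ {
            has_log = 0; has_amount = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "log")       has_log = 1
                if ($i == "logamount") has_amount = 1
            }
            if (has_log && !has_amount) {
                if (mode == "list") { print; next }
                # put "logamount N" directly after the log keyword;
                # rules that already set their own limit are left alone
                sub(/[ \t]log[ \t]/, " log logamount " limit " ")
            }
        }
        mode == "fix" { print }
    '
}

# Lint: which rules would log without a limit?
find_unlimited_log() {
    _scan_log_rules list
}

# Rewrite: stdin -> stdout with "logamount $1" added where it was missing.
add_logamount() {
    _scan_log_rules fix "$1"
}
```

Run `find_unlimited_log < /etc/ipfw.rules` first to see what would change, then `add_logamount "$(sysctl -n net.inet.ip.fw.verbose_limit)" < /etc/ipfw.rules > /etc/ipfw.rules.new` and diff the two before installing.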
--
Dan Pelleg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: Steve Bertrand
To: freebsd-ipfw@freebsd.org
Subject: Auto-recover
Date: Wed, 04 Dec 2002 09:53:11 -0500
Message-ID: <3DEE16D7.1020706@northnetworks.ca>

No matter what I do, the auto-recover script (change_rules.sh) will not process my new rules properly when connected via ssh. I suspect that this is due to the flush at the top of my rules script. After modification of my firewall script, I have to log back into the box and the old rules are re-loaded.

Is there something special that I have to add or remove from my ruleset to make this process work properly?
Tks,
Steve


From: "Nikolaev D./ MTS"
To: "Steve Bertrand"
Subject: Re: Auto-recover
Date: Wed, 4 Dec 2002 17:58:15 +0300
Message-ID: <004d01c29ba5$930877b0$4635a8c0@sloniki>

bash# sleep 10 && ./change_rules.sh & ; exit;

After 10 seconds you may log in again.


From: Dan Pelleg
To: Steve Bertrand
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Auto-recover
Date: 04 Dec 2002 11:02:14 -0500
In-Reply-To: <3DEE16D7.1020706@northnetworks.ca>

Steve Bertrand writes:

> No matter what I do, the auto-recover script (change_rules.sh) will not
> process my new rules properly when connected via ssh. I suspect that this
> is due to the flush at the top of my rules script. After modification of my
> firewall script, I have to log back into the box and the old rules are
> re-loaded.
> Is there something special that I have to add or remove from my
> ruleset to make this process work properly?

You can try adding this to /etc/rc.conf:

firewall_quiet="YES"

Alternatively, try a scheme that doesn't require a flush. I've written something along these lines, and it lets you update just the part of the ruleset you want (say, www or mail rules). If you want to play with it, the announcement is here:

http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=509128+512111+/usr/local/www/db/text/2002/freebsd-stable/20021124.freebsd-stable

It installs just like a port and is rc.firewall compatible (up to the part where you plug in your own rules and hosts).

--
Dan Pelleg


From: Steve Bertrand
To: freebsd-ipfw
Subject: Re: Auto-recover
Date: Wed, 04 Dec 2002 12:22:11 -0500
Message-ID: <3DEE39C3.5040704@northnetworks.ca>

Thanks for the suggestions, but neither worked. The bash command failed with a syntax error, and it appears that the unit sleeps for 10 seconds, then edits the script. The same problem occurred.

The fw program did not install correctly on my box; besides, it is not exactly what I need at this point. I will take a look at it though and will likely use some of the code for my own purposes.

All I want to do is execute the ipfw script from a remote location and have it revert back if I can't get in.

I think what I will do is write a perl script that will run the new script, watch for new ssh connections with my username, and revert to the old rules if no connection has been established within a set time.

Now that I think about it, perhaps scrambling up the commands in Nicolaev's reply may help me on my way.

Steve


From: "Nikolaev D./ MTS"
To: "freebsd-ipfw"
Subject: Re: Auto-recover
Date: Wed, 4 Dec 2002 20:35:05 +0300
Message-ID: <000901c29bbb$7bb4a0a0$4635a8c0@sloniki>

You have to do:

1. run "sleep 10 && /bla-bla-bla/change_rules.sh &"
2. then do not wait but logout: "exit"
3. reconnect after some time (10 seconds for example).

Or did I not understand you correctly? Show "change_rules.sh" please.
From: "Aaron D. Gifford"
To: freebsd-ipfw@freebsd.org
Subject: How hard would it be to add...
Date: Wed, 04 Dec 2002 12:11:54 -0700
Message-ID: <3DEE537A.9030807@infowest.com>

Hello,

How difficult would it be for IPFW or IPFW2 to log the local PID for all IP packets that are created on or delivered to the local host on which IPFW is running? UID/GID could be useful too.

I would imagine the code which currently allows for matching packets based on UID shows how to look up the local socket information and could be used to create a new PID/UID/GID logging directive, "logids" or something. How difficult would this be?

Aaron out.


From: "Shawn Barnhart"
To: "Nikolaev D./ MTS", "freebsd-ipfw"
Subject: Re: Auto-recover
Date: Wed, 4 Dec 2002 14:31:12 -0600
Message-ID: <024d01c29bd4$16874110$62229fc0@ad.campbellmithun.com>

Wouldn't you have to run those commands with nohup? My experience has been that commands backgrounded with '&' stop running if the shell that started them ends, unless you run them with nohup. Unless your shell does this for you automatically, but bash doesn't for me.
From: Steve Bertrand
To: freebsd-ipfw@freebsd.org
Subject: Re: Auto-recover
Date: Wed, 04 Dec 2002 16:02:33 -0500
Message-ID: <3DEE6D69.1080504@northnetworks.ca>

change_rules.sh should be located in /usr/share/examples/ipfw/

After reviewing the code, it appears it will not function as required for me. I have converted my firewall script to perl, and am building a setup that will enable me to set the flush rule dynamically, therefore allowing me to only load rules from a certain point down. I am hoping that this will enable me to retain the top few rules, allowing me to remain connected to the server as the new rules are loaded. No loss of connectivity, therefore no chance of having to drive 100 miles to manually reload the fw.

I am far more capable programming in perl or C as opposed to writing shell scripts, so I will gain future expandability of the new script.

Thanks for all help!!
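Steve's requirement, run the new rules remotely and have them revert if I can't get back in, is a dead man's switch, and the two things that tripped up the one-liner earlier in the thread are exactly what such a switch has to get right: in sh, `cmd & ; exit` is a syntax error (`&` already terminates the command, so `& exit` or a second line is the form that parses), and a job left attached to the login shell can be killed with it when the ssh session goes away, which is Shawn's nohup point. The following is an added example written for this thread; it is not change_rules.sh, not Steve's perl, and not code any poster supplied. The apply and revert commands are passed in as command strings so the functions can be exercised with harmless stand-ins, and the ipfw file paths in the comments and usage note are hypothetical.

```shell
#!/bin/sh
# Added example: a dead man's switch for reloading firewall rules over ssh.
# 1. arm a watcher that is detached with nohup so closing the session does
#    not kill it;
# 2. load the new rules;
# 3. from a *fresh* ssh session, disarm the watcher.  If that never happens,
#    the watcher runs the revert command after DELAY seconds.
#
# Assumptions: APPLY_CMD and REVERT_CMD are shell command strings chosen by
# the caller, e.g. (hypothetical paths)
#   APPLY_CMD="sh /etc/ipfw.rules.new"
#   REVERT_CMD="sh /var/backups/ipfw.rules.last"

# schedule_revert DELAY CANCEL_FILE REVERT_CMD
# Detaches a watcher and prints its PID.  After DELAY seconds it runs
# REVERT_CMD unless CANCEL_FILE has appeared in the meantime.
schedule_revert() {
    # The parameters travel through the environment, so REVERT_CMD needs no
    # quoting gymnastics inside the single-quoted sh -c script.  stdio is
    # pointed at /dev/null so the watcher holds no descriptor on the dying pty.
    DELAY="$1" CANCEL="$2" REVERT="$3" nohup sh -c '
        sleep "$DELAY"
        if [ -e "$CANCEL" ]; then
            rm -f "$CANCEL"        # the admin got back in: nothing to do
        else
            eval "$REVERT"         # no sign of life: put the old rules back
        fi
    ' >/dev/null 2>&1 </dev/null &
    echo $!
}

# cancel_revert CANCEL_FILE
# Run from the new ssh session once it works; the watcher sees the file and
# exits without reverting.
cancel_revert() {
    touch "$1"
}

# safe_apply DELAY CANCEL_FILE APPLY_CMD REVERT_CMD
# Order matters: arm the watcher *before* loading the rules, so a ruleset
# whose flush cuts this very session off mid-load is still reverted.
safe_apply() {
    rm -f "$2"                                   # drop a stale cancel file
    REVERT_PID=$(schedule_revert "$1" "$2" "$4") # kept for inspection (ps)
    eval "$3"
}
```

On a real box the sequence is `safe_apply 120 /var/run/fw.cancel 'sh /etc/ipfw.rules.new' 'sh /var/backups/ipfw.rules.last'` (hypothetical paths), then a login on a second ssh session and `cancel_revert /var/run/fw.cancel`; producing the backup script from the running ruleset beforehand (ipfw list output with `ipfw add` prefixed to each line replays cleanly, since `ipfw add` accepts the rule number as its first argument) is left to the caller. A watcher that sleeps is deliberately simple: it needs nothing but sh and survives the session because nohup makes it ignore SIGHUP.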
>> >>Steve >> >>Steve Bertrand wrote: >> >> >> >>>No matter what I do, the auto-recover script (change_rules.sh) will >>>not process my new rules properly when connected via ssh. I suspect >>>that this is due to the flush at the top of my rules script. After >>>modification of my firewall script, I have to log back into the box >>>and the old rules are re-loaded. >>>Is there something special that I have to add or remove from my >>>ruleset to make this process work properly? >>> >>>Tks, >>>Steve >>> >>> >>>To Unsubscribe: send mail to majordomo@FreeBSD.org >>>with "unsubscribe freebsd-ipfw" in the body of the message >>> >>> >>> >>> >> >>To Unsubscribe: send mail to majordomo@FreeBSD.org >>with "unsubscribe freebsd-ipfw" in the body of the message >> >> >> > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-ipfw" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Dec 4 21:50:50 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AA92C37B401 for ; Wed, 4 Dec 2002 21:50:45 -0800 (PST) Received: from alchemistry.net (alchemistry.net [66.114.66.158]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8E41F43EB2 for ; Wed, 4 Dec 2002 21:50:44 -0800 (PST) (envelope-from mail@krel.org) Received: from amavis by alchemistry.net with scanned-ok (Exim 3.36 #1) id 18JouK-000958-00 for freebsd-ipfw@freebsd.org; Thu, 05 Dec 2002 00:50:44 -0500 Received: from [192.168.0.1] (helo=ilya) by alchemistry.net with smtp (TLSv1:RC4-MD5:128) (Exim 3.36 #1) id 18JouJ-00094v-00 for freebsd-ipfw@freebsd.org; Thu, 05 Dec 2002 00:50:43 -0500 Message-ID: <00d701c29c22$e04bcb80$0100a8c0@ilya> From: "Ilya" To: References: <3DEE16D7.1020706@northnetworks.ca> <3DEE39C3.5040704@northnetworks.ca> <000901c29bbb$7bb4a0a0$4635a8c0@sloniki> 
<3DEE6D69.1080504@northnetworks.ca> Subject: ipfw2 crashes Date: Thu, 5 Dec 2002 00:55:12 -0500 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_00D4_01C29BF8.F761ED60" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300 X-Virus-Scanned: by AMaViS snapshot-20010714 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG This is a multi-part message in MIME format. ------=_NextPart_000_00D4_01C29BF8.F761ED60 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit I have tried ipfw2 and it core dumps on my box. i saw these errors during boot: ipfw: size mismatch (have 176 want 16420) ipfw: size mismatch (have 176 want 48) ipfw: size mismatch (have 176 want 48) ipfw: size mismatch (have 176 want 48) ipfw: size mismatch (have 176 want 48) ipfw: size mismatch (have 176 want 48) ipfw: size mismatch (have 176 want 48) i cant gdb the core file, so it is attached (its very small), hope it will help. 4.7 stable here is the ruleset: #Flush rules ipfw -f flush ipfw -f zero ipfw -f resetlog #Natd ipfw add divert natd all from any to any via $DIF ipfw add check-state # Allow any traffic from local network to any passing through the # internal interface ipfw add allow ip from $LAN to any keep-state via $LIF ipfw add allow ip from $LAN to any keep-state via $LIF #ipfw add allow ip from $LAN to any via $LIF ipfw add allow ip from $ALCHEMISTRY to any keep-state via $DIF ipfw add allow ip from $IPC to any keep-state via $CIF #Allow incoming requests to reach the following services: ipfw add allow tcp from any to $ALCHEMISTRY 22,25,80 setup keep-state via $DIF ipfw add check-state # Allow DNS traffic from internet to query your DNS (for reverse # lookups etc). 
ipfw add allow udp from any 53 to $ALCHEMISTRY 53 via $DIF ipfw add allow udp from any 1024-65535 to $ALCHEMISTRY 53 via $DIF ipfw add allow udp from any 53 to $RUMATA 53 via $DIF ipfw add allow udp from any 1024-65535 to $RUMATA 53 via $DIF ipfw add allow udp from any 53 to $ALCHEMISTRY 1024-65535 via $DIF ipfw add allow udp from any 53 to $RUMATA 1024-65535 via $DIF # Allow required ICMP ipfw add allow icmp from any to any icmptypes 3,4,11,12 #httptunel from work #ipfw add allow tcp from any to $RUMATA 443 setup via $DIF #LOCAL ipfw add pass all from any to any via lo0 ipfw add deny log all from any to 127.0.0.0/8 #ipfw add deny log tcp from any to any in via fxp0 established #ipfw add deny log ip from any to any in recv fxp0 frag #ipfw add deny log ip from $LAN to any in via $CIF #ipfw add deny log ip from $LAN to any in via $DIF #ipfw add deny log ip from not $LAN to any in via $CIF #ipfw add deny log ip from not $LAN to any in via $DIF # Stop private networks (RFC1918) from entering the outside interface. 
ipfw add deny log ip from 192.168.0.0/16 to any in via $CIF ipfw add deny log ip from 192.168.0.0/16 to any in via $DIF ipfw add deny log ip from 172.16.0.0/12 to any in via $CIF ipfw add deny log ip from 172.16.0.0/12 to any in via $DIF ipfw add deny log ip from 10.0.0.0/8 to any in via $CIF ipfw add deny log ip from 10.0.0.0/8 to any in via $DIF ipfw add deny log ip from any to 192.168.0.0/16 in via $CIF ipfw add deny log ip from any to 192.168.0.0/16 in via $DIF ipfw add deny log ip from any to 172.16.0.0/12 in via $CIF ipfw add deny log ip from any to 172.16.0.0/12 in via $DIF ipfw add deny log ip from any to 10.0.0.0/8 in via $CIF ipfw add deny log ip from any to 10.0.0.0/8 in via $DIF ipfw add deny ip from 212.9.233.50 to any in via $CIF ipfw add deny ip from 212.9.233.50 to any in via $DIF # Stop draft-manning-dsua-01.txt nets on the outside interface ipfw add deny log all from 0.0.0.0/8 to any in via $CIF ipfw add deny log all from 0.0.0.0/8 to any in via $DIF ipfw add deny log all from 169.254.0.0/16 to any in via $CIF ipfw add deny log all from 169.254.0.0/16 to any in via $DIF ipfw add deny log all from 192.0.2.0/24 to any in via $CIF ipfw add deny log all from 192.0.2.0/24 to any in via $DIF ipfw add deny log all from 224.0.0.0/4 to any in via $CIF ipfw add deny log all from 224.0.0.0/4 to any in via $DIF ipfw add deny log all from 240.0.0.0/4 to any in via $CIF ipfw add deny log all from 240.0.0.0/4 to any in via $DIF ipfw add deny log all from any to 0.0.0.0/8 in via $CIF ipfw add deny log all from any to 0.0.0.0/8 in via $DIF ipfw add deny log all from any to 169.254.0.0/16 in via $CIF ipfw add deny log all from any to 169.254.0.0/16 in via $DIF ipfw add deny log all from any to 192.0.2.0/24 in via $CIF ipfw add deny log all from any to 192.0.2.0/24 in via $DIF ipfw add deny log all from any to 224.0.0.0/4 in via $CIF ipfw add deny log all from any to 224.0.0.0/4 in via $DIF ipfw add deny log all from any to 240.0.0.0/4 in via $CIF ipfw add deny log 
all from any to 240.0.0.0/4 in via $DIF # Allow all established connections to persist (setup required # for new connections). ipfw add allow tcp from any to any established #Deny Everything else ipfw add 65534 deny log ip from any to any via $CIF in ipfw add 65534 deny log ip from any to any via $DIF in ------=_NextPart_000_00D4_01C29BF8.F761ED60 Content-Type: application/x-gzip; name="ipfw.core.gz" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="ipfw.core.gz" H4sICLPc2z0AA2lwZncuY29yZQDt2gl8lOWBx/EnIZO8iSCsoqK71neFaKiYTEK4IqkTcpCUXCZB AupCSAYykMuZBAKtJbVqgyIepWItrtTq6iq7tYddt9WGVnfrelRqxase2MWjW3fLbj23YPb/zDtD DsJRZLvu7u/74Zdn5r3nnTMT1hWXlyQkJKSamCQzyiTELueaAbnGNckmI7aMMe8Mmrc9wQwRvTpO VTuOiV9WybHL0fmuWhKbv8tryHz7M5DqzXe9Uoasn2C3nzF4+0Pm++3PH/V5R5QYLT7fbrQ5dpwl 4WBwTm1R9LKdVq7uU/OnpJjjND6kGVlmoAlqut38+33RbWfYTVenOmkaesYNOglfS3LOsHtNTDDO e3198fWd2PYTB+173Qn9/cb0R931YvZ2x+yInUI7/ZPH3oYWNcoMPX92Wqhj2eohCx8wAQAAAADw P6IpuKytodVEOte0d7SZprZIuLHZhNoiwcaucDB7/6Uc09be0BJqiAQjmhbsnK7r53a2NJ17aVcw vMYEtaLfnO/vTm/pPt+kd5n0lqbM9MyclibtonttirP7MI20zLbDXD/SjuX+nc+lOOMP0961h592 JNsZqWO5//N135znBsPh9nCe29W2sq19dZtbXlXo1tS4q4LhSKi9zaQ3ubobvR+6Q6fqUqN7kIn2 Dm9qddMj+zPp/tymdH/OAe1/+C2qqiyuKS6JjmWVZXUme6rJzjHZ2Sbbb2aZmWaGmW7mVxcV1BWb yqq6spKFpvCC+cU1C+fHxgpTFh2N97OyqrC0oHJuscnOjW6zuKbGrlcwv67UVNbX1NQW15mF+8ei qoqCskqjA5hfW1wU3UFFtZaLTa8trrmwpKCs3JRU1VR4W9LPqhpTUFRUVldWVVlQbqprdPwXzC+r Lasrro3ucsjTK9OkpqaagP2hE6J/xjVuRpqdqknpLV26ByLBcKihJU2XwsFl4WCk2bvYGV5jLwS7 O0L2kjtZV1pDbaHWrtY0PcVc28BgL9kfGa5J87bd5JrJRs9If263t4B2bOd5B6L7rMWuHLGrRUz8 7tdd37mmI2g0LmsPtzZ0eo8Pc/HEjNTU8+ySadq0P6fb1dHo9s2+MsWpV51f9bKXd8Wm1Q+aN/46 73KPumNjijPu6hSn45qBy7Ov8ebZy29d463zwQ0pzqbrNf1q7/qkDSlOs7pv08D+nI3euFXTzzRp Z15sLjYtwTZ3dr776aVdy3Tx0C9/WV2RcJZe87JaQkttjVmZmd6oF7mstsjijnCorTOz0biuSR1h /YI5hUXFJXNLyz47r7yisqr6gprauvkXLqhfuKhhaaNeW5c3h1asbGlta++4NBzp7Fq1unvNWn92 ztTcadNnzJx1TpbJP/TxNUT06OjUM9E9Mz1yprusIdQSbMpzl2mITpnitujlWHdn2sjrr+/t7b33 
tTaEWry1y6vmVhZoW9Er1QVztWxrezhoSuqqF1drw2UXFi+uqCoqzl9YXGvmlFcVzqstW1ScP894 e7THnxfdr3dp/9X9F7zjiQy7vv9qfXZ2zfThS8eP3k431QuKYrc0dm5im89aqRME0183ady1RZPG V78fqLPPkq5RG5vHP1CvDyXVT/b85qPrB82fEJ9f9NNA+ck7E8zAYuvfi39Gsc/TsbpR/wVGGSLi ADADAA== ------=_NextPart_000_00D4_01C29BF8.F761ED60-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Dec 6 9: 4:56 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0E16137B401 for ; Fri, 6 Dec 2002 09:04:55 -0800 (PST) Received: from alchemistry.net (66-234-45-101.nyc.cable.nyct.net [66.234.45.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id E04BD43EA9 for ; Fri, 6 Dec 2002 09:04:53 -0800 (PST) (envelope-from mail@krel.org) Received: from amavis by alchemistry.net with scanned-ok (Exim 3.36 #1) id 18KLuC-000MrE-00 for freebsd-ipfw@freebsd.org; Fri, 06 Dec 2002 12:04:48 -0500 Received: from ilya by alchemistry.net with local (Exim 3.36 #1) id 18KLuB-000Mr4-00 for freebsd-ipfw@freebsd.org; Fri, 06 Dec 2002 12:04:47 -0500 Date: Fri, 6 Dec 2002 12:04:47 -0500 From: Ilya To: freebsd-ipfw@freebsd.org Subject: Re: Auto-recover Message-ID: <20021206170447.GA87411@krel.org> Reply-To: mail@krel.org References: <3DEE16D7.1020706@northnetworks.ca> <3DEE39C3.5040704@northnetworks.ca> <000901c29bbb$7bb4a0a0$4635a8c0@sloniki> <3DEE6D69.1080504@northnetworks.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3DEE6D69.1080504@northnetworks.ca> User-Agent: Mutt/1.5.1i X-Virus-Scanned: by AMaViS snapshot-20010714 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I have a following setup: fxp0 - cable fxp1 -lan fxp2 - dsl i got it running with fwd rule, so that natd is on cable, 
web/mail/etc is on dsl. I have two problems with current setup: 1 when dynamic rules expire, it disrupts an idle session, ssh for example. I increased net.inet.ip.fw.dyn_syn_lifetime: 300 and that gave me 5min. in man i read about keepalive. But do i understand correctly that it is only available in ipfw2 ? 2 I see strange behaviour where, an ssh session is made from cable interface for example, dynamic rules are created and all good, i dont see any connection issues, but my last rules which are set to deny all on that interface, what didnt match "setup" rules or keep-state, seem to catch ocasional traffic from target ssh server to source client. Same thing happens with www traffic, for both server and natd. A lan client opens connection to some www outside, all is good, but occasionally I see packets rejected from that server to client, which i believe should be part of connection. it doesnt bother me much, since its i dont see any adverse effect on clients, but i was wondering why it happens. a list of rules is below. thx a lot. 
ipfw list
00100 allow ip from any to any via lo0
00200 deny log logamount 200 ip from any to 127.0.0.0/8
00300 divert 8668 ip from any to any via fxp0
00400 fwd dsl_router ip from dsl_ip1 to any out xmit fxp0
00500 fwd dsl_router ip from dsl_ip2 to any out xmit fxp0
00600 check-state
00700 allow ip from dsl_ip1 to any keep-state via fxp2
00800 allow ip from dsl_ip2 to any keep-state via fxp2
00900 allow ip from 66.234.45.101 to any keep-state via fxp0
01000 allow ip from any to any keep-state via fxp1
01100 allow tcp from any to dsl_ip1 22,25,80,443 keep-state via fxp2 setup
01200 allow tcp from any to dsl_ip2 22,25,80,443 keep-state via fxp2 setup
01300 allow tcp from any to 66.234.45.101 22,113 keep-state via fxp0 setup
01400 allow udp from any 1024-65535,53 to dsl_ip1 53 via fxp2
01500 allow udp from any 1024-65535,53 to dsl_ip2 53 via fxp2
01600 allow udp from any 53 to dsl_ip1 1024-65535 via fxp2
01700 allow udp from any 53 to dsl_ip2 1024-65535 via fxp2
01800 allow udp from dsl_ip1 53 to any 1024-65535,53 via fxp2
01900 allow udp from dsl_ip2 53 to any 1024-65535,53 via fxp2
02000 allow icmp from any to any icmptype 3,4,11,12
02100 deny ip from any to any in recv fxp0 frag
02200 deny ip from any to any in recv fxp2 frag
65533 deny log logamount 200 ip from any to any in recv fxp0
65533 deny log logamount 200 ip from any to any in recv fxp2
65535 allow ip from any to any

From owner-freebsd-ipfw Fri Dec 6 16:51:27 2002
Date: Fri, 6 Dec 2002 16:51:18 -0800
From: "Crist J. Clark"
To: Steve Bertrand
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Auto-recover
Message-ID: <20021207005118.GA57927@blossom.cjclark.org>
References: <3DEE16D7.1020706@northnetworks.ca>
In-Reply-To: <3DEE16D7.1020706@northnetworks.ca>
X-URL: http://people.freebsd.org/~cjc/

On Wed, Dec 04, 2002 at 09:53:11AM -0500, Steve Bertrand wrote:
> No matter what I do, the auto-recover script (change_rules.sh) will not
> process my new rules properly when connected via ssh. I suspect that
> this is due to the flush at the top of my rules script. After
> modification of my firewall script, I have to log back into the box and
> the old rules are re-loaded.
>
> Is there something special that I have to add or remove from my ruleset
> to make this process work properly?

What's in the temporary file, ${TMPDIR:-/tmp}/change_rules.XXXXXX, when you log back in?

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw Sat Dec 7 15:15:40 2002
Date: 07 Dec 2002 18:15:32 -0500
From: Dan Pelleg
To: Dan Pelleg
Cc: freebsd-ipfw@freebsd.org
Subject: Re: logamount in ipfw2

Dan Pelleg writes:
> It seems that the "log" option in ipfw2 works differently than it does on
> ipfw. When given no "logamount" argument, then ipfw does as the man page
> says and sets the limit to the value of net.inet.ip.fw.verbose_limit.
> On the other hand, ipfw2 sets it to zero (meaning unlimited logging).

I've opened a PR for this (kern/46080). It includes a patch to mimic the ipfw functionality (admittedly, the code is taken from the corresponding section in ipfw.c).

-- 
Dan Pelleg
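Added example, not part of the thread or of the PR's patch: a small sh/awk audit that flags rules using "log" without "logamount", which on ipfw2, per the report above, are logged without limit instead of being capped by net.inet.ip.fw.verbose_limit, so a single such rule can flood syslog under a packet flood; fix_logamount rewrites them with an explicit limit chosen by the caller. The function names and the sample ruleset (constructed from the script-style lines and the "ipfw list" output seen in this thread) are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the PR): audit an ipfw ruleset
# for "log" rules that carry no "logamount". Per the report above, ipfw2
# treats a missing logamount as unlimited logging instead of falling back
# to net.inet.ip.fw.verbose_limit, so one such rule can flood syslog.
# Input lines may be script form ("ipfw add ...") or "ipfw list" output.

# audit_logamount: print every rule (stdin) that has the "log" keyword
# as a whole word but no "logamount". Comment and blank lines are ignored.
audit_logamount() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            has_log = 0
            for (i = 1; i <= NF; i++) if ($i == "log") has_log = 1
            if (has_log && $0 !~ /logamount/) print
        }'
}

# fix_logamount LIMIT: copy stdin to stdout, inserting "logamount LIMIT"
# after "log" in rules that lack it; every other line is printed as-is.
fix_logamount() {
    awk -v lim="${1:?usage: fix_logamount LIMIT}" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /logamount/ { print; next }
        {
            out = ""; n = 0
            for (i = 1; i <= NF; i++) {
                out = out (i > 1 ? " " : "") $i
                if ($i == "log") { out = out " logamount " lim; n++ }
            }
            print (n ? out : $0)
        }'
}

# Constructed sample mixing both styles from the thread.
sample_rules() {
    cat <<'EOF'
# private nets, logged without a limit
ipfw add deny log ip from 192.168.0.0/16 to any in via $CIF
00200 deny log logamount 200 ip from any to 127.0.0.0/8
00100 allow ip from any to any via lo0
ipfw add 65534 deny log ip from any to any via $DIF in
EOF
}

# count_unlimited: number of unlimited-logging rules in the sample (2).
count_unlimited() { sample_rules | audit_logamount | wc -l | tr -d ' '; }
```

Run it against a saved ruleset with "audit_logamount < rules.sh", then "fix_logamount 200 < rules.sh > rules.fixed" to emit the capped version.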