Date:      Wed, 1 Mar 2000 11:57:14 -0700 (MST)
From:      Steve Jorgensen <steve@khoral.com>
To:        oogali@intranova.net (Omachonu Ogali)
Cc:        bhishan@cytosine.dhs.org (Bhishan Hemrajani), questions@FreeBSD.ORG
Subject:   Re: packet filtering from ppp
Message-ID:  <200003011857.LAA26832@benson>
In-Reply-To: <Pine.BSF.4.10.10003011320220.66429-100000@hydrant.intranova.net> from "Omachonu Ogali" at Mar 01, 2000 01:22:52 PM

Omachonu Ogali wrote
>> Sample:
>> ipfw add deny tcp from any to any 137-139 in via tun0
>> ipfw add deny udp from any to any 137-139 in via tun0
>> 
>> What's wrong with applying it to the tun0 device only? Do you want him to
>> have further troubles with his internal network? And also, NetBIOS sits on
>> UDP ports 137-139.

	I haven't actually tried ipfw, I was trying to use the tun set
	filter interface in my ppp.conf file.  I was under the (apparently
	mistaken) impression that you can't use ipfw on the tun0 device.
	Since both of you seem to be telling me otherwise, I'll do as
	suggested and use the rc.firewall and ipfw, and modify the simple
	rules to suit my site.  Thanks for your help.

							Steve
	

>> On Tue, 29 Feb 2000, Bhishan Hemrajani wrote:
>> 
>> > I think you can.... just don't apply them to a specific
>> > device, apply them to all tcp attributes.
>> > 
>> > --bhishan
>> > 
>> > > Bhishan Hemrajani wrote
>> > > >> Try using rc.firewall in /etc to limit that stuff..
>> > > >> man ipfw
>> > > >> 
>> > > 	I didn't think you could use the ipfw and rc.firewall stuff on
>> > > 	the tun0 device.  Am I mistaken?
>> > > >> --bhishan
>> > > >> > 
>> > > >> > 	I have a little 16 IP number net, that is connected
>> > > >> > 	to the internet via the user ppp on the gateway machine.
>> > > >> > 	I'm running on a FreeBSD 3.4-STABLE machine last cvsup'ed
>> > > >> > 	about a month ago.  Since I have real IP numbers, I'm
>> > > >> > 	NOT using the -nat options to ppp, but I would like to use
>> > > >> > 	the set filter syntax to protect myself from prying external
>> > > >> > 	programs (in fact, I've been getting probed on my samba port for
>> > > >> > 	the last couple of weeks from various external ip numbers)
>> > > >> > 
>> > > >> > 	Anyway, I set up my rules based on instructions I found
>> > > >> > 	in the ppp tutorial at http://www.freebsd.org/tutorials/ppp/x870.html,
>> > > >> > 	but I can't seem to get things to work right.  The example shown
>> > > >> > 	indicates that only the specified services will be allowed to
>> > > >> > 	operate through the tun device, and all other packets will be
>> > > >> > 	blocked.  However, when I run it, it either lets everything
>> > > >> > 	through or disallows any new external to internal connections
>> > > >> > 	to be started.  This behavior is based on the following lines
>> > > >> > 
>> > > >> > set filter in  6 permit 0/0 MYGATEWAYADDR/24
>> > > >> > set filter out 6 permit MYGATEWAYADDR/24 0/0
>> > > >> > 
>> > > >> > 	If I have these two lines set, it doesn't matter if I have any
>> > > >> > 	of the other lines in the tutorial, it allows all packets through.
>> > > >> > 	If I comment those two lines out, no new external connections
>> > > >> > 	can be established.  Any help is appreciated, and I can make
>> > > >> > 	my full set filter lines available if it's necessary.
>> > > >> > 
>> > > >> > 						Steve


-- 
-----------------------------------------------------------
Steven Jorgensen      steve@khoral.com	 steve@spukhaus.com
------------------------------+----------------------------
Khoral Research Inc.          | PHONE: (505) 837-6500
6200 Uptown Blvd, Suite 200   | FAX:   (505) 881-3842
Albuquerque, NM 87110         | URL: http://www.khoral.com/
-----------------------------------------------------------


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
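The behaviour Steve describes (the two `permit 0/0 MYGATEWAYADDR/24` lines letting everything through, and their absence blocking every new inbound connection) follows from how ppp(8) evaluates a filter set: rules are tried in rule-number order, the first match decides, a packet that matches no rule is dropped, and a filter with no rules at all passes everything. The small evaluator below is an added example, not code from the thread, the ppp tutorial or ppp itself. It models only the subset of `set filter` syntax used in the thread (no `estab`/`syn`/`finrst`, no ranges; ppp has `eq`/`lt`/`gt` only), substitutes a constructed placeholder for `MYGATEWAYADDR`, and uses constructed packets; the ipfw rules Omachonu posted are not modelled. It shows that putting explicit NetBIOS denies at lower rule numbers than the catch-all permit makes the probe on port 139 drop while ordinary traffic still passes.

```python
"""Model of ppp(8) 'set filter' evaluation: first matching rule decides,
no match means deny, and an empty filter set passes all packets.
Added example; MYGATEWAYADDR, packets and rule sets are constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

GATEWAY = "192.0.2.17"   # constructed placeholder for the poster's MYGATEWAYADDR


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Rule:
    num: int
    action: str           # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None
    dport: Optional[tuple] = None   # ("eq"|"lt"|"gt", port) from "dst eq 139" etc.


def net(spec: str) -> ipaddress.IPv4Network:
    """ppp writes 'any' as 0/0; everything else is addr/width."""
    addr, _, width = spec.partition("/")
    if addr == "0":
        addr = "0.0.0.0"
    return ipaddress.ip_network(f"{addr}/{width or 32}", strict=False)


def parse_filter_line(line: str):
    """Parse the subset of ppp syntax used in the thread:
    set filter <in|out> <n> <permit|deny> <src> <dst> [<proto> [dst <eq|lt|gt> <port>]]"""
    t = line.replace("MYGATEWAYADDR", GATEWAY).split()
    if t[:2] != ["set", "filter"]:
        raise ValueError(f"not a set filter line: {line!r}")
    direction, num, action, src, dst = t[2], int(t[3]), t[4], t[5], t[6]
    proto = t[7] if len(t) > 7 else None
    dport = (t[9], int(t[10])) if len(t) > 10 and t[8] == "dst" else None
    return direction, Rule(num, action, net(src), net(dst), proto, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport:
        op, port = rule.dport
        return {"eq": pkt.dport == port, "lt": pkt.dport < port, "gt": pkt.dport > port}[op]
    return True


def evaluate(lines, direction: str, pkt: Packet) -> str:
    """Rules of the named filter set in number order; first match wins.
    No rules at all: ppp passes everything. Rules but no match: dropped."""
    rules = [r for d, r in map(parse_filter_line, lines) if d == direction]
    if not rules:
        return "permit"
    for rule in sorted(rules, key=lambda r: r.num):
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed inbound probe of the kind the poster reports: an external host
# hitting the NetBIOS session port on a machine inside the /24, plus a
# harmless web request for comparison.
PROBE = Packet(src="198.51.100.9", dst="192.0.2.30", proto="tcp", dport=139)
WEB = Packet(src="198.51.100.9", dst="192.0.2.30", proto="tcp", dport=80)

# The two lines from the thread on their own: rule 6 matches every inbound
# packet bound for the /24, so the probe is let through.
THREAD_LINES = [
    "set filter in  6 permit 0/0 MYGATEWAYADDR/24",
    "set filter out 6 permit MYGATEWAYADDR/24 0/0",
]

# Explicit NetBIOS denies numbered below the catch-all permit: first match
# wins, so 137-139 are dropped and everything else still passes.
# (ppp's filter syntax has no port ranges, hence one rule per port/protocol.)
NETBIOS_DENIES = [
    f"set filter in {i} deny 0/0 MYGATEWAYADDR/24 {proto} dst eq {port}"
    for i, (proto, port) in enumerate((p, n) for p in ("tcp", "udp") for n in (137, 138, 139))
]
HARDENED_LINES = NETBIOS_DENIES + THREAD_LINES


def outcomes() -> dict:
    return {
        "thread_probe": evaluate(THREAD_LINES, "in", PROBE),       # "permit"
        "hardened_probe": evaluate(HARDENED_LINES, "in", PROBE),   # "deny"
        "hardened_web": evaluate(HARDENED_LINES, "in", WEB),       # "permit"
        "no_catchall_web": evaluate(NETBIOS_DENIES, "in", WEB),    # "deny": nothing matched
        "empty_probe": evaluate([], "in", PROBE),                  # "permit": empty filter passes all
    }


if __name__ == "__main__":
    for name, verdict in outcomes().items():
        print(f"{name:16s} {verdict}")
```

The `no_catchall_web` case is the second half of Steve's report: with the catch-all permit commented out, the remaining rules match nothing for a fresh inbound connection and ppp's no-match default drops it, which is why new external connections could not be started.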



