Date: Wed, 25 Jan 95 11:47:28 IST
From: "Ugen J.S.Antsilevich" <ugen@netvision.net.il>
To: danny@TFS.COM
Cc: freebsd-questions@freefall.cdrom.com
Subject: RE: firewalls on freebsd
Message-ID: <Chameleon.950125115359.ugen@ugen.NetManage.co.il>
> >Ugen,
> >
> >I am using a PC 386-33, with two SMC network cards running
> >FreeBSD 2.0. I'm getting "ipfw: setsocket failed." when doing an "ipfw flush".
> >ipfw seems to take my "addb" commands, but when I try to do a "list" I get
> >no output. This makes me think none of my filters have been taken.

Already have seen this... Actually the main problem can be that the IP_FW_ADD defines are not synched between the kernel file netinet/raw_ip.c and the ipfw.c utility code.. check this... the simplest way is to add printf's to the utility and raw_ip.c and see what happens...

> >I am using the generic "IPFIREWALL" kernel that comes in the
> >"/usr/src/sys/i386/conf" directory. I have also asked Poul-Henning Kamp,
> >and Julian Elischer (two of the contributors to FreeBSD) for help and as
> >of yet neither can find the problem.
> >
> >My goal is to block everything but telnet and ftp across this connection.

So that kernel should work.. after my last changes there are no addb commands and there is only one firewall chain and one accounting chain. All command syntax is left intact except that instead of addb[locking] or addf[orwarding] you now have addf[irewall] and so delf[irewall]. If your utility still accepts addb this is a true sign that it needs a recompile.

To block everything but ftp and telnet from outside you can use, in the simplest case:

    addf deny all from 0 to <localaddr:localmask>
    addf accept tcp from 0 telnet,ftp to <localaddr:localmask>

You can make it a bit more sophisticated by adding "via <external interface ip>" to the end of the last command, like:

    addf accept tcp from 0 telnet,ftp to <localaddr:localmask> via <ext. interface IP>

This takes care of the last CERT security advisory about the possibility of using a local inside IP from outside...

> >Any help or suggestion would be very very much appreciated.
> >
> >Danny E. Reid                  email: danny@tfs.com
> >TRW Financial Systems          Phone: (510) 645-3406
> >300 Lakeside Drive             Fax:   (510) 465-4943
> >Oakland, CA 94612-3540
> >
> >----- End Included Message -----

--
-=Ugen J.S.Antsilevich=-
NetVision - Israeli Commercial Internet | Learning
E-mail: ugen@NetVision.net.il           | To Fly. [c]
Phone : +972-4-550330                   |
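The policy discussed in this thread (let telnet and ftp in from outside, drop everything else, and use the arrival interface to reject packets that claim an inside source address) can be tried out without a kernel. The following simulator is an added example and is not ipfw's code, neither the 1995 version nor any later one; it evaluates a rule chain with first-match semantics, as later ipfw releases do, so the accept rules are placed ahead of the catch-all deny. The local network 192.0.2.0/24, the interface names ed0 (external) and ed1 (internal), and all packets are constructed for the demonstration.

```python
"""Toy first-match packet-filter chain modelled on the policy discussed
in the thread. Added example; not ipfw's implementation. Addresses,
interface names and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TELNET, FTP = 23, 21
LOCAL_NET = "192.0.2.0/24"      # assumed local network (documentation range)
EXT_IF, INT_IF = "ed0", "ed1"   # assumed external / internal interface names


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    via: str                      # interface the packet arrived on
    dport: Optional[int] = None   # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "deny"
    proto: str = "all"                # "all" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: frozenset = frozenset()   # empty set = any destination port
    via: Optional[str] = None         # None = any interface

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("all", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (not self.dports or p.dport in self.dports)
            and (self.via is None or self.via == p.via)
        )


def evaluate(chain, packet, default="deny"):
    """Walk the chain in order; the first matching rule decides.
    Returns (action, index); index is None when the default applied."""
    for i, rule in enumerate(chain):
        if rule.matches(packet):
            return rule.action, i
    return default, None


# Policy: anti-spoofing first, then the permitted services, then a
# catch-all deny for everything else arriving from outside.
CHAIN = [
    Rule("deny", src=LOCAL_NET, via=EXT_IF),             # 0: inside source seen on ext if
    Rule("accept", proto="tcp", dst=LOCAL_NET,
         dports=frozenset({TELNET, FTP}), via=EXT_IF),   # 1: telnet/ftp from anywhere
    Rule("deny", via=EXT_IF),                            # 2: anything else from outside
    Rule("accept", via=INT_IF),                          # 3: inside traffic not filtered here
]

# Constructed sample traffic.
SAMPLE = {
    "telnet_from_outside":  Packet("tcp",  "198.51.100.7", "192.0.2.10", EXT_IF, TELNET),
    "ftp_from_outside":     Packet("tcp",  "198.51.100.7", "192.0.2.10", EXT_IF, FTP),
    "smtp_from_outside":    Packet("tcp",  "198.51.100.7", "192.0.2.10", EXT_IF, 25),
    "dns_udp_from_outside": Packet("udp",  "198.51.100.7", "192.0.2.10", EXT_IF, 53),
    "ping_from_outside":    Packet("icmp", "198.51.100.7", "192.0.2.10", EXT_IF),
    "spoofed_local_src":    Packet("tcp",  "192.0.2.5",    "192.0.2.10", EXT_IF, TELNET),
    "telnet_from_inside":   Packet("tcp",  "192.0.2.5",    "192.0.2.10", INT_IF, TELNET),
}


def run(chain=CHAIN, packets=SAMPLE):
    """Evaluate every sample packet; returns {name: (action, rule_index)}."""
    return {name: evaluate(chain, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, idx) in run().items():
        where = f"rule {idx}" if idx is not None else "default"
        print(f"{name:22s} -> {action:6s} ({where})")
```

Two things to watch in the output: the spoofed packet is a telnet connection that would match the accept rule, but it is caught by rule 0 first because a packet with a local source address has no legitimate reason to arrive on the external interface; and if the catch-all deny is moved ahead of the accept rule, the same telnet packet from outside is dropped, which is why rule order has to be checked whenever a chain is evaluated first-match.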