From owner-freebsd-ipfw Mon Jan 15 11:40:28 2001
From: "Elliott Perrin"
Subject: Bridging Firewall
Date: Mon, 15 Jan 2001 14:45:44 -0500
Message-ID: <007001c07f2b$c64732d0$0c01a8c0@bottleneck2000>

Wondering if this is possible before I go and build it:

                ISP
                 |
                 |
            _____xl0_____
           |
         xl1 ----- Public Servers
           |
           |_____xl2____
                        |
                        |
                       LAN

xl0 - assigned a.b.c.114/28
xl1 - not assigned
xl2 - assigned 192.168.1.0/24
Default Router (at the ISP) - a.b.c.113/28

I want to bridge between xl1 and xl0 only, with ARP only allowed to pass
between addresses within the /28 subnet we have been assigned. I figure
that ARP only needs to be passed between these machines, and it will keep
me from having to have a default "allow all from any to any" rule.

Am I looking at a huge headache here? (i.e. should I go with static NAT
to our public servers instead)

Thanks,
________________________________________
Elliott Perrin
Systems Administrator
Big Orbit - Specializing in new media for youth
web: http://www.bigorbit.com
email: eperrin@bigorbit.com
[t] 416.516.0705 ext 25
[f] 416.516.9256

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Jan 17 16:21:31 2001
From: Gustavo Lima dos Santos
To: "'ipfw@freebsd.org'"
Subject: ssh conflict with ipfw
Date: Wed, 17 Jan 2001 22:26:12 -0200
Message-ID: <64723B9254A1D4119B29009027BDB8C318270E@pombo.telebrasilia.com.br>

Dear Sirs/Madam,

I am using ssh on FreeBSD 4.2-STABLE and have put firewall rules in place
to restrict the user from using some ports on my net. But the user is
using forwarding to use the squid service on the machine. Doesn't ssh
have a mechanism to block it?

Doesn't ssh have a file like /etc/hosts.allow and /etc/hosts.deny to
control the service's use of some port forwards, for use only by
determined IPs?

Thanks.
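For the question above, an added example (not from the thread or from OpenSSH) that audits the sshd side of the problem: a script that reports the effective AllowTcpForwarding value of an sshd_config, honouring sshd's rule that the first value read for a keyword wins, and lists the authorized_keys entries that still lack a no-port-forwarding (or, in OpenSSH 7.2 and later, restrict) option. The config and key files are constructed and the key blobs are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: audit the sshd side of
# "a user tunnels to squid over ssh". ipfw sees only the ssh session, so the
# decision has to be made in sshd. Facts relied on (sshd_config(5), sshd(8)):
# keywords are case-insensitive, a line whose first non-blank character is
# "#" is a comment, sshd keeps the FIRST value it reads for a keyword,
# AllowTcpForwarding defaults to "yes", and an authorized_keys entry may
# carry "no-port-forwarding" (OpenSSH 7.2+ also has "restrict"). All files
# below are constructed; the key blobs are placeholders.

# Effective AllowTcpForwarding value of CONFIG ("yes" when never set).
# Because the first occurrence wins, appending "no" to a file that already
# says "yes" higher up changes nothing, which is exactly the audit trap.
tcp_forwarding_setting() {
    awk '
        /^[ \t]*#/ { next }                        # comment line
        NF >= 2 && tolower($1) == "allowtcpforwarding" {
            print tolower($2); found = 1; exit     # first value wins
        }
        END { if (!found) print "yes" }            # sshd default
    ' "$1"
}

# Comment field of each key in AUTHORIZED_KEYS whose option list lacks
# no-port-forwarding/restrict, i.e. keys that may still open forwards.
# Options precede the key type; an option value that itself contains a
# comma (inside a quoted "command=") is not special-cased here.
keys_allowing_forwarding() {
    grep -vE '(^|,)(no-port-forwarding|restrict)(,|[[:space:]])' "$1" \
      | grep -E '(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) ' \
      | awk '{ print $NF }'
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/sshd_config" <<'EOF'
# constructed: the admin appended "no" at the bottom, but sshd honours
# the earlier line
Port 22
AllowTcpForwarding yes
X11Forwarding no
allowtcpforwarding no
EOF
cat > "$demo/sshd_config.fixed" <<'EOF'
# constructed: forwarding refused for every user
Port 22
AllowTcpForwarding no
EOF
cat > "$demo/authorized_keys" <<'EOF'
# constructed key file; blobs are placeholders, not key material
ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER alice@lan
no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER bob@lan
from="192.168.1.0/24",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER carol@lan
command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER backup@lan
EOF

echo "AllowTcpForwarding as sshd sees it: $(tcp_forwarding_setting "$demo/sshd_config")"
echo "after the fix:                      $(tcp_forwarding_setting "$demo/sshd_config.fixed")"
echo "keys that may still forward ports:"
keys_allowing_forwarding "$demo/authorized_keys"
```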
From owner-freebsd-ipfw Thu Jan 18 00:42:10 2001
From: "Roberto Ruffinengo"
To: ipfw@freebsd.org
Subject: Re: ssh conflict with ipfw
Date: Thu, 18 Jan 2001 09:41:15 +0100
Reply-To: r.ruffinengo@teoresi.it
In-Reply-To: <64723B9254A1D4119B29009027BDB8C318270E@pombo.telebrasilia.com.br>
Message-Id: <20010118084156.E63ABD592@posta.teoresi.it>

> Dear Sirs/Madam,
>
> I am using ssh on FreeBSD 4.2-STABLE and have put firewall rules in place to
> restrict the user from using some ports on my net.
> But the user is using forwarding to use the squid service on the
> machine.
> Doesn't ssh have a mechanism to block it?

squid is a proxy server, sshd (I think you mean sshd, not ssh) is another
application, while ipfw is a packet forwarding/filtering mechanism.
So what is your problem?

> Doesn't ssh have a file like /etc/hosts.allow and /etc/hosts.deny
> to control the service's use of some port forwards, for use only by
> determined IPs?
>

yes, sshd_config, in /etc or /usr/local/etc

> Thanks.
__________________________________________________________________________
Roberto Ruffinengo
Teoresi s.r.l.
Via Perugia, 24 - 10152 Torino (TO)
Tel. +39 (0)11 2408000
Fax. +39 (0)11 2408024
e-mail: r.ruffinengo@teoresi.it
URL: http://www.teoresi.it
__________________________________________________________________________

From owner-freebsd-ipfw Thu Jan 18 09:40:24 2001
From: "Wlad Lepakhin"
Subject: traffic analyzing
Date: Thu, 18 Jan 2001 20:41:07 +0300
Message-ID: <001501c08175$d8dea300$0b4da8c0@Wlad.one.nexter.ru>

I need to establish a traffic analyzer for users connected to the
firewall/router. The first and very simple idea is to use the COUNT
statement with ipfw, but it does not suit me due to DHCP use on my
network.
I have already written a simple script to add "ipfw add ### count all
from any to ###.###.###.###" on the fly when /var/db/dhcp.leases changes,
but I hope there is a more comfortable way to perform a "per user"
traffic counter.
From owner-freebsd-ipfw Thu Jan 18 09:47:53 2001
From: Roman Le Houelleur
Organization: dotcom
To: freebsd-ipfw
Subject: Unable to use ipfw
Date: Thu, 18 Jan 2001 18:47:33 +0100
Message-ID: <3A672C35.44B09ABA@IPricot.com>

hello,

I've just updated my system from 4.2 release to stable and I'm having
problems with the ipfw code. (Actually I would like to use
bridge/dummynet/ipfw).

First of all, I cannot build ipfw because of IP_FW_IF_TCPEST which is not
defined anywhere.

Using the 4.2 release version of ipfw I'm not able to enter a rule as
simple as:

  ipfw add deny ip from 192.168.1.1 to 192.168.1.2

ipfw replies:

  ipfw: getsockopt(IP_FW_ADD): Invalid argument

It was working perfectly with the 4.2 release. The ipfw.c I got from cvs
is: "src/sbin/ipfw/ipfw.c,v 1.80.2.8 2001/01/10 03:43:33 rwatson"

have I done something wrong ?

Roman.
From owner-freebsd-ipfw Thu Jan 18 10:03:02 2001
From: Luigi Rizzo
To: roman@IPricot.com (Roman Le Houelleur)
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Unable to use ipfw
Date: Thu, 18 Jan 2001 10:02:22 -0800 (PST)
Message-Id: <200101181802.f0II2MA66030@iguana.aciri.org>
In-Reply-To: <3A672C35.44B09ABA@IPricot.com> from Roman Le Houelleur at "Jan 18, 2001 6:47:33 pm"

you have to make sure that /usr/include/netinet/*.h files are in sync
with those in /sys/netinet (this applies to all header files)

cheers
luigi

>
> I've just updated my system from 4.2 release to stable and
> I'm having problems with the ipfw code.
> (Actually I would like to use bridge/dummynet/ipfw).
>
> First of all, I cannot build ipfw because of
> IP_FW_IF_TCPEST which is not defined anywhere.
>
> Using the 4.2 release version of ipfw I'm not able to
> enter a rule as simple as:
> ipfw add deny ip from 192.168.1.1 to 192.168.1.2
>
> ipfw replies:
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> It was working perfectly with the 4.2 release.
> the ipfw.c I got from cvs is:
> "src/sbin/ipfw/ipfw.c,v 1.80.2.8 2001/01/10 03:43:33 rwatson"
>
> have I done something wrong ?
>
> Roman.

From owner-freebsd-ipfw Thu Jan 18 10:07:50 2001
From: Luigi Rizzo
To: wlad@nexter.ru (Wlad Lepakhin)
Cc: ipfw@FreeBSD.ORG
Subject: Re: traffic analyzing
Date: Thu, 18 Jan 2001 10:04:19 -0800 (PST)
Message-Id: <200101181804.f0II4J766035@iguana.aciri.org>
In-Reply-To: <001501c08175$d8dea300$0b4da8c0@Wlad.one.nexter.ru> from Wlad Lepakhin at "Jan 18, 2001 8:41:07 pm"

can't you do something like

  ipfw add pipe 1 ip from any to any
  ipfw pipe 1 config mask dst-ip 0xffffffff

and then

  ipfw pipe 1 show

will show you traffic per destination.

cheers
luigi

> I need to establish a traffic analyzer for users connected to the firewall/router.
> The first and very simple idea is to use the COUNT statement with ipfw, but it does not suit me due to
> DHCP use on my network.
> I have already written a simple script to add "ipfw add ### count all from any to ###.###.###.###"
> on the fly when /var/db/dhcp.leases changes, but I hope there is a more comfortable way to perform
> a "per user" traffic counter.
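The lease-driven count rules Wlad describes, and a reader for the counters they produce, as an added example that is neither poster's script: it assumes an ISC dhcpd lease file with "lease A.B.C.D {" records (path given as a parameter), reserves ipfw rule numbers 5000-5599 for accounting, only prints the ipfw commands so it runs without ipfw, and the lease file and "ipfw -a list" output are constructed samples. Luigi's one-pipe dummynet alternative needs no per-lease rules at all; the count route is shown because its "ipfw -a list" output is simple to parse.

```shell
#!/bin/sh
# Added example, not either poster's script: per-host accounting with ipfw
# count rules driven by the DHCP lease file, plus a reader for the counters.
# Assumptions: ISC dhcpd writes each lease as "lease A.B.C.D {" (the file
# path is a parameter), rule numbers 5000-5599 are free for accounting, and
# the lease file and "ipfw -a list" output below are constructed samples.
# The block only prints the ipfw commands, so it runs without ipfw.

# Rule slots for a host: 5000 + 2*last octet (inbound) and the next number
# (outbound). The same address always maps to the same slots, so re-running
# after every lease change is harmless.
rule_base() { echo $(( 5000 + 2 * ${1##*.} )); }

# Distinct addresses in the lease file; dhcpd appends a new record on every
# renewal, so one address usually appears many times.
lease_ips() { awk '$1 == "lease" { print $2 }' "$1" | sort -u; }

# Emit the commands that bring the count rules in line with LEASEFILE.
# "delete" first: "add" with an existing number appends a second rule with
# that number instead of replacing the old one. Deleting a slot that does
# not exist yet fails, hence the 2>/dev/null.
sync_count_rules() {
    lease_ips "$1" | while read -r ip; do
        n=$(rule_base "$ip")
        echo "ipfw -q delete $n 2>/dev/null"
        echo "ipfw -q delete $((n + 1)) 2>/dev/null"
        echo "ipfw -q add $n count ip from any to $ip"
        echo "ipfw -q add $((n + 1)) count ip from $ip to any"
    done
}

# Per-host byte totals from "ipfw -a list" output (rule number, packets,
# bytes, then the rule body). Only count rules of the shape made above are
# summed; a host with no inbound rule would not be listed.
usage_report() {
    awk '$4 == "count" && $6 == "from" && $8 == "to" {
             if ($7 == "any") inb[$9] += $3; else outb[$7] += $3
         }
         END { for (ip in inb) printf "%s in=%d out=%d\n", ip, inb[ip], outb[ip] + 0 }' "$1" \
      | sort -t. -k4,4n
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/dhcpd.leases" <<'EOF'
# constructed lease file: 192.168.1.5 renewed once, so it appears twice
lease 192.168.1.5 {
    starts 4 2001/01/18 08:00:00;
    hardware ethernet 00:00:00:00:00:01;
}
lease 192.168.1.20 {
    starts 4 2001/01/18 08:05:00;
    hardware ethernet 00:00:00:00:00:02;
}
lease 192.168.1.5 {
    starts 4 2001/01/18 12:00:00;
    hardware ethernet 00:00:00:00:00:01;
}
EOF
cat > "$demo/ipfw-a-list.txt" <<'EOF'
05010       1234     987654 count ip from any to 192.168.1.5
05011        900     123456 count ip from 192.168.1.5 to any
05040         10       1500 count ip from any to 192.168.1.20
05041          0          0 count ip from 192.168.1.20 to any
65535     500000   99999999 deny ip from any to any
EOF

echo "# commands to apply after a lease change:"; sync_count_rules "$demo/dhcpd.leases"
echo "# usage so far:"; usage_report "$demo/ipfw-a-list.txt"
```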
From owner-freebsd-ipfw Thu Jan 18 10:21:32 2001
From: Roman Le Houelleur
Organization: dotcom
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Unable to use ipfw
Date: Thu, 18 Jan 2001 19:21:13 +0100
Message-ID: <3A673419.83352257@IPricot.com>
References: <200101181802.f0II2MA66030@iguana.aciri.org>

Luigi Rizzo wrote:
>
> you have to make sure that /usr/include/netinet/*.h files
> are in sync with those in /sys/netinet (this applies to
> all header files)
>
> cheers
> luigi

it works ! thank you.
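The check behind Luigi's advice, as an added example not from the thread: list the header files that differ between the installed /usr/include/netinet and the kernel's /sys/netinet (both passed as arguments), plus a test for whether a kernel config actually enables an option, which is the other cause of a failing getsockopt(IP_FW_ADD) reported further down this archive (a kernel built without IPFIREWALL). The directory trees and the kernel config used below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the two checks behind the
# getsockopt(IP_FW_ADD) failures in this archive. "Invalid argument" is
# what Luigi attributes to /usr/include/netinet being out of step with the
# kernel's /sys/netinet after a source upgrade; "Protocol not available",
# reported further down, is what a kernel built without IPFIREWALL gives.
# Both directories and the kernel config file are parameters; the trees and
# config used below are constructed.

# Names of header files that differ between the installed include tree and
# the kernel source tree, or exist on only one side (diff -rq reports
# "Files A and B differ" and "Only in DIR: NAME").
headers_out_of_sync() {
    diff -rq "$1" "$2" 2>/dev/null | awk '
        /^Files /  { sub(/.*\//, "", $2); print $2 }
        /^Only in/ { print $NF }' | sort -u
}

# True when CONFIG enables OPTION, matching "options OPTION" and
# "options OPTION=value" but not commented-out lines or longer names that
# merely start with OPTION (IPFIREWALL vs IPFIREWALL_VERBOSE).
kernel_has_option() {
    awk -v opt="$2" '
        /^[ \t]*#/ { next }
        $1 == "options" && ($2 == opt || index($2, opt "=") == 1) { found = 1; exit }
        END { exit !found }' "$1"
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/include/netinet" "$demo/sys/netinet"
# constructed: ip_fw.h changed in the kernel tree but was never reinstalled,
# in.h is identical on both sides, ip_dummynet.h exists only in the kernel tree
printf '/* old */\n'       > "$demo/include/netinet/ip_fw.h"
printf '/* new */\n'       > "$demo/sys/netinet/ip_fw.h"
printf '/* unchanged */\n' > "$demo/include/netinet/in.h"
printf '/* unchanged */\n' > "$demo/sys/netinet/in.h"
printf '/* new file */\n'  > "$demo/sys/netinet/ip_dummynet.h"
cat > "$demo/MYKERNEL" <<'EOF'
# constructed kernel config fragment
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE_LIMIT=100
# options       IPDIVERT                #divert sockets
EOF

echo "headers to reinstall before rebuilding ipfw:"
headers_out_of_sync "$demo/include/netinet" "$demo/sys/netinet"
for opt in IPFIREWALL IPDIVERT; do
    if kernel_has_option "$demo/MYKERNEL" "$opt"; then echo "$opt: enabled"; else echo "$opt: missing"; fi
done
```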
From owner-freebsd-ipfw Fri Jan 19 10:35:33 2001
From: "Carlos Andrade"
Subject: upgrading to 4.2 was a bad idea
Date: Fri, 19 Jan 2001 11:30:58 -0700
Message-ID: <000001c08245$f7c34de0$fadef9ce@rjstech.com>

Ipfw was giving the same errors that people have mentioned on this list.
I have not seen any other debate on this anywhere. The FreeBSD web site
has nothing on this. Any ideas why this happened and how it can be fixed?

  ipfw: getsockopt(I{_FW_ADD)): Protocol not available

----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com

From owner-freebsd-ipfw Fri Jan 19 10:40:11 2001
From: Luigi Rizzo
To: carlos@rjstech.com
Cc: ipfw@FreeBSD.ORG
Subject: Re: upgrading to 4.2 was a bad idea
Date: Fri, 19 Jan 2001 10:39:47 -0800 (PST)
Message-Id: <200101191839.f0JIdli07445@iguana.aciri.org>
In-Reply-To: <000001c08245$f7c34de0$fadef9ce@rjstech.com> from Carlos Andrade at "Jan 19, 2001 11:30:58 am"

there is no bug in the system. The errors that people mentioned were
just due to those people not doing the upgrade properly -- i.e.
misalignment between the header files used by the kernel and those used
by userland programs in /usr/include/*/ (specifically netinet/)

cheers
luigi

> Ipfw was giving the same errors that people have mentioned on this list. I
> have not seen any other debate on this anywhere. The FreeBSD web site has
> nothing on this. Any ideas why this happened and how it can be fixed?
> ipfw: getsockopt(I{_FW_ADD)): Protocol not available
>
> ----
> Carlos A. Andrade
> IS Manager
> RJS Technologies
> 915.845.5228 ext 13 915.845.2119 fax
> carlos@rjstech.com

From owner-freebsd-ipfw Fri Jan 19 11:00:46 2001
From: "Chuck Rock"
Subject: RE: upgrading to 4.2 was a bad idea
Date: Fri, 19 Jan 2001 13:00:25 -0600
Message-ID: <001601c0824a$14d666c0$1805010a@epconline.net>
In-Reply-To: <000001c08245$f7c34de0$fadef9ce@rjstech.com>

I get those errors when I don't have IPFIREWALL compiled in the kernel.
It's not compiled in the GENERIC kernel, you have to put it in there and
compile yourself.

Read "configuring a custom kernel" on the FreeBSD web site from the
handbook.

Chuck

> -----Original Message-----
> From: owner-freebsd-ipfw@FreeBSD.ORG
> [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Carlos Andrade
> Sent: Friday, January 19, 2001 12:31 PM
> To: ipfw@FreeBSD.ORG
> Subject: upgrading to 4.2 was a bad idea
>
>
> Ipfw was giving the same errors that people have mentioned on
> this list. I
> have not seen any other debate on this anywhere.
> The FreeBSD web site has
> nothing on this. Any ideas why this happened and how it can be fixed?
> ipfw: getsockopt(I{_FW_ADD)): Protocol not available
>
> ----
> Carlos A. Andrade
> IS Manager
> RJS Technologies
> 915.845.5228 ext 13 915.845.2119 fax
> carlos@rjstech.com

From owner-freebsd-ipfw Sat Jan 20 21:44:05 2001
From: The Babbler
Organization: None to speak of
To: freebsd-ipfw@freebsd.org
Subject: IPSEC tunnelling
Date: Sun, 21 Jan 2001 00:40:37 -0500
Message-ID: <3A6A7655.E428629D@babbleon.org>

I realize that the official charter of this group is to work on the
*new* firewall code, and I'm working at RELEASE, which doesn't qualify,
but I have tried freebsd-questions and been met with overwhelming
silence, and this seems to me to be the closest group, so I hope you
folks will be willing to indulge me. And pointing me at the doc is more
than fine. I've tried searching the www.freebsd.org site, but didn't
find anything relevant there. Of course I can't recall any occasion
when I ever have . . .
Anyway, I'm trying to get my FreeBSD gateway/firewall machine set up so
that it will allow my wife's VPN access to work; this requires IPSEC
packets to get through.

Has anybody done this? Any helpful hints?

I turned on the IPSEC and the tunneling options in the kernel (details
below) and I'm letting "esp" and "udp" packets through (again, details
are below).

FWIW, I tried this in Linux and couldn't ever get it to work; this was a
motivation for trying FreeBSD. It's still not working, but I can at
least follow the network traffic better in FreeBSD, which at least let
me fix my rules. (The rules I used under Linux seem to have been bad.)

At this point, it *looks* from the security logs as if all related
packets are getting through, but the VPN still can't connect so I'm
missing something somewhere. I'm thinking that the forwarding (natd)
rule may be wrong.

My gateway/firewall machine is multiplexing multiple internal-network
machines to a single cable modem connection by using natd. Everything
but this VPN tunnelling seems to be working peachy.

Here's what I'm enabling in the kernel that I believe to be related:

-------------------------------------------------------------------------------
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
options		IPFIREWALL			#firewall
options		IPFIREWALL_VERBOSE		#print information about
# options	IPFIREWALL_FORWARD		#enable transparent proxy support
options		IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
# options	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
options		IPDIVERT			#divert sockets
options		IPSEC				#IP security
options		IPSEC_ESP			#IP security (crypto; define w/ IPSEC)
options		IPSEC_DEBUG			#debug for IP security
-------------------------------------------------------------------------------

And here are the rules that are intended to let the relevant packets
through. fwcmd is ipfw; inet/imask is the inside network; and onet/omask
is the outside network.

-------------------------------------------------------------------------------
ntvpn=any
${fwcmd} add divert natd log udp from ${inet}:${imask} 500 to ${ntvpn} 500
${fwcmd} add accept log udp from ${onet}:${omask} 500 to ${ntvpn} 500
${fwcmd} add accept log udp from ${ntvpn} 500 to ${onet}:${omask} 500
${fwcmd} add accept log udp from ${ntvpn} 500 to ${inet}:${imask} 500
${fwcmd} add divert natd log esp from ${inet}:${imask} 500 to ${ntvpn} 500
${fwcmd} add accept log esp from ${onet}:${omask} 500 to ${ntvpn} 500
${fwcmd} add accept log esp from ${ntvpn} 500 to ${onet}:${omask} 500
-------------------------------------------------------------------------------

--
"Brian, the man from babble-on"                       bts@babbleon.org
Brian T. Schellenberger                               http://www.babbleon.org
Support http://www.eff.org.  Support decss defendants.
Support http://www.programming-freedom.org.  Boycott amazon.com.
From owner-freebsd-ipfw Sat Jan 20 23:24:38 2001
From: "Crist J. Clark"
To: The Babbler
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPSEC tunnelling
Date: Sat, 20 Jan 2001 23:24:21 -0800
Message-ID: <20010120232421.O10761@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <3A6A7655.E428629D@babbleon.org>; from bts@babbleon.org on Sun, Jan 21, 2001 at 12:40:37AM -0500

On Sun, Jan 21, 2001 at 12:40:37AM -0500, The Babbler wrote:
>
> I realize that the official charter of this group is to work on the
> *new* firewall code, and I'm working at RELEASE, which doesn't qualify,
> but I have tried freebsd-questions and been met with overwhelming
> silence, and this seems to me to be the closest group, so I hope you
> folks will be willing to indulge me. And pointing me at the doc is more
> than fine. I've tried searching the www.freebsd.org site, but didn't
> find anything relevant there. Of course I can't recall any occasion
> when I ever have . . .
>
> Anyway, I'm trying to get my FreeBSD gateway/firewall machine set up so
> that it will allow my wife's VPN access to work; this requires IPSEC
> packets to get through.
>
> Has anybody done this? Any helpful hints?

Yes, I have done it. But it depends on the VPN implementation. NAT, the
basic concept, not natd(8), just plain breaks some aspects of IPSEC. If
the VPN you are trying to use enforces a policy that will not work
through NAT... it won't work through NAT. Do you know what the policies
of the VPN are? What do the logs on the client (which you should have
access to) and the server (which you may not have access to) look like?
--
Crist J. Clark                                cjclark@alum.mit.edu
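An added example, neither the poster's script nor Crist's: a generator for the same rule set with two changes that follow from how the protocols work. IKE is UDP port 500 in both directions, but ESP (IP protocol 50) has no port numbers, so the 500 on the esp rules describes nothing; and each inbound flow is diverted to natd before its accept rule, because natd returns the translated packet to be matched against the rules that follow the divert rule. Variable names follow the posted script, the syntax is FreeBSD 4.x ipfw(8), and the addresses in the usage call are constructed.

```shell
#!/bin/sh
# Added example, neither the poster's script nor Crist's: the same rule set
# regenerated with two changes that follow from the protocols. IKE is UDP
# port 500 in both directions; ESP (IP protocol 50) has no ports, so "500"
# on an esp rule describes nothing. Each inbound flow is sent to natd before
# its accept rule, because natd returns the translated packet to be matched
# against the rules that follow the divert rule. Variable names follow the
# posted script; the ipfw(8) syntax is FreeBSD 4.x; addresses in the usage
# call are constructed. What natd can do with ESP, which gives it no ports
# to map, is the VPN-dependent question Crist raises; this block does not
# settle it, it only stops describing ESP as if it had ports.

# Print the ipfw commands for one VPN peer (NTVPN, default "any").
# INET/IMASK: inside network and dotted mask; ONET/OMASK: outside network.
gen_vpn_rules() {
    fwcmd=$1 inet=$2 imask=$3 onet=$4 omask=$5 ntvpn=${6:-any}
    # IKE, outbound: translate the inside source to the outside address,
    # then accept the translated packet
    echo "$fwcmd add divert natd log udp from $inet:$imask 500 to $ntvpn 500"
    echo "$fwcmd add accept log udp from $onet:$omask 500 to $ntvpn 500"
    # IKE, inbound: translate the outside destination back to the inside
    # host, then accept the translated packet
    echo "$fwcmd add divert natd log udp from $ntvpn 500 to $onet:$omask 500"
    echo "$fwcmd add accept log udp from $ntvpn 500 to $inet:$imask 500"
    # ESP, same pattern, protocol only: no port qualifiers
    echo "$fwcmd add divert natd log esp from $inet:$imask to $ntvpn"
    echo "$fwcmd add accept log esp from $onet:$omask to $ntvpn"
    echo "$fwcmd add divert natd log esp from $ntvpn to $onet:$omask"
    echo "$fwcmd add accept log esp from $ntvpn to $inet:$imask"
}

# Usage with constructed addresses (203.0.113.0/24 is documentation space);
# pipe the output to sh on the gateway, or paste it into the firewall script.
gen_vpn_rules ipfw 192.168.1.0 255.255.255.0 203.0.113.7 255.255.255.255
```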