From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 30 06:19:06 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 87F1937B404; Sun, 30 Mar 2003 06:19:06 -0800 (PST)
Received: from icc.cgu.chel.su (gw.csu.ru [195.54.14.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9FC3443FE0; Sun, 30 Mar 2003 06:19:03 -0800 (PST) (envelope-from ilia@cgu.chel.su)
Received: from mail.cgu.chel.su (mail.cgu.chel.su [195.54.14.68]) by icc.cgu.chel.su (8.12.6/8.12.6) with ESMTP id h2UEIxKe075561 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Sun, 30 Mar 2003 20:18:59 +0600 (YEKST) (envelope-from ilia@cgu.chel.su)
Received: from localhost (localhost [127.0.0.1]) by mail.cgu.chel.su (8.12.8/8.12.5) with ESMTP id h2UEIxtP065383; Sun, 30 Mar 2003 20:18:59 +0600 (YEKST) (envelope-from ilia@cgu.chel.su)
Date: Sun, 30 Mar 2003 20:18:53 +0600 (YEKST)
From: "Ilia E. Chipitsine" <ilia@cgu.chel.su>
Message-ID: <20030330201632.R65324-100000@mail.cgu.chel.su>
cc: ipfw@FreeBSD.ORG
Subject: how to aggregate rules using ipfw2 ?
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 30 Mar 2003 14:19:09 -0000

Dear Sirs,

how can I aggregate rules ...

ipfw add allow ip from any to 192.168.0.0/16
ipfw add allow ip from any to 10.0.0.0/8

... into a single rule, probably using the { .. or .. } syntax?
I read the man page and tried a few combinations, but they don't work for me.

Cheers,
Ilia Chipitsine

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 30 14:52:15 2003
Date: Sun, 30 Mar 2003 17:51:23 -0500
From: shatter <max-l@globetrotter.net>
To: ipfw@freebsd.org
Message-id: <003001c2f70e$e3684720$66906e42@localnetinfoz9>
Subject: ipfw help wanted

Hi,

I tried to read the man pages for ipfw and several sites on the internet, and I wasn't able to build a rule set for my system. If someone could help me it would be very appreciated.

I need a rule set that allows port 11011 (ssh), 6667-6668-6669-7000 (ircd) and 53 (my bind server) and blocks everything else. My system will only be used for running an ircd server.

Please help me!

Max Longs
Max-L@Globetrotter.Net

From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 31 01:52:28 2003
Date: Mon, 31 Mar 2003 11:52:25 +0200
From: "Simon L. Nielsen" <simon@trillian.nitro.dk>
To: "Ilia E. Chipitsine"
Message-ID: <20030331095224.GB87902@nitro.dk>
In-Reply-To: <20030330201632.R65324-100000@mail.cgu.chel.su>
cc: ipfw@FreeBSD.ORG
cc: questions@FreeBSD.ORG
Subject: Re: how to aggregate rules using ipfw2 ?

On 2003.03.30 20:18:53 +0600, Ilia E. Chipitsine wrote:
> how can I aggregate rules ...
>
> ipfw add allow ip from any to 192.168.0.0/16
> ipfw add allow ip from any to 10.0.0.0/8
>
> ... into a single rule, probably using the { .. or .. } syntax?
> I read the man page and tried a few combinations, but they don't work for me.

ipfw add allow ip from any to { 192.168.0.0/16 or 10.0.0.0/8 }

should do the trick.

-- 
Simon L. Nielsen

From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 31 11:01:12 2003
Date: Mon, 31 Mar 2003 11:01:11 -0800 (PST)
Message-Id: <200303311901.h2VJ1BQt006989@freefall.freebsd.org>
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2003/01/05] bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/01/15] bin/47120   ipfw   [patch] Sanity check in ipfw(8)

3 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 04:42:28 2003
Date: Thu, 3 Apr 2003 07:42:36 -0500
From: "Sherif Khattab" <skhattab@cs.pitt.edu>
Message-ID: <001001c2f9de$8181d260$a94f8e88@Stanley>
Subject: Queue Size

Hi,

is it possible to query ipfw about the current number of packets inside some queue,
which was created by "ipfw add queue"?

Thanks,
Sherif

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 10:28:52 2003
Date: Thu, 3 Apr 2003 10:28:47 -0800
From: Sereciya Kurdistani <sereciya@kurdistan.ath.cx>
To: freebsd-ipfw@freebsd.org
Message-ID: <20030403182847.GC23675@kurdistan.ath.cx>
Subject: Quick IPFW Question Concerning Sendmail

Hello,

I have a quick question for you ipfw/firewall experts out there.

I have set up an elaborate firewall only to have trouble with Sendmail.

I have opened port 25 incoming, and also allow outgoing to another port 25, but I always find stuck mail when I use "mailq".

Using tcpdump -- and no firewall -- I've found that between the dns lookups and smtp connections there are in fact some auth lookups too.

I opened incoming port 113 and outgoing to 113 but I still have stuck mail!

Any help would be greatly appreciated, many thanks in advance!

-Sereciya Kurdistani

PS
My basic rules look like:

ipfw add NNNN allow \{ tcp or udp \} from any to any smtp,smtps out
ipfw add NNNN allow \{ tcp \} log from any to any smtp,smtps in

ipfw add NNNN allow \{ tcp or udp \} from any to any auth out
ipfw add NNNN allow \{ tcp \} log from any to any auth in

and yes, this is ipfw2 on 4.8-STABLE

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 10:53:40 2003
Date: Thu, 3 Apr 2003 13:53:38 -0500 (EST)
From: Steve Bertrand <iaccounts@northnetworks.ca>
To: Sereciya Kurdistani
In-Reply-To: <20030403182847.GC23675@kurdistan.ath.cx>
Message-ID: <20030403135048.D92663-100000@diana.northnetworks.ca>
cc: freebsd-ipfw@freebsd.org
Subject: Re: Quick IPFW Question Concerning Sendmail

Try allowing access to the sendmail submission port 587/tcp. I honestly don't know if this will help, but it may be worth a shot.

Steve

> Hello,
>
> I have a quick question for you ipfw/firewall experts out there.
>
> I have set up an elaborate firewall only to have trouble with
> Sendmail.
>
> I have opened port 25 incoming, and also allow outgoing to another
> port 25, but I always find stuck mail when I use "mailq".
>
> Using tcpdump -- and no firewall -- I've found that between the
> dns lookups and smtp connections there are in fact some auth
> lookups too.
>
> I opened incoming port 113 and outgoing to 113 but I still have
> stuck mail!
>
> Any help would be greatly appreciated, many thanks in advance!
>
> -Sereciya Kurdistani
>
> PS
> My basic rules look like:
>
> ipfw add NNNN allow \{ tcp or udp \} from any to any smtp,smtps out
> ipfw add NNNN allow \{ tcp \} log from any to any smtp,smtps in
>
> ipfw add NNNN allow \{ tcp or udp \} from any to any auth out
> ipfw add NNNN allow \{ tcp \} log from any to any auth in
>
> and yes, this is ipfw2 on 4.8-STABLE
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 13:53:36 2003
Date: Thu, 3 Apr 2003 23:53:27 +0200
From: jeremie le-hen <le-hen_j@epita.fr>
To: ipfw@freebsd.org
Message-ID: <20030403215327.GJ7538@annelo.epita.fr>
Subject: Implementing ranges in ipfw2

Hi,

I'm going to implement ranges for IPLEN the same way as for transport layer ports (struct _ipfw_insn_u16). But I'm wondering if this kind of test should only be applied to first/only fragments, since a malicious application could use small fragments in order to bypass firewall rules.

I'm waiting for your comments.

-- 
Jeremie aka TtZ
le-hen_j@epita.fr

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 15:55:46 2003
Date: Thu, 3 Apr 2003 17:55:44 -0600
From: "Bruce Betz" <Bruce.Betz@newelsys.com>
Message-ID: <488D20DD55ED2B4F8C298C2877B204B70503C2@www.newelsys.com>
Subject: the pass and deny commands are reversed

I just downloaded and installed FreeBSD 5.0, ran the CVSup, and compiled the kernel with firewall capabilities. The rule commands seem to be reversed.

The way to pass traffic from the server to the world was to add:

ipfw add 0050 deny ip from any to any

Any idea on what code to check?

Bruce...

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 16:42:13 2003
Date: Fri, 04 Apr 2003 10:42:08 +1000
From: Gregory Bond <gnb@itga.com.au>
To: "Bruce Betz"
In-reply-to: Your message of Thu, 03 Apr 2003 17:55:44 -0600.
Message-Id: <200304040042.KAA28376@lightning.itga.com.au>
cc: ipfw@freebsd.org
Subject: Re: the pass and deny commands are reversed

Bruce.Betz@newelsys.com said:
> Any idea on what code to check?

First thing to check is to be double- or triple-sure that the ipfw userland and the kernel are compiled from the same set of sources. I.e. after the cvsup you did a buildworld, installworld, buildkernel, installkernel and reboot (not in that order!)

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 20:01:50 2003
Date: Thu, 3 Apr 2003 19:34:55 -0800
From: Sereciya Kurdistani <sereciya@kurdistan.ath.cx>
To: freebsd-ipfw@freebsd.org
Message-ID: <20030404033455.GA31867@kurdistan.ath.cx>
Subject: Sereciya :: Some thoughts on IPFW(2)

Hello,

I hope that it is not inappropriate or out of place contacting you directly. I would like to thank you for all the effort you put into ipfw, you're greatly simplifying my life! Thank you! Thank you! Thank you!

Before we had the block-style features of ipfw2, we had to make extensive use of the skipto clause to achieve the same functionality; that meant lots and lots of ipfw entries.

Now, instead of having to do:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ipfw add 10001 skipto 10012 all from ${myhost} to not ${myhost} out via ${oif_1}
ipfw add 10011 skipto 10020 all from any to any
ipfw add 10012 allow ah from any to any rtsp out via ${oif_1}
ipfw add 10013 allow udp from any to any rtsp out via ${oif_1}
ipfw add 10014 allow tcp from any to any rtsp out via ${oif_1}
ipfw add 10021 ...

We can finally do:
^^^^^^^^^^^^^^^^^^

ipfw add 10011 skipto 10013 all from ${myhost} to not ${myhost} out via ${oif_1}
ipfw add 10012 skipto 10020 all from any to any out via ${oif_1}
ipfw add 10013 allow \{ ah or udp or tcp \} from any to any rtsp out via ${oif_1}
ipfw add 10021 ...

Additionally, I have one comment, and one question/request.

Comment:
^^^^^^^^

Unlike the documentation in the manpage*, the following syntax -- defined block/portnumber list/block -- is not correct:

ipfw add NNNN allow tcp from some_ip to another_ip \{ port_num1, portnum2 \}

I have found that when using port numbers, the brackets {}'s or ()'s will cause an error; it does work if you omit them.

*I'm tracking 4.7 STABLE, I'm currently up to 4.8-RC

Request/Question:
^^^^^^^^^^^^^^^^^

Something that would be extremely useful would be support for an implied "and" clause... Imagine using:

ipfw add 10011 allow \{ ah or udp or tcp \} from ${myhost} to \{ not ${myhost} \} rtsp out via ${oif_1}

Instead of:

ipfw add 10011 skipto 10013 all from ${myhost} to not ${myhost} out via ${oif_1}*
ipfw add 10012 skipto 10020 all from any to any out via ${oif_1}
ipfw add 10013 allow \{ ah or udp or tcp \} from any to any rtsp out via ${oif_1}
ipfw add 10021 ...

*For those who are paranoid and want to make sure that a packet is not coming back to the originating host...
(I know rtsp is a bad example, imagine this with dns, or ssh or something else if you so choose ;)

Also...
^^^^^^^

I know that there was an instance where I would have found support for an "and" clause within the definition blocks -- for instance a list of ip addresses -- very useful; however, unfortunately I can not remember it!

ipfw add 10013 allow \{ ah or udp or tcp \} from ${myhost} to \{ ${somehost} and ${anotherhost} \} out via ${oif_1}

I am certain that this would cut down on some skipto's somewhere.

Once again, thank you for all your efforts on ipfw. We are all very appreciative ;)

-Sereciya Kurdistani

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 23:28:09 2003
Date: Thu, 3 Apr 2003 23:28:06 -0800
From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: Sereciya Kurdistani
Message-ID: <20030403232806.A58813@xorpc.icir.org>
In-Reply-To: <20030404033455.GA31867@kurdistan.ath.cx>; from sereciya@kurdistan.ath.cx on Thu, Apr 03, 2003 at 07:34:55PM -0800
cc: freebsd-ipfw@freebsd.org
Subject: Re: Sereciya :: Some thoughts on IPFW(2)

hi,

> Unlike the documentation in the manpage*, the following syntax -- defined
> block/portnumber list/block -- is not correct:
>
> ipfw add NNNN allow tcp from some_ip to another_ip \{ port_num1, portnum2 \}

i do not believe this form is in the manpage, you certainly need an "or" operator in a brace-enclosed block.

> Something that would be extremely useful would be support for an implied "and" clause...

there has always been an implicit AND between all components of ipfw rules, either single match operations ("from xxx") or or-blocks ("{ iplen 30 or src-port 100-200 }")

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 23:33:14 2003
Date: Thu, 3 Apr 2003 23:33:03 -0800
From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: jeremie le-hen
Message-ID: <20030403233303.B58813@xorpc.icir.org>
In-Reply-To: <20030403215327.GJ7538@annelo.epita.fr>; from le-hen_j@epita.fr on Thu, Apr 03, 2003 at 11:53:27PM +0200
cc: ipfw@freebsd.org
Subject: Re: Implementing ranges in ipfw2

i would just implement the iplen check, there is another option which deals with fragments and can be used in conjunction with this one if needed. Also a different handling of fragments (when talking of size) makes little sense because one could always force a small MTU to generate short packets.

The reason people are generally concerned with fragments is that the protocol-specific information (port numbers etc) is not available in fragments past the first one, but the length information is in the IP header anyway.

cheers
luigi

On Thu, Apr 03, 2003 at 11:53:27PM +0200, jeremie le-hen wrote:
> Hi,
>
> I'm going to implement ranges for IPLEN the same way as for transport
> layer ports (struct _ipfw_insn_u16). But I'm wondering if this kind of test
> should only be applied to first/only fragments, since a malicious application
> could use small fragments in order to bypass firewall rules.
>
> I'm waiting for your comments.
> -- 
> Jeremie aka TtZ
> le-hen_j@epita.fr

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 4 07:48:20 2003
Date: Fri, 4 Apr 2003 07:48:17 -0800
From: Sereciya Kurdistani <sereciya@kurdistan.ath.cx>
To: freebsd-ipfw@freebsd.org
Message-ID: <20030404154817.GA3721@kurdistan.ath.cx>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F1F3CC3@exchange.wanglobal.net>
Subject: Re: IPFW stateful deny question

Sten,

> Thank you for responding!
>
> What I was after was a firewall setup that could block potential hackers for the
> duration of a stateful rule life period when they tried to portscan certain services.
>
> Say if someone tried to access port 80 on box 1.2.3.4 it would match by a firewall rule
> And a stateful deny rule would be setup that would deny all IP packets from that someone.

In that case... you're going to have to set up some kind of check where -- through a number of skipto's -- *if* packets coming from a particular ip source matched all the previous skiptos, then the port would be closed; very very complicated.

I'm guessing it would have to look something like:

ipfw add 1001 check-state
ipfw add 1002 skipto 1004 all from any to any ftp in via ${oif_1} #keep-state?
*ipfw add 1003 skipto 65535 all from any to any in via ${oif_1}
ipfw add 1004 skipto 1006 all from any to any ssh in via ${oif_1} #keep-state?
*ipfw add 1005 skipto 65535 all from any to any in via ${oif_1}
ipfw add 1006 skipto 1008 all from any to any http,https in via ${oif_1} keep-state

*Using the skipto's to keep another packet that did not match the previous checks from jumping in. All packets that hit the keep-state must have passed by *all* previous skiptos.

Hope that helps Sten, that's the best I can do at the moment ;) You have certainly started me thinking about a solution, Good Luck!

-Sereciya Kurdistani

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 4 09:47:57 2003
Date: Fri, 4 Apr 2003 19:45:35 +0200
From: "Erik Paulsen Skålerud" <erik@pentadon.com>
Message-ID: <001301c2fad1$ff7fce30$0a00000a@yes.no>
Subject: Prioritizing empty TCP ACKs

Does anyone know if this can be done with ipfw and dummynet?

http://www.benzedrine.cx/ackpri.html

Erik.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 4 10:14:31 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8727E37B404 for ; Fri, 4 Apr 2003 10:14:31 -0800 (PST) Received: from kurdistan.ath.cx (adsl-64-163-110-168.dsl.chic01.pacbell.net [64.163.110.168]) by mx1.FreeBSD.org (Postfix) with ESMTP id 844CA43FD7 for ; Fri, 4 Apr 2003 10:14:30 -0800 (PST) (envelope-from sereciya@kurdistan.ath.cx) Received: from kurdistan.ath.cx (ns1 [127.0.0.1]) by kurdistan.ath.cx (8.12.8/8.12.6) with ESMTP id h34IETQU019132; Fri, 4 Apr 2003 10:14:29 -0800 (PST) (envelope-from sereciya@kurdistan.ath.cx) Received: (from sereciya@localhost) by kurdistan.ath.cx (8.12.8/8.12.6/Submit) id h34IESeY019131; Fri, 4 Apr 2003 10:14:28 -0800 (PST) Date: Fri, 4 Apr 2003 10:14:28 -0800 From: Sereciya Kurdistani To: freebsd-ipfw@freebsd.org Message-ID: <20030404181428.GA19093@kurdistan.ath.cx> References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030403135048.D92663-100000@diana.northnetworks.ca> User-Agent: Mutt/1.4i Subject: Re: Sereciya :: Quick IPFW Question Concerning Sendmail X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2003 18:14:31 -0000 Hello Steve, Hello Everybody, I was having some trouble earlier with my firewall setup w/ sendmail (original question/posting below); I believe I have -- more-or-less -- solved the problem. > > Hello, > > > > I have a quick question for you ipfw/firewall experts out there. > > > > I've have set up an elaborate firewall only to have trouble with > > Sendmail. 
> > > > I have opened port 25 incoming, and also allow outgoing to another > > port 25, but I always find stuck mail when I use "mailq". > > > > Using tcpdump -- and no firewall -- I've found that between the > > dns lookups and smtp connections there are in fact some auth > > lookups too. > > > > I opened incoming port 113 and outgoing to 113 but I still have > > stuck mail! > > > > Any help would be greately appreciated, many thanks in advance! > > > > -Sereciya Kurdistani > > > > PS > > My basic rules look like: > > > > ipfw add NNNN allow \{ tcp or udp \} from any to any smtp,smtps out > > ipfw add NNNN allow \{ tcp \} log from any to any smtp,smtps in > > > > ipfw add NNNN allow \{ tcp or udp \} from any to any auth out > > ipfw add NNNN allow \{ tcp \} log from any to any auth in > > > > and yes, this is ipfw2 on 4.8-STABLE Here is what happens... Your mail client, on a high port 1024-65535, makes a connection to the remote server on port 25, Sendmail. Various connections are made back to your orignation high ports from the remote server, port 25. I'll toss in a dns lookup or two here... (outgoing) Somewhere here, you make a connection to the remote server, port 113, auth. ( I've noticed that the remote server does *not* need to connect to your auth port, you do not need to open it; this is a perfect canidate for a stateful rule... ) Then... the remote server makes a connection from a low port 1-1024 to your high port 1024-65535. The following rules seem to work: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ allow log { udp or tcp } from any to any dst-port 25,113,465 out via tun0 allow log tcp from any to any dst-port 25,113,465 in via tun0 check-state allow log tcp from any 1-1024,1024-65535 to any dst-port 1024-65535,1-1024 out via tun0 keep-state allow log tcp from any 1-1024 to any dst-port 1024-65535 in via tun0 vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv If anybody has a better explanation, please let me know. 
I'm working on trial-and-error ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ here, mostly error ;) TIA -Sereciya Kurdistani PS Who says "count" is not a useful feature in ipfw? From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 5 03:24:06 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6489537B401 for ; Sat, 5 Apr 2003 03:24:06 -0800 (PST) Received: from mout0.freenet.de (mout0.freenet.de [194.97.50.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0ACAC43F85 for ; Sat, 5 Apr 2003 03:24:05 -0800 (PST) (envelope-from ino-qc@spotteswoode.de.eu.org) Received: from [194.97.50.136] (helo=mx3.freenet.de) by mout0.freenet.de with asmtp (Exim 4.14) id 191lmF-0005Je-LX for freebsd-ipfw@FreeBSD.ORG; Sat, 05 Apr 2003 13:24:03 +0200 Received: from p3e9baa91.dip.t-dialin.net ([62.155.170.145] helo=spotteswoode.dnsalias.org) by mx3.freenet.de with asmtp (ID inode@freenet.de) (Exim 4.14 #2) id 191lmF-00013Q-Az for freebsd-ipfw@FreeBSD.ORG; Sat, 05 Apr 2003 13:24:03 +0200 Received: (qmail 2717 invoked by uid 0); 5 Apr 2003 11:24:02 -0000 Date: 5 Apr 2003 13:24:02 +0200 Message-ID: From: "clemens fischer" To: "Erik Paulsen =?iso-8859-15?q?Sk=E5lerud?=" In-Reply-To: <001301c2fad1$ff7fce30$0a00000a@yes.no> ("Erik Paulsen =?iso-8859-15?q?Sk=E5lerud"'s?= message of "Fri, 4 Apr 2003 19:45:35 +0200") References: <001301c2fad1$ff7fce30$0a00000a@yes.no> User-Agent: Gnus/5.090017 (Oort Gnus v0.17) Emacs/21.3.50 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=latin-iso8859-9 Content-Transfer-Encoding: 8bit cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: Prioritizing empty TCP ACKs X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2003 11:24:06 -0000 "Erik Paulsen Skålerud" : > Does 
anyone know if this can be done with ipfw and dummynet? > > http://www.benzedrine.cx/ackpri.html how about reading this article to the end, where a link is included to further information about the exact question you asked? clemens From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 5 03:57:46 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF4AB37B401 for ; Sat, 5 Apr 2003 03:57:46 -0800 (PST) Received: from thufir.bluecom.no (thufir.bluecom.no [217.118.32.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA79C43FA3 for ; Sat, 5 Apr 2003 03:57:45 -0800 (PST) (envelope-from erik@pentadon.com) Received: from erik (tromso-dhcp-234-175.bluecom.no [62.101.234.175]) by thufir.bluecom.no (Postfix) with ESMTP id E18B450EDBF; Sat, 5 Apr 2003 13:57:43 +0200 (CEST) From: "Erik Paulsen Skålerud" To: "'clemens fischer'" Date: Sat, 5 Apr 2003 13:55:49 +0200 Message-ID: <007001c2fb6a$4d276dd0$0a00000a@yes.no> X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 In-Reply-To: Importance: Normal cc: freebsd-ipfw@FreeBSD.ORG Subject: RE: Prioritizing empty TCP ACKs X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2003 11:57:47 -0000 > how about reading this article to the end, where a link is > included to further information about the exact question you asked? Gee! A link to luigis page about dummynet? No, I havent been there to look, for sure! Gee, thanks! Wooaaa!. 
> clemens > From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 5 05:50:58 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C38CC37B401 for ; Sat, 5 Apr 2003 05:50:58 -0800 (PST) Received: from accord.grasslake.net (accord.grasslake.net [209.98.56.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6189043FAF for ; Sat, 5 Apr 2003 05:50:57 -0800 (PST) (envelope-from swb@grasslake.net) Received: from twinstar (twinstar.grasslake.net [192.168.1.2]) by accord.grasslake.net (8.12.9/8.12.9) with SMTP id h35DZGMa010519 for ; Sat, 5 Apr 2003 07:35:21 -0600 (CST) (envelope-from swb@grasslake.net) Message-ID: <00b301c2fb7a$218b14a0$0201a8c0@twinstar> From: "Shawn Barnhart" To: Date: Sat, 5 Apr 2003 07:49:03 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Subject: fwd and bridging X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2003 13:50:59 -0000 The manpage states that fwd rules (like for transparent proxying) will not match bridged packets. Will they ever, or is there some fundamental reason they can't? 
From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 5 09:49:00 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8169437B401 for ; Sat, 5 Apr 2003 09:49:00 -0800 (PST) Received: from kurdistan.ath.cx (adsl-64-163-110-168.dsl.chic01.pacbell.net [64.163.110.168]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8501F43FA3 for ; Sat, 5 Apr 2003 09:48:59 -0800 (PST) (envelope-from sereciya@kurdistan.ath.cx) Received: from kurdistan.ath.cx (ns1 [127.0.0.1]) by kurdistan.ath.cx (8.12.8/8.12.6) with ESMTP id h35HmsQU054058; Sat, 5 Apr 2003 09:48:56 -0800 (PST) (envelope-from sereciya@kurdistan.ath.cx) Received: (from sereciya@localhost) by kurdistan.ath.cx (8.12.8/8.12.6/Submit) id h35HmrGi054003; Sat, 5 Apr 2003 09:48:53 -0800 (PST) Date: Sat, 5 Apr 2003 09:48:53 -0800 From: Sereciya Kurdistani To: freebsd-ipfw@freebsd.org Message-ID: <20030405174853.GA94738@kurdistan.ath.cx> References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=unknown-8bit Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20030403135048.D92663-100000@diana.northnetworks.ca> User-Agent: Mutt/1.4i Subject: Re: Quick IPFW Question Concerning Sendmail X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2003 17:49:00 -0000 Earlier... > > Hello, > > > > I have a quick question for you ipfw/firewall experts out there. > > > > I've have set up an elaborate firewall only to have trouble with > > Sendmail. > > > > I have opened port 25 incoming, and also allow outgoing to another > > port 25, but I always find stuck mail when I use "mailq". 
> > > > Using tcpdump -- and no firewall -- I've found that between the > > dns lookups and smtp connections there are in fact some auth > > lookups too. > > > > I opened incoming port 113 and outgoing to 113 but I still have > > stuck mail! > > > > Any help would be greately appreciated, many thanks in advance! > > > > -Sereciya Kurdistani > > > > PS > > My basic rules look like: > > > > ipfw add NNNN allow \{ tcp or udp \} from any to any smtp,smtps out > > ipfw add NNNN allow \{ tcp \} log from any to any smtp,smtps in > > > > ipfw add NNNN allow \{ tcp or udp \} from any to any auth out > > ipfw add NNNN allow \{ tcp \} log from any to any auth in > > Later I found out that I had to allow connections to my high port from outside low ports incoming: ipfw allow tcp from any 1-1024 to any 1025-65535 in via ${oif_1}... The reason for this was that I forgot to add a "keep-state" ;)) Here's my final solution: vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv ipfw add NNNN check-state ipfw add NNNN allow { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state ipfw add NNNN allow log tcp from any to any dst-port smtp,smtps in via tun0 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This way, you don't have to allow any ports open for any incoming traffic not matched by the stateful rules, ;) -- +--------------------------------------------------------------+ | Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî | | Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me | | nêzîk e. | | | | Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin | | Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan | | kesên xwînperest, ne jî ji yên din. | | | | -Sêrêciya Kurdistanî | +--------------------------------------------------------------+
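The check-state / keep-state behaviour behind this final ruleset (and the trial rules in the earlier message of this thread), as an added example that is not part of the list posts: a small Python model of how ipfw2 dynamic rules let the SMTP and auth replies back in without the "allow tcp from any 1-1024 to any 1025-65535 in" hole. The local and remote addresses, the high ports and the `MailFirewall` class are constructed for the example; it ignores `via tun0`, `log` and rule numbers.

```python
# Added example (not from the list posts): a small model of ipfw2 check-state /
# keep-state matching for the three-rule Sendmail solution above. It ignores
# "via tun0", "log" and rule numbers, and models dynamic rules as a table of
# 5-tuples matched in both directions, which is what the ruleset relies on.
# Addresses and ports are constructed (RFC 5737 test nets).
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport direction")  # direction: in/out

ME = "192.0.2.10"                  # constructed local address on tun0
KEEP_STATE_PORTS = {25, 113, 465}  # smtp, auth, smtps
INBOUND_PORTS = {25, 465}          # smtp, smtps

class MailFirewall:
    def __init__(self):
        self.dynamic = set()  # dynamic rules created by keep-state

    def check(self, p):
        """Walk the ruleset top to bottom and return the action taken."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # ipfw add NNNN check-state
        if fwd in self.dynamic or rev in self.dynamic:
            return "allow (check-state)"
        # ipfw add NNNN allow { udp or tcp } from any to any
        #              dst-port smtp,auth,smtps out via tun0 keep-state
        if p.direction == "out" and p.proto in ("tcp", "udp") \
                and p.dport in KEEP_STATE_PORTS:
            self.dynamic.add(fwd)
            return "allow (keep-state)"
        # ipfw add NNNN allow log tcp from any to any dst-port smtp,smtps in via tun0
        if p.direction == "in" and p.proto == "tcp" and p.dport in INBOUND_PORTS:
            return "allow"
        return "deny"  # nothing matched: the ruleset's default deny

def outbound_mail_trace(remote="198.51.100.7", high_port=49152):
    """SMTP from a high port, the auth (113) lookup, the remote's replies coming
    back in, then an unsolicited inbound auth probe and a normal inbound SMTP."""
    fw = MailFirewall()
    return [
        fw.check(Pkt("tcp", ME, high_port, remote, 25, "out")),        # keep-state
        fw.check(Pkt("tcp", remote, 25, ME, high_port, "in")),         # reply: state
        fw.check(Pkt("tcp", ME, high_port + 1, remote, 113, "out")),   # keep-state
        fw.check(Pkt("tcp", remote, 113, ME, high_port + 1, "in")),    # reply: state
        fw.check(Pkt("tcp", remote, 40000, ME, 113, "in")),            # deny
        fw.check(Pkt("tcp", remote, 33000, ME, 25, "in")),             # allow
    ]
```

The fifth packet is the case the thread turns on: an inbound connection to port 113 that no local client initiated is denied, while the reply to the locally initiated auth lookup is let back in by the dynamic rule.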