Date:      Fri, 24 Jun 2005 09:21:26 -0400
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "Lupe Christoph" <lupe@lupe-christoph.de>
Cc:        ports@freebsd.org
Subject:   RE: FreeBSD Port: doorman-0.8
Message-ID:  <MIEPLLIBMLEEABPDBIEGMEIKHHAA.fbsd_user@a1poweruser.com>
In-Reply-To: <1119600047.42bbbdafe55ad@buexe.b-5.de>



You wrote

Even more would I appreciate if you were able to test doormand with
ipfw.
I don't have the time to set up infrastructure to do this test.

I reply.

Let's collaborate. I have a work bench infrastructure where I can
test doorman with all 3 of the FreeBSD built-in firewalls IPF, IPFW,
and PF.

I have completed testing using IPF. I changed the ipf_add script and
added new comments. I am sending it to you as an attached file.

I also found a problem with the file permissions as installed by the
port. The file permissions have to be read, write, exec for owner
only. Owner has to be root, not just for the files in
/usr/local/etc/doormand but also for doormand, knock, and .knockcf.

This afternoon I will run through the testing of PF and then IPFW.
All 3 firewalls are based on the sample firewall files contained in
the handbook firewall section. I will keep you informed of any
changes I make to the firewall add scripts.

I also experienced some problems with the knock program and how it
processes the .knockcf file. After I document the problem can you fix
it or should I report it to the doorman group at the sourceforge
project?





Attachment: ipf_add.before_block

#!/bin/sh
#
# *********************************************************************
# This script is designed to work using the IPFilter sample rule set
# (/etc/ipf.rules) from the FreeBSD handbook IPF firewall section.
# The sample rule set contains an explicit block all rule that marks the
# end of the outbound section and the end of the inbound section.
#
# The script will scan the in-core rules for the 2 explicit block rules,
# and use their rule numbers to insert the temporary firewall rules to
# pass doorman approved services.
#
# The script will insert its rules before the block rule found by the scan.
# The block rules are expected to look like the content filling the
# $inblock and $outblock variables defined below. You must use the
# ipfstat -ion command to display what the rules look like in core
# because that is the form of the rule the scan will match on.
#
# You can modify the content filling the $inblock and $outblock variables
# with the ipfstat -ion listed rule content of the rule location where
# you want the doorman temporary firewall rules inserted before.
# This allows you to customize this script to work with your personal
# firewall rules file.
#
# Note that it does not use locking, so concurrent accesses may
# interfere with each other.
# *********************************************************************
#
#  file "ipf_add.before_block"
#  IPFilter add script, called by "doormand".
#  This adds a "pass in quick" and a "pass out quick" rule to the firewall.
#
#  Called with five arguments:
#
# $1 : name of the interface (e.g. ne0)
# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
# $3 : source port; when this script is called for the first time
#      for a connection (man 8 doormand), this argument will be set
#      to a single "0" (0x30) character.  This means that the source
#      port is not yet known, and a broad rule allowing any source
#      port is required.
# $4 : destination IP; that is, the IP address of the interface
#      in argument 1.
# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
#

# This script expects the IPFilter ruleset to have two rules like this:
outblock="block out log first quick on $1 from any to any"
inblock="block in log quick on $1 from any to any"
# The new rules will be inserted just before these blocking rules.

# $3 is quoted so an empty argument cannot break the test.
if [ "$3" = 0 ]; then
     inrule="pass in  quick on $1 proto TCP from $2           to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
else
     inrule="pass in  quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
fi

#
# acquire lock (not implemented)
#

# Find the rule numbers of the block rules ("@N" prefix in ipfstat output).
inruleno=`ipfstat -in | sed -n -e "s/@\([0-9]*\) $inblock/\1/p"`
outruleno=`ipfstat -on | sed -n -e "s/@\([0-9]*\) $outblock/\1/p"`

# Report in the script's own "-1 3 <message>" failure form if either block
# rule was not found; otherwise ipf would be fed a bare "@ pass ..." line.
if [ -z "$inruleno" ] || [ -z "$outruleno" ]; then
    echo -1 3 "block rule not found; compare \$inblock/\$outblock with ipfstat -ion output"
    exit 0
fi

# Insert new rules.
ret=`(echo @$inruleno $inrule; echo @$outruleno $outrule) | /sbin/ipf -f - 2>&1`

#
# release lock (not implemented)
#

# doormand reads the result from stdout: 0 on success, -1 3 <message> on failure.
if [ -z "$ret" ]; then
    echo 0
else
    echo -1 3 $ret
fi

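The rule-number scan and rule construction that ipf_add.before_block performs can be exercised offline against a constructed ipfstat listing. This is an added example, not code from the message or from the doorman project; the listing, interface names, addresses and function names are assumptions, and no live IPFilter is needed.

```shell
#!/bin/sh
# Added example (not from doorman or this thread): replays the scan that
# ipf_add.before_block does on `ipfstat -in`, using a constructed listing.

# Constructed stand-in for `ipfstat -in` output. The "@N" prefix is what the
# scan keys on; the text after it must match $inblock exactly.
SAMPLE_IPFSTAT_IN='@1 pass in quick on lo0 from any to any
@2 block in quick on dc0 from 192.168.0.0/16 to any
@3 pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
@4 block in log quick on dc0 from any to any'

# find_block_ruleno IFACE LISTING: prints the @N number of the inbound
# block rule for IFACE (same sed pattern as the script), or nothing if absent.
find_block_ruleno() {
    inblock="block in log quick on $1 from any to any"
    printf '%s\n' "$2" | sed -n -e "s/@\([0-9]*\) $inblock/\1/p" | head -n 1
}

# build_inrule IFACE SRCIP SRCPORT DSTIP DSTPORT: the "pass in" rule, in the
# broad any-source-port form when SRCPORT is the single "0" doormand sends
# for the first call of a connection.
build_inrule() {
    if [ "$3" = 0 ]; then
        echo "pass in quick on $1 proto TCP from $2 to $4 port = $5"
    else
        echo "pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
    fi
}

# insertion_line IFACE SRCIP SRCPORT DSTIP DSTPORT LISTING: the exact line
# that would be piped to `ipf -f -`, prefixed with @N so it lands before the
# block rule. Returns 1 and prints nothing when no block rule matches, which
# is the case an unchecked scan would turn into a bare "@ pass ..." line.
insertion_line() {
    n=$(find_block_ruleno "$1" "$6")
    [ -n "$n" ] || return 1
    echo "@$n $(build_inrule "$1" "$2" "$3" "$4" "$5")"
}

# Constructed knock client 10.0.0.5, first call (source port unknown), ssh.
insertion_line dc0 10.0.0.5 0 192.0.2.1 22 "$SAMPLE_IPFSTAT_IN"
```

Running it prints "@4 pass in quick on dc0 proto TCP from 10.0.0.5 to 192.0.2.1 port = 22", the line the real script would hand to ipf.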



