From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 7 11:02:26 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 255D216A4F5 for ; Mon, 7 Jun 2004 11:02:26 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 21C6443D45 for ; Mon, 7 Jun 2004 11:02:26 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i57B2LFp043837 for ; Mon, 7 Jun 2004 11:02:21 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i57B2L8V043831 for ipfw@freebsd.org; Mon, 7 Jun 2004 11:02:21 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 7 Jun 2004 11:02:21 GMT
Message-Id: <200406071102.i57B2L8V043831@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 07 Jun 2004 11:02:26 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] misc/63724  ipfw   IPFW2 Queues dont t work
o [2004/03/14] kern/64240  ipfw   IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw   [patch] make "ipfw tee" work as intended
o [2004/02/09] kern/62598  ipfw   no logging on ipfw loadable module
o [2004/03/09] kern/63961  ipfw   ipfw2 uid matching doesn't work correctly

13 problems total.
From: "Marcos Martins"
Date: Mon, 7 Jun 2004 12:15:09 -0300
Subject: What's is?

Hello guys,

What are "setup", "established", "flush" and "keep-state"? I don't understand these commands. Can somebody help me?

Thanks,
Marcos Martins

Message-ID: <40C4988C.6010208@mac.com>
Date: Mon, 07 Jun 2004 12:32:12 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
To: Marcos Martins
cc: freebsd-ipfw@freebsd.org
Subject: Re: What's is?

Marcos Martins wrote:
> Hello guys,
>
> What are "setup", "established", "flush" and "keep-state"? I don't understand
> these commands. Can somebody help me?

The O'Reilly book "Building Internet Firewalls" would be a very good starting place for you to read. Failing that, consider RFC 791 through RFC 793, which talk about the IP and TCP protocols...

--
-Chuck
From: "JJB"
Date: Tue, 8 Jun 2004 22:59:22 -0400
In-Reply-To: <20040603090004.fsp0rm3wehw0k8@.mailhost.wsf.at>
cc: "freebsd-questions@FreeBSD. ORG"
Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Reply-To: Barbish3@adelphia.net

Thanks for your example. I have finally had time to study it and I see the flaw in it.

The example works fine for creating the entry in the dynamic table for the setup of keep-state inbound and outbound session start requests. It even handles inbound packets that are part of established session conversations, but for established outbound session conversations the check-state rule releases the packet before it has been NATed. Therein lies the flaw.

Do you have any suggestions on how to correct this?

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Thomas Wolf
Sent: Thursday, June 03, 2004 3:00 AM
To: Barbish3@adelphia.net; freebsd-ipfw@freebsd.org
Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?

JJB wrote:

> Where do you get off calling my questioning of Luigi Rizzo's answer
> an attack.
> I have heard that party line statement all too often over the last 4
> years, with no backup proof. That party line canned answer may be
> sufficient for the original thread poster who has not invested the
> time yet to come to the realization that it does not work.
> My post to the thread was meant to bring this problem out so the
> experts can look into it and take corrective actions.

This should work although some features are missing (loopback, anti-spoofing, identd..):

#!/bin/sh
log="log"
cmd="ipfw add"
allow="skipto 10000"
oif=rl0
good_tcp="22,25,53,80,443,110"
good_udp="53"
good_icmp="icmptypes 0,3,8,11,12"
ipfw -f flush

# inbound packets go through natd first, so the rules below see internal addresses
$cmd 100 divert natd ip from any to any in via $oif
# a check-state match runs the action of the rule that created the state (skipto 10000)
$cmd 105 check-state
$cmd 110 $allow icmp from any to any $good_icmp
$cmd 120 $allow udp from any to any $good_udp out keep-state
$cmd 130 $allow tcp from any to any $good_tcp out setup keep-state
$cmd 140 deny $log ip from any to any
# outbound packets are NATed after the policy rules, then passed
$cmd 10000 divert natd ip from any to any out via $oif
$cmd 10010 allow ip from any to any
$cmd 10020 deny ip from any to any

Thomas

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

Date: Wed, 9 Jun 2004 07:12:34 -0000
To: Barbish3@adelphia.net, freebsd-ipfw@freebsd.org, tw@wsf.at
From: Thomas Wolf
Message-ID: <20040609091234.fsoyaxik9m8sco@.mailhost.wsf.at>
cc: "freebsd-questions@FreeBSD. ORG"
Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Reply-To: tw@wsf.at

JJB wrote:
> Thanks for your example. I have finally had time to study it
> and I see the flaw in it.
>
> The example works fine for creating the entry in the dynamic table
> for the setup of keep-state inbound and outbound session start requests.
> It even handles inbound packets that are part of established
> session conversations, but for established outbound session conversations
> the check-state rule releases the packet before it has been NATed.

No. 'check-state' does not unconditionally release a packet but performs the 'action' part of the rule that installed the dynamic rule - in our case 'skipto 10000', where it gets NATed.

> Therein lies the flaw.
>
> Do you have any suggestions on how to correct this?

Have you tried the script, and did it really fail? I just double-checked and it works fine on my system.

Thomas

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
From: "El DaEm0n"
To: freebsd-ipfw@freebsd.org
Date: Thu, 10 Jun 2004 22:09:57 +0000
Subject: ipfw

Hi everyone, I'm a newbie in IPFW and I have a problem, so I will explain it to you:

I'm running phpnuke on my web server.

Before, I could send mails automatically from my server using sendmail when users registered in the portal, but after I installed IPFW the messages do not leave.

These are my rules:

deny icmp from any to me icmptypes 8
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
allow ip from any to any
deny ip from any to any

And I added this to my kernel:

options RANDOM_IP_ID
options TCP_DROP_SYNFIN
options IPSTEALTH

Can somebody help me and tell me how I can fix this problem?
Thanks
From: Jose Hidalgo Herrera
To: El DaEm0n
Organization: Corp. Hosta Rica
Message-Id: <1086905661.30184.2.camel@jose.hostarica.net>
Date: Thu, 10 Jun 2004 16:14:21 -0600
cc: freebsd-ipfw@freebsd.org
cc: jose@hostarica.com
Subject: Re: ipfw
Reply-To: jose@hostarica.com

Why do you deny traffic from and to 127/8?
If you are worried about somebody using those addresses, do this:

allow ip from any to any via lo0
deny log ip from 127/8 to any
deny log ip from any to any

and then:
allow ip from any to any

On Thu, 2004-06-10 at 16:09, El DaEm0n wrote:
> Hi everyone, I'm a newbie in IPFW and I have a problem, so I will explain it to you:
>
> I'm running phpnuke on my web server.
>
> Before, I could send mails automatically from my server using sendmail
> when users registered in the portal, but after I installed IPFW the
> messages do not leave.
>
> These are my rules:
>
> deny icmp from any to me icmptypes 8
> deny ip from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
> allow ip from any to any
> deny ip from any to any
>
> And I added this to my kernel:
>
> options RANDOM_IP_ID
> options TCP_DROP_SYNFIN
> options IPSTEALTH
>
> Can somebody help me and tell me how I can fix this problem?
> Thanks

0100101001001000
Jose Hidalgo.
Sr. IS Analyst/Sr. Unix® SysAdmin
T: +506.256.5021 x171
F: +506.256.4334
Toll free: 1.888.451.0125 x171
E: jose@hostarica.com
Hostarica - Managed Collocation
www.hostarica.com
From: Jose Hidalgo Herrera
To: El DaEm0n
In-Reply-To: <1086905661.30184.2.camel@jose.hostarica.net>
References: <1086905661.30184.2.camel@jose.hostarica.net>
Organization: Corp. Hosta Rica
Message-Id: <1086905909.30184.4.camel@jose.hostarica.net>
Date: Thu, 10 Jun 2004 16:18:30 -0600
cc: freebsd-ipfw@freebsd.org
cc: jose@hostarica.com
Subject: Re: ipfw
Reply-To: jose@hostarica.com

On Thu, 2004-06-10 at 16:14, Jose Hidalgo Herrera wrote:
> Why do you deny traffic from and to 127/8?
> If you are worried about somebody using those addresses, do this:
>
> allow ip from any to any via lo0
> deny log ip from 127/8 to any
> deny log ip from any to any

Sorry, I meant

deny log ip from any to 127/8

>
> and then:
> allow ip from any to any
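Two threads above turn on the same ipfw semantics: Thomas Wolf's point that a 'check-state' match re-runs the action of the rule that created the dynamic state (so an established outbound packet still reaches the 'skipto 10000' / 'divert natd' rules), Marcos's question about what 'setup' and 'keep-state' do, and Jose Hidalgo's advice to pass 'via lo0' traffic before the 127/8 denies so that local sendmail delivery is not blocked. The following is an added example, my own code and not ipfw, natd or anything the posters wrote: a small Python model of first-match rule evaluation with 'setup', 'keep-state', 'check-state', 'skipto' and 'divert natd', fed with Thomas's ruleset (shell variables expanded) and with Jose's corrected ordering. The addresses 192.168.1.5, 198.51.100.10 and 203.0.113.1, the ports, the natd port allocation and the packet dictionaries are constructed; Jose's '127/8' is spelled 127.0.0.0/8 because Python's ipaddress module does not accept the short form, and the poster's ordering is modelled as the same list without the lo0 rule (his icmp rule plays no part here).

```python
"""Toy model of ipfw(8) rule evaluation: first match wins, skipto, divert to natd,
check-state / keep-state.  Constructed for illustration; it is not ipfw itself."""
import ipaddress

def parse(line):
    """Parse one rule of the ipfw subset used in this thread into a dict."""
    t = line.split()
    r = dict(num=int(t[0]), action=t[1], arg=None, proto="ip", src="any", dst="any", dports=None, opts={})
    if r["action"] == "check-state":
        return r
    i, r["arg"] = (3, t[2]) if r["action"] in ("skipto", "divert") else (2, None)
    i += t[i] == "log"                              # 'log' only adds logging, it changes no match
    r["proto"], r["src"], r["dst"], i = t[i], t[i + 2], t[i + 4], i + 5
    if i < len(t) and t[i][0].isdigit():            # destination port list, e.g. 22,25,80
        r["dports"], i = {int(x) for x in t[i].split(",")}, i + 1
    while i < len(t):                               # in/out/setup/keep-state are flags; via/icmptypes take an argument
        r["opts"][t[i]], i = (t[i + 1], i + 2) if t[i] in ("via", "icmptypes") else (True, i + 1)
    return r

def matches(r, p):                                  # static match of a rule against a packet dict
    o = r["opts"]
    net = lambda s, ip: s == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(s, strict=False)
    return (r["proto"] in ("ip", p["proto"]) and net(r["src"], p["src"]) and net(r["dst"], p["dst"])
            and (r["dports"] is None or p.get("dport") in r["dports"])
            and not any(d in o and p["dir"] != d for d in ("in", "out"))
            and o.get("via", p["iface"]) == p["iface"]
            and (not o.get("setup") or p.get("flags") == "S")            # setup = SYN without ACK
            and ("icmptypes" not in o or str(p.get("icmptype")) in o["icmptypes"].split(",")))

def flow_key(p):                                    # direction-independent 5-tuple keying the dynamic table
    return p["proto"], tuple(sorted([(p["src"], p.get("sport", 0)), (p["dst"], p.get("dport", 0))]))

class Firewall:
    def __init__(self, lines, public_ip=None):
        self.rules = sorted(map(parse, lines), key=lambda r: r["num"])
        self.dyn = {}                                   # flow_key -> action of the rule that created the state
        self.pub, self.fwd, self.rev = public_ip, {}, {}  # natd stand-in: (internal ip, port) <-> public port
    def natd(self, p):
        """What natd(8) would do: SNAT outbound to the public address, map replies back."""
        p = dict(p)
        if p["dir"] == "out":
            port = self.fwd.setdefault((p["src"], p["sport"]), 50000 + len(self.fwd))
            self.rev[port] = (p["src"], p["sport"])
            p["src"], p["sport"] = self.pub, port
        elif p["dst"] == self.pub and p.get("dport") in self.rev:
            p["dst"], p["dport"] = self.rev[p["dport"]]
        return p
    def process(self, p):                               # -> (verdict, rule numbers that fired, packet as it leaves)
        fired, i = [], 0
        while i < len(self.rules):
            r, action = self.rules[i], None
            if r["action"] == "check-state":
                action = self.dyn.get(flow_key(p))      # replays the creating rule's action, e.g. "skipto 10000"
            elif matches(r, p):
                action = (r["action"] + " " + (r["arg"] or "")).strip()
                if "keep-state" in r["opts"]:
                    self.dyn[flow_key(p)] = action
            if action is None:
                i += 1
                continue
            fired.append(r["num"])
            verb, _, arg = action.partition(" ")
            if verb in ("allow", "deny"):
                return verb, fired, p
            if verb == "skipto":                        # resume at the first rule numbered >= arg
                i = next(k for k, x in enumerate(self.rules) if x["num"] >= int(arg))
            else:                                       # divert natd: rewrite, then continue at the next rule
                p, i = self.natd(p), i + 1
        return "deny", fired, p                         # implicit last rule in a default-deny kernel

THOMAS = """100 divert natd ip from any to any in via rl0
105 check-state
110 skipto 10000 icmp from any to any icmptypes 0,3,8,11,12
120 skipto 10000 udp from any to any 53 out keep-state
130 skipto 10000 tcp from any to any 22,25,53,80,443,110 out setup keep-state
140 deny ip from any to any
10000 divert natd ip from any to any out via rl0
10010 allow ip from any to any
10020 deny ip from any to any""".splitlines()       # Thomas Wolf's script with $cmd/$allow expanded

FIXED = """100 allow ip from any to any via lo0
200 deny log ip from 127.0.0.0/8 to any
300 deny log ip from any to 127.0.0.0/8
400 allow ip from any to any""".splitlines()        # Jose Hidalgo's order; FIXED[1:] is the poster's order

def demo_nat_keep_state():
    """Established outbound packets still reach natd: check-state replays 'skipto 10000'."""
    fw = Firewall(THOMAS, public_ip="203.0.113.1")      # constructed public address of rl0
    c = dict(proto="tcp", src="192.168.1.5", sport=1234, dst="198.51.100.10", dport=80, iface="rl0")
    syn = fw.process(dict(c, dir="out", flags="S"))
    synack = fw.process(dict(proto="tcp", src="198.51.100.10", sport=80, dst="203.0.113.1",
                             dport=50000, dir="in", flags="SA", iface="rl0"))   # 50000: port natd picked
    return {"syn": syn, "synack": synack, "data": fw.process(dict(c, dir="out", flags="PA"))}

def demo_loopback():
    """Local SMTP over lo0 with and without the 'via lo0' rule, plus a 127/8 source arriving on rl0."""
    lo = dict(proto="tcp", src="127.0.0.1", sport=4321, dst="127.0.0.1", dport=25, dir="out", flags="S", iface="lo0")
    spoof = dict(lo, dst="203.0.113.1", dir="in", iface="rl0")
    return {"posted_lo": Firewall(FIXED[1:]).process(lo)[0], "fixed_lo": Firewall(FIXED).process(lo)[0],
            "fixed_spoof": Firewall(FIXED).process(spoof)[0]}
```

demo_nat_keep_state() traces the three packets of one TCP session: the SYN fires rules 130 (setup, keep-state), 10000 and 10010; the SYN/ACK is un-NATed by rule 100 and then matched by check-state at 105, whose replayed 'skipto 10000' lands on 10010 because 10000 is 'out' only; the later data packet fires 105, 10000 and 10010 and leaves with the public source address, which is the behaviour Thomas describes. demo_loopback() returns deny/allow/deny: the 127/8 denies alone block local SMTP, the 'via lo0' rule in front restores it, and a 127.0.0.1 source arriving on rl0 is still denied.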
From: Max Laier
To: Ruslan Ermilov
Date: Fri, 11 Jun 2004 01:51:10 +0200
References: <200406092010.i59KAcXH025699@repoman.freebsd.org> <200406100445.44763.max@love2party.net> <20040610214059.GA3228@ip.net.ua>
In-Reply-To: <20040610214059.GA3228@ip.net.ua>
Message-Id: <200406110151.17372.max@love2party.net>
cc: ipfw@freebsd.org
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c

On Thursday 10 June 2004 23:40, Ruslan Ermilov wrote:
> On Thu, Jun 10, 2004 at 04:45:37AM +0200, Max Laier wrote:
> > On Wednesday 09 June 2004 22:10, Ruslan Ermilov wrote:
> > > ru 2004-06-09 20:10:38 UTC
> > >
> > > FreeBSD src repository
> > >
> > > Modified files:
> > > sbin/ipfw ipfw.8 ipfw2.c
> > > sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c
> > > Log:
> > > Introduce a new feature to IPFW2: lookup tables. These are
> > > useful for handling large sparse address sets. Initial
> > > implementation by Vsevolod Lobko, refined by me.
> >
> > Idea from: pf ;)
>
> Nice!
>
> I've asked Vsevolod, and yes, the original idea attributes to PF.

I have seen the original thread in ipfw@ and posted some comments, hence the mail in the first place.
> Do PF tables allow addr/mask entries as IPFW tables do (I could
> not intuit it from reading the pfctl(8) manpage)?

You might rather want to look at pf.conf(5). Yes, pf tables allow addr/mask and IPv6 addresses. pf allows an additional "not" qualifier to allow to do something like:

{ 10/8, !10.10/16, 10.10.10/24 }

> One nice difference (and I don't believe PF or IPFilter can do
> this) is this optional 32-bit tag value with no special meaning.
> For example, we have several thousands of client IPs, and each
> client is allowed (through a Web form) to limit bandwidth to
> some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> Kbps to/from Ukrainian and foreign networks. We have this all
> implemented using less than ten IPFW tables:

hmmm ... I don't really see the benefit in packing the information into one table. You could as well have different tables for that (with pf only memory limits the number of tables allowed). But it's cool that we inspire each other and still diverge a bit to find the best solutions for our respective users.

Btw, I find it very helpful that pf refers to a table by a name and not a number. Why did you choose to use numbers?
[ We might want to transfer this thread to ipfw@ ]

--
Best regards,                        | mlaier@freebsd.org
Max Laier                            | ICQ #67774661
http://pf4freebsd.love2party.net/    | mlaier@EFnet

Date: Fri, 11 Jun 2004 10:21:36 +0300
From: Ruslan Ermilov
To: Max Laier
Message-ID: <20040611072136.GB55472@ip.net.ua>
References: <200406092010.i59KAcXH025699@repoman.freebsd.org> <200406100445.44763.max@love2party.net> <20040610214059.GA3228@ip.net.ua> <200406110151.17372.max@love2party.net>
In-Reply-To: <200406110151.17372.max@love2party.net>
cc: ipfw@FreeBSD.org
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c

On Fri, Jun 11, 2004 at 01:51:10AM +0200, Max Laier wrote:
> On Thursday 10 June 2004 23:40, Ruslan Ermilov wrote:
[...]
> > One nice difference (and I don't believe PF or IPFilter can do
> > this) is this optional 32-bit tag value with no special meaning.
> > For example, we have several thousands of client IPs, and each
> > client is allowed (through a Web form) to limit bandwidth to
> > some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> > Kbps to/from Ukrainian and foreign networks. We have this all
> > implemented using less than ten IPFW tables:
>
> hmmm ... I don't really see the benefit in packing the information into
> one table. You could as well have different tables for that (with pf only
> memory limits the number of tables allowed).
>
Imagine if I had 1000 possible values for rate limiting, I'd have to use 1000 tables then.
Also, the lookup code caches the last query, so if your ruleset does, say, a hundred lookups:

pipe 1 ip from table(0,1) to any
pipe 2 ip from table(0,2) to any
...
pipe 100 ip from table(0,100) to any

and the entry in the table has the value 100, the radix.c code will not be called for the other 99. If these were 100 different tables, this would not work.

> But it's cool that we
> inspire each other and still diverge a bit to find the best solutions for
> our respective users.
>
Yes, sure. ;)

> Btw, I find it very helpful that pf refers to a table by a name and not a
> number. Why did you choose to use numbers?
>
This is in the spirit of the current IPFW syntax: no names for rules, rulesets, pipes, hence no names for tables. ;)

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

Date: Fri, 11 Jun 2004 02:11:13 -0700
From: Luigi Rizzo
To: Ruslan Ermilov
Cc: Max Laier, ipfw@freebsd.org
Date: Fri, 11 Jun 2004 02:11:13 -0700
Message-ID: <20040611021113.A73239@xorpc.icir.org>
In-Reply-To: <20040611072136.GB55472@ip.net.ua>
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c

On Fri, Jun 11, 2004 at 10:21:36AM +0300, Ruslan Ermilov wrote:
...
> > number. Why did you choose to use numbers?
> >
> This is in spirit of the current IPFW syntax: no names for rules,
> rulesets, pipes, hence no names for tables. ;)

To elaborate further: it makes a lot of sense for the internal
representation of object identifiers to use numbers, so that we do not
need to store them in variable-size structures (in ipfw1 this would have
been a nightmare; not so much in ipfw2) and the first lookup is still
fast (subsequent lookups cache a pointer to the target).

We should at some point introduce symbolic identifiers, probably of the
type @foo or with some special character in front, to make it clear
that these names are not hostnames or ipfw options.
cheers
luigi

From: Ruslan Ermilov
To: Luigi Rizzo
Cc: ipfw@FreeBSD.org
Date: Fri, 11 Jun 2004 14:23:51 +0300
Message-ID: <20040611112351.GB434@ip.net.ua>
In-Reply-To: <20040611092900.GA434@ip.net.ua>
Subject: Re: wrong output syntax in ipfw(8)

On Fri, Jun 11, 2004 at 12:29:00PM +0300, Ruslan Ermilov wrote:
> Luigi,
>
> While we're on the IPFW2 topic, I noticed one glitch when
> printing IPFW2 rules:
>
> OK:
>
> # ipfw add 1 count ip from { 1 or 2 } to any
> 00001 count ip from { 0.0.0.1 or 0.0.0.2 } to any
>
> Wrong:
>
> # ipfw add 1 count ip from any to { 1 or 2 }
> 00001 count ip from any to { 0.0.0.1 or dst-ip 0.0.0.2 }
>
> This happens because when we get to printing the 0.0.0.2,
> the whole 3-tuple (proto, src-ip, and dst-ip) is already defined.
> As such, HAVE_OPTIONS is set, so " dst-ip" is prepended.
> Can you fix it, as I'm lost in the debris of ipfw2.c? ;)
>
> P.S. Yes, I'm well aware of the first paragraph of the
> ipfw(8) manpage. ;)
>
So far, I've come up with the following patch.
It's odd and very hackish but seems to DTRT:

%%%
--- ipfw2.c~	Fri Jun 11 12:05:56 2004
+++ ipfw2.c	Fri Jun 11 13:01:13 2004
@@ -860,7 +860,7 @@ print_icmptypes(ipfw_insn_u32 *cmd)
 static void
 show_prerequisites(int *flags, int want, int cmd)
 {
-	if ( (*flags & HAVE_IP) == HAVE_IP)
+	if ( !cmd && (*flags & HAVE_IP) == HAVE_IP)
 		*flags |= HAVE_OPTIONS;
 
 	if ( (*flags & (HAVE_MAC|HAVE_MACTYPE|HAVE_OPTIONS)) == HAVE_MAC &&
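Review bot: the `!cmd &&` added to the HAVE_OPTIONS promotion changes nothing for callers that pass cmd == 0, which includes the `show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);` call the second hunk relies on, so this hunk is not what fixes the `{ a or b }` destination case; what it does change is the behaviour of every caller that passes a real opcode in cmd, a parameter whose name says it carries the instruction being printed, not a boolean. If some call sites are meant to skip the promotion, give the function a dedicated argument or flag bit for that and document it in a comment above the function rather than overloading the opcode.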
@@ -1096,15 +1096,21 @@ show_ipfw(struct ip_fw *rule, int pcwidt
 	case O_IP_DST_MASK:
 	case O_IP_DST_ME:
 	case O_IP_DST_SET:
+	    {
+		int saved_flags = flags;
+
 		show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
 		if (!(flags & HAVE_DSTIP))
 			printf(" to");
 		if ((cmd->len & F_OR) && !or_block)
 			printf(" {");
+		if (or_block && !(saved_flags & HAVE_OPTIONS))
+			flags &= ~HAVE_OPTIONS;
 		print_ip((ipfw_insn_ip *)cmd,
 			(flags & HAVE_OPTIONS) ? " dst-ip" : "");
 		flags |= HAVE_DSTIP;
 		break;
+	    }
 
 	case O_IP_DSTPORT:
 		show_prerequisites(&flags, HAVE_IP, 0);
%%%

If someone has a better fix, please let me know. ;)

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

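Review bot: the `if (or_block && !(saved_flags & HAVE_OPTIONS)) flags &= ~HAVE_OPTIONS;` line silently undoes the HAVE_OPTIONS promotion that show_prerequisites() performed two statements earlier and needs a comment saying why: for the second and later members of a `{ a or b }` destination block the proto/src/dst tuple is already complete, so without it the " dst-ip" prefix is printed inside the block, which is the bug from the report above. Since `saved_flags` is only read when or_block is set, take the snapshot on that path alone, or better pass the "inside an OR block" fact into show_prerequisites() so that the two hunks express one rule instead of a guard plus an after-the-fact repair; the comment should also note that the O_IP_SRC* cases need no equivalent because HAVE_IP cannot yet be complete when a source address is printed.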
From: Ruslan Ermilov
To: barbish3@adelphia.net, ru@FreeBSD.org, ipfw@FreeBSD.org
Date: Fri, 11 Jun 2004 13:47:32 GMT
Message-Id: <200406111347.i5BDlWMo099548@freefall.freebsd.org>
Subject: Re: kern/62598: no logging on ipfw loadable module

Synopsis: no logging on ipfw loadable module

State-Changed-From-To: open->closed
State-Changed-By: ru
State-Changed-When: Fri Jun 11 13:47:08 GMT 2004
State-Changed-Why:
Patches are welcome.

http://www.freebsd.org/cgi/query-pr.cgi?pr=62598

From: "fbsd_user"
Reply-To: fbsd_user@a1poweruser.com
To: "Freebsd-Ipfw@Freebsd. Org", "freebsd-questions@FreeBSD. ORG"
Cc: asolomon15, freebsd-ipfw.20.openmacews@spamgourmet.com
Date: Fri, 11 Jun 2004 14:44:11 -0400
In-Reply-To: <40C8EA33.2040205@nyc.rr.com>
Subject: ipfw + natd + stateful rules. For the archives

For the list's archives. Here is everything you need for ipfw/natd/stateful.

Add these statements to the kernel configuration and compile the kernel to enable:

# Enable kernel IPFW.
#
option IPFIREWALL                  # Adds filtering code into kernel
option IPFIREWALL_VERBOSE          # enable logging thru syslogd(8)
option IPFIREWALL_VERBOSE_LIMIT=5  # stop attack via syslog flooding
option IPDIVERT                    # needed to use natd from IPFW

/etc/rc.conf

# Required For IPFW kernel firewall support
firewall_enable="YES"              # Start daemon
firewall_script="/etc/ipfw.rules"  # run my custom rules if present
                                   # sh /etc/ipfw.rules will load
                                   # new rules file after editing.
firewall_logging="YES"             # Enable events logging
natd_enable="YES"                  # Required For IPFW nat function
natd_interface="rl0"               # interface name of public internet Nic
natd_flags="-dynamic -m"           # -m = preserve port numbers if possible

Here is the /etc/ipfw.rules file without comments.
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119"
ipfw -q -f flush

$cmd 002 allow all from any to any via xl0   # exclude Lan traffic
$cmd 003 allow all from any to any via lo0   # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks
$cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Authorized inbound packets
$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 425 allow icmp from any to any icmptypes 0,3,11,12 in via $pif
$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################

Here is the /etc/ipfw.rules file with comments.
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"     # public interface name of Nic card
              # facing the public internet

#################################################################
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan.
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via xl0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to xx.168.240.2 53 out via $pif setup keep-state
$cmd 021 $skip udp from any to xx.168.240.2 53 out via $pif keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to xx.70.207.54 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (IE: news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif keep-state

# Allow in standard www function because I have apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Allow in icmp responses
$cmd 395 allow icmp from any to any icmptypes 0,3,11,12 in via $pif

# Reject & Log all unauthorized incoming connections from the public internet
$cmd 400 deny log all from any to any in via $pif

# Reject & Log all unauthorized out going connections to the public internet
$cmd 450 deny log all from any to any out via $pif

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################