From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 13 18:24:52 2004
From: "JJB" <Barbish3@adelphia.net>
To: "Freebsd-Ipfw@Freebsd. Org"
Date: Sun, 13 Jun 2004 14:24:32 -0400
Subject: Does keep-state work on ICMP protocol

Does the keep-state option work on an ICMP protocol rule?

If not, shouldn't a syntax error be issued?
From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 13 19:42:13 2004
From: Julião Braga - Rede Pegasus® <jb@redepegasus.com.br>
To: freebsd-ipfw@freebsd.org
Date: Sun, 13 Jun 2004 16:41:40 -0300
Message-ID: <013901c4517e$72f3dc90$fd3dc3c8@redepegasus.com.br>
Subject: Re: ipfw + natd + stateful rules. For the archives

And about the anti-spoofing rule using "verrevpath"? The man page says that it "... drops all incoming packets that appear to be coming to the system on the wrong interface. For example, a packet with a source address belonging to a host on a protected internal network would be dropped if it tried to enter the system from an external interface.":

ipfw add deny ip from any to any not verrevpath in

Isn't it necessary?

JB
Pegasus Network
Brazil

>
> Here is the /etc/ipfw.rules file with comments.
>
> #!/bin/sh
>
> ################ Start of IPFW rules file
> ###############################
> # Flush out the list before we begin.
> ipfw -q -f flush
>
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 800"
> pif="rl0" # public interface name of Nic card
> # facing the public internet
>
>
>
> #################################################################
> # No restrictions on Inside Lan Interface for private network
> # Not needed unless you have Lan.
> # Change xl0 to your Lan Nic card interface name
> #################################################################
> $cmd 005 allow all from any to any via xl0
>
> #################################################################
> # No restrictions on Loopback Interface
> #################################################################
> $cmd 010 allow all from any to any via lo0
>
> $cmd 014 divert natd ip from any to any in via $pif
>
> #################################################################
> # Allow the packet through if it has previously been added to
> # the "dynamic" rules table by an allow keep-state statement.
> #################################################################
> $cmd 015 check-state
>
> #################################################################
> # Interface facing Public internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network or from this gateway server
> # destined for the public internet.
> #################################################################
>
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip tcp from any to xx.168.240.2 53 out via $pif setup keep-state
> $cmd 021 $skip udp from any to xx.168.240.2 53 out via $pif keep-state
>
> # Allow out access to my ISP's DHCP server for cable/DSL configurations.
> $cmd 030 $skip udp from any to xx.70.207.54 67 out via $pif keep-state
>
> # Allow out non-secure standard www function
> $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
>
> # Allow out secure www function https over TLS SSL
> $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
>
> # Allow out send & get email function
> $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
> $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
>
> # Allow out FBSD (make install & CVSUP) functions
> # Basically give user root "GOD" privileges.
> $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
>
> # Allow out ping
> $cmd 080 $skip icmp from any to any out via $pif
>
> # Allow out Time
> $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
>
> # Allow out nntp news (IE: news groups)
> $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
>
> # Allow out secure FTP, Telnet, and SCP
> # This function is using SSH (secure shell)
> $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
>
> # Allow out whois
> $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
>
> # Allow ntp time server
> $cmd 130 $skip udp from any to any 123 out via $pif keep-state
>
> #################################################################
> # Interface facing Public internet (Inbound Section)
> # Interrogate packets originating from the public internet
> # destined for this gateway server or the private network.
> #################################################################
>
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
> $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
> $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
> $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
> $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
> $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
> $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for doc's
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
> $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
>
> # Deny ident
> $cmd 315 deny tcp from any to any 113 in via $pif
>
> # Deny all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> $cmd 320 deny tcp from any to any 137 in via $pif
> $cmd 321 deny tcp from any to any 138 in via $pif
> $cmd 322 deny tcp from any to any 139 in via $pif
> $cmd 323 deny tcp from any to any 81 in via $pif
>
> # Deny any late arriving packets
> $cmd 330 deny all from any to any frag in via $pif
>
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 332 deny tcp from any to any established in via $pif
>
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type.
> # Only necessary for cable or DSL configurations.
> # This rule is not needed for 'user ppp' type connection to
> # the public internet. This is the same IP address you captured
> # and used in the outbound section.
> $cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif keep-state
>
> # Allow in standard www function because I have apache server
> $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
>
> # Allow in non-secure Telnet session from public Internet
> # labeled non-secure because ID & PW are passed over public
> # internet as clear text.
> # Delete this sample group if you do not have telnet server enabled.
> $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
>
> # Allow in icmp responses
> $cmd 390 allow icmp from any to any icmptypes 0,3,11,12 in via $pif
>
> # Reject & Log all unauthorized incoming connections from the public internet
> $cmd 400 deny log all from any to any in via $pif
>
> # Reject & Log all unauthorized outgoing connections to the public internet
> $cmd 450 deny log all from any to any out via $pif
>
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> $cmd 801 allow ip from any to any
>
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> $cmd 999 deny log all from any to any
>
>
>
> ################ End of IPFW rules file
> ###############################
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 14 11:02:32 2004
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Date: Mon, 14 Jun 2004 11:02:06 GMT
Message-Id: <200406141102.i5EB26M3072952@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] misc/63724  ipfw  IPFW2 Queues dont t work
o [2004/03/14] kern/64240  ipfw  IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw  [patch] make "ipfw tee" work as intended
o [2004/03/09] kern/63961  ipfw  ipfw2 uid matching doesn't work correctly

12 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 14 15:06:29 2004
From: Jose Hidalgo Herrera <jose@hostarica.com>
To: Barbish3@adelphia.net
Cc: "Freebsd-Ipfw@Freebsd. Org", jose@hostarica.com
Date: Mon, 14 Jun 2004 09:06:15 -0600
Message-Id: <1087225575.23828.4.camel@jose.hostarica.net>
Subject: Re: Does keep-state work on ICMP protocol

On Sun, 2004-06-13 at 12:24, JJB wrote:
> Does the keep-state option work on an ICMP protocol rule?
>
> If not, shouldn't a syntax error be issued?
>

Yes it works, I can see the dynamic rules:

sh# ipfw -d show | grep icmp
00092 447601 36833705 allow icmp from any to any keep-state icmptype 0,3,5,8,11
00092 57895 4862580 (T 4, slot 20) <-> icmp, xx.xx.xx.xx 0<-> xx.xx.xx.xx 0
00092 0 0 (T 4, slot 59) <-> icmp, xx.xx.xx.xx 0<-> xx.xx.xx.xx 0

>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

--
Jose Hidalgo
PGP: 15524480
jose at hostarica.com

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 15 19:04:01 2004
From: Aldrin Leal <aldrinleal@gmail.com>
To: freebsd-net@freebsd.org, freebsd-hackers@freebsd.org, freebsd-ipfw@freebsd.org
Date: Tue, 15 Jun 2004 15:57:12 -0300
Message-ID: <3534b0b3040615115713cc3589@mail.gmail.com>
Subject: Bridging Code - MAC Filtering

Hello,

Does the bridging code in FreeBSD 5.2-RELEASE have the ability to perform MAC checking for a given IP?
If it doesn't, could any kernel hacker point me to places where I could do it myself? Maybe proper pointers on debugging the bridging facilities, tips, general guidance and so forth?

Thanks in advance!

--
Aldrin Leal, aldrinleal@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 15 19:18:42 2004
From: Jose Hidalgo Herrera <jose@hostarica.com>
To: Aldrin Leal
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org, jose@hostarica.com
Date: Tue, 15 Jun 2004 13:17:14 -0600
Message-Id: <1087327033.65518.3.camel@jose.hostarica.net>
In-Reply-To: <3534b0b3040615115713cc3589@mail.gmail.com>
Subject: Re: Bridging Code - MAC Filtering

I use arpwatch to monitor IPs, because I filter everything via IP address (ipfw), so if any user plays hacker I'm gonna kick his xxx :-)

On Tue, 2004-06-15 at 12:57, Aldrin Leal wrote:
> Hello,
>
> Does the bridging code in FreeBSD 5.2-RELEASE have the ability
> to perform MAC checking for a given IP?
>
> If it doesn't, could any kernel hacker point me to places
> where I could do it myself? Maybe proper pointers on debugging the
> bridging facilities, tips, general guidance and so forth?
>
> Thanks in advance!
>
> --
> Aldrin Leal, aldrinleal@gmail.com

--
Jose Hidalgo
PGP: 15524480
jose at hostarica.com

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 15 20:01:10 2004
From: Jeremie Le Hen <le-hen_j@epita.fr>
To: Aldrin Leal
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org, freebsd-hackers@freebsd.org
Date: Tue, 15 Jun 2004 22:00:43 +0200
Message-ID: <20040615200043.GB11154@annelo.epita.fr>
In-Reply-To: <3534b0b3040615115713cc3589@mail.gmail.com>
Subject: Re: Bridging Code - MAC Filtering

> Does the bridging code in FreeBSD 5.2-RELEASE have the ability
> to perform MAC checking for a given IP?
Since you can filter bridged packets using ipfw(8) and the latter is able to match against MAC addresses, I would say yes. Nevertheless, it may not be suitable enough for your needs, because it requires changing your rules each time you add a machine or change a network card.

Regards,
--
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen@epita.fr
ttz@epita.fr

Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 15 20:07:11 2004
From: David Malone <dwmalone@maths.tcd.ie>
To: Aldrin Leal
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org, freebsd-hackers@freebsd.org
Date: Tue, 15 Jun 2004 21:06:59 +0100
Message-ID: <20040615200659.GA97862@walton.maths.tcd.ie>
In-Reply-To: <3534b0b3040615115713cc3589@mail.gmail.com>
Subject: Re: Bridging Code - MAC Filtering

On Tue, Jun 15, 2004 at 03:57:12PM -0300, Aldrin Leal wrote:
> Does the bridging code in FreeBSD 5.2-RELEASE have the ability
> to perform MAC checking for a given IP?
You could use ipfw2, which can match both on IP address and MAC address.

David.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 16 12:42:37 2004
From: Fangorn <fangorn@o2.pl>
To: freebsd-ipfw@freebsd.org
Date: Wed, 16 Jun 2004 14:42:52 +0200
Message-Id: <1087389772.641.20.camel@desk.myroom.pl>
Subject: Multiple_External_IPs+IPFW+arp_proxy+Dummynet+natd_etc

Hello!

FreeBSD 5.2.1, IPFW (2 of course), 1 ext_if, 2 int_ifs, P200MMX, 96MB, HDD 2GB

I have recently set up a router serving and shaping a small network of +/-20 clients (mostly wireless, but that's not important, as the AP does the job).

I do static ARP, I have quite a simple firewall, and of course natd is up and running fine. Some pipes and queues pretend to share the traffic fairly :). Now my concern is:

1. What is the best way to assign an external IP (I have 4 available) to a LAN client machine?
2. How (if at all) does it affect traffic shaping?

I would be grateful for a bunch of ideas and eternally grateful for examples of working scripts/firewall rules etc.
Disclaimer: Yes, I did a Google search, and found nothing that would cover the aforementioned problem. :-) At least nothing other than 'Well, you might try this ports thingy, but I don't really know if it helps.' ;-D

PS (or BTW): Maybe someone also has a solution to the problem of sharing two external connections in a reasonable way in such a network? Of course load-balancing would be desirable, but any working examples are welcome.

Thank you for your patience.

--
Best regards,
Fangorn
fangornCUT(AT)MEo2.pl

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 16 19:58:56 2004
From: Jose Hidalgo Herrera <jose@hostarica.com>
To: Fangorn
Cc: freebsd-ipfw@freebsd.org, jose@hostarica.com
Date: Wed, 16 Jun 2004 13:58:36 -0600
Message-Id: <1087415916.87203.9.camel@jose.hostarica.net>
In-Reply-To: <1087389772.641.20.camel@desk.myroom.pl>
Subject: Re: Multiple_External_IPs+IPFW+arp_proxy+Dummynet+natd_etc

On Wed, 2004-06-16 at 06:42, Fangorn wrote:
> Hello!
>
> FreeBSD 5.2.1, IPFW (2 of course), 1 ext_if, 2 int_ifs, P200MMX, 96MB,
> HDD 2GB
> I have recently set up a router serving and shaping a small network of
> +/-20 clients (mostly wireless, but that's not important, as the AP does
> the job).
>
> I do static ARP, I have quite a simple firewall, and of course natd is up
> and running fine. Some pipes and queues pretend to share the traffic
> fairly :). Now my concern is:
>
> 1. What is the best way to assign an external IP (I have 4 available) to
> a LAN client machine?
> 2. How (if at all) does it affect traffic shaping?

You can:

1) use the other interface for the DMZ (but you lose 1 IP for the router's interface)
2) forward traffic sent to the public IPs to private IPs, e.g.

ipfw add fwd privateip,80 tcp from any to publicip 80 setup keep-state

You have the same bandwidth, unless you buy more!

>
> I would be grateful for a bunch of ideas and eternally grateful for
> examples of working scripts/firewall rules etc.
>
> Disclaimer: Yes, I did a Google search, and found nothing that would
> cover the aforementioned problem. :-) At least nothing other than 'Well,
> you might try this ports thingy, but I don't really know if it helps.'
> ;-D
>
> PS (or BTW): Maybe someone also has a solution to the problem of sharing
> two external connections in a reasonable way in such a network? Of
> course load-balancing would be desirable, but any working examples are
> welcome.
>
> Thank you for your patience.

--
Hi! I'm a .signature virus!
Copy me into your ~/.signature to help me spread!
Jose Hidalgo
PGP: 15524480
jose at hostarica.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 15:02:16 2004
From: Robert Downes <nullentropy@lineone.net>
To: freebsd-ipfw@freebsd.org
Date: Fri, 18 Jun 2004 15:53:30 +0100
Message-ID: <40D301EA.3080606@lineone.net>
Subject: Blocked outbound traffic - what is it?
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Jun 2004 15:02:17 -0000 Having set up IPFW for NAT + stateful rules (as posted to this list recently, using skipto rules), my firewall setup seems to be doing a good job. GRC.COM reports all service ports as stealthed, and I seem to have no problem browsing web pages, checking mail, etc. But calling ` /var/log/security | grep out` gives a lot of reports of blocked outbound traffic to port 80 on legitimate websites. And occassionally to port 110 on legitimate mail servers. Seeing as I'm not having a problem with web browsing, and my mail *seems* to be collected without complaint from the client, why is so much outbound traffic being blocked? What are these packets doing to offend the IPFW ruleset? -- Bob From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 15:50:37 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 16DF116A4CE for ; Fri, 18 Jun 2004 15:50:37 +0000 (GMT) Received: from mta9.adelphia.net (mta9.adelphia.net [68.168.78.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id 903EB43D5C for ; Fri, 18 Jun 2004 15:50:34 +0000 (GMT) (envelope-from Barbish3@adelphia.net) Received: from barbish ([67.20.101.71]) by mta9.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040618154916.NPMH23406.mta9.adelphia.net@barbish>; Fri, 18 Jun 2004 11:49:16 -0400 From: "JJB" To: "Robert Downes" , Date: Fri, 18 Jun 2004 11:49:15 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) Importance: Normal In-Reply-To: <40D301EA.3080606@lineone.net> X-MimeOLE: 
Subject: RE: Blocked outbound traffic - what is it?

You may be reading the blocked log records wrong. Post complete content of your rules set plus ipfw log content for people to look at.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 16:10:09 2004
From: Robert Downes
To: freebsd-ipfw@freebsd.org
Date: Fri, 18 Jun 2004 16:55:22 +0100
Message-ID: <40D3106A.9030403@lineone.net>
In-Reply-To: <000d01c4554a$906deac0$af00a8c0@orange>
Subject: Re: Blocked outbound traffic - what is it?

Matthew McGehrin wrote:
> You need to post your ruleset to the list along with some of your logs, or
> you're not going to get a response.
The ruleset is the one posted to this list recently:

http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2004-June/001182.html

and some of the output of `cat /var/log/security | grep out`:

Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
Jun 18 16:07:56 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3118 213.189.140.44:80 out via rl0
Jun 18 16:09:45 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3123 216.136.173.10:110 out via rl0
Jun 18 16:23:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3136 216.136.173.10:110 out via rl0
Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
Jun 18 16:31:58 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0

These are just a few of many similar entries. The requests to port 110 are to a legitimate mail server. The requests to port 80 seem to be to banner-ad addresses, and to addresses that are legitimate but are not the same IP as the original browser request.

But my point is: what feature of these packets is making them fail the filter, and why do I not seem to be missing anything on the pages (such as banner ads) even though requests are being blocked?

If it's perfectly reasonable for these packets to be denied, then I'm happy with that. But I'm worried that something important is being killed on the spot. (Even though I can't work out what.)
--
Bob

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 16:50:43 2004
From: "JJB"
To: "Robert Downes"
Date: Fri, 18 Jun 2004 12:49:27 -0400
In-Reply-To: <40D3106A.9030403@lineone.net>
Subject: RE: Blocked outbound traffic - what is it?

Those web sites are ms/windows spyware reporting home about where you browse. Just type those ip address into your browser and you will see DoubleClick banner page. Your ipfw rules are doing their thing of not allowing those ms/windows spyware do their thing.

From your ipfw log I would say the ms/windows box you are using is compromised. Looks to me like you have email virus and spyware on that box. Ipfw is working just fine.

Use nslookup ipaddress from FBSD command line to check out those logged ip address next time. The ip address of the 110 packet is not your ISP's pop3 email server I bet.

By the way there are 2 examples in the archive email you referenced and you have made your own changes to one of them so they have no meaning to what you are using on your box. People need to see what YOU are running not some generic sample. Just for your education next time you have problem.

And blow away your ms/windows system and reinstall to get known clean system and all those outbound log records will stop happening.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 18:44:58 2004
From: Robert Downes
To: freebsd-ipfw@freebsd.org
Date: Fri, 18 Jun 2004 19:43:08 +0100
Message-ID: <40D337BC.5060403@lineone.net>
Subject: Re: Blocked outbound traffic - what is it?
JJB wrote:
> Those web sites are ms/windows spyware reporting home about where
> you browse. Just type those ip address into your browser and you
> will see DoubleClick banner page. Your ipfw rules are doing their
> thing of not allowing those ms/windows spyware do their thing.

I'm fairly sure it's not spyware. I've run virus and adware/spyware scans, and nothing has shown up.

> From your ipfw log I would say the ms/windows box you are using is
> compromised. Looks to me like you have email virus and spyware on
> that box. Ipfw is working just fine.

I'm sure IPFW is working fine. But I'm curious as to where these requests are coming from.

> Use nslookup ipaddress from FBSD command line to check out
> those logged ip address next time.

I have been doing so. The names of most addresses are legitimate. Some, though, are for banner ad companies.

For instance, when testing by going to microsoft.com (a site I was sure would use banner ads and the like), I get a denied outgoing packet to 207.46.248.107 port 80. The name of this address is reported as c.microsoft.com. Looking through the source code for the microsoft.com main page, there is an entry for c.microsoft.com in a section of JavaScript which seems to call for a 'trans_pixel.asp?' from c.microsoft.com. I assume this is a quiet little transparent image created by a tracking script.

But what I want to know is: how come Mozilla can happily request most images from port 80 with success, but a strange little image like this one does not have its request granted? Is it because this image is on a third-party URL (and hence different IP address)? Do image requests look different (in packet details terms) to initial requests for an HTML page?

> The ip address of the 110 packet is not your ISP's pop3 email server
> I bet.

No. The addresses are all part of the domains of the groups that supply my mail service. However, the addresses resolve to names that are slightly different to my actual POP server name. E.g. my POP server is port 110 at pop.mail.yahoo.com (216.136.173.10) and the denied packets are asking to go to 216.136.173.10 port 110, but nslookup reports the name as pop.vip.sc5.yahoo.com. But I thought that IPFW ignored names unless they were explicitly specified (and no names are specified). So something else is making those packets fail. But I still receive mail perfectly well to that account.

So it's all a little mysterious. (To me, that is. I'm sure veterans know what is going on.)

--
Bob

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 19:23:29 2004
From: "Martin"
To: freebsd-ipfw@freebsd.org, "Robert Downes"
Date: Fri, 18 Jun 2004 21:22:18 +0200 (CEST)
Message-Id: <200406182122.2239016.6@btsoftware.com>
In-Reply-To: <40D3106A.9030403@lineone.net>
Subject: Re: Blocked outbound traffic - what is it?
- Is rl0 your outside interface?
- Do you have Natd on the outside interface or reversed on the inside interface?
- Do you have multiple outside interfaces?
- 192.168.1.102: is this system on your internal network?
- Do you have a local DNS (or hosts file) running where you mapped away spying hosts?
- "out" means outgoing, but "via rl0" does not mean "out thru rl0". It could mean more or less "a packet having to do something with rl0, either in or out".
- Do you have rules in your FW causing it to bypass natd?
- Do you have static natd routing?
- Do you do IP/port forwarding on specific ports?

Please post your rules.

Martin.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 20:52:12 2004
From: Robert Downes
To: freebsd-ipfw@freebsd.org
Date: Fri, 18 Jun 2004 21:51:38 +0100
Message-ID: <40D355DA.3040707@lineone.net>
In-Reply-To: <200406182122.2239016.6@btsoftware.com>
Subject: Re: Blocked outbound traffic - what is it?

Martin wrote:
> - Is rl0 your outside interface?

Yes.

> - Do you have Natd on the outside interface or reversed on the inside interface?

natd on rl0.

> - Do you have multiple outside interfaces?

No, only rl0 talks to the ADSL 'modem' (which has my FreeBSD router in the DMZ to avoid double-NAT translation).
> - 192.168.1.102: is this system on your internal network?

Yes, a Windows machine.

> - Do you have a local DNS (or hosts file) running where you mapped away spying hosts?

I have BIND running, but I'm not sure what you mean by 'mapped away spying hosts'.

> - "out" means outgoing, but "via rl0" does not mean "out thru rl0". It could mean
> more or less "a packet having to do something with rl0, either in or out".

The rules in my set actually all say 'in recv' and 'out xmit' but for some reason the security log file converts all of those to 'via'. I can't explain why.

> - Do you have rules in your FW causing it to bypass natd?

I don't think so (except localhost). See my ruleset below (posted due to great demand).

> - Do you have static natd routing?

Uhmmm... not sure. I'm using IPFW and natd and using the 'divert natd' lines in the ruleset.

> - Do you do IP/port forwarding on specific ports?

Do you mean am I using keep-state rules to allow packets to certain ports [yes], or do you mean am I using the divert action to certain ports [no]?

> Please post your rules.

Here they are. They are almost exactly the same as the ruleset posted by someone to this list a few days ago, just with some lines commented out, all 'via' replaced with 'recv' or 'xmit', and a few additional deny rules to stop Microsoft-vulnerability probing on ports 135 and 445 (which I was getting a huge number of).

################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"     # public interface name of Nic card
              # facing the public internet

#################################################################
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan.
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via vr0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

$cmd 014 divert natd ip from any to any in recv $pif

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to xxx.xxx.xxx.xxx 53 out xmit $pif setup keep-state
$cmd 021 $skip udp from any to xxx.xxx.xxx.xxx 53 out xmit $pif keep-state
$cmd 022 $skip tcp from any to xxx.xxx.xxx.xxx 53 out xmit $pif setup keep-state
$cmd 023 $skip udp from any to xxx.xxx.xxx.xxx 53 out xmit $pif keep-state

# Bob: allow outbound requests to nameservers, and replies
$cmd 025 $skip udp from 192.168.0.100 to any 53 out xmit $pif keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
#$cmd 030 $skip udp from any to xx.70.207.54 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out xmit $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out xmit $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out xmit $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out xmit $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out xmit $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out xmit $pif

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out xmit $pif setup keep-state

# Allow out nntp news (IE: news groups)
$cmd 100 $skip tcp from any to any 119 out xmit $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out xmit $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out xmit $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out xmit $pif keep-state

#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in recv $pif   #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in recv $pif    #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in recv $pif       #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in recv $pif      #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in recv $pif        #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in recv $pif   #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in recv $pif     #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in recv $pif  #Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in recv $pif      #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in recv $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny all from any to any 137 in recv $pif
$cmd 321 deny tcp from any to any 138 in recv $pif
$cmd 322 deny tcp from any to any 139 in recv $pif
$cmd 323 deny tcp from any to any 81 in recv $pif

# Bob: also block 135 and 445 because of similar MS-vulnerability attacks
$cmd 324 deny tcp from any to any 135 in recv $pif
$cmd 325 deny tcp from any to any 445 in recv $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in recv $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in recv $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif keep-state

# Allow in standard www function because I have apache server
#$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
#$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
#$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in icmp responses
$cmd 390 allow icmp from any to any icmptypes 0,3,11,12 in recv $pif

# Reject & Log all unauthorized incoming connections from the public internet
$cmd 400 deny log all from any to any in recv $pif

# Reject & Log all unauthorized out going connections to the public internet
$cmd 450 deny log all from any to any out xmit $pif

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out xmit $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################

--
Bob

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 19 07:55:53 2004
From: quetzal@roks.biz
To: Robert Downes
Cc: freebsd-ipfw@freebsd.org
Date: Sat, 19 Jun 2004 10:55:32 +0300
Message-ID: <20040619075532.GA690@roks.biz>
In-Reply-To: <40D355DA.3040707@lineone.net>
Subject: Re: Blocked outbound traffic - what is it?

On Friday, 18 June 2004 at 21:51:38 +0100, Robert Downes wrote:
>
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 332 deny tcp from any to any established in recv $pif
>
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type.
> # Only necessary for cable or DSL configurations.
> # This rule is not needed for 'user ppp' type connection to
> # the public internet. This is the same IP address you captured
> # and used in the outbound section.
> #$cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif keep-state
>
> # Allow in standard www function because I have apache server
> #$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> #$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
>
> # Allow in non-secure Telnet session from public Internet
> # labeled non-secure because ID & PW are passed over public
> # internet as clear text.
> # Delete this sample group if you do not have telnet server enabled.
> #$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> #$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
>
> # Allow in icmp responses
> $cmd 390 allow icmp from any to any icmptypes 0,3,11,12 in recv $pif
>
> # Reject & Log all unauthorized incoming connections from the public internet
> $cmd 400 deny log all from any to any in recv $pif
>
> # Reject & Log all unauthorized out going connections to the public internet
> $cmd 450 deny log all from any to any out xmit $pif
>
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out xmit $pif
> $cmd 801 allow ip from any to any
>
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> $cmd 999 deny log all from any to any
>
> ################ End of IPFW rules file ###############################

Hi, Robert.

You don't need to worry about trojans. By the logic of your rules, I think that these packets are blocked because of the ending lifetime of some dynamic rules. See net.inet.ip.fw.dyn_fin_lifetime and net.inet.ip.fw.dyn_rst_lifetime in man ipfw(8) and you will probably understand what I am talking about. Also you can try tcpdump to trace what occurs during the final phase of the tcp session.

Best regards and sorry for my English,
Nikolay Pavlov.
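An added example, not from the thread, that parses the seven deny records Bob posted and applies Nikolay's reasoning to them under Bob's ruleset: an outbound SYN to port 80 or 110 would have matched the `setup keep-state` rules (040, 061) and never reached rule 450, so each logged packet is a non-SYN straggler of a session whose dynamic rule had already gone away. The port set comes from the posted ruleset and the sysctl names from Nikolay's reply; the 1-second defaults mentioned in the comments are my assumption, to be checked with `sysctl net.inet.ip.fw` on the box in question.

```python
"""Parse ipfw "Deny ... out via" records and explain each under Bob's ruleset."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the seven records quoted in the thread, in the shape
# /var/log/security holds them.
SAMPLE_LOG = """\
Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
Jun 18 16:07:56 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3118 213.189.140.44:80 out via rl0
Jun 18 16:09:45 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3123 216.136.173.10:110 out via rl0
Jun 18 16:23:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3136 216.136.173.10:110 out via rl0
Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
Jun 18 16:31:58 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
"""

# Destination ports that rules 020-130 of the posted ruleset open outbound
# with "tcp ... setup keep-state".
SETUP_KEEP_STATE_PORTS = {53, 80, 443, 25, 110, 37, 119, 22, 43}

# TCP/UDP records carry ports; ICMP records have a different shape and are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_log(text, year=2004):
    """One dict per TCP/UDP record. Syslog stamps carry no year, so the caller
    supplies it (2004 for the constructed sample)."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(d["ts"], "%b %d %H:%M:%S").replace(year=year),
            "rule": int(d["rule"]), "action": d["action"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "dir": d["dir"], "iface": d["iface"],
        })
    return records


def classify_deny(rec, setup_ports=SETUP_KEEP_STATE_PORTS):
    """Explain an outbound deny in terms of the posted ruleset."""
    if rec["proto"] != "TCP" or rec["dir"] != "out":
        return "not an outbound TCP deny"
    if rec["dport"] in setup_ports:
        # A SYN to this port matches the "setup keep-state" rule and is skipped
        # to natd, so a packet reaching rule 450 cannot be a SYN (barring a full
        # dynamic table). It belongs to a session whose dynamic rule is gone,
        # e.g. after FIN/RST once dyn_fin_lifetime / dyn_rst_lifetime ran out
        # (assumed 1 s by default; verify with sysctl net.inet.ip.fw).
        return "non-SYN packet of a closed or expired session"
    return "new connection to a port the ruleset does not allow outbound"


def summarize_flows(records):
    """Group denies by 4-tuple: repeats on the same ephemeral source port are
    retransmissions of one straggler, not separate connections."""
    flows = {}
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        f = flows.setdefault(key, {"count": 0, "first": r["ts"], "last": r["ts"],
                                   "verdict": classify_deny(r)})
        f["count"] += 1
        f["first"] = min(f["first"], r["ts"])
        f["last"] = max(f["last"], r["ts"])
        f["span_s"] = (f["last"] - f["first"]).total_seconds()
    return flows


def sessions_per_destination(records):
    """Distinct source ports per dst:port. Many sessions to one server each
    leaving one straggler (e.g. periodic POP3 polling) is the benign pattern."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["dst"], r["dport"])].add(r["sport"])
    return {k: len(v) for k, v in ports.items()}


if __name__ == "__main__":
    recs = parse_ipfw_log(SAMPLE_LOG)
    for (src, sport, dst, dport), f in summarize_flows(recs).items():
        print(f"{src}:{sport} -> {dst}:{dport}  x{f['count']} over "
              f"{f['span_s']:.0f}s: {f['verdict']}")
    for (dst, dport), n in sessions_per_destination(recs).items():
        print(f"{dst}:{dport}: stragglers from {n} distinct session(s)")
```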
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 19 14:26:39 2004
From: Matt Juszczak
To: freebsd-ipfw@freebsd.org
Date: Sat, 19 Jun 2004 10:31:25 -0400
Message-ID: <40D44E3D.5020805@atopia.net>
Subject: IPFW questions: mac filtering

Hello everyone,

I originally posted the following message to -questions last night and got a lot of replies:

-----------------------------------------
Is there a way to do IP redirection without using layer 3? (IPNAT or routing)? I have a bridge setup and want to redirect any port 80 traffic outgoing through the bridge to a specific server .... but it seems I can only do this with ipfw's forward/fwd or ipnat's rdr commands ... which are all layer 3 oriented and don't work with just a bridge...
-----------------------------------------

What I basically wanted to know was whether I could just use a bridge on my FreeBSD box, but still use ipfw or ipnat's forward/rdr options. Looks like the answer is no... seems I actually have to do routing or NAT to get this working......

So I had another idea, which has sparked another question. Even as a bridge, can ipfw still filter by source MAC address (as long as the bridge is on the same subnet, since layer 2 addresses aren't passed very far)...... if so, is there a document I can read on how I could filter by MAC addresses?

Thanks again for everyone's continuing help. And if anyone has any ideas about my quoted question above that I asked to -questions last night, please let me know. For now I'm just assuming it's a lost cause.

-Matt