From owner-freebsd-ipfw Wed Mar 21 2:49: 1 2001
Date: Wed, 21 Mar 2001 12:44:16 +0200
From: Ruslan Ermilov
To: Paul Richards
Cc: ipfw@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <20010321124416.A57754@sunbay.com>
References: <200103210819.f2L8JWm19214@freefall.freebsd.org> <20010321105412.B47802@sunbay.com> <3AB87255.B0D4EF02@freebsd-services.co.uk>
In-Reply-To: <3AB87255.B0D4EF02@freebsd-services.co.uk>; from paul@freebsd-services.co.uk on Wed, Mar 21, 2001 at 09:20:21AM +0000

On Wed, Mar 21, 2001 at 09:20:21AM +0000, Paul Richards wrote:
> Move to developers.
>
[Redirected to -ipfw, see Committer's Guide for -developers usage rules]

> Ruslan Ermilov wrote:
> >
> > On Wed, Mar 21, 2001 at 12:19:32AM -0800, Paul Richards wrote:
> > > paul        2001/03/21 00:19:32 PST
> > >
> > >   Modified files:
> > >     sys/netinet          ip_fw.c
> > >   Log:
> > >   Only flush rules that have a rule number above that set by a new
> > >   sysctl, net.inet.ip.fw.permanent_rules.
> > >
> > >   This allows you to install rules that are persistent across flushes,
> > >   which is very useful if you want a default set of rules that
> > >   maintains your access to remote machines while you're reconfiguring
> > >   the other rules.
> > >
> > >   Reviewed by: Mark Murray
> > >
> > You asked for a review and committed this while many of us were asleep!
>
> There's always people asleep in the project. This wasn't a major
> architectural change, I just thought it worthwhile for a second pair of
> eyes to look it over and Mark's more than qualified for that.
>
> > What I would really prefer is if we had a flag that marked individual
> > rules as permanent. Then flush command would skip these rules, and
> > another flush command would ignore this flag.
>
> I thought about that first, but there's no bits left in the flag.
>
Really?  0x80000000 is unused.  Or, alternatively, you may change the
IP_FW_F_COMMAND to 0x0000007F (we are unlikely to have more than 128
actions) and use 0x00000080.  I propose the name IP_FW_F_PINNED.

> This solution has minimal impact on the implementation whereas changing the
> structure is a lot more intrusive. I'd also have had to fix the userland
> parser to recognise a token for persistent rules, whereas a sysctl was
> also a minimal impact change.
>
I think you should back this out and reimplement this.
I can do this, if you wish.  :-)

> One thing I did think would be useful though is being able to pass a
> range to flush, i.e. ipfw flush 1000-1999.
>
Nope, the flush command should flush all rules, and probably also check
the IP_FW_F_PINNED bit in the flags.  If the latter is set, it should
delete pinned rules as well.  The same should be done for "delete".

Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Mar 21 6:46:52 2001
Date: Wed, 21 Mar 2001 15:39:10 +0100
From: Voutah
Reply-To: "voutah@pi.be"
To: "'freebsd-ipfw@freebsd.org'"
Subject: re: freebsd 4.2 ipfw natd
Message-ID: <01C0B21D.13F08760.voutah@detroit.org>

hi,

I'm having a hard time looking for good examples of IPFW and NATD settings.
My FreeBSD machine routes traffic fine, but I think it's absolutely not
secure. Could you give me extra tips and maybe an example of a good and
secure IPFW list?
Thanx in advance,

Voutah
www.refckegel.org

From owner-freebsd-ipfw Wed Mar 21 7:27:14 2001
Date: Wed, 21 Mar 2001 20:56:03 +0530 (IST)
From: Satyajeet Seth
Cc: Brahma Naidu Golla
Subject: Routing Problem

Hi

I am having a machine with 3 interfaces, fxp0, nge0 and nge1. nge0 and nge1
are pseudo ethernet interfaces implemented using 'ng_eiface' netgraph nodes
in freebsd-current.

I wish that the response to a ping from a machine on the LAN, host1, to
fxp0/nge0/nge1 should come from the same interface. But it comes from the
interface given by "route get 'host1'" unless we manually do
"route change 'host1' -ifp 'interface'".

host1 should be able to ping fxp0, nge0 and nge1 simultaneously and the
responses should come from the same interfaces.

Is it possible to do this dynamically using ipfw/natd stateful rules? Or,
perhaps there is some other better way?

Thanks
Satya

From owner-freebsd-ipfw Wed Mar 21 18:39:46 2001
Date: Thu, 22 Mar 2001 13:37:25 +1100
From: das@mbox.com.au
To: freebsd-ipfw@freebsd.org
Cc: voutah@pi.be
Subject: RE: freebsd 4.2 ipfw natd
Message-id: <7e96417ea3ae.7ea3ae7e9641@mbox.com.au>

Not a bad example at:
http://www.mostgraveconcern.com/freebsd

Check out the dual-homed host (Advanced topic number 4).

Sadly there is no example of what to do about ftp. How do I allow ftp for
my internal clients?

eg.
# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup

What should it be for ftp? I know ftp opens up all sorts of other ports, but
I'm not sure what to do. I guess it is different if you want passive/active
ftp. Anybody got examples of both?
Thanks,
Dave Seddon

From owner-freebsd-ipfw Wed Mar 21 23:20:58 2001
Date: Thu, 22 Mar 2001 09:20:09 +0200
From: "Patrick O'Reilly"
Subject: RE: cvs commit: src/sys/netinet ip_fw.c
In-Reply-To: <20010321124416.A57754@sunbay.com>

Gents,

If I may throw in my 2c worth - from the point of view of a user (I'd love
to be a contributor, but will need to learn some C first ;-) I think the
idea of being able to 'pin' some rules to survive a flush is excellent. The
default rule (# 65535) behaves somewhat like that already.

I guess it would be nice to be able to do something like:
-------
ipfw -P add 1000 allow udp from any to any 53    # -P: permanent
ipfw add 1100 allow tcp from 10.x.x.x to any 80
-------
and then when you wish to delete the fancy rules but keep the base system
running you could do:
-------
ipfw delete all
-------
Which would delete ALL rules, but NOT those created with the -P (permanent)
flag. ipfw flush would still flush the lot.

One great advantage of this would be that it could be much safer to remotely
administer a firewall. If the rules enabling the remote administration are
set up with -P then you cannot make the mistake of locking yourself out
(well, you could still 'flush' yourself out, but a 'delete all' would be
safe!)

And, by the way, an option to 'delete #-#' would be nice too.

Forgive me if I am sticking my nose where it does not belong - but please
understand that I am 100% in support of the concepts of this change. Since
I am not in a position to help with writing code at present, let me at least
offer my support in testing of these changes if you need that.

Patrick O'Reilly.
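Ruslan's IP_FW_F_PINNED proposal and Patrick's "-P" / "delete all" wish describe the same mechanism: one per-rule bit that flush and delete honour unless explicitly overridden, with the default rule never going away. The block below is an added example written for this archive; it is not FreeBSD's ip_fw.c and not code from any poster. It models the rule table in user space, so the struct layout, the action codes (ACT_DENY, ACT_ACCEPT), the "force" argument and the helper names are assumptions; only the names IP_FW_F_COMMAND and IP_FW_F_PINNED and the bit values 0x0000007F, 0x00000080 and 0x80000000 come from the thread.

```c
/* Added example, not FreeBSD's ip_fw.c: a user-space model of the
 * per-rule "pinned" flag proposed in the thread.  The rule table, the
 * action codes and the flush/delete helpers are constructed here;
 * only the names IP_FW_F_COMMAND / IP_FW_F_PINNED and the bit values
 * 0x0000007F, 0x00000080 (or 0x80000000) come from the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ruslan's second option: a 7-bit action field and bit 7 for "pinned".
 * His first option would be IP_FW_F_PINNED 0x80000000 with the command
 * mask left untouched. */
#define IP_FW_F_COMMAND 0x0000007FU  /* which action the rule takes */
#define IP_FW_F_PINNED  0x00000080U  /* survives flush/delete unless forced */

#define DEFAULT_RULE 65535           /* ipfw's fixed catch-all rule number */
#define MAX_RULES    64

enum { ACT_DENY = 1, ACT_ACCEPT = 2 };   /* constructed action codes */

struct rule {
    uint32_t number;
    uint32_t flags;   /* action in IP_FW_F_COMMAND, plus IP_FW_F_PINNED */
};

struct ruleset {
    struct rule r[MAX_RULES];
    int n;
};

/* The pinned bit must not overlap the action bits, or setting it would
 * silently change what the rule does. */
int flag_layout_ok(void)
{
    return (IP_FW_F_COMMAND & IP_FW_F_PINNED) == 0;
}

static int rule_pinned(const struct rule *r)
{
    return (r->flags & IP_FW_F_PINNED) != 0;
}

/* Append a rule.  Returns 0, or -1 when the table is full, the number is
 * out of range, or the action does not fit in the command field. */
int add_rule(struct ruleset *rs, uint32_t number, uint32_t action, int pinned)
{
    if (rs->n >= MAX_RULES || number > DEFAULT_RULE || (action & ~IP_FW_F_COMMAND))
        return -1;
    rs->r[rs->n].number = number;
    rs->r[rs->n].flags = action | (pinned ? IP_FW_F_PINNED : 0);
    rs->n++;
    return 0;
}

/* Shared removal loop: a rule goes when it is selected (number 0 selects
 * every rule), is not the default rule, and is unpinned or force is set.
 * Returns how many rules were removed. */
static int remove_matching(struct ruleset *rs, uint32_t number, int force)
{
    int i, w = 0, removed = 0;
    for (i = 0; i < rs->n; i++) {
        const struct rule *r = &rs->r[i];
        int selected = (number == 0 || r->number == number);
        if (selected && r->number != DEFAULT_RULE && (force || !rule_pinned(r)))
            removed++;
        else
            rs->r[w++] = *r;
    }
    rs->n = w;
    return removed;
}

/* "flush": drop all rules except pinned ones; with force, pinned too. */
int flush_rules(struct ruleset *rs, int force)
{
    return remove_matching(rs, 0, force);
}

/* "delete N": drop rule N; a pinned rule stays unless force is set.
 * Returns 1 if a rule was removed, 0 otherwise. */
int delete_rule(struct ruleset *rs, uint32_t number, int force)
{
    return number == 0 ? 0 : remove_matching(rs, number, force);
}

int main(void)
{
    struct ruleset rs;
    int removed;

    memset(&rs, 0, sizeof rs);
    add_rule(&rs, 1000, ACT_ACCEPT, 1);        /* pinned management rule */
    add_rule(&rs, 1100, ACT_ACCEPT, 0);
    add_rule(&rs, 1200, ACT_DENY, 0);
    add_rule(&rs, DEFAULT_RULE, ACT_DENY, 0);
    removed = flush_rules(&rs, 0);
    printf("flush: removed %d, %d left (pinned rule kept)\n", removed, rs.n);
    removed = flush_rules(&rs, 1);
    printf("forced flush: removed %d, %d left (default only)\n", removed, rs.n);
    return 0;
}
```

Two points worth noticing: flag_layout_ok() is the check that matters if the action field is narrowed to seven bits, because an action value that spills into bit 7 would be indistinguishable from "pinned"; and add_rule() rejects such an action for the same reason. The "force" argument stands in for Ruslan's "another flush command would ignore this flag": the unforced flush is the safe remote-administration operation Patrick describes, and the forced one is the "flush the lot" behaviour.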
From owner-freebsd-ipfw Wed Mar 21 23:23:26 2001
Date: Thu, 22 Mar 2001 18:23:21 +1100
From: "Andrew Snow"
Subject: RE: cvs commit: src/sys/netinet ip_fw.c

What would be better is firstly the ability to delete a range of rule
numbers, but better than that would be support for 'rule groups', where you
could bunch a number of rules together under the same group name or number
and manipulate them separately.
- Andrew

From owner-freebsd-ipfw Wed Mar 21 23:31:12 2001
Date: Thu, 22 Mar 2001 09:30:25 +0200
From: "Patrick O'Reilly"
Subject: RE: freebsd 4.2 ipfw natd
In-Reply-To: <7e96417ea3ae.7ea3ae7e9641@mbox.com.au>

Re FTP:

FTP Servers listen on Port 21, and then establish an FTP-Data connection in
'reverse' on their port 20 back to the client. So you need to have rules
something like this:
------------------
# FTP - Allow access from our LAN to External FTP servers
${fwcmd} add pass tcp from any to any 21 setup
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

# FTP - Allow access from the net to our FTP server
${fwcmd} add pass tcp from any to x.x.x.x 21 setup
${fwcmd} add pass tcp from x.x.x.x 20 to any 1024-65535 setup
------------------
You will need to allow established, or use stateful rules, to keep the
connection running after setup.

Patrick O'Reilly.
From owner-freebsd-ipfw Thu Mar 22 0:54: 6 2001
Date: Thu, 22 Mar 2001 02:53:53 -0600
From: Bill Fumerola
To: Andrew Snow
Cc: ipfw@freebsd.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <20010322025353.N2567@elvis.mu.org>
In-Reply-To: from andrew@modulus.org on Thu, Mar 22, 2001 at 06:23:21PM +1100

On Thu, Mar 22, 2001 at 06:23:21PM +1100, Andrew Snow wrote:
>
> What would be better is firstly the ability to delete a range of rule
> numbers, but better than that would be support for 'rule groups', where you
> could bunch a number of rules together under the same group name or number
> and manipulate them separately.

already being worked on (amongst other things)...

[billf.yahoo-fumerola 00:57:10] < /home/fumerola/sys/netinet > pcvs diff -u0 |grep -e '^[+-]'|wc -l
cvs server: Diffing .
     708

--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-ipfw Thu Mar 22 2: 8:49 2001
Date: Thu, 22 Mar 2001 05:11:16 -0500
From: Daniel Hagan
To: "Patrick O'Reilly"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: freebsd 4.2 ipfw natd
Message-ID: <3AB9CFC4.11018F6E@colltech.com>

Patrick O'Reilly wrote:

> ------------------
> # FTP - Allow access from our LAN to External FTP servers
> ${fwcmd} add pass tcp from any to any 21 setup
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

This would make the firewall transparent to ftp sessions in _both_
directions, not just from your lan out.

> # FTP - Allow access from the net to our FTP server
> ${fwcmd} add pass tcp from any to x.x.x.x 21 setup
> ${fwcmd} add pass tcp from x.x.x.x 20 to any 1024-65535 setup

FTP is a crappy protocol to packet filter. I'm not familiar with the
issues involved, but I believe proxy servers located in a DMZ (or
integrated into the firewall) are a much better solution than packet
filters. Sorry I can't give you a more detailed explanation.
Daniel

From owner-freebsd-ipfw Thu Mar 22 2:32:39 2001
Date: Thu, 22 Mar 2001 12:32:17 +0200
From: "Patrick O'Reilly"
To: "Daniel Hagan"
Subject: RE: freebsd 4.2 ipfw natd
In-Reply-To: <3AB9CFC4.11018F6E@colltech.com>

Oooops! I was not paying attention, was I?

The first example does allow FTP both ways! A better example would be:
--------------
# FTP - Allow access from our LAN to External FTP servers
${fwcmd} add pass tcp from z.z.z.z/24 to any 21 setup
${fwcmd} add pass tcp from any 20 to z.z.z.z/24 1024-65535 setup
--------------
where z.z.z.z/24 is your LAN's network IP and Netmask. (The z.z.z.z also
suitably representing my prior state of mind :)

Daniel's points re FTP and security are entirely valid too. FTP is known to
be somewhat flaky on the security front. A Proxy would be best (I have not
done that before), else make sure the FTP server is dedicated to that task
and isolated from the rest of your network so that if it is cracked the
damage is contained.
Personally, we use a dedicated FTP server in our DMZ to achieve this goal
(Isolated from the LAN, and contained to the server if it gets cracked).

Thanks for the wake-up call Daniel :)

Patrick.
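The slip Daniel caught above, a "pass ... from any to any" rule that was meant to cover one direction only, is easy to make in a hand-written rc.firewall and easy to check for mechanically. The block below is an added example written for this archive, not code from the thread or from FreeBSD: a small reviewer for ipfw-style "add" lines that parses the rule shape quoted in the thread and flags pass rules that constrain neither endpoint. The parser grammar, the function names and the sample rule list are assumptions; the sample is constructed from the two rule sets Patrick posted, with x.x.x.x and z.z.z.z/24 kept as the placeholders he used.

```c
/* Added example, not code from the thread or from FreeBSD: a reviewer
 * for ipfw-style "add" lines that flags a pass rule with "any" as both
 * source and destination, which admits the traffic in either direction.
 * Only this rule shape is handled (constructed grammar):
 *   [prefix] add [number] action proto from src [sport] to dst [dport] options... */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DELIM  " \t\n"
#define NEXT() (tok = strtok(NULL, DELIM))
#define SET(f) snprintf(r->f, sizeof r->f, "%s", tok)

struct fwrule {
    char action[16], proto[16];
    char src[64], sport[32];   /* sport empty when no source port is given */
    char dst[64], dport[32];   /* dport empty when no destination port is given */
    int setup;                 /* "setup": rule matches only TCP SYN packets */
};

/* Fill *r from one rule line.  Returns 0 on success, -1 if the line is
 * not an "add" rule of the supported shape. */
int parse_rule(const char *line, struct fwrule *r)
{
    char buf[256], *tok;

    memset(r, 0, sizeof *r);
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    for (tok = strtok(buf, DELIM); tok && strcmp(tok, "add"); NEXT())
        ;                                   /* skip "${fwcmd}" / "ipfw" up to "add" */
    if (!tok || !NEXT())
        return -1;
    if (isdigit((unsigned char)tok[0]) && !NEXT())   /* optional rule number */
        return -1;
    SET(action);
    if (!NEXT())
        return -1;
    SET(proto);
    if (!NEXT() || strcmp(tok, "from") || !NEXT())
        return -1;
    SET(src);
    if (NEXT() && strcmp(tok, "to")) {      /* optional source port */
        SET(sport);
        NEXT();
    }
    if (!tok || strcmp(tok, "to") || !NEXT())
        return -1;
    SET(dst);
    if (NEXT() && isdigit((unsigned char)tok[0])) {   /* optional destination port */
        SET(dport);
        NEXT();
    }
    for (; tok; NEXT())
        if (!strcmp(tok, "setup"))
            r->setup = 1;
    return 0;
}

/* 1 when the rule permits traffic and constrains neither endpoint. */
int rule_is_overbroad(const struct fwrule *r)
{
    int permits = !strcmp(r->action, "pass") || !strcmp(r->action, "allow") ||
                  !strcmp(r->action, "accept");
    return permits && !strcmp(r->src, "any") && !strcmp(r->dst, "any");
}

/* 1 = flagged, 0 = fine, -1 = could not parse. */
int audit_line(const char *line)
{
    struct fwrule r;
    return parse_rule(line, &r) == 0 ? rule_is_overbroad(&r) : -1;
}

/* Audit a whole list; prints each finding and returns the flagged count. */
int audit_ruleset(const char *const *lines, int n)
{
    int i, v, flagged = 0;
    for (i = 0; i < n; i++) {
        v = audit_line(lines[i]);
        if (v == 1)
            printf("overbroad (any -> any, matches both directions): %s\n", lines[i]);
        else if (v < 0)
            printf("unparsed: %s\n", lines[i]);
        flagged += (v == 1);
    }
    return flagged;
}

/* Constructed sample: the first FTP rule set from the thread plus the
 * corrected LAN-scoped pair (z.z.z.z/24 stands in for the LAN prefix). */
static const char *const sample_rules[] = {
    "${fwcmd} add pass tcp from any to any 21 setup",
    "${fwcmd} add pass tcp from any 20 to any 1024-65535 setup",
    "${fwcmd} add pass tcp from any to x.x.x.x 21 setup",
    "${fwcmd} add pass tcp from x.x.x.x 20 to any 1024-65535 setup",
    "${fwcmd} add pass tcp from z.z.z.z/24 to any 21 setup",
    "${fwcmd} add pass tcp from any 20 to z.z.z.z/24 1024-65535 setup",
};
#define SAMPLE_COUNT ((int)(sizeof sample_rules / sizeof sample_rules[0]))

int main(void)
{
    printf("%d of %d rules flagged\n", audit_ruleset(sample_rules, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

Run over the sample, only the two "from our LAN" rules of the first set are flagged; the x.x.x.x server rules and the z.z.z.z/24 client rules each pin one endpoint and pass. The check is deliberately narrow: it says nothing about the separate point Daniel and Patrick make, that active-mode FTP's server-initiated data connection is awkward to express as a static filter at all, which is why they end up recommending a proxy or an isolated server in a DMZ.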
From owner-freebsd-ipfw Thu Mar 22 8: 8:41 2001
Date: Thu, 22 Mar 2001 08:08:35 -0800
From: CJ
To: "freebsd-ipfw@FreeBSD.ORG"
Subject: Two T1s
Message-ID: <3ABA2383.CC065BFA@cjcj.com>

Can FreeBSD firewall NAT two different outside lines simultaneously?

From owner-freebsd-ipfw Thu Mar 22 9:17:15 2001
Date: Thu, 22 Mar 2001 09:17:00 -0800
From: Randy Primeaux
To: CJ
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Two T1s
Message-Id: <200103221721.JAA10086@relay.ultimanet.com>
In-Reply-To: Message from CJ of "Thu, 22 Mar 2001 08:08:35 PST." <3ABA2383.CC065BFA@cjcj.com>

I'm assuming "different" indicates two unique network providers.
Are your T1s being delivered via static route, or do you plan to
implement a unique Autonomous System via Border Gateway Protocol (eBGP4)?

I think it's not so much a question of whether ipfw or ipfilter can work
with natd; your success is more dependent upon your network engineering.

CJ writes:
> Can FreeBSD firewall NAT two different outside lines
> simultaneously?

--
Randy Primeaux
randy@cloudfactory.org
tranze@hyperreal.org

From owner-freebsd-ipfw Thu Mar 22 9:40:18 2001
Date: Thu, 22 Mar 2001 11:40:03 -0600
From: "Sam Munzani"
Subject: unsubscribe

unsubscribe

From owner-freebsd-ipfw Thu Mar 22 19: 4:49 2001
Date: Fri, 23 Mar 2001 14:04:33 +1100
From: Gregory Bond
To: CJ
Cc: "freebsd-ipfw@FreeBSD.ORG", gnb@itga.com.au
Subject: Re: Two T1s
Message-Id: <200103230304.OAA01851@lightning.itga.com.au>
In-reply-to: Your message of Thu, 22 Mar 2001 08:08:35 -0800.

> Can FreeBSD firewall NAT two different outside lines
> simultaneously?

Sure. You need two natd's listening on two ports and two divert rules. Not
supported with the standard rc.conf/rc.network but dead easy to add.

Getting the routing doing what you want is often harder....