From owner-freebsd-questions@FreeBSD.ORG Sun Apr 25 07:59:41 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A5F116A4CE for ; Sun, 25 Apr 2004 07:59:41 -0700 (PDT) Received: from mta10.adelphia.net (mta10.adelphia.net [68.168.78.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F1EA43D41 for ; Sun, 25 Apr 2004 07:59:40 -0700 (PDT) (envelope-from Barbish3@adelphia.net) Received: from barbish ([67.20.101.71]) by mta10.adelphia.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040425145939.TVED8065.mta10.adelphia.net@barbish>; Sun, 25 Apr 2004 10:59:39 -0400 From: "JJB" To: "Robert Storey" , Date: Sun, 25 Apr 2004 10:59:38 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) In-Reply-To: <20040425215549.3205faab.y2kbug@ms25.hinet.net> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Subject: RE: installing ipfilter X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Barbish3@adelphia.net List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 25 Apr 2004 14:59:41 -0000 Ipfilter is an built in firewall just like IPFW. They both are distributed in the base Freebsd system. Ipfilter is the name of the firewall "man ipf" will show you the info you are looking for. Ipfilter is an loadable module which means it is not necessary to add kernel option statements to the kernel source and recompile the kernel. The addition of the ipfilter rc.conf statements will automatically load the ipfilter module. Rc.conf statements. ipfilter_enable="YES" # Start ipf firewall ipfilter_rules="/etc/ipf.rules" # loads rules definition text file # IE: not script file with rules in it ipmon_enable="YES" # Start ip monitor log ipmon_flags="-Ds" # D = start as daemon # s = log to syslog # v = log tcp window, ack, seq # n = map ip & port to names ipnat_enable="YES" # Enable ipfilter Nat function ipnat_rules="/etc/ipnat.rules" Sample ipnat rules # Provide special NAT services for FTP from LAN users. map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp # Provide special NAT services for FTP from gateway system. map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp # Provide Normal NAT services for LAN users. # NAT my private LAN ip address to what every my dynamic ISP address is. map dc0 10.0.10.0/29 -> 0/32 # Provide NAT services for user ppp Dial in tun0 connections. map tun0 10.0.0.0/29 -> 0/32 Sample ipfilter rules ################################################################# # For testing only allow pass all Bypasses the rest of the rules #pass in log quick on dc0 all #pass out log quick on dc0 all #log out quick on dc0 all ################################################################# ################################################################# # No restrictions on Inside Lan Interface for private network # Not needed unless you have Lan ################################################################# #pass out quick on xl0 all # production server config #pass in quick on xl0 all # production server config pass out quick on rl0 all # development server config pass in quick on rl0 all # development server config ################################################################# # No restrictions on Loopback Interface ################################################################# pass in quick on lo0 all pass out quick on lo0 all ################################################################# # Interface facing Public internet (Outbound Section) # Interrogate session start requests originating from behind the # firewall on the private network # or from this gateway server destine for the public internet. ################################################################# # Allow out access to my ISP's Domain name server. # xxx.xxx.xxx.xxx must be the IP address of your ISP's DNS. # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file pass out quick on dc0 proto tcp from any to 168.162.40.2 port = 53 flags S keep state pass out quick on dc0 proto udp from any to 168.162.40.2 port = 53 keep state #pass out log quick on dc0 proto udp from any to any port = 53 keep state # Allow out access to my ISP's DHCP server for cable or DSL networks. # This rule is not needed for 'user ppp' type connection to the # public internet, so you can delete this whole group. # Use the following rule and check log for IP address. # Then put IP address in commented out rule & delete first rule pass out quick on dc0 proto udp from any to 168.170.21.152 port = 67 keep state # Allow out non-secure standard www function pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state # Allow out secure www function https over TLS SSL pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state # Allow out send & get email function pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state # Allow out Time pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state # Allow out nntp news pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state # Allow out gateway & LAN users non-secure FTP ( both passive & active modes) # This function uses the IPNAT built in FTP proxy function coded in # the nat rules file to make this single rule function correctly. # If you want to use the pkg_add command to install application packages # on your gateway system you need this rule. pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state # Allow out secure FTP, Telnet, and SCP # This function is using SSH (secure shell) pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state # Allow out non-secure Telnet pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state # Allow out FBSD CVSUP function pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state # Allow out all icmp to public Internet pass out quick on dc0 proto icmp from any to any keep state # Allow out all ident to public Internet #block out quick on dc0 proto tcp from any to any port = 113 # Allow out whois for LAN PC to public Internet pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state # block ports that show on log and are ok to stop logging # Deny tcp port 81 - hosts2 name server. winme is doing this. block out quick on dc0 proto tcp from any to any port = 81 # Block and log only the first occurrence of everything # else that's trying to get out. # This rule enforces the block all by default logic. block out log first quick on dc0 all ################################################################# # Interface facing Public internet (Inbound Section) # Interrogate packets originating from the public internet # destine for this gateway server or the private network. ################################################################# # Block all inbound traffic from non-routable or reserved address spaces block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP block in quick on dc0 from 10.0.0.0/8 to any #RFC 1918 private IP block in quick on dc0 from 127.0.0.0/8 to any #loopback block in quick on dc0 from 0.0.0.0/8 to any #loopback block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config block in quick on dc0 from 192.0.2.0/24 to any #reserved for doc's block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast ##### Block a bunch of different nasty things. ############ # That I don't want to see in the log # Block frags block in quick on dc0 all with frags # Block short tcp packets block in quick on dc0 proto tcp all with short # block source routed packets block in quick on dc0 all with opt lsrr block in quick on dc0 all with opt ssrr # Block nmap OS fingerprint attempts # Log first occurrence of these so I can get their IP address block in log first quick on dc0 proto tcp from any to any flags FUP # Block anything with special options block in quick on dc0 all with ipopts # Block public pings block in quick on dc0 proto icmp all icmp-type 8 # Block ident #block in quick on dc0 proto tcp from any to any port = 113 # Block all Netbios service. 137=name, 138=datagram, 139=session # Netbios is MS/Windows sharing services. # Block MS/Windows hosts2 name server requests 81 block in log first quick on dc0 proto tcp/udp from any to any port = 137 block in log first quick on dc0 proto tcp/udp from any to any port = 138 block in log first quick on dc0 proto tcp/udp from any to any port = 139 block in log first quick on dc0 proto tcp/udp from any to any port = 81 # Allow traffic in from ISP's DHCP server. This rule must contain # the IP address of your ISP's DHCP server as it's the only # authorized source to send this packet type. Only necessary for # cable or DSL configurations. This rule is not needed for # 'user ppp' type connection to the public internet. # This is the same IP address you captured and # used in the outbound section. pass in quick on dc0 proto udp from 168.170.21.152 to any port = 68 keep state # Allow in standard www function because I have apache server #pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state # Allow in non-secure Telnet session from public Internet # labeled non-secure because ID & PW are passed over public internet as clear text. # Delete this sample group if you do not have telnet server enabled. #pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state # Allow in secure FTP, Telnet, and SCP from public Internet # This function is using SSH (secure shell) #pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state # Block and log only first occurrence of all remaining traffic # coming into the firewall. The logging of only the first # occurrence stops an 'denial of service' attack targeted # at filling up your log file space. # This rule enforces the block all by default logic. block in log first quick on dc0 all -----Original Message----- From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Robert Storey Sent: Sunday, April 25, 2004 9:56 AM To: freebsd-questions@freebsd.org Subject: installing ipfilter I wanted to do some experimenting with ipfilter, and strangely, I can't figure out how to install it. It doesn't seem to be installed. If I do "which ipfilter" or "man ipfilter", there's no indication of its existence. I tried "locate ipfilter", I do find this: /usr/share/examples/ipfilter /usr/src/contrib/ipfilter Neither of these appear to be what I need. I've looked in /usr/ports, and can't find it there either. I'm using 5.2-RELEASE. best regards, Robert _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"