From owner-freebsd-ipfw Wed Feb 7 5:47: 7 2001

From: João Pedro
To: freebsd-ipfw@freebsd.org
Date: Wed, 7 Feb 2001 11:45:32 -0200
Subject: Problems with IPFW

Hi,

I have an email server that works together with the WorldGroup and I configured a firewall to protect the network. But when I put the firewall on air with the respective rules (I use ipfw), my email server does not send emails. When I free everything again it looks OK.

But the most impressive detail is that I liberated the access of the machine that has the email server with the machine that has the WorldGroup, and I didn't get success.

Does somebody have some idea of what I can do?

TIA,
JPedro
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From: Joshua Goodall
To: Christoph Sold
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 8 Feb 2001 02:04:09 +0100 (CET)
Subject: Re: freebsd-ipfw@FreeBSD.org

On Thu, 1 Feb 2001, Christoph Sold wrote:

> Hi folks,
>
> for the first time, I need to do some redirect:
>
> On a box with a single interface I want to run an untrusted application
> on port 23. I know, I can run it suid root, but I did not want to for
> obvious reasons.
>
> Q: How to redirect from interface ed0, port 80, to the very same
> machine, untrusted port, e.g. 1234?
possibly,

    ipfw add divert 23 tcp from any to localhost:1234

hth
j

From: Nick Rogness
To: Joshua Goodall
Cc: Christoph Sold, ipfw@FreeBSD.ORG
Date: Wed, 7 Feb 2001 19:07:51 -0700 (MST)
Subject: Re: freebsd-ipfw@FreeBSD.org

On Thu, 8 Feb 2001, Joshua Goodall wrote:

> > Hi folks,
> >
> > for the first time, I need to do some redirect:
> >
> > On a box with a single interface I want to run an untrusted application
> > on port 23. I know, I can run it suid root, but I did not want to for
> > obvious reasons.
> >
> > Q: How to redirect from interface ed0, port 80, to the very same
> > machine, untrusted port, e.g. 1234?
>
> possibly,
>
>     ipfw add divert 23 tcp from any to localhost:1234

ipfw fwd may also be a possibility... depending on the circumstances:

    ipfw add fwd 127.0.0.1,1234 tcp from any to any 80 via ed0

But like I said, it depends on the circumstances and what you are actually trying to do. See the ipfw(8) manpage for more details.

Nick Rogness
- Keep on routing in a Free World...
  "FreeBSD: The Power to Serve"

From: Elliott Perrin
To: freebsd-ipfw@freebsd.org
Date: Thu, 8 Feb 2001 13:54:11 -0500
Subject: Question regarding PPPoE and IPFW

I am setting up a gateway machine for a friend at his home and I was wondering if ipfw will work over a PPPoE link, and whether or not I should filter traffic based upon the Ethernet interface or based upon the tun0 interface created when a connection occurs.

I also have a question about the packet filtering process. I have a LAN behind an FBSD 4.2 box doing NAT and IPFW. There is also a separate LAN (DMZ if you will) where the public servers reside. From what I have read in the ipfw man pages, the "divert natd all from any to any" rule should change the packets from our internal LAN. However, the only way the LAN is able to get out to the internet is with an "allow all from 192.168.1.0/24 to any" rule. I was just wondering (for future reference), is this normal behavior?
Regards,
Elliott Perrin
eperrin@bigorbit.com

From: Jon
Reply-To: cykyc@yahoo.com
To: ipfw@freebsd.org
Date: Fri, 9 Feb 2001 08:54:41 -0800 (PST)
Subject: FreeBSD Application firewall w/o ip forwarding enabled

Hello All,

Is anyone aware of, or are there any implementations of ipfw, IP Filter, fwtk, or other ports/pkgs that allow for an application-type firewall to exist on FreeBSD that does not rely on IP forwarding? This would be used to limit the types of traffic from the firewall to the DMZ internally. The hope would be a wide range of application support (FTP, SMTP, DNS, HTTP, HTTPS, telnet, etc...), but if at least one of these is supported, then that's a start.

Thanks,
Jon
From: Luigi Rizzo
To: cykyc@yahoo.com
Cc: ipfw@FreeBSD.ORG
Date: Fri, 9 Feb 2001 10:44:41 -0800 (PST)
Subject: Re: FreeBSD Application firewall w/o ip forwarding enabled

in freebsd bridging is integrated with ipfw so you can use that (i assume the reason you do not want forwarding is to avoid remapping addresses ?)

see http://www.iet.unipi.it/~luigi/ip_dummynet/ and the bridge and ipfw manpages

cheers
luigi

----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------

> Is anyone aware of, or are there any implementations
> of ipfw, IP Filter, fwtk, or other ports/pkgs that
> allow for an application-type firewall to exist on
> FreeBSD that does not rely on IP forwarding? This
> would be used to limit the types of traffic from the
> firewall to the DMZ internally.
> The hope would be a
> wide range of application support (FTP, SMTP, DNS,
> HTTP, HTTPS, telnet, etc...), but if at least one of
> these is supported, then that's a start.
>
> Thanks,
>
> Jon

From: Jon
Reply-To: cykyc@yahoo.com
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Date: Fri, 9 Feb 2001 11:54:12 -0800 (PST)
Subject: Re: FreeBSD Application firewall w/o ip forwarding enabled

> use that (i assume the reason you do not want
> forwarding
> is to avoid remapping addresses ?)

It's not to avoid remapping addresses, but to try and use the firewall as an application firewall instead of a packet filter firewall. The running application on the firewall would be in charge of receiving whatever type of information on the external interface and then redirecting it to the internal interface, instead of simple NAT'n and IP forwarding, which is at the network level.
> see http://www.iet.unipi.it/~luigi/ip_dummynet/
>
> and the bridge and ipfw manpages
>
> cheers
> luigi

From: Nicolai Petri
To: freebsd-ipfw@freebsd.org
Date: Fri, 9 Feb 2001 21:05:45 +0100
Subject: Re: FreeBSD Application firewall w/o ip forwarding enabled

From: "Jon"
Subject: FreeBSD Application firewall w/o ip forwarding enabled

> Hello All,
>
> Is anyone aware of, or are there any implementations
> of ipfw, IP Filter, fwtk, or other ports/pkgs that
> allow for an application-type firewall to exist on
> FreeBSD that does not rely on IP forwarding? This
> would be used to limit the types of traffic from the
> firewall to the DMZ internally. The hope would be a
> wide range of application support (FTP, SMTP, DNS,
> HTTP, HTTPS, telnet, etc...), but if at least one of
> these is supported, then that's a start.
Have you looked at the firewall toolkit (ports/security/fwtk)? It is based on application proxies. The only sad thing is the not-always-useful license on the toolkit.

Check it out. :)

---
Nicolai Petri
Software Developer

/* "The nice thing about standards is that there
 *  are so many of them to choose from."
 *  -- Andrew Tanenbaum */

From: Mikko Tyolajarvi
To: cykyc@yahoo.com
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 9 Feb 2001 16:26:31 -0800 (PST)
Newsgroups: local.freebsd.ipfw
Subject: Re: FreeBSD Application firewall w/o ip forwarding enabled

In local.freebsd.ipfw you write:

>> use that (i assume the reason you do not want
>> forwarding
>> is to avoid remapping addresses ?)

> It's not to avoid remapping addresses, but to try and
> use the firewall as an application firewall instead of
> a packet filter firewall.
> The running application on
> the firewall would be in charge of receiving whatever
> type of information on the external interface and then
> redirecting it to the internal interface, instead of
> simple NAT'n and IP forwarding, which is at the
> network level.

I don't know exactly what you are trying to accomplish, but the TIS fwtk is a pure application level proxy toolkit. Maybe that will be enough?

If the firewall is supposed to look like it is forwarding packets, but transparently filters them through application proxies, then you can use ipfw rules to forward allowed traffic to your proxies, and deny everything else. I have written programs that do this, and they work just fine, but are not available as freeware...

Hmm... it looks like someone has made patches for FWTK to handle transparent proxying - see . Haven't tried it, though.

Also, the Juniper firewall toolkit looks like it might be what you are looking for, but I haven't tried that either.

$.02,
/Mikko

--
Mikko Työläjärvi                                   mikko@rsasecurity.com
RSA Security
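A small Python model, added here and not code from the thread or from FreeBSD, of the two ipfw behaviours the thread turns on: Nick's "fwd 127.0.0.1,1234 tcp from any to any 80 via ed0" rule handing web traffic to a local proxy (the pattern Mikko describes for transparent proxying), and Elliott's observation that "divert natd" alone does not let the LAN out, because natd re-injects the translated packet and matching simply continues at the next rule. It assumes a single pass over the rules, Elliott's LAN 192.168.1.0/24, and a constructed public address 203.0.113.1 for ed0; the real kernel also runs the ruleset on the inbound interface, and natd does far more than this stand-in.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int
    via: str                          # interface the packet is passing through

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                       # allow | deny | divert | fwd
    proto: str = "ip"                 # "ip" matches any protocol
    src: str = "any"                  # host, CIDR, or "any"
    dport: Optional[int] = None
    via: Optional[str] = None
    arg: object = None                # divert: "natd"; fwd: (addr, port)

LAN = ipaddress.ip_network("192.168.1.0/24")   # Elliott's internal LAN
NAT_PUBLIC = "203.0.113.1"                     # constructed public address on ed0
def matches(r: Rule, p: Packet) -> bool:
    src_ok = r.src == "any" or ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src, strict=False)
    return src_ok and r.proto in ("ip", p.proto) and r.dport in (None, p.dport) and r.via in (None, p.via)
def natd(p: Packet) -> Packet:        # natd stand-in: a LAN source becomes the public address
    return replace(p, src=NAT_PUBLIC) if ipaddress.ip_address(p.src) in LAN else p
def evaluate(rules, p: Packet):
    """First match wins; a divert hands the packet to natd and resumes at the next rule."""
    for r in sorted(rules, key=lambda x: x.num):
        if not matches(r, p):
            continue
        if r.action == "divert":
            p = natd(p)               # re-injected packet is matched against the following rules
        elif r.action == "fwd":
            return ("fwd", r.arg, p)  # handed to the local proxy instead of its real destination
        else:
            return (r.action, r.num, p)
    return ("deny", 65535, p)         # implicit default rule

LAN_OUT = Packet("tcp", "192.168.1.12", 25, "ed0")    # constructed: LAN host sending mail out
WEB_IN = Packet("tcp", "198.51.100.9", 80, "ed0")     # constructed: inbound HTTP request
DIVERT = Rule(100, "divert", via="ed0", arg="natd")
FWD80 = Rule(50, "fwd", proto="tcp", dport=80, via="ed0", arg=("127.0.0.1", 1234))
ALLOW_LAN = Rule(200, "allow", src="192.168.1.0/24")

def demo():
    return {
        "divert_only": evaluate([DIVERT], LAN_OUT)[0],                        # deny: divert is not allow
        "lan_allow_after_divert": evaluate([DIVERT, ALLOW_LAN], LAN_OUT)[0],  # deny: source already NATed
        "any_allow_after_divert": evaluate([DIVERT, Rule(200, "allow")], LAN_OUT)[0],  # allow
        "fwd_to_proxy": evaluate([FWD80, DIVERT], WEB_IN)[:2],               # ('fwd', ('127.0.0.1', 1234))
    }
```

The second case is the one worth noticing: an allow rule written for 192.168.1.0/24 but placed after the divert never sees the private source, so what is allowed after NAT has to be described in terms of the translated packet.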