Subject: Re: Setting up simple firewall with ipfw
From: Greg Hormann (ghormannalumni.indiana.edu)
Date: Sat Jun 10 2000 - 13:46:20 CDT


Thanks. ssh/ftp now work correctly through the firewall.

Logging still doesn't work. (It's not showing up in /var/log/* or the
console.) I've tried playing with net.inet.ip.fw.verbose_limit, but that
didn't help either.

As for the first question, I think I may have figured it out. Haven't
tried it yet, but I could have my firewall script figure out the current
ip from ifconfig. Then, I would just need to call my firewall script each
time a new IP address was assigned. (Should be easy using hooks from
dhclient)

Thanks again.

Greg.

On Sat, 10 Jun 2000, John F Cuzzola wrote:

>
> *** by default firewall messages are logged in /var/log/messages (I
> think). I usually create a separate file for firewall logging
> (/var/log/firewall.log) then change /etc/syslogd.conf appropriately

>
> *** you have rules with the same numbers (two rules 100 & 200). In my
> experience with FreeBSD 4 this sometimes causes problems. Renumber your
> rules so each one has its own unique rule number. Your ssh setup looks
> like it should work. SSH only uses tcp so the rule:
> > 00500 0 0 allow udp from any to any 22
> can be deleted.
>
> As for ftp. When you are using true ftp (instead of passive) a connection
> is made FROM a computer port 20 TO you on some port. So the rules:
>
> > 00700 0 0 allow tcp from any to any 20 via ed0
> > 00800 0 0 allow tcp from any to any 21 via ed0
>
> are almost right. Rule 700 should read:
> ipfw add 700 allow tcp from any 20 to any via ed0
> (the port 20 comes from the host you are contacting; it doesn't connect
> back to you on port 20)
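The points raised in this exchange (unique rule numbers, ssh being TCP only, the active-ftp data connection arriving from the remote side's port 20, and rebuilding the rule set from the interface's current address) fit in one small rule-generator script. The script below is an added example written for this archive page; it is not Greg's firewall script and not part of FreeBSD. The interface name ed0 comes from the thread; the rule layout, the 100-step numbering, and the address 10.0.0.5 used for testing are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipfw rule set whose
# numbers come from a counter, so no two rules share a number, with ssh
# allowed over TCP only and a dedicated rule for active-mode ftp data
# connections, which the remote server opens FROM its port 20.

STEP=100   # spacing between rule numbers, leaves room for manual inserts
n=0

# rule WORDS... : print one "ipfw add N WORDS" line using the next free number
rule() {
    n=$((n + STEP))
    printf 'ipfw add %d %s\n' "$n" "$*"
}

# build_rules IFACE IP : print the complete rule set for IFACE holding IP
build_rules() {
    iface=$1
    ip=$2
    n=0
    rule allow ip from any to any via lo0
    # packets of connections that were already set up
    rule allow tcp from any to any established
    # ssh: TCP only, so no udp rule for port 22 is needed
    rule allow tcp from any to "$ip" 22 setup via "$iface"
    # ftp control channel
    rule allow tcp from any to "$ip" 21 setup via "$iface"
    # active ftp data channel: the remote server connects to us FROM port 20
    rule allow tcp from any 20 to "$ip" setup via "$iface"
    # connections we start ourselves
    rule allow tcp from "$ip" to any setup via "$iface"
    rule allow udp from "$ip" to any 53 via "$iface"
    rule allow udp from any 53 to "$ip" via "$iface"
    # everything else is dropped and logged ("log" needs net.inet.ip.fw.verbose=1)
    rule deny log ip from any to any
}

# check_unique < RULES : succeed only if every "ipfw add N" line has a distinct N
check_unique() {
    dups=$(awk '$1 == "ipfw" && $2 == "add" { print $3 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# iface_ip IFACE : current IPv4 address from ifconfig, as the thread proposes
iface_ip() {
    ifconfig "$1" 2>/dev/null | awk '/inet / { print $2; exit }'
}

# apply_rules IFACE IP : flush the live rule set and load the generated one.
# dhclient-script sources /etc/dhclient-exit-hooks with $reason, $interface
# and $new_ip_address set, so a hook can call:
#   apply_rules "$interface" "$new_ip_address"
apply_rules() {
    rules=$(build_rules "$1" "$2")
    printf '%s\n' "$rules" | check_unique || {
        echo "refusing to load: duplicate rule numbers" >&2
        return 1
    }
    ipfw -f flush
    printf '%s\n' "$rules" | sh
}

# stand-alone use:  ./fw.sh print [iface [ip]]   or   ./fw.sh apply [iface [ip]]
case "${1:-}" in
    print) build_rules "${2:-ed0}" "${3:-$(iface_ip "${2:-ed0}")}" ;;
    apply) apply_rules "${2:-ed0}" "${3:-$(iface_ip "${2:-ed0}")}" ;;
esac
```

Running `fw.sh print` shows the rule set without touching the kernel, which is the easiest way to spot the duplicated 100/200 numbers John mentions before they are loaded. On the logging side, the `log` keyword on the final deny rule only produces output when the kernel was built with IPFIREWALL_VERBOSE and net.inet.ip.fw.verbose is 1 (`sysctl net.inet.ip.fw.verbose`); verbose_limit only caps how many times one rule is reported, so raising it does nothing if verbose itself is 0. The kernel emits the lines through syslog's security facility, so John's separate file amounts to a `security.* /var/log/firewall.log` entry in syslog.conf followed by a restart of syslogd.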

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message