Re: need ipfw clarification

From: Bill Moran (wmoran@potentialtech.com)
Date: Fri Feb 04 2005 - 14:09:36 CST


Duane Winner <dwinner-lists@att.net> wrote:

> Thanks Roberto,
>
> Just to make sure I understand though, I only need to be concerned with
> "forwarding" and "forward rules" if I'm setting up a multi-homed host
> (i.e., router), is this correct?

It doesn't even apply then. IPFW forwarding forwards packets and rewrites
their IP headers to make one machine look like another. While this is
commonly used on firewalls, it's not the same thing as turning on
forwarding (i.e. routing between interfaces) and isn't required to set
up a multi-homed "router".

For example, I use IPFW forwarding so that my firewall forwards VNC
packets to my desktop, so outsiders can connect directly to my desktop
through the firewall.

> If I'm just using ipfw for single-host based firewall protection, then
> forwarding doesn't apply, right?

That's correct.

>
> Thanks again,
> Duane
>
>
>
> Roberto Nunnari wrote:
>
> > Hi Duane.
> >
> > I had the same problem. With 5.2.1 I had working forward rules
> > that were broken with 5.3.
> >
> > After some fiddling I managed to have that work again. Just
> > add these to your kernel:
> >
> > options IPFIREWALL
> > options IPFIREWALL_DEFAULT_TO_ACCEPT
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_FORWARD
> >
> > if you don't add them to your kernel, forwarding in ipfw will
> > be disabled.
> >
> > Ciao.
> >
> >
> > Duane Winner wrote:
> >
> >> Hello,
> >>
> >> I noticed that after enabling firewall in my kernel (5.3-release), my
> >> dmesg now gives me this:
> >>
> >> ipfw2 initialized, divert disabled, rule-based forwarding disabled,
> >> default to accept, logging limited to 5 packets/entry by default
> >>
> >>
> >> On 5.2.1, I used to get this:
> >>
> >> ipfw2 initialized, divert disabled, rule-based forwarding enabled,
> >> default to accept, logging disabled
> >>
> >> In both cases, I am adding this to my KERNEL config:
> >>
> >> options IPFIREWALL
> >> options IPFIREWALL_DEFAULT_TO_ACCEPT
> >>
> >>
> >> It seems that the major difference between 5.2.1 and 5.3 is that now
> >> rule-based forwarding is disabled.
> >>
> >> Is this correct? And what exactly is rule-based forwarding? I'm
> >> guessing that it doesn't really apply to my situation, as in these
> >> cases, I am using IPFW to create a deny all inbound to my laptop when
> >> I'm on the road. But I just want to make sure.
> >>
> >> Thanks,
> >> DW
> >> _______________________________________________
> >> freebsd-security@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >> To unsubscribe, send any mail to
> >> "freebsd-security-unsubscribe@freebsd.org"
> >
> >
> >

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
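A check a defender could script from this thread, as an added example that is not part of the original messages: it tests, from the "ipfw2 initialized" boot line and the kernel options quoted above, whether any fwd rules in a ruleset can actually take effect, and warns when they would be silently inert. The function names, the sample ruleset and the 192.0.2.10 address are assumptions and placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check whether "ipfw fwd" rules on a
# FreeBSD 5.x host can take effect. Rule-based forwarding works only when
# the kernel was built with IPFIREWALL_FORWARD; otherwise the boot message
# says "rule-based forwarding disabled" and any fwd rule is silently inert.
# All inputs are passed as text so the checks run offline.

# Return 0 if the ipfw init line reports rule-based forwarding enabled.
fwd_enabled_in_dmesg() {
    printf '%s\n' "$1" | grep -q 'rule-based forwarding enabled'
}

# Return 0 if the kernel config contains "options IPFIREWALL_FORWARD".
kernel_has_fwd_option() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_FORWARD([[:space:]]|$)'
}

# Print the number of fwd/forward actions in an ipfw ruleset (comments skipped).
count_fwd_rules() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*#' |
        grep -Ec '(^|[[:space:]])(fwd|forward)[[:space:]]' || true
}

# Verdict: returns 1 when fwd rules are present but the kernel cannot honour
# them (the "forward rules broke after upgrading to 5.3" case in the thread).
audit_fwd() {
    dmesg_line=$1; kconf=$2; rules=$3
    n=$(count_fwd_rules "$rules")
    if [ "$n" -eq 0 ]; then
        echo "ok: no fwd rules; single-host firewall, forwarding irrelevant"
        return 0
    fi
    if fwd_enabled_in_dmesg "$dmesg_line" || kernel_has_fwd_option "$kconf"; then
        echo "ok: $n fwd rule(s) and the kernel supports rule-based forwarding"
        return 0
    fi
    echo "WARNING: $n fwd rule(s) but no IPFIREWALL_FORWARD; they will not take effect"
    return 1
}

# Constructed sample inputs (not captured from a real host); 192.0.2.10 is a placeholder.
SAMPLE_DMESG='ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to accept, logging limited to 5 packets/entry by default'
SAMPLE_KCONF='options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT'
SAMPLE_RULES='add 1000 fwd 192.0.2.10,5900 tcp from any to me 5900 in
add 65000 deny ip from any to any in'
status=0
audit_fwd "$SAMPLE_DMESG" "$SAMPLE_KCONF" "$SAMPLE_RULES" || status=$?
echo "audit exit status: $status"
```

On a live host the three inputs would come from `dmesg`, the kernel config file and `ipfw list`; the sample above reproduces the 5.3 situation from the thread and therefore prints the warning.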