Current problem reports assigned to freebsd-ipfw@FreeBSD.org

2011-07-18 Thread FreeBSD bugmaster
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker  Resp.  Description

o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
p kern/157957  ipfw   [libalias][patch] alias_ftp does not alias data sessio
p kern/157867  ipfw   [patch][ipfw] natd globalport support for ipfw nat
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw   [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call 
o kern/153161  ipfw   IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
f kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
f kern/143474  ipfw   [ipfw] ipfw table contains the same address
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
p kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
f kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to 
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
f kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

47 problems total.

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


ipfw and nat problem

2011-07-18 Thread David van Rensburg - PC Network
Hi

I've been having a problem with ipfw and nat. I can get nat to work but I want 
the following:
My lan must only have access to outgoing port 80
I want to be able to allow some lan users access to ftp and outgoing 3389 
(remote desktop), but by default only port 80
I have a transparent proxy working in ipfw.
I want to be able to limit outgoing and incoming to the freebsd server 
according to port.
I want a default deny.

ANY help, or a pointer in the right direction, would be great. I have been 
googling for a week now and can't find anything similar. Most examples don't use 
a default deny and don't allow certain services to the lan users.

oif="rl0"
freebsd box with 2 network cards
192.168.1.3 - lan side (all lan clients 192.168.1.x)
192.168.0.2 - router side of card (machine default gateways to 192.168.0.1 
which is the router)
rc.conf:
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-s -u -m"
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
#firewall_type="simple blah"
firewall_script="/etc/firewall.local"

natd_flags="-f /etc/natd.conf"

I'm using the following rules, which aren't working properly; e.g. the actual 
FreeBSD box can ftp out for some reason.
00100   0 0 divert 8668 ip from not me to any via rl0
00150   0 0 fwd 192.168.1.3,3128 tcp from not me to any dst-port 80
00250  24  1440 allow ip from any to any via lo0
00350   0 0 deny ip from any to 127.0.0.0/8
00450   0 0 deny ip from 127.0.0.0/8 to any
00550   0 0 deny tcp from any to any frag
00650   0 0 check-state
00750 241 27480 allow tcp from any to any established
00850  24  5676 allow ip from any to any out keep-state
00950   0 0 allow tcp from any to any dst-port 22 in
01050   0 0 allow tcp from any to any dst-port 22 out
01150   0 0 allow udp from any to any dst-port 53 in
01250   0 0 allow tcp from any to any dst-port 53 in
01350   0 0 allow udp from any to any dst-port 53 out
01450   0 0 allow tcp from any to any dst-port 53 out
01550   0 0 allow tcp from 192.168.1.99 to any dst-port 3389
01650 462 53744 deny ip from any to any
65535 122 12588 allow ip from any to any


David van Rensburg
PC Network
Tel: 0215107600
Fax: 0215104165
www.pcnetwork.co.za




FW: ipfw and nat problem

2011-07-18 Thread David van Rensburg - PC Network

>Hi
>
>Yes sorry - I suppose I was assuming that goes without saying.
>Will open 443 for https and close 80 and do a transparent squid proxy
>which I got to work.
>
>I just can't seem to understand in and out.
>Does in mean INTO the BOX or into the specific interface? What happens if
>you don't specify an interface when you say in or out?
>OR does in mean into the internal network from outside or just into the
>box?
>
>Please just elaborate on that for me?
>
>David.
>
>On 2011/07/18 8:32 PM, "Chuck Swiger"  wrote:
>
>>On Jul 18, 2011, at 10:41 AM, David van Rensburg - PC Network wrote:
>>> Ive been having a problem with ipfw and nat. I can get nat to work but
>>>I want the following:
>>> My lan must only have access to outgoing port 80
>>
>>For web access to be useful for most cases, you also need to permit 443
>>for HTTPS.
>>
>>> I want to be able to allow some lan users access to ftp and outgoing
>>>3389 (remote desktop), but by default only port 80
>>> I have transparent proxy work in ipfw.
>>> I want to be able to limit outgoing and incoming to the freebsd server
>>>according to port.
>>> I want a default deny.
>>
>>You haven't mentioned anything about DNS, NTP, SMTP & POP3/IMAP.  For web
>>access or remote desktop to function, you'll need to permit DNS traffic
>>so they can find the machines they are connecting to.  And most networks
>>want to have network time and email working.
>>
>>> ANY help or point me in the right direction would be great. I have been
>>>googling for a week now and cant find anything similar. Most examples
>>>don't use a default deny and don't allow certain services to the lan
>>>users.
>>
>>Start with:
>>
>>  http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>>
>>...and the books recommended in /etc/rc.firewall:
>>
>># If you don't know enough about packet filtering, we suggest that you
>># take time to read this book:
>>#
>># Building Internet Firewalls, 2nd Edition
>># Brent Chapman and Elizabeth Zwicky
>>#
>># O'Reilly & Associates, Inc
>># ISBN 1-56592-871-7
>># http://www.ora.com/
>># http://www.oreilly.com/catalog/fire2/
>>#
>># For a more advanced treatment of Internet Security read:
>>#
>># Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
>># William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
>>#
>># Addison-Wesley / Prentice Hall
>># ISBN 0-201-63466-X
>># http://www.pearsonhighered.com/
>># http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html
>>
>>Regards,
>>-- 
>>-Chuck
>>
>>
>


Re: ipfw and nat problem

2011-07-18 Thread Chuck Swiger
On Jul 18, 2011, at 11:53 AM, David van Rensburg - PC Network wrote:
> Yes sorry - I suppose I was assuming that goes without saying.

Well, you can't design working firewall rulesets with unstated requirements.

> Will open 443 for https and close 80 and do a transparent squid proxy
> which I got to work.

You need to permit *both* 80 and 443, either directly or via the Squid proxy.

> I just can't seem to understand in and out.
> Does in mean INTO the BOX or into the specific interface? What happens if
> you don't specify an interface when you say in or out?
> OR does in mean into the internal network from outside or just into the
> box?
> 
> Please just elaborate on that for me ?

In refers to incoming traffic to the box running IPFW (and also NAT'ed traffic 
which gets re-written by natd to your internal clients); out refers to traffic 
generated from the box (and/or from NAT traffic from internal machines via 
natd).  If that doesn't make sense, consider using "recv", "xmit", and "via 
ifX" instead:

 recv | xmit | via {ifX | if* | ipno | any}
 Matches packets received, transmitted or going through, respec-
 tively, the interface specified by exact name (ifX), by device
 name (if*), by IP address, or through some interface.

 The via keyword causes the interface to always be checked.  If
 recv or xmit is used instead of via, then only the receive or
 transmit interface (respectively) is checked.  By specifying
 both, it is possible to match packets based on both receive and
 transmit interface, e.g.:

   ipfw add deny ip from any to any out recv ed0 xmit ed1

 The recv interface can be tested on either incoming or outgoing
 packets, while the xmit interface can only be tested on outgoing
 packets.  So out is required (and in is invalid) whenever xmit is
 used.

 A packet may not have a receive or transmit interface: packets
 originating from the local host have no receive interface, while
 packets destined for the local host have no transmit interface.

Regards,
-- 
-Chuck



Re: FW: ipfw and nat problem

2011-07-18 Thread Grégoire Leroy
Hi,

> >I just can't seem to understand in and out.
> >Does in mean INTO the BOX or into the specific interface? What happens if
> >you don't specify an interface when you say in or out?
> >OR does in mean into the internal network from outside or just into the
> >box?

in and out are filters, like from and to. If you don't specify the interface, 
it'll match all packets which go into the box (or go out, for out).
If you specify an interface, it'll be more precise.

Example:

# In and out packets which go through outgoing interface
from any to any via oif

# idem, but in packets only
from any to any in via oif

# out packets through all interfaces
from any to any out

Regards,
Grégoire Leroy


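
The direction and interface keywords explained in the two replies above (Chuck's recv/xmit/via excerpt from ipfw(8) and Grégoire's in/out examples) are easiest to follow in a complete ruleset, so here is one for the gateway described in this thread. It is an added example written for this archive, not code from the thread, from the FreeBSD handbook or from rc.firewall. It assumes rl0 is the external interface (192.168.0.2), alc0 the LAN interface (192.168.1.3, where the posted fwd rule sends port-80 traffic to Squid on 3128), 192.168.1.0/24 the LAN and 192.168.1.99 the one host allowed FTP and RDP; the rule numbers, the comments and the FW_DRY_RUN switch are mine. The structure is the stateful skipto-to-divert pattern the second posted ruleset uses: outbound policy is decided before the outbound divert, because after natd rewrites the source address every LAN packet looks like it came from the gateway itself.

```shell
#!/bin/sh
# Added example: a default-deny ipfw ruleset for a NAT gateway, written as an
# rc.conf firewall_script. Not code from this thread or from rc.firewall.
# Assumed layout: rl0 faces the router (192.168.0.2), alc0 faces the LAN
# (192.168.1.3), transparent Squid listens on 192.168.1.3:3128, and
# 192.168.1.99 is the single LAN host allowed FTP and RDP.
oif="rl0"                    # external interface
iif="alc0"                   # LAN interface
lan="192.168.1.0/24"
proxy="192.168.1.3,3128"     # transparent Squid (ipfw fwd target)
admin="192.168.1.99"         # the only LAN host allowed ftp and 3389

# ${fwcmd} is the same hook rc.firewall uses. Set FW_DRY_RUN=1 (or run this on
# a host without /sbin/ipfw) to print the rules instead of loading them.
fwcmd="/sbin/ipfw"
if [ -n "${FW_DRY_RUN}" ] || [ ! -x "${fwcmd}" ]; then
    fwcmd="echo ipfw"
fi

build_rules() {
    ${fwcmd} -q flush

    # Loopback and anti-spoofing. "in recv rl0" = arrived from the Internet.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any
    ${fwcmd} add 130 deny ip from ${lan} to any in recv ${oif}

    # Un-NAT inbound packets before check-state, so the dynamic rules see the
    # real internal destination.
    ${fwcmd} add 200 divert natd ip from any to any in recv ${oif}
    ${fwcmd} add 300 check-state

    # Transparent proxy. fwd is a terminating action and this rule keeps no
    # state, so Squid's replies (sent towards the LAN from the intercepted
    # server address, port 80) need their own allow. Rule 410 ensures such
    # packets can only originate on this box: no LAN host may reach port 80
    # directly, so one arriving from the Internet can only be forged.
    ${fwcmd} add 400 fwd ${proxy} tcp from ${lan} to any dst-port 80 in recv ${iif}
    ${fwcmd} add 410 deny tcp from any 80 to ${lan} in recv ${oif}
    ${fwcmd} add 420 allow tcp from any 80 to ${lan} out xmit ${iif} established

    # LAN side. A forwarded packet passes ipfw twice (in on alc0, out on rl0):
    # let transit traffic through here and decide in rules 500-540, where the
    # source is still the real LAN address. Traffic aimed at the gateway
    # itself is limited to ssh from the admin host.
    ${fwcmd} add 430 allow tcp from ${admin} to me dst-port 22 in recv ${iif} setup keep-state
    ${fwcmd} add 435 deny log ip from any to me in recv ${iif}
    ${fwcmd} add 440 allow ip from ${lan} to any in recv ${iif}

    # Outbound policy, evaluated BEFORE the outbound divert so per-host rules
    # can match. Permitted sessions jump to the NAT rule at 800; check-state
    # replays the same jump for their reply packets.
    ${fwcmd} add 500 skipto 800 udp from ${lan} to any dst-port 53 out xmit ${oif} keep-state
    ${fwcmd} add 510 skipto 800 tcp from ${lan} to any dst-port 443 out xmit ${oif} setup keep-state
    ${fwcmd} add 520 skipto 800 tcp from ${admin} to any dst-port 21,3389 out xmit ${oif} setup keep-state
    # The gateway's own traffic: Squid's upstream fetches, DNS and NTP.
    ${fwcmd} add 530 skipto 800 tcp from me to any dst-port 80,443 out xmit ${oif} setup keep-state
    ${fwcmd} add 540 skipto 800 udp from me to any dst-port 53,123 out xmit ${oif} keep-state

    # Services the gateway offers on the Internet side.
    ${fwcmd} add 600 allow tcp from any to me dst-port 22 in recv ${oif} setup limit src-addr 2

    # Default deny, logged. Rules 800+ are reachable only through skipto.
    ${fwcmd} add 690 deny log ip from any to any

    ${fwcmd} add 800 divert natd ip from any to any out xmit ${oif}
    ${fwcmd} add 810 allow ip from any to any
}

build_rules
```

Check the output with `FW_DRY_RUN=1 sh firewall.local` before pointing firewall_script at it, and load it from the console rather than over ssh the first time. The admin host's FTP control connection is permitted, but FTP data connections are not; natd's -punch_fw option can open those on demand. An early bidirectional divert such as `divert natd ip from any to any via rl0` placed ahead of the policy rules defeats any rule keyed on a LAN source address on the external interface's outbound pass, because the source has already been rewritten by the time later rules see the packet.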


Re: ipfw and nat problem

2011-07-18 Thread David van Rensburg - PC Network
Ok, so why can't I resolve names here? I've added rules 20 and 21.
I've deleted rule 60, then I can't telnet mailserver 25, so the set seems to
be working...



[root@bsd ~]# ipfw show
00005 589 53220 allow ip from any to any via alc0
00010   0 0 allow ip from any to any via lo0
00011   0 0 fwd 192.168.1.3,3128 tcp from not me to any dst-port 80
00014   0 0 divert 8668 ip from any to any in via rl0
00015   0 0 check-state
00020   0 0 skipto 800 udp from any to any dst-port 53 out via rl0 setup keep-state
00021   0 0 skipto 800 tcp from any to any dst-port 53 out via rl0 setup keep-state
00040   0 0 skipto 800 tcp from any to any dst-port 80 out via rl0 setup keep-state
00050   0 0 skipto 800 tcp from any to any dst-port 443 out via rl0 setup keep-state
00060   0 0 skipto 800 tcp from any to any dst-port 25 out via rl0 setup keep-state
00061   0 0 skipto 800 tcp from any to any dst-port 110 out via rl0 setup keep-state
00080   0 0 skipto 800 icmp from any to any out via rl0 keep-state
00110   0 0 skipto 800 tcp from any to any dst-port 22 out via rl0 setup keep-state
00120   0 0 skipto 800 tcp from any to any dst-port 43 out via rl0 setup keep-state
00130   0 0 skipto 800 udp from any to any dst-port 123 out via rl0 keep-state
00300   0 0 deny ip from 192.168.0.0/16 to any in via rl0
00301   0 0 deny ip from 172.16.0.0/12 to any in via rl0
00302   0 0 deny ip from 10.0.0.0/8 to any in via rl0
00303   0 0 deny ip from 127.0.0.0/8 to any in via rl0
00304   0 0 deny ip from 0.0.0.0/8 to any in via rl0
00305   0 0 deny ip from 169.254.0.0/16 to any in via rl0
00306   0 0 deny ip from 192.0.2.0/24 to any in via rl0
00307   0 0 deny ip from 204.152.64.0/23 to any in via rl0
00308   0 0 deny ip from 224.0.0.0/3 to any in via rl0
00315   0 0 deny tcp from any to any dst-port 113 in via rl0
00320   0 0 deny tcp from any to any dst-port 137 in via rl0
00321   0 0 deny tcp from any to any dst-port 138 in via rl0
00322   0 0 deny tcp from any to any dst-port 139 in via rl0
00323   0 0 deny tcp from any to any dst-port 81 in via rl0
00330   0 0 deny ip from any to any frag in via rl0
00332   0 0 deny tcp from any to any established in via rl0
00370   0 0 allow tcp from any to me dst-port 80 in via rl0 setup limit src-addr 2
00380   0 0 allow tcp from any to me dst-port 22 in via rl0 setup limit src-addr 2
00385   0 0 allow tcp from any to any dst-port 22
00390   0 0 allow tcp from any to me dst-port 23 in via rl0 setup limit src-addr 2
00400   0 0 deny log logamount 5 ip from any to any in via rl0
00450   4   240 deny log logamount 5 ip from any to any out via rl0
00800   0 0 divert 8668 ip from any to any out via rl0
00801   0 0 allow ip from any to any
00999   0 0 deny log logamount 5 ip from any to any
65535   0 0 allow ip from any to any




Re: ipfw and nat problem

2011-07-18 Thread Chuck Swiger
On Jul 18, 2011, at 10:41 AM, David van Rensburg - PC Network wrote:
> Ive been having a problem with ipfw and nat. I can get nat to work but I want 
> the following:
> My lan must only have access to outgoing port 80

For web access to be useful for most cases, you also need to permit 443 for 
HTTPS.

> I want to be able to allow some lan users access to ftp and outgoing 3389 
> (remote desktop), but by default only port 80
> I have transparent proxy work in ipfw.
> I want to be able to limit outgoing and incoming to the freebsd server 
> according to port.
> I want a default deny.

You haven't mentioned anything about DNS, NTP, SMTP & POP3/IMAP.  For web 
access or remote desktop to function, you'll need to permit DNS traffic so they 
can find the machines they are connecting to.  And most networks want to have 
network time and email working.

> ANY help or point me in the right direction would be great. I have been 
> googling for a week now and cant find anything similar. Most examples don't 
> use a default deny and don't allow certain services to the lan users.

Start with:

  http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

...and the books recommended in /etc/rc.firewall:

# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#   Building Internet Firewalls, 2nd Edition
#   Brent Chapman and Elizabeth Zwicky
#
#   O'Reilly & Associates, Inc
#   ISBN 1-56592-871-7
#   http://www.ora.com/
#   http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
#   Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
#   William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
#
#   Addison-Wesley / Prentice Hall
#   ISBN 0-201-63466-X
#   http://www.pearsonhighered.com/
#   http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html

Regards,
-- 
-Chuck



Re: ipfw and nat problem

2011-07-18 Thread Chuck Swiger
On Jul 18, 2011, at 12:17 PM, David van Rensburg - PC Network wrote:
> In can mean traffic going from the lan to the internet AND from the
> internet to the lan because either way it goes into the box as if flows
> through the box correct?

Yes, I think so.  Most people seem to prefer to use "recv via 
_external_interface_" rather than "in" to identify traffic from the Internet at 
large incoming towards their machine or local subnet.

Regards,
-- 
-Chuck
