Re: IPF firewalling

From: Erik Norgaard (norgaard_at_locolomo.org)
Date: 01/16/05

    Date: Sun, 16 Jan 2005 19:27:09 +0100
    To: gabor.kovesdan@freemail.hu
    
    

    Kövesdán Gábor wrote:

    > pass in quick on rl0 proto udp from any to any port = 68 keep state
    > pass in quick proto udp from any to any port = 53 keep state keep frags

    First I see that you have left out "on rl0" in this line.

    > pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags

    You don't need this. DNS uses port 53, both TCP and UDP.

    > pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
    > pass in quick on rl0 proto tcp from any to any port = 25 keep state
    > pass in quick on rl0 proto tcp from any to any port = 21 keep state
    > pass in quick on rl0 proto tcp from any to any port = 20 keep state
    > pass in quick on rl0 proto tcp from any to any port = 80 keep state

    Use flags S for all TCP rules, for your security.

    > block return-rst in log quick on rl0 proto tcp from any to any
    > block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
    > block in quick on rl0 all
    >
    > pass in quick on lo0 all
    > pass out quick on lo0 all
    >
    > Everything seems okay, except named. Neither the ISP's nameserver (set by
    > the dhcp) nor the local nameserver works. BIND 9 wrote this to
    > /var/log/messages:
    >
    > Jan 16 13:59:35 server named[1028]: starting BIND 9.3.0 -u named -t /usr/local/named -c /etc/named.conf
    > Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
    > Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
    > Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
    > Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
    > Jan 16 13:59:35 server named[1028]: not listening on any interfaces
    > Jan 16 13:59:35 server named[1028]: /etc/named.conf:14: couldn't add command channel 127.0.0.1#953: address in use
    > Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
    > Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
    > Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
    > Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
    >
    >
    > The rndc doesn't matter, I'm not going to use it, but named can listen on
    > neither the network nor the loopback interface. Could you suggest any
    > solution for this trouble? Btw, this machine is going to be a web, dns,
    > mail, etc. server and is being tested on an ordinary cable connection,
    > that's why I'm using dhcp.

    First, the named problem does not seem to be related to the firewall
    ruleset - try taking the host offline, flush all rules and see if you can
    start named or get the same error.

    For your security, I suggest you use groups to organize the rules and
    write a default action explicitly; the first lines:

    block in all
    block out all

    (no quick here). Then split according to interface, first let lo0 loose:

    pass in quick on lo0 all
    pass out quick on lo0 all

    follow with groups for each interface. Groups really help you track
    down filter problems and stay sane. See the ipf-howto. Also be
    consistent, using "keep state keep frags" and "flags S" everywhere.

    I see you have also tried to set up ftp in the above ruleset; ftp won't
    work with this, and it really requires an understanding of ftp to get it
    right. Maybe keep it simple and remove ftp for a start.

    Cheers, Erik

    -- 
    Ph: +34.666334818                                  web: www.locolomo.org
    S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
    Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
    Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
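As an added illustration (not part of the thread, not Erik's or Gábor's rules), here is one way to lay out the ruleset along the lines suggested in the reply: an explicit default block without "quick", lo0 passed unconditionally, then one ipf group per direction on the external interface, with "flags S" and "keep state keep frags" applied consistently and ftp left out. The interface names rl0 and lo0 and the ports come from the thread; the group numbers and the outbound rules are assumptions.

```text
# Added example ruleset (ipf.rules), not from the original post.
# Assumed: rl0 is the external interface (from the thread); group
# numbers 100/200 and the outbound section are this example's choices.

# Explicit default policy. No "quick": a later matching rule overrides it.
block in all
block out all

# Loopback is trusted; let it through unconditionally.
pass in quick on lo0 all
pass out quick on lo0 all

# Inbound on rl0. The head rule's action (block and log) applies to any
# packet that no rule in group 100 passes, so the logged drops show up
# in ipmon and nothing reaches a service by accident.
block in log quick on rl0 all head 100
  # DHCP client replies from the ISP (the host gets its address by dhcp)
  pass in quick proto udp from any to any port = 68 keep state keep frags group 100
  # DNS on port 53 only, both transports; port 42 is not needed
  pass in quick proto udp from any to any port = 53 keep state keep frags group 100
  pass in quick proto tcp from any to any port = 53 flags S keep state keep frags group 100
  # SSH, SMTP, HTTP: "flags S" on every tcp rule so only a new connection
  # (SYN) can create a state entry; mid-stream segments are dropped
  pass in quick proto tcp from any to any port = 22 flags S keep state keep frags group 100
  pass in quick proto tcp from any to any port = 25 flags S keep state keep frags group 100
  pass in quick proto tcp from any to any port = 80 flags S keep state keep frags group 100
  # ftp (ports 20/21) intentionally omitted until its data-channel
  # handling is understood, as the reply suggests

# Outbound on rl0 (assumed): let the host initiate connections and keep
# state so the replies are matched by the state table, not by the rules.
block out log quick on rl0 all head 200
  pass out quick proto tcp from any to any flags S keep state keep frags group 200
  pass out quick proto udp from any to any keep state keep frags group 200
  pass out quick proto icmp from any to any keep state group 200
```

Because the inbound head rule blocks and logs whatever group 100 does not pass, a service that stops answering can be checked by reading the ipmon log rather than by reordering rules.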
    
