Hi peeps,

After compiling ipfw into the new 6.2 kernel, and typing "ipfw list", all I get is:

"65535 deny ip from any to any"

From reading the docs, this might indicate that this is the default rule. (I am certainly protected this way--but can't be very productive ;^) )

By the way, when I run "man ipfw" I get nothing. Using this instead: http://www.hmug.org/man/8/ipfw.php How to install the man pages?

How do I tell where ipfw is reading its config from? Is there a default config file?

The config file location that I specify in rc.conf doesn't appear to be being used:

firewall_script="/usr/local/etc/ipfw.rules"

What is the proper name for the ipfw ruleset file? Some on the Web say that it is "ipfw.rules". Others say it is "rc.firewall".

What is the proper location for the ruleset file? I see all of the following:

/etc/ipfw.rules
/usr/local/etc/ipfw.rules

/etc/rc.firewall
/usr/local/etc/psa/modules/firewall/rc.firewall

Are line numbers required? I see some examples that use line numbers and some do not.

Is there a program to easily "syntax check" a config/ruleset file?

How do I tell if ipfw is running? "ps aux | grep ipfw" doesn't show anything.

I would really appreciate very much some help with this. Many thanks if you can help.

Start Here to Find It Fast!? -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
Gary Palmer
2007-Dec-13 03:00 UTC
IPFW compiled in kernel: Where is it reading the config?
On Thu, Dec 13, 2007 at 01:44:46AM -0600, W. D. wrote:
> Hi peeps,
>
> After compiling ipfw into the new 6.2 kernel, and typing "ipfw list",
> all I get is:
>
> "65535 deny ip from any to any"
>
> From reading the docs, this might indicate that this is the
> default rule. (I am certainly protected this way--but can't
> be very productive ;^) )
>
> By the way, when I run "man ipfw" I get nothing. Using this
> instead: http://www.hmug.org/man/8/ipfw.php How to install
> the man pages?
>
> How do I tell where ipfw is reading its config from? Is
> there a default config file?
>
> The config file location that I specify in rc.conf doesn't
> appear to be being used:
>
> firewall_script="/usr/local/etc/ipfw.rules"

You require firewall_enable="YES" in /etc/rc.conf for the rules to be looked at.

Also, firewall_script may be the wrong configuration parameter to use. firewall_script is expected to be a shell script to configure the firewall. If you just want a file of rules, set firewall_type instead. e.g.

firewall_type="/etc/rc.firewall.rules"
firewall_enable="YES"

and then put your rules one line at a time into the specified file. i.e.

add allow ip from any to any via lo0

(etc)

ipfw is a kernel module. It will not show up in "ps aux". If "ipfw list" does not come back with an error message, then it is likely running. You can check for the ipfw module using kldstat (assuming you did not compile ipfw into a custom kernel).

To check the syntax of a list of rules (note: not a shell script) then you can use

ipfw -n /path/to/rules/file

From the man page:

-n  Only check syntax of the command strings, without actually passing them to the kernel.

Regards,

Gary

>
> What is the proper name for the ipfw ruleset file? Some
> on the Web say that it is "ipfw.rules". Others say
> it is "rc.firewall"
>
> What is the proper location for the ruleset file? I see
> all of the following:
>
> /etc/ipfw.rules
> /usr/local/etc/ipfw.rules
>
> /etc/rc.firewall
> /usr/local/etc/psa/modules/firewall/rc.firewall
>
> Are line numbers required? I see some examples that use line
> numbers and some do not.
>
> Is there a program to easily "syntax check" a config/ruleset
> file?
>
> How do I tell if ipfw is running? "ps aux | grep ipfw"
> doesn't show anything.
>
> I would really appreciate very much some help with this. Many
> thanks if you can help.
>
> Start Here to Find It Fast!? -> http://www.US-Webmasters.com/best-start-page/
> $8.77 Domain Names -> http://domains.us-webmasters.com/
Nash Nipples
2007-Dec-13 04:40 UTC
IPFW compiled in kernel: Where is it reading the config?
not sure. i think that on a running kernel it's either a 1 or 0. on a dead kernel it's still 1 or 0. in the source it's like digging a hole to china.

bye
W. D. wrote:
> At 03:49 12/17/2007, Tuomo Latto wrote:
>> W. D. wrote:
>>> How do I tell which rule is blocking me out? SSH *is* working,
>>> but others are not.
>> It all depends on what you mean by "blocking you out" and "others".
>
> I've been banging my head against this for the past few
> days. I don't get it.

To be fair, you never actually said what exactly your problem is or what it is you are trying to achieve. That makes it very difficult to help.

> My understanding of the way this is supposed to work is
> that:
>
> # HTTP & HTTPS:
> add allow tcp from any to any https in setup
> add allow tcp from any to any http in setup
>
> should let initial HTTP & HTTPS requests through,

Yes, *into* your box. On to the lap of a listening server there.

> and that:
>
> # Allow established connections:
> add allow tcp from any to any established
>
> should allow connections that are "setup" to
> continue. Do I need a "check-state" or "keep-state"
> statement somewhere?

Not for TCP. TCP state can be deduced from the status bits in packets. TCP stack will take care of any false "established" packets.

"setup
    Matches TCP packets that have the SYN bit set but no ACK bit. This is the short form of ``tcpflags syn,!ack''."

> I don't understand what is wrong with the last rule:
>
> # Deny and log everything else:
> add deny log all from any to any
>
> My understanding is that anything that doesn't match
> the previous rules will match this one and hence
> be logged and denied. Is this not correct?

Yes. It blocks everything else. There is nothing wrong with it. See /var/log/security for logged packets.

The problem is that the allow rules are not working as you would expect. You could see if dropping out the "in setup" in HTTP/HTTPS rules makes any difference. But seriously, I don't know what you are *trying* to do, I only see what you are *doing*, so it is difficult to say anything.

Just so you know, I'm hardly an expert myself.

-- 
Tuomo

... When in doubt, mumble..
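Tuomo's reply above explains why these stateless TCP rules work ("setup" is SYN without ACK, "established" is any segment carrying ACK or RST), and Gary's earlier reply describes the one-rule-per-line file that ipfw numbers for you. The block below is an added example, not ipfw's code and not anything posted in this thread: a small Python model of first-match evaluation over the rules W. D. posted, run against constructed packets, so you can see which rule a given packet lands on (the "which rule is blocking me out" question). It assumes ipfw's default auto-numbering step of 100 and the kernel's default rule 65535 shown at the top of the thread.

```python
# Added example (not ipfw, not code from the list): toy first-match evaluator for the
AUTOINC_STEP = 100   # ipfw numbers unnumbered rules in steps of 100
PORTS = {"http": 80, "https": 443}
DEFAULT_RULE = (65535, "deny", {"proto": "ip"}, False)   # what "ipfw list" showed

def parse_rule(line, last_num):
    # add [num] allow|deny [log] proto from any to any [port] [in|out] [setup|established]
    toks = line.split()
    assert toks.pop(0) == "add", "rules file lines start with 'add': " + line
    num = int(toks.pop(0)) if toks[0].isdigit() else last_num + AUTOINC_STEP
    action = toks.pop(0)
    log = toks[0] == "log" and toks.pop(0) == "log"   # consume the optional 'log'
    m = {"proto": toks.pop(0)}
    assert toks[:4] == ["from", "any", "to", "any"], "only any/any modelled: " + line
    toks = toks[4:]
    while toks:
        t = toks.pop(0)
        if t in PORTS:                      m["dport"] = PORTS[t]
        elif t in ("in", "out"):            m["direction"] = t
        elif t in ("setup", "established"): m["tcpstate"] = t
        else: raise ValueError("unsupported option %r: %s" % (t, line))
    return num, action, m, log

def matches(m, p):
    f, st = p["flags"], m.get("tcpstate")
    return (m["proto"] in ("ip", "all", p["proto"])
            and m.get("dport", p["dport"]) == p["dport"]
            and m.get("direction", p["direction"]) == p["direction"]
            and (st != "setup" or ("syn" in f and "ack" not in f))   # = tcpflags syn,!ack
            and (st != "established" or bool(f & {"ack", "rst"})))   # RST or ACK bit set

def load_rules(text):
    rules, last = [], 0
    for line in (l.split("#")[0].strip() for l in text.splitlines()):   # '#' comments
        if line:
            rules.append(parse_rule(line, last)); last = rules[-1][0]
    return rules + [DEFAULT_RULE]        # the kernel's default rule is always last

def evaluate(rules, p):   # first match wins: returns (rule number, action, logged)
    return next((num, act, log) for num, act, m, log in rules if matches(m, p))

def packet(proto, dport=0, flags=(), direction="in"):   # constructed packet shape
    return {"proto": proto, "dport": dport, "flags": set(flags), "direction": direction}

RULESET = """\
add allow tcp from any to any https in setup
add allow tcp from any to any http in setup
add allow tcp from any to any established
add deny log all from any to any
"""
```

An inbound SYN to 443 lands on rule 100, the ACKs that follow on rule 300, and an inbound SYN to any other port (SSH included, if it is not listed) falls through to the logging deny at rule 400, which is what /var/log/security will show.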