Displaying 20 results from an estimated 900 matches similar to: "ipfw question"
2003 Oct 30
1
Using racoon-negotiated IPSec with ipfw and natd
[ -netters, please Cc me or security@ with replies. ]
I'm running into trouble integrating dynamic racoon-based IPSec into a network
with ipfw and natd. I need to be able to allow VPN access from any address
from authenticated clients. I've got the dynamic VPN working, with racoon
negotiating SAs and installing SPs, but the problem is that I can't tell
whether an incoming packet on
2003 Jun 11
7
IPFW: combining "divert natd" with "keep-state"
I've been using ipfw for a while to create a router with NAT
and packet filtering, but have never combined it with
stateful filtering, instead using things like "established" to
accept incoming TCP packets which are part of a conversation
initiated from the "inside".
I'd like to move to using keep-state/check-state to get tighter
filtering and also to allow outgoing
2005 May 11
3
icmp problem
hi i have a problem with my icmp, i have a router that
performs nat. i cannot ping to internet hosts from
more than one stations situated behind NAT at once. if
i want to ping from another station i have to stop the
ping that was initiated from the first host, and after
a few seconds i can ping from another station. i've
checked firewall and i have no ipfw rules that could
stop icmp traffic.
2003 Dec 19
6
Configuring JAIL to bind on lo0 interface
Hello,
I have configured jail for users with sshd ftpd and auth. I started this
jail on IP 127.0.0.10(there is an alias on lo0 interface), there was
not any bigger problem to start it. But i have a problem with internet in
this jail. I can log in to this jail through ssh or ftpd but i can't
connect to the internet. I try to set up some kind of nat but it doesn't
work.
Can anybody help me
2003 Sep 20
4
Maximum retries exceeded w/SIP
First of all, I'd like to send a big "thank you" to all the folks who have
helped me get this far.
Now on to the next problem. Here's my current network setup:
The Big I ---+--- FreeBSD FW --- * (10.0.0.253) ---- PC (10.0.0.1)
             |
             +--- Laptop (public IP)
natd is set up with the following rules:
redirect_port udp 10.0.0.253:10000-20000 10000-20000
2004 May 11
3
quick FW question
I hope this isn't too off topic, but I'd like a quick solution to a
problem.
I have a small network behind a NAT firewall (FreeBSD of course) and I'd
like to block/redirect all traffic from the internal network to the
local mail server (same box as firewall) in order to prevent direct smtp
requests to the outside world (mainly virus/trojan programs).
I think I have it right in this
2004 Dec 25
5
How to connect two Asterisks as secure as possible without too much additional bandwidth ?
Hi,
I plan to connect to remote Asterisk that will terminate calls to ISDN
primary channel. I'd certainly like to secure this type of service, so would
kindly ask for any advice on how to secure this authentication as much as
reasonably possible.
Since there is long IP route I guess VPN will take too much additional
bandwidth...
Regards,
Robert.
2009 Mar 30
1
List assignment in a while loop and timing
Hello R users
I have question about the time involved in list assignment.
Consider the following code snippet(see below). The first line creates
a reader object,
which is the interface to 1MM key-value pairs (serialized R objects) spanning 50
files (a total of 50MB). rhsqstart initiates the reading and I loop, reading
each key-value pair using rhsqnextKVR. If this returns NULL, we switch to the
2003 Apr 14
2
NAT proxy concepts
Hi Guys
I have been taking a close look at some networking
opportunities which are being frustrated by the limits which
are imposed by NAT. In particular the constraints imposed by
the embargo on double NATing have an impact for a project I
am working on. Has anyone ever seen anything which I would
conceptually describe as a reverse NAT proxy?
What I want to be able to do is to be able to create
2006 Apr 17
3
IPFW Problems?
Hi,
I have a system with a 4.11 Kernel. Unless I'm doing something very
wrong, there seems to be something odd with ipfw.
Take the following rules:
ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
ipfw add 00499 deny log
2003 Oct 22
9
IPSec VPNs: to gif or not to gif
I will shortly be replacing a couple of proprietary VPN boxes
with a FreeBSD solution. Section 10.10 of the Handbook has a
detailed description of how to do this.
However I remember a lot of discussion about a year ago about
whether the gif interface was necessary to set up VPNs like
this or whether it was just a convenience, for "getting the
routing right". A number of people said
2008 Mar 09
2
Dead Air on PF firewall
Hi All,
I have an asterisk box on my DMZ, and I'm using a PF for my firewall, I
can make a call but for some reason I have dead air.
Any Ideas? below are my rules...
ext_if = "bce0"
int_if = "bce1"
altitude = "172.16.1.0/24"
#### machines ####
vbox = "172.16.1.1"
uci = "172.16.1.4"
voices = "203.172.x.1"
ipc =
2002 Feb 20
2
NTLM and RDR Security Signatures
Hello,
I've been using samba to share files on a Redhat server within a windows
NT domain. Recently, security policies in the domain have changed, and
security signatures are required for the LanManServer and Rdr services.
Now that this has been deployed, I get an error when I try to connect to
the SMB shares on the Redhat server from Windows hosts saying "account
is not authorized to log
2003 Nov 21
0
how to get IPFW rules for SMTP server behind NAT server "right"?
hi all,
i've been struggling with setting appropriate rules for an SMTP-server
behind my NAT'd firewall.
it's not that there is too little info on the web -- or here, for that
matter -- there's scads of it for seemingly endless configs/req'ts --
none that seem to be exactly my own.
bottom line: i'm a bit confused, and looking for some experienced
advice.
my goals (for
2001 Apr 04
3
Problems Using the MultipleUsersOnConnection Registry Key in WTS NT4
Hi.
I am running SAMBA 2.0.7 on HP-UX 11.00 and HP-UX 10.20.
I have tried adding the MultipleUsersOnConnection registry key onto my
Microsoft Windows NT Server 4 Terminal Server Edition servers, running with
Service Pack 6. After I make this change in the registry and reboot my WTS
servers all my samba connections from the servers are still being made with
one process instead of being split
2003 May 31
3
Packet flow through IPFW+IPF+IPNAT ?
Hi.
On my FreeBSD 4.8 configured IPFW2+IPF+IPNAT and I use them all:
- IPFW - traffic accounting, shaping, balancing and filtering;
- IPFilter - policy routing;
- IPNAT - masquerading.
I want to know, how IP-packets flow through all of this components?
What's the path?
incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
outgoing: IPFW Layer2 ->
2007 Mar 21
4
Reality check: IPFW sees SSH traffic that sshd does not?
This note is essentially a request for a reality check.
I use IPFW & natd on the box that provides the interface between my home
networks and the Internet; the connection is (static) residential DSL.
I configured IPFW to accept & log all SSH "setup" requests, and use natd
to forward such requests to an internal machine that only accepts public
key authentication; that
2001 Apr 05
2
write behind operation warning. What's it mean.
Dear All,
We are seeing the following warning messages in event logs on PCs that are accessing a
Samba server (Solaris 2.7, samba 2.0.6):-
03/03/04/2001,14:44:04,Rdr,Warning,None,3025,N/A,CIS-C033-04,A write-behind operation has
failed to the remote server ilex. The data contains the amount requested to write and the
amount actually written.
What does this message actually mean? Does it
2006 Mar 28
1
Problems with pf + ftp-proxy on gateway
I'm trying to use pf + ftp-proxy on a 6.1-PRERELEASE machine.
I have this line on inetd.conf:
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n
And these lines on pf.conf:
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy
pass in quick on $ext_if inet proto tcp from any port ftp-data to $ext_if:0 user proxy flags S/SA keep
2004 Feb 24
3
improve ipfw rules
>> 3. I'm interested in blocking kazaa/P2P traffic with IPFW any help in this
issue
you could possibly block connections at known p2p ports.
deny tcp from any to any 6699 step
but most of the newer protocols use dynamic ports and in turn, are
configurable.
so ipfw isn't exactly ideal on its own for this.
-r.
-----Original Message-----
From: Pons [mailto:pons@gmx.li]
Sent: