similar to: connection limit with ipfw

Hi all: I have strange probelm with rc.conf. I set up ipfw (compiled into kernel) on freebsd-5.4 and it doesn't seem to load ipfw rulesets (it uses default ruleset 65335 locking out everything). I have to do "sh /etc/ipfw.rules" in order to load the rulesets, once I did that, I can access the box from remote locations here is my rc.conf: host# more /etc/rc.conf

Hi peeps, After compiling ipfw into the new 6.2 kernel, and typing "ipfw list", all I get is: "65535 deny ip from any to any" From reading the docs, this might indicate that this is the default rule. (I am certainly protected this way--but can't be very productive ;^) ) By the way, when I run "man ipfw" I get nothing. Using this instead:

Hi. On my FreeBSD 4.8 configured IPFW2+IPF+IPNAT and I use them all: - IPFW - traffic accounting, shaping, balancing and filtering; - IPFilter - policy routing; - IPNAT - masquerading. I want to know, how IP-packets flow through all of this components? What's the path? incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ? outgoing: IPFW Layer2 ->

Dear W.D. Do you understand that by adding the rules into kernel space numbered from zero to sixty five thousand five hundred thirty four you may alter the behavior of the rule number sixty five thousand five hundred thirty five can you please define and list the goals you are trying to achieve by altering default rule in the terms you can both explain and understand. ----- Original Message

Hi, I am using IPFW on FreeBSD 4.11 I am facing two problems: - SSH sessions timeout after a while - When I run "/sbin/ipfw -q -f flush" in the rules script all connection get reset (and I am thrown out of the box). Is this standard functioning of ipfw or do I need to change any configuration? Thanks, Siddhartha

Hi, I think this is worth a note. It was generally said the decision between deny and reject (aka unreach) could be taken lightly - and most people seem to prefer "deny", which complicates things for an attacker, because packets just vanish without any report and tasks timeout. But from my viewpoint, this argument falls into the category "security by obscurity", and I found

>> 3. I'm intrested in blocking kazaa/P2P trafic with IPFW any help in this issue you could possibly block connections at known p2p ports. deny tcp from any to any 6699 step but most of the newer protocols use dynamic ports and in turn, are configurable. so ipfw isn't exactly ideal on it's own for this. -r. -----Original Message----- From: Pons [mailto:pons@gmx.li] Sent:

Hi I'm having a problem with ipfw, I think. For some reason it denies packets randomly for example: PING 196.14.239.2 (196.14.239.2): 56 data bytes ping: sendto: Permission denied ping: sendto: Permission denied 64 bytes from 196.14.239.2: icmp_seq=2 ttl=63 time=0.258 ms 64 bytes from 196.14.239.2: icmp_seq=3 ttl=63 time=0.233 ms 64 bytes from 196.14.239.2: icmp_seq=4 ttl=63

This note is essentially a request for a reality check. I use IPFW & natd on the box that provides the interface between my home networks and the Internet; the connection is (static) residential DSL. I configured IPFW to accept & log all SSH "setup" requests, and use natd to forward such requests to an internal machine that only accepts public key authentication; that

I've been using ipfw for a while to create a router with NAT and packet filtering, but have never combined it with stateful filtering, instead using things like "established" to accept incoming TCP packets which are part of a conversation initiated from the "inside". I'd like to move to using keep-state/check-state to get tighter filtering and also to allow outgoing

Hello, i hope this is the right list! I tried making a firewall for my laptop..it wasn't as terribly difficult as i thought it would be but i'm not sure if i forgot anything. And things can always be done better :) I'm not sure what i should've put under incoming connections... what i have put there now is pretty useless because the default is to deny, but should i accept any

Hi, I'm using kernel FreeBSD 10.0-BETA3 #2 r257635 kernel. I am trying to add port number to ipfw tables. But there is something strange : Problem is easily repeatable. #ipfw table 1 flush #ipfw table 1 add 4899 #ipfw table 1 list ::/0 0 #ipfw table 1 flush #ipfw table 1 add 10.2.3.01 ( not 10.0.0.1, the last 1 has 0 as prefix ) #ipfw table 1 list ::/0 0 #ipfw table 1 delete ::/0

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:13.ipfw Security Advisory The FreeBSD Project Topic: ipfw packet matching errors with address tables Category: core Module: netinet

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:13.ipfw Security Advisory The FreeBSD Project Topic: ipfw packet matching errors with address tables Category: core Module: netinet

[ -netters, please Cc me or security@ with replies. ] I'm running into trouble integrating dynamic racoon-based IPSec into a network with ipfw and natd. I need to be able to allow VPN access from any address from authenticated clients. I've got the dynamic VPN working, with racoon negotiating SAs and installing SPs, but the problem is that I can't tell whether an incoming packet on

>Date: Sun, 23 Dec 2007 06:04:02 -0800 (PST) >From: Nash Nipples <trashy_bumper@yahoo.com> >To: freebsd-security@freebsd.org >Subject: Re: IPFW: Blocking me out. How to debug? > >Dear W.D. > >oh come on. i have the same problem. Which problem are we talking about? cut and paste problem. >cut and paste logic: > >#!/bin/sh >#1. count packets >#2.

Hi, I have a system with a 4.11 Kernel. Unless I'm doing something very wrong, there seems to be something odd with ipfw. Take the following rules: ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep- state ipfw add 00299 deny log all from any to any out via bge0 ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2 ipfw add 00499 deny log

-- On Friday, November 21, 2003 12:48 PM -0800 "David Wolfskill - david@catwhisker.org" <+freebsd-security+openmacnews+0459602105.david#catwhisker.org@spamgourmet.com> wrote: David, thanks for your reply! >> i've been struggling with setting appropriate rules for an SMTP-server >> behind by NAT'd firewall. > > OK.... <snip> > >>

Hi, Is it possible to integrate SNORT with IPFW. I have an entire network behind an IPFW BRIDGE. Just need IDS capability enabled for the network. Just an hint is enough. Any other way I can achieve this in IPFW. -Sunil Sunder Raj

Hi all: Did any one use ipfw with CARP before? is there anything specific about ipfw configurations working with CARP? I have two servers and they configured with CARP. they are working fine except i can't turn on ipfw. I have the exact same configuration except ip addresses; those same rule sets of ipfw work on one server but not on another. Thanks all