similar to: tripwire port broken?

Hey Guys, today I upgraded to 4.8-RELEASE-p15. As usual I set IPFIREWALL to default accept in my kernel config file. Config & make weren't complaining so, installed the kernel, reboot and there it was: >IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled Another rebuild didn't work out so... I reviewed

Hi all, I'm just setup a new freebsd to be a ftp server. ftp-ing from localhost was success, but when i was trying to ftp from other ip, got result "Connection closed by remote host." Kernel already configure with firewall (with options FIREWALL_DEFAULT_TO_ACCEPT). rc.conf file already contain "firewall_type=open". What could be the problem? I can seem to solve this

Hi all: I have strange probelm with rc.conf. I set up ipfw (compiled into kernel) on freebsd-5.4 and it doesn't seem to load ipfw rulesets (it uses default ruleset 65335 locking out everything). I have to do "sh /etc/ipfw.rules" in order to load the rulesets, once I did that, I can access the box from remote locations here is my rc.conf: host# more /etc/rc.conf

Hi there, Is there some way to configure ipfw to do traffic normalizing ("scrubbing", as in ipf for OpenBSD)? Is there any tool to do it for FreeBSD firewalling? I've heard that ipf was ported on current, anything else? TIA, /Dorin. __________________________________ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools

Hello, I noticed that after enabling firewall in my kernel (5.3-release), my dmesg now gives me this: ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to accept, logging limited to 5 packets/entry by default On 5.2.1, I used to get this: ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to accept, logging disabled If both cases, I am

Hi peeps, After compiling ipfw into the new 6.2 kernel, and typing "ipfw list", all I get is: "65535 deny ip from any to any" From reading the docs, this might indicate that this is the default rule. (I am certainly protected this way--but can't be very productive ;^) ) By the way, when I run "man ipfw" I get nothing. Using this instead:

I have a grown list of IPs that I am "deny ip from ###.### to any". Infected machines, hackers, etc.. Is there a way to have this list outside of rc.firewall and just read it in?

Hi, I am using IPFW on FreeBSD 4.11 I am facing two problems: - SSH sessions timeout after a while - When I run "/sbin/ipfw -q -f flush" in the rules script all connection get reset (and I am thrown out of the box). Is this standard functioning of ipfw or do I need to change any configuration? Thanks, Siddhartha

Dear All. I want to use 'not' for 2 addresses (for both) in ipfw2 rule. The only way that looks like what I need is # ipfw add count from IP1 to not IP2,IP3 But does this rule indeed makes what I want? Does it count all packets destined to addresses other then IP2 AND IP3?! No other syntax works. For example more logically correct not IP2 AND not IP3 or even not { IP2 or IP3 } are

I'm forwarding this to security@, as I'm getting no replies on ipfw@. Hope it's relevant enough for you :( ---Original Message----- From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Erik Paulsen Skålerud Sent: Wednesday, May 28, 2003 1:02 AM To: ipfw@freebsd.org Subject: Question about logging. Sorry for asking this, It's probably been

Hi, i've set the outside ip for the jail..It works.. When i try to ssh to jail'ed system from the main system (in which is created jail) the connection is successful, but when i try to connect to jailed system from anywhere else i get this message: ssh: connect to host IP_NUMBER port 22: Operation timed out What can be wrong here? How to solve this problem?

Hi, in the kernel I have these lines: [...] device miibus # MII bus support device rl device ed options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #enable logging to syslogd(8) options IPFIREWALL_VERBOSE_LIMIT=0 #limit verbosity options IPDIVERT #divert sockets options DUMMYNET

There is an issue with the new Kerberos 1.5. It does not currently support building static libraries. I'm willing to leave the port at 1.4.3 until MIT fixes the static library build. OTOH, if folks want 1.5, without static library support, the 1.5 port is ready to commit. I may update the port to build 1.5 if static libraries are not wanted and build 1.4.3 if they are wanted. Static

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-04:01.mksnap_ffs Security Advisory The FreeBSD Project Topic: mksnap_ffs clears file system options Category: core Module: mksnap_ffs Announced:

I'm not a master of the internet RFCs, but I do believe icmp messages have different types. Now to enable traceroute for IPFW, I might put in a rule like this: ipfw add pass icmp from any to me However, how would I make a rule to limit icmp messages to just those used by traceroute? Can the messages be distinguished as such? A dynamic rule that exists only for the duration of a traceroute

Hello Everyone! It has been my pleasure and privilege to serve as the FreeBSD Security Officer for the past 3+ years. With the crucial support of the FreeBSD Security Team members, a lot has been accomplished: hundreds of security issues have been researched and tracked, with some resulting in security advisories and patches; software in the Ports Collection are updated more quickly

We're being ping-flooded by the Nachi worm, which probes subnets for systems to attack by sending 92-byte ping packets. Unfortunately, IPFW doesn't seem to have the ability to filter packets by length. Assuming that I stick with IPFW, what's the best way to stem the tide? --Brett Glass

Well, after working through the various options it looked like MPD would be my best bet here. I've got it sort of working, but there's obviously some tweaky I'm missing here. Recap of the scenario: Full class C of static IPs segmented into 3 networks. Outside, DMZ, Inside. Trying to get remote Windows users through securely to the Inside. Remote users have dynamic IPs.

I have a FreeBSD box acting as a firewall and NAT gateway I would like to set it up to transparently pass IPSec packets -- I have an IPSec VPN client running on another machine, connecting to a remote network. Is there a way to do this? I can't find any hints in the man pages.

Anyone seen this before? ----- Forwarded message from ips at shaw.ca ----- X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca X-Spam-Level: * X-Spam-Status: No, score=1.0 required=5.0 tests=RCVD_IN_BACKSCATTER autolearn=no version=3.3.2 X-Original-To: root at doctor.nl2k.ab.ca Delivered-To: root at doctor.nl2k.ab.ca X-Virus-Scanned: amavisd-new at doctor.nl2k.ab.ca