|
Lines 336-343
|
| 336 |
method see: <ulink |
336 |
method see: <ulink |
| 337 |
url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink> |
337 |
url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink> |
| 338 |
and <ulink |
338 |
and <ulink |
| 339 |
url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink> |
339 |
url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>. |
| 340 |
.</para> |
340 |
</para> |
| 341 |
|
341 |
|
| 342 |
<para>The IPF FAQ is at <ulink |
342 |
<para>The IPF FAQ is at <ulink |
| 343 |
url="http://www.phildev.net/ipf/index.html"></ulink>.</para> |
343 |
url="http://www.phildev.net/ipf/index.html"></ulink>.</para> |
|
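Review bot: moving the full stop so it follows `</ulink>` on line 339 instead of sitting alone on a `.</para>` line is the right fix; note that both `<ulink>` elements here and on line 343 are empty, so the rendered link text will be the raw URL, which is acceptable but reads better in print if each carries a short label, e.g. `<ulink url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1">IPF HOWTO</ulink>` (label is a suggestion, not from the source).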
Lines 350-357
|
| 350 |
ipfilter_enable="YES"</literal> is used. The loadable |
350 |
ipfilter_enable="YES"</literal> is used. The loadable |
| 351 |
module was created with logging enabled and the <literal>default |
351 |
module was created with logging enabled and the <literal>default |
| 352 |
pass all</literal> options. You do not need to compile IPF into |
352 |
pass all</literal> options. You do not need to compile IPF into |
| 353 |
the &os; kernel just to change the default to <literal>block all |
353 |
the &os; kernel just to change the default to <literal>block |
| 354 |
</literal>, you can do that by just coding a block all rule at |
354 |
all</literal>, you can do that by just coding a block all rule at |
| 355 |
the end of your rule set.</para> |
355 |
the end of your rule set.</para> |
| 356 |
</sect2> |
356 |
</sect2> |
| 357 |
|
357 |
|
|
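Review bot: lines 353-354 still carry a comma splice ("...change the default to block all, you can do that by just coding..."); suggest splitting it, e.g. `the &os; kernel just to change the default to <literal>block all</literal>; instead, add a <literal>block all</literal> rule at the end of your rule set.` Moving the line break inside `<literal>block all</literal>` is fine, since the newline renders as a single space and no longer leaves whitespace before the closing tag.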
Lines 521-528
|
| 521 |
<title>IPMON</title> |
521 |
<title>IPMON</title> |
| 522 |
<para>In order for <command>ipmon</command> to work properly, the |
522 |
<para>In order for <command>ipmon</command> to work properly, the |
| 523 |
kernel option IPFILTER_LOG must be turned on. This command has |
523 |
kernel option IPFILTER_LOG must be turned on. This command has |
| 524 |
2 different modes that it can be used in. Native mode is the default |
524 |
two different modes that it can be used in. Native mode is the |
| 525 |
mode when you type the command on the command line without the |
525 |
default mode when you type the command on the command line without the |
| 526 |
<option>-D</option> flag.</para> |
526 |
<option>-D</option> flag.</para> |
| 527 |
|
527 |
|
| 528 |
<para>Daemon mode is for when you want to have a continuous |
528 |
<para>Daemon mode is for when you want to have a continuous |
|
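Review bot: `IPFILTER_LOG` on line 523 is a kernel configuration option and should be marked up (`<literal>IPFILTER_LOG</literal>`, or `<literal>options IPFILTER_LOG</literal>` as kernel options are conventionally shown) rather than left as plain text. While here, "has two different modes that it can be used in" on line 524 reads better as "can be used in one of two modes". Spelling out "two" matches the Handbook convention for small numbers.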
Lines 595-605
|
| 595 |
<para>To activate the changes to <filename>/etc/syslog.conf |
595 |
<para>To activate the changes to <filename>/etc/syslog.conf |
| 596 |
</filename> you can reboot or bump the syslog task into |
596 |
</filename> you can reboot or bump the syslog task into |
| 597 |
re-reading <filename>/etc/syslog.conf</filename> by running |
597 |
re-reading <filename>/etc/syslog.conf</filename> by running |
| 598 |
<command>/etc/rc.d/syslogd restart</command> (<command> |
598 |
<command>/etc/rc.d/syslogd restart</command> |
| 599 |
kill -HUP <replaceable>PID</replaceable></command> in &os; 4.x. You get the PID (i.e. process |
599 |
(<command>kill -HUP <replaceable>PID</replaceable></command> |
| 600 |
identifier) by listing the tasks with the <command>ps -ax</command> |
600 |
in &os; 4.x. You get the PID (i.e. process identifier) by |
| 601 |
command. Find syslog in the display and the PID is the number |
601 |
listing the tasks with the <command>ps -ax</command> command. |
| 602 |
in the left column).</para> |
602 |
Find syslog in the display and the PID is the number in the |
|
|
603 |
left column).</para> |
| 603 |
|
604 |
|
| 604 |
<para>Do not forget to change <filename>/etc/newsyslog.conf |
605 |
<para>Do not forget to change <filename>/etc/newsyslog.conf |
| 605 |
</filename> to rotate the new log you just created above. |
606 |
</filename> to rotate the new log you just created above. |
|
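Review bot: the reflowed parenthetical on lines 599-603 opens before `kill -HUP` and only closes after "left column", so the whole PID explanation sits inside parentheses spanning two sentences; close it after `in &os; 4.x)` and let "You get the PID ..." stand as its own sentence. The process to look for in the `ps -ax` output is `syslogd`, so line 602 should read `Find <command>syslogd</command> in the display` rather than "syslog". "bump the syslog task into re-reading" is informal for the Handbook; "signal <command>syslogd</command> to re-read" is clearer.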
Lines 708-714
|
| 708 |
<programlisting>############# Start of IPF rules script ######################## |
709 |
<programlisting>############# Start of IPF rules script ######################## |
| 709 |
|
710 |
|
| 710 |
oif="dc0" # name of the outbound interface |
711 |
oif="dc0" # name of the outbound interface |
| 711 |
odns="192.0.2.11" # ISP's dns server IP address |
712 |
odns="192.0.2.11" # ISP's DNS server IP address |
| 712 |
myip="192.0.2.7" # my static IP address from ISP |
713 |
myip="192.0.2.7" # my static IP address from ISP |
| 713 |
ks="keep state" |
714 |
ks="keep state" |
| 714 |
fks="flags S keep state" |
715 |
fks="flags S keep state" |
|
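Review bot: the `DNS` capitalisation fix on line 712 is fine, but the two assignments on lines 714-715 are the only variables in the listing without a trailing comment; for consistency add e.g. `ks="keep state"            # stateful matching` and `fks="flags S keep state"   # match SYN only, stateful`. The 192.0.2.0/24 addresses are from the documentation range, which is the right choice for an example listing.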
Lines 809-815
|
| 809 |
<note> |
810 |
<note> |
| 810 |
<para>Warning, when working with the firewall rules, always, |
811 |
<para>Warning, when working with the firewall rules, always, |
| 811 |
always do it from the root console of the system running the |
812 |
always do it from the root console of the system running the |
| 812 |
firewall or you can end up locking your self out.</para> |
813 |
firewall or you can end up locking your self out. Or setup a |
|
|
814 |
cronjob to flush the Firewall rules say every 5 minutes. |
| 815 |
(This might not be acceptable for a corporate firewall, but |
| 816 |
should be for a home firewall.)</para> |
| 813 |
</note> |
817 |
</note> |
| 814 |
</sect2> |
818 |
</sect2> |
| 815 |
|
819 |
|
|
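Review bot: the new advice on lines 813-816 to flush the rules from cron every five minutes has a security cost the note should spell out: with the module's `default pass all` setting (lines 351-352 of this file), every flush opens an unfiltered window until the rules are reloaded, so this belongs only as a temporary safety net while editing rules, with the cron entry removed once the rule set is verified. Wording: "setup" should be "set up", "Firewall" lowercase, "your self" should be "yourself", "cronjob" should be "cron job". Since the paragraph opens with "Warning", `<warning>` fits the enclosing element better than `<note>`.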
Lines 820-826
|
| 820 |
rule wins</quote> logic. For the complete legacy rule syntax |
824 |
rule wins</quote> logic. For the complete legacy rule syntax |
| 821 |
description see the &man.ipf.8; manual page.</para> |
825 |
description see the &man.ipf.8; manual page.</para> |
| 822 |
|
826 |
|
| 823 |
<para><literal>#</literal> is used to mark the start of a comment and may appear at |
827 |
<para>A <literal>#</literal> is used to mark the start of a comment and may appear at |
| 824 |
the end of a rule line or on its own line. Blank lines are |
828 |
the end of a rule line or on its own line. Blank lines are |
| 825 |
ignored.</para> |
829 |
ignored.</para> |
| 826 |
|
830 |
|
|
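Review bot: adding the article on line 827 reads better; consider also stating the extent of a comment, e.g. `everything from the <literal>#</literal> to the end of the line is ignored`, since "mark the start of a comment" leaves the reader to infer where it ends.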
Lines 1444-1450
|
| 1444 |
|
1448 |
|
| 1445 |
<para><acronym>NAT</acronym> rules are loaded by using the <command>ipnat</command> |
1449 |
<para><acronym>NAT</acronym> rules are loaded by using the <command>ipnat</command> |
| 1446 |
command. Typically the <acronym>NAT</acronym> rules are stored |
1450 |
command. Typically the <acronym>NAT</acronym> rules are stored |
| 1447 |
in <filename>/etc/ipnat.rules </filename>. See &man.ipnat.1 |
1451 |
in <filename>/etc/ipnat.rules</filename>. See &man.ipnat.1 |
| 1448 |
for details.</para> |
1452 |
for details.</para> |
| 1449 |
|
1453 |
|
| 1450 |
<para>When changing the <acronym>NAT</acronym> rules after |
1454 |
<para>When changing the <acronym>NAT</acronym> rules after |
|
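Review bot: the entity reference `&man.ipnat.1` at the end of line 1451 has no terminating `;` (in either the old or the new text) and relies on SGML's record-end shortcut; write it as `&man.ipnat.1;` to match `&man.ipf.8;` on line 825 of this file and to survive a later XML conversion. Also double-check the manual section number against the installed `ipnat` page before committing. Removing the stray space inside `<filename>` is correct.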
Lines 1535-1541
|
| 1535 |
<title>Enabling IP<acronym>NAT</acronym></title> |
1539 |
<title>Enabling IP<acronym>NAT</acronym></title> |
| 1536 |
|
1540 |
|
| 1537 |
<para>To enable IP<acronym>NAT</acronym> add these statements to |
1541 |
<para>To enable IP<acronym>NAT</acronym> add these statements to |
| 1538 |
<filename>/etc/rc.conf</filename></para> |
1542 |
<filename>/etc/rc.conf</filename>.</para> |
| 1539 |
|
1543 |
|
| 1540 |
<para>To enable your machine to route traffic between |
1544 |
<para>To enable your machine to route traffic between |
| 1541 |
interfaces:</para> |
1545 |
interfaces:</para> |
|
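Review bot: the full stop added on line 1542 is appropriate, since that sentence is a preamble and each following para (line 1544 onward) introduces its own listing with a colon; the sentence still needs a comma after the introductory clause, `To enable IP<acronym>NAT</acronym>, add these statements to`.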
Lines 1561-1572
|
| 1561 |
becomes a resource problem that may cause problems with the same |
1565 |
becomes a resource problem that may cause problems with the same |
| 1562 |
port numbers being used many times across many |
1566 |
port numbers being used many times across many |
| 1563 |
<acronym>NAT</acronym>ed LAN PC's, causing collisions. There |
1567 |
<acronym>NAT</acronym>ed LAN PC's, causing collisions. There |
| 1564 |
are 2 ways to relieve this resource problem.</para> |
1568 |
are two ways to relieve this resource problem.</para> |
| 1565 |
|
1569 |
|
| 1566 |
<sect3> |
1570 |
<sect3> |
| 1567 |
<title>Assigning Ports to Use</title> |
1571 |
<title>Assigning Ports to Use</title> |
| 1568 |
<!-- What does it mean ? Is there something missing ?--> |
1572 |
<!-- What does it mean ? Is there something missing ?--> |
| 1569 |
<para>XXXBLAH</para> |
1573 |
<!-- XXXBLAH <- Apparently you can't start a sect |
|
|
1574 |
with a <programlisting> tag ?--> |
| 1575 |
<para>A normal NAT rule would look like:</para> |
| 1570 |
|
1576 |
|
| 1571 |
<programlisting>map dc0 192.168.1.0/24 -> 0.32</programlisting> |
1577 |
<programlisting>map dc0 192.168.1.0/24 -> 0.32</programlisting> |
| 1572 |
|
1578 |
|
|
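Review bot: the example rule on line 1577, `map dc0 192.168.1.0/24 -> 0.32`, has a typo in the target: `0.32` should be `0/32` (compare the `-> 0/32` form on lines 1679 and 1683 of this file), and the new para on line 1575 should mark it up as `<acronym>NAT</acronym>` as the rest of the section does. The two editorial comments kept on lines 1572-1574 ("What does it mean?", "Apparently you can't start a sect with a programlisting tag?") are open questions rather than documentation; resolve them or move them to the PR instead of committing them. Also "LAN PC's" on line 1567 should be "PCs".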
Lines 1672-1683
|
| 1672 |
|
1678 |
|
| 1673 |
<programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting> |
1679 |
<programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting> |
| 1674 |
|
1680 |
|
| 1675 |
<para>This rule handles the FTP traffic from the gateway.</para> |
1681 |
<para>This rule handles the FTP traffic from the gateway:</para> |
| 1676 |
|
1682 |
|
| 1677 |
<programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting> |
1683 |
<programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting> |
| 1678 |
|
1684 |
|
| 1679 |
<para>This rule handles all non-FTP traffic from the internal |
1685 |
<para>This rule handles all non-FTP traffic from the internal |
| 1680 |
LAN.</para> |
1686 |
LAN:</para> |
| 1681 |
|
1687 |
|
| 1682 |
|
1688 |
|
|
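Review bot: switching the full stops to colons on lines 1681 and 1686 changes which listing each sentence describes: each para now introduces the listing after it rather than summarising the one before. That is the correct reading here, since the `0.0.0.0/0` source on line 1683 is what covers the gateway's own FTP sessions while the `10.0.10.0/29` rule on line 1679 covers the LAN, so the earlier para that introduces line 1679 (outside this hunk) should be checked to confirm it also ends with a colon.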
Lines 1701-1707
|
| 1701 |
<acronym>NAT</acronym> FTP proxy is used.</para> |
1707 |
<acronym>NAT</acronym> FTP proxy is used.</para> |
| 1702 |
|
1708 |
|
| 1703 |
<para>Without the FTP Proxy you will need the following three |
1709 |
<para>Without the FTP Proxy you will need the following three |
| 1704 |
rules</para> |
1710 |
rules:</para> |
| 1705 |
|
1711 |
|
| 1706 |
<programlisting># Allow out LAN PC client FTP to public Internet |
1712 |
<programlisting># Allow out LAN PC client FTP to public Internet |
| 1707 |
# Active and passive modes |
1713 |
# Active and passive modes |
|
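Review bot: "FTP Proxy" on line 1709 is capitalised differently from "FTP proxy" on line 1707 two lines above; use lowercase "proxy" in both. The colon on line 1710 is correct since it introduces the listing.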
Lines 1724-1737
|
| 1724 |
logged coming in on port 21. The <acronym>NAT</acronym> |
1730 |
logged coming in on port 21. The <acronym>NAT</acronym> |
| 1725 |
FTP/proxy appears to remove its temp rules prematurely, |
1731 |
FTP/proxy appears to remove its temp rules prematurely, |
| 1726 |
before receiving the response from the remote FTP server |
1732 |
before receiving the response from the remote FTP server |
| 1727 |
acknowledging the close. Posted problem report to ipf |
1733 |
acknowledging the close. A problem report was posted to the |
| 1728 |
mailing list.</para> |
1734 |
IPF mailing list.</para> |
| 1729 |
|
1735 |
|
| 1730 |
<para>Solution is to add filter rule like this one to get rid |
1736 |
<para>The solution is to add filter rule like this one to get rid |
| 1731 |
of these unwanted log messages or do nothing and ignore FTP |
1737 |
of these unwanted log messages or do nothing and ignore FTP |
| 1732 |
inbound error messages in your log. Not like you do FTP |
1738 |
inbound error messages in your log. Most people don't do |
| 1733 |
session to the public Internet all the time, so this is not |
1739 |
outbound FTP too often.</para> |
| 1734 |
a big deal.</para> |
|
|
| 1735 |
|
1740 |
|
| 1736 |
<programlisting>Block in quick on rl0 proto tcp from any to any port = 21</programlisting> |
1741 |
<programlisting>Block in quick on rl0 proto tcp from any to any port = 21</programlisting> |
| 1737 |
</sect3> |
1742 |
</sect3> |
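Review bot: the example rule on line 1741 uses interface `rl0`, whereas the outbound interface everywhere else in this file is `dc0` (line 711); also `Block` should be lowercase `block`, matching the other rule keywords in this file. Line 1736 is missing an article ("add a filter rule like this one"). The reworded lines 1738-1739 ("Most people don't do outbound FTP too often.") editorialise; "so outbound FTP error messages will be rare" keeps the justification without the opinion. Since the rule drops every inbound connection to port 21 on that interface and stops processing (`quick`), the text should say it is only appropriate when the gateway itself does not serve FTP.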