Re: [cobalt-users] How to configure IPFWADM on Qube2
- Subject: Re: [cobalt-users] How to configure IPFWADM on Qube2
- From: Ould <ouldm@xxxxxxxxxxxxxxxxxxx>
- Date: Mon Nov 20 03:33:01 2000
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi,
I'm again wondering about a script like the one you sent me, including Forwarding and
Masquerading (they are the main subjects I want to do).
Thanks
Mike Vanecek wrote:
> On Wed, 15 Nov 2000 15:25:01 -0600, "Rodolfo J. Paiz \(E-mail\)"
> <rpaiz@xxxxxxxxxxxxxx> wrote:
>
> :>> I want to configure the Cobalt Qube II as a firewall for my local
> :>> network. It does not support ipchains but IPFWADM.
> :>> Where can I find an appropriate script to do this? Actually,
> :>> any attempt to define rules and configure the firewall using the
> :>> Qube administration interface fails.
> :>
> :>By now, we're certain that the entire IP Firewall portion of the
> :>Qube GUI is broken. At least five of us have done everything but
> :>rub massage oil on the damn thing, and it simply does not work.
> :>
> :>There is speculation that the GUI inserts malformed rules into
> :>the ipfwadm interface (without using the "/m" that would denote
> :>masquerading) but I've been unable to verify this.
> :>
> :>We'd all appreciate some input from Cobalt on this. It's a total
> :>failure on a very publicized but massively broken "feature."
> :>
> :>Jeff (Lovell)? Anyone? HELP...
>
> I no longer use the gui interface but have now written my own
>
> /etc/rc.d/init.d/ipfilters
>
> script that I use and modify as needed. Once you get the hang of it, it is
> quite easy. I use the -o option to turn on logging on some of my rules, but am
> very disappointed that the log messages are incomplete with regard to ports.
> Still, an ipfwadm -I -len gives me an overview of what is happening with my
> filters. I am thinking about installing something else that might give me more
> information.
>
> Anyone know why ipfwadm does not include the ports in the match log?
>
> I guess I could install port sentry which would give me more information
> (correct?)? Anyone run port sentry on a Qube2 without difficulty?
>
> Sample ipfilters (I do NOT use forward or masquerade so do not copy these
> directly if you do):
>
> [admin@vanecek admin]$ cd /etc/rc.d/init.d
> [admin@vanecek init.d]$ cat ipfilters
> #!/bin/sh
>
> # This script sets the IP filtering rules
> # This file is edited automatically by the Cobalt admin
> # interface. Any changes made here may be overwritten.
>
> # 0 = off; 1 = filter only; 2 = masq only; 3 = masq+filter
> MODE=1
> EXTERNAL_INTERFACE="eth0"
> IPADDR="xxx.xxx.xxx.xxx" <---- removed
> CLASS_A="10.0.0.0/8"
> CLASS_B="172.16.0.0/12"
> CLASS_C="192.168.0.0/16"
> CLASS_D_MULTICAST="224.0.0.0/4"
> BROADCAST_DEST="255.255.255.255"
> BROADCAST_SRC="0.0.0.0"
> LOOPBACK="127.0.0.0/8"
>
> # Flush all existing state
> /sbin/ipfwadm -F -f
> /sbin/ipfwadm -I -f
> /sbin/ipfwadm -O -f
>
> #Set the default policy
> /sbin/ipfwadm -F -p deny
> /sbin/ipfwadm -I -p accept
> /sbin/ipfwadm -O -p accept
>
> # The rules will be slightly different depending on
> # if masquerading is on or not.
> # Filters only
> # Begin rules
> # Refuse spoofed packets
> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $IPADDR -o
>
> # Refuse packets claiming to be private network
> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_A -o
> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_B -o
> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_C -o
> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_D_MULTICAST -o
>
> # Refuse loopback packets
> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $LOOPBACK -o
>
> # Refuse malformed broadcast packets
> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $BROADCAST_DEST -o
> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -D $BROADCAST_SRC -o
>
> # Refuse coba packets
> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S xxx.xxx.31.236
>
> # Refuse specific ports
> /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -a deny -P tcp -D 0.0.0.0/0 1:19 -o
> /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -a deny -P udp -D 0.0.0.0/0 1:19 -o
> /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -a deny -P tcp -D 0.0.0.0/0 24 -o
>
> and so on.
>
> Sample check:
>
> [admin@vanecek init.d]$ ipfwadm -I -len
> IP firewall input rules, default policy: accept
>  pkts bytes type  prot opt  tosa tosx ifname   ifaddress   source            destination       ports
>     0     0 deny  all  ---o 0xFF 0x00 eth0     0.0.0.0     xxx.xxx.26.245    0.0.0.0/0         n/a
>     0     0 deny  all  ---o 0xFF 0x00 eth0     0.0.0.0     10.0.0.0/8        0.0.0.0/0         n/a
>     0     0 deny  all  ---o 0xFF 0x00 eth0     0.0.0.0     172.16.0.0/12     0.0.0.0/0         n/a
>     0     0 deny  all  ---o 0xFF 0x00 eth0     0.0.0.0     192.168.0.0/16    0.0.0.0/0         n/a
>     0     0 deny  all  ---o 0xFF 0x00 eth0     0.0.0.0     224.0.0.0/4       0.0.0.0/0         n/a
>     0     0 deny  all  ---o 0xFF 0x00 eth0     0.0.0.0     127.0.0.0/8       0.0.0.0/0         n/a
>     0     0 deny  all  ---o 0xFF 0x00 eth0     0.0.0.0     255.255.255.255   0.0.0.0/0         n/a
>     0     0 deny  all  ---o 0xFF 0x00 eth0     0.0.0.0     0.0.0.0/0         0.0.0.0           n/a
>    93 16230 deny  all  ---- 0xFF 0x00 eth0     0.0.0.0     xxx.xxx.31.236    0.0.0.0/0         n/a
>     0     0 deny  tcp  ---o 0xFF 0x00 eth0     0.0.0.0     0.0.0.0/0         0.0.0.0/0         * -> 1:19
>     0     0 deny  udp  ---o 0xFF 0x00 eth0     0.0.0.0     0.0.0.0/0         0.0.0.0/0         * -> 1:19
>
> etc.
>
> Sample output from my /var/log/messages
>
> Nov 17 21:31:29 vanecek kernel: IP fw-in deny eth0 UDP xxx.xxx.31.236:0 xxx.xxx.31.255:0 L=0 S=0x00 I=0 F=0x0000 T=0
> <-------------- Notice the port information is missing in the log message
> Nov 17 23:45:27 vanecek last message repeated 2 times
> Nov 18 01:53:37 vanecek last message repeated 2 times
> Nov 18 03:57:01 vanecek last message repeated 2 times
> Nov 18 06:00:52 vanecek last message repeated 2 times
>
> HTH, Mike.
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
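The script quoted above is MODE=1 (filter only), while the question at the top of the thread is about forwarding and masquerading. What follows is an added example, not code from either poster or from Cobalt: a minimal masq+filter ruleset in the same ipfwadm syntax, with the input chain defaulting to deny rather than accept. It assumes eth0 is the outside interface, eth1 the inside one and 192.168.1.0/24 the LAN (all three are assumptions, exported as overridable variables). On the forwarding chain, "-a masquerade" is ipfwadm's shorthand for "-a accept -m", which is the masquerade flag Rodolfo suspects the GUI leaves out. The return-traffic rules on the input chain (TCP with the ACK bit set, and UDP from port 53) are a starting point that you will have to tune for whatever UDP services your LAN hosts use behind the masquerade. Run with IPFWADM=echo to print the rules without loading them, and FW_APPLY=1 to load them.

```shell
#!/bin/sh
# Added example, not the original poster's script: an ipfwadm ruleset for
# the masq+filter case (the quoted script's MODE=3) on a two-interface Qube.
# Assumed (hypothetical) layout: eth0 outside, eth1 inside, LAN 192.168.1.0/24.
# Set IPFWADM=echo to print the rules instead of loading them.

IPFWADM="${IPFWADM:-/sbin/ipfwadm}"
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
INTERNAL_INTERFACE="${INTERNAL_INTERFACE:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
ANY="0.0.0.0/0"
LOOPBACK="127.0.0.0/8"

# One ipfwadm call per rule; keeping it in a function makes dry runs easy.
fw() { "$IPFWADM" "$@"; }

# Packets are only forwarded (and therefore masqueraded) if the kernel
# forwarding switch is on; the -F chain sees nothing otherwise.
enable_forwarding() { echo 1 > /proc/sys/net/ipv4/ip_forward; }

apply_rules() {
    # Flush all three chains and start from deny on input and forward.
    # The quoted script defaults input to accept; a box that forwards for a
    # LAN should not.
    fw -I -f
    fw -O -f
    fw -F -f
    fw -I -p deny
    fw -O -p accept
    fw -F -p deny

    # Input: anti-spoofing on the outside interface. Our own LAN range,
    # loopback and the other RFC 1918 blocks never legitimately arrive there.
    fw -I -a deny -W "$EXTERNAL_INTERFACE" -S "$LAN" -o
    fw -I -a deny -W "$EXTERNAL_INTERFACE" -S "$LOOPBACK" -o
    fw -I -a deny -W "$EXTERNAL_INTERFACE" -S 10.0.0.0/8 -o
    fw -I -a deny -W "$EXTERNAL_INTERFACE" -S 172.16.0.0/12 -o
    fw -I -a deny -W "$EXTERNAL_INTERFACE" -S 192.168.0.0/16 -o

    # Input: trust loopback and the inside interface.
    fw -I -a accept -W lo
    fw -I -a accept -W "$INTERNAL_INTERFACE" -S "$LAN"

    # Input from outside: TCP replies only (-k = ACK bit set, so no new
    # connections), DNS replies, and anything you explicitly publish.
    fw -I -a accept -W "$EXTERNAL_INTERFACE" -P tcp -k -S "$ANY" -D "$ANY"
    fw -I -a accept -W "$EXTERNAL_INTERFACE" -P udp -S "$ANY" 53 -D "$ANY"
    # Example published service (assumption): SSH to the Qube itself.
    fw -I -a accept -W "$EXTERNAL_INTERFACE" -P tcp -S "$ANY" -D "$ANY" 22

    # Everything else from outside is logged and dropped, so the default
    # policy never silently eats packets you want to see in the log.
    fw -I -a deny -W "$EXTERNAL_INTERFACE" -S "$ANY" -D "$ANY" -o

    # Forward: masquerade LAN traffic going out via eth0 and nothing else.
    # "-a masquerade" is ipfwadm's shorthand for "-a accept -m".
    fw -F -a masquerade -W "$EXTERNAL_INTERFACE" -S "$LAN" -D "$ANY"
    fw -F -a deny -S "$ANY" -D "$ANY" -o
}

# Show the loaded rules with counters, the same check the quoted message uses.
show_rules() {
    fw -I -len
    fw -F -len
}

# Loading is opt-in so sourcing this file never touches a live firewall.
if [ "${FW_APPLY:-0}" = 1 ]; then
    enable_forwarding
    apply_rules
    show_rules
fi
```

The order matters: ipfwadm walks each chain top down and the first match wins, so the spoof denies sit before the accepts, and the logged catch-all deny sits last so that the unlogged default policy is never what actually drops a packet.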
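Mike's complaint is that the ipfwadm "-o" log lines carry no usable port numbers, so about the only thing to do with them is count who is hitting which rule. The following is an added example, not from the original posts: a shell function that summarises the "IP fw-in" kernel lines from /var/log/messages by chain, action, interface, protocol and address pair, and folds syslog's "last message repeated N times" lines (visible in Mike's sample too) into the count of the entry they repeat, which a plain grep -c would undercount. The sample log lines are constructed for the example, with documentation address ranges and a made-up host name.

```shell
#!/bin/sh
# Added example, not from the original posts: count ipfwadm "-o" log hits
# from /var/log/messages. Line format (as in the quoted message):
#   <date> <host> kernel: IP fw-<chain> <action> <iface> <PROTO> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=..
# syslog collapses identical consecutive lines into "last message repeated
# N times"; those are added to the count of the firewall line they follow.

fw_log_summary() {
    awk '
    # A firewall hit: build a key from chain, action, interface, protocol
    # and the address pair, then count it once and remember it for repeats.
    / kernel: IP fw-/ {
        split($11, s, ":"); split($12, d, ":")
        key = $7 " " $8 " " $9 " " $10 " " s[1] " -> " d[1]
        count[key]++
        last = key
        next
    }
    # Collapsed repeats belong to the previous line only if that line was
    # a firewall hit; otherwise they repeat something we are not counting.
    / last message repeated [0-9]+ times/ {
        if (last != "")
            for (i = 1; i <= NF; i++) if ($i == "repeated") { count[last] += $(i + 1); break }
        next
    }
    # Any other message breaks the chain of repeats.
    { last = "" }
    END { for (k in count) printf "%6d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample log for the example (documentation addresses, not real hosts).
SAMPLE_LOG='Nov 17 21:31:29 qube kernel: IP fw-in deny eth0 UDP 192.0.2.10:0 192.0.2.255:0 L=0 S=0x00 I=0 F=0x0000 T=0
Nov 17 23:45:27 qube last message repeated 2 times
Nov 18 01:53:37 qube kernel: IP fw-in deny eth0 TCP 198.51.100.7:3456 192.0.2.1:23 L=44 S=0x00 I=1234 F=0x4000 T=64
Nov 18 01:53:40 qube sshd[123]: Accepted password for admin from 192.168.1.5
Nov 18 01:53:41 qube last message repeated 3 times
Nov 18 02:00:00 qube kernel: IP fw-in deny eth0 UDP 192.0.2.10:0 192.0.2.255:0 L=0 S=0x00 I=0 F=0x0000 T=0'

# Feed the whole file rather than a pre-filtered grep, or the repeat lines
# are lost:  fw_log_summary < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

On the constructed sample this reports 4 hits for the UDP broadcast source (one line, two repeats, one more line) and 1 for the TCP probe; the "repeated 3 times" after the sshd message is correctly not attributed to the firewall.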