Robert Melson
Guest
Posted: Fri Dec 02, 2005 9:22 am
Post subject: Firewall novice question
Just activated ipfw on FreeBSD 5.4 without major problems, have a minimal -
but working - ruleset, that I'd like to expand. My question is this: I know
you can block an ip address or a range of addresses or even a block of ip
addresses (as in ip/mask). All well and good. Is it possible to substitute
a domain, such as example.com, in the rules? Say I want to block all incoming
traffic from example.com, can I write a rule on the order of:
deny all from example.com to me in via <interface>
If I can't do this, I can live with it, but it would surely be convenient.
Thanks for any replies.
Bob Melson
--
Robert G. Melson | Rio Grande MicroSolutions | El Paso, Texas
-----
"One of the greatest delusions in the world is the hope that the evils in this world are to be cured by legislation." Thomas Reed
-----
Guest
Posted: Fri Dec 02, 2005 5:21 pm
Post subject: Re: Firewall novice question
In comp.security.unix Robert Melson <melsonr@aragorn.rgmhome.net> wrote:
> Just activated ipfw on FreeBSD 5.4 without major problems, have a minimal -
> but working - ruleset, that I'd like to expand. My question is this: I know
> you can block an ip address or a range of addresses or even a block of ip
> addresses (as in ip/mask). All well and good. Is it possible to substitute
> a domain, such as example.com, in the rules? Say I want to block all incoming
> traffic from example.com, can I write a rule on the order of:
> deny all from example.com to me in via <interface>
> If I can't do this, I can live with it, but it would surely be convenient.
> Thanks for any replies.
> Bob Melson
I'm not sure if you can or can't, never having used it myself, but it's
not a very good idea. After all, you effectively let whatever DNS server
you use configure your firewall, and DNS is not known for its security.
Far better to use dig, whois and so on.
Joachim
P.S. On a side note: WTF is that other reply supposed to be about?
jpd
Guest
Posted: Fri Dec 02, 2005 5:21 pm
Post subject: Re: Firewall novice question
["Followup-To:" header set to comp.unix.bsd.freebsd.misc.]
Begin <OERjf.3436$Hk1.2530@newsread1.news.pas.earthlink.net>
On 2005-12-02, Robert Melson <melsonr@aragorn.rgmhome.net> wrote:
[snip: freebsd 5.4, ipfw]
> Say I want to block all incoming traffic from example.com, can I
> write a rule on the order of:
> deny all from example.com to me in via <interface>
This is actually documented in the canonical resource: the reference
manual page, ipfw(8), which I've quoted here for your convenience:
<quote from="ipfw(8)">
[...in the section on constructing rules...]
ip-addr:
A host or subnet address specified in one of the following ways:
numeric-ip | hostname
Matches a single IPv4 address, specified as dotted-quad
or a hostname. Hostnames are resolved at the time the
rule is added to the firewall list.
addr/masklen
Matches all addresses with base addr (specified as a dot-
ted quad or a hostname) and mask width of masklen bits.
As an example, 1.2.3.4/25 will match all IP numbers from
1.2.3.0 to 1.2.3.127 .
addr:mask
Matches all addresses with base addr (specified as a dot-
ted quad or a hostname) and the mask of mask, specified
as a dotted quad. As an example, 1.2.3.4:255.0.255.0
will match 1.*.3.*. This form is advised only for non-
contiguous masks. It is better to resort to the
addr/masklen format for contiguous masks, which is more
compact and less error-prone.
</quote>
So your rule will be resolved to deny the ip address of example.com when
it is loaded. Note that unless you have high traffic considerations, it
is usually better to return the appropriate ICMP or TCP error condition
instead of just dropping packets, which causes retries and timeouts.
--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.
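The two replies above make one practical point between them: ipfw resolves a hostname exactly once, when the rule is added, and whatever the resolver answered at that moment becomes the rule. The following Python 3 script is an added example (not code from any post in this thread, nor from ipfw itself) that does that lookup explicitly instead: it vets the answer before anything is loaded, so a poisoned or mistaken record cannot turn "deny from example.com" into a rule against your own LAN or loopback, emits numeric rules that carry the name as a comment so `ipfw list` stays auditable, and can report when a name's address set has changed since the last run. The interface name fxp0, the rule numbers, the bogon list and the trailing `//` rule comment (ipfw2 syntax; drop it if your ipfw rejects it) are all assumptions.

```python
"""Resolve firewall hostnames explicitly and emit numeric ipfw rules.

Added example, not from the thread. ipfw resolves a hostname only once,
when the rule is added, so 'deny ... from example.com' freezes whatever
the resolver said at that moment and never revisits it. Doing the lookup
ourselves lets us vet the answer, record the name next to the numeric
rule, and notice later when the address set changes.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, Iterable, List, Optional

# Assumptions: interface name and starting rule number are placeholders.
IFACE = "fxp0"
BASE_RULE = 1000

# Address ranges that no remote host we intend to block should resolve to.
# A poisoned, stale or mistaken answer in one of these would make the rule
# block our own LAN, loopback or gateway instead of the intended host.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def resolve_v4(name: str) -> List[str]:
    """Default resolver: every IPv4 address the system resolver returns."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def vet(name: str, addrs: List[str]) -> Optional[str]:
    """Return a reason to refuse this answer, or None if it looks sane."""
    if not addrs:
        return f"{name}: no A records; a rule cannot be built from nothing"
    for a in addrs:
        try:
            addr = ipaddress.IPv4Address(a)
        except ValueError:
            return f"{name}: resolver returned non-IPv4 value {a!r}"
        if any(addr in net for net in BOGONS):
            return f"{name}: resolved to {addr}, which is not a routable remote address"
    return None


def rules_for(names: Iterable[str],
              resolver: Callable[[str], List[str]] = resolve_v4) -> List[str]:
    """Return one numeric 'ipfw add ... deny' line per resolved address.

    Fails closed: any name that does not resolve, or resolves to something
    implausible, aborts the whole batch rather than loading a partial set.
    """
    out: List[str] = []
    rule = BASE_RULE
    for name in names:
        try:
            addrs = resolver(name)
        except socket.gaierror as exc:
            raise RuntimeError(f"{name}: resolution failed ({exc})") from exc
        problem = vet(name, addrs)
        if problem:
            raise RuntimeError(problem)
        for a in addrs:
            # The trailing comment keeps the originating name visible in
            # 'ipfw list' output (ipfw2 syntax; drop it if unsupported).
            out.append(f"ipfw add {rule} deny ip from {a} to me in via {IFACE} // {name}")
            rule += 1
    return out


def changed(previous: Dict[str, List[str]],
            current: Dict[str, List[str]]) -> List[str]:
    """Names whose address set differs from the last run (cron-alert material)."""
    return sorted(n for n in current if previous.get(n) != current[n])


if __name__ == "__main__":
    # Usage: python3 <this script> example.com other.example
    try:
        print("\n".join(rules_for(sys.argv[1:])))
    except RuntimeError as err:
        sys.exit(f"refusing to emit rules: {err}")
```

Run it from cron with the output piped to `sh` only after a human has looked at the diff against the previous run; `changed()` exists so the script can mail you when example.com suddenly points somewhere new rather than silently swapping the block target.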
Dom
Guest
Robert Melson
Guest
Posted: Sat Dec 03, 2005 7:33 am
Post subject: Re: Firewall novice question
In article <4390d998$0$31220$892e7fe2@authen.yellow.readfreenews.net>,
Dom <invalid@invalid.invalid> writes:
Haven't installed it. What does it do for me in this instance?
Bob Melson
--
Robert G. Melson | Rio Grande MicroSolutions | El Paso, Texas
-----
"One of the greatest delusions in the world is the hope that the evils in this world are to be cured by legislation." Thomas Reed
-----
Dom
Guest
Posted: Sat Dec 03, 2005 7:51 am
Post subject: Re: Firewall novice question
You can proxy web traffic through it and block on numerous criteria
other than ip. For instance you could set up the firewall like this:
squid: 192.168.0.13
allow tcp from 192.168.0.13 to any 80 keep-state
deny tcp from 192.168.0.0/24 to any 80
Now, all web traffic will be forced to use the squid proxy to reach the
web. You can have a look at the manual to find out what criteria you can
filter on. It's easy to set up and kinda fun to toy with. It's got http
anonymizer features and all kinds of other stuff. Warning: proxies will
screw up NTLM authentication.
Robert Melson
Guest
Posted: Sat Dec 03, 2005 9:22 am
Post subject: Re: Firewall novice question
In article <4390fa35$0$30070$892e7fe2@authen.yellow.readfreenews.net>,
Dom <invalid@invalid.invalid> writes:
> You can proxy web traffic through it and block on numerous criteria
> other than ip. For instance you could set up the firewall like this:
> squid: 192.168.0.13
> allow tcp from 192.168.0.13 to any 80 keep-state
> deny tcp from 192.168.0.0/24 to any 80
> Now, all web traffic will be forced to use the squid proxy to reach the
> web. You can have a look at the manual to find out what criteria you can
> filter on. It's easy to set up and kinda fun to toy with. It's got http
> anonymizer features and all kinds of other stuff. Warning: proxies will
> screw up NTLM authentication.
Ah, so. Thanks, I'll take a look. I had visualized it as something of a
load balancer for webservers and little else.
My principal reason for starting this thread is that my webserver is being
plagued with xmlrpc exploits, among other things. Fortunately, all have been
stopped by access rules in my httpd.conf, but I'm becoming annoyed and would
just as soon stop the attempts at the door, so to speak, rather than have'em
get as far as the webserver.
Thanks again.
Bob Melson
--
Robert G. Melson | Rio Grande MicroSolutions | El Paso, Texas
-----
"One of the greatest delusions in the world is the hope that the evils in this world are to be cured by legislation." Thomas Reed
-----
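Since httpd.conf is already refusing the xmlrpc probes, the access log is a ready list of the addresses worth stopping "at the door". The Python 3 script below is an added example (not code from this thread) that scans Apache combined-format log lines for xmlrpc.php requests Apache answered with 403, counts them per source, and emits ipfw commands that put repeat offenders into a lookup table consulted by a single deny rule, so new addresses can be added later without renumbering the ruleset. Assumptions: an ipfw with lookup tables (`ipfw table`), table number 1, rule number 900, interface fxp0, a threshold of two refused requests, the 192.168.0.0/24 LAN from Dom's example as a never-block list, and the sample log lines, which are constructed.

```python
"""Turn refused xmlrpc.php probes in an Apache log into ipfw table entries.

Added example, not from the thread. The deny rule that references the
table is installed once; afterwards only 'ipfw table 1 add' lines are
needed as new offenders show up, and 'ipfw table 1 list' shows the set.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Assumptions: placeholders for this host's layout.
IFACE = "fxp0"
TABLE = 1
RULE = 900
THRESHOLD = 2
# Addresses we must never block, however the log looks (our own LAN, or a
# forwarding proxy that stamps its own address on every request).
NEVER_BLOCK = [ipaddress.ip_network("192.168.0.0/24")]

# Apache 'combined' format: client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample input (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2005:08:14:02 -0700] "POST /xmlrpc.php HTTP/1.1" 403 274 "-" "Mozilla/4.0"
203.0.113.7 - - [03/Dec/2005:08:14:03 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 403 274 "-" "Mozilla/4.0"
203.0.113.7 - - [03/Dec/2005:08:14:05 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 403 274 "-" "Mozilla/4.0"
198.51.100.9 - - [03/Dec/2005:08:20:11 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Dec/2005:08:20:12 -0700] "POST /xmlrpc.php HTTP/1.1" 403 274 "-" "Mozilla/5.0"
192.168.0.5 - - [03/Dec/2005:08:21:00 -0700] "POST /xmlrpc.php HTTP/1.1" 403 274 "-" "curl/7.15"
192.168.0.5 - - [03/Dec/2005:08:21:01 -0700] "POST /xmlrpc.php HTTP/1.1" 403 274 "-" "curl/7.15"
this line is not in combined format and must be skipped, not crash the run
"""


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    if len(parts) != 3:          # malformed request line, e.g. raw garbage
        return None
    return {"ip": m.group("ip"), "method": parts[0],
            "path": parts[1], "status": m.group("status")}


def is_refused_xmlrpc(rec: Dict[str, str]) -> bool:
    """The probe pattern: any path ending in xmlrpc.php that Apache refused."""
    return rec["path"].lower().endswith("/xmlrpc.php") and rec["status"] == "403"


def offenders(lines: Iterable[str], threshold: int = THRESHOLD) -> Dict[str, int]:
    """Map source address -> refused-probe count for sources at/over threshold."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or not is_refused_xmlrpc(rec):
            continue
        try:
            addr = ipaddress.IPv4Address(rec["ip"])
        except ValueError:
            continue               # '-' or a hostname if HostnameLookups is on
        if any(addr in net for net in NEVER_BLOCK):
            continue
        hits[str(addr)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def ipfw_commands(ips: Iterable[str]) -> List[str]:
    """Table adds for each address, then the one rule that consults the table."""
    cmds = [f"ipfw table {TABLE} add {ip}"
            for ip in sorted(ips, key=ipaddress.IPv4Address)]
    cmds.append(f"ipfw add {RULE} deny ip from table({TABLE}) to me in via {IFACE}")
    return cmds


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines())
    for ip, n in sorted(bad.items()):
        print(f"# {ip}: {n} refused xmlrpc.php requests")
    print("\n".join(ipfw_commands(bad)))
```

The table rule only has to be loaded once; later runs need to emit just the `ipfw table 1 add` lines. If you prefer jpd's advice to answer rather than silently drop, `unreach host` (or `reset` for TCP) in place of `deny` works with the same table reference.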
Dom
Guest
Posted: Sat Dec 03, 2005 9:22 am
Post subject: Re: Firewall novice question
It would help to reverse-proxy the web server through squid. That way,
attackers will be attacking the proxy and not the web server.
Volker Birk
Guest
Posted: Thu Dec 08, 2005 9:22 am
Post subject: Re: Firewall novice question
In comp.security.firewalls Robert Melson <melsonr@aragorn.rgmhome.net> wrote:
> deny all from example.com to me in via <interface>
> If I can't do this, I can live with it, but it would surely be convenient.
This is a misunderstanding. A domain is not a region in the network or
something like that. It's just a name space.
Yours,
VB.
--
"I am a free person and am now going to exercise my civil liberties - and
extensively so - naturally only within the framework that Otto Schily still
leaves available to me."
Wolfgang Clement on 10.10.05, while still "super-minister"
Robert Melson
Guest
Posted: Thu Dec 08, 2005 9:22 am
Post subject: Re: Firewall novice question
In article <4397bedd@news.uni-ulm.de>,
Volker Birk <bumens@dingens.org> writes:
> In comp.security.firewalls Robert Melson <melsonr@aragorn.rgmhome.net> wrote:
>> deny all from example.com to me in via <interface>
>> If I can't do this, I can live with it, but it would surely be convenient.
> This is a misunderstanding. A domain is not a region in the network or
> something like that. It's just a name space.
> Yours,
> VB.
Volker,
Yeah. I had not thought things through when I posted my initial query. I
appreciate you taking the time to post your reply, but have come to realize
that what I'd _like_ to do is just not possible. Best I can hope for is either
ipaddr/mask or ipaddr:netmask.
Thanks for taking the time to read and reply, I appreciate it.
Friendly greetings from Texas
(Current home of the Luftwaffe Air Defense School)
Bob Melson
--
Robert G. Melson | Rio Grande MicroSolutions | El Paso, Texas
-----
"One of the greatest delusions in the world is the hope that the evils in this world are to be cured by legislation." Thomas Reed
-----