
Re: ipfw vs ipchains



On Mon, Feb 04, 2002 at 06:53:44PM +0200, antonio at nambu.uem.mz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Do you know what the IPSTEALTH does? I got it from someone 
> and thought that it was needed to have it work as a firewall.

$ grep -2 STEALTH /usr/src/sys/i386/conf/LINT
# IPDIVERT enables the divert IP sockets, used by `ipfw divert''
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl).  This can be useful to hide firewalls
# from traceroute and similar tools.



> 
> Cheers,
> 
> 
> 
> > On Mon, Feb 04, 2002 at 04:26:14PM +0000, Antonio Godinho wrote:
> > > I have used this way in FreeBSD, but I compiled the kernel with :
> > > 
> > > options IPFIREWALL
> > > options IPFIREWALL_FORWARD
> > > options IPDIVERT
> > > options IPSTEALTH
> > > 
> > > Is there any problem with that?
> > 
> > Nope, the two you definitely need are IPFIREWALL and IPDIVERT.
> > 
> > As it happens I'm just playing with ipfilter now, I might post some
> > notes later...
> > 
> > > 
> > > Cheers,
> > > 
> > > 
> > > 
> > > > On Sat, Feb 02, 2002 at 01:12:18PM +0100, Didier Kasole wrote:
> > > > >    what is the equivalent using ipfw on freeBSD box?
> > > > 
> > > > One way is as follows:
> > > > 
> > > > (in /etc/rc.conf)
> > > > 
> > > > natd_enable="YES"
> > > > natd_interface="xl0"        -- or whatever your 'outside' interface is
> > > > firewall_enable="YES"
> > > > firewall_type="OPEN"
> > > > 
> > > > Plus compile your kernel with:
> > > > 
> > > > options         IPFIREWALL
> > > > options         IPFIREWALL_VERBOSE
> > > > options         IPFIREWALL_DEFAULT_TO_ACCEPT
> > > > options         IPDIVERT
> > > > 
> > > > The second and third are optional: VERBOSE allows logging, and
> > > > DEFAULT_TO_ACCEPT makes it harder to lock yourself out of the
> > > > machine by flushing the firewall rules and leaving DENY ALL.
> > > > 
> > > > This only works for ethernet uplinks; if you are running ppp as
> > > > your uplink, use the nat flags to ppp instead (not pppd)
> > > > 
> > > > The second way is to use ipfilter which has a separate NAT
> > > > configuration. I have not used it, but it has the advantage of
> > > > being compatible with ipfilter under Solaris. See 'man ipf' and
> > > > for more documentation, go to http://freshmeat.net/ and search on
> > > > 'ipfilter'
> > > > 
> > > > B.
> > > > 
> > > > -----
> > > > This is the afnog mailing list, managed by Majordomo 1.94.5
> > > > 
> > > > To send a message to this list, e-mail afnog at afnog.org
> > > > To send a request to majordomo, e-mail majordomo at afnog.org and put
> > > > your request in the body of the message (i.e use "help" for help)
> > > > 
> > > > This list is maintained by owner-afnog at afnog.org
> > > > 
> > > 
> > > 
> > > 
> > > Antonio Godinho
> > > B.Sc., MCP, MCP+Internet, MCSE, CCNA
> > > Address:Av. Julius Nyerere 947 3rd floor esq 
> > > Maputo - Mozambique
> > > Phone  : 258-82-300392
> > > e-mail : ANTONIO at nambu.uem.mz
> > > 
> > >                      
> > > 
> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 5.5.5 -- QDPGP 2.12 
> Comment: http://community.wow.net/grt/qdpgp.html
> 
> iQA/AwUBPF6geCN9iWWR27GKEQJDTACg8CE7JQf8W1TMpWNjDOj7HYKxjsUAnjr2
> J20fh1Zl17GVScIwSd2NR4YP
> =VHPy
> -----END PGP SIGNATURE-----
> Antonio Godinho
> B.Sc., 
> MCP, MCP+Internet, MCSE (Microsoft Certified Systems Engineer)
> CCNA (Cisco Certified Network Associate)
> Tel. +258-1-490860
> Cell +258-82-300392
> 
> 

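As an added example (not part of the thread above), a POSIX sh script that checks the two halves of the natd/ipfw recipe quoted in the thread before you reboot into a new kernel: the kernel config must carry IPFIREWALL and IPDIVERT (the two the reply says you definitely need), and rc.conf must enable natd, name its outside interface and enable the firewall. The function names, the report format and the sample config files are my own constructions; the option and rc.conf variable names are the ones the thread uses.

```sh
#!/bin/sh
# Added example, not from the original thread: sanity-check a FreeBSD kernel
# config and rc.conf against the natd + ipfw recipe quoted above.
#   kernel: IPFIREWALL and IPDIVERT required; VERBOSE, DEFAULT_TO_ACCEPT,
#           FORWARD and IPSTEALTH optional (IPSTEALTH only hides the box from
#           traceroute, it is not needed for NAT)
#   rc.conf: natd_enable, natd_interface and firewall_enable must be set
# The sample files written at the bottom are constructed for this demo.

REQUIRED_OPTS="IPFIREWALL IPDIVERT"
OPTIONAL_OPTS="IPFIREWALL_VERBOSE IPFIREWALL_DEFAULT_TO_ACCEPT IPFIREWALL_FORWARD IPSTEALTH"

# has_option FILE OPT: true if FILE has an uncommented "options OPT" line.
# The trailing group keeps IPFIREWALL from matching IPFIREWALL_VERBOSE.
has_option() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|\$)"
}

# check_kernconf FILE: report required/optional options; return 1 if a
# required one is missing.
check_kernconf() {
    rc=0
    for opt in $REQUIRED_OPTS; do
        if has_option "$1" "$opt"; then
            echo "ok       options $opt"
        else
            echo "MISSING  options $opt (required for natd + ipfw)"
            rc=1
        fi
    done
    for opt in $OPTIONAL_OPTS; do
        has_option "$1" "$opt" && echo "present  options $opt (optional)"
    done
    # Lockout caveat from the thread: without DEFAULT_TO_ACCEPT, flushing the
    # rules on a remote box leaves "deny all" and cuts off your own session.
    if has_option "$1" IPFIREWALL && ! has_option "$1" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "note     default policy is deny; flushing rules remotely locks you out"
    fi
    return $rc
}

# rc_value FILE VAR: print the value of VAR="value" (last assignment wins,
# as when sh sources the file).
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_rcconf FILE: return 1 unless natd and the firewall are both enabled
# and natd has an outside interface to bind to.
check_rcconf() {
    rc=0
    [ "$(rc_value "$1" natd_enable)" = "YES" ] || { echo "MISSING  natd_enable=\"YES\""; rc=1; }
    [ "$(rc_value "$1" firewall_enable)" = "YES" ] || { echo "MISSING  firewall_enable=\"YES\""; rc=1; }
    [ -n "$(rc_value "$1" natd_interface)" ] || { echo "MISSING  natd_interface (your outside NIC, e.g. xl0)"; rc=1; }
    return $rc
}

# Demo on constructed files; on a real box the inputs would be
# /usr/src/sys/i386/conf/<KERNCONF> and /etc/rc.conf.
demo_dir=$(mktemp -d)
cat > "$demo_dir/KERNCONF" <<'EOF'
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPSTEALTH
# options       IPDIVERT        <- commented out: natd will never see packets
EOF
cat > "$demo_dir/rc.conf" <<'EOF'
natd_enable="YES"
natd_interface="xl0"
firewall_enable="YES"
firewall_type="OPEN"
EOF
check_kernconf "$demo_dir/KERNCONF" || echo "kernel config is not ready for natd"
check_rcconf "$demo_dir/rc.conf" && echo "rc.conf looks complete"
rm -rf "$demo_dir"
```

Run it as-is to see the report on the constructed files, or call `check_kernconf` and `check_rcconf` with your own paths; a non-zero exit from either means the box will not NAT after the reboot.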