moving to 5.3 and need help understanding firewalls

Louis LeBlanc FreeBSD at keyslapper.org
Mon Oct 25 09:11:11 PDT 2004


Hey all.  I'm getting ready (again) to set up my new system with 5.3
RELEASE the moment the ISOs are published.

One thing I need to understand better is the current firewall tool, and
how to get my 4.10 firewall moved over from ipfw to pf.  Seems there
will be a few issues to work out.

Another thing I want to work through is the issue of these hack attempts
that everyone has been seeing from Asian (and a few Canadian) networks.
Most of these attempts work with just the basic accounts, like root,
guest, test, etc., but recently I've seen a few attempt accounts like
nobody, www, operator, and a few userids like oracle, sybase, patrick,
john, pamela, backup, etc.  This looks like a trend toward finding
access through an unprivileged account.  I only have a single account
that should be able to log in remotely, but I don't want to provide any
chances to find it (or one that I missed) and break the PW.

A while back, someone named Chris provided the following snippet:
${fwcmd} add 090 pass log tcp from 123.123.123.123/xx to ${ip} 22 setup limit src-addr 4

I found this pretty interesting, but haven't been able to understand it
that well.  I assumed it was a way to shut an IP out if it failed to
complete a login successfully 4 times, but I can't see how this works,
so I'm pretty sure I don't understand it correctly.  Is this maybe a
limit on the concurrent setup requests from a given IP?

I had thought about this one a bit though, and figured that it would be
a simple translation to the external network:
${fwcmd} add pass log tcp from any to ${ip} 22 setup limit src-addr 4
But I never put it in because I don't understand exactly what it will
do.

The ipfw manpage is well written, but I kinda need an idiot's guide to
bridge whatever intellectual gap I'm running into.

Any pointers to said "idiot's guide" would be appreciated.  Any newbie
level explanation of the above snippet would be just as appreciated, as
would any pointer to any "conversion howto" for the move to pf.

TIA.
Lou
-- 
Louis LeBlanc               FreeBSD at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org                     Ô¿Ô¬

Green's Law of Debate:
  Anything is possible if you don't know what you're talking about.
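The `setup limit src-addr 4` keywords in the rule Lou quotes make ipfw install a dynamic rule per source address and cap that address at four simultaneous TCP connections to port 22; it counts open connections, not failed logins (ipfw never sees sshd's password result). The following is an added simulation of that semantic, not code from the post or from ipfw itself; the host addresses, ports and event sequence are constructed, and ipfw's dynamic-rule expiry timeouts are not modelled.

```python
from collections import defaultdict

class LimitSrcAddr:
    """Model of ipfw 'tcp ... setup limit src-addr N'.

    Each passed 'setup' packet (a SYN without ACK) installs a dynamic rule
    keyed by source address; once N are open for a source, further setups
    from it are denied until one of its connections closes.  Nothing here
    looks at logins: a connection that finishes the handshake and then
    fails sshd's password check still counts as open until torn down.
    """
    def __init__(self, max_per_src):
        self.max_per_src = max_per_src
        self.open = defaultdict(set)  # src address -> open source ports

    def setup(self, src, sport):
        """Return True if the SYN passes, False if the limit drops it."""
        conns = self.open[src]
        if sport in conns:                  # retransmitted SYN, already tracked
            return True
        if len(conns) >= self.max_per_src:  # slots for this source exhausted
            return False
        conns.add(sport)
        return True

    def close(self, src, sport):
        """Connection torn down (FIN/RST): its dynamic rule is removed."""
        self.open[src].discard(sport)

def run(events, max_per_src=4):
    """Replay (kind, src, sport) events; return a verdict per setup."""
    fw = LimitSrcAddr(max_per_src)
    verdicts = []
    for kind, src, sport in events:
        if kind == "setup":
            verdict = "pass" if fw.setup(src, sport) else "deny"
            verdicts.append((src, sport, verdict))
        else:
            fw.close(src, sport)
    return verdicts

def demo():
    # Constructed scenario: one host opens five connections at once, another
    # host opens one, then the first host closes a connection and retries.
    scanner, other = "198.51.100.7", "203.0.113.5"
    events = [("setup", scanner, p) for p in range(40000, 40005)]
    events += [("setup", other, 50000), ("close", scanner, 40000),
               ("setup", scanner, 40005)]
    return run(events)   # 4 pass, 40004 denied, other passes, 40005 passes
```

Because the limit is on concurrent connections, it blunts parallel brute-forcing from one address but does nothing against a scanner that tries passwords one connection at a time; rate limiting of failed logins has to come from sshd or a log-watching tool.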
