From: "W. D."
To: freebsd-security@freebsd.org
Date: Mon, 17 Dec 2007 00:51:39 -0600
Subject: IPFW: Blocking me out. How to debug?
Message-Id: <20071217065144.83F6013C447@mx1.freebsd.org>
In-Reply-To: <20071213183957.B348013C469@mx1.freebsd.org>

How do I tell which rule is blocking me out?
SSH *is* working, but others are not.

###############################################################
# ipfw.rules
# ipfw firewall ruleset
# Location: /etc/ipfw.rules
# 2007 Dec 16 21:41

# By default, everything is denied access. You
# need to specifically allow something for it
# to work.

# Loopback:
# Allow anything on the local loopback:
add allow all from any to any via lo0
add deny ip from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any

# Allow established connections:
add allow tcp from any to any established

# Deny fragmented packets:
add deny ip from any to any frag

# Show pings:
add count icmp from any to any icmptypes 8 in

# Allow pings, ping replies, and host unreach:
add allow icmp from any to any icmptypes 0,8,3

# Allow UDP traceroutes:
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out

# Allow DNS with name server
add allow udp from any to any domain out
add allow udp from any domain to any in

# SSH
# Note that /etc/hosts.allow has restrictions
# on which IP addresses are allowed.
#
# Allow SSH:
add allow tcp from any to any ssh in setup

# HTTP & HTTPS:
add allow tcp from any to any https in setup
add allow tcp from any to any http in setup

# Mail: SMTP & IMAP:
add allow tcp from any to any smtp in setup
add allow tcp from any to any imap in setup

# FTP:
add allow tcp from any to any ftp in setup
add allow tcp from any to any ftp-data in setup
add allow tcp from any ftp-data to any setup out

# Allow NTP in and out
add allow udp from any ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to any ntp in

# Deny and log everything else:
add deny log all from any to any
###############################################################

I tested the syntax using:

ipfw -n /etc/ipfw.rules

I've got logging working:

/etc/rc.conf: Make certain you have an entry similar to:

# Log exceptions:
firewall_logging="YES"

/etc/syslog.conf:

# Log ipfw events to their own log file:
!ipfw
*.* /var/log/ipfw/ipfw.log

In the kernel config file, is a limit of 10 too small?

options IPFIREWALL                  # Required for IPFW
options IPFIREWALL_VERBOSE          # Optional - logging
options IPFIREWALL_VERBOSE_LIMIT=10 # Optional - don't get too many log entries
options IPDIVERT                    # Needed for natd

Any help on this would be greatly appreciated.
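Editor's note on the question above. ipfw answers "which rule?" in two ways: every rule with the `log` option writes a syslog line whose first field after `ipfw:` is the number of the rule that matched, and `ipfw show` (the same as `ipfw -a list`) prints per-rule packet and byte counters, so after `ipfw zero`, reproducing one failing connection and running `ipfw show` again reveals the rule whose counter moved. The script below is an added example, not part of the original post or of FreeBSD: it summarises an ipfw log file by rule number, protocol, destination port and direction, which turns a pile of `Deny` lines into a short list of what is being dropped. The hostname, addresses, interface name and log lines are constructed for the demonstration; on a real host you would point it at /var/log/ipfw/ipfw.log as set up in the syslog.conf fragment above.

```sh
#!/bin/sh
# Added example (not from the original post): summarise which ipfw rule is
# dropping traffic, and to which destination ports, from an ipfw log file.
#
# With firewall_logging="YES" and IPFIREWALL_VERBOSE, a "deny log" rule emits
# lines of the form (hostname, addresses and interface here are constructed):
#   Dec 17 00:52:01 host kernel: ipfw: 2200 Deny TCP 198.51.100.2:49211 203.0.113.9:25 out via fxp0
# The field after "ipfw:" is the number of the rule that matched; ICMP lines
# carry type.code on the protocol and have no ports.

# Constructed sample standing in for /var/log/ipfw/ipfw.log. Rule 2200 is the
# number the final "add deny log all" rule gets with the default autoinc step
# of 100 applied to the 22-rule file above (assumption for the sample only).
SAMPLE_LOG='Dec 17 00:52:01 sabrina kernel: ipfw: 2200 Deny TCP 198.51.100.2:49211 203.0.113.9:25 out via fxp0
Dec 17 00:52:03 sabrina kernel: ipfw: 2200 Deny TCP 198.51.100.2:49212 203.0.113.9:25 out via fxp0
Dec 17 00:52:05 sabrina kernel: ipfw: 2200 Deny TCP 198.51.100.2:49213 203.0.113.9:25 out via fxp0
Dec 17 00:52:07 sabrina kernel: ipfw: 2200 Deny TCP 203.0.113.7:51234 198.51.100.2:993 in via fxp0
Dec 17 00:52:09 sabrina kernel: ipfw: 2200 Deny UDP 198.51.100.2:123 192.0.2.20:123 out via fxp0
Dec 17 00:52:12 sabrina kernel: ipfw: 2200 Deny ICMP:3.3 203.0.113.7 198.51.100.2 in via fxp0'

# summarize_ipfw_log [FILE...]
# Reads ipfw log lines from FILE (or stdin) and prints one line per distinct
# "rule action proto dst_port direction" key, prefixed by its hit count,
# most frequent first. Destination port is "-" when the protocol has none.
summarize_ipfw_log() {
    awk '
        /ipfw:/ {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); action = $(i + 2); proto = $(i + 3)
            dst = $(i + 5); dir = $(i + 6)
            n = split(dst, parts, ":")
            port = (n > 1) ? parts[n] : "-"
            key = rule " " action " " proto " " port " " dir
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# top_blocking_rule [FILE...]
# Prints the rule number responsible for the most logged drops.
top_blocking_rule() {
    summarize_ipfw_log "$@" | awk 'NR == 1 { print $2 }'
}

# Demonstration on the constructed sample. On the real host run:
#   summarize_ipfw_log /var/log/ipfw/ipfw.log
printf '%s\n' "$SAMPLE_LOG" | summarize_ipfw_log
```

Run against the sample the first line reads `3 2200 Deny TCP 25 out`: the rule that is dropping traffic is the final catch-all, and what it is dropping is outbound SMTP connection attempts, which no earlier rule admits because the TCP rules only match `in setup` and `established` never matches an outgoing SYN. One caveat that matters for exactly this kind of debugging: IPFIREWALL_VERBOSE_LIMIT (sysctl net.inet.ip.fw.verbose_limit) is a per-rule cap, so with a limit of 10 the catch-all rule goes silent after ten lines until `ipfw resetlog` clears the counter; the `ipfw show` counters are not subject to that limit.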