Date:      Sun, 23 Dec 2007 06:04:02 -0800 (PST)
From:      Nash Nipples <trashy_bumper@yahoo.com>
To:        freebsd-security@freebsd.org
Subject:   Re: IPFW: Blocking me out.  How to debug?
Message-ID:  <644350.78923.qm@web36310.mail.mud.yahoo.com>

Dear W.D.

Oh come on. I have the same problem. Cut and paste logic:

#!/bin/sh
#1. count packets
#2. allow everything on lo0 (loopback)
#3. slow down and deny packets to buffer overflow enabled daemons
#3.5 to list all the buffer overflow enabled daemons use this: sockstat -46ul
#4. allow everything in and out on the Ethernet interface fxp0. Remember - wires are long things!
#5. switch sshd to a different port like 55 and use keys to authenticate
#6. do ipfw show every morning
#7. do ipfw zero every evening or as often as your boss wants that
#8. learn how to modify this script quickly just to plumb all the other things that leak
#9. you can't block yourself out if you run this script with a trailing '&' e.g. sh /etc/ipfw.rules &
#TODO: write a program that sends bills to customers
#BUGS: it can't smile

cmd="/sbin/ipfw"
ext1="fxp0"
gentleports="21,25,514"

#accounting
#i need these figures to see how bad things are going
#(every rule goes in with "add"; ipfw does not accept a bare rule number)
$cmd add 100 count ip from any to any in via lo0
$cmd add 110 count ip from any to any out via lo0
$cmd add 120 count ip from any to any in via $ext1
$cmd add 130 count ip from any to any out via $ext1

#if counters below grow too high you are screwed
  #this counter should not vary much compared to the next one
$cmd add 210 count icmp from any to any out via $ext1
  #if there is an obvious difference someone's digging holes in the yard
$cmd add 220 count icmp from any to any in via $ext1
  #too much dns
$cmd add 230 count ip from any to any 53 out via $ext1
$cmd add 240 count ip from any to any 53 in via $ext1

#if counters below grow too high you have screwed someone else
#oh yes. someone's got mail.
$cmd add 300 count ip from any to any 25 out via $ext1
#which way did it go
$cmd add 310 count ip from any to any 25 via lo0

#policy
$cmd add 1000 allow all from any to any via lo0
#1110 shapes the gentle ports through pipe 1; the packet only continues to
#the deny at 1120 when net.inet.ip.fw.one_pass is 0
/sbin/ipfw add 1110 pipe 1 ip from any to me $gentleports in via $ext1
/sbin/ipfw pipe 1 config bw 1Kbit/s queue 1Kbytes

$cmd add 1120 deny ip from any to me $gentleports in via $ext1
$cmd add 1130 allow all from any to any via $ext1
#you will wonder but the next rule still has a match
$cmd add 1140 deny log all from any to any

I'm sorry but I can't draw pretty pictures to make it any more obvious

Nash


----- Original Message ----
From: W. D. <WD@US-Webmasters.com>
To: FreeBSD-Security@FreeBSD.org
Cc: Ian Smith <info@plot.uz>
Sent: Friday, December 21, 2007 9:30:11 AM
Subject: Re: IPFW: Blocking me out.  How to debug?


At 05:45 12/20/2007, Ian Smith, wrote:

Thanks for your reply Ian.  This is the kind of
information I am looking for.


>Firstly, this really belongs over on freebsd-net@ if not
>freebsd-questions@, but anyway ..

I'll be glad to move it there if you would like.  I
figured that since IPFW/Firewalls are security
related, that FreeBSD-Security would be the most
appropriate place.


>On Thu, 20 Dec 2007, W. D. wrote:
>
> > At 03:49 12/17/2007, Tuomo Latto wrote:
> > >W. D. wrote:
> > >> How do I tell which rule is blocking me out?  SSH *is* working,
> > >> but others are not.
> > >
> > >It all depends on what you mean by "blocking you out" and "others".
>
>True; it's not really clear what you're trying to do, whether this is a
>single server with a single net interface with no NAT or what, but based
>on your present rules I'll have to make that assumption.

OK, sorry.  I guess I just assumed that it would be obvious
that this is a Web server.  ("Never assume anything, my good
fellow" - Sherlock Holmes).

By the way, it is/will be running Plesk server management
software, if it matters:
http://www.swsoft.com/en/products/plesk/reqs/

Also, this server is on an internal LAN before I subject
it to the wild, untamed, InterWeb, with its dangerous
internets darting back and forth inside all of the tubes.


> > >>         # Loopback:
> > >>         # Allow anything on the local loopback:
> > >>         add allow all from any to any via lo0
> > >>         add deny ip from any to 127.0.0.0/8
> > >>         add deny ip from 127.0.0.0/8 to any
>
>Meaning, these rules are ok and not the problem.  Ignore Mr. Nipples.

With a name like that, it's hard to take him seriously.  ;^)


>
> > >>         # Allow established connections:
> > >>         add allow tcp from any to any established
>
>That's ok.  It may help you in debugging what's happening to use:
>
>  allow [log] tcp from any to any in established
>  allow [log] tcp from any to any out established

I assume here that "[log]" means to insert "log" for
debugging like this:

  allow log tcp from any to any in established
  allow log tcp from any to any out established

rather than including the square brackets, "[" & "]",
correct?

I have done that and have included my latest ruleset
below.


>and really, using 'any to any' without specifying on which interfaces or
>whether 'any' is your box or the outside world is a bit too general, but
>moving on ..

OK.  What should I do?  I only plan on having one
Ethernet interface.  What would be more secure?


> > >>         # Deny fragmented packets:
> > >>         add deny ip from any to any frag

> > >>         # Show pings:
> > >>         add count icmp from any to any icmptypes 8 in
> > >
>
>That's inbound ping requests.  Don't forget that 'inbound' means coming
>into the firewall, not necessarily from the outside world.  Your own
>ping requests _from_ this box also have to both come in, and go out.

Hmmm.  OK.  Outbound Ping will be rarely used, but should
be allowed.  Isn't that included in the next rule?


> > >>         # Allow pings, ping replies, and host unreach:
> > >>         add allow icmp from any to any icmptypes 0,8,3
> > >
>
>Add icmptype 11 as well if you want traceroutes to work ..
>
> > >>         # Allow UDP traceroutes:
> > >>         add allow udp from any to any 33434-34458 in
> > >>         add allow udp from any 33434-34458 to any out
> > >
>
>Ok, though udp rules are often better done statefully.  See below.
>
> > >>         # Allow DNS with name server
> > >>         add allow udp from any to any domain out
> > >>         add allow udp from any domain to any in
> > >Nope.
>
>You want to watch out here.  This allows udp packets from any address
>with source port 53 to connect with any open udp port on your system,
>and allows the responses as well.  It's a simple matter using such as
>netcat to source packets from port 53.

Should I restrict it by specifically stating the service?
How can I be safe?  What would the rule look like?


>I gather from this that you're not running a DNS server yourself, but
>using upstream server/s?  In that case a stateful rule is safer:

Again, I apologize for not being clear.  I will be running
DNS on this box for the domains being hosted.  So, it will
be polled whenever a request for a hosted domain is needed.


>  allow udp from me to any 53 keep-state
>
>which allows after the return packets but denies connections not
>initiated from your box.
>
> > >>         # SSH
> > >>         #  Note that /etc/hosts.allow has restrictions
> > >>         #  on which IP addresses are allowed.
> > >>         #
> > >>         # Allow SSH:
> > >>         add allow tcp from any to any ssh in setup
> > >
>
>By 'ssh working', I guess you mean ssh connections to this box from
>elsewhere, rather than ssh connections from this box?  Not clear.

Sorry!  I am using SSH into this box, since it is easier to
cut and paste for editing and configuration.

I can't really see a situation where I would normally need to SSH
outbound, can you?  I use the Windoze boxes for that.


> > >>         # HTTP & HTTPS:
> > >>         add allow tcp from any to any https in setup
> > >>         add allow tcp from any to any http in setup
> > >
>
>So, you have a webserver running on this box, listening on ports 80 and
>443?  You've verified with 'netstat -finet -a' that this is the case?

Yes:

# netstat -finet -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.109.ssh      192.168.1.107.3502     ESTABLISHED
tcp4       0     52  192.168.1.109.ssh      192.168.1.107.2266     ESTABLISHED
tcp4       0      0  *.poppassd             *.*                    LISTEN
tcp4       0      0  *.ftp                  *.*                    LISTEN
tcp4       0      0  *.smtps                *.*                    LISTEN
tcp4       0      0  *.smtp                 *.*                    LISTEN
tcp4       0      0  localhost.locald.3000  *.*                    LISTEN
tcp4       0      0  *.pop3s                *.*                    LISTEN
tcp4       0      0  *.pop3                 *.*                    LISTEN
tcp4       0      0  *.imaps                *.*                    LISTEN
tcp4       0      0  *.imap                 *.*                    LISTEN
tcp4       0      0  *.8443                 *.*                    LISTEN
tcp4       0      0  *.8880                 *.*                    LISTEN
tcp4       0      0  *.3306                 *.*                    LISTEN
tcp4       0      0  localhost.locald.8005  *.*                    LISTEN
tcp4       0      0  *.9008                 *.*                    LISTEN
tcp4       0      0  *.8009                 *.*                    LISTEN
tcp46      0      0  *.https                *.*                    LISTEN
tcp46      0      0  *.http                 *.*                    LISTEN
tcp4       0      0  *.9080                 *.*                    LISTEN
tcp4       0      0  *.8180                 *.*                    LISTEN
tcp4       0      0  localhost.locald.postg *.*                    LISTEN
tcp4       0      0  localhost.locald.rndc  *.*                    LISTEN
tcp4       0      0  localhost.locald.domai *.*                    LISTEN
tcp4       0      0  192.168.1.109.domain   *.*                    LISTEN
tcp4       0      0  *.ssh                  *.*                    LISTEN
udp4       0      0  192.168.1.109.24889    ns1.ournameserver.net.53
udp4       0      0  *.51750                *.*
udp4       0      0  localhost.locald.domai *.*
udp4       0      0  192.168.1.109.domain   *.*
udp4       0      0  *.syslog               *.*


>
> > >>         # Mail: SMTP & IMAP:
> > >>         add allow tcp from any to any smtp in setup
> > >>         add allow tcp from any to any imap in setup
> > >
>
>You're running SMTP and IMAP servers, verified as above?
>
>You see, this also allows you (as 'any') to connect to any outside SMTP
>server too.  It really helps to differentiate connections into your box
>from those you're making to outside boxes, which these don't do.
>
>Have a close look at the 'simple' section in rc.firewall.

I have scanned various versions of "rc.firewall".  I kinda understand
what is going on, but there are so many places that seem anti-intuitive
to me.

Also, what are the differences between running a script and loading
these rules on bootup?


>There are
>advantages to running a script such as that rather than rules in a file,
>like variable substitution, at least while getting it all working right.

I have mixed feelings about variables.  I guess they make
it easier if you change a network card or IP addresses--you
only have to do it in one place.

However, a search and replace command doesn't take much
time at all.  Also, they add a level of complexity to
a situation that (to me) is complex enough already.
And, I wonder if by not using variables, I can save a
few microseconds when processing traffic.  ;^)


> > >>         # FTP:
> > >>         add allow tcp from any to any ftp in setup
> > >>         add allow tcp from any to any ftp\-data in setup
> > >>         add allow tcp from any ftp\-data to any setup out
> > >
>
>Mmm, I prefer using and enforcing FTP passive mode, but YMMV.

How would I do that?  This guy doesn't think it's even
possible:
http://tinyurl.com/2z6ynr


> > >>         # Allow NTP in and out
> > >>         add allow udp from any ntp to 128.252.19.1 ntp out
> > >>         add allow udp from 128.252.19.1 ntp to any ntp in
> > >
>
>Unless running a time service for other boxes, something like:
>
>  allow udp from me to any ntp keep-state # or to a specific server

Well, I think that since NTP is such a minimal user
of resources, that I would like to rely on this
box for the correct time.  That way, I don't have
to bug the stratum 1 boxes.  Shall I use my original?


>
> > >>         # Deny and log everything else:
> > >>         add deny log all from any to any
> > >Bingo!
>
>Ok, so you got rid of interface 'all', great.

Is this better?

  add deny log ip from any to any

If so, I just don't understand this.  Here is what the
"Fine Manual" says:

  ============================================================
  protocol: [not] protocol-name | protocol-number
  An IP protocol specified by number or name (for a complete list
  see /etc/protocols), or one of the following keywords:

  ip4 | ipv4
          Matches IPv4 packets.

  ip6 | ipv6
          Matches IPv6 packets.

  ip | all
        Matches any packet.
  ============================================================

According to this, "ip" and "all" are synonymous.  Criminy!
What am I missing here?


> > >"ipfw -a list" may also help (packet counts).
>
>It's only a short ruleset, it may help us if you show the output of say
>'ipfw -t show' (or ipfw -at list, same thing), if you're still having
>problems, but see below re 'inness' and 'outness'.
>
> > I've been banging my head against this for the past few
> > days.  I don't get it.
> >
> > My understanding of the way this is supposed to work is
> > that:
> >
> >   # HTTP & HTTPS:
> >   add allow tcp from any to any https in setup
> >   add allow tcp from any to any http in setup
> >
> > should let initial HTTP & HTTPS requests through,
> > and that:
> >
> >  # Allow established connections:
> >  add allow tcp from any to any established
>
>Not quite.  Looks like you're allowing http/https setup packets in (ie,
>into the firewall) but not letting them out (of the firewall, to the
>webserver).  For example in the 'simple' ruleset mentioned, we have:
>
>        # Allow access to our WWW
>        ${fwcmd} add pass tcp from any to ${oip} 80 setup
>
>        # Reject&Log all setup of incoming connections from the outside
>        ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
>        # Allow setup of any other TCP connection
>        ${fwcmd} add pass tcp from any to any setup

I really don't get the above rule.  Isn't it saying that
*any* kind of TCP connection can come in or go out initially?


>Note there's no 'in' or 'out' on the port 80 rule, so this allows the
>packets on both the in and out pass of the firewall.  Also, the IP is
>specified as our IP - 'me' will do fine if it's just this box.

In my set, should I include some "out" rules like this:

  add allow tcp from any to any https out setup
  add allow tcp from any to any http out setup


>
> > should allow connections that are "setup" to
> > continue.  Do I need a "check-state" or "keep-state"
> > statement somewhere?
>
>No, though you can use stateful TCP rules if you want to, in which case
>you'll want to DENY established connections.  Personally I find relying
>on the TCP state established by using 'setup' and 'established' fine for
>TCP, but tend to use keep-state for UDP and some ICMP rules.

That sounds reasonable.


> > I don't understand what is wrong with the last rule:
> >
> >   # Deny and log everything else:
> >   add deny log all from any to any
> >
> > My understanding is that anything that doesn't match
> > the previous rules will match this one and hence
> > be logged and denied.  Is this not correct?
>
>That's correct.  Aren't you seeing any?  Try show rather than tell.

Showing:

# ipfw -a -S -N -t list
00100  688  173384 Thu Dec 20 15:32:17 2007 set 0 allow log logamount 10 ip from any to any via lo0
00200    0       0                         set 0 deny log logamount 10 ip from any to 127.0.0.0/8
00300    0       0                         set 0 deny log logamount 10 ip from 127.0.0.0/8 to any
00400 4344 1712050 Fri Dec 21 00:23:37 2007 set 0 allow log logamount 10 tcp from any to any established
00500    0       0                         set 0 deny log logamount 10 ip from any to any frag
00600    4     240 Wed Dec 19 23:05:31 2007 set 0 count icmp from any to any icmptypes 8 in
00700    8     480 Wed Dec 19 23:05:31 2007 set 0 allow log logamount 10 icmp from any to any icmptypes 0,3,8
00800    0       0                         set 0 allow log logamount 10 udp from any to any dst-port 33434-34458 in
00900    0       0                         set 0 allow log logamount 10 udp from any 33434-34458 to any out
01000  366   24038 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any to any dst-port domain out
01100  364   59582 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any domain to any in
01200    1      48 Thu Dec 20 16:49:47 2007 set 0 allow log logamount 10 tcp from any to any dst-port ssh in setup
01300    0       0                         set 0 allow log logamount 10 tcp from any to any dst-port https in setup
01400    6     288 Thu Dec 20 14:43:38 2007 set 0 allow log logamount 10 tcp from any to any dst-port http in setup
01500   98    6272 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 tcp from any to any dst-port http
01600    1      64 Thu Dec 20 15:25:01 2007 set 0 allow log logamount 10 tcp from any to any dst-port https
01700    0       0                         set 0 allow log logamount 10 tcp from any to any dst-port smtp in setup
01800    0       0                         set 0 allow log logamount 10 tcp from any to any dst-port imap in setup
01900   43    2064 Wed Dec 19 23:16:18 2007 set 0 allow log logamount 10 tcp from any to any dst-port ftp in setup
02000    0       0                         set 0 allow log logamount 10 tcp from any to any dst-port ftp-data in setup
02100    0       0                         set 0 allow log logamount 10 tcp from any ftp-data to any setup out
02200  100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from any ntp to navobs1.wustl.edu dst-port ntp out
02300  100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from navobs1.wustl.edu ntp to any dst-port ntp in
02400 2058  226123 Fri Dec 21 00:17:20 2007 set 0 deny log logamount 10 ip from any to any
65535    7     909 Wed Dec 19 22:58:29 2007 set 31 deny ip from any to any

Lot of stuff being denied.  I think some of that
is my HTTP and HTTPS initial requests.  What to do?

>
> > Again, I am having a great deal of difficulty
> > understanding why these rules don't work as expected.
> > I've scoured the 'Net and printed out just about
> > every coherent ruleset out there.
> >
> > Besides adding the "log" keyword on all of the rules,
> > these are the debugging tools I have been using:
> >
> >   ipfw disable firewall
> >   ipfw -f flush
> >   ipfw enable firewall
> >   /etc/rc.d/ipfw start
> >   ipfw -a -S -N -t list
> >   ipfw list
> >   tail  -f   /var/log/ipfw/ipfw.log
> >   tcpdump -i nve0 'proto \tcp && port http'
> >   netstat -finet -a
> >
> > Could anyone please throw this tired dog a bone?
>
>Getting the two-pass nature of ipfw understood seems to be your main
>difficulty.

I would definitely agree with you.  I am completely lost.

By "two-pass" do you mean "in" to the firewall, and then
"in" to the webserver, and another "two-pass": "out" from the
webserver, and "out" from the firewall?


>I know it was for me back then.  Have a look at the section
>in ipfw(8) regarding packet flows, and although it sounds trite, RTFM
>about 10 times :)
>
>Cheers, Ian

Love the "Fine Manual" --not!  Just not enough examples for
me to understand everything.  Too much abstraction--AAArrrrgh!

Am using this link, since "man ipfw" doesn't work on 6.2.  (I dare
someone to explain to me how to get it to work):
http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8

Thanks for your help, Ian.  Would appreciate it if you would
kick my butt in the proper direction again.

Any other takers/kickers?


Latest grope in the dark:
============================================================
# ipfw.rules
# ipfw firewall ruleset
#  2007 Dec 20

# By default, everything is denied access.  You
# need to specifically allow something for it
# to work.

# Loopback:
# Allow anything on the local loopback:
add allow log all from any to any via lo0

# Disallow spoofed access to local:
add deny log ip from any to 127.0.0.0/8
add deny log ip from 127.0.0.0/8 to any

# Allow established connections:
add allow log tcp from any to any established

# Deny fragmented packets:
add deny log ip from any to any frag

# Show pings:
add count icmp from any to any icmptypes 8 in

# Allow pings, ping replies, and host unreach:
add allow log icmp from any to any icmptypes 0,8,3

# Allow UDP traceroutes:
add allow log udp from any to any 33434-34458 in
add allow log udp from any 33434-34458 to any out

# Allow DNS with name server
add allow log udp from any to any domain out
add allow log udp from any domain to any in

# SSH
#  Note that /etc/hosts.allow has restrictions
#  on which IP addresses are allowed.
#
# Allow SSH:
add allow log tcp from any to any ssh in setup

# HTTP & HTTPS:
add allow log tcp from any to any https in setup
add allow log tcp from any to any http in setup

add allow log tcp from any to any dst-port 80
add allow log tcp from any to any dst-port 443

# Mail: SMTP & IMAP:
add allow log tcp from any to any smtp in setup
add allow log tcp from any to any imap in setup

# FTP:
add allow log tcp from any to any ftp in setup
add allow log tcp from any to any ftp\-data in setup
add allow log tcp from any ftp\-data to any setup out

# Allow NTP in and out
add allow log udp from any ntp to 128.252.19.1 ntp out
add allow log udp from 128.252.19.1 ntp to any ntp in


# Deny and log everything else:
# add deny log all from any to any
add deny log ip from any to any
============================================================



Start Here to Find It Fast!™ ->
 http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
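The thread's real question is "which rule is this packet hitting, and on which pass?". The following is an added example, written for this page; it is not ipfw and not code from Nash, W.D. or Ian. It parses the rule syntax quoted above (`add [num] action [log] proto from src [ports] to dst [ports] options`, with in/out, via, setup, established, frag, icmptypes and dst-port) and runs ipfw's first-match evaluation for one pass of one packet, the way you would trace a packet by hand against `ipfw -at list`. It assumes a single host with no forwarding, so a packet is checked once "in" as it arrives and the reply once "out" as the host sends it; `192.168.1.109`, `192.168.1.107` and `nve0` come from W.D.'s netstat and tcpdump lines, `203.0.113.5` is a constructed address, and only the rules of W.D.'s ruleset that the sample packets can reach are embedded, with the numbers ipfw gave them in his listing. `keep-state` is not modelled.

```python
# Toy first-match evaluator for the ipfw(8) syntax used in this thread (added example,
# not ipfw itself): a packet on a single host is checked once "in" and a reply once "out".
import ipaddress
from collections import namedtuple

SERVICES = {"ssh": 22, "http": 80, "https": 443, "smtp": 25, "imap": 143,
            "ftp": 21, "ftp-data": 20, "ntp": 123, "domain": 53}
LOCAL = {"192.168.1.109"}          # this box, as in W.D.'s netstat output
# One packet on one pass of the firewall; flags = names of the TCP flags set.
Packet = namedtuple("Packet", "proto src dst direction iface sport dport flags frag icmptype",
                    defaults=("nve0", 0, 0, frozenset(), False, -1))
# The rules from W.D.'s posted ruleset that the sample packets below can reach,
# numbered as in his 'ipfw -a list' output; the rules left out match none of them.
RULESET = r"""
add 100 allow log all from any to any via lo0
add 400 allow log tcp from any to any established
add 500 deny log ip from any to any frag
add 600 count icmp from any to any icmptypes 8 in
add 700 allow log icmp from any to any icmptypes 0,8,3
add 1100 allow log udp from any domain to any in
add 1400 allow log tcp from any to any http in setup
add 2100 allow log tcp from any ftp\-data to any setup out
add 2400 deny log ip from any to any
"""
def parse_ports(tok):
    """'80', 'ssh', 'ftp-data' or '33434-34458' -> [(lo, hi), ...]"""
    spans = [(x, x) if x in SERVICES else (x.split("-") * 2)[:2] for x in tok.split(",")]
    return [(int(SERVICES.get(a, a)), int(SERVICES.get(b, b))) for a, b in spans]

def parse_rule(line, number):
    t = [x.replace("\\", "") for x in line.split() if x not in ("add", "log")]
    if t[0].isdigit():
        number, t = int(t[0]), t[1:]
    r = dict(num=number, action=t[0], proto=t[1], src=t[3], dst=None, sports=None,
             dports=None, dir=None, via=None, setup=False, established=False,
             frag=False, icmptypes=None)
    t = t[4:]                                        # past 'from SRC'
    if t[0] != "to":
        r["sports"], t = parse_ports(t[0]), t[1:]
    r["dst"], t = t[1], t[2:]                        # past 'to DST'
    if t and (t[0][0].isdigit() or t[0] in SERVICES):   # a port list, not a keyword
        r["dports"], t = parse_ports(t[0]), t[1:]
    while t:
        k, t = t[0], t[1:]
        if k in ("in", "out"):
            r["dir"] = k
        elif k in ("setup", "established", "frag"):
            r[k] = True
        elif k == "via":
            r["via"], t = t[0], t[1:]
        elif k == "dst-port":
            r["dports"], t = parse_ports(t[0]), t[1:]
        elif k == "icmptypes":
            r["icmptypes"], t = {int(x) for x in t[0].split(",")}, t[1:]
        else:                                        # e.g. keep-state: not modelled
            raise ValueError(f"unsupported keyword {k!r} in rule {number}")
    return r

def load_ruleset(text):
    rules = []                  # an unnumbered rule gets previous + 100, as ipfw does
    for line in filter(str.strip, text.splitlines()):
        rules.append(parse_rule(line, (rules[-1]["num"] if rules else 0) + 100))
    return rules

def addr_ok(spec, addr):
    return spec == "any" or (addr in LOCAL if spec == "me" else
                             ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))

def ports_ok(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)

def matches(r, p):
    return ((r["proto"] in ("ip", "all", "ip4", "ipv4") or r["proto"] == p.proto)
            and addr_ok(r["src"], p.src) and addr_ok(r["dst"], p.dst)
            and ports_ok(r["sports"], p.sport) and ports_ok(r["dports"], p.dport)
            and r["dir"] in (None, p.direction) and r["via"] in (None, p.iface)
            and (not r["setup"] or ("SYN" in p.flags and "ACK" not in p.flags))
            and (not r["established"] or bool(p.flags & {"ACK", "RST"}))
            and (not r["frag"] or p.frag)
            and (r["icmptypes"] is None or p.icmptype in r["icmptypes"]))

def first_match(rules, p):
    """(number, action, count rules passed): count falls through, first allow/deny wins."""
    counted = []
    for r in rules:
        if matches(r, p):
            if r["action"] != "count":
                return r["num"], r["action"], counted
            counted.append(r["num"])
    return 65535, "deny", counted           # the implicit default rule

RULES = load_ruleset(RULESET)
def trace_web_hit(client="192.168.1.107", me="192.168.1.109"):
    """Constructed samples: browser SYN in, server SYN-ACK out, and a SYN this box sends out."""
    pkts = {"http SYN in": Packet("tcp", client, me, "in", sport=3502, dport=80, flags={"SYN"}),
            "http SYN-ACK out": Packet("tcp", me, client, "out", sport=80, dport=3502, flags={"SYN", "ACK"}),
            "smtp SYN out": Packet("tcp", me, "203.0.113.5", "out", sport=51000, dport=25, flags={"SYN"})}
    return {name: first_match(RULES, p)[:2] for name, p in pkts.items()}
```

`trace_web_hit()` returns `{"http SYN in": (1400, "allow"), "http SYN-ACK out": (400, "allow"), "smtp SYN out": (2400, "deny")}`: the browser's SYN is admitted by 1400 on the in pass and the server's SYN-ACK leaves under 400 on the out pass, because `established` matches any segment with ACK or RST set, so the web server itself does not need an extra `out` rule. A connection the box originates, such as mail going out to port 25, matches nothing before 2400, which is one kind of traffic that feeds the 2058 denies in the listing. A ping request coming in shows the count-then-allow behaviour (600 is bumped, 700 terminates), and a UDP packet from source port 53 to any local UDP port is accepted by 1100 exactly as Ian warns, which is the case for his `keep-state` version. Comparing these traces with the counters from `ipfw -at list` on the real box is the quickest way to find which rule is doing the denying.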


