Date:      Wed, 6 Dec 2000 09:25:29 -0500 (EST)
From:      Jim Freeze <jim@freeze.org>
To:        Edwin Groothuis <mavetju@chello.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Can no longer ssh
Message-ID:  <Pine.BSF.4.21.0012060919410.21359-100000@www.bellnetworks.net>
In-Reply-To: <20001206150418.B32018@d9168.upc-d.chello.nl>

On Wed, 6 Dec 2000, Edwin Groothuis wrote:

> I'm interested in the other lines.
> Also, put a "log" statement on the rules that you think are denying
> everything.

Output of "ipfw show":
00150   196   21948 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 192.168.0.0/24 to any in recv vx0
00400     0       0 deny ip from 24.9.218.0/24 to any in recv xl0
00500     0       0 deny ip from 172.16.0.0/12 to any via vx0
00600     0       0 deny ip from any to 172.16.0.0/12 via vx0
00700     0       0 deny ip from 10.0.0.0/8 to any via vx0
00800     0       0 deny ip from any to 10.0.0.0/8 via vx0
00900     0       0 deny log logamount 100 ip from 0.0.0.0/8 to any via
vx0
01000     0       0 deny log logamount 100 ip from any to 0.0.0.0/8 via
vx0
01100     0       0 deny log logamount 100 ip from 169.254.0.0/16 to any
via vx0
01200     0       0 deny log logamount 100 ip from any to 169.254.0.0/16
via vx0
01300     0       0 deny log logamount 100 ip from 192.0.2.0/24 to any via
vx0
01400     0       0 deny log logamount 100 ip from any to 192.0.2.0/24 via
vx0
01500     0       0 deny log logamount 100 ip from 224.0.0.0/4 to any via
vx0
01600     0       0 deny log logamount 100 ip from any to 224.0.0.0/4 via
vx0
01700     0       0 deny log logamount 100 ip from 240.0.0.0/4 to any via
vx0
01800     9    3184 deny log logamount 100 ip from any to 240.0.0.0/4 via
vx0
01900 12551 8317971 allow tcp from any to any established
02000     0       0 allow ip from any to any frag
02100     0       0 allow tcp from any to 24.9.218.175 80 setup
02200  3150  151200 allow tcp from any to any 80 setup
02300     0       0 allow tcp from any to any 25 setup
02400     0       0 allow tcp from any 20 to any 1024-65535 setup
02500     0       0 deny log logamount 100 tcp from any to any 21 in recv
vx0 setup
02600     5     220 allow log logamount 100 tcp from any to any 22 in recv
vx0 setup
02700     0       0 allow log logamount 100 tcp from 157.95.47.22 to
24.9.218.175 22 setup
02800     0       0 allow log logamount 100 tcp from any to any 22 in recv
vx0 setup
02900     0       0 reset tcp from any to any 113 in recv vx0 setup
03000     6     264 deny log logamount 100 tcp from any to any in recv vx0
setup
03100    10     440 allow tcp from any to any setup
03200   138    9742 allow udp from any to 24.5.116.15 53
03300   146   10300 allow udp from any to 24.5.116.17 53
03400     2     304 allow udp from 24.5.116.15 53 to any
03500    26    4162 allow udp from 24.5.116.17 53 to any
03600   293   71884 allow udp from any to any 137-139 via xl0
03700     0       0 allow udp from any 123 to any 123 via vx0
03800     0       0 allow udp from any 123 to any via xl0
03900     0       0 allow udp from any to any 123 via xl0
04000     0       0 allow udp from any to any 33434-33523 out xmit vx0
04100     0       0 allow icmp from any to any via xl0
04200     0       0 allow icmp from any to any out xmit vx0 icmptype 8
04300     0       0 allow icmp from any to any in recv vx0 icmptype 0
04400     4     224 allow icmp from any to any via vx0 icmptype 3,4,11,12
04500     4     336 deny icmp from any to any
63000     0       0 deny ip from any to 0.0.0.255:0.0.0.255 in recv vx0
64000     0       0 deny log logamount 100 udp from any to any 137-139 via
vx0
65000     1      46 deny log logamount 100 ip from any to any via vx0
65100     0       0 deny log logamount 100 tcp from any to any in recv vx0
setup
65200     0       0 allow tcp from any to any setup
65300     0       0 allow udp from any 53 to 24.9.218.175
65400     0       0 allow udp from 24.9.218.175 to any 53
65500     0       0 allow udp from any 123 to 24.9.218.175
65500     0       0 allow udp from 24.9.218.175 to any 123
65535    10     805 deny ip from any to any


My rc.firewall (the "simple" section) is:

elif [ "${firewall_type}" = "simple" ]; then

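    # "simple" firewall for a gateway with one interface on the ISP side
    # (${oif}) and one on the LAN side (${iif}).  ${fwcmd} is expected to be
    # set earlier in this file (not shown here).
    #
    # NOTE(review): ipfw is first-match and numbers rules in the order they
    # are added, so every line below is order-sensitive; moving a rule
    # changes what the firewall passes.

    # set these to your outside interface network and netmask and ip
    oif="vx0"
    onet="24.9.218.0"
    omask="255.255.255.0"
    oip="24.9.218.175"

    # set these to your inside interface network and netmask and ip
    iif="xl0"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"

    # My ISP's DNS servers
    dns1="24.5.116.15"
    dns2="24.5.116.17"

    # Stop spoofing: our inside net must never arrive on the outside
    # interface and vice versa
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    # NOTE(review): with the next two lines commented out, only
    # ${inet}:${imask} (the spoofing rule above) is rejected on ${oif};
    # the rest of 192.168.0.0/16 is not filtered here.
    #${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    #${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    ${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    ${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    ${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Stop draft-manning-dsua-01.txt nets on the outside interface
    # (unroutable/special-use prefixes; logged so hits are visible)
    ${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}

    # Allow TCP through if setup succeeded (no SYN-only packets)
    ${fwcmd} add pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    ### TCP SETUP RULES

    # Allow access to our WWW
    ${fwcmd} add pass tcp from any to ${oip} 80 setup

    # Allow LAN users WWW access
    #${fwcmd} add pass tcp from any to ${iip} 80 setup

    # HTTP - Allow access to our web server
    ${fwcmd} add pass tcp from any to any 80 setup

    # Allow setup of incoming email
    #${fwcmd} add pass tcp from any to ${oip} 25 setup

    # SMTP - Allow access to sendmail for incoming e-mail
    ${fwcmd} add pass tcp from any to any 25 setup

    # FTP - Allow incoming data channel for outgoing connections,
    # Reject&Log all incoming control connections
    ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
    ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

    # SSH Login - Allow & Log all incoming
    # NOTE(review): the running ruleset shown above counts 5 matches on this
    # rule (02600) and also lists 02700/02800, which this fragment does not
    # generate; the loaded ruleset and this file appear to have diverged --
    # confirm which one is active before debugging the ssh problem here.
    ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

    # IDENT - Reset incoming connections
    ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection (i.e. outgoing and LAN-side)
    ${fwcmd} add pass tcp from any to any setup

    ### UDP RULES

    # Allow access to our DNS
    #${fwcmd} add pass tcp from any to ${oip} 53 setup

    # DNS - Allow queries out in the world (only to/from the ISP resolvers)
    ${fwcmd} add pass udp from any to ${dns1} 53
    ${fwcmd} add pass udp from any to ${dns2} 53
    ${fwcmd} add pass udp from ${dns1} 53 to any
    ${fwcmd} add pass udp from ${dns2} 53 to any

    # SMB - Allow local traffic
    ${fwcmd} add pass udp from any to any 137-139 via ${iif}

    # NTP - Allow server-to-server on outside interface, client-to-server
    # on inside interface
    ${fwcmd} add pass udp from any 123 to any 123 via ${oif}
    ${fwcmd} add pass udp from any 123 to any via ${iif}
    ${fwcmd} add pass udp from any to any 123 via ${iif}

    # TRACEROUTE - Allow outgoing, but not incoming
    ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}


    ### ICMP RULES

    # ICMP packets
    # Allow all ICMP packets on internal interface
    ${fwcmd} add pass icmp from any to any via ${iif}

    # Allow outgoing pings, but not incoming
    ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
    ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

    # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
    # (this comment was split over two lines by mail wrapping; "Header" on a
    # line of its own would run as a command)
    ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

    # Deny the rest of them
    ${fwcmd} add deny icmp from any to any


    ### MISCELLANEOUS REJECT RULES

    # Reject broadcasts from outside interface
    # (rejoined: the mail wrapped "${oif}" onto its own line, where it would
    # have been run as a separate command)
    ${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

    # Reject&Log SMB connections on outside interface
    ${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

    # Reject&Log all other connections from outside interface
    ${fwcmd} add 65000 deny log ip from any to any via ${oif}

    # NOTE(review): rule 65000 above denies everything via ${oif} that has not
    # already matched, so the rules that follow can only ever see traffic on
    # other interfaces; the "ipfw show" output above reports 0 packets on
    # 65100-65500 and gives the last two NTP rules the same number (65500).
    # They look like the tail of the stock "simple" template left in place
    # after the custom rules were inserted -- confirm before removing them.

    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from any 53 to ${oip}
    ${fwcmd} add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    ${fwcmd} add pass udp from any 123 to ${oip}
    ${fwcmd} add pass udp from ${oip} to any 123

    # Everything else is denied as default.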

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
        $fwcmd ${firewall_type}
fi

====================================================
Jim Freeze
jim@freeze.org
--------------------------------------------------- 
** http://www.freeze.org **
====================================================



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message



