From owner-freebsd-questions Fri Feb 15 9:22:29 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mail.mango-bay.com (mail.mango-bay.com [208.206.15.12]) by hub.freebsd.org (Postfix) with ESMTP id 61EF337B402 for ; Fri, 15 Feb 2002 09:22:21 -0800 (PST) Received: from barbish ([63.70.155.112]) by mail.mango-bay.com (Post.Office MTA v3.5.3 release 223 ID# 0-52377U2500L250S0V35) with SMTP id com for ; Fri, 15 Feb 2002 12:26:28 -0500 From: "Joe & Fhe Barbish" To: "FBSD" Subject: IPFW check-state rules Date: Fri, 15 Feb 2002 12:22:17 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG My FBSD box is a gateway to a small lan of 3 winboxs. I have used a rule set based on the basic established/setup rules for a simple Stateful Filtering firewall. I changed my rules to use advanced Stateful Filtering based on check-state/keep-state. The new rules work fine for every thing originating from the FBSD gateway box, but anything originating from the lan needing internet access does not work and generates this error message Failed to write packet back(permission denied). What am I missing? Below is my rule set, please review. oif="tun0" odns1="208.226.115.111" # ISP's dns server 1 IP address odns2="208.226.115.112" # ISP's dns server 2 IP address oip="110.170.155.117/24" # For testing from standalone pc iif="xl0" # Nic card iip="10.100.100.1/24" # IP address range for LAN Nic card ${fwcmd} add 00010 divert natd all from any to any via ${oif} # Internal gateway housekeeping ${fwcmd} add 00100 allow ip from any to any via lo0 # allow all localhost ${fwcmd} add 00110 allow ip from any to any via xl0 # allow all local LAN ${fwcmd} add 00120 allow ip from any to any via tun1 # allow all dialin call 1 ${fwcmd} add 00130 allow ip from any to any via tun2 # allow all dialin call 2 ${fwcmd} add 00150 deny ip from any to 127.0.0.0/8 # deny use of localhost IP ${fwcmd} add 00155 deny ip from 127.0.0.0/8 to any # deny use of localhost IP ######## outbound section ############################################ ${fwcmd} add 00500 check-state # Allow out www function ${fwcmd} add 00600 allow tcp from ${iip} to any 80 out via ${oif} setup keep-state # Allow out access to my ISP's Domain name server. ${fwcmd} add 00610 allow tcp from me to ${odns1} 53 out via ${oif} setup keep-state ${fwcmd} add 00611 allow udp from me to ${odns1} 53 out via ${oif} keep-state ${fwcmd} add 00615 allow tcp from me to ${odns2} 53 out via ${oif} setup keep-state ${fwcmd} add 00616 allow udp from me to ${odns2} 53 out via ${oif} keep-state # Allow out access to internet Domain name server. ${fwcmd} add 00618 allow tcp from me to any 53 out via ${oif} setup keep-state ${fwcmd} add 00619 allow udp from me to any 53 out via ${oif} keep-state # Allow out email function ${fwcmd} add 00630 allow tcp from me to any 25,110 out via ${oif} setup keep-state # Allow out FBSD CVSUP function ${fwcmd} add 00640 allow tcp from me to any 5999 out via ${oif} setup keep-state # Allow out ping ${fwcmd} add 00650 allow icmp from me to any out via ${oif} keep-state # Allow out FTP ${fwcmd} add 00670 allow tcp from me to any 21 out via ${oif} setup keep-state # Allow out TELNET ${fwcmd} add 00690 allow tcp from me to any 23 out via ${oif} setup keep-state # Allow out Network Time Protocol (NTP) queries ${fwcmd} add 00695 allow udp from me to any 123 out via ${oif} keep-state ######## inbound section ############################################ # Allow in & Log TCP FTP login from public internet ${fwcmd} add 00700 allow log tcp from ${oip} to me 21 in via ${oif} setup keep-state # Allow in ssh function ${fwcmd} add 00710 allow log tcp from ${oip} to me 22 in via ${oif} setup keep-state # Allow in & Log TCP telnet login ${fwcmd} add 00720 allow tcp from ${oip} to me 23 in via ${oif} setup keep-state # Allow in www ${fwcmd} add 00730 allow tcp from ${oip} to me 80 in via ${oif} setup keep-state # This sends a RESET to all ident packets. ${fwcmd} add 00740 reset tcp from any to me 113 in via ${oif} # Stop & log spoofing Attack attempts. # Examine incoming traffic for packets with both a source and destination # IP address in your local domain as per CIAC prevention alert. ${fwcmd} add 00745 deny log ip from me to me in via ${oif} # Reject & Log all setup of incoming connections from the outside ${fwcmd} add 00800 deny log all from any to any in via ${oif} # Everything else is denied by default # deny and log all packets that fell through to see what they are ${fwcmd} add 05000 deny log logamount 500 ip from any to any To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message