From owner-freebsd-questions Mon Feb 21 6:56:27 2000
From: "Francisco Reyes" <fran@reyes.somos.net>
To: "Doug Barton", "Mark Stout"
Cc: "freebsd-questions@FreeBSD.ORG"
Date: Mon, 21 Feb 2000 09:51:01 -0500
Message-Id: <200002211451.JAA20818@sanson.reyes.somos.net>
In-Reply-To: <38B0E408.BEBB049D@gorean.org>
Subject: Re: Reading rules in IPFW

On Sun, 20 Feb 2000 23:06:48 -0800, Doug Barton wrote:
>Mark Stout wrote:
>> default "allow ip from any to any" as the last rule. If I make it "deny ip
>> from any to any" as the last rule my previous rules that once worked now
>> don't. Nobody can get in.

This seems right. In this type of situation, when you don't know what is stopping your packets, the best way to troubleshoot is to log all packets, check which rule is stopping your packets, and modify it accordingly.

>> 100 add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
>> 100 add permit log tcp from 206.13.14.0/24 to 209.60.152.2 23
>> 100 add permit log tcp from any to 209.60.152.2 80

As Doug mentioned, it is best not to use the same numbers. Are you using rc.firewall to set up your rules? That method creates the numbers for you. It is also a better approach to use your interface IP/network IP as a variable instead of manually typing it in.
You could make a mistake by typing it manually, in which case you would not see an error unless you find what you mistyped.

>> I allow access to Telnet from any host on network 209.13.14.0
>> I allow access to Telnet from any host on network 209.13.15.0

Having Telnet is a bad thing if you already know your network/computer(s) have been hacked. They could be getting your passwords. Get SSH. Also, in your rules make sure no Telnet info is getting out by specifically mentioning the "out" card in a via statement. Something like:

# Stop RFC1918 nets on the outside interface
$fwcmd add deny log all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny log all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny log all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny log all from any to 172.16.0.0:255.240.0.0 via ${oif}

>> I allow HTTP from anyone
>> I allow FTP from anyone
>> I then deny Telnet from everyone else

Reverse the order and have the deny Telnet via the outside card before you allow it. Since this is your external card, you should not have any telnet traffic there.

>> The default rule #65535 allows everything else in. Now, where I keep these
>> same rules but change 65535 to deny ip from any to any, then nothing is
>> allowed in, not HTTP or FTP.

As I mentioned earlier, log all your rules and see where things are getting stuck. Having the last rule deny everything is safer than the opposite. Look at your "/etc/rc.conf" and check what type of firewall you define there. That definition is what determines which part of rc.firewall is used.

>Also, you're not supposed to change rule 65535, I'm not
>even sure you can, or what would happen if you try.

I don't even bother to check what that last rule is; just make sure you make a rule before it that creates the behavior you need, i.e. deny/accept all. For your reference, this setting is changed at the kernel level, and one can change its default by changing and recompiling the kernel.
Mark, why do you say your system has been hacked? Do you know the IDs they are using? Did you change all the passwords, in particular root?

Good luck.
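The rule set below is an added illustration, not code from the thread or from FreeBSD's rc.firewall. It lays out the advice given above in rc.firewall style: distinct rule numbers, interface and address variables instead of hand-typed IPs, "log" on every rule so the matching rule shows up in the log, the Telnet deny on the outside interface placed before any allow, and an explicit final deny so the kernel default rule 65535 never decides. The interface names (fxp0, fxp1), the inside network and the sample log line are assumptions; the server address and the two Telnet networks are the ones Mark posted.

```shell
#!/bin/sh
# Added example, not from the thread. Variable names follow rc.firewall.
oif="${oif:-fxp0}"             # assumed outside interface
iif="${iif:-fxp1}"             # assumed inside interface
oip="${oip:-209.60.152.2}"     # the server address from the thread
inet="${inet:-10.0.0.0/8}"     # assumed inside network
# Dry run by default: "echo ipfw" prints each command instead of loading it.
# Set fwcmd=/sbin/ipfw to load for real, from the console: the flush drops
# every rule, so a remote session dies until the allows are back in.
fwcmd="${fwcmd:-echo ipfw}"

# ipfw is first-match: the lowest-numbered matching rule decides.
load_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    # Telnet on the outside card is denied (and logged) before any rule
    # could allow it; this is the ordering recommended above.
    ${fwcmd} add 200 deny log tcp from any to any 23 via ${oif}
    # The two trusted networks may still reach Telnet on any other interface.
    ${fwcmd} add 300 allow log tcp from 209.13.14.0/24 to ${oip} 23
    ${fwcmd} add 310 allow log tcp from 209.13.15.0/24 to ${oip} 23
    # Public services: only the connection-opening SYN needs a rule here,
    # the rest of each connection is covered by the "established" rule.
    ${fwcmd} add 400 allow log tcp from any to ${oip} 80 setup
    ${fwcmd} add 410 allow log tcp from any to ${oip} 21 setup
    ${fwcmd} add 500 allow tcp from any to any established
    ${fwcmd} add 510 allow log tcp from ${oip} to any setup out via ${oif}
    ${fwcmd} add 520 allow log ip from ${inet} to any via ${iif}
    # Explicit catch-all, logged, so the kernel default rule 65535 is never hit.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Constructed sample of a logged packet, in the format the kernel writes to
# /var/log/security: the number after "ipfw:" is the rule that matched.
sample_log='Feb 21 09:51:01 sanson /kernel: ipfw: 200 Deny TCP 198.51.100.7:1027 209.60.152.2:23 in via fxp0'

# Print the number of the rule that logged a given line; this is the
# "which rule is stopping my packets" step the post recommends.
blocking_rule() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "ipfw:") { print $(i+1); exit } }'
}

load_rules
echo "rule that matched the sample packet: $(blocking_rule "$sample_log")"
```

Logging only happens with IPFIREWALL_VERBOSE in the kernel and net.inet.ip.fw.verbose set to 1; net.inet.ip.fw.verbose_limit caps how many hits per rule are logged, so raise or clear it while debugging. Independently of the log, "ipfw -a list" prints per-rule packet and byte counters, which is the quickest way to see which rule is swallowing traffic when the last rule is a deny.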