Date: Thu, 20 Dec 2007 00:39:16 -0600
From: "W. D." <WD@US-Webmasters.com>
To: freebsd-security@freebsd.org
Cc: Tuomo Latto <djv@iki.fi>
Subject: Re: IPFW: Blocking me out. How to debug?
Message-ID: <20071220063926.4B2D113C457@mx1.freebsd.org>
In-Reply-To: <47664621.50909@iki.fi>
References: <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org> <20071217065144.83F6013C447@mx1.freebsd.org> <47664621.50909@iki.fi>
At 03:49 12/17/2007, Tuomo Latto wrote:
>W. D. wrote:
>> How do I tell which rule is blocking me out? SSH *is* working,
>> but others are not.
>
>It all depends on what you mean by "blocking you out" and "others".
>
>
>Did you try *reading* your fw config?
>
>> # Loopback:
>> # Allow anything on the local loopback:
>> add allow all from any to any via lo0
>> add deny ip from any to 127.0.0.0/8
>> add deny ip from 127.0.0.0/8 to any
>Nope.
>
>> # Allow established connections:
>> add allow tcp from any to any established
>Nope.
>
>> # Deny fragmented packets:
>> add deny ip from any to any frag
>Nope.
>
>> # Show pings:
>> add count icmp from any to any icmptypes 8 in
>Nope.
>
>> # Allow pings, ping replies, and host unreach:
>> add allow icmp from any to any icmptypes 0,8,3
>Nope.
>
>> # Allow UDP traceroutes:
>> add allow udp from any to any 33434-34458 in
>> add allow udp from any 33434-34458 to any out
>Nope.
>
>> # Allow DNS with name server
>> add allow udp from any to any domain out
>> add allow udp from any domain to any in
>Nope.
>
>> # SSH
>> # Note that /etc/hosts.allow has restrictions
>> # on which IP addresses are allowed.
>> #
>> # Allow SSH:
>> add allow tcp from any to any ssh in setup
>Nope, but this explains SSH working.
>
>> # HTTP & HTTPS:
>> add allow tcp from any to any https in setup
>> add allow tcp from any to any http in setup
>Nope.
>
>> # Mail: SMTP & IMAP:
>> add allow tcp from any to any smtp in setup
>> add allow tcp from any to any imap in setup
>Nope.
>
>> # FTP:
>> add allow tcp from any to any ftp in setup
>> add allow tcp from any to any ftp\-data in setup
>> add allow tcp from any ftp\-data to any setup out
>Nope.
>
>> # Allow NTP in and out
>> add allow udp from any ntp to 128.252.19.1 ntp out
>> add allow udp from 128.252.19.1 ntp to any ntp in
>Nope.
>
>> # Deny and log everything else:
>> add deny log all from any to any
>Bingo!
>
>
>"ipfw -a list" may also help (packet counts).

I've been banging my head against this for the past few days.
I don't get it.

My understanding of the way this is supposed to work is that:

  # HTTP & HTTPS:
  add allow tcp from any to any https in setup
  add allow tcp from any to any http in setup

should let initial HTTP & HTTPS requests through, and that:

  # Allow established connections:
  add allow tcp from any to any established

should allow connections that are "setup" to continue.

Do I need a "check-state" or "keep-state" statement somewhere?

I don't understand what is wrong with the last rule:

  # Deny and log everything else:
  add deny log all from any to any

My understanding is that anything that doesn't match the previous rules
will match this one and hence be logged and denied. Is this not correct?

Again, I am having a great deal of difficulty understanding why these
rules don't work as expected. I've scoured the 'Net and printed out
just about every coherent ruleset out there.

Besides adding the "log" keyword on all of the rules, these are the
debugging tools I have been using:

  ipfw disable firewall
  ipfw -f flush
  ipfw enable firewall
  /etc/rc.d/ipfw start
  ipfw -a -S -N -t list
  ipfw list
  tail -f /var/log/ipfw/ipfw.log
  tcpdump -i nve0 'proto \tcp && port http'

Could anyone please throw this tired dog a bone?


Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
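Added example, not part of this thread or of FreeBSD's own tooling: a small POSIX sh/awk summariser for the ipfw log the poster is already tailing, which answers "which rule is blocking me out" by counting Deny entries per rule number, direction, protocol and destination port. The log lines below are constructed samples, and the layout of a logged entry (rule number, action, protocol, addresses with ports, direction, interface) is assumed from the kernel's usual format for rules with the "log" keyword.

```shell
#!/bin/sh
# Constructed sample of /var/log/ipfw/ipfw.log lines (not real log data).
# Entries written for rules carrying the "log" keyword look like:
#   ipfw: <rule#> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
SAMPLE_LOG='Dec 20 00:39:01 gw kernel: ipfw: 65000 Deny TCP 192.0.2.10:51234 198.51.100.5:80 in via nve0
Dec 20 00:39:02 gw kernel: ipfw: 65000 Deny TCP 192.0.2.10:51235 198.51.100.5:443 in via nve0
Dec 20 00:39:03 gw kernel: ipfw: 65000 Deny UDP 198.51.100.5:50001 128.252.19.1:123 out via nve0
Dec 20 00:39:04 gw kernel: ipfw: 65000 Deny ICMP:8.0 192.0.2.77 198.51.100.5 in via nve0
Dec 20 00:39:05 gw kernel: ipfw: 65000 Deny TCP 192.0.2.10:51236 198.51.100.5:80 in via nve0'

# deny_summary LOGTEXT
# Prints one line per (rule, direction, protocol, destination port) that was
# denied, prefixed by the hit count, most frequent first. ICMP entries carry
# no port, so they are reported with dport=-.
deny_summary() {
    printf '%s\n' "$1" | awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); proto = $(i+3); dst = $(i+5); dir = $(i+6)
            n = split(dst, part, ":")
            port = (n > 1) ? part[n] : "-"
            count[rule " " dir " " proto " dport=" port]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# denied_to_port PORT LOGTEXT
# Total number of denied packets whose destination port was PORT.
denied_to_port() {
    deny_summary "$2" | awk -v p="dport=$1" '$NF == p { s += $1 } END { print s + 0 }'
}

# Run on the constructed sample: the first line names the rule that is
# dropping the inbound HTTP requests and how often it fired.
deny_summary "$SAMPLE_LOG"
```

Pipe the live log into it with `deny_summary "$(tail -n 200 /var/log/ipfw/ipfw.log)"`; a high count on the final deny rule for an `in` packet to port 80 or 443 points at the rule above it that should have matched but did not.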