From owner-freebsd-stable Mon Aug 10 15:40:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA11100 for freebsd-stable-outgoing; Mon, 10 Aug 1998 15:40:12 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from infowest.com (infowest.com [204.17.177.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA11089; Mon, 10 Aug 1998 15:40:06 -0700 (PDT) (envelope-from agifford@infowest.com)
Received: from infowest.com (eq.net [207.49.60.250]) by infowest.com (8.8.8/8.8.8) with ESMTP id QAA02081; Mon, 10 Aug 1998 16:39:38 -0600 (MDT)
Message-ID: <35CF769F.68C80A22@infowest.com>
Date: Mon, 10 Aug 1998 16:39:27 -0600
From: "Aaron D. Gifford"
X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.7-STABLE i386)
MIME-Version: 1.0
To: questions@FreeBSD.ORG, stable@FreeBSD.ORG
Subject: ipfw problem???
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

Something's weird with my ipfw setup. It seems to work perfectly as I expected except for this tiny bit of weirdness. My ipfw setup lets me ping and traceroute and telnet to my heart's content EXCEPT when the remote address is within the same class C address space as my own dynamically assigned IP number. Then I get "sendto: Permission denied." errors left and right. Why is this?

I checked my netmask via 'netstat -in' and sure enough, my netmask is 255.255.255.255. What's going on here? Looking at the output of 'ipfw -at list' shows me that the packets are hitting the FINAL deny statement. But when I ping/traceroute/telnet to other addresses, everything works just fine.

I'm running 2.2.7-STABLE as of July 25th. I've included my /etc/rc.firewall script below that shows my configuration, but I really don't think this is an ipfw config problem.

Puzzled,
Aaron out.
---------/etc/rc.firewall----------
# Is the ipfw_mod module already loaded:
mod=`/usr/bin/modstat -n ipfw_mod | /usr/bin/grep ipfw_mod | /usr/bin/awk '{print $8;}'`
if [ "X${mod}" != "Xipfw_mod" ]; then
    # Load the ipfw kernel module
    /sbin/modload /lkm/ipfw_mod.o
fi

# Flush out the list before we begin.
/sbin/ipfw -f flush

# Learn what IP address our ISP has assigned (we dial out on tun0):
ip=`/usr/bin/netstat -in | /usr/bin/perl -ne 'print $1 if( /^tun0\s+[0-9]+\s+[0-9\.]+\s+([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s+/ );'`

# My external interface:
extern="tun0"
# My loopback interface:
loop="lo0"

# Deny obviously spoofed packets:
/sbin/ipfw add deny log all from 127.0.0.1 to any via ${extern}
/sbin/ipfw add deny log all from ${ip} to any in via ${extern}
/sbin/ipfw add deny log all from 192.168.0.0:255.255.0.0 to any
/sbin/ipfw add deny log all from 172.16.0.0:255.240.0.0 to any
/sbin/ipfw add deny log all from 10.0.0.0:255.0.0.0 to any

# Pass normal localhost traffic:
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from ${ip} to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from 127.0.0.1 to ${ip} via ${loop}
/sbin/ipfw add pass all from ${ip} to ${ip} via ${loop}

# Deny everything else via the loopback:
/sbin/ipfw add deny all from any to any via ${loop}

# Pass established TCP connections:
/sbin/ipfw add pass tcp from any to ${ip} in via ${extern} established
/sbin/ipfw add pass tcp from ${ip} to any out via ${extern} established

# Pass outgoing new TCP session setup packets:
/sbin/ipfw add pass tcp from ${ip} to any setup

# Deny all other TCP connection setup attempts:
/sbin/ipfw add deny log tcp from any to any setup

# Pass outgoing DNS queries:
/sbin/ipfw add pass udp from ${ip} to any 53 out via ${extern}

# Pass incoming DNS replies:
# (This sure is ugly! It allows someone to do a udp portscan from port 53.)
/sbin/ipfw add pass udp from any 53 to ${ip} in via ${extern}

# Pass outgoing NTP queries:
/sbin/ipfw add pass udp from ${ip} to any 123 out via ${extern}

# Pass incoming NTP replies:
# (This sure is ugly! It allows someone to do a udp portscan from port 123.)
/sbin/ipfw add pass udp from any 123 to ${ip} in via ${extern}

# Pass any UDP we decide to send (ala ping):
/sbin/ipfw add pass udp from ${ip} to any out via ${extern}

# Pass outgoing ICMP packets:
/sbin/ipfw add pass icmp from ${ip} to any out via ${extern}

# Pass incoming ICMP packets:
/sbin/ipfw add pass icmp from any to ${ip} in via ${extern}

# Toast EVERYTHING else:
/sbin/ipfw add deny log all from any to any
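The rule list above is evaluated first match wins, and the two rules the author flags as "ugly" are the reason: a packet from any host whose source port happens to be 53 or 123 reaches the pass rule before the final deny. The following is an added example, not part of the original post and not FreeBSD's ipfw code. It is a small Python simulator for the subset of 1998-era ipfw syntax the script uses (protocol, from/to with an optional port, in/out, via, setup/established), walks constructed packets through the rules exactly as written in rc.firewall, and then shows the tightened form of the DNS reply rule (accept replies only from the resolver you actually query). MY_IP and RESOLVER are constructed placeholder addresses, not values from the post.

```python
"""Added example: first-match simulator for the ipfw rule list in /etc/rc.firewall."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MY_IP = "207.49.60.250"    # constructed: stands in for ${ip} in the script
RESOLVER = "192.0.2.53"    # constructed: the ISP resolver a tightened rule would name
EXTERN, LOOP = "tun0", "lo0"

# Rule bodies from rc.firewall, in order, minus the "/sbin/ipfw add" prefix.
ORIGINAL_RULES = [
    "deny log all from 127.0.0.1 to any via tun0",
    "deny log all from ${ip} to any in via tun0",
    "deny log all from 192.168.0.0:255.255.0.0 to any",
    "deny log all from 172.16.0.0:255.240.0.0 to any",
    "deny log all from 10.0.0.0:255.0.0.0 to any",
    "pass all from 127.0.0.1 to 127.0.0.1 via lo0",
    "pass all from ${ip} to 127.0.0.1 via lo0",
    "pass all from 127.0.0.1 to ${ip} via lo0",
    "pass all from ${ip} to ${ip} via lo0",
    "deny all from any to any via lo0",
    "pass tcp from any to ${ip} in via tun0 established",
    "pass tcp from ${ip} to any out via tun0 established",
    "pass tcp from ${ip} to any setup",
    "deny log tcp from any to any setup",
    "pass udp from ${ip} to any 53 out via tun0",
    "pass udp from any 53 to ${ip} in via tun0",      # the "ugly" DNS reply rule
    "pass udp from ${ip} to any 123 out via tun0",
    "pass udp from any 123 to ${ip} in via tun0",     # the "ugly" NTP reply rule
    "pass udp from ${ip} to any out via tun0",
    "pass icmp from ${ip} to any out via tun0",
    "pass icmp from any to ${ip} in via tun0",
    "deny log all from any to any",
]

# Tightened variant (assumption: RESOLVER is the only DNS server this host queries).
# The NTP reply rule would be narrowed the same way to the configured time server.
TIGHTENED_RULES = [
    f"pass udp from {RESOLVER} 53 to ${{ip}} in via tun0"
    if r.startswith("pass udp from any 53") else r
    for r in ORIGINAL_RULES
]

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str                  # "in" or "out"
    via: str                        # interface the packet crosses
    tcp: frozenset = frozenset()    # "setup" (SYN w/o ACK) and/or "established" (ACK/RST)

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    direction: Optional[str]
    via: Optional[str]
    tcp: frozenset

KEYWORDS = {"in", "out", "via", "setup", "established"}

def _net(spec: str) -> Optional[ipaddress.IPv4Network]:
    """ipfw address spec: 'any', a bare host address, or 'net:mask'."""
    if spec == "any":
        return None
    if ":" in spec:
        addr, mask = spec.split(":", 1)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(f"{spec}/32")

def parse_rule(text: str) -> Rule:
    """Parse the ipfw rule subset used in the script into a Rule."""
    toks = text.split()
    action = toks.pop(0)
    if toks[0] == "log":                      # logging does not change the verdict
        toks.pop(0)
    proto = toks.pop(0)
    if toks.pop(0) != "from":
        raise ValueError(text)
    src = toks.pop(0)
    sport = int(toks.pop(0)) if toks[0] != "to" else None
    if toks.pop(0) != "to":
        raise ValueError(text)
    dst = toks.pop(0)
    dport = int(toks.pop(0)) if toks and toks[0] not in KEYWORDS else None
    direction = via = None
    tcp = set()
    while toks:
        tok = toks.pop(0)
        if tok in ("in", "out"):
            direction = tok
        elif tok == "via":
            via = toks.pop(0)
        elif tok in ("setup", "established"):
            tcp.add(tok)
        else:
            raise ValueError(f"unsupported token {tok!r} in {text!r}")
    return Rule(action, proto, _net(src), sport, _net(dst), dport, direction, via, frozenset(tcp))

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field a rule specifies must hold on the packet; unspecified fields are wildcards."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and rule.via != pkt.via:
        return False
    return rule.tcp <= pkt.tcp

def build(rule_texts, ip=MY_IP):
    """Substitute ${ip} as the shell script does, then parse every rule."""
    return [parse_rule(t.replace("${ip}", ip)) for t in rule_texts]

def verdict(rules, pkt: Packet):
    """First-match walk like the kernel's: returns (1-based rule number, action)."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return number, rule.action
    raise RuntimeError("no rule matched; the list is meant to end in a deny")

if __name__ == "__main__":
    # Constructed probe: UDP from an arbitrary host, source port 53, to an arbitrary local port.
    probe = Packet("udp", "198.51.100.7", 53, MY_IP, 31337, "in", EXTERN)
    print("original :", verdict(build(ORIGINAL_RULES), probe))    # rule 16 passes it
    print("tightened:", verdict(build(TIGHTENED_RULES), probe))   # falls through to the final deny
```

Running it prints the rule number each packet stops at, which is what `ipfw -at list` counters would show in the kernel: the probe with source port 53 stops at the DNS reply rule in the original list and at the final deny in the tightened one, while a real reply from RESOLVER still passes. The same walk explains the author's "sendto: Permission denied": that errno is what the kernel returns to the sending socket when an outbound packet stops at a deny rule, so the rule number reported by the counters is the place to start.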