Date: Thu, 20 Dec 2007 01:59:17 -0800 (PST)
From: Nash Nipples <trashy_bumper@yahoo.com>
To: freebsd-security@freebsd.org
Subject: Re: IPFW: Blocking me out. How to debug?
Message-ID: <921476.70553.qm@web36312.mail.mud.yahoo.com>
Dear W.D.
Do you understand that by adding the rules into kernel space numbered from zero to sixty five thousand five hundred thirty four
you may alter the behavior of the rule number sixty five thousand five hundred thirty five.
Can you please define and list the goals you are trying to achieve by altering the default rule, in terms you can both explain and understand.

----- Original Message ----
From: W. D. <WD@US-Webmasters.com>
To: freebsd-security@freebsd.org
Cc: Tuomo Latto <djv@iki.fi>
Sent: Thursday, December 20, 2007 8:39:16 AM
Subject: Re: IPFW: Blocking me out. How to debug?


At 03:49 12/17/2007, Tuomo Latto wrote:
>W. D. wrote:
>> How do I tell which rule is blocking me out? SSH *is* working,
>> but others are not.
>
>It all depends on what you mean by "blocking you out" and "others".
>
>
>Did you try *reading* your fw config?
>
>> # Loopback:
>> # Allow anything on the local loopback:
>> add allow all from any to any via lo0
>> add deny ip from any to 127.0.0.0/8
>> add deny ip from 127.0.0.0/8 to any
>Nope.
>> # Allow established connections:
>> add allow tcp from any to any established
>Nope.
>> # Deny fragmented packets:
>> add deny ip from any to any frag
>Nope.
>> # Show pings:
>> add count icmp from any to any icmptypes 8 in
>Nope.
>> # Allow pings, ping replies, and host unreach:
>> add allow icmp from any to any icmptypes 0,8,3
>Nope.
>> # Allow UDP traceroutes:
>> add allow udp from any to any 33434-34458 in
>> add allow udp from any 33434-34458 to any out
>Nope.
>> # Allow DNS with name server
>> add allow udp from any to any domain out
>> add allow udp from any domain to any in
>Nope.
>> # SSH
>> # Note that /etc/hosts.allow has restrictions
>> # on which IP addresses are allowed.
>> #
>> # Allow SSH:
>> add allow tcp from any to any ssh in setup
>Nope, but this explains SSH working.
>> # HTTP & HTTPS:
>> add allow tcp from any to any https in setup
>> add allow tcp from any to any http in setup
>Nope.
>> # Mail: SMTP & IMAP:
>> add allow tcp from any to any smtp in setup
>> add allow tcp from any to any imap in setup
>Nope.
>> # FTP:
>> add allow tcp from any to any ftp in setup
>> add allow tcp from any to any ftp\-data in setup
>> add allow tcp from any ftp\-data to any setup out
>Nope.
>> # Allow NTP in and out
>> add allow udp from any ntp to 128.252.19.1 ntp out
>> add allow udp from 128.252.19.1 ntp to any ntp in
>Nope.
>> # Deny and log everything else:
>> add deny log all from any to any
>Bingo!
>
>
>"ipfw -a list" may also help (packet counts).

I've been banging my head against this for the past few
days. I don't get it.

My understanding of the way this is supposed to work is
that:

 # HTTP & HTTPS:
 add allow tcp from any to any https in setup
 add allow tcp from any to any http in setup

should let initial HTTP & HTTPS requests through,
and that:

That's correct! But you also probably would like the firewall to create a dynamic rule upon match,
so the keep-state option is required.


 # Allow established connections:
 add allow tcp from any to any established

Very interesting.


should allow connections that are "setup" to
continue. Do I need a "check-state" or "keep-state"
statement somewhere?

check-state should be applied to incoming packets only, not the dynamically added ones.


I don't understand what is wrong with the last rule:

 # Deny and log everything else:
 add deny log all from any to any

It may lead to console lockup, and there is no other way to log in until you have physical access to the console.


My understanding is that anything that doesn't match
the previous rules will match this one and hence
be logged and denied. Is this not correct?

Yes, this is very correct. What is recommended is adding a temporary rule
that will allow everything prior to denying everything, so you can see in the log files what it is literally allowing.
Maybe your own log files will tell you more than mine; cat /var/log/security for details.
But after all it's only a filtering facility; don't expect there are some overframed packets marching on the wires and seeking their way in.


Again, I am having a great deal of difficulty
understanding why these rules don't work as expected.
I've scoured the 'Net and printed out just about
every coherent ruleset out there.

This is true to me as well. Nothing ever works as expected. It only malfunctions when least expected. A good ruleset for starters with little expectations is the one you can read in the handbook. I can't wait for you to start quoting its firewall section: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html


Besides adding the "log" keyword on all of the rules,
these are the debugging tools I have been using:

 ipfw disable firewall
 ipfw -f flush
 ipfw enable firewall
 /etc/rc.d/ipfw start
 ipfw -a -S -N -t list
 ipfw list
 tail -f /var/log/ipfw/ipfw.log
 tcpdump -i nve0 'proto \tcp && port http'

Maybe that is your way, but not the syslogd way. tail /var/log/security or less.


Could anyone please throw this tired dog a bone?

To be honest it's quite difficult to read someone else's code, but if you define the goals you are trying to achieve...

For example, what is this?
>> add deny ip from any to 127.0.0.0/8
>> add deny ip from 127.0.0.0/8 to any
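An added example, not code from this thread: a small Python lint pass over an ipfw rule list that flags the points raised in the replies above (keep-state without a check-state rule, a setup rule with neither keep-state nor an established rule, a temporary allow-all left in front of the catch-all, and a catch-all deny without log). Both rule lists inside are constructed; the first abridges the ruleset quoted in the thread.

```python
# Added example (not from the thread): lint an ipfw rule list for the state/ordering problems discussed above.

THREAD_RULES = """\
add allow all from any to any via lo0
add allow tcp from any to any established
add allow tcp from any to any ssh in setup
add allow tcp from any to any http in setup
add deny log all from any to any
"""  # abridged from the thread's ruleset: stateless, relies on 'established' for replies

BROKEN_RULES = """\
add allow all from any to any via lo0
add allow tcp from any to any ssh in setup keep-state
add allow tcp from any to any http in setup
add allow ip from any to any
add deny all from any to any
"""  # constructed: no check-state, a debugging allow-all left in, and a silent catch-all deny

def parse_rules(text):
    """Return one token list per 'add ...' line; comments, blanks and rule numbers are dropped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        while tokens and (tokens[0] == "add" or tokens[0].isdigit()):
            tokens = tokens[1:]  # drop the 'add' verb and any explicit rule number
        if tokens:
            rules.append(tokens)
    return rules

def is_catch_all(tokens):
    """True for '<action> [log] ip|all from any to any' with no further qualifiers."""
    body = [t for t in tokens if t != "log"]
    return len(body) == 6 and body[1] in ("ip", "all") and body[2:] == ["from", "any", "to", "any"]

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    rules = parse_rules(text)
    findings = []
    if any("keep-state" in r for r in rules) and not any(r[0] == "check-state" for r in rules):
        findings.append("keep-state without check-state: dynamic rules only checked from the first keep-state rule")
    has_established = any("established" in r for r in rules)
    for i, r in enumerate(rules, 1):
        if "setup" in r and "keep-state" not in r and not has_established:
            findings.append(f"rule {i}: 'setup' with neither keep-state nor an 'established' rule; replies will be denied")
        if r[0] == "allow" and is_catch_all(r) and i < len(rules):
            findings.append(f"rule {i}: allow-all shadows {len(rules) - i} later rule(s); debugging rule left in?")
    if rules and rules[-1][0] == "deny" and is_catch_all(rules[-1]) and "log" not in rules[-1]:
        findings.append("final catch-all deny lacks 'log'; dropped packets will not be logged")
    return findings
```

Running lint(BROKEN_RULES) reports four findings, while the thread's abridged ruleset passes clean because its 'established' rule covers the replies.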