Date:      Thu, 20 Dec 2007 01:59:17 -0800 (PST)
From:      Nash Nipples <trashy_bumper@yahoo.com>
To:        freebsd-security@freebsd.org
Subject:   Re: IPFW: Blocking me out.  How to debug?
Message-ID:  <921476.70553.qm@web36312.mail.mud.yahoo.com>

Dear W.D.

Do you understand that by adding rules into kernel space numbered from zero to sixty five thousand five hundred thirty four you may alter the behavior of rule number sixty five thousand five hundred thirty five? Can you please define and list the goals you are trying to achieve by altering the default rule, in terms you can both explain and understand.

----- Original Message ----
From: W. D. <WD@US-Webmasters.com>
To: freebsd-security@freebsd.org
Cc: Tuomo Latto <djv@iki.fi>
Sent: Thursday, December 20, 2007 8:39:16 AM
Subject: Re: IPFW: Blocking me out..  How to debug?


At 03:49 12/17/2007, Tuomo Latto wrote:
>W. D. wrote:
>> How do I tell which rule is blocking me out?  SSH *is* working,
>> but others are not.
>
>It all depends on what you mean by "blocking you out" and "others".
>
>
>Did you try *reading* your fw config?
>
>>         # Loopback:
>>         # Allow anything on the local loopback:
>>         add allow all from any to any via lo0
>>         add deny ip from any to 127.0.0.0/8
>>         add deny ip from 127.0.0.0/8 to any
>Nope.
>>         # Allow established connections:
>>         add allow tcp from any to any established
>Nope.
>>         # Deny fragmented packets:
>>         add deny ip from any to any frag
>Nope.
>>         # Show pings:
>>         add count icmp from any to any icmptypes 8 in
>Nope.
>>         # Allow pings, ping replies, and host unreach:
>>         add allow icmp from any to any icmptypes 0,8,3
>Nope.
>>         # Allow UDP traceroutes:
>>         add allow udp from any to any 33434-34458 in
>>         add allow udp from any 33434-34458 to any out
>Nope.
>>         # Allow DNS with name server
>>         add allow udp from any to any domain out
>>         add allow udp from any domain to any in
>Nope.
>>         # SSH
>>         #  Note that /etc/hosts.allow has restrictions
>>         #  on which IP addresses are allowed.
>>         #
>>         # Allow SSH:
>>         add allow tcp from any to any ssh in setup
>Nope, but this explains SSH working.
>>         # HTTP & HTTPS:
>>         add allow tcp from any to any https in setup
>>         add allow tcp from any to any http in setup
>Nope.
>>         # Mail: SMTP & IMAP:
>>         add allow tcp from any to any smtp in setup
>>         add allow tcp from any to any imap in setup
>Nope.
>>         # FTP:
>>         add allow tcp from any to any ftp in setup
>>         add allow tcp from any to any ftp\-data in setup
>>         add allow tcp from any ftp\-data to any setup out
>Nope.
>>         # Allow NTP in and out
>>         add allow udp from any ntp to 128.252.19.1 ntp out
>>         add allow udp from 128.252.19.1 ntp to any ntp in
>Nope.
>>         # Deny and log everything else:
>>         add deny log all from any to any
>Bingo!
>
>
>"ipfw -a list" may also help (packet counts).

I've been banging my head against this for the past few
days.  I don't get it.

My understanding of the way this is supposed to work is
that:

  # HTTP & HTTPS:
  add allow tcp from any to any https in setup
  add allow tcp from any to any http in setup

should let initial HTTP & HTTPS requests through,
and that:

That's correct! But you also probably would like the firewall to create a dynamic rule upon match,
so the keep-state option is required.


  # Allow established connections:
  add allow tcp from any to any established

Very interesting.


should allow connections that are "setup" to
continue.  Do I need a "check-state" or "keep-state"
statement somewhere?

check-state should be applied to incoming packets only, not the dynamically added ones.


I don't understand what is wrong with the last rule:

  # Deny and log everything else:
  add deny log all from any to any

It may lead to console lockup, and there is no other way to log in until you have physical access to the console.


My understanding is that anything that doesn't match
the previous rules will match this one and hence
be logged and denied.  Is this not correct?

Yes, this is very correct. What is recommended is adding a temporary rule
that will allow everything prior to denying everything, so you can see in the log files what it is literally allowing.
Maybe your own log files will tell you more than mine; cat /var/log/security for details.
But after all it's only a filtering facility; don't expect there are some overframed packets marching on the wires and seeking their way in.


Again, I am having a great deal of difficulty
understanding why these rules don't work as expected.
I've scoured the 'Net and printed out just about
every coherent ruleset out there.

This is true for me as well. Nothing ever works as expected; it only malfunctions when least expected. A good ruleset for starters with little expectations is the one you can read in the handbook. I can't wait for you to start quoting its firewall section http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html


Besides adding the "log" keyword on all of the rules,
these are the debugging tools I have been using:

  ipfw disable firewall
  ipfw -f flush
  ipfw enable firewall
  /etc/rc.d/ipfw start
  ipfw -a -S -N -t list
  ipfw list
  tail -f /var/log/ipfw/ipfw.log
  tcpdump -i nve0 'proto \tcp && port http'

Maybe that is your way, but not the syslogd way. tail /var/log/security or less.


Could anyone please throw this tired dog a bone?

To be honest it's quite difficult to read someone else's code, but if you define the goals you are trying to achieve ...

For example, what is this?
>>         add deny ip from any to 127.0.0.0/8
>>         add deny ip from 127.0.0.0/8 to any
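As an added example (not code from the thread or from W.D.'s ruleset), the script below emits a stateful version of the services W.D. lists, with the check-state rule placed before the keep-state rules that Nash points at, an optional allow-and-log rule in front of the final deny for the debugging Nash recommends, and a timer that disables the firewall again unless cancelled, so a bad ruleset cannot lock the admin out of SSH. It assumes FreeBSD ipfw(8), the outside interface nve0 from W.D.'s tcpdump line, and the NTP server from his ruleset; the guard pid file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD ipfw(8); IF and NTP
# default to the values quoted in the thread (nve0, 128.252.19.1).
IF="${IF:-nve0}"
NTP="${NTP:-128.252.19.1}"
GUARD="${GUARD:-180}"                 # seconds until the guard disables ipfw
PIDFILE="${PIDFILE:-/var/run/ipfw-guard.pid}"   # assumed path

# Print the ruleset as text so it can be reviewed before loading.
# check-state (rule 200) must precede the keep-state rules: a data packet of
# an existing flow is not a "setup" packet and only matches via the dynamic
# rule that check-state consults. Port 21 alone does not cover FTP data.
gen_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 check-state
add 210 deny ip from any to any frag
add 300 allow icmp from any to any icmptypes 0,3,8
add 400 allow udp from me to any 53 out via $IF keep-state
add 410 allow udp from me to $NTP 123 out via $IF keep-state
add 500 allow tcp from any to me 22,80,443,25,143,21 in via $IF setup keep-state
add 510 allow tcp from me to any out via $IF setup keep-state
EOF
    # "debug": Nash's temporary allow-everything rule, logged, just before
    # the deny, so /var/log/security shows what the deny would have dropped.
    if [ "$1" = debug ]; then
        echo "add 64000 allow log ip from any to any"
    fi
    echo "add 65000 deny log ip from any to any"
}

# Flush and load the ruleset, then start a guard that disables the firewall
# after $GUARD seconds. Open a NEW ssh session; if it works, cancel the guard
# with: kill "$(cat $PIDFILE)". If it does not, wait and the box comes back.
apply_rules() {
    ipfw -q -f flush                  # only the default rule remains briefly
    gen_rules "$1" | ipfw -q /dev/stdin
    ( sleep "$GUARD"; ipfw -q disable firewall ) &
    echo "$!" > "$PIDFILE"
    echo "guard $! disables the firewall in $GUARD s unless killed"
}

case "${1:-}" in
    show)  gen_rules "${2:-}" ;;      # ./ipfw-stateful.sh show [debug]
    apply) apply_rules "${2:-}" ;;    # ./ipfw-stateful.sh apply [debug]
esac
```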