Date:      Thu, 20 Dec 2007 12:38:12 +0200
From:      Tuomo Latto <djv@iki.fi>
To:        freebsd-security@freebsd.org
Subject:   Re: IPFW: Blocking me out.  How to debug?
Message-ID:  <476A4614.9000106@iki.fi>
In-Reply-To: <200712200639.lBK6dQnw002982@seuraava.iki.fi>
References:  <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org> <20071217065144.83F6013C447@mx1.freebsd.org> <47664621.50909@iki.fi> <200712200639.lBK6dQnw002982@seuraava.iki.fi>

W. D. wrote:
> At 03:49 12/17/2007, Tuomo Latto wrote:
>> W. D. wrote:
>>> How do I tell which rule is blocking me out?  SSH *is* working,
>>> but others are not.
>> It all depends on what you mean by "blocking you out" and "others".
> 
> I've been banging my head against this for the past few
> days.  I don't get it.

To be fair, you never actually said what exactly your problem is
or what it is you are trying to achieve.
That makes it very difficult to help.

> My understanding of the way this is supposed to work is
> that:
> 
>   # HTTP & HTTPS:
>   add allow tcp from any to any https in setup
>   add allow tcp from any to any http in setup
> 
> should let initial HTTP & HTTPS requests through,

Yes, *into* your box. On to the lap of a listening server there.


> and that:
> 
>  # Allow established connections:
>  add allow tcp from any to any established
> 
> should allow connections that are "setup" to 
> continue.  Do I need a "check-state" or "keep-state"
> statement somewhere?

Not for TCP. TCP state can be deduced from the status bits in packets.
The TCP stack will take care of any false "established" packets.

"setup   Matches TCP packets that have the SYN bit set but no ACK bit.
         This is the short form of ``tcpflags syn,!ack''."


> I don't understand what is wrong with the last rule:
> 
>   # Deny and log everything else:
>   add deny log all from any to any
> 
> My understanding is that anything that doesn't match
> the previous rules will match this one and hence
> be logged and denied.  Is this not correct?

Yes. It blocks everything else.
There is nothing wrong with it.
See /var/log/security for logged packets.

The problem is that the allow rules are not working as you would expect.
You could see if dropping out the "in setup" in HTTP/HTTPS rules makes any
difference. But seriously, I don't know what you are *trying* to do,
I only see what you are *doing*, so it is difficult to say anything.

Just so you know, I'm hardly an expert myself.


-- 
Tuomo

... When in doubt, mumble..



