From: Tuomo Latto <djv@iki.fi>
To: freebsd-security@freebsd.org
Date: Thu, 20 Dec 2007 12:38:12 +0200
Subject: Re: IPFW: Blocking me out. How to debug?
Message-ID: <476A4614.9000106@iki.fi>
In-Reply-To: <200712200639.lBK6dQnw002982@seuraava.iki.fi>
References: <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org> <20071217065144.83F6013C447@mx1.freebsd.org> <47664621.50909@iki.fi> <200712200639.lBK6dQnw002982@seuraava.iki.fi>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

W. D. wrote:
> At 03:49 12/17/2007, Tuomo Latto wrote:
>> W. D. wrote:
>>> How do I tell which rule is blocking me out? SSH *is* working,
>>> but others are not.
>> It all depends on what you mean by "blocking you out" and "others".
>
> I've been banging my head against this for the past few
> days. I don't get it.

To be fair, you never actually said what exactly your problem is or
what it is you are trying to achieve. That makes it very difficult to help.

> My understanding of the way this is supposed to work is
> that:
>
> # HTTP & HTTPS:
> add allow tcp from any to any https in setup
> add allow tcp from any to any http in setup
>
> should let initial HTTP & HTTPS requests through,

Yes, *into* your box. On to the lap of a listening server there.

> and that:
>
> # Allow established connections:
> add allow tcp from any to any established
>
> should allow connections that are "setup" to
> continue. Do I need a "check-state" or "keep-state"
> statement somewhere?

Not for TCP. TCP state can be deduced from the status bits in packets.
The TCP stack will take care of any false "established" packets.

"setup
     Matches TCP packets that have the SYN bit set but no ACK bit.
     This is the short form of ``tcpflags syn,!ack''."

> I don't understand what is wrong with the last rule:
>
> # Deny and log everything else:
> add deny log all from any to any
>
> My understanding is that anything that doesn't match
> the previous rules will match this one and hence
> be logged and denied. Is this not correct?

Yes. It blocks everything else. There is nothing wrong with it.
See /var/log/security for logged packets.

The problem is that the allow rules are not working as you would expect.
You could see if dropping out the "in setup" in HTTP/HTTPS rules makes
any difference.

But seriously, I don't know what you are *trying* to do, I only see what
you are *doing*, so it is difficult to say anything.

Just so you know, I'm hardly an expert myself.

-- 
Tuomo

... When in doubt, mumble..
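An added illustration of how ipfw walks the ruleset quoted above, not code from the thread or from ipfw itself: a small Python model that implements only the keywords the ruleset uses ("in", "setup", "established") with the semantics given in ipfw(8), and reports which rule number each constructed packet hits, which is the same number the deny-log line in /var/log/security and the counters from `ipfw -a list` would show. The rule numbers and the sample packets are constructed for the example; it also goes one step past the thread by including an outbound SYN and a UDP packet, which this ruleset sends to the final deny rule.

```python
# Toy model of ipfw first-match evaluation for the ruleset quoted in the
# thread. Only the criteria those rules use are modelled: protocol,
# destination port, direction ("in"), "setup" (SYN set, ACK clear) and
# "established" (ACK or RST set). Rule numbers are constructed.
RULES = [
    (100, "allow", dict(proto="tcp", dport=443, direction="in", tcp="setup")),
    (200, "allow", dict(proto="tcp", dport=80, direction="in", tcp="setup")),
    (300, "allow", dict(proto="tcp", tcp="established")),
    (65000, "deny log", {}),  # "add deny log all from any to any"
]


def rule_matches(spec, pkt):
    """True if every criterion in the rule spec fits the packet."""
    if "proto" in spec and spec["proto"] != pkt["proto"]:
        return False
    if "dport" in spec and spec["dport"] != pkt.get("dport"):
        return False
    if "direction" in spec and spec["direction"] != pkt["direction"]:
        return False
    flags = pkt.get("flags", set())
    if spec.get("tcp") == "setup" and not ("syn" in flags and "ack" not in flags):
        return False
    if spec.get("tcp") == "established" and not (flags & {"ack", "rst"}):
        return False
    return True


def first_match(pkt, rules=RULES):
    """Walk the rules in order; the first match decides, as in ipfw."""
    for num, action, spec in rules:
        if rule_matches(spec, pkt):
            return num, action
    raise RuntimeError("ipfw always ends in a default rule; none given")


# Constructed sample packets seen by the firewall host.
SAMPLE = {
    "inbound SYN to https":       dict(proto="tcp", dport=443, direction="in", flags={"syn"}),
    "inbound SYN+ACK to https":   dict(proto="tcp", dport=443, direction="in", flags={"syn", "ack"}),
    "inbound ACK, open session":  dict(proto="tcp", dport=443, direction="in", flags={"ack"}),
    "inbound SYN to smtp":        dict(proto="tcp", dport=25, direction="in", flags={"syn"}),
    "outbound SYN to a web site": dict(proto="tcp", dport=80, direction="out", flags={"syn"}),
    "outbound DNS query (udp)":   dict(proto="udp", dport=53, direction="out"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        num, action = first_match(pkt)
        print(f"{name:28s} -> rule {num:5d} {action}")
```

Every packet that lands on rule 65000 is one the log would show, so running your own traffic through this table is a quick way to see why, for example, connections the box initiates never match an "in setup" rule.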