From owner-freebsd-security@FreeBSD.ORG Mon Dec 17 10:05:02 2007
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8024316A417; Mon, 17 Dec 2007 10:05:02 +0000 (UTC) (envelope-from djv@iki.fi)
Received: from gw03.mail.saunalahti.fi (gw03.mail.saunalahti.fi [195.197.172.111]) by mx1.freebsd.org (Postfix) with ESMTP id 20B8413C45A; Mon, 17 Dec 2007 10:05:02 +0000 (UTC) (envelope-from djv@iki.fi)
Received: from [192.168.1.5] (a91-153-148-73.elisa-laajakaista.fi [91.153.148.73]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gw03.mail.saunalahti.fi (Postfix) with ESMTP id 5E08A216A3E; Mon, 17 Dec 2007 11:49:24 +0200 (EET)
Message-ID: <47664621.50909@iki.fi>
Date: Mon, 17 Dec 2007 11:49:21 +0200
From: Tuomo Latto
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071031 Thunderbird/2.0.0.9 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org> <20071217065144.83F6013C447@mx1.freebsd.org>
In-Reply-To: <20071217065144.83F6013C447@mx1.freebsd.org>
X-Enigmail-Version: 0.95.5
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Subject: Re: IPFW: Blocking me out. How to debug?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Mon, 17 Dec 2007 10:05:02 -0000

W. D. wrote:
> How do I tell which rule is blocking me out? SSH *is* working,
> but others are not.

It all depends on what you mean by "blocking you out" and "others".
Did you try *reading* your fw config?
> # Loopback:
> # Allow anything on the local loopback:
> add allow all from any to any via lo0
> add deny ip from any to 127.0.0.0/8
> add deny ip from 127.0.0.0/8 to any

Nope.

> # Allow established connections:
> add allow tcp from any to any established

Nope.

> # Deny fragmented packets:
> add deny ip from any to any frag

Nope.

> # Show pings:
> add count icmp from any to any icmptypes 8 in

Nope.

> # Allow pings, ping replies, and host unreach:
> add allow icmp from any to any icmptypes 0,8,3

Nope.

> # Allow UDP traceroutes:
> add allow udp from any to any 33434-34458 in
> add allow udp from any 33434-34458 to any out

Nope.

> # Allow DNS with name server
> add allow udp from any to any domain out
> add allow udp from any domain to any in

Nope.

> # SSH
> # Note that /etc/hosts.allow has restrictions
> # on which IP addresses are allowed.
> #
> # Allow SSH:
> add allow tcp from any to any ssh in setup

Nope, but this explains SSH working.

> # HTTP & HTTPS:
> add allow tcp from any to any https in setup
> add allow tcp from any to any http in setup

Nope.

> # Mail: SMTP & IMAP:
> add allow tcp from any to any smtp in setup
> add allow tcp from any to any imap in setup

Nope.

> # FTP:
> add allow tcp from any to any ftp in setup
> add allow tcp from any to any ftp\-data in setup
> add allow tcp from any ftp\-data to any setup out

Nope.

> # Allow NTP in and out
> add allow udp from any ntp to 128.252.19.1 ntp out
> add allow udp from 128.252.19.1 ntp to any ntp in

Nope.

> # Deny and log everything else:
> add deny log all from any to any

Bingo!

"ipfw -a list" may also help (packet counts).

> In the kernel config file, is a limit of 10 too small?

You tell us.
http://www.defcon1.org/html/NATD-config/firewall-setup/ipfw-2.html

-- 
Tuomo

... She's dead, Jim. Should we bury her or have some fun?
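Added example, not code from Tuomo's message or from the FreeBSD project: the reply points at the catch-all "deny log all" rule and at "ipfw -a list" counters. The other half of that debugging step is the log the "log" keyword produces (on FreeBSD it lands in /var/log/security), and the script below summarizes such lines by rule number, protocol, destination port and direction so the service that fell through to the catch-all is visible at a glance. The log lines are constructed in the format ipfw writes; the hostname, interface and addresses are illustrative. Note the case the constructed data includes: in the posted rule set no rule allows an outbound TCP "setup" packet except the ftp-data one, so a connection this host itself opens to a remote SMTP server on port 25 is denied by the last rule, and that is exactly the kind of thing the summary shows. Keep in mind that the kernel's IPFIREWALL_VERBOSE_LIMIT (sysctl net.inet.ip.fw.verbose_limit) caps how many packets each rule logs; "ipfw resetlog" clears the counters so logging resumes.

```shell
#!/bin/sh
# Summarize ipfw "Deny" log lines by rule, protocol, destination port, direction.
# Added example, not part of the original thread. Reads syslog-format lines on
# stdin and prints "<count> <rule> <proto> <dport> <in|out>", most frequent first.

summarize_ipfw_denies() {
    awk '
    {
        # Locate the "ipfw:" token; the syslog prefix before it varies by host.
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF || $(i+2) != "Deny") next
        rule  = $(i+1)
        proto = $(i+3)          # "TCP", "UDP" or "ICMP:type.code"
        dst   = $(i+5)          # "addr:port" for TCP/UDP, bare "addr" for ICMP
        dir   = $(i+6)          # "in" or "out"
        n = split(dst, parts, ":")
        port = (n > 1) ? parts[n] : "-"
        key = rule " " proto " " port " " dir
        count[key]++
    }
    END {
        for (k in count) print count[k], k
    }' | sort -rn
}

# Constructed sample, in the format ipfw writes to /var/log/security.
# Hostname "gw", interface em0 and the documentation-range addresses are assumptions.
SAMPLE_LOG='Dec 17 11:49:21 gw kernel: ipfw: 65000 Deny TCP 198.51.100.7:51234 192.0.2.10:80 in via em0
Dec 17 11:49:22 gw kernel: ipfw: 65000 Deny TCP 198.51.100.7:51235 192.0.2.10:80 in via em0
Dec 17 11:49:23 gw kernel: ipfw: 65000 Deny TCP 192.0.2.10:49152 198.51.100.25:25 out via em0
Dec 17 11:49:24 gw kernel: ipfw: 65000 Deny ICMP:3.3 198.51.100.7 192.0.2.10 in via em0
Dec 17 11:49:25 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:51236 192.0.2.10:22 in via em0'

# Most frequently denied (rule, proto, port, direction) tuple in the sample.
top_denied() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_ipfw_denies | head -n 1
}

# Number of distinct denied tuples in the sample (the Accept line is ignored).
denied_tuple_count() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_ipfw_denies | wc -l | tr -d ' '
}

top_denied
```

On a live box replace the sample with `grep 'ipfw:' /var/log/security | summarize_ipfw_denies`; a tuple such as "65000 TCP 25 out" names both the rule that fired and the traffic that no earlier rule accepted.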