From: Redmond Militante
To: Dan Pelleg
Cc: freebsd-questions@freebsd.org
Date: Mon, 21 Oct 2002 20:46:31 -0500 (CDT)
Subject: Re: need help with ipfw rules
Message-ID: <20021022014631.GA477@darkpossum>
In-Reply-To: <15796.42740.862970.400286@gs166.sp.cs.cmu.edu>
User-Agent: Mutt/1.4i
hi, thanks for responding

On Mon, Oct 21, 2002 at 09:16:36PM -0400, Dan Pelleg expatiated with great perspicuity:
>
> > hi all
> >
> > my apologies, this could get long as i'm including the text of various
> > config files:
> >
> > i've been trying to learn ipfw. i've recompiled a kernel with the
> > following options
>
>
> > ipfw add allow ip from any to any

typo

> Do you really want to allow everything in, or is this just a typo?
> If this rule is really in effect, the rest of the rules are
> not doing anything.
>
> > ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
>
> I'm assuming "vua" is a typo - should be "via".

typo again

> > ipfw add allow udp from any to any 53
> > ipfw add check-state
>
> You're not letting DNS replies come back. You are allowing the queries
> to go *out*, but when the remote server's reply packets hit the firewall
> they have port 53 on the *source* address, not on the destination.
> So they don't match that rule anymore and are discarded.
>
> What you probably want instead is:
> ipfw add allow udp from any to any 53 keep-state

I changed this line. Boots up fine. Webserver, ssh, nfs, mail, etc. work.
There's only one problem I noticed right off the bat - it looks like ftp
users can authenticate fine, but when their ftp client tries to bring up a
list of files in their ftp directories, it hangs at 'getting file list...'.

Any ideas on how to fix?

thanks
redmond

> Another point: you're not using the "divert" rule for natd,
> and I see you have NAT enabled in your rc.conf. This is likely to
> be a problem later (well, you'll just not have NAT).
>
> A very good resource for this is /etc/rc.firewall. Just try
> to follow what the "CLIENT", "SIMPLE" and "OPEN" targets
> do, or even let them run, then output the generated ruleset
> and use it as the skeleton of your own ruleset.
>
> Another useful debugging tool is "ipfw show" - typed repeatedly to watch
> which counters increased and so to know which rules were hit.
> Once you get into stateful filtering, you'll want "ipfw -d show".
>
> Having said that, good ol' tcpdump is always handy to have around.
> Just fire up "tcpdump -ni XXX" with XXX for your external interface
> and see what's going out and what's coming in. Once you start
> firewalling for a network, a "tcpdump -ni III" with III being
> the internal interface becomes useful as well, either in itself
> or in addition to the external-watching tcpdump.
>
> --
> Dan Pelleg
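The following is an added illustration of the DNS point Dan raises in the quoted message; it is example code written for this page, not anything posted in the thread and not ipfw's own code. It is a toy model of ipfw's evaluation of static rules, `check-state` and `keep-state` (the "first check dynamic rules at a check-state or keep-state rule" behaviour is taken from ipfw(8); address matching, `via`, and everything else are simplified). The addresses and ports are constructed sample values, not hosts from the thread. It shows the reply to a DNS query being dropped by `allow udp from any to any 53`, the same reply being accepted once `keep-state` is added, and an unsolicited packet with source port 53 still being dropped, which is why `keep-state` is the right fix rather than opening source port 53 inbound.

```python
"""Toy model of ipfw rule evaluation (constructed example, not ipfw code).

Models just enough of ipfw to show why
    allow udp from any to any 53
lets a DNS query out but drops the reply, while
    allow udp from any to any 53 keep-state
together with a check-state rule lets the reply back in.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "any"          # ipfw "<proto>", "any" matches all
    src: str = "any"            # ipfw "from <addr>", "any" matches all
    dst: str = "any"            # ipfw "to <addr>", "any" matches all
    dport: Optional[int] = None # ipfw "to <addr> <port>"; None = any port
    keep_state: bool = False    # ipfw "keep-state" option

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # Dynamic rules created by keep-state, keyed by a direction-agnostic
        # flow key so the reply (ports swapped) matches the same entry.
        self.dynamic: Set[Tuple] = set()

    @staticmethod
    def _flow_key(pkt: Packet) -> Tuple:
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def filter(self, pkt: Packet) -> str:
        key = self._flow_key(pkt)
        for rule in self.rules:
            # ipfw consults the dynamic rules at a check-state rule and at
            # any rule carrying keep-state, before the static match.
            if rule.action == "check-state" or rule.keep_state:
                if key in self.dynamic:
                    return "allow"
            if rule.action == "check-state":
                continue
            if rule.matches(pkt):
                if rule.keep_state:
                    self.dynamic.add(key)
                return rule.action
        return "deny"   # ipfw's default rule 65535: deny ip from any to any


def dns_exchange(stateful: bool) -> Tuple[str, str, str]:
    """Return the verdicts for (outgoing query, its reply, unsolicited pkt)."""
    rules = [
        Rule("check-state"),
        Rule("allow", proto="udp", dport=53, keep_state=stateful),
    ]
    fw = Firewall(rules)
    # Constructed sample addresses (RFC 5737 documentation ranges).
    client, resolver, stranger = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    query = Packet("udp", client, 40123, resolver, 53)
    reply = Packet("udp", resolver, 53, client, 40123)
    # Someone who merely set their source port to 53 must still be dropped.
    unsolicited = Packet("udp", stranger, 53, client, 40123)
    return fw.filter(query), fw.filter(reply), fw.filter(unsolicited)


if __name__ == "__main__":
    print("without keep-state:", dns_exchange(False))
    print("with keep-state:   ", dns_exchange(True))
```

Without `keep-state` the query is allowed and the reply denied, which is exactly the "allowing the queries to go out but not the replies back" symptom described above. With `keep-state` the reply is allowed because it matches the dynamic rule created by the query, while the unsolicited packet from a third host with source port 53 is still denied; a blanket `allow udp from any 53 to any` would have accepted that packet too. In a real ruleset, `ipfw -d show` lists the dynamic rules this model keeps in `self.dynamic`.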