Date: Fri, 06 Dec 2002 09:15:44 -0500 From: Steve Bertrand <iaccounts@northnetworks.ca> To: freebsd-questions@freebsd.org Subject: Re: ipfw firewall help Message-ID: <3DF0B110.7080102@northnetworks.ca> References: <Pine.LNX.4.05.10212052001530.7627-100000@yoda.fdt.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Easiest way I have found to troubleshoot rule problems is to turn on
logging for your deny rules and find out what rule is blocking the
traffic. Just add the 'log' or 'log logamount nn' (where nn is a number
of entries to create). Once you try to connect again, you can then read
/var/log/security and see where the packets are being dropped.
Another good method of troubleshooting is using # tcpdump -i ifaceX
(where ifaceX is the interface the traffic is going through first).
After you verify traffic can get through the first interface, dump the
other interface. You will get results verifying whether the traffic was
able to come in to the interface, and whether it was able to go back out.
You may also want to post to freebsd-ipfw.
Hope this helps!
Steve
>Please forgive me for asking this, I know it's probably been gone over
>numerous times.
>
>I have a network at a colo facility with a freebsd machine and 3 nic's.
>
>Outside nic and the others for the internal networks. I get routed
>3 class C's, and the machine is routing and acting as a gateway perfectly.
>
>We decided to close everything and add as needed (ports).
>
>As far as incoming traffic/ports, etc, everything is perfect. But if I
>get on any of the internal machines and try to browse the web (windows
>update) etc., nothing works.
>
>I'm sure it's something totally simple I'm missing, since it's a colo
>facility it's not like it's an office land and people are there but I need
>the ability to be on a server there and be able to browse, ftp, etc, all
>of which are broken.
>
>Could someone help me figure out what I've done wrong?
>
>Here's the rules I have, the firewall is set to "OPEN" so it runs
>/etc/rc.firewall and adds the 3 generic rulesets, then runs rc.joe which
>I'm showing here:
>
>#Begin Custom ipfw rules to secure network on fxp0
>#We will block at the WAN
>#
>#adam's IP for term svc
>ipfw add 101 allow tcp from xx.xx.xx.xx to any 3389 via bge0
>#sarah's IP for term svc
>ipfw add 102 allow tcp from xx.xx.xx.xx to any 3389 via bge0
>#
>#leave the unix machines alone
>#WWW
>ipfw add 103 allow tcp from any to xx.250.228.0/28 via bge0
>ipfw add 104 allow udp from any to xx.250.228.0/28 via bge0
>#Outside WAN - Router fbsd
>ipfw add 105 allow udp from any to xx.94.245.250 via bge0
>ipfw add 106 allow tcp from any to xx.94.245.250 via bge0
>ipfw add 107 allow tcp from any to xx.250.227.1 ssh via bge0
>#
>#Begin Allows - Universal (FTP, WWW, SMTP, POP3)
>ipfw add 108 allow tcp from any to xx.250.227.0/22 20,21,25,80,110 via
>bge0
>#
>#Outbound from inside
>ipfw add 109 check-state
>ipfw add 110 allow tcp from xx.250.224.0/22 via bge0 keep-state
>ipfw add 111 allow udp from xx.250.224.0/22 via bge0 keep-state
>ipfw add 112 allow tcp from any to any established setup
>#Machine specific ports
>#Server NEWS 1
>ipfw add 120 allow tcp from any to xx.250.227.2 53 via bge0
>ipfw add 121 allow tcp from any to xx.250.227.3 53 via bge0
>ipfw add 122 allow tcp from any to xx.250.227.4 53 via bge0
>ipfw add 123 allow udp from any to xx.250.227.2 via bge0
>ipfw add 124 allow udp from any to xx.250.227.3 via bge0
>ipfw add 125 allow udp from any to xx.240.227.4 via bge0
>#
>#Server WWW6
>ipfw add 130 allow tcp from any to xx.250.227.208 443 via bge0
>#
>#Server SQL 3
>ipfw add 140 allow tcp from any to xx.250.227.13 1433 via bge0
>#
>#Server MARZ
>ipfw add 150 allow tcp from any to xx.250.227.53 1433 via bge0
>#
>#Server Mai
>ipfw add 160 allow tcp from any to xx.250.227.175 8384 via bge0
>
>#Deny all after above allows - here we go
>ipfw add 400 deny tcp from any to xx.250.227.0/22 via bge0
>ipfw add 410 deny udp from any to xx.250.227.0/22 via bge0
>
>
>Goal is if we're on any of the 227 subnetted machines and wish to do
>anything on the internet that we be allowed to do so, such as ftp, telnet,
>browse the web, etc.
>
>These rules are also in effect as rc.firewall sets them:
>
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
># ${fwcmd} add 65000 pass all from any to any
>
>Any help would be greatly appreciated, I know that source packets coming
>in aren't matching the rulesets anylonger or it's something like that.
>
>The area that I've tried to make this work is the
>
>109
>110
>111
>112
>
>But to no avail.
>
>Thanks again,
>
>Joe
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>
>
>
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3DF0B110.7080102>