From owner-freebsd-security Thu May 18 6:27:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail3.iadfw.net (mail3.iadfw.net [209.196.123.3]) by hub.freebsd.org (Postfix) with SMTP id 3C28237B654 for ; Thu, 18 May 2000 06:27:18 -0700 (PDT) (envelope-from moby@pcsn.net)
Received: from mobster1 from [205.241.160.67] by mail3.iadfw.net (/\##/\ Smail3.1.30.16 #30.4) with smtp for sender: id ; Thu, 18 May 2000 08:27:11 -0500 (CDT)
Reply-To:
From: "Mobeen Azhar"
To:
Subject: RE: ipfw: HTTP(S) is working but everything else doesn't...
Date: Thu, 18 May 2000 08:27:06 -0500
Message-ID: <000501bfc0cc$c2b3ae00$9ef105ab@TexasCommerce.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <1574492519.20000518151205@buz.ch>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am not exactly sure what's going wrong, but try removing the
"deny ip from any to 127.0.0.0/8" rule and see what happens. Also, in the
beginning of your rules, you need to allow all local traffic. I don't see
anything like that in your rules.

--Moby

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Gabriel Ambuehl
> Sent: Thursday, May 18, 2000 0812
> To: freebsd-security@FreeBSD.ORG
> Subject: ipfw: HTTP(S) is working but everything else doesn't...
>
>
> [I sent this already to -questions but it kept unanswered. I surely
> know how mls are working but some advice couldn't hurt ;-)]
> Hello,
> my ipfw is driving me nuts. I want to allow SMTP (both incoming and
> outgoing), POP3, HTTP, HTTPS and DNS (well, FTP should work as well
> but that one has got its own problems because of that FTP-data thingy)
> for the firewall box itself and all boxes which use it as gateway [1].
> Everything beside this should be rejected. To accomplish this, I
> wanted to use the following ruleset:
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 allow tcp from any to any established
> 00400 allow ip from any to any frag
> 00500 allow tcp from any to any 25 setup
> 00600 allow udp from any to any 53
> 00700 allow udp from any 53 to any 53
> 00800 allow tcp from any to any 80 setup
> 00900 allow tcp from any to any 443 setup
> 01000 allow tcp from any to any 21 setup
> 01100 allow tcp from any to any 110 setup
> 01200 allow tcp from any to any 22 setup
> 01300 allow udp from any to any 22
> # DHCP, I need this during development phase, it's going to be
> kicked out in production
> 01400 allow tcp from any to any 546 setup
> 01500 allow udp from any to any 546
> 65535 deny ip from any to any
>
> but this isn't working as expected. HTTP and HTTPS both work as they
> should. DNS doesn't work at all, neither SMTP nor POP (meaning: I
> can't connect to the server from outside or to outside servers from
> the box itself). And the most strange thing (or at least does this seem
> to me this way) is happening with ssh: first, ssh (PuTTY) takes
> over a minute
> to show me a login prompt (connecting to the box from outside) and
> then, when I try to login, I can type without any problems, but as
> soon as I hit enter, the ssh client exits and the server reports
> |sshd[645]: fatal: Timeout before authentication for 10.2.2.150.
> What's going on wrong here?
>
> [1] Meaning the box acts as some kind of bastion host for the entire
> net behind it. I know this isn't the optimum but as we can't set up enough
> of those boxes (supplier ran out of them :-(( it has to offer those
> services as well.
>
>
> Best regards,
> Gabriel
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
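The quoted ruleset can be checked on paper by walking it top to bottom the way ipfw does: the first rule that matches a packet decides, and anything that reaches 65535 is dropped. The following Python model is an added example written for this archive page; it is not ipfw, not part of the thread, and covers only the small subset of ipfw syntax the quoted rules use (`ip`/`tcp`/`udp`, `from`/`to` with optional ports, `via`, `established`, `setup`, `frag`). The hosts, ports and interface name are constructed for illustration. Tracing a DNS query and its reply through the quoted rules shows why name resolution fails: the outgoing query matches rule 600, but the reply (source port 53, destination port ephemeral) matches neither 600 nor 700 and falls through to 65535. `trace_with()` lets a reader splice in a candidate rule and re-run the same packets before touching a live box.

```python
"""First-match evaluator for the subset of ipfw syntax used in the quoted
ruleset.  Added example for this page: a model of how ipfw walks rules,
not ipfw itself."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ruleset as quoted in the thread (DHCP comment kept as a comment line).
RULESET_TEXT = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to any established
00400 allow ip from any to any frag
00500 allow tcp from any to any 25 setup
00600 allow udp from any to any 53
00700 allow udp from any 53 to any 53
00800 allow tcp from any to any 80 setup
00900 allow tcp from any to any 443 setup
01000 allow tcp from any to any 21 setup
01100 allow tcp from any to any 110 setup
01200 allow tcp from any to any 22 setup
01300 allow udp from any to any 22
# DHCP, needed during development only
01400 allow tcp from any to any 546 setup
01500 allow udp from any to any 546
65535 deny ip from any to any
"""

@dataclass
class Rule:
    num: int
    action: str
    proto: str            # "ip", "tcp" or "udp"
    src: str              # "any" or a host/CIDR
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    opts: list            # trailing keywords: via <if>, established, setup, frag

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "fxp0"                 # constructed external interface name
    flags: frozenset = frozenset()      # subset of {"syn", "ack", "frag"}

def parse_rule(line: str) -> Rule:
    tok = line.split()
    num, action, proto = int(tok[0]), tok[1], tok[2]
    i = 4                               # tok[3] is "from"
    src, i = tok[i], i + 1
    sport = None
    if tok[i] != "to":
        sport, i = int(tok[i]), i + 1
    i += 1                              # skip "to"
    dst, i = tok[i], i + 1
    dport = None
    if i < len(tok) and tok[i].isdigit():
        dport, i = int(tok[i]), i + 1
    return Rule(num, action, proto, src, sport, dst, dport, tok[i:])

def parse_ruleset(text: str) -> list[Rule]:
    lines = [l.strip() for l in text.splitlines()]
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]

def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (addr_match(r.src, p.src) and addr_match(r.dst, p.dst)):
        return False
    if r.sport is not None and r.sport != p.sport:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if "via" in r.opts and p.iface != r.opts[r.opts.index("via") + 1]:
        return False
    # ipfw "established" matches RST or ACK set; the model tracks ACK only.
    if "established" in r.opts and "ack" not in p.flags:
        return False
    if "setup" in r.opts and not ("syn" in p.flags and "ack" not in p.flags):
        return False
    if "frag" in r.opts and "frag" not in p.flags:
        return False
    return True

def evaluate(rules: list[Rule], p: Packet) -> tuple[int, str]:
    """Return (rule number, action) of the first rule that matches."""
    for r in rules:
        if rule_matches(r, p):
            return r.num, r.action
    return 65535, "deny"                # ipfw's implicit default

# Constructed traffic: firewall box 192.0.2.1, resolver 198.51.100.53,
# a remote web client at 203.0.113.7.
SAMPLE_PACKETS = {
    "dns query out":    Packet("udp", "192.0.2.1", 1053, "198.51.100.53", 53),
    "dns reply in":     Packet("udp", "198.51.100.53", 53, "192.0.2.1", 1053),
    "http syn in":      Packet("tcp", "203.0.113.7", 40001, "192.0.2.1", 80, flags=frozenset({"syn"})),
    "http syn-ack out": Packet("tcp", "192.0.2.1", 80, "203.0.113.7", 40001, flags=frozenset({"syn", "ack"})),
}

def trace(ruleset_text: str = RULESET_TEXT) -> dict[str, tuple[int, str]]:
    rules = parse_ruleset(ruleset_text)
    return {name: evaluate(rules, p) for name, p in SAMPLE_PACKETS.items()}

def trace_with(extra_rule: str, ruleset_text: str = RULESET_TEXT) -> dict[str, tuple[int, str]]:
    """Re-run the sample packets with one candidate rule spliced in by number."""
    rules = sorted(parse_ruleset(ruleset_text) + [parse_rule(extra_rule)], key=lambda r: r.num)
    return {name: evaluate(rules, p) for name, p in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, (num, action) in trace().items():
        print(f"{name:18s} -> rule {num:05d} {action}")
```

With the quoted ruleset the HTTP pair passes (SYN at 800, SYN/ACK at 300), which matches what the poster sees, while the DNS reply is dropped at 65535. Calling `trace_with("00650 allow udp from any 53 to any")` is a hypothetical candidate, not advice from the thread; it shows the reply then matching at 650, which is the kind of before/after check worth doing with a model before editing rules on the gateway.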