From owner-freebsd-security Thu May 18 7: 5: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id 003EB37BC69 for ; Thu, 18 May 2000 07:04:56 -0700 (PDT) (envelope-from vlad@sandy.ru)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id RAA09067; Thu, 18 May 2000 17:50:27 +0400 (MSD)
Date: Thu, 18 May 2000 17:50:29 +0400
From: Vladimir Dubrovin
X-Mailer: The Bat! (v1.41)
Reply-To: Vladimir Dubrovin
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <11743.000518@sandy.ru>
To: Gabriel Ambuehl
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw: HTTP(S) is working but everything else doesn't...
In-reply-To: <1574492519.20000518151205@buz.ch>
References: <1574492519.20000518151205@buz.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Gabriel Ambuehl,

You've missed

    allow udp from any 53 to any

Same thing with other UDPs. In fact it's better to configure

    allow udp from any 1024-65535,53 to any 53
    allow udp from any 53 to any 1024-65535

because otherwise all your network is open to any UDP attack with source port 53.

18.05.00 17:12, you wrote: ipfw: HTTP(S) is working but everything else doesn't...;

G> [I sent this already to -questions but it stayed unanswered. I surely
G> know how mls are working but some advice couldn't hurt ;-)]
G>
G> Hello,
G> my ipfw is driving me nuts. I want to allow SMTP (both incoming and
G> outgoing), POP3, HTTP, HTTPS and DNS (well, FTP should work as well
G> but that one has got its own problems because of that FTP-data thingy)
G> for the firewall box itself and all boxes which use it as gateway [1].
G> Everything beside this should be rejected. To accomplish this, I
G> wanted to use the following ruleset:
G>
G> 00100 allow ip from any to any via lo0
G> 00200 deny ip from any to 127.0.0.0/8
G> 00300 allow tcp from any to any established
G> 00400 allow ip from any to any frag
G> 00500 allow tcp from any to any 25 setup
G> 00600 allow udp from any to any 53
G> 00700 allow udp from any 53 to any 53
G> 00800 allow tcp from any to any 80 setup
G> 00900 allow tcp from any to any 443 setup
G> 01000 allow tcp from any to any 21 setup
G> 01100 allow tcp from any to any 110 setup
G> 01200 allow tcp from any to any 22 setup
G> 01300 allow udp from any to any 22
G> # DHCP, I need this during development phase, it's going to be kicked out in production
G> 01400 allow tcp from any to any 546 setup
G> 01500 allow udp from any to any 546
G> 65535 deny ip from any to any
G>
G> but this isn't working as expected. HTTP and HTTPS both work as they
G> should. DNS doesn't work at all, neither SMTP nor POP (meaning: I
G> can't connect to the server from outside or to outside servers from
G> the box itself). And the strangest thing (or at least it seems this way
G> to me) is happening with ssh: first, ssh (PuTTY) takes over a minute
G> to show me a login prompt (connecting to the box from outside) and
G> then, when I try to login, I can type without any problems, but as
G> soon as I hit enter, the ssh client exits and the server reports
G> |sshd[645]: fatal: Timeout before authentication for 10.2.2.150.
G>
G> What's going on wrong here?
G>
G> [1] Meaning the box acts as some kind of bastion host for the entire
G> net behind it. I know this isn't the optimum but as we can't set up enough
G> of those boxes (supplier ran out of them :-(( it has to offer those
G> services as well.
G>
G> Best regards,
G> Gabriel

+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|  Sandy, ISP
| Sandy CSS chief |  Customers Support Service dept
|http://www.sandy.ru|  Nizhny Novgorod, Russia
+=-=-=-=-=-=-=-=-=+  http://www.security.nnov.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
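The two points of the reply above (why the posted ruleset drops DNS replies, and why a plain `allow udp from any 53 to any` is too wide) can be checked without a FreeBSD box. The following is an added example, not code from either poster or from ipfw(8): a toy first-match evaluator for the subset of ipfw rule syntax used in the thread. It models only protocol, ports and the TCP `setup`/`established` keywords (addresses, interfaces and `frag` are not modelled, so rules 100, 200 and 400 are left out), and the packets it is run against are constructed for the illustration.

```python
"""Toy first-match evaluator for the ipfw rule subset used in the thread.
Constructed example: it is not FreeBSD's ipfw and models only
protocol, source/destination ports and the TCP setup/established flags."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    sport: int
    dport: int
    setup: bool = False        # TCP SYN without ACK (ipfw 'setup')
    established: bool = False  # TCP with ACK or RST set (ipfw 'established')


FLAGS = {"setup", "established", "frag"}


def parse_ports(spec: str) -> Optional[list]:
    """'any' -> None (match all); '1024-65535,53' -> [(1024, 65535), (53, 53)]."""
    if spec == "any":
        return None
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


def parse_rule(line: str) -> dict:
    """'00600 allow udp from any to any 53' -> dict of match fields."""
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[1], "proto": tok[2],
            "sport": None, "dport": None, "flags": set()}
    i = tok.index("from") + 2              # skip 'from' and the source address
    if tok[i] != "to":
        rule["sport"] = parse_ports(tok[i])
        i += 1
    i += 2                                 # skip 'to' and the destination address
    if i < len(tok) and tok[i] not in FLAGS:
        rule["dport"] = parse_ports(tok[i])
        i += 1
    rule["flags"] = set(tok[i:])
    return rule


def ports_ok(ranges, port: int) -> bool:
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if not ports_ok(rule["sport"], pkt.sport) or not ports_ok(rule["dport"], pkt.dport):
        return False
    if "setup" in rule["flags"] and not pkt.setup:
        return False
    if "established" in rule["flags"] and not pkt.established:
        return False
    return True


def verdict(ruleset, pkt: Packet):
    """First matching rule wins, as in ipfw; returns (rule number, action)."""
    for rule in map(parse_rule, ruleset):
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    return 65535, "deny"


# TCP rules as posted; the ruleset variants below differ only in the UDP rules.
TCP_RULES = [
    "00300 allow tcp from any to any established",
    "00500 allow tcp from any to any 25 setup",
    "00800 allow tcp from any to any 80 setup",
    "00900 allow tcp from any to any 443 setup",
    "01000 allow tcp from any to any 21 setup",
    "01100 allow tcp from any to any 110 setup",
    "01200 allow tcp from any to any 22 setup",
]
DEFAULT = ["65535 deny ip from any to any"]

# As posted: a reply from port 53 to the resolver's ephemeral port matches
# nothing, so every lookup times out.
ORIGINAL_UDP = ["00600 allow udp from any to any 53",
                "00700 allow udp from any 53 to any 53"]
# The first suggestion in the reply: DNS works, but any UDP datagram
# carrying source port 53 now reaches every UDP service on the box.
LOOSE_UDP = ["00600 allow udp from any to any 53",
             "00700 allow udp from any 53 to any"]
# The recommended pair: replies from 53 may only land on ephemeral ports.
TIGHT_UDP = ["00600 allow udp from any 1024-65535,53 to any 53",
             "00700 allow udp from any 53 to any 1024-65535"]


def ruleset(udp_rules):
    return sorted(TCP_RULES + udp_rules + DEFAULT)   # ipfw evaluates by number


# Constructed packets: an outbound query, its reply, and a datagram with
# source port 53 aimed at an unrelated UDP service port (514 here).
QUERY = Packet("udp", 1025, 53)
REPLY = Packet("udp", 53, 1025)
SPOOFED = Packet("udp", 53, 514)

if __name__ == "__main__":
    for name, udp in (("original", ORIGINAL_UDP), ("loose", LOOSE_UDP), ("tight", TIGHT_UDP)):
        for label, pkt in (("query", QUERY), ("reply", REPLY), ("spoofed", SPOOFED)):
            print(f"{name:8} {label:8} -> {verdict(ruleset(udp), pkt)}")
```

Running it shows the reply packet hitting the default deny under the posted rules, the loose variant passing the spoofed-source-port packet through rule 700, and the recommended pair allowing query and reply while still denying the stray datagram.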