Date:      Tue, 10 Jul 2001 20:23:58 -0400 (EDT)
From:      Francisco Reyes <lists@natserv.com>
To:        Dru <genisis@istar.ca>
Cc:        FreeBSD Security List <freebsd-security@FreeBSD.ORG>
Subject:   Re: Cant ping/nslookup
Message-ID:  <20010710201436.B22560-100000@zoraida.natserv.net>
In-Reply-To: <20010710071252.D345-100000@x1-6-00-50-ba-de-36-33.kico1.on.home.com>

On Tue, 10 Jul 2001, Dru wrote:

> Hi Francisco,
>
> I don't see any rules to allow UDP.

I have some rules. I thought I would only include the "deny" clauses to
show that they all had the "log" option yet nothing was coming up on
/var/log/security.


> There's a step-by-step article on
> what's required here:
> http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html?page=2

Looked at it but didn't see anything which helped me solve the problem.
There was one thing in the article which helped
though. I didn't know about "ipfw show". I had always used "ipfw list".
Also the man page doesn't explain/mention "ipfw show".

By using "ipfw zero" and then trying some operations I noticed something
rather strange. None of the deny rules were hit, yet traffic fails.

For example:
ipfw zero
ipfw show (after I ran a ping using an IP address on the client)
00100 0   0 allow ip from any to any via lo0
00200 0   0 deny log logamount 50 ip from any to 127.0.0.0/8
00300 0   0 deny log logamount 50 ip from 127.0.0.0/8 to any
00400 0   0 allow log logamount 50 tcp from any to 160.79.54.10
00500 0   0 allow log logamount 50 tcp from any to 160.79.2.2
00600 0   0 allow log logamount 50 tcp from any to 216.223.192.21
00700 0   0 allow log logamount 50 tcp from 160.79.54.10 to any
00800 0   0 allow log logamount 50 tcp from 160.79.2.2 to any
00900 0   0 allow log logamount 50 tcp from 216.223.192.21 to any
01000 0   0 allow log logamount 50 udp from any to 160.79.54.10
01100 0   0 allow log logamount 50 udp from any to 160.79.2.2
01200 0   0 allow log logamount 50 udp from any to 216.223.192.21
01300 0   0 allow log logamount 50 udp from 160.79.54.10 to any
01400 0   0 allow log logamount 50 udp from 160.79.2.2 to any
01500 0   0 allow log logamount 50 udp from 216.223.192.21 to any
01600 2 214 allow log logamount 50 udp from any to 192.168.10.255
01700 4 240 allow icmp from any to any via fxp0
01800 4 240 allow icmp from any to any icmptype 8
01900 0   0 allow icmp from any to any icmptype 0
02000 0   0 allow icmp from any to any icmptype 3,4,11,12
02100 0   0 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
02200 0   0 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
02300 0   0 deny log logamount 50 ip from any to 10.0.0.0/8 via ed0
02400 0   0 deny log logamount 50 ip from any to 172.16.0.0/12 via ed0
02500 0   0 deny log logamount 50 ip from any to 0.0.0.0/8 via ed0
02600 0   0 deny log logamount 50 ip from any to 169.254.0.0/16 via ed0
02700 0   0 deny log logamount 50 ip from any to 192.0.2.0/24 via ed0
02800 0   0 deny log logamount 50 ip from any to 224.0.0.0/4 via ed0
02900 0   0 deny log logamount 50 ip from any to 240.0.0.0/4 via ed0
03000 0   0 divert 8668 ip from any to any via ed0
03100 0   0 deny log logamount 50 ip from 10.0.0.0/8 to any via ed0
03200 0   0 deny log logamount 50 ip from 172.16.0.0/12 to any via ed0
03300 0   0 deny log logamount 50 ip from 0.0.0.0/8 to any via ed0
03400 0   0 deny log logamount 50 ip from 169.254.0.0/16 to any via ed0
03500 0   0 deny log logamount 50 ip from 192.0.2.0/24 to any via ed0
03600 0   0 deny log logamount 50 ip from 224.0.0.0/4 to any via ed0
03700 0   0 deny log logamount 50 ip from 240.0.0.0/4 to any via ed0
03800 0   0 allow tcp from any to any 80
03900 0   0 allow tcp from any to any 110
04000 0   0 allow tcp from any to any 53
04100 0   0 allow udp from any to any 53
04200 0   0 allow tcp from any to any established
04300 0   0 allow ip from any to any frag
04400 0   0 allow tcp from any to 66.114.65.147 25 setup
04500 0   0 allow tcp from any to 66.114.65.147 53 setup
04600 0   0 allow udp from any to 66.114.65.147 53
04700 0   0 allow udp from 66.114.65.147 53 to any
04800 0   0 allow tcp from any to 66.114.65.147 80 setup
04900 0   0 allow tcp from any to any 22
05000 0   0 deny log logamount 50 tcp from any to any in recv ed0 setup
05100 0   0 allow tcp from any to any setup
05200 0   0 allow udp from 66.114.65.147 to any 53 keep-state
05300 0   0 allow udp from 66.114.65.147 to any 123 keep-state
05400 0   0 deny log logamount 50 ip from any to any
65535 0   0 deny ip from any to any


Notice that NONE of the deny rules were hit, yet my ping timed out.

Doing the DNS query does something similar:
ipfw zero
ipfw show (after trying nslookup freebsd.org at the client)
00100  0   0 allow ip from any to any via lo0
00200  0   0 deny log logamount 50 ip from any to 127.0.0.0/8
00300  0   0 deny log logamount 50 ip from 127.0.0.0/8 to any
00400  0   0 allow log logamount 50 tcp from any to 160.79.54.10
00500  0   0 allow log logamount 50 tcp from any to 160.79.2.2
00600  0   0 allow log logamount 50 tcp from any to 216.223.192.21
00700  0   0 allow log logamount 50 tcp from 160.79.54.10 to any
00800  0   0 allow log logamount 50 tcp from 160.79.2.2 to any
00900  0   0 allow log logamount 50 tcp from 216.223.192.21 to any
01000 12 780 allow log logamount 50 udp from any to 160.79.54.10
01100  2 138 allow log logamount 50 udp from any to 160.79.2.2
01200  0   0 allow log logamount 50 udp from any to 216.223.192.21
01300  0   0 allow log logamount 50 udp from 160.79.54.10 to any
01400  0   0 allow log logamount 50 udp from 160.79.2.2 to any
01500  0   0 allow log logamount 50 udp from 216.223.192.21 to any
01600  4 428 allow log logamount 50 udp from any to 192.168.10.255
01700  0   0 allow icmp from any to any via fxp0
01800  0   0 allow icmp from any to any icmptype 8
01900  0   0 allow icmp from any to any icmptype 0
02000  0   0 allow icmp from any to any icmptype 3,4,11,12
02100  0   0 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
02200  0   0 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
02300  0   0 deny log logamount 50 ip from any to 10.0.0.0/8 via ed0
02400  0   0 deny log logamount 50 ip from any to 172.16.0.0/12 via ed0
02500  0   0 deny log logamount 50 ip from any to 0.0.0.0/8 via ed0
02600  0   0 deny log logamount 50 ip from any to 169.254.0.0/16 via ed0
02700  0   0 deny log logamount 50 ip from any to 192.0.2.0/24 via ed0
02800  0   0 deny log logamount 50 ip from any to 224.0.0.0/4 via ed0
02900  0   0 deny log logamount 50 ip from any to 240.0.0.0/4 via ed0
03000  0   0 divert 8668 ip from any to any via ed0
03100  0   0 deny log logamount 50 ip from 10.0.0.0/8 to any via ed0
03200  0   0 deny log logamount 50 ip from 172.16.0.0/12 to any via ed0
03300  0   0 deny log logamount 50 ip from 0.0.0.0/8 to any via ed0
03400  0   0 deny log logamount 50 ip from 169.254.0.0/16 to any via ed0
03500  0   0 deny log logamount 50 ip from 192.0.2.0/24 to any via ed0
03600  0   0 deny log logamount 50 ip from 224.0.0.0/4 to any via ed0
03700  0   0 deny log logamount 50 ip from 240.0.0.0/4 to any via ed0
03800  0   0 allow tcp from any to any 80
03900  0   0 allow tcp from any to any 110
04000  0   0 allow tcp from any to any 53
04100  0   0 allow udp from any to any 53
04200  0   0 allow tcp from any to any established
04300  0   0 allow ip from any to any frag
04400  0   0 allow tcp from any to 66.114.65.147 25 setup
04500  0   0 allow tcp from any to 66.114.65.147 53 setup
04600  0   0 allow udp from any to 66.114.65.147 53
04700  0   0 allow udp from 66.114.65.147 53 to any
04800  0   0 allow tcp from any to 66.114.65.147 80 setup
04900  0   0 allow tcp from any to any 22
05000  0   0 deny log logamount 50 tcp from any to any in recv ed0 setup
05100  0   0 allow tcp from any to any setup
05200  0   0 allow udp from 66.114.65.147 to any 53 keep-state
05300  0   0 allow udp from 66.114.65.147 to any 123 keep-state
05400  0   0 deny log logamount 50 ip from any to any
65535  0   0 deny ip from any to any

Again NONE of the deny rules were hit.

I find this strange. I wonder what I am doing wrong.
I also double checked that I have forwarding set.
zoraida:/etc#sysctl -a | grep forwardin
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0


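The counters from "ipfw zero" / "ipfw show" only tell you which rules were hit, not why a given packet landed on that rule rather than a later one. The following is an added example (not part of the message above, and not ipfw's own code) that applies ipfw's first-match walk to a subset of the posted ruleset: a forwarded packet makes one inbound pass and one outbound pass, "via" is tested against the interface of the current pass, allow and deny end the walk, and divert does not, because natd re-injects the packet at the following rule. The Packet and Rule classes, the forwarded_passes helper, the LAN address 192.168.10.5 and the outside address 198.51.100.7 are constructed for the example; only the rule lines and the interface names come from the message. Run over a forwarded ICMP echo it reports rule 01700 on the inbound pass and 01800 on the outbound one, both before the divert rule 03000, while a TCP SYN to port 80 passes 03000 on the way out before 03800 accepts it; comparing such traces against the live counters is a quick way to see whether a packet ever reaches the rule you expect it to.

```python
# Added example: first-match trace of an ipfw(8) ruleset, to compare against `ipfw show` counters.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    proto: str                    # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    direction: str                # 'in' or 'out': one pass through the firewall
    recv: Optional[str] = None    # interface the packet arrived on
    xmit: Optional[str] = None    # interface it leaves on (outbound pass only)
    dport: Optional[int] = None
    icmptype: Optional[int] = None
    setup: bool = False           # TCP SYN without ACK

@dataclass
class Rule:
    number: int
    action: str                   # allow, deny or divert
    proto: str = 'ip'
    src: str = 'any'
    dst: str = 'any'
    dports: set = field(default_factory=set)
    icmptypes: set = field(default_factory=set)
    opts: dict = field(default_factory=dict)   # dir, via, recv, xmit, setup, keep-state

def parse_rule(line: str) -> Rule:
    """Parse an `ipfw list` line: 'NNNNN action [log [logamount N]] proto from A to B [ports] [options]'."""
    t = line.split()
    r, i = Rule(int(t[0]), t[1]), 2
    if r.action == 'divert':
        i += 1                                 # divert port: irrelevant to matching
    while t[i] in ('log', 'logamount'):        # logging options do not affect matching either
        i += 2 if t[i] == 'logamount' else 1
    r.proto, r.src, r.dst = t[i], t[i + 2], t[i + 4]
    i += 5
    if i < len(t) and t[i][0].isdigit():       # destination port list
        r.dports, i = {int(p) for p in t[i].split(',')}, i + 1
    while i < len(t):
        opt, i = t[i], i + 1
        if opt in ('via', 'recv', 'xmit'):
            r.opts[opt], i = t[i], i + 1
        elif opt == 'icmptype':
            r.icmptypes, i = {int(x) for x in t[i].split(',')}, i + 1
        elif opt in ('in', 'out'):
            r.opts['dir'] = opt
        elif opt in ('setup', 'keep-state'):   # keep-state is a plain match here: no state table
            r.opts[opt] = True
        else:
            raise ValueError(f'option {opt!r} not modelled')
    return r

def _in(spec: str, addr: str) -> bool:
    return spec == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r: Rule, p: Packet) -> bool:
    o = r.opts
    cur = p.recv if p.direction == 'in' else p.xmit    # the interface that 'via' tests on this pass
    return (r.proto in ('ip', p.proto)
            and _in(r.src, p.src) and _in(r.dst, p.dst)
            and (not r.dports or p.dport in r.dports)
            and (not r.icmptypes or p.icmptype in r.icmptypes)
            and o.get('dir', p.direction) == p.direction
            and o.get('via', cur) == cur
            and o.get('recv', p.recv) == p.recv
            and (not o.get('xmit') or (p.direction == 'out' and o['xmit'] == p.xmit))
            and (not o.get('setup') or (p.proto == 'tcp' and p.setup)))

def trace(rules, p: Packet):
    """(number, action) of each rule hit, in order; allow/deny stop the walk, divert continues."""
    path = []
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, p):
            path.append((r.number, r.action))
            if r.action in ('allow', 'deny'):
                break
    return path

# Subset of the posted ruleset, numbers as posted; ed0 is the outside interface, fxp0 the LAN.
RULES = [parse_rule(l) for l in """
00100 allow ip from any to any via lo0
01000 allow log logamount 50 udp from any to 160.79.54.10
01700 allow icmp from any to any via fxp0
01800 allow icmp from any to any icmptype 8
02100 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
03000 divert 8668 ip from any to any via ed0
03100 deny log logamount 50 ip from 10.0.0.0/8 to any via ed0
03800 allow tcp from any to any 80
04100 allow udp from any to any 53
65535 deny ip from any to any
""".strip().splitlines()]

def forwarded_passes(proto, src, dst, **kw):
    """Both firewall passes of a packet forwarded from the LAN (fxp0) out through ed0."""
    inbound = Packet(proto, src, dst, 'in', recv='fxp0', **kw)
    outbound = Packet(proto, src, dst, 'out', recv='fxp0', xmit='ed0', **kw)
    return trace(RULES, inbound), trace(RULES, outbound)
```

Calling forwarded_passes('icmp', '192.168.10.5', '198.51.100.7', icmptype=8) returns the two traces for a forwarded echo request; trace(RULES, Packet(...)) evaluates a single pass, for instance a packet with a 10.0.0.0/8 source arriving on ed0, which walks through the divert rule and stops at the 03100 deny. The parser deliberately raises on options it does not model (established, frag, source ports) rather than silently matching everything, so extending it to the full posted ruleset means adding those cases explicitly.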




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010710201436.B22560-100000>