From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 24 10:10:32 2005
From: "Thomas Dunlap" <tdunlap@astrosys.com>
To: freebsd-ipfw@freebsd.org
Date: Fri, 21 Jan 2005 16:40:57 -0500
Organization: ASTRO Systems, Inc.
Message-ID: <00a201c50001$e4189230$7100a8c0@globalvox.net>
Subject: Newbie Assistance

Greetings,

I am new to FreeBSD and need to get some assistance in making ipfw NAT rules. Rather than bother everyone with a ton of questions, I would like to request assistance in finding a good documentation source to self-teach.
Thanks

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 24 11:02:41 2005
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Date: Mon, 24 Jan 2005 11:02:40 GMT
Message-Id: <200501241102.j0OB2eSq019411@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker      Resp.      Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274   ipfw       ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341   ipfw       ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154   ipfw       ipfw core (crash)
o [2004/03/03]  kern/63724   ipfw       IPFW2 Queues dont t work
f [2004/03/25]  kern/64694   ipfw       [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13]  kern/73910   ipfw       [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104   ipfw       ipfw2/1 conflict not detected or reported
o [2004/12/25]  i386/75483   ipfw       ipfw count does not count

8 problems total.

Non-critical problems

S Submitted     Tracker      Resp.      Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534   ipfw       Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159   ipfw       ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172   ipfw       ipfw does not log size and flags
o [2003/03/10]  kern/49086   ipfw       [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749    ipfw       ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984   ipfw       [patch] time based firewalling support fo
o [2003/12/30]  kern/60719   ipfw       ipfw: Headerless fragments generate cryp
o [2004/08/03]  kern/69963   ipfw       ipfw: install_state warning about already
o [2004/09/04]  kern/71366   ipfw       "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 26 14:45:12 2005
From: Onur Gurhan <ogurhan@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Wed, 26 Jan 2005 17:45:08 +0300
Subject: Need some Unix help Please!

Hello,

I need some help with ipfw, if you could be so kind. I'm having some difficulty setting up the port forwarding at my office and was wondering if you could help me out... here's how the network is:

We have an internal regular "office" network, with their own DSL, using a DSL modem as a router. They use static IPs and use the DSL gateway.
Then there's a secondary Internet connection, which is a dedicated satellite dish with a static IP for our webserver.

Here's the dilemma: I'm using a dual-proc G5 Xserve running OS 10.3.7 as the firewall/NAT/DHCP. Only a few VIPs get to use the sat dish for net, so most of its bandwidth is dedicated to our server for hosting our site. The problem I'm facing is configuring the port forwarding. The Xserve has 2 NICs:

en0 is 84.11.14.5, which is the static IP for the WAN
en1 is 192.168.0.3, the LAN/router/gateway IP

The webserver is 192.168.0.11.

Basically: when people type "84.11.14.5" (and whatever DNS we attach to it later) into their web browser, they should receive the webpage hosted on 192.168.0.11. I want to forward ports 80 and 22.

Sounds simple enough... maybe I'm just missing something... I scoured the net and found a small "port forwarding" guide, in which you edit the natd.plist file, but it didn't work out for me. Here's the link: http://www.labo-apple.com/en/articles/os+x+server/s+x+server-277

The NAT worked when I had the interface set to en1, so it was working internally only: I couldn't reach the internet and no one from the internet could reach it either. Set to en0, the internet NATing worked, but then the webserver didn't work...
If you could help I would really appreciate it, I'm really in a jam.

Thank you,
Onur Gurhan

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 28 16:02:45 2005
From: Matej Puntar <matej.puntar@guest.arnes.si>
To: freebsd-ipfw@freebsd.org
Date: Fri, 28 Jan 2005 17:02:41 +0100
Message-ID: <41FA6221.6030808@guest.arnes.si>
Subject: ipfw pipes and queues test

Hello

I have just updated my firewall rules. I added some pipes and queues and it looks like it's working. But how do I test it and see if it really works?

Thanks

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 29 13:51:27 2005
From: "Debbie" <CoreyalpholQ7gWw@safe-mail.net>
To: "Debbie"
cc: ipfw@freebsd.org, isp@freebsd.org, investoralert@freebsd.org
Date: Sat, 29 Jan 2005 19:44:24 +0600
Subject: Breaking News

http://www.ez-rate.info/1/

I didn't love dancing for two hours.
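The port-forwarding layout in Onur Gurhan's message above (public address 84.11.14.5 on en0, web server at 192.168.0.11, ports 80 and 22) is the standard natd(8) redirect case, and his two symptoms describe the two halves of it: natd bound to en1 only rewrites traffic between internal hosts, and natd bound to en0 without any redirect mapping NATs outbound traffic but has nowhere to send an inbound connection to port 80. The script below is an added example and is not code posted in the thread or taken from the linked guide. It assumes FreeBSD-style natd(8) and ipfw(8) semantics (Mac OS X's natd is derived from FreeBSD's, but the natd.plist wrapper the guide edits is not modelled here), covers only the NAT step and the two forwarded services, and leaves the rest of the ruleset to the existing configuration. The variable and function names are ours. Unless APPLY=1 is set it only prints the commands, so it can be reviewed before anything on the firewall changes.

```shell
#!/bin/sh
# Added example (not from the thread): natd port forwarding for the layout
# described above. Assumes FreeBSD-style natd(8)/ipfw(8); the Mac OS X
# Server natd.plist wrapper is not modelled.

WAN_IF="en0"             # interface that holds the public address
WAN_IP="84.11.14.5"      # public address given in the thread
WEB_SERVER="192.168.0.11"

# Print the commands instead of running them unless APPLY=1 is set, so the
# generated configuration can be reviewed (and tested) on any host.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

nat_setup() {
    # natd has to sit on the *external* interface: inbound packets for
    # 84.11.14.5:80 are rewritten to 192.168.0.11:80, and the replies are
    # rewritten back on the way out. -dynamic follows address changes on
    # the interface; -use_sockets and -same_ports keep port-sensitive
    # protocols such as FTP working through the translation.
    run natd -interface "$WAN_IF" -dynamic -use_sockets -same_ports \
        -redirect_port tcp "$WEB_SERVER:80" 80 \
        -redirect_port tcp "$WEB_SERVER:22" 22

    # Every packet crossing the WAN interface is handed to natd's divert
    # socket first; it re-enters the ruleset at the next rule with the
    # translated addresses, so later rules see the internal address.
    run ipfw add 50 divert natd ip from any to any via "$WAN_IF"

    # Only the two forwarded services are admitted from the outside.
    # If the SSH users are known, narrow "any" on rule 110 to their
    # addresses; everything else inbound on the WAN is dropped and logged.
    run ipfw add 100 allow tcp from any to "$WEB_SERVER" 80 in via "$WAN_IF"
    run ipfw add 110 allow tcp from any to "$WEB_SERVER" 22 in via "$WAN_IF"
    run ipfw add 199 deny log tcp from any to any in via "$WAN_IF" setup

    # The box must route between en0 and en1 for the forwarding to work.
    run sysctl -w net.inet.ip.forwarding=1
}

# Number of -redirect_port mappings in the generated natd command line.
redirect_count() {
    nat_setup | grep -o 'redirect_port' | wc -l | tr -d ' '
}
```

Run with no environment variable to see the commands that would be issued; `APPLY=1 sh script.sh` executes them, which needs root on the firewall. The `WAN_IP` value is kept only as documentation of the address the redirects answer on; natd learns it from the interface because of `-dynamic`.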
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 29 20:52:30 2005
From: "Gerard Meijer" <gmeijer@palmweb.nl>
To: freebsd-ipfw@freebsd.org
Date: Sat, 29 Jan 2005 21:55:16 +0100
Message-ID: <084c01c50644$d5e87010$9600000a@guus>
Subject: ipfw statefull ruleset problem

Hi everyone,

First of all, I'm not very experienced with ipfw, so if this is a stupid question, I'm sorry.

I have a question regarding my stateful ipfw ruleset. I have the following rules:

---begin---
$cmd 00015 check-state

#www
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

#mail
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

#ftp
$cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in FTP
$cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2

# Allow in mail
$cmd 00420 allow tcp from any to me 110 in via $pif
---end---
(there are more rules, but these are the ones that it's about)

The problem that I'm having is that I can't check mail, and can't FTP, and see a lot of:

ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0

messages in my logfile.

When I try to check mail I see in my log:

ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0

What happens (I think, as far as I understand ipfw) is that there is a connection setup on port 21/80/110 (ftp/http/mail), which is allowed by the rules. A dynamic rule is created, but then the other computer switches ports. The check-state command checks for a dynamic rule, but the port doesn't match anymore, so it doesn't find a dynamic rule, and the other rules also don't apply, since they only allow connection initialization. Am I correct?

I can solve all this by putting in the rule:

# $cmd 00020 allow tcp from any to any established

But I learned that that is not the right way to do this in a stateful ruleset, because the dynamic rules don't have any use in this way. So what is the right way to solve this?

Thanks a lot in advance!
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 29 21:27:44 2005
From: "Vahric MUHTARYAN" <vahric@doruk.net.tr>
To: "'Gerard Meijer'" <gmeijer@palmweb.nl>, freebsd-ipfw@freebsd.org
Date: Sat, 29 Jan 2005 23:27:50 +0200
Message-Id: <200501292126.j0TLQkjg097142@smtp.doruk.net.tr>
In-Reply-To: <084c01c50644$d5e87010$9600000a@guus>
Subject: RE: ipfw statefull ruleset problem

Use like this

intip="your machine ip address"
int="your interface, for example fxp0 for intel"

${fwcmd} add 400 drop all from any to any frag
${fwcmd} add 500 check-state
${fwcmd} add 600 deny tcp from any to any established
${fwcmd} add 1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
${fwcmd} add 1204 pass tcp from ${intip} 20 to any out via ${int} setup keep-state

Bye ...

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Gerard Meijer
Sent: Saturday, January 29, 2005 10:55 PM
To: freebsd-ipfw@freebsd.org
Subject: ipfw statefull ruleset problem

[Gerard Meijer's original message quoted in full; see above.]

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 29 22:02:56 2005
From: "Gerard Meijer" <gmeijer@palmweb.nl>
To: "Vahric MUHTARYAN" <vahric@doruk.net.tr>, freebsd-ipfw@freebsd.org
Date: Sat, 29 Jan 2005 23:05:47 +0100
Message-ID: <094d01c5064e$b0010600$9600000a@guus>
References: <200501292126.j0TLQkjg097142@smtp.doruk.net.tr>
Subject: Re: ipfw statefull ruleset problem

Do you mean that I should change 'allow' to 'pass'? What exactly does pass do?

Thanks!

----- Original Message -----
From: "Vahric MUHTARYAN"
To: "'Gerard Meijer'"; freebsd-ipfw@freebsd.org
Sent: Saturday, January 29, 2005 10:27 PM
Subject: RE: ipfw statefull ruleset problem

> [Vahric MUHTARYAN's reply, with the original message, quoted in full; see above.]

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 29 22:22:46 2005
From: "Vahric MUHTARYAN" <vahric@doruk.net.tr>
To: "'Gerard Meijer'" <gmeijer@palmweb.nl>, freebsd-ipfw@freebsd.org
Date: Sun, 30 Jan 2005 00:22:55 +0200
Message-Id: <200501292221.j0TMLnOj016406@smtp.doruk.net.tr>
In-Reply-To: <094d01c5064e$b0010600$9600000a@guus>
Subject: RE: ipfw statefull ruleset problem

No no,

400 will drop all fragmented packets
500 will provide you the state check
600 will deny all established (because we don't want any established packets to pass the firewall; we want to check the state of all packets, and we already did that at 500)
1100 will allow the ftp connection to your ip address
1204 allows your machine to turn client for the data transfer

Pls see active ftp at this address: http://slacksite.com/other/ftp.html

For the pop3 connection and for the smtp connection use those.

${fwcmd} add 1000 pass tcp from any to ${intip} 110 in via ${int} setup keep-state

With this you can make a pop3 connection ......

${fwcmd} add 1001 pass tcp from any to ${intip} 25 in via ${int} setup keep-state

With this you can make a smtp connection to your server

Vahric

-----Original Message-----
From: Gerard Meijer [mailto:gmeijer@palmweb.nl]
Sent: Sunday, January 30, 2005 12:06 AM
To: Vahric MUHTARYAN; freebsd-ipfw@freebsd.org
Subject: Re: ipfw statefull ruleset problem

[Gerard Meijer's reply and the earlier messages quoted in full; see above.]

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 29 22:34:41 2005
From: "Gerard Meijer" <gmeijer@palmweb.nl>
To: "Vahric MUHTARYAN" <vahric@doruk.net.tr>, freebsd-ipfw@freebsd.org
Date: Sat, 29 Jan 2005 23:37:26 +0100
Message-ID: <096c01c50653$1c660f30$9600000a@guus>
References: <200501292221.j0TMLnQ3016409@smtp.doruk.net.tr>
Subject: Re: ipfw statefull ruleset problem

Okay, I understand. But that doesn't solve the problem, right? I think that what you say is more or less the same as what I have:

you say: 500 check-state
I have: 00015 check-state

you say: 1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
I have: 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2

The rule I don't have is your 1204, outbound through port 20. I don't know why you have that one.

My problem is that the initialization goes okay, but then the other pc seems to switch ports and the connection is denied. I think I just understand you wrong. Sorry for that. I really appreciate your help, but can you explain what is different in the rules you have and that I have, and why yours should work and mine doesn't?

Thanks!

----- Original Message -----
From: "Vahric MUHTARYAN"
To: "'Gerard Meijer'"; freebsd-ipfw@freebsd.org
Sent: Saturday, January 29, 2005 11:22 PM
Subject: RE: ipfw statefull ruleset problem

> [Vahric MUHTARYAN's second reply and the earlier messages quoted in full; see above.]
>> _______________________________________________ >> freebsd-ipfw@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >> >> >> _______________________________________________ >> freebsd-ipfw@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >> > >
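The mechanism the thread is circling around, as an added example that is not part of any message above and not ipfw's own code: a small Python model of ipfw's first-match evaluation with `check-state`, `setup`, `established` and `keep-state`. It replays the POP3 case from the quoted ruleset (rule 420 without `keep-state`) to reproduce the logged `Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[port] out`, then the same session with the `allow tcp from any to any established` workaround, and finally with `setup keep-state` on the inbound rule as Vahric's rule 1000 does. The addresses, the client port, the closed port 9999, and rule 299 as an outbound catch-all deny are constructed assumptions (the log line only shows that rule 299 denies outbound traffic); `limit` and RST handling are not modelled.

```python
"""Toy model of ipfw rule evaluation (added example; not ipfw's own code).

Models just enough of ipfw for TCP on one interface: rules are tried in
number order, the first match decides, 'check-state' consults the dynamic
rule table, 'keep-state' adds to it.  Everything below the rules is a
constructed scenario, not data from the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str            # "in" or "out" relative to the firewall
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "allow", "deny" or "check-state"
    dport: int = 0            # 0 = any destination port
    direction: str = ""       # "" = either direction
    to_me: bool = False       # 'to me': destination is the firewall's address
    setup: bool = False       # 'setup': SYN set and ACK clear
    established: bool = False # 'established': ACK set (ipfw also counts RST)
    keep_state: bool = False  # 'keep-state': create a dynamic rule on match


class Firewall:
    def __init__(self, rules, me):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.me = me
        self.dynamic = set()  # dynamic rules, one per flow, both directions

    @staticmethod
    def flow(p):
        # A dynamic rule matches the flow in both directions, so key on the
        # unordered pair of endpoints.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def matches(self, r, p):
        if r.dport and p.dport != r.dport:
            return False
        if r.direction and p.direction != r.direction:
            return False
        if r.to_me and p.dst != self.me:
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        if r.established and not p.ack:
            return False
        return True

    def evaluate(self, p):
        """Return (rule number, action) of the first rule that decides p."""
        for r in self.rules:
            if r.action == "check-state":
                if self.flow(p) in self.dynamic:
                    return r.number, "allow"  # matched an existing dynamic rule
                continue
            if self.matches(r, p):
                if r.keep_state:
                    self.dynamic.add(self.flow(p))
                return r.number, r.action
        return 65535, "deny"  # ipfw's default rule when nothing else matches


SERVER, CLIENT = "192.0.2.10", "198.51.100.7"  # constructed addresses
CATCH_ALL = Rule(299, "deny", direction="out")  # assumed outbound deny behind the log line


def pop3_session(rules):
    """Client opens POP3; return the verdict on the server's first reply."""
    fw = Firewall(rules, me=SERVER)
    fw.evaluate(Packet(CLIENT, 51234, SERVER, 110, "in", syn=True))
    # The reply goes to the client's ephemeral port: nobody "switched ports".
    return fw.evaluate(Packet(SERVER, 110, CLIENT, 51234, "out", ack=True))


def stray_ack(rules):
    """An unsolicited ACK to a closed port (constructed); shows what 'established' lets in."""
    fw = Firewall(rules, me=SERVER)
    return fw.evaluate(Packet(CLIENT, 40000, SERVER, 9999, "in", ack=True))


# As quoted: rule 420 has no keep-state, so no dynamic rule exists when the
# server's reply goes out and rule 299 denies (and logs) it.
ORIGINAL = [Rule(15, "check-state"), CATCH_ALL,
            Rule(420, "allow", dport=110, direction="in", to_me=True)]

# The 'established' workaround: replies pass at rule 20, but so does any
# packet with ACK set, with no state consulted at all.
ESTABLISHED = [Rule(15, "check-state"), Rule(20, "allow", established=True),
               CATCH_ALL, Rule(420, "allow", dport=110, direction="in", to_me=True)]

# Stateful fix in the style of Vahric's rule 1000: the inbound rule keeps state
# on the handshake, so the reply matches at check-state before rule 299.
STATEFUL = [Rule(15, "check-state"), CATCH_ALL,
            Rule(420, "allow", dport=110, direction="in", to_me=True,
                 setup=True, keep_state=True)]

if __name__ == "__main__":
    for name, rules in ("original", ORIGINAL), ("established", ESTABLISHED), ("stateful", STATEFUL):
        print(f"{name:12s} reply: {pop3_session(rules)}  stray ACK: {stray_ack(rules)}")
```

Running it shows the three outcomes side by side: with the original rules the reply is decided by rule 299, because rule 420 never created a dynamic rule; with the `established` rule both the reply and an unsolicited ACK to a closed port are allowed by rule 20 without any state lookup, which is the weakness behind "not the right way to do this in a stateful ruleset"; with `setup keep-state` the reply is accepted at `check-state` and the stray ACK still falls through to the default deny. The logged destination port that looks like a port switch is simply the client's ephemeral source port seen in the reverse direction.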