Date:      Wed, 4 Aug 2004 14:06:09 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Srot BULL <pwd8jmr22w@me.point.ne.jp>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW - Allowed but Denied is shown in my logs
Message-ID:  <20040804110609.GA4366@orion.daedalusnetworks.priv>
In-Reply-To: <4110C905.4080108@me.point.ne.jp>
References:  <41109ABF.4090904@me.point.ne.jp> <20040804103848.GA31620@orion.daedalusnetworks.priv> <4110C905.4080108@me.point.ne.jp>

On 2004-08-04 20:31, Srot BULL <pwd8jmr22w@me.point.ne.jp> wrote:
>>On 2004-08-04 17:13, Srot BULL <pwd8jmr22w@me.point.ne.jp> wrote:
>>>Why are the above firewall logs telling me that it has denied my TCP
>>>packets and yet I am not experiencing any problems in my emails and
>>>access to the internet through port 80? [...]
>>
>> Giorgos Keramidas wrote:
>> Show us the full ruleset.  Otherwise we're just guessing...

> # Flush out EVERYTHING first before starting
> ipfw -q -f flush

> CMD="ipfw -q add"
> IFN="rl0"

> $CMD 00010 allow all from any to any via lo0
> $CMD 00015 check-state
> $CMD 00099 allow tcp from any to any 6088 out via $IFN setup keep-state

> $CMD 00110 allow tcp from any to x.x.x.x   53 out via $IFN setup keep-state
> $CMD 00111 allow udp from any to x.x.x.x   53 out via $IFN       keep-state
> $CMD 00112 allow tcp from any to x.x.x.x   53 out via $IFN setup keep-state
> $CMD 00113 allow udp from any to x.x.x.x   53 out via $IFN       keep-state
> $CMD 00114 allow tcp from any to x.x.x.x   53 out via $IFN setup keep-state
> $CMD 00115 allow udp from any to x.x.x.x   53 out via $IFN       keep-state

> $CMD 00120 allow udp from any to x.x.x.x   67 out via $IFN       keep-state
> $CMD 00200 allow tcp from any to any       80 out via $IFN setup keep-state
> $CMD 00201 allow tcp from any to any     2628 out via $IFN setup keep-state
> $CMD 00202 allow tcp from any to any     1863 out via $IFN setup keep-state
> $CMD 00203 allow udp from any to any     1863 out via $IFN setup keep-state
> $CMD 00220 allow tcp from any to any      443 out via $IFN setup keep-state
> $CMD 00230 allow tcp from any to any       25 out via $IFN setup keep-state
> $CMD 00231 allow tcp from any to any      110 out via $IFN setup keep-state

> $CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root

Hmm.  I'm not sure if this is a good idea, but it's unrelated to the
denied packets you're seeing :-/

> $CMD 00250 allow icmp from any to any out via $IFN keep-state
> $CMD 00260 allow tcp from any to any       37 out via $IFN setup keep-state
> $CMD 00270 allow tcp from any to any      119 out via $IFN setup keep-state
> $CMD 00280 allow tcp from any to any       22 out via $IFN setup keep-state
> $CMD 00290 allow tcp from any to any       43 out via $IFN setup keep-state

> $CMD 00299 deny log all from any to any out via $IFN

> $CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
> $CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
> $CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN

You might want to also deny incoming packets from these addresses, or fall
back to the default firewall rule -- whatever that rule is ("deny log all"
in your case).

> $CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN

Hmmm, what is this address block supposed to be here for?

> #reserved for doc's#
> $CMD 00307 deny all from 204.152.64.0/23 to any in via $IFN

And this one?

> #* Deny ident *#
> $CMD 00315 deny tcp from any to any in via $IFN

A better approach that will avoid forcing everyone to wait until their
connection times out is to reply with an RST packet, which is the standard
way TCP would reply if no auth/ident service was running at all.

> #* Deny any late arriving packets *#
> $CMD 00330 deny all from any to any frag in via $IFN

Fragments are not late-arriving packets ;-)

> #* Reject & Log all incoming connections from the outside *#
> $CMD 00499 deny log all from any to any in via $IFN

This one is redundant, since it will only do the same as the one below:

> # Everything else is denied by default
> # DENY and LOG all packets that fell through to see what they are
> $CMD 00999 deny log all from any to any

> My basis for my rulesets are taken from:
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/

AFAIK, the author of the page is a reader of the list too.  I can't find
anything wrong with the syntax of your rules.  The only weird thing I noticed
were the two hard-wired address blocks I mentioned above.  Perhaps the author
of the initial ruleset can help you more ;)

- Giorgos
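The original poster's question was why "Deny" lines show up while mail and web traffic work. The following added example (not code from the thread) sorts logged denies by rule number, direction, protocol and destination port so each logged drop can be matched against the allow rules quoted above. It assumes the classic ipfw syslog line format ("ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"); the sample log lines are constructed, with made-up addresses and rule numbers borrowed from the ruleset above.

```python
import re
from collections import Counter

# Constructed sample lines in the classic ipfw(8) syslog format; the
# addresses, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
Aug  4 14:01:02 gw /kernel: ipfw: 299 Deny TCP 192.0.2.10:3453 198.51.100.5:6881 out via rl0
Aug  4 14:01:05 gw /kernel: ipfw: 299 Deny UDP 192.0.2.10:1027 198.51.100.9:137 out via rl0
Aug  4 14:01:09 gw /kernel: ipfw: 999 Deny TCP 203.0.113.7:44122 192.0.2.10:113 in via rl0
Aug  4 14:01:11 gw /kernel: ipfw: 999 Deny TCP 203.0.113.7:44123 192.0.2.10:113 in via rl0
Aug  4 14:01:20 gw /kernel: ipfw: 299 Deny TCP 192.0.2.10:3460 198.51.100.5:6881 out via rl0
Aug  4 14:01:21 gw /kernel: some unrelated kernel message
"""

# Regex for the assumed log format (see lead-in); non-matching lines are skipped.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Return one dict per recognised ipfw log line, with numeric fields as ints."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        e = m.groupdict()
        for key in ("rule", "sport", "dport"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def summarize_denies(entries):
    """Count 'Deny' entries by (rule, direction, proto, dst port).

    Denies on an outbound catch-all rule to ports no allow rule covers do not
    touch the mail or web sessions that earlier rules let through, which is why
    logged drops and working connectivity can both be true at once.
    """
    counts = Counter()
    for e in entries:
        if e["action"] == "Deny":
            counts[(e["rule"], e["dir"], e["proto"], e["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (rule, direction, proto, dport), n in sorted(summarize_denies(parse_ipfw_log(SAMPLE_LOG)).items()):
        print(f"rule {rule:5d} {direction:3s} {proto:4s} dport {dport:5d}: {n} packet(s)")
```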
