From owner-freebsd-questions@FreeBSD.ORG Wed Aug 4 12:05:37 2004
Date: Wed, 4 Aug 2004 14:06:09 +0300
From: Giorgos Keramidas
To: Srot BULL
cc: freebsd-questions@freebsd.org
Subject: Re: IPFW - Allowed but Denied is shown in my logs
Message-ID: <20040804110609.GA4366@orion.daedalusnetworks.priv>
References: <41109ABF.4090904@me.point.ne.jp> <20040804103848.GA31620@orion.daedalusnetworks.priv> <4110C905.4080108@me.point.ne.jp>
In-Reply-To: <4110C905.4080108@me.point.ne.jp>

On 2004-08-04 20:31, Srot BULL wrote:
> Giorgos Keramidas wrote:
>> On 2004-08-04 17:13, Srot BULL wrote:
>>> Why are the above firewall logs telling me that it has denied my TCP
>>> packets and yet I am not experiencing any problems in my emails and
>>> access to the internet through port 80? [...]
>>
>> Show us the full ruleset. Otherwise we're just guessing...
>
> # Flush out EVERYTHING first before starting
> ipfw -q -f flush
> CMD="ipfw -q add"
> IFN="rl0"
> $CMD 00010 allow all from any to any via lo0
> $CMD 00015 check-state
> $CMD 00099 allow tcp from any to any 6088 out via $IFN setup keep-state
> $CMD 00110 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
> $CMD 00111 allow udp from any to x.x.x.x 53 out via $IFN keep-state
> $CMD 00112 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
> $CMD 00113 allow udp from any to x.x.x.x 53 out via $IFN keep-state
> $CMD 00114 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
> $CMD 00115 allow udp from any to x.x.x.x 53 out via $IFN keep-state
> $CMD 00120 allow udp from any to x.x.x.x 67 out via $IFN keep-state
> $CMD 00200 allow tcp from any to any 80 out via $IFN setup keep-state
> $CMD 00201 allow tcp from any to any 2628 out via $IFN setup keep-state
> $CMD 00202 allow tcp from any to any 1863 out via $IFN setup keep-state
> $CMD 00203 allow udp from any to any 1863 out via $IFN setup keep-state
> $CMD 00220 allow tcp from any to any 443 out via $IFN setup keep-state
> $CMD 00230 allow tcp from any to any 25 out via $IFN setup keep-state
> $CMD 00231 allow tcp from any to any 110 out via $IFN setup keep-state
> $CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root

Hmm. I'm not sure if this is a good idea, but it's unrelated to the denied
packets you're seeing :-/

> $CMD 00250 allow icmp from any to any out via $IFN keep-state
> $CMD 00260 allow tcp from any to any 37 out via $IFN setup keep-state
> $CMD 00270 allow tcp from any to any 119 out via $IFN setup keep-state
> $CMD 00280 allow tcp from any to any 22 out via $IFN setup keep-state
> $CMD 00290 allow tcp from any to any 43 out via $IFN setup keep-state
> $CMD 00299 deny log all from any to any out via $IFN
> $CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
> $CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
> $CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN

You might want to also deny incoming packets from these addresses, or fall
back to the default firewall rule -- whatever that rule is ("deny log all"
in your case).

> $CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN

Hmmm, what is this address block supposed to be here for?

> #reserved for doc's#
> $CMD 00307 deny all from 204.152.64.0/23 to any in via $IFN

And this one?

> #* Deny ident *#
> $CMD 00315 deny tcp from any to any in via $IFN

A better approach that will avoid forcing everyone to wait until their
connections time out is to reply with an RST packet, which is the standard
way TCP would reply if no auth/ident service was running at all.

> #* Deny any late arriving packets *#
> $CMD 00330 deny all from any to any frag in via $IFN

Fragments are not late-arriving packets ;-)

> #* Reject & Log all incoming connections from the outside *#
> $CMD 00499 deny log all from any to any in via $IFN

This one is redundant, since it will only do the same as the one below:

> # Everything else is denied by default
> # DENY and LOG all packets that fell through to see what they are
> $CMD 00999 deny log all from any to any
>
> My basis for my rulesets is taken from:
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/

AFAIK, the author of the page is a reader of the list too.

I can't find anything wrong with the syntax of your rules. The only weird
thing I noticed was the two hard-wired address blocks I mentioned above.
Perhaps the author of the initial ruleset can help you more ;)

- Giorgos
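The changes suggested in this reply, as an added example that is not part of the original mail nor of the ruleset page it cites: a fragment of the quoted ruleset with the ident rule switched from `deny` to ipfw's `reset` action (which answers a matching TCP packet with a RST) on port 113, and the redundant rule 00499 removed. Rule numbers and the interface name rl0 come from the quoted ruleset; the `add` helper and the dry-run fallback (printing the commands when ipfw(8) is not installed, so the script can be reviewed on any box) are assumptions of this example. One thing to note when reading the quoted rule 00315: as written it carries no port, so it matches every inbound TCP packet, not just ident.

```shell
#!/bin/sh
# Added example, not the ruleset from the original mail. Rule numbers and the
# interface come from the quoted ruleset; the helper and dry-run mode are
# assumptions of this example.

# Command used to load rules. If ipfw(8) is not installed (any non-FreeBSD
# machine), fall back to printing the commands instead of applying them.
IPFW="${IPFW:-ipfw}"
command -v "${IPFW%% *}" >/dev/null 2>&1 || IPFW="echo ipfw"

IFN="rl0"

# $IPFW is deliberately unquoted so that "echo ipfw" splits into two words.
add() { $IPFW -q add "$@"; }

load_rules() {
    $IPFW -q -f flush

    add 00010 allow all from any to any via lo0
    add 00015 check-state

    # Outbound allow rules 00099-00290 from the quoted ruleset go here,
    # unchanged; anything else leaving via $IFN is denied and logged.
    add 00299 deny log all from any to any out via $IFN

    # Private address space never legitimately arrives on the external
    # interface (unchanged from the quoted ruleset).
    add 00300 deny all from 192.168.0.0/16 to any in via $IFN
    add 00301 deny all from 172.16.0.0/12 to any in via $IFN
    add 00302 deny all from 10.0.0.0/8 to any in via $IFN

    # Ident (TCP port 113): reset instead of deny, so remote mail and IRC
    # servers that probe ident get an immediate RST rather than waiting for
    # their probe to time out. The quoted rule 00315 named no port and so
    # matched every inbound TCP packet; this one is limited to 113.
    add 00315 reset tcp from any to any 113 in via $IFN

    # Fragments (not "late arriving" packets): dropped because they carry
    # no port information for the stateful rules to match against.
    add 00330 deny all from any to any frag in via $IFN

    # The quoted rule 00499 ("deny log all ... in via $IFN") is omitted:
    # rule 00999 already denies and logs everything that falls through.
    add 00999 deny log all from any to any
}

load_rules
```

Run it as root on the FreeBSD host to load the rules, or anywhere else to get a printed copy of the exact `ipfw add` lines for review; setting `IPFW="echo ipfw"` forces the dry run even where ipfw is installed.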