From: Ray Kohler
To: freebsd-questions@FreeBSD.ORG
Subject: Some questions about ipfw
Date: Tue, 22 Jan 2002 19:33:06 -0500
Message-ID: <0e9d45329001712FE6@Mail6.mgfairfax.rr.com>

I have a protect-this-client-only firewall set up here, and I'm not sure that my rules are good. It's very simple:

ipfw add allow ip from any to any via lo0          # loopback traffic
ipfw add allow tcp from me to any keep-state       # outbound TCP, create dynamic rule
ipfw add allow udp from me to any keep-state       # outbound UDP, create dynamic rule
ipfw add allow icmp from me to any keep-state      # outbound ICMP, create dynamic rule
ipfw add allow icmp from any to me icmptype 3      # inbound "destination unreachable"
ipfw add deny log ip from any to any               # everything else: drop and log

(No, I'm not using rc.firewall and not running natd.)

I intend to let anything out and nothing in that isn't part of an established connection (and of course the ICMP type 3 packets). I have 3 questions:

1) Why does the rc.firewall script use "setup" and "established" rules for tcp instead of keep-state like it does for udp?

2) Are these rules sufficient for my purpose?

3) I'm having trouble fetching ports even with FETCH_CMD=fetch -p set in make.conf. Eventually I get the file, but not until after a lot of servers are tried.
In my logs I see a lot of:

Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0

where the "from" IPs belong to about a dozen ftp servers I've tried, and the packet arrives a few minutes after fetch has given up on that server. (Why are these servers contacting me when I'm using passive ftp, anyway?)

Thanks to all for reading such a long post.

-- 
Ray Kohler
Lewis's Law of Travel:
The first piece of luggage out of the chute doesn't belong to anyone, ever.
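As an added example, not part of Ray's post and not FreeBSD's own tooling: a small POSIX sh/awk function that summarizes ipfw "Deny" log lines of the format quoted above, counting them per remote endpoint and local port, and tagging the remote port as the FTP control port (21), a high port (the kind a server-side passive-mode data port would use), or other. The function name ipfw_deny_summary and the SAMPLE_LOG lines are assumptions; the sample is constructed to match the lines in the post.

```shell
# Added example (not from the original post). Summarize syslog'd ipfw deny
# lines read on stdin. Layout of one line, by awk field number:
#   $1-$3 timestamp, $4 host, $5 "/kernel:", $6 "ipfw:", $7 rule number,
#   $8 action, $9 proto, $10 src:sport, $11 dst:dport, $12 direction,
#   $13 "via", $14 interface
ipfw_deny_summary() {
    awk '
        $6 == "ipfw:" && $8 == "Deny" {
            split($10, s, ":")   # remote address and port
            split($11, d, ":")   # local address and port
            # Classify the remote port: 21 is the FTP control port; a high
            # port is what a server uses for a passive-mode data connection.
            if (s[2] == 21)        role = "ftp-control"
            else if (s[2] > 1023)  role = "high-port"
            else                   role = "other"
            key = $9 " " s[1] ":" s[2] " -> local:" d[2] " " $12 " " $14 " " role
            n[key]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# Constructed sample matching the format in the post (not real captured data).
SAMPLE_LOG='Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0'

# Usage on a live system: grep 'ipfw:' /var/log/security | ipfw_deny_summary
# Usage on the sample:    printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_summary
```

Each output line is "count proto remote:port -> local:port direction iface role", most frequent first; repeated hits on the same local high port from one server's high port show up as a single line with a count, which makes it easy to see which peers keep sending after the client side has closed.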