From owner-freebsd-questions Tue Jan 22 17: 4:52 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from smnolde.com (att-98-60-141.atl.mediaone.net [24.98.60.141]) by hub.freebsd.org (Postfix) with ESMTP id DC17137B400 for ; Tue, 22 Jan 2002 17:04:46 -0800 (PST)
Received: from bsd ([192.168.10.7]) by smnolde.com with esmtp (Exim 3.30 #1) id 16TBqJ-000PPp-00; Tue, 22 Jan 2002 20:04:47 -0500
Date: Tue, 22 Jan 2002 20:04:46 -0500 (EST)
From: Scott Nolde
To: Ray Kohler
Cc:
Subject: Re: Some questions about ipfw
In-Reply-To: <0e9d45329001712FE6@Mail6.mgfairfax.rr.com>
Message-ID: <20020122200126.A48937-100000@bsd.smnolde.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Thus sayeth the previous author:

>Date: Tue, 22 Jan 2002 19:33:06 -0500
>From: Ray Kohler
>To: freebsd-questions@FreeBSD.ORG
>Subject: Some questions about ipfw
>
>I have a protect-this-client-only firewall set up here,
>and I'm not sure that my rules are good. It's very simple:
>
>ipfw add allow ip from any to any via lo0
>ipfw add allow tcp from me to any keep-state
>ipfw add allow udp from me to any keep-state
>ipfw add allow icmp from me to any keep-state
>ipfw add allow icmp from any to me icmptype 3
>ipfw add deny log ip from any to any
>
>(No, I'm not using rc.firewall and not running natd.) I
>intend to let anything out and nothing in that isn't part
>of an established connection (and of course the ICMP type 3 packets).

Perhaps you should use rc.firewall. firewall_type="CLIENT" is a good start.

>I have 3 questions:
>
>1) Why does the rc.firewall script use "setup" and "established" rules
>for tcp instead of keep-state like it does for udp?

Setup will allow the SYN packet through and established lets the rest of the session's packets through.

>2) Are these rules sufficient for my purpose?
You have essentially allowed your computer to send, but not receive.

>3) I'm having trouble fetching ports even with
>FETCH_CMD= fetch -p set in make.conf. Eventually I get the file,
>but not until after a lot of servers are tried. In my logs I see a lot of:
>
>Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
>Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
>Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
>Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
>
>where the "from" IPs belong to the about a dozen ftp servers I've tried,
>and the packet arrives a few minutes after fetch has given up on that server.
>(Why are these servers contacting me anyway when I'm using passive
>ftp, anyway?)

This is a normal response after instituting the rules you've set forth.

>
>Thanks to all for reading such a long post.
>

np

>Ray Kohler

Scott Nolde
GPG Key 0xD869AB48
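An added example, written for this page and not code from either poster or from FreeBSD's rc.firewall: a small sh script that previews the stateful client ruleset through a ${fwcmd} variable the way rc.firewall does (adding an explicit check-state rule and restricting TCP state creation to SYNs with setup), and an awk pass over ipfw Deny log lines in the format quoted above that separates inbound packets aimed at one of this host's ephemeral ports (replies to connections this host opened, arriving after the dynamic rule is gone) from genuinely unsolicited ones. Assumptions are marked in the code: the 1024-5000 ephemeral range is FreeBSD's default of the time (check net.inet.ip.portrange.first and .last), the four log lines are copies of the quoted ones, and the fifth line (10.0.0.5 probing port 22) is constructed for contrast.

```shell
#!/bin/sh
# Added example, not part of the thread: preview a stateful ipfw client
# ruleset the way rc.firewall does (through ${fwcmd}), and summarize ipfw
# "Deny" log lines to see which inbound packets were replies to connections
# this host opened.  Dry-run (echo) by default; run as root with
# fwcmd='ipfw -q' to actually load the rules.

fwcmd="${fwcmd:-echo}"

client_ruleset() {
    $fwcmd -f flush
    # Packets matching a dynamic rule (created by keep-state below) are
    # accepted here before any other rule is consulted.
    $fwcmd add 100 check-state
    $fwcmd add 200 allow ip from any to any via lo0
    # 'setup' limits state creation to an outbound SYN from this host;
    # without it any outbound segment (a stray ACK, say) would open state.
    $fwcmd add 300 allow tcp from me to any setup keep-state
    $fwcmd add 400 allow udp from me to any keep-state
    $fwcmd add 500 allow icmp from me to any keep-state
    # Destination Unreachable must get in or path-MTU discovery and
    # "connection refused" stop working.
    $fwcmd add 550 allow icmp from any to me icmptype 3
    $fwcmd add 600 deny log ip from any to any
}

# Constructed sample in the format of the quoted log lines; the last line
# (10.0.0.5 probing port 22) is made up to show the contrast.
SAMPLE_LOG='Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:21:02 B1M1X9 /kernel: ipfw: 600 Deny TCP 10.0.0.5:4444 24.163.113.25:22 in via rl0'

# summarize_denies: read ipfw log lines on stdin and print
#   <hits> <rule> <proto> <remote addr:port> -> <local port> <verdict>
# for each inbound Deny.  Assumption: this host picks source ports from the
# default ephemeral range 1024-5000 (net.inet.ip.portrange.first/last), so
# an inbound packet to such a port is a reply to a connection this host
# opened whose dynamic rule no longer exists, not an attempt to connect in.
summarize_denies() {
    awk '
    $6 == "ipfw:" && $8 == "Deny" && $12 == "in" {
        split($10, r, ":"); split($11, l, ":")
        key = $7 " " $9 " " r[1] ":" r[2] " -> " l[2]
        hits[key]++
        verdict[key] = (l[2] + 0 >= 1024 && l[2] + 0 <= 5000) ? "late-reply" : "unsolicited"
    }
    END { for (k in hits) printf "%d %s %s\n", hits[k], k, verdict[k] }
    ' | sort -rn
}

echo "# ruleset preview (fwcmd=$fwcmd):"
client_ruleset
echo "# denied inbound packets by peer:"
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Run it once with no environment to see what would be loaded, then as root with fwcmd='ipfw -q' (the ipfw -q flag suppresses the per-rule echo, as rc.firewall relies on). Two things the output points at. The "late-reply" lines fit the timing in the quoted log: a dynamic rule created by keep-state is dropped on its own after net.inet.ip.fw.dyn_ack_lifetime (300 seconds by default) of idleness, or dyn_fin_lifetime (1 second) once the connection has been closed, so a retransmitted or delayed segment from an FTP server that shows up minutes later has no state left to match and falls through to rule 600; it is logged, not a sign that anything got in. On question 1, the ipfw established option matches any TCP segment with the ACK or RST bit set and keeps no state, so a setup/established pair will pass ACK-flagged probes to closed ports (the kernel answers them with RST, which tells a scanner the host is up), whereas keep-state only passes segments belonging to a connection this host actually opened.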