Date:      Thu, 5 Aug 2004 04:27:23 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Srot BULL <pwd8jmr22w@me.point.ne.jp>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW - Allowed but Denied is shown in my logs
Message-ID:  <Pine.BSF.3.96.1040805035553.3887L-100000@gaia.nimnet.asn.au>
In-Reply-To: <20040804120103.2F9B316A4CF@hub.freebsd.org>

On Wed, 4 Aug 2004 freebsd-questions-request@freebsd.org wrote:
 > Message: 11
 > From: Srot BULL <pwd8jmr22w@me.point.ne.jp>

 > > Giorgos Keramidas wrote: 
 > > Show us the full ruleset.  Otherwise we're just guessing...
 > > 
 > My apologies, below is my complete ruleset:

[..]

 > #* Deny ident *#
 > $CMD 00315 deny tcp from any to any in via $IFN

I think perhaps you meant:

  $CMD 00315 deny tcp from any to any 113 in via $IFN

as yours denied all remaining TCP, making some rules below irrelevant,
including allows for www, ssh etc. if you ever wanted to enable these.

You'd also likely do better using reset rather than deny - assuming this
rule really was meant to block ident - to avoid timeout delays on mail.

 > #* Deny all Netbios service. 137=name, 138=datagram, 139=session *#
 > #* Netbios is MS/Windows sharing services. *#
 > #* Block MS/Windows hosts2 name server requests 81 *#
 > $CMD 00320 deny tcp from any to any 137 in via $IFN
 > $CMD 00321 deny tcp from any to any 138 in via $IFN
 > $CMD 00322 deny tcp from any to any 139 in via $IFN
 > $CMD 00323 deny tcp from any to any 81 in via $IFN

None of these or any other tcp .. in via $IFN rules below are ever seen.

[..]
 > #* Deny ACK packets that did not match the dynamic rule table *#
 > $CMD 00332 deny tcp from any to any established in via $IFN

That rule is also not seen ..

[..]
 > #* Reject & Log all incoming connections from the outside *#
 > $CMD 00499 deny log all from any to any in via $IFN

.. nor that one, for TCP packets ..

 > My basis for my rulesets are taken from:
 > http://freebsd.a1poweruser.com:6088/FBSD_firewall/

Cheers, Ian
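An added example, not part of the thread: a small Python checker for the subset of ipfw syntax quoted above that reports which later rules an any-to-any, port-less deny makes unreachable (ipfw stops at the first matching rule). The ruleset fragment is constructed to mirror the posted one; rule 499 is not reported because it still sees non-TCP traffic, which is Ian's "for TCP packets" caveat.

```python
import re

# Constructed ruleset fragment modelled on the one quoted in the thread:
# rule 315 lacks the destination port 113, so it matches all inbound TCP.
RULESET = """\
$CMD 00315 deny tcp from any to any in via $IFN
$CMD 00320 deny tcp from any to any 137 in via $IFN
$CMD 00322 deny tcp from any to any 139 in via $IFN
$CMD 00332 deny tcp from any to any established in via $IFN
$CMD 00499 deny log all from any to any in via $IFN
"""
# The same fragment with the port added, as the reply suggests.
FIXED = RULESET.replace("00315 deny tcp from any to any in",
                        "00315 deny tcp from any to any 113 in")

# Only the subset of ipfw syntax used in the quoted rules; other lines are skipped.
RULE_RE = re.compile(
    r"^\$CMD\s+(?P<num>\d+)\s+(?P<action>allow|deny|reset)(?:\s+log)?\s+"
    r"(?P<proto>tcp|udp|icmp|all)\s+from\s+any\s+to\s+any"
    r"(?:\s+(?P<port>\d+))?(?:\s+(?P<est>established))?"
    r"\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)\s*$")

def parse(ruleset):
    """Return one dict per recognised rule, in ruleset order."""
    rules = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["num"] = int(r["num"])
            r["port"] = int(r["port"]) if r["port"] else None
            r["est"] = r["est"] is not None
            rules.append(r)
    return rules

def covers(earlier, later):
    """True if the earlier rule consumes every packet the later one could match:
    same direction/interface, no port, no 'established', protocol 'all' or equal."""
    return (earlier["dir"] == later["dir"] and earlier["iface"] == later["iface"]
            and earlier["port"] is None and not earlier["est"]
            and earlier["proto"] in ("all", later["proto"]))

def shadowed(rules):
    """Map each unreachable rule number to the earlier rule that hides it."""
    hidden = {}
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if covers(e, r):
                hidden[r["num"]] = e["num"]
                break
    return hidden
```

Running `shadowed(parse(RULESET))` gives `{320: 315, 322: 315, 332: 315}`, while `shadowed(parse(FIXED))` is empty, since the port-qualified rule 315 no longer swallows the rest.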