From owner-freebsd-questions@FreeBSD.ORG Fri Aug 6 04:54:54 2004
Date: Fri, 06 Aug 2004 13:54:05 +0900
From: SrotBULL
To: Giorgos Keramidas
cc: freebsd-questions@freebsd.org
Subject: Re: IPFW - Allowed but Denied is shown in my logs
Message-ID: <41130EED.4080401@me.point.ne.jp>
In-Reply-To: <20040804110609.GA4366@orion.daedalusnetworks.priv>
References: <41109ABF.4090904@me.point.ne.jp> <20040804103848.GA31620@orion.daedalusnetworks.priv> <4110C905.4080108@me.point.ne.jp> <20040804110609.GA4366@orion.daedalusnetworks.priv>
Reply-To: pwd8jmr22w@me.point.ne.jp
List-Id: User questions

Giorgos Keramidas wrote:
> On 2004-08-04 20:31, Srot BULL wrote:
>
>>> On 2004-08-04 17:13, Srot BULL wrote:
>>>
>>>> Why are the above firewall logs telling me that it has denied my TCP
>>>> packets and yet I am not experiencing any problems with my email and
>>>> access to the internet through port 80? [...]
>>>
>>> Giorgos Keramidas wrote:
>>> Show us the full ruleset. Otherwise we're just guessing...
>
>> $CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root
>
> Hmm. I'm not sure if this is a good idea, but it's unrelated to the
> denied packets you're seeing :-/

I will RTFM about this... Thank you.

>> $CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
>> $CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
>> $CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN
>
> You might want to also deny incoming packets from these addresses, or fall
> back to the default firewall rule -- whatever that rule is ("deny log all"
> in your case).

I think I can do this... I guess...

>> $CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN
>
> Hmmm, what is this address block supposed to be here for?

I am sorry, I only copied this ruleset from the article... I really need to get back to RTFM and read the article again... maybe I missed something.

>> #reserved for doc's#
>> $CMD 00307 deny all from 204.152.64.0/23 to any in via $IFN
>
> And this one?

This one too...

> A better approach that will avoid forcing everyone to wait until their
> connections time out is to reply with an RST packet, which is the standard
> way TCP would reply if no auth/ident service was running at all.

I need some reading to understand what you just advised... Thank you.

> Fragments are not late-arriving packets ;-)
>
>> #* Reject & Log all incoming connections from the outside *#
>> $CMD 00499 deny log all from any to any in via $IFN
>
> This one is redundant, since it will only do the same as the one below:

OK...

>> # Everything else is denied by default
>> # DENY and LOG all packets that fell through to see what they are
>> $CMD 00999 deny log all from any to any
>
>> My basis for my rulesets is taken from:
>> http://freebsd.a1poweruser.com:6088/FBSD_firewall/
>
> AFAIK, the author of the page is a reader of the list too. I can't find
> anything wrong with the syntax of your rules. The only weird thing I noticed
> were the two hard-wired address blocks I mentioned above. Perhaps the author
> of the initial ruleset can help you more ;)

It was kind enough of the author to drop me an email... and thank you for your advice too... I will base my rulesets on yours and other people's advice, and re-read that article for a better understanding... and maybe I can tune my rulesets more to better fit my system.

Have a nice day...

SrotBULL
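A consolidated version of the ruleset discussed in this thread, as an added example (not the poster's rules, nor the a1poweruser article's): it keeps the $CMD/$IFN convention of the quoted rules, answers ident probes with a TCP RST as Giorgos suggests, drops the redundant rule 00499, and adds a check-state rule so replies to the keep-state rule are matched. The function name build_ruleset, the default interface fxp0 and the dry-run default for $CMD are assumptions.

```shell
#!/bin/sh
# Dry-run ipfw ruleset builder (assumed names: build_ruleset, IFN, CMD).
# By default CMD only echoes the rules; set CMD="ipfw -q add" to load them.
IFN="${IFN:-fxp0}"              # external interface (assumed default)
CMD="${CMD:-echo ipfw -q add}"

build_ruleset() {
    # Packets belonging to an existing dynamic (keep-state) session are
    # admitted here, before any static rule is consulted. A reply that
    # arrives after its dynamic rule has expired no longer matches and
    # falls through to the final deny log rule; that is one way a working
    # connection can still produce "denied" log lines.
    $CMD 00100 check-state

    # Outbound TCP from this host; keep-state creates the dynamic rule that
    # admits the replies. The original "uid root" qualifier is left out: it
    # would match only packets from sockets owned by root.
    $CMD 00240 allow tcp from me to any out via $IFN setup keep-state

    # Private (RFC 1918) and link-local (169.254.0.0/16, RFC 3927) source
    # addresses should never arrive on the public interface.
    $CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
    $CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
    $CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN
    $CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN

    # Ident/auth (tcp/113) probes from remote mail servers: "reset" sends a
    # TCP RST instead of dropping silently, so the sender gets the same
    # answer it would get with no ident daemon and does not wait for a
    # connection timeout before delivering the mail.
    $CMD 00315 reset tcp from any to me 113 in via $IFN

    # The separate "deny log all from any to any in via $IFN" rule is gone:
    # it only duplicated the final rule below.

    # Everything that fell through is denied and logged.
    $CMD 00999 deny log all from any to any
}

rule_count() { build_ruleset | wc -l | tr -d ' '; }

build_ruleset
```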