Date:      Fri, 29 Jan 1999 17:31:15 -0600
From:      john@dexter.starfire.mn.org (John Lind)
To:        freebsd-questions@FreeBSD.ORG
Subject:   Fwd: Re: ipfw question
Message-ID:  <Mutt.19990129173115.john@dexter.starfire.mn.org>

On Thu, 28 Jan 1999, John Lind wrote:
> I've built a few firewalls now, and they work fine, but I'm having a problem
> with FreeBSD 2.2.7.  I have a list of just seven rules that demonstrates
> the problem.  It is probably something of a "duh!" or no-brain nature,
> but I don't have anyone else firewall-literate to run this past.  Would
> someone with some firewall experience be able to give me a hand?  Once
> I get beyond this mental block, I don't believe I'll have any more trouble
> with this firewall than with past ones I've built.

I've been encouraged to post the rules to the list, so I'll describe the
situation and do so.

We have two subnets routed to a Cisco 675 (aDSL).  The 657 is
137.192.130.30.  The FreeBSD box is 137.192.130.29 on that net,
and the other NIC is 137.192.130.22 on the internal or "protected"
net.  The netmask on both nets is 255.255.255.248.

The system we are most trying to protect on the internal net is a
UnixWare system (good grief, I hope that they aren't doing something
weird with TCP that's causing all this!), which is at IP 137.192.130.20.
When I use the "open" ruleset, I have full access to that system
(and so does everyone else).  Just for reference, that's

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any 

Since I have full access from anywhere on the Internet to the internal
systems with this ruleset, I know that IP forwarding is working.

When I try to do any filtering at all, I lose all access to the UnixWare
system.  The ultimate goal is to have Web access to that system, but
to restrict access for everything else to a few selected IPs.  The
following ruleset isn't nearly that complicated -- I've stripped it
'way down -- my understanding is that this SHOULD allow Web access
to this system, and nothing else, but instead, I get nothing at all.
I have a test script that installs this, and then if I don't break out
of it, it installs the "open" set again, and as soon as "open" gets
reinstalled, the web accesses that were hanging all proceed.

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
01000 allow tcp from any to any established
01200 allow tcp from any to 137.192.130.20 80 setup
01300 allow tcp from 137.192.130.16/29 to any setup
01410 allow tcp from any to any 25 setup
01420 allow tcp from any to any 53 setup
01421 allow udp from any to any 53
01430 allow icmp from any to any

I've tried replacing 01200 with "to 137.192.130.20 80" (no "setup"),
and with simply "to 137.192.130.20" (no port, just for testing) and it
works the same.  I also tried port 23 and tested with telnet, with the
same results -- it just hangs until the script times out and restores
open access.

When I do a netstat -n, I always see the connection state as "ESTABLISHED"
which tells me it should be working!!!

Whatever I'm missing, folks, please clue me in!

Thanks.
-- 

		 John Lind, Starfire Consulting Services
E-mail: john@starfire.MN.ORG	    USnail: PO Box 17247, Mpls MN  55417
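
An added example, not from the post above and not FreeBSD's own ipfw code: a small Python first-match simulator for the rule syntax quoted in the message, so a ruleset can be traced packet by packet before it is loaded on a remote box. It covers only the subset of ipfw syntax these rules use (single ports, "via", "setup", "established"), assumes ipfw's documented meanings of setup (SYN without ACK) and established (ACK or RST set), and the addresses and interface names in the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network
RULESET = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
01000 allow tcp from any to any established
01200 allow tcp from any to 137.192.130.20 80 setup
01300 allow tcp from 137.192.130.16/29 to any setup
01410 allow tcp from any to any 25 setup
01420 allow tcp from any to any 53 setup
01421 allow udp from any to any 53
01430 allow icmp from any to any
65535 deny ip from any to any
"""

def parse_rule(line):
    """Parse 'NNN action proto from src [port] to dst [port] [via IF] [setup|established]'."""
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[1], "proto": tok[2], "src": tok[4], "sport": None,
            "dst": None, "dport": None, "via": None, "setup": False, "established": False}
    i = 5
    if tok[i].isdigit():                      # optional single source port
        rule["sport"], i = int(tok[i]), i + 1
    rule["dst"], i = tok[i + 1], i + 2        # skip the 'to' keyword
    if i < len(tok) and tok[i].isdigit():     # optional single destination port
        rule["dport"], i = int(tok[i]), i + 1
    while i < len(tok):                       # trailing options
        if tok[i] == "via":
            rule["via"], i = tok[i + 1], i + 1
        else:
            rule[tok[i]] = True               # 'setup' or 'established'
        i += 1
    return rule
def addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(rule, pkt):
    """pkt: dict with proto, src, dst and optional sport, dport, iface, flags (a set)."""
    flags = pkt.get("flags", set())
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
            and rule["sport"] in (None, pkt.get("sport")) and rule["dport"] in (None, pkt.get("dport"))
            and rule["via"] in (None, pkt.get("iface"))
            and (not rule["setup"] or ("SYN" in flags and "ACK" not in flags))   # ipfw 'setup'
            and (not rule["established"] or bool(flags & {"ACK", "RST"})))       # ipfw 'established'
def first_match(pkt, ruleset=RULESET):
    """Return (number, action) of the first rule the packet hits, as ipfw's first-match does."""
    for rule in map(parse_rule, ruleset.strip().splitlines()):
        if matches(rule, pkt):
            return rule["num"], rule["action"]
```

Tracing the Web exchange this way shows the client's SYN hitting 01200 and the server's SYN/ACK hitting 01000, while a telnet SYN from outside falls through to 65535; anything the trace allows but the live box drops points at something outside the rule text itself.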
