From owner-freebsd-questions@FreeBSD.ORG Mon Jul 18 03:38:47 2005
From: Glenn Dawson
To: Jim Campbell, freebsd-questions@freebsd.org
Date: Sun, 17 Jul 2005 20:35:26 -0700
Subject: Re: Newbie IPFW Questions
Message-Id: <6.1.0.6.2.20050717202710.04300cc0@cobalt.antimatter.net>
In-Reply-To: <42DB1F87.3030206@charter.net>

At 08:18 PM 7/17/2005, Jim Campbell wrote:
>I have a machine set up as a classroom to learn about FreeBSD. It is
>running 4.11 primarily because anything later can't see my hard drive.
>
>As background, my FBSD machine has an address of 192.168.1.110. It is
>situated behind a hardware firewall (a Linksys router). $pif is vr0.
>
>I'm having problems setting up IPFW to communicate with an Onion router.
>The puzzling part is that I am able to use the Onion router, but my
>/var/log/security file says that some of the packets are being dropped.
>
>Following is what I hope are the pertinent lines from my /etc/ipfw.rules
>file:
>
>$cmd 00225 allow tcp from me to any 9001-9033 out via $pif setup keep-state
>$cmd 00299 deny log all from me to any out via $pif
>$cmd 00332 deny log tcp from any to me established in via $pif
>
>Next is an excerpt from the /var/log/security file:
>
>Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218 128.148.34.133:9001 out via vr0
>Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959 131.175.189.134:9001 out via vr0
>Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001 192.168.1.110:2218 in via vr0
>Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030 192.168.1.110:4566 in via vr0
>
>Now my questions. First, why isn't rule 225 allowing all the packets out
>to the Onion router? It seems to me that ipfw should allow all packets
>in the port range 9001-9033 out, or none.

Rule 225 will only match the packets used to set up the TCP session; once
it's established, you need another rule that will allow the established
session to function. Rule 299 is denying everything from leaving your
machine except for the packets allowed by rule 225.

>Next, the two inbound packets should be returning in response to an
>outbound packet. Why are they being dropped? Are they exceeding some
>timeout?

Rule 332 is denying all established traffic from entering your machine.
So, while rule 225 allows you to establish a TCP session with another
system on ports 9001-9033, once the session is established, rule 225 no
longer applies and rule 332 is then throwing all those packets away.

-Glenn

>Thanks in advance.
>
>Jim Campbell
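As an added example (not part of the original thread, and not Jim's or Glenn's code), here is a small Python parser for the /var/log/security lines quoted above. It counts denied packets per rule number and flags TCP sessions that were denied in both directions, which is the symptom Glenn describes: the setup packet got through the keep-state rule but later packets of the same session hit the deny rules. The log line format is assumed to match the lines quoted in the message.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the four /var/log/security lines quoted in the message above.
SAMPLE_LOG = """\
Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218 128.148.34.133:9001 out via vr0
Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959 131.175.189.134:9001 out via vr0
Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001 192.168.1.110:2218 in via vr0
Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030 192.168.1.110:4566 in via vr0
"""

# Assumed format, taken from the quoted lines:
# "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse(log):
    """Return one dict per ipfw log line; lines that are not ipfw entries are skipped."""
    events = []
    for line in log.splitlines():
        m = IPFW_RE.search(line)
        if m:
            e = m.groupdict()
            for field in ("rule", "sport", "dport"):
                e[field] = int(e[field])
            events.append(e)
    return events


def drops_by_rule(events):
    """Count denied packets per rule number so the rule doing the damage is obvious."""
    return Counter(e["rule"] for e in events if e["action"] == "Deny")


def flow_key(e):
    """Direction-independent key for a TCP connection, local side first."""
    if e["dir"] == "out":
        return (e["src"], e["sport"], e["dst"], e["dport"])
    return (e["dst"], e["dport"], e["src"], e["sport"])


def broken_sessions(events):
    """Flows denied in BOTH directions: the handshake was admitted by the keep-state
    setup rule, but later packets of the same session were dropped by later deny rules.
    Returns a set of (local_ip, local_port, remote_ip, remote_port)."""
    dirs = defaultdict(set)
    for e in events:
        if e["action"] == "Deny" and e["proto"] == "TCP":
            dirs[flow_key(e)].add(e["dir"])
    return {k for k, d in dirs.items() if d == {"in", "out"}}
```

Running it over the quoted excerpt reports two drops each for rules 299 and 332 and one session (local port 2218 to 128.148.34.133:9001) denied on both legs.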