Date:      Fri, 29 Jan 1999 23:10:10 -0600
From:      john@dexter.starfire.mn.org (John Lind)
To:        dan@dpcsys.com (Dan Busarow)
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Fwd: Re: ipfw question
Message-ID:  <Mutt.19990129231010.john@dexter.starfire.mn.org>
In-Reply-To: <Pine.BSF.3.96.990129163348.17117A-100000@java.dpcsys.com>; from Dan Busarow on Jan 29, 1999 16:36:18 -0800
References:  <Mutt.19990129173115.john@dexter.starfire.mn.org> <Pine.BSF.3.96.990129163348.17117A-100000@java.dpcsys.com>

Dan Busarow writes:
> On Fri, 29 Jan 1999, John Lind wrote:
> > We have two subnets routed to a Cisco 675 (aDSL).  The 657 is
> > 137.192.130.30.  The FreeBSD box is 137.192.130.29 on that net,
> > and the other NIC is 137.192.130.22 on the internal or "protected"
> > net.  The netmask on both nets is 255.255.255.248.
> > 
> > The system we are most trying to protect on the internal net is a
> > UnixWare system (good grief, I hope that they aren't doing something
> > weird with TCP that's causing all this!), which is at IP 137.192.130.20.
> > When I use the "open" ruleset, I have full access to that system
> > (and so does everyone else).  Just for reference, that's
> > 
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 65000 allow ip from any to any
> > 65535 deny ip from any to any 
> > 
> > Since I have full access from anywhere on the Internet to the internal
> > systems with this ruleset, I know that IP forwarding is working.
> > 
> > When I try to do any filtering at all, I lose all access to the UnixWare
> > system.  The ultimate goal is to have Web access to that system, but
> > to restrict access for everything else to a few selected IP's.  The
> > following ruleset isn't nearly that complicated -- I've stripped it
> > 'way down -- my understanding is that this SHOULD allow Web access
> > to this system, and nothing else, but instead, I get nothing at all.
> > I have a test script that installs this, and then if I don't break out
> > of it, it installs the "open" set again, and as soon as "open" gets
> > reinstalled, the web accesses that were hanging all proceed.
> > 
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 01000 allow tcp from any to any established
> > 01200 allow tcp from any to 137.192.130.20 80 setup
> > 01300 allow tcp from 137.192.130.16/29 to any setup
> 
> Try changing the /29 to /28
> You aren't letting setup out via 137.192.130.29 and so he can't forward
> the packets.

OK.  I first tried adding
1010 allow tcp from 139.192.130.29 to any setup
because it seemed to be more nearly exactly what was called for, and that
did nothing, so then I tried exactly what you suggested, and now the system
is unreachable to me -- don't know what happened -- I'll ask someone near
the system to reboot it and see if I can figure out What Went Wrong.

Thanks for your response!

> > 01410 allow tcp from any to any 25 setup
> > 01420 allow tcp from any to any 53 setup
> > 01421 allow udp from any to any 53
> > 01430 allow icmp from any to any
> > 
> > I've tried replacing 01200 with "to 137.192.130.20 80" (no "setup"),
> > and with simply "to 137.192.130.20" (no port, just for testing) and it
> > works the same.  I also tried port 23 and tested with telnet, with the
> > same results -- it just hangs until the script times out and restores
> > open access.
> > 
> > When I do a netstat -n, I always see the connection state as "ESTABLISHED"
> > which tells me, it should be working!!!
> 
> Dan
> -- 
>  Dan Busarow                                                  949 443 4172
>  Dana Point Communications, Inc.                            dan@dpcsys.com
>  Dana Point, California  83 09 EF 59 E0 11 89 B4   8D 09 DB FD E1 DD 0C 82
> 

-- 

		 John Lind, Starfire Consulting Services
E-mail: john@starfire.MN.ORG	    USnail: PO Box 17247, Mpls MN  55417
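The ruleset quoted in the thread, and Dan's /29 versus /28 point, traced through a small first-match evaluator. This is an added illustration, not code from the thread or from FreeBSD's ipfw: it models only the keywords the quoted rules use (proto, host or CIDR src/dst, destination port, `setup`, `established`, `via`), and the outside client address 198.51.100.7 is a constructed sample value.

```python
"""Tiny first-match evaluator for the ipfw ruleset quoted in the thread (added
illustration, not ipfw code): it models only proto, src/dst (host or CIDR),
dst port, 'setup' (SYN and not ACK), 'established' (ACK or RST), 'via iface'."""
import ipaddress

def ruleset(internal_net="137.192.130.16/29"):
    """The quoted rules as (num, action, proto, src, dst, dport, flag, iface);
    Dan's suggestion is the same list with internal_net='137.192.130.16/28'."""
    return [
        (100,   "allow", "ip",   "any", "any",            None, None,          "lo0"),
        (200,   "deny",  "ip",   "any", "127.0.0.0/8",    None, None,          None),
        (1000,  "allow", "tcp",  "any", "any",            None, "established", None),
        (1200,  "allow", "tcp",  "any", "137.192.130.20", 80,   "setup",       None),
        (1300,  "allow", "tcp",  internal_net, "any",     None, "setup",       None),
        (1410,  "allow", "tcp",  "any", "any",            25,   "setup",       None),
        (1420,  "allow", "tcp",  "any", "any",            53,   "setup",       None),
        (1421,  "allow", "udp",  "any", "any",            53,   None,          None),
        (1430,  "allow", "icmp", "any", "any",            None, None,          None),
        (65535, "deny",  "ip",   "any", "any",            None, None,          None),
    ]

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    _, _, proto, src, dst, dport, flag, iface = rule
    syn, ack, rst = pkt.get("syn"), pkt.get("ack"), pkt.get("rst")
    return ((proto == "ip" or proto == pkt["proto"])
            and in_net(pkt["src"], src) and in_net(pkt["dst"], dst)
            and (dport is None or pkt.get("dport") == dport)
            and (iface is None or pkt.get("iface") == iface)
            and (flag != "setup" or (syn and not ack))
            and (flag != "established" or bool(ack or rst)))

def evaluate(pkt, rules=None):
    """Return (rule number, action) of the first rule the packet matches."""
    for rule in rules or ruleset():
        if matches(rule, pkt):
            return rule[0], rule[1]
    raise RuntimeError("rule 65535 always matches")

def tcp(src, dst, dport, syn=False, ack=False):
    """Constructed sample packet; 198.51.100.7 below stands in for an outside client."""
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "syn": syn, "ack": ack}

if __name__ == "__main__":
    client, web, fw = "198.51.100.7", "137.192.130.20", "137.192.130.29"
    print(evaluate(tcp(client, web, 80, syn=True)))               # (1200, 'allow')
    print(evaluate(tcp(web, client, 40000, syn=True, ack=True)))  # (1000, 'allow')
    print(evaluate(tcp(fw, client, 443, syn=True)))               # (65535, 'deny') with /29
    print(evaluate(tcp(fw, client, 443, syn=True), ruleset("137.192.130.16/28")))  # (1300, 'allow')
```

The last two calls show what the /29 does: a SYN sent by the firewall's own address, 137.192.130.29, is outside 137.192.130.16/29 and falls through to the default deny, while 137.192.130.16/28 covers .16 through .31 and lets it out.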
