Date: Sat, 26 Jul 2003 22:02:08 -0700 (PDT)
From: Charlie Schluting <charlie@schluting.com>
To: freebsd-questions@freebsd.org
Subject: ipfw intricacies?
Message-ID: <20030726214015.J82922@cheshire.cat.pdx.edu>
Hi,

I have a fbsd box that runs its own firewall.. and tonight I learned my lesson about trying to configure it remotely :)

Anyways, I'm trying to find some better documentation. The manpage says nothing about what options it can take in this example:

00903 allow igmp from any to any
00904 allow udp from any to any dst-port 520

I found out that I can allow igmp because I just tried it and it worked... and as you can see on the next line, I'm allowing RIP by the port because "allow rip" doesn't work. I have not been able to find a list of commands that it can take, so I was hoping someone had a link :)

#2: I converted to stateful filtering. If anyone sees anything wrong with my config, I'd be grateful for some feedback. Basically, I'm trying to allow anything out of this box, and allow anything in below port 1024, with the few exceptions shown below.

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00800 check-state
00900 allow ip from any to any out xmit fxp0 keep-state
00901 allow ip from any to any via fxp0 established
00902 allow pim from any to any
00903 allow igmp from any to any
00904 allow udp from any to any dst-port 520
01001 allow icmp from any to any
01002 allow ip from any to any in dst-port 1-1024 keep-state
01003 allow ip from my.block.0.0/16 to any dst-port 2049
07000 deny tcp from any to any dst-port 6001
08000 deny udp from any to any dst-port 1985
30000 deny log ip from any to any

<whining>
One weirdness that really drove me crazy was when I tried to keep my allow rule in place like this:

[ normal rules go here, without the 30000 deny ]
60000 allow log ip from any to any keep-state

My purpose was to log anything that actually hit that rule, and try to figure out what I wasn't covering above (before actually using the 'deny' rule). I put the keep-state on there so I could see what was happening with `ipfw -d show`.

BAD idea :) It seems the check-state will skip all other rules and first look for any limit or keep-state rules? Very odd. When I removed the keep-state, it started working as I'd hoped, and rule 60000 was never hit. I really don't fully understand what was happening there. IP filter on my home firewall seemed much simpler for some reason.
</whining>

--Charlie
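An added example, not code from the thread or from ipfw itself, that models ipfw's documented check-state/keep-state semantics in Python: a packet that matches a dynamic entry is handled by the action of the rule that created that entry, and keep-state rules consult the dynamic table implicitly. Run over a reduced version of the post's ruleset, it shows why a catch-all `allow ... keep-state` ends up charged with every later packet of a flow it admitted, which is what makes a final `deny` (or a `count` rule, which creates no state) the safer diagnostic; the packet, addresses and rule subset are constructed assumptions.

```python
# Toy model of ipfw's first-match evaluation with check-state / keep-state.
# Not ipfw source: rules, packets and the flow key are simplified and constructed.
from dataclasses import dataclass

@dataclass
class Rule:
    num: int
    action: str           # "allow", "deny" or "check-state"
    match: object = None  # predicate over a packet dict; None matches anything
    keep_state: bool = False

def flow(p):
    # direction-independent key so later packets of the flow find the entry
    ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return (p["proto"],) + ends[0] + ends[1]

def process(rules, dynamic, p):
    """Return (verdict, rule charged, rule where the decision was made);
    dynamic maps flow keys to the rule that created the state entry."""
    for r in rules:
        # check-state, and implicitly every keep-state rule, consults the
        # dynamic table first; a hit runs the action of the creating rule
        if r.action == "check-state" or r.keep_state:
            parent = dynamic.get(flow(p))
            if parent is not None:
                return parent.action, parent.num, r.num
            if r.action == "check-state":
                continue
        if r.match is not None and not r.match(p):
            continue
        if r.keep_state:
            dynamic[flow(p)] = r
        return r.action, r.num, r.num
    return "deny", 65535, 65535  # ipfw's implicit default rule

def trace(last_rule):
    """Run two packets of a constructed inbound high-port UDP flow through a
    reduced version of the post's ruleset that ends with last_rule."""
    rules = [Rule(800, "check-state"),
             Rule(900, "allow", lambda p: p["dir"] == "out", keep_state=True),
             Rule(1002, "allow", lambda p: p["dir"] == "in" and p["dport"] <= 1024,
                  keep_state=True),
             last_rule]
    pkt = {"proto": "udp", "src": "198.51.100.7", "sport": 40000,
           "dst": "192.0.2.1", "dport": 5000, "dir": "in"}  # constructed packet
    dynamic = {}
    return [process(rules, dynamic, pkt), process(rules, dynamic, pkt)]

# Author's rule: packet 2 is decided at 800 by state yet charged to 60000
with_state = trace(Rule(60000, "allow", keep_state=True))
# -> [('allow', 60000, 60000), ('allow', 60000, 800)]
```

Compare `trace(Rule(60000, "allow"))`, where both packets fall through to rule 60000 on their own, and `trace(Rule(30000, "deny"))`, where nothing is admitted and no state is created.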