Date: Mon, 10 Aug 1998 16:39:27 -0600 From: "Aaron D. Gifford" <agifford@infowest.com> To: questions@FreeBSD.ORG, stable@FreeBSD.ORG Subject: ipfw problem??? Message-ID: <35CF769F.68C80A22@infowest.com>
next in thread | raw e-mail | index | archive | help
Hello,
Something's weird with my ipfw setup. It seems to work perfectly as I
expected except for this tiny bit of weirdness. My ipfw setup lets me
ping and traceroute and telnet to my heart's content EXCEPT when the
remote address is within the same class C address space as my own
dynamically assigned IP number. Then I get "sendto: Permission denied."
errors left and right. Why is this? I checked my netmask via 'netstat
-in' and sure enough, my netmask is 255.255.255.255. What's going on
here? Looking at the output of 'ipfw -at list' shows me that the
packets are hitting the FINAL deny statement. But when I
ping/traceroute/telnet to other addresses, everything works just fine.
I'm running 2.2.7-STABLE as of July 25th. I've included my
/etc/rc.firewall script below that shows my configuration, but I really
don't think this is an ipfw config problem.
Puzzled,
Aaron out.
---------/etc/rc.firewall----------
# Is the ipfw_mod module already loaded:
mod=`/usr/bin/modstat -n ipfw_mod | /usr/bin/grep ipfw_mod |
/usr/bin/awk '{print $8;}'`
if [ "X${mod}" != "Xipfw_mod" ]; then
# Load the ipfw kernel module
/sbin/modload /lkm/ipfw_mod.o
fi
# Flush out the list before we begin.
/sbin/ipfw -f flush
# Learn what IP address our ISP has assigned (we dial out on tun0):
ip=`/usr/bin/netstat -in | /usr/bin/perl -ne 'print $1 if(
/^tun0\s+[0-9]+\s+[0-9\.]+\s+([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s+/
);'`
# My external interface:
extern="tun0"
# My loopback interface:
loop="lo0"
# Deny obviously spoofed packets:
/sbin/ipfw add deny log all from 127.0.0.1 to any via ${extern}
/sbin/ipfw add deny log all from ${ip} to any in via ${extern}
/sbin/ipfw add deny log all from 192.168.0.0:255.255.0.0 to any
/sbin/ipfw add deny log all from 172.16.0.0:255.240.0.0 to any
/sbin/ipfw add deny log all from 10.0.0.0:255.0.0.0 to any
# Pass normal localhost traffic:
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from ${ip} to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from 127.0.0.1 to ${ip} via ${loop}
/sbin/ipfw add pass all from ${ip} to ${ip} via ${loop}
# Deny everything else via the loopback:
/sbin/ipfw add deny all from any to any via ${loop}
# Pass established TCP connections:
/sbin/ipfw add pass tcp from any to ${ip} in via ${extern} established
/sbin/ipfw add pass tcp from ${ip} to any out via ${extern} established
# Pass outgoing new TCP session setup packets:
/sbin/ipfw add pass tcp from ${ip} to any setup
# Deny all other TCP connection setup attempts:
/sbin/ipfw add deny log tcp from any to any setup
# Pass outgoing DNS queries:
/sbin/ipfw add pass udp from ${ip} to any 53 out via ${extern}
# Pass incoming DNS replies:
# (This sure is ugly! It allows someone to do a udp portscan from port
53.)
/sbin/ipfw add pass udp from any 53 to ${ip} in via ${extern}
# Pass outgoing NTP queries:
/sbin/ipfw add pass udp from ${ip} to any 123 out via ${extern}
# Pass incoming NTP replies:
# (This sure is ugly! It allows someone to do a udp portscan from port
123.)
/sbin/ipfw add pass udp from any 123 to ${ip} in via ${extern}
# Pass any UDP we decide to send (ala ping):
/sbin/ipfw add pass udp from ${ip} to any out via ${extern}
# Pass outgoing ICMP packets:
/sbin/ipfw add pass icmp from ${ip} to any out via ${extern}
# Pass incoming ICMP packets:
/sbin/ipfw add pass icmp from any to ${ip} in via ${extern}
# Toast EVERYTHING else:
/sbin/ipfw add deny log all from any to any
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?35CF769F.68C80A22>