Date: Sat, 29 Jan 2005 23:37:26 +0100
From: "Gerard Meijer" <gmeijer@palmweb.nl>
To: "Vahric MUHTARYAN" <vahric@doruk.net.tr>, <freebsd-ipfw@freebsd.org>
Subject: Re: ipfw statefull ruleset problem
Message-ID: <096c01c50653$1c660f30$9600000a@guus>
References: <200501292221.j0TMLnQ3016409@smtp.doruk.net.tr>
Okay, I understand. But that doesn't solve the problem, right? I think that what you say is more or less the same as what I have:

you say:  500 check-state
I have:   00015 check-state

you say:  1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
I have:   00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2

The rule I don't have is your 1204, outbound through port 20. I don't know why you have that one.

My problem is that the initialization goes okay, but then the other PC seems to switch ports and the connection is denied.

I think I just understand you wrong. Sorry for that. I really appreciate your help, but can you explain what is different between the rules you have and the ones I have, and why yours should work and mine don't?

Thanks!

----- Original Message -----
From: "Vahric MUHTARYAN" <vahric@doruk.net.tr>
To: "'Gerard Meijer'" <gmeijer@palmweb.nl>; <freebsd-ipfw@freebsd.org>
Sent: Saturday, January 29, 2005 11:22 PM
Subject: RE: ipfw statefull ruleset problem

> No no,
>
> 400 will drop all fragmented packages
> 500 will provide you state check
> 600 will deny all established (because we don't want any established
> packets to pass the firewall; we want to check all packets' state, and also
> did it at 500)
> 1100 will allow ftp connection to your ip address
> 1204 allow your machine to turn client for data transfer
>
> Pls see active ftp from this address: http://slacksite.com/other/ftp.html
>
> For pop3 connection and for smtp connection use those.
>
> ${fwcmd} add 1000 pass tcp from any to ${intip} 110 in via ${int} setup
> keep-state
>
> With this you can make a pop3 connection ......
>
> ${fwcmd} add 1001 pass tcp from any to ${intip} 25 in via ${int} setup
> keep-state
>
> With this you can make a smtp connection to your server
>
> Vahric
>
> -----Original Message-----
> From: Gerard Meijer [mailto:gmeijer@palmweb.nl]
> Sent: Sunday, January 30, 2005 12:06 AM
> To: Vahric MUHTARYAN; freebsd-ipfw@freebsd.org
> Subject: Re: ipfw statefull ruleset problem
>
> Do you mean that I should change 'allow' to 'pass'? What exactly does
> pass do?
>
> Thanks!
> ----- Original Message -----
> From: "Vahric MUHTARYAN" <vahric@doruk.net.tr>
> To: "'Gerard Meijer'" <gmeijer@palmweb.nl>; <freebsd-ipfw@freebsd.org>
> Sent: Saturday, January 29, 2005 10:27 PM
> Subject: RE: ipfw statefull ruleset problem
>
>
>> Use like this
>>
>> intip="your machine ip address"
>> int="your interface, for example fxp0 for intel"
>>
>> ${fwcmd} add 400 drop all from any to any frag
>> ${fwcmd} add 500 check-state
>> ${fwcmd} add 600 deny tcp from any to any established
>> ${fwcmd} add 1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
>> ${fwcmd} add 1204 pass tcp from ${intip} 20 to any out via ${int} setup keep-state
>>
>> Bye ...
>>
>> -----Original Message-----
>> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
>> On Behalf Of Gerard Meijer
>> Sent: Saturday, January 29, 2005 10:55 PM
>> To: freebsd-ipfw@freebsd.org
>> Subject: ipfw statefull ruleset problem
>>
>> Hi everyone,
>>
>> First of all, I'm not very experienced with ipfw, so if this is a stupid
>> question, I'm sorry.
>>
>> I have a question regarding my stateful ipfw ruleset.
>> I have the following rules:
>>
>> ---begin---
>> $cmd 00015 check-state
>>
>> #www
>> $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
>>
>> #mail
>> $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
>>
>> #ftp
>> $cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state
>>
>> # Allow in standard www function because I have apache server
>> $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>>
>> # Allow in FTP
>> $cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2
>>
>> # Allow in mail
>> $cmd 00420 allow tcp from any to me 110 in via $pif
>> ---end---
>> (there are more rules, but these are the ones that it's about)
>>
>> The problem that I'm having is that I can't check mail, and can't FTP, and
>> see a lot of:
>>
>> ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0
>>
>> messages in my logfile.
>>
>> When I try to check mail I see in my log:
>>
>> ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0
>>
>> What happens (I think, as far as I understand ipfw) is that there is a
>> connection setup on port 21/80/110 (ftp/http/mail), which is allowed by
>> the rules. A dynamic rule is created, but then the other computer switches
>> ports. The check-state command checks for a dynamic rule, but the port
>> doesn't match anymore, so it doesn't find a dynamic rule, and the other
>> rules also don't apply, since they only allow connection initialization.
>> Am I correct?
>>
>> I can solve all this by putting in the rule:
>>
>> # $cmd 00020 allow tcp from any to any established
>>
>> But I learned that that is not the right way to do this in a stateful
>> ruleset, because the dynamic rules don't have any use in this way. So
>> what is the right way to solve this?
>>
>> Thanks a lot in advance!
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
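The mechanism the whole thread turns on, traced in code. This is an added example, not part of the mailing list thread and not ipfw's own code: a toy Python model of how `check-state`, `setup`, `established` and `keep-state`/`limit` interact, run over the POP3 rules from the first mail. It shows that the server's reply (from port 110 back to the client's ephemeral port) is only accepted by `check-state` when the inbound rule that matched the SYN installed a dynamic rule, which `keep-state` and `limit` do and a plain `allow ... in` (rule 00420 above) does not; and that the `allow ... established` workaround accepts any ACK segment from anyone, state or no state. The addresses, the ephemeral port 49152, and the shape of rule 299 (assumed here to be the FreeBSD Handbook style `deny log all from any to any out via $pif`) are assumptions; real ipfw dynamic rules also track connection state and expire, which the model ignores.

```python
"""Toy model of ipfw's stateful matching, built to trace the thread above.
Simplifications: rules are walked in number order; `setup` matches only a
SYN without ACK; `established` matches any segment with ACK set;
`keep-state` (and `limit`, which also creates dynamic rules) records the
address/port pair of the matched packet; `check-state` accepts a packet
whose forward or reverse 4-tuple is in that table.  Not ipfw itself."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ME = "192.0.2.10"        # the server's own address (constructed for the example)
CLIENT = "198.51.100.7"  # the home PC (constructed)
DEFAULT_DENY = (65535, "deny")


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                       # "allow", "deny" or "check-state"
    dport: Optional[int] = None       # None = any destination port
    direction: Optional[str] = None   # None = either direction
    to_me: bool = False               # "to me" in ipfw syntax
    setup: bool = False
    established: bool = False
    keep_state: bool = False          # keep-state or limit


class ToyIpfw:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn: set = set()   # dynamic rules, direction-agnostic

    @staticmethod
    def _key(p: Pkt) -> FrozenSet[Tuple[str, int]]:
        # Unordered pair, so the reply (src/dst swapped) hits the same entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _matches(self, r: Rule, p: Pkt) -> bool:
        if r.dport is not None and p.dport != r.dport:
            return False
        if r.direction is not None and p.direction != r.direction:
            return False
        if r.to_me and p.dst != ME:
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        if r.established and not p.ack:
            return False
        return True

    def filter(self, p: Pkt) -> Tuple[int, str]:
        """Return (rule number, verdict) for one packet."""
        for r in self.rules:
            if r.action == "check-state":
                if self._key(p) in self.dyn:
                    return (r.num, "allow")
                continue
            if self._matches(r, p):
                if r.keep_state:
                    self.dyn.add(self._key(p))
                return (r.num, r.action)
        return DEFAULT_DENY


def ruleset(stateful_420: bool, with_established: bool = False) -> List[Rule]:
    """The rules from the first mail that matter for POP3.  Rule 299 is an
    assumption (Handbook-style `deny log all from any to any out via $pif`).
    stateful_420=True turns 00420 into `... in via $pif setup keep-state`."""
    rules = [
        Rule(15, "check-state"),
        Rule(231, "allow", dport=110, direction="out", setup=True, keep_state=True),
        Rule(299, "deny", direction="out"),
        Rule(420, "allow", dport=110, direction="in", to_me=True,
             setup=stateful_420, keep_state=stateful_420),
    ]
    if with_established:   # the 00020 workaround from the first mail
        rules.append(Rule(20, "allow", established=True))
    return rules


def pop3_handshake(rules: List[Rule]) -> Tuple[Tuple[int, str], Tuple[int, str]]:
    """Client SYN to me:110, then the server's SYN-ACK back to the client's
    ephemeral port.  Returns the verdict for each packet."""
    fw = ToyIpfw(rules)
    syn = Pkt(CLIENT, 49152, ME, 110, "in", syn=True)
    synack = Pkt(ME, 110, CLIENT, 49152, "out", syn=True, ack=True)
    return fw.filter(syn), fw.filter(synack)


def stray_ack(rules: List[Rule]) -> Tuple[int, str]:
    """An ACK segment to port 110 from a host that never did a handshake."""
    fw = ToyIpfw(rules)
    return fw.filter(Pkt("203.0.113.9", 4444, ME, 110, "in", ack=True))


if __name__ == "__main__":
    print("00420 without keep-state:   ", pop3_handshake(ruleset(False)))
    print("00420 setup keep-state:     ", pop3_handshake(ruleset(True)))
    print("stray ACK, stateful ruleset:", stray_ack(ruleset(True)))
    print("stray ACK, established rule:", stray_ack(ruleset(False, True)))
```

With the original 00420 the SYN is allowed but the SYN-ACK falls through to the deny at 299, which is the log line quoted in the first mail; with `setup keep-state` on 00420 the SYN-ACK is accepted at 00015 by the dynamic rule, and an ACK that belongs to no known connection is still dropped. The `established` rule at 00020 makes that same stray ACK pass.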
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?096c01c50653$1c660f30$9600000a>