Date:      01 Jul 2002 22:02:12 +0100
From:      Stacey Roberts <sroberts@dsl.pipex.com>
To:        FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject:   ipfw -tN l hangs on output?
Message-ID:  <1025557333.352.9.camel@Demon.Strobe.org>



Hello,
     I'm kind of worried about this (error?) I'm noticing on one of my
boxes here. Whenever I run ipfw -tN l at the command prompt, the output
hangs at exactly the same point in the firewall rules:

# ipfw -tN l
00002 Mon Jul  1 21:52:34 2002 deny udp from any to any router in recv sis0
00500 			 check-state
00501 			 deny tcp from any to any established
00502 			 deny ip from any to any frag
00600 			 allow tcp from any to any http keep-state out xmit sis0 setup
00601 			 allow tcp from any to any https keep-state out xmit sis0 setup
00610 			 allow tcp from any to <-- Hung at this point

The only way to break out of this is to hit ^c. Can anyone help with
this, please?

Here's the full firewall rule set I use:
# cat fwrules
# Define firewall command
fwcmd="/sbin/ipfw"

# Flush rules list on start
$fwcmd -f flush

# Set Device variable parameters
oif="sis0"
odns1="<snip>"		# ISP dns server 1
odns2="<snip>"		# ISP dns server 2

# Start of rules

$fwcmd add 00002 deny udp from any to any 520 in via $oif

# CONTROL SECTION
# Using check-state statements to match bi-directional traffic
# flow between source / destination using protocol/IP/port/sequence
# number

# The dynamic rule has a limited lifetime, controlled by a set
# of sysctl(8) variables. This lifetime is refreshed each time a
# matching packet is matched in the dynamic table

# Allow packet through if it has previously been added to
# the dynamic rules table by an allow keep-state statement

$fwcmd add 00500 check-state

# Deny late-arriving packets to prevent catching & logging by
# rules 800 or 900

$fwcmd add 00502 deny all from any to any frag

# Deny ACK packets that are not matched in dynamic rule table
$fwcmd add 00501 deny tcp from any to any established


# OUTBOUND SECTION
# Interrogate outbound packets originating from private lan
# Upon rule-match, its keep-state option creates dynamic rule

# Allow out www traffic
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
$fwcmd add 00601 allow tcp from any to any 443 out via $oif setup keep-state

# Allow out access to ISP dns servers
$fwcmd add 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
$fwcmd add 00611 allow udp from any to $odns1 53 out via $oif keep-state
$fwcmd add 00615 allow tcp from any to $odns2 53 out via $oif setup keep-state
$fwcmd add 00616 allow udp from any to $odns2 53 out via $oif keep-state

# Allow out access to Internet Domain name server
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
# (no "setup" on the udp rule: setup is a TCP-only match in ipfw)
$fwcmd add 00619 allow udp from any to any 53 out via $oif keep-state

# Allow out send & get e-mail function
$fwcmd add 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FreeBSD maintenance functions (make install & CVSUP)
$fwcmd add 00640 allow tcp from any to any out via $oif setup keep-state uid root
$fwcmd add 00641 allow tcp from any to any in via $oif setup keep-state uid root
$fwcmd add 00642 allow udp from me to any 33435-33500 out via $oif keep-state
$fwcmd add 00643 allow icmp from any to me icmptype 3,11 in via $oif limit src-addr 2

# Allow out ping function
$fwcmd add 00650 allow icmp from any to any out via $oif keep-state

# Allow FTP control channel
$fwcmd add 00671 allow tcp from any to any 21 out via $oif setup keep-state

# Allow FTP data channel in
$fwcmd add 00672 allow tcp from any to any 20 in via $oif setup keep-state

# Allow out SSH
$fwcmd add 00680 allow tcp from any to any 22 out via $oif setup keep-state

# Allow out TELNET
$fwcmd add 00690 allow tcp from any to any 23 out via $oif setup keep-state

# Allow out Network Time Protocol (NTP) queries
$fwcmd add 00694 allow tcp from any to any 123 out via $oif setup keep-state
$fwcmd add 00695 allow udp from any to any 123 out via $oif keep-state

# Allow out TIME
$fwcmd add 00696 allow tcp from any to any 37 out via $oif setup keep-state
$fwcmd add 00697 allow udp from any to any 37 out via $oif keep-state

# Allow out IDENT
$fwcmd add 00700 allow tcp from any to any 113 out via $oif setup keep-state
$fwcmd add 00701 allow udp from any to any 113 out via $oif keep-state

# Allow out WHOIS
$fwcmd add 00712 allow tcp from any to any 43 out via $oif setup keep-state
$fwcmd add 00713 allow udp from any to any 43 out via $oif keep-state

# Allow out WHOIS++
$fwcmd add 00715 allow tcp from any to any 63 out via $oif setup keep-state
$fwcmd add 00716 allow udp from any to any 63 out via $oif keep-state

# Allow out FINGER
$fwcmd add 00720 allow tcp from any to any 79 out via $oif setup keep-state
$fwcmd add 00721 allow udp from any to any 79 out via $oif keep-state

# Allow out NNTP
$fwcmd add 00725 allow tcp from any to any 119 out via $oif setup keep-state
$fwcmd add 00726 allow udp from any to any 119 out via $oif keep-state

# Allow out GOPHER
$fwcmd add 00730 allow tcp from any to any 70 out via $oif setup keep-state
$fwcmd add 00731 allow udp from any to any 70 out via $oif keep-state


# INBOUND SECTION
# Interrogate packets originating from outside
# Statements here allow public requests for services

# Allow in WWW
#$fwcmd add 00800 allow tcp from any to any 80 in via $oif setup keep-state

# Deny & log all attempts to connect over httpd
$fwcmd add 00800 deny log tcp from any to any 80 in via $oif setup keep-state

# Allow TCP FTP control channel in and data channel out
$fwcmd add 00810 allow tcp from any to me 21 in via $oif setup keep-state
$fwcmd add 00811 allow tcp from any 20 to any 1024-49151 out via $oif setup keep-state

# CATCH-ALL SECTION

# Send RESET to all IDENT packets
$fwcmd add 00840 reset tcp from any to me 113 in via $oif

# Stop and LOG spoofing attack attempts
$fwcmd add 00850 deny log ip from me to me in via $oif

# Stop and LOG ping echo attacks
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif

# Reject and LOG all setup of incoming connections from outside
$fwcmd add 00900 deny log all from any to any in via $oif

# All else is denied by default
$fwcmd add 00910 deny log logamount 500 ip from any to any
#

I'd be happy to provide any further info / log output should you guys
need it.

Thanks in advance

Stacey
-- 
Stacey Roberts B.Sc. (HONS) Computer Science
Network Systems Engineer
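A small checker for rule scripts of the shape posted above, added here as an example; it is not part of the original message and not an ipfw tool. It parses `$fwcmd add NNNNN action proto from ... to ... [options]` lines, expands the script's own shell variables, and flags the things that are easy to get wrong in a stateful ipfw ruleset: `setup` or `established` on a non-TCP rule (ipfw(8) documents both as TCP-only matches, so a `udp ... setup` rule never lets the intended traffic through), the same rule number added twice (ipfw keeps both and evaluates them in insertion order), and rule numbers added out of ascending order (harmless, since ipfw sorts by number, but easy to misread). The embedded script is a constructed excerpt modelled on the post's fwrules, with the `<snip>` DNS address replaced by an address from the 192.0.2.0/24 documentation range; the function and class names are the example's own.

```python
"""Lint an ipfw(8) rule script (added example; not from the original post).

Recognised input shape, as in the post's fwrules:
    fwcmd="/sbin/ipfw"
    $fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ipfw(8): "setup" and "established" match TCP packets only.
TCP_ONLY_OPTS = {"setup", "established"}
# Option keywords that may appear after the `from ... to ...` body.
KNOWN_OPTS = {"setup", "established", "keep-state", "frag", "in", "out",
              "via", "recv", "xmit", "uid", "gid", "limit", "icmptype",
              "icmptypes", "log", "logamount"}

ASSIGN_RE = re.compile(r'^(\w+)=("?)(.*?)\2\s*$')
ADD_RE = re.compile(r'^(?:\$\w+|(?:/sbin/)?ipfw)\s+add\s+(.+)$')


@dataclass
class Rule:
    lineno: int
    number: Optional[int]
    action: str
    proto: Optional[str]      # None for check-state
    options: List[str]


def parse_script(text: str) -> List[Rule]:
    """Return every `add` rule in the script, with $variables expanded."""
    variables = {}
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        m = ASSIGN_RE.match(line)
        if m:                                       # e.g. oif="sis0"
            variables[m.group(1)] = m.group(3)
            continue
        m = ADD_RE.match(line)
        if not m:                                   # e.g. $fwcmd -f flush
            continue
        body = re.sub(r"\$(\w+)",
                      lambda v: variables.get(v.group(1), v.group(0)),
                      m.group(1))
        tokens = body.split()
        number = int(tokens.pop(0)) if tokens[0].isdigit() else None
        action = tokens.pop(0)
        if action == "check-state":
            rules.append(Rule(lineno, number, action, None, []))
            continue
        # `log` and `logamount N` sit between the action and the protocol
        while tokens and tokens[0] in ("log", "logamount"):
            if tokens.pop(0) == "logamount" and tokens:
                tokens.pop(0)
        proto = tokens.pop(0)
        options = [t for t in tokens if t in KNOWN_OPTS]
        rules.append(Rule(lineno, number, action, proto, options))
    return rules


def lint(rules: List[Rule]):
    """Return (severity, script line, message) findings, in script order."""
    findings = []
    first_seen = {}
    highest = -1
    for r in rules:
        bad = sorted(TCP_ONLY_OPTS.intersection(r.options))
        if bad and r.proto != "tcp":
            findings.append(("error", r.lineno,
                             f"rule {r.number}: {','.join(bad)} is a TCP-only "
                             f"match but the protocol is {r.proto}"))
        if r.number is None:
            continue
        if r.number in first_seen:
            findings.append(("warning", r.lineno,
                             f"rule {r.number} already added at line "
                             f"{first_seen[r.number]}; both are kept"))
        elif r.number < highest:
            findings.append(("info", r.lineno,
                             f"rule {r.number} added after a higher-numbered rule"))
        first_seen.setdefault(r.number, r.lineno)
        highest = max(highest, r.number)
    return findings


# Constructed excerpt modelled on the post's fwrules (not the full file).
# The udp 53 rule keeps the `setup` keyword as posted, and 00800 is added
# twice on purpose so the duplicate check has something to report.
SAMPLE_SCRIPT = """\
fwcmd="/sbin/ipfw"
$fwcmd -f flush
oif="sis0"
odns1="192.0.2.53"    # stands in for the post's <snip> ISP DNS server
$fwcmd add 00002 deny udp from any to any 520 in via $oif
$fwcmd add 00500 check-state
$fwcmd add 00502 deny all from any to any frag
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
$fwcmd add 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
$fwcmd add 00611 allow udp from any to $odns1 53 out via $oif keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
$fwcmd add 00800 deny log tcp from any to any 80 in via $oif setup keep-state
$fwcmd add 00800 allow tcp from any to me 21 in via $oif setup keep-state
$fwcmd add 00910 deny log logamount 500 ip from any to any
"""


if __name__ == "__main__":
    for sev, lineno, msg in lint(parse_script(SAMPLE_SCRIPT)):
        print(f"{sev:7} line {lineno}: {msg}")
```

Run against the sample it reports the 00501-after-00502 ordering as info, the `udp ... 53 ... setup` rule as an error, and the second 00800 as a warning. The checker only reads the script text; it says nothing about the listing stall in the post. What can be said about that is documented behaviour: `-N` asks ipfw to resolve addresses and service names in its output, so a listing with `-N` depends on name lookups that the same listing without `-N` does not make.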


