Date: 01 Jul 2002 22:02:12 +0100
From: Stacey Roberts <sroberts@dsl.pipex.com>
To: FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject: ipfw -tN l hangs on output?
Message-ID: <1025557333.352.9.camel@Demon.Strobe.org>
Hello,

I'm kind of worried about this (error?) I'm noticing on one of my boxes here. Whenever I run ipfw -tN l at the command prompt, the output hangs at exactly the same point in the firewall rules:

# ipfw -tN l
00002 Mon Jul  1 21:52:34 2002 deny udp from any to any router in recv sis0
00500 check-state
00501 deny tcp from any to any established
00502 deny ip from any to any frag
00600 allow tcp from any to any http keep-state out xmit sis0 setup
00601 allow tcp from any to any https keep-state out xmit sis0 setup
00610 allow tcp from any to                    <-- Hung at this point

The only way to break out of this is to hit ^c.

Can anyone help with this, please?

Here's the full firewall rule set I use:

# cat fwrules
# Define firewall command
fwcmd="/sbin/ipfw"

# Flush rules list on start
$fwcmd -f flush

# Set Device variable parameters
oif="sis0"
odns1="<snip>"          # ISP dns server 1
odns2="<snip>"          # ISP dns server 2

# Start of rules
$fwcmd add 00002 deny udp from any to any 520 in via $oif

# CONTROL SECTION
# Using check-state statements to match bi-directional traffic
# flow between source / destination using protocol/IP/port/sequence number
# The dynamic rule has a limited lifetime, controlled by a set
# of sysctl(8) variables. This lifetime is refreshed each time a
# matching packet is matched in the dynamic table
# Allow packet through if it has previously been added to
# the dynamic rules table by an allow keep-state statement
$fwcmd add 00500 check-state

# Deny late-arriving packets to prevent catching & logging by
# rules 800 or 900
$fwcmd add 00502 deny all from any to any frag

# Deny ACK packets that are not matched in dynamic rule table
$fwcmd add 00501 deny tcp from any to any established

# OUTBOUND SECTION
# Interrogate outbound packets originating from private lan
# Upon rule-match, its keep-state option creates dynamic rule

# Allow out www traffic
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
$fwcmd add 00601 allow tcp from any to any 443 out via $oif setup keep-state

# Allow out access to ISP dns servers
$fwcmd add 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
$fwcmd add 00611 allow udp from any to $odns1 53 out via $oif keep-state
$fwcmd add 00615 allow tcp from any to $odns2 53 out via $oif setup keep-state
$fwcmd add 00616 allow udp from any to $odns2 53 out via $oif keep-state

# Allow out access to Internet Domain name server
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

# Allow out send & get e-mail function
$fwcmd add 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FreeBSD maintenance functions (make install & CVSUP)
$fwcmd add 00640 allow tcp from any to any out via $oif setup keep-state uid root
$fwcmd add 00641 allow tcp from any to any in via $oif setup keep-state uid root
$fwcmd add 00642 allow udp from me to any 33435-33500 out via $oif keep-state
$fwcmd add 00643 allow icmp from any to me icmptype 3,11 in via $oif limit src-addr 2

# Allow out ping function
$fwcmd add 00650 allow icmp from any to any out via $oif keep-state

# Allow FTP control channel
$fwcmd add 00671 allow tcp from any to any 21 out via $oif setup keep-state
# Allow FTP data channel in
$fwcmd add 00672 allow tcp from any to any 20 in via $oif setup keep-state

# Allow out SSH
$fwcmd add 00680 allow tcp from any to any 22 out via $oif setup keep-state

# Allow out TELNET
$fwcmd add 00690 allow tcp from any to any 23 out via $oif setup keep-state

# Allow out Network Time Protocol (NTP) queries
$fwcmd add 00694 allow tcp from any to any 123 out via $oif setup keep-state
$fwcmd add 00695 allow udp from any to any 123 out via $oif keep-state

# Allow out TIME
$fwcmd add 00696 allow tcp from any to any 37 out via $oif setup keep-state
$fwcmd add 00697 allow udp from any to any 37 out via $oif keep-state

# Allow out IDENT
$fwcmd add 00700 allow tcp from any to any 113 out via $oif setup keep-state
$fwcmd add 00701 allow udp from any to any 113 out via $oif keep-state

# Allow out WHOIS
$fwcmd add 00712 allow tcp from any to any 43 out via $oif setup keep-state
$fwcmd add 00713 allow udp from any to any 43 out via $oif keep-state

# Allow out WHOIS++
$fwcmd add 00715 allow tcp from any to any 63 out via $oif setup keep-state
$fwcmd add 00716 allow udp from any to any 63 out via $oif keep-state

# Allow out FINGER
$fwcmd add 00720 allow tcp from any to any 79 out via $oif setup keep-state
$fwcmd add 00721 allow udp from any to any 79 out via $oif keep-state

# Allow out NNTP
$fwcmd add 00725 allow tcp from any to any 119 out via $oif setup keep-state
$fwcmd add 00726 allow udp from any to any 119 out via $oif keep-state

# Allow out GOPHER
$fwcmd add 00730 allow tcp from any to any 70 out via $oif setup keep-state
$fwcmd add 00731 allow udp from any to any 70 out via $oif keep-state

# INBOUND SECTION
# Interrogate packets originating from outside
# Statements here allow public requests for services

# Allow in WWW
#$fwcmd add 00800 allow tcp from any to any 80 in via $oif setup keep-state
# Deny & log all attempts to connect over httpd
$fwcmd add 00800 deny log tcp from any to any 80 in via $oif setup keep-state

# Allow TCP FTP control channel in and data channel out
$fwcmd add 00810 allow tcp from any to me 21 in via $oif setup keep-state
$fwcmd add 00811 allow tcp from any 20 to any 1024-49151 out via $oif setup keep-state

# CATCH-ALL SECTION
# Send RESET to all IDENT packets
$fwcmd add 00840 reset tcp from any to me 113 in via $oif

# Stop and LOG spoofing attack attempts
$fwcmd add 00850 deny log ip from me to me in via $oif

# Stop and LOG ping echo attacks
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif

# Reject and LOG all setup of incoming connections from outside
$fwcmd add 00900 deny log all from any to any in via $oif

# All else is denied by default
$fwcmd add 00910 deny log logamount 500 ip from any to any
#

I'd be happy to provide any further info / log output should you guys need it.

Thanks in advance

Stacey
-- 
Stacey Roberts
B.Sc. (HONS) Computer Science
Network Systems Engineer
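Added here as an example, not part of Stacey's post: a small POSIX sh/awk audit of a rule script in the shape of the fwrules above. It reports rules whose address fields are not any/me (those are what ipfw -N hands to the resolver, and a resolver call blocks while DNS is unreachable from the box) and rules that use setup with a non-TCP protocol, since ipfw(8) defines setup for TCP only. The rule lines and the 192.0.2.53 address are a constructed sample.

```shell
#!/bin/sh
# Audit helper for an ipfw rule script (constructed example, not the poster's code).

# Constructed sample in the shape of the fwrules script above.
SAMPLE_RULES='fwcmd="/sbin/ipfw"
oif="sis0"
odns1="192.0.2.53"
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
$fwcmd add 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
#$fwcmd add 00800 allow tcp from any to any 80 in via $oif setup keep-state
$fwcmd add 00900 deny log all from any to any in via $oif'

# Print the rule number of every active rule that uses "setup" without "tcp".
# Field 3 is the rule number in "$fwcmd add NNNNN ...".
setup_on_non_tcp() {
    printf '%s\n' "$1" |
        awk '!/^#/ && /add [0-9]+ / && / setup/ && !/ tcp / { print $3 }'
}

# Print the rule number of every active rule whose "from" or "to" field is a
# literal address or a variable holding one (anything other than any/me):
# these are the fields that "ipfw -N" tries to turn into names.
rules_with_addresses() {
    printf '%s\n' "$1" | awk '
        !/^#/ && /add [0-9]+ / {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "to")   dst = $(i + 1)
            }
            if ((src != "any" && src != "me") || (dst != "any" && dst != "me"))
                print $3
        }'
}

# Stand-alone run against the constructed sample.
echo "setup on non-TCP rules:"; setup_on_non_tcp "$SAMPLE_RULES"
echo "rules naming an address:"; rules_with_addresses "$SAMPLE_RULES"
```

To check a real script, pass its contents instead of the sample, e.g. `rules_with_addresses "$(cat /etc/fwrules)"`; a rule number reported by the second function is a candidate for the point where a -N listing stalls.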