From owner-freebsd-security Sun Mar 28 12:28:31 1999
Date: Sun, 28 Mar 1999 12:23:46 -0800
To: Noor Dawod, freebsd-security@freebsd.org
From: Dean
Subject: Re: ipfw behavior, is it normal?

At 02:23 PM 3/28/99 +0200, you wrote:
> My current ipfw rules are:
>
> -----------------------------------------------------------------
> 00100 allow ip from any to any via lo0
> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> 00400 allow ip from any to [server-ip] 80 in via xl0
> 00500 allow ip from any to [server-ip] 21 in via xl0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> -----------------------------------------------------------------
>
> 00200 and 00300 seem redundant because of rule 65000. But this is where
> all the problem lies. If I understand the ipfw rules right, if I remove
> line 65000 from the rules table, then I can still do all IP-related
> actions from [machine-a] and [machine-b], whose IP numbers are
> listed in 00200 and 00300. But, once I remove line 65000, I cannot do any
> IP-related actions on the [server], and even WWW/FTP services are not
> served as well.
>
> What am I missing here, and why MUST the 65000 line be there so that I
> could access [server] from [machine-a] and [machine-b]?

Rule 65000 makes all the other rules before it redundant.

This ruleset (if you remove line 65000) will only allow connections from
machine a and b to the server. Plus http and ftp connections from anywhere
to the server.

Is xl0 your 'inside' interface or 'outside' interface?

Make sure you've got the right ip addresses for machine a and b.

Is the firewall running on the server or some other machine?

Dean

-------------------------------------------------------------------------------
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation....
-------------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
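The first-match behaviour Dean describes, as an added simulation that is not part of the original thread: ipfw walks the rules in ascending number order and the first rule that matches decides, so with 65000 in place nothing ever reaches 65535, and without it only the flows named in 00200-00500 survive. The addresses are constructed placeholders, `via` is modelled as matching either direction on an interface and `in via` as inbound only, and protocol distinctions beyond the destination port are ignored.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: Optional[int]   # None for traffic without a port
    direction: str         # "in" or "out" relative to the firewall
    iface: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    src: str                    # "any" or one address
    dst: str
    dport: Optional[int] = None # None matches any port
    direction: Optional[str] = None  # None models "via": either direction
    iface: Optional[str] = None      # None matches any interface

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface))


# Constructed placeholder addresses standing in for [server-ip] etc.
SERVER, MACHINE_A, MACHINE_B = "192.0.2.10", "192.0.2.20", "192.0.2.30"

# Noor's ruleset, transcribed from the quoted message.
RULESET = [
    Rule(100, "allow", "any", "any", iface="lo0"),
    Rule(200, "allow", MACHINE_A, SERVER, iface="xl0"),
    Rule(300, "allow", MACHINE_B, SERVER, iface="xl0"),
    Rule(400, "allow", "any", SERVER, dport=80, direction="in", iface="xl0"),
    Rule(500, "allow", "any", SERVER, dport=21, direction="in", iface="xl0"),
    Rule(65000, "allow", "any", "any"),
    Rule(65535, "deny", "any", "any"),
]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First matching rule in ascending order wins; 65535 is the fallback."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(p):
            return rule.action, rule.number
    return "deny", 65535


def without(rules: List[Rule], number: int) -> List[Rule]:
    return [r for r in rules if r.number != number]
```

Evaluating a stranger's inbound packet to port 22 against `RULESET` returns `("allow", 65000)`; against `without(RULESET, 65000)` it returns `("deny", 65535)`, while the same packet from `MACHINE_A` is still allowed by 00200.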