Date: Sun, 28 Mar 1999 12:23:46 -0800
From: Dean <dean@thegrid.net>
To: Noor Dawod <noor@NetVision.net.il>, freebsd-security@freebsd.org
Subject: Re: ipfw behavior, is it normal?
Message-ID: <4.1.19990328120848.009ab150@mail.thegrid.net>
In-Reply-To: <Pine.GSO.4.05.9903281416150.20028-100000@nvt.netvision.net.il>
At 02:23 PM 3/28/99 +0200, you wrote:
> My current ipfw rules are:
>
> -----------------------------------------------------------------
> 00100 allow ip from any to any via lo0
> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> 00400 allow ip from any to [server-ip] 80 in via xl0
> 00500 allow ip from any to [server-ip] 21 in via xl0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> -----------------------------------------------------------------
>
> 00200 and 00300 seem redundant because of rule 65000. But this is where
> all the problem lies. If I understand the ipfw rules right, if I remove
> line 65000 from the rules table, then I can still do all ip-related
> actions from [machine-a] and [machine-b], whose ip numbers are
> listed in 00200 and 00300. But, once I remove line 65000, I cannot do any
> ip-related actions on the [server], and even WWW/FTP services are not
> served as well.
>
> What am I missing here, and why MUST the 65000 line be there so that I
> could access [server] from [machine-a] and [machine-b]?

Rule 65000 makes all the other rules before it redundant. This ruleset (if you
remove line 65000) will only allow connections from machine a and b to the
server. Plus http and ftp connections from anywhere to the server.

Is xl0 your 'inside' interface or 'outside' interface? Make sure you've got the
right ip addresses for machine a and b. Is the firewall running on the server or
some other machine?

Dean
-------------------------------------------------------------------------------
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation....
-------------------------------------------------------------------------------
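As an added example (not part of the thread, and not ipfw's own code), the first-match evaluation behind Dean's answer, applied to the quoted ruleset with and without rule 65000; the addresses are constructed placeholders for [machine-a-ip], [machine-b-ip] and [server-ip], and only the rule syntax used in the quoted ruleset is modelled.

```python
# Added illustration, not code from the ipfw project: a first-match evaluator
# for the rule syntax used in the quoted ruleset. The addresses are constructed
# placeholders for [machine-a-ip], [machine-b-ip] and [server-ip].
from collections import namedtuple

MACHINE_A, MACHINE_B, SERVER = "10.0.0.11", "10.0.0.12", "10.0.0.1"
RULESET = f"""
00100 allow ip from any to any via lo0
00200 allow ip from {MACHINE_A} to {SERVER} via xl0
00300 allow ip from {MACHINE_B} to {SERVER} via xl0
00400 allow ip from any to {SERVER} 80 in via xl0
00500 allow ip from any to {SERVER} 21 in via xl0
65000 allow ip from any to any
65535 deny ip from any to any
"""

Rule = namedtuple("Rule", "number action src dst dport direction iface")

def parse_rule(line):
    # "NNNNN allow|deny ip from SRC to DST [PORT] [in|out] [via IFACE]"
    t = line.split()
    rest = t[7:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    direction = rest.pop(0) if rest and rest[0] in ("in", "out") else None
    iface = rest[1] if rest[:1] == ["via"] else None
    return Rule(int(t[0]), t[1], t[4], t[6], dport, direction, iface)

def load(text, drop=()):
    """Parse the ruleset, leaving out any rule numbers listed in `drop`."""
    rules = [parse_rule(line) for line in text.strip().splitlines()]
    return sorted((r for r in rules if r.number not in drop), key=lambda r: r.number)

def evaluate(rules, src, dst, dport=None, direction="in", iface="xl0"):
    """First rule whose every field matches wins; ipfw stops there, so nothing
    after `allow ip from any to any` is ever consulted. None means 'match all'."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and r.dport in (None, dport) and r.direction in (None, direction)
                and r.iface in (None, iface)):
            return r.number, r.action
    raise RuntimeError("no rule matched; 65535 should always match")

if __name__ == "__main__":
    full, trimmed = load(RULESET), load(RULESET, drop={65000})
    other = "203.0.113.7"  # constructed: some unrelated host on the Internet
    print("ssh to server, with 65000:   ", evaluate(full, other, SERVER, 22))
    print("ssh to server, without 65000:", evaluate(trimmed, other, SERVER, 22))
    print("server's own outbound conn:  ", evaluate(trimmed, SERVER, other, 25, "out"))
```

With 65000 in place every packet not already allowed by 00100 to 00500 is allowed there and 65535 never fires; without it, only the listed traffic to the server matches, and a connection the server itself originates falls through to the final deny.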