From: quetzal@roks.biz
To: Robert Downes
Cc: freebsd-ipfw@freebsd.org
Date: Sat, 19 Jun 2004 10:55:32 +0300
Subject: Re: Blocked outbound traffic - what is it?
Message-ID: <20040619075532.GA690@roks.biz>
In-Reply-To: <40D355DA.3040707@lineone.net>
References: <200406182122.2239016.6@btsoftware.com> <40D355DA.3040707@lineone.net>
On Friday, 18 June 2004 at 21:51:38 +0100, Robert Downes wrote:
>
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 332 deny tcp from any to any established in recv $pif
>
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type.
> # Only necessary for cable or DSL configurations.
> # This rule is not needed for 'user ppp' type connection to
> # the public internet. This is the same IP address you captured
> # and used in the outbound section.
> #$cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif keep-state
>
> # Allow in standard www function because I have apache server
> #$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> #$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
>
> # Allow in non-secure Telnet session from public Internet
> # labeled non-secure because ID & PW are passed over public
> # internet as clear text.
> # Delete this sample group if you do not have telnet server enabled.
> #$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> #$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
>
> # Allow in icmp responses
> $cmd 390 allow icmp from any to any icmptypes 0,3,11,12 in recv $pif
>
> # Reject & Log all unauthorized incoming connections from the public internet
> $cmd 400 deny log all from any to any in recv $pif
>
> # Reject & Log all unauthorized out going connections to the public internet
> $cmd 450 deny log all from any to any out xmit $pif
>
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out xmit $pif
> $cmd 801 allow ip from any to any
>
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> $cmd 999 deny log all from any to any
>
>
>
> ################ End of IPFW rules file ###############################

Hi, Robert.

You don't need to worry about trojans. By the logic of your rules, I think
that these packets are blocked because of the ending lifetime of some
dynamic rules. See net.inet.ip.fw.dyn_fin_lifetime and
net.inet.ip.fw.dyn_rst_lifetime in man ipfw(8) and you will probably
understand what I am talking about.

Also, you can try tcpdump to trace what occurs during the final phase of
the tcp session.

Best regards and sorry for my English,
Nikolay Pavlov.
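The mechanism Nikolay describes, as an added example that is not part of the original thread and is not ipfw's own code: a small Python model of a keep-state dynamic rule whose lifetime shrinks once both sides have sent FIN (dyn_fin_lifetime) or a RST is seen (dyn_rst_lifetime). A late ACK belonging to the closed session then finds no dynamic rule and falls through to the static deny-and-log rules 400 (inbound) and 450 (outbound), which is the log line that looks like unexplained blocked traffic. The lifetime values, the addresses and the packet trace are constructed for the model; the real values come from sysctl on the firewall.

```python
"""Simplified model of ipfw keep-state dynamic rules around TCP teardown.

Added example, NOT ipfw's own code. It follows the lifetime behaviour
documented in ipfw(8): a fresh dynamic rule lives dyn_syn_lifetime,
an established one dyn_ack_lifetime, one that has seen FIN from both
sides dyn_fin_lifetime, and one that has seen RST dyn_rst_lifetime.
"""
from dataclasses import dataclass, field

# Lifetimes in seconds, named after the sysctls mentioned in the reply.
# These values are assumptions for the model; read the real ones with
# `sysctl net.inet.ip.fw` on the firewall.
LIFETIMES = {
    "syn": 20,    # net.inet.ip.fw.dyn_syn_lifetime
    "ack": 300,   # net.inet.ip.fw.dyn_ack_lifetime
    "fin": 1,     # net.inet.ip.fw.dyn_fin_lifetime
    "rst": 1,     # net.inet.ip.fw.dyn_rst_lifetime
}


@dataclass
class DynRule:
    expires_at: float
    fin_seen: set = field(default_factory=set)   # directions that sent FIN


class StatefulFirewall:
    """Outbound 'setup keep-state' plus static deny-log rules 400 (in) / 450 (out)."""

    def __init__(self, lifetimes):
        self.lifetimes = lifetimes
        self.dyn = {}    # flow key -> DynRule
        self.log = []    # what rules 400/450 would log

    @staticmethod
    def _flow_key(src, dst):
        return frozenset((src, dst))   # one entry serves both directions

    def packet(self, now, src, dst, flags, direction):
        key = self._flow_key(src, dst)
        rule = self.dyn.get(key)
        if rule is not None and rule.expires_at <= now:
            del self.dyn[key]          # expired dynamic rule is purged
            rule = None
        if rule is None:
            if direction == "out" and flags == {"SYN"}:
                # Matches an outbound 'setup keep-state' rule: create state.
                self.dyn[key] = DynRule(now + self.lifetimes["syn"])
                return "allow (new dynamic rule)"
            # No state for this flow: falls through to the deny-and-log rules.
            number = 400 if direction == "in" else 450
            self.log.append(f"Deny TCP {src} {dst} {direction} (rule {number})")
            return f"deny (rule {number})"
        # Existing state: the new expiry depends on the flags seen so far.
        if "RST" in flags:
            rule.expires_at = now + self.lifetimes["rst"]
        else:
            if "FIN" in flags:
                rule.fin_seen.add(direction)
            if rule.fin_seen == {"in", "out"}:
                rule.expires_at = now + self.lifetimes["fin"]
            else:
                rule.expires_at = now + self.lifetimes["ack"]
        return "allow (dynamic rule)"


def simulate_teardown(fin_lifetime):
    """Replay a normal session close followed by one late inbound ACK.

    Returns the per-packet verdicts and the deny-log lines produced.
    """
    lifetimes = dict(LIFETIMES, fin=fin_lifetime)
    fw = StatefulFirewall(lifetimes)
    me, peer = "10.0.0.2:4567", "203.0.113.5:80"   # constructed addresses
    trace = [                                       # constructed packet trace
        (0.00, me, peer, {"SYN"}, "out"),
        (0.05, peer, me, {"SYN", "ACK"}, "in"),
        (0.10, me, peer, {"ACK"}, "out"),
        (10.0, me, peer, {"FIN", "ACK"}, "out"),    # we close
        (10.1, peer, me, {"FIN", "ACK"}, "in"),     # peer closes too
        (10.2, me, peer, {"ACK"}, "out"),           # final ACK, still in state
        (13.0, peer, me, {"ACK"}, "in"),            # late / retransmitted ACK
    ]
    verdicts = [fw.packet(*p) for p in trace]
    return verdicts, fw.log


if __name__ == "__main__":
    for fin in (1, 5):
        verdicts, log = simulate_teardown(fin)
        print(f"dyn_fin_lifetime={fin}: last packet -> {verdicts[-1]}; log={log}")
```

With the constructed one-second FIN lifetime the late ACK at t=13.0 arrives after the dynamic rule has been purged and is logged by rule 400; with a longer lifetime the same packet still matches state and is allowed. On the firewall itself the corresponding checks are `sysctl net.inet.ip.fw.dyn_fin_lifetime net.inet.ip.fw.dyn_rst_lifetime` for the values, `ipfw -d list` to watch the dynamic rules and their remaining lifetime, and a capture of the teardown such as `tcpdump -ni $pif 'tcp[tcpflags] & (tcp-fin|tcp-rst) != 0'` to line up the FIN/RST exchange against the timestamps of the logged denies.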