Date: Thu, 18 May 2000 17:50:29 +0400
From: Vladimir Dubrovin <vlad@sandy.ru>
To: Gabriel Ambuehl <gabriel_ambuehl@buz.ch>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw: HTTP(S) is working but everything else doesn't...
Message-ID: <11743.000518@sandy.ru>
In-Reply-To: <1574492519.20000518151205@buz.ch>
References: <1574492519.20000518151205@buz.ch>
Hello Gabriel Ambuehl,

You've missed

  allow udp from any 53 to any

Same thing with the other UDPs. In fact it's better to configure

  allow udp from any 1024-65535,53 to any 53
  allow udp from any 53 to any 1024-65535

because otherwise all your network is open to any UDP attack with source port 53.

18.05.00 17:12, you wrote: ipfw: HTTP(S) is working but everything else doesn't...;

G> [I sent this already to -questions but it remained unanswered. I surely
G> know how mls are working but some advice couldn't hurt ;-)]
G>
G> Hello,
G> my ipfw is driving me nuts. I want to allow SMTP (both incoming and
G> outgoing), POP3, HTTP, HTTPS and DNS (well, FTP should work as well
G> but that one has got its own problems because of that FTP-data thingy)
G> for the firewall box itself and all boxes which use it as gateway [1].
G> Everything beside this should be rejected. To accomplish this, I
G> wanted to use the following ruleset:
G>
G> 00100 allow ip from any to any via lo0
G> 00200 deny ip from any to 127.0.0.0/8
G> 00300 allow tcp from any to any established
G> 00400 allow ip from any to any frag
G> 00500 allow tcp from any to any 25 setup
G> 00600 allow udp from any to any 53
G> 00700 allow udp from any 53 to any 53
G> 00800 allow tcp from any to any 80 setup
G> 00900 allow tcp from any to any 443 setup
G> 01000 allow tcp from any to any 21 setup
G> 01100 allow tcp from any to any 110 setup
G> 01200 allow tcp from any to any 22 setup
G> 01300 allow udp from any to any 22
G> # DHCP, I need this during development phase, it's going to be kicked out in production
G> 01400 allow tcp from any to any 546 setup
G> 01500 allow udp from any to any 546
G> 65535 deny ip from any to any
G>
G> but this isn't working as expected. HTTP and HTTPS both work as they
G> should. DNS doesn't work at all, neither SMTP nor POP (meaning: I
G> can't connect to the server from outside or to outside servers from
G> the box itself). And the strangest thing (or at least it seems this
G> way to me) is happening with ssh: first, ssh (PuTTY) takes over a minute
G> to show me a login prompt (connecting to the box from outside) and
G> then, when I try to login, I can type without any problems, but as
G> soon as I hit enter, the ssh client exits and the server reports
G> |sshd[645]: fatal: Timeout before authentication for 10.2.2.150.
G> What's going wrong here?
G>
G> [1] Meaning the box acts as some kind of bastion host for the entire
G> net behind it. I know this isn't the optimum but as we can't set up enough
G> of those boxes (supplier ran out of them :-(( it has to offer those
G> services as well.
G>
G> Best regards,
G> Gabriel

+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|  Sandy, ISP
| Sandy CSS chief |  Customers Support Service dept
http://www.sandy.ru  Nizhny Novgorod, Russia
+=-=-=-=-=-=-=-=-=+  http://www.security.nnov.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
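An added example, not part of the thread: a small first-match evaluator for the UDP/ip subset of ipfw syntax used above. It runs the same packets through Gabriel's rules 600/700 and through Vladimir's replacement (each with the final deny), showing why DNS replies never come back with the first set and why the 1024-65535 range matters in the second. The packets, the resolver port 1025 and the target port 514 are constructed values.

```python
import re
# Constructed rulesets (the ipfw syntax from the thread, UDP/ip subset only).
GABRIEL = [
    "00600 allow udp from any to any 53",
    "00700 allow udp from any 53 to any 53",
    "65535 deny ip from any to any",
]
FIXED = [  # Vladimir's replacement for rules 600/700
    "00600 allow udp from any 1024-65535,53 to any 53",
    "00700 allow udp from any 53 to any 1024-65535",
    "65535 deny ip from any to any",
]

RULE = re.compile(
    r"(?P<num>\d+) (?P<action>allow|deny) (?P<proto>ip|udp) "
    r"from any(?: (?P<sport>[\d,-]+))? to any(?: (?P<dport>[\d,-]+))?$"
)

def port_ranges(spec):
    """'1024-65535,53' -> [(1024, 65535), (53, 53)]; None means any port."""
    if spec is None:
        return None
    parts = [p.partition("-") for p in spec.split(",")]
    return [(int(lo), int(hi or lo)) for lo, _, hi in parts]

def in_ranges(port, ranges):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)

def matches(rule, pkt):
    """pkt: {'proto': 'udp', 'sport': int, 'dport': int}."""
    m = RULE.match(rule).groupdict()
    return (m["proto"] in ("ip", pkt["proto"])
            and in_ranges(pkt["sport"], port_ranges(m["sport"]))
            and in_ranges(pkt["dport"], port_ranges(m["dport"])))

def verdict(ruleset, pkt):
    """First matching rule wins, as in ipfw; rule 65535 is the default deny."""
    for rule in ruleset:
        if matches(rule, pkt):
            return RULE.match(rule)["action"]
    return "deny"

if __name__ == "__main__":
    query = {"proto": "udp", "sport": 1025, "dport": 53}  # resolver -> DNS server
    reply = {"proto": "udp", "sport": 53, "dport": 1025}  # the answer coming back
    spoof = {"proto": "udp", "sport": 53, "dport": 514}   # src port 53 at a privileged port
    for name, rs in (("gabriel", GABRIEL), ("fixed", FIXED)):
        print(name, [verdict(rs, p) for p in (query, reply, spoof)])
```

With Gabriel's rules the query leaves but the reply is dropped by rule 65535; with the fixed rules the reply is allowed while source port 53 traffic aimed at a port below 1024 is still denied.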