From: "Reuben A. Popp"
Organization: digitalcelt.net
Reply-To: gobinau@digitalcelt.net
To: freebsd-questions@freebsd.org
Date: Tue, 15 Jun 2004 18:31:58 -0500
Subject: ipfw question
Message-Id: <200406151832.10733.gobinau@digitalcelt.net>
User-Agent: KMail/1.6.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good afternoon all,

I was tinkering around trying to get my firewall set the way I wanted it, but seem to be running into an issue. I know that I have logging set in the kernel and in rc.conf, as well as in my ruleset, but for some odd reason, the firewall is not logging connections to the services I wanted watched (ftp, ssh, web, etc). I'm enclosing a copy of my ruleset along with this message in case anyone has any ideas.

Any help or suggestions would be greatly appreciated.

Thanks in advance,
Reuben A. Popp

My ruleset:

#!/bin/sh -
#
# Setup system for firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush

# Setup Loopback
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add 400 deny all from 10.0.0.0/8 to any via em0
ipfw add 500 deny all from 172.16.0.0/12 to any via em0
ipfw add 600 deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
# (These five rules were written "via $em0"; the variable is never set, so
# the shell expanded it to nothing and ipfw rejected each rule. Fixed to
# the literal interface name used everywhere else in this script.)
ipfw add 700 deny all from 0.0.0.0/8 to any via em0
ipfw add 800 deny all from 169.254.0.0/16 to any via em0
ipfw add 900 deny all from 192.0.2.0/24 to any via em0
ipfw add 1000 deny all from 224.0.0.0/4 to any via em0
ipfw add 1100 deny all from 240.0.0.0/4 to any via em0

# Allow TCP through if setup succeeded
# Note: "established" matches every TCP packet with ACK or RST set, in either
# direction, so the "log" rules further down only ever see connection-setup
# (SYN) packets; each connection can produce at most one log line from them.
ipfw add 1200 pass tcp from any to any established

# Allow IP fragments to pass through
ipfw add 1300 pass all from any to any frag

ipfw add 1400 check-state
# Unreachable: rule 1200 already passed every "established" packet.
ipfw add 1401 deny tcp from any to any in established
ipfw add 1402 allow tcp from any to any out setup keep-state

# Allow DNS
ipfw add 1403 allow udp from xx.xx.xxx.xxx 53 to any in recv em0
ipfw add 1404 allow udp from xxx.xxx.x.x 53 to any in recv em0
ipfw add 1405 allow udp from xxx.xxx.x.x 53 to any in recv em0
ipfw add 1406 allow udp from any to any out

# Allow ftp and log it
ipfw add 1407 allow log tcp from any to xx.xx.xxx.xxx 20,21
ipfw add 1408 allow log udp from any to xx.xx.xxx.xxx 20,21

# Allow ssh and log it
ipfw add 1409 allow log tcp from any to xx.xx.xxx.xxx 22

# Allow mail and log it
ipfw add 1410 allow log tcp from any to xx.xx.xxx.xxx 25

# Allow www and log it
# (The posted rule had no port at all, so it matched every TCP packet to the
# host and rules 1412-1414 could never be reached; port 80 added to match the
# comment.)
ipfw add 1411 allow log tcp from any to xx.xx.xxx.xxx 80 keep-state
ipfw add 1412 allow log tcp from any to xx.xx.xxx.xxx 443 keep-state
ipfw add 1413 allow log udp from any to xx.xx.xxx.xxx 443 keep-state

# Reject&Log all setup of incoming connections from the outside
ipfw add 1414 deny log tcp from any to any in via em0 setup

# Allow setup of any other TCP connection
ipfw add 1415 pass tcp from any to any setup

# Allow DNS queries out in the world
ipfw add 1416 pass udp from xx.xx.xxx.xxx to any 53 keep-state

# Allow NTP queries out in the world
ipfw add 1417 pass udp from xx.xx.xxx.xxx to any 123 keep-state

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAz4b5d1N/Kyhy5tIRAqJ9AJ9iEqOXjagPqWalaksbQ+f3NwPjbQCgngUx
EQQ6jITdKYJRpN6NWcsakvo=
=AwhC
-----END PGP SIGNATURE-----
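Added example, not part of Reuben's post and not FreeBSD's own tooling: before rewriting any rule, the first triage step for "my log rules produce nothing" is to read the per-rule packet counters that `ipfw -a list` (alias `ipfw show`) prints, together with the two sysctls that gate ipfw logging, `net.inet.ip.fw.verbose` (0 turns logging off entirely; `firewall_logging="YES"` in rc.conf sets it to 1) and `net.inet.ip.fw.verbose_limit` (when non-zero, a rule stops logging after that many packets until `ipfw resetlog`). A log rule whose counter stays at zero is never reached, so the problem is an earlier rule, not logging. The listing and sysctl values below are constructed sample data with RFC 5737 placeholder addresses; `parse_listing()` and `diagnose()` are hypothetical helper names.

```python
"""Triage helper for ipfw 'log' rules that never reach syslog (added example)."""
import re
from dataclasses import dataclass

# Constructed sample of `ipfw -a list` output: rule number, packet counter,
# byte counter, then the rule body as ipfw prints it back.  198.51.100.10 is
# a documentation address standing in for the poster's masked host.
SAMPLE_LISTING = """\
00100     1120    91200 allow ip from any to any via lo0
01200     9843  6120041 allow tcp from any to any established
01409        0        0 allow log tcp from any to 198.51.100.10 dst-port 22
01411      150    12000 allow log tcp from any to 198.51.100.10 dst-port 80 keep-state
01414       12      720 deny log tcp from any to any in via em0 setup
65535     3000   150000 deny ip from any to any
"""

# number, packets, bytes, action, optional "log" keyword, rest of the rule
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(log\b)?\s*(.*)$")


@dataclass
class Rule:
    number: int
    packets: int
    bytes_: int
    action: str
    logged: bool
    body: str


def parse_listing(text):
    """Parse `ipfw -a list` output into Rule records; unparseable lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, pkts, byts, action, log_kw, body = m.groups()
        rules.append(Rule(int(num), int(pkts), int(byts), action, log_kw is not None, body))
    return rules


def diagnose(listing, verbose, verbose_limit):
    """Return (rule_number, code, message) per 'log' rule.

    verbose       = net.inet.ip.fw.verbose   (0 disables all ipfw logging)
    verbose_limit = net.inet.ip.fw.verbose_limit (0 = unlimited)
    Rule number 0 is used for findings about the whole ruleset.
    """
    rules = parse_listing(listing)
    log_rules = [r for r in rules if r.logged]
    findings = []
    if not log_rules:
        return [(0, "no-log-rules",
                 "no loaded rule carries 'log': the running set is not the edited script")]
    if verbose == 0:
        findings.append((0, "verbose-off",
                         "net.inet.ip.fw.verbose=0: logging is globally off; "
                         "set firewall_logging=\"YES\" or sysctl net.inet.ip.fw.verbose=1"))
    for r in log_rules:
        if r.packets == 0:
            findings.append((r.number, "not-reached",
                             "counter is 0: nothing reaches this rule, so an earlier "
                             "rule matches first (or no such traffic has arrived)"))
        elif verbose_limit and r.packets >= verbose_limit:
            findings.append((r.number, "limit-exhausted",
                             f"{r.packets} packets >= verbose_limit {verbose_limit}: "
                             "this rule has stopped logging; run 'ipfw resetlog'"))
        else:
            findings.append((r.number, "ok",
                             "rule matches and is within limits; confirm syslog.conf "
                             "sends security.* (LOG_SECURITY) to /var/log/security"))
    return findings


if __name__ == "__main__":
    # In practice: listing = subprocess.check_output(["ipfw", "-a", "list"]).decode()
    # and the sysctl values from `sysctl -n net.inet.ip.fw.verbose` etc.
    for number, code, message in diagnose(SAMPLE_LISTING, verbose=1, verbose_limit=100):
        print(f"rule {number:5d} [{code}] {message}")
```

The counters answer the question that no amount of staring at the script can: whether the kernel is even evaluating the log rule. On the sample data rule 1409 has never matched, rule 1411 has passed its log quota, and only rule 1414 is actually in a position to write log lines.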