Date: Mon, 17 Dec 2007 00:51:39 -0600
From: "W. D." <WD@US-Webmasters.com>
To: freebsd-security@freebsd.org
Subject: IPFW: Blocking me out. How to debug?
Message-ID: <20071217065144.83F6013C447@mx1.freebsd.org>
In-Reply-To: <20071213183957.B348013C469@mx1.freebsd.org>
References: <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org>
How do I tell which rule is blocking me out? SSH *is* working,
but others are not.
###############################################################
# ipfw.rules
# ipfw firewall ruleset
# Location: /etc/ipfw.rules
# 2007 Dec 16 21:41
# By default, everything is denied access. You
# need to specifically allow something for it
# to work.
# Loopback:
# Allow anything on the local loopback:
add allow all from any to any via lo0
add deny ip from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
# Allow established connections:
add allow tcp from any to any established
# Deny fragmented packets:
add deny ip from any to any frag
# Show pings:
add count icmp from any to any icmptypes 8 in
# Allow pings, ping replies, and host unreach:
add allow icmp from any to any icmptypes 0,8,3
# Allow UDP traceroutes:
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out
# Allow DNS with name server
add allow udp from any to any domain out
add allow udp from any domain to any in
# SSH
# Note that /etc/hosts.allow has restrictions
# on which IP addresses are allowed.
#
# Allow SSH:
add allow tcp from any to any ssh in setup
# HTTP & HTTPS:
add allow tcp from any to any https in setup
add allow tcp from any to any http in setup
# Mail: SMTP & IMAP:
add allow tcp from any to any smtp in setup
add allow tcp from any to any imap in setup
# FTP:
add allow tcp from any to any ftp in setup
add allow tcp from any to any ftp-data in setup
add allow tcp from any ftp-data to any setup out
# Allow NTP in and out
add allow udp from any ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to any ntp in
# Deny and log everything else:
add deny log all from any to any
###############################################################
I tested the syntax using:
ipfw -n /etc/ipfw.rules
I've got logging working:
/etc/rc.conf:
Make certain you have an entry similar to:
# Log exceptions:
firewall_logging="YES"
/etc/syslog.conf:
# Log ipfw events to their own log file:
!ipfw
*.* /var/log/ipfw/ipfw.log
In the kernel config file, is a limit of 10 too small?
options IPFIREWALL # Required for IPFW
options IPFIREWALL_VERBOSE # Optional - logging
options IPFIREWALL_VERBOSE_LIMIT=10 # Optional - don't get too many log entries
options IPDIVERT # Needed for natd
Any help on this would be greatly appreciated.
Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
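Added example (not part of the original message or of FreeBSD's own tooling): two small shell helpers for answering "which rule is blocking me?" from the data ipfw already produces. The first summarises the Deny lines that the "deny log" rule writes to /var/log/ipfw/ipfw.log by rule number, protocol, destination port and direction; the second reads the output of "ipfw -a list", which prints a packet and byte counter in front of every rule, and shows only the deny rules that have actually matched something. Both sample inputs below are constructed, including the interface name fxp0 and the rule numbers: the posted ruleset has no explicit numbers, so ipfw assigns them automatically in steps of 100 and the final "deny log" rule gets the highest number. Two things to keep in mind when reading the log: IPFIREWALL_VERBOSE_LIMIT (sysctl net.inet.ip.fw.verbose_limit) is a per-rule cap, so after 10 hits a logging rule goes quiet until "ipfw resetlog" is run, while the counters shown by "ipfw -a list" keep counting until "ipfw zero".

```shell
#!/bin/sh
# Constructed sample of /var/log/ipfw/ipfw.log (syslog prefix followed by the
# kernel's "ipfw: <rule> <action> <proto> <src> <dst> <dir> via <ifname>" line).
# Rule numbers, addresses and the interface fxp0 are made up for this example.
SAMPLE_LOG='Dec 17 00:40:01 host kernel: ipfw: 2500 Deny TCP 192.0.2.10:51234 198.51.100.5:143 in via fxp0
Dec 17 00:40:02 host kernel: ipfw: 2500 Deny TCP 192.0.2.10:51235 198.51.100.5:143 in via fxp0
Dec 17 00:40:05 host kernel: ipfw: 2500 Deny UDP 198.51.100.5:123 129.6.15.28:123 out via fxp0
Dec 17 00:40:09 host kernel: ipfw: 2500 Deny TCP 198.51.100.5:49152 203.0.113.7:80 out via fxp0
Dec 17 00:40:12 host kernel: ipfw: 700 Deny ICMP:3.1 203.0.113.7 198.51.100.5 in via fxp0
Dec 17 00:40:13 host kernel: ipfw: 1300 Accept TCP 192.0.2.10:51236 198.51.100.5:22 in via fxp0'

# Constructed sample of "ipfw -a list" output: rule number, packet counter,
# byte counter, then the rule body as ipfw prints it.
SAMPLE_LIST='00100    42    3360 allow ip from any to any via lo0
00400  8120 9876543 allow tcp from any to any established
00500     0       0 deny ip from any to any frag
01300     3     180 allow tcp from any to any dst-port 22 in setup
02500    17    1020 deny log ip from any to any
65535     0       0 deny ip from any to any'

# Read ipfw log lines on stdin and print one line per distinct
# "rule proto dport direction" tuple that was denied, most frequent first.
# Only Deny lines are counted; Accept/Count lines are ignored.
ipfw_deny_summary() {
    awk '
        /ipfw: [0-9]+ Deny / {
            # Locate the "ipfw:" token so the syslog prefix length does not matter.
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); proto = $(i + 3); dst = $(i + 5); dir = $(i + 6)
            # TCP/UDP destinations carry ":port"; ICMP entries have no port.
            n = split(dst, d, ":")
            port = (n == 2) ? d[2] : "-"
            key = rule " " proto " dport=" port " " dir
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Read "ipfw -a list" output on stdin and print the deny rules whose packet
# counter is non-zero: "<rule> <packets> <rule body>".
ipfw_active_denies() {
    awk '$2 > 0 && $4 == "deny" { print $1, $2, substr($0, index($0, $4)) }'
}

# Stand-alone run against the constructed samples. On a live box replace the
# printf with:  ipfw_deny_summary < /var/log/ipfw/ipfw.log
#               ipfw -a list | ipfw_active_denies
if [ "${1:-}" = "demo" ]; then
    echo "== denied traffic by rule / port / direction =="
    printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_summary
    echo "== deny rules with non-zero counters =="
    printf '%s\n' "$SAMPLE_LIST" | ipfw_active_denies
fi
```

Run with "sh script.sh demo". In the constructed data the summary shows the catch-all rule 2500 denying inbound IMAP (port 143), an outbound NTP query to a host that is not the one listed in the ruleset, and an outbound HTTP connection, which is exactly the kind of per-port breakdown that tells you which "allow" line is missing; the counter view confirms that 2500 is the only deny rule doing any work.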
