From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: "Reuben A. Popp"
Cc: freebsd-questions@freebsd.org
Date: Wed, 16 Jun 2004 08:35:26 +0300
Subject: Re: ipfw question
Message-ID: <20040616053526.GA21650@gothmog.gr>
In-Reply-To: <200406151832.10733.gobinau@digitalcelt.net>

On 2004-06-15 18:31, "Reuben A. Popp" wrote:
> I was tinkering around trying to get my firewall set the way I wanted
> it, but seem to be running into an issue. I know that I have logging
> set in the kernel and in rc.conf, as well as in my ruleset, but for
> some odd reason, the firewall is not logging connections to the
> services I wanted watched (ftp, ssh, web, etc).
That's because your ruleset uses the following rule:

# Allow TCP through if setup succeeded
ipfw add 1200 pass tcp from any to any established

before any of the other rules are reached. This lets every TCP packet
through without logging and you never get a chance of picking out what
to log or what to block :)

A simplified version of your ruleset could be this one. Notice that
I've removed all explicit rule numbers. IPFW does a pretty good job at
automatically numbering the rules and you don't have too many rules for
it to work. On the other hand, having hardcoded numbers means that you
might miss some "reordering" of the rules and waste hours upon hours
trying to find out why it doesn't work like it's supposed to. Not a
good possibility...

Anyway, here's a ruleset very similar to yours:

#
# Part 1. Semi-standard stuff copied from rc.firewall.
#

# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush

# Only allow lo0 to send packets as 127.0.0.1
ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add deny all from 10.0.0.0/8 to any via em0
ipfw add deny all from 172.16.0.0/12 to any via em0
ipfw add deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add deny all from 0.0.0.0/8 to any via em0
ipfw add deny all from 169.254.0.0/16 to any via em0
ipfw add deny all from 192.0.2.0/24 to any via em0
ipfw add deny all from 224.0.0.0/4 to any via em0
ipfw add deny all from 240.0.0.0/4 to any via em0

#
# Part 2. Local rules that allow and log selected TCP services.
#

# Pass all ICMP messages through.
# Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
ipfw add allow icmp from any to any

# First of all state checking. This will allow through any packet
# that is marked as "legitimate" by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established

# Allow DNS or NTP sessions that originate from us.
ipfw add allow udp from any to any 53,123 out keep-state

# Allow all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state

# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

AFAIK, anything else can be blocked without stopping you from doing
your real work.

- Giorgos
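An added lint check, not from Giorgos's mail or from rc.firewall, that catches the ordering mistake discussed in the thread: a pass/allow rule matching `established` that sits in front of every `log` rule, so packets of existing TCP sessions are accepted before logging ever happens. The two sample rulesets are constructed for the demonstration; the checker reads a ruleset script from stdin or from the files given as arguments.

```shell
# Report any pass/allow/accept rule on "established" that appears
# before the first rule carrying the "log" keyword.
# Prints "line N: <rule>" for each offender and returns 1; returns 0
# when the ruleset is clean. Reads stdin, or the files passed as args.
check_established_before_log() {
    awk '
        # Drop comments and skip blank lines.
        { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }
        # Only "ipfw add" commands are rules; ignore flush, echo, etc.
        !/^[[:space:]]*ipfw[[:space:]]+add/ { next }
        # Once a logging rule has been seen, later established
        # passes no longer hide anything from the log.
        / log / { seen_log = 1 }
        # An accept of established packets before any log rule means
        # every packet of an existing session bypasses logging.
        !seen_log && /(pass|allow|accept)/ && / established/ {
            print "line " NR ": " $0
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample: the ordering from the original question.
bad_sample() {
    cat <<'EOF'
# constructed: established pass placed before the logging rules
ipfw -f flush
ipfw add 1200 pass tcp from any to any established
ipfw add check-state
ipfw add allow log tcp from any to any 21,22,80 in setup keep-state
EOF
}

# Constructed sample: state checking first, logging rules create state.
good_sample() {
    cat <<'EOF'
# constructed: check-state first, established traffic denied otherwise
ipfw -f flush
ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow log tcp from any to any 21,22,80 in setup keep-state
ipfw add allow tcp from any to any out setup keep-state
EOF
}
```

Run it against a live script with `check_established_before_log < /etc/ipfw.rules` (path assumed); a non-zero exit plus the printed line points at the rule to move or remove.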