Date: Wed, 25 Aug 2004 14:36:33 +0100
From: Philip Payne <philip.payne@uk.mci.com>
To: Dmitry Zadvornykh <foot@binbank.ru>, freebsd-questions@freebsd.org
Subject: RE: Trouble with ipfw :( help!
Message-ID: <A0A204EE2E51BC41BCDE3C1DD86D35ED0254399C@gblon1exch06.uk.mcilink.com>
Hi,

<SNIP>

> > #ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow icmp from any to any
> 00500 allow tcp from any to any established
> 00600 allow ip from any to any frag
> 00700 allow ip from me to any setup
> 00800 allow tcp from any to me dst-port 25,110,995,143,993 setup
> 00900 allow tcp from any to me dst-port 500,600 setup
> 01000 allow tcp from any to me dst-port 22,32222 setup
> 01100 allow udp from me to any dst-port 53 keep-state
> 09999 allow log ip from any to any
> 65500 deny log ip from any to any
> 65535 deny ip from any to any
>

I assume the idea is that you allow the ports you want with the line:

00800 allow tcp from any to me dst-port 25,110,995,143,993 setup

and then the sessions with:

00500 allow tcp from any to any established

Now, I haven't used this approach myself so I can't guarantee it will work.

The "setup" keyword allows any packets with SYN but no ACK. The "established" keyword will allow any packets with RST and ACK bits set. So, in theory the sessions you want should be able to pass; couldn't tell you why they're not.

However, I don't believe this is as secure as using dynamic rules, as you will accept any packet with those bits set, not packets on the ports you have allowed to "setup".

So, as a different approach, you could remove the line:

00500 allow tcp from any to any established

And change 800 from:

00800 allow tcp from any to me dst-port 25,110,995,143,993 setup

TO:

00800 allow tcp from any to me dst-port 25,110,995,143,993 setup keep-state

This would create a dynamic rule allowing TCP on the right port between the source address & your server. To allow further traffic on that dynamic rule you need a line something like:

00050 check-state

This is an approach I have used for some time and it works fine. I hope it's of use.

Thanks,
Phil.
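An added example (not part of the thread) that checks `ipfw list` output for the two points in the reply above: a blanket `established` accept, and `keep-state` rules that have no `check-state` rule ahead of them. The sample ruleset is the one quoted in the thread, embedded here as constructed input; the rule names and the `audit` function are this example's own.

```python
import re

# Constructed sample: the `ipfw list` output quoted in the thread.
ORIGINAL_RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow icmp from any to any
00500 allow tcp from any to any established
00600 allow ip from any to any frag
00700 allow ip from me to any setup
00800 allow tcp from any to me dst-port 25,110,995,143,993 setup
00900 allow tcp from any to me dst-port 500,600 setup
01000 allow tcp from any to me dst-port 22,32222 setup
01100 allow udp from me to any dst-port 53 keep-state
09999 allow log ip from any to any
65500 deny log ip from any to any
65535 deny ip from any to any
"""

# The reply's suggestion applied to the sample: drop rule 500, add keep-state
# to rule 800 and put a check-state rule in front of everything else.
STATEFUL_RULESET = "00050 check-state\n" + ORIGINAL_RULESET.replace(
    "00500 allow tcp from any to any established\n", "").replace(
    "143,993 setup\n", "143,993 setup keep-state\n")

RULE_RE = re.compile(r"^(\d+)\s+(\S+)(?:\s+(.*))?$")
ACCEPT_ACTIONS = {"allow", "accept", "pass", "permit"}


def parse_rules(text):
    """Turn `ipfw list` lines into (number, action, body) tuples; skip other lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return rules


def audit(text):
    """Return (rule number, finding) pairs for the problems the reply describes."""
    findings = []
    seen_check_state = False
    for num, action, body in parse_rules(text):
        words = body.split()
        if action == "check-state":
            seen_check_state = True
        elif action in ACCEPT_ACTIONS and "established" in words and "any to any" in body:
            findings.append((num, "blanket-established"))  # accepts any ACK/RST segment
        elif "keep-state" in words and not seen_check_state:
            findings.append((num, "keep-state-without-check-state"))
    return findings
```

Running `audit(ORIGINAL_RULESET)` flags rule 500 and rule 1100; `audit(STATEFUL_RULESET)` returns nothing.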