From owner-freebsd-questions@FreeBSD.ORG Wed Aug 4 11:31:19 2004
Message-ID: <4110C905.4080108@me.point.ne.jp>
Date: Wed, 04 Aug 2004 20:31:17 +0900
From: Srot BULL
Reply-To: pwd8jmr22w@me.point.ne.jp
User-Agent: Mozilla Thunderbird 0.7.2 (X11/20040801)
To: Giorgos Keramidas
cc: freebsd-questions@freebsd.org
References: <41109ABF.4090904@me.point.ne.jp> <20040804103848.GA31620@orion.daedalusnetworks.priv>
In-Reply-To: <20040804103848.GA31620@orion.daedalusnetworks.priv>
Subject: Re: IPFW - Allowed but Denied is shown in my logs
List-Id: User questions

> On 2004-08-04 17:13, Srot BULL wrote:
>> This is found in my /etc/ipfw.rules
>>
>> ### Allow out non-secure standard www function ###
>> $CMD 00200 allow tcp from any to any 80 out via $IFN setup keep-state
>> ### Allow out send & get email function ###
>> $CMD 00230 allow tcp from any to any 25 out via $IFN setup keep-state
>> $CMD 00231 allow tcp from any to any 110 out via $IFN setup keep-state
>> ### deny and log everything else that's trying to get out. ###
>> ### This rule enforces the block all by default logic. ###
>> $CMD 00299 deny log all from any to any out via $IFN
>
>> Why are the above firewall logs telling me that it has denied my TCP
>> packets and yet I am not experiencing some problems in my emails and
>> access to the internet through port 80. [...]
>
> Giorgos Keramidas wrote:
> Show us the full ruleset. Otherwise we're just guessing...
>

My apologies, below is my complete ruleset:

# Flush out EVERYTHING first before starting
ipfw -q -f flush

# Set rules command prefix
CMD="ipfw -q add"
IFN="rl0"

# No restrictions on Loopback Interface #
$CMD 00010 allow all from any to any via lo0

#* Allow the packet through if it has previously been added to the *#
#* "dynamic" rules table by an allow keep-state statement.         *#
$CMD 00015 check-state

#* Interface facing Public internet (Outbound Section)             *#
#* Interrogate session start requests originating from behind the *#
#* firewall on the private network or from this gateway server    *#
#* destined for the public internet.                              *#

#*** Temporary OPENINGS ***#
$CMD 00099 allow tcp from any to any 6088 out via $IFN setup keep-state

#* Allow out access to ISP's DNS. *#
$CMD 00110 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
$CMD 00111 allow udp from any to x.x.x.x 53 out via $IFN keep-state
$CMD 00112 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
$CMD 00113 allow udp from any to x.x.x.x 53 out via $IFN keep-state
$CMD 00114 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
$CMD 00115 allow udp from any to x.x.x.x 53 out via $IFN keep-state

#* Allow out access to my ISP's DHCP server for cable/DSL configurations. *#
$CMD 00120 allow udp from any to x.x.x.x 67 out via $IFN keep-state

#* Allow out non-secure standard www function *#
$CMD 00200 allow tcp from any to any 80 out via $IFN setup keep-state

#* Allow out connection for my Dictionary *#
$CMD 00201 allow tcp from any to any 2628 out via $IFN setup keep-state

#* Allow out connection for MSN Protocol *#
$CMD 00202 allow tcp from any to any 1863 out via $IFN setup keep-state
#* "setup" is a tcp-flags option (SYN without ACK) and has no meaning *#
#* for udp; with it the udp rule could never match and the packets    *#
#* fell through to rule 00299.                                        *#
$CMD 00203 allow udp from any to any 1863 out via $IFN keep-state

#* Allow out secure www function https over TLS SSL *#
$CMD 00220 allow tcp from any to any 443 out via $IFN setup keep-state

#* Allow out SEND & GET email function *#
$CMD 00230 allow tcp from any to any 25 out via $IFN setup keep-state
$CMD 00231 allow tcp from any to any 110 out via $IFN setup keep-state

#* Allow out FBSD (make install & CVSUP) functions *#
#* Basically give user root "GOD" privileges.       *#
$CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root

#* Allow out ping *#
$CMD 00250 allow icmp from any to any out via $IFN keep-state

#* Allow out Time *#
$CMD 00260 allow tcp from any to any 37 out via $IFN setup keep-state

#* Allow out nntp news (IE: news groups) *#
$CMD 00270 allow tcp from any to any 119 out via $IFN setup keep-state

#* Allow out secure FTP, Telnet, and SCP      *#
#* This function is using SSH (secure shell) *#
$CMD 00280 allow tcp from any to any 22 out via $IFN setup keep-state

#* Allow out whois *#
$CMD 00290 allow tcp from any to any 43 out via $IFN setup keep-state

#* DENY and LOG everything else that's trying to get out. *#
#* This rule enforces the block all by default logic.     *#
$CMD 00299 deny log all from any to any out via $IFN

#* Interface facing Public internet (Inbound Section)        *#
#* Interrogate packets originating from the public internet *#
#* destined for this gateway server or the private network. *#

#* Deny all inbound traffic from non-routable reserved address spaces *#
#RFC 1918 private IP#
$CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
#RFC 1918 private IP#
$CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
#RFC 1918 private IP#
$CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN
#loopback#
$CMD 00303 deny all from 127.0.0.0/8 to any in via $IFN
#loopback#
$CMD 00304 deny all from 0.0.0.0/8 to any in via $IFN
#DHCP auto-config#
$CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN
#reserved for doc's#
$CMD 00306 deny all from 192.0.2.0/24 to any in via $IFN
$CMD 00307 deny all from 204.152.64.0/23 to any in via $IFN
#Class D & E multicast#
$CMD 00308 deny all from 224.0.0.0/3 to any in via $IFN

#* Deny public pings *#
$CMD 00310 deny icmp from any to any in via $IFN

#* Deny ident (auth), tcp port 113.                                  *#
#* As posted this rule had no port, so it denied EVERY inbound tcp   *#
#* packet and rules 00320-00332 below could never be reached.        *#
$CMD 00315 deny tcp from any to any 113 in via $IFN

#* Deny all Netbios service. 137=name, 138=datagram, 139=session *#
#* Netbios is MS/Windows sharing services.                        *#
#* Block MS/Windows hosts2 name server requests 81                *#
$CMD 00320 deny tcp from any to any 137 in via $IFN
$CMD 00321 deny tcp from any to any 138 in via $IFN
$CMD 00322 deny tcp from any to any 139 in via $IFN
$CMD 00323 deny tcp from any to any 81 in via $IFN

#* Deny any late arriving (fragmented) packets *#
$CMD 00330 deny all from any to any frag in via $IFN

#* Deny ACK packets that did not match the dynamic rule table *#
$CMD 00332 deny tcp from any to any established in via $IFN

#* Allow traffic in from ISP's DHCP server.        *#
#* Only necessary for cable or DSL configurations. *#
$CMD 00360 allow udp from any to x.x.x.x 67 in via $IFN keep-state

#* Allow in standard www function because Apache Server *#
#$CMD 00400 allow tcp from any to me 80 in via $IFN setup limit src-addr 2

#* Allow in secure FTP, Telnet, and SCP from public Internet *#
#$CMD 00410 allow tcp from any to me 22 in via $IFN setup limit src-addr 2

#* Allow in non-secure Telnet session from public Internet   *#
#* labeled non-secure because ID & PW are passed over public *#
#* internet as clear text.                                   *#
#$CMD 00420 allow tcp from any to me 23 in via $IFN setup limit src-addr 2

#* Reject & Log all incoming connections from the outside *#
$CMD 00499 deny log all from any to any in via $IFN

# Everything else is denied by default
# DENY and LOG all packets that fell through to see what they are
$CMD 00999 deny log all from any to any

The basis for my rulesets is taken from:
http://freebsd.a1poweruser.com:6088/FBSD_firewall/

If you find anything wrong with my rulesets please do comment... only if you do not mind...

Thanks,
Srot BULL
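An added diagnostic for the "allowed but denied" question above; it is not part of the original message or of the a1poweruser ruleset. It summarises ipfw Deny log lines by rule number and destination port, then flags rule 00299 denies to tcp ports this ruleset allows outbound, which with "setup keep-state" rules are non-SYN packets that had no dynamic-table entry. It assumes the standard ipfw syslog line format ("ipfw: <rule> Deny <proto> <src> <dst> <in|out> via <if>"); the log lines, host name and addresses are constructed samples.

```shell
#!/bin/sh
# Constructed sample ipfw log lines (not from the original post). The
# destination port is the last ":"-separated element of the dst field.
SAMPLE_LOG='Aug  4 20:10:01 gw kernel: ipfw: 299 Deny TCP 192.168.0.2:3021 203.0.113.10:80 out via rl0
Aug  4 20:10:03 gw kernel: ipfw: 299 Deny TCP 192.168.0.2:3022 203.0.113.25:110 out via rl0
Aug  4 20:10:07 gw kernel: ipfw: 499 Deny TCP 198.51.100.7:4455 203.0.113.1:22 in via rl0
Aug  4 20:10:09 gw kernel: ipfw: 299 Deny UDP 192.168.0.2:1026 203.0.113.53:123 out via rl0
Aug  4 20:10:11 gw kernel: ipfw: 299 Deny TCP 192.168.0.2:3021 203.0.113.10:80 out via rl0
Aug  4 20:10:13 gw kernel: ipfw: 310 Deny ICMP:8.0 198.51.100.9 203.0.113.1 in via rl0'

# tcp ports the posted ruleset allows outbound with "setup keep-state".
ALLOWED_OUT_TCP="6088 53 80 2628 1863 443 25 110 37 119 22 43"

# Print "rule proto dport dir count" for every Deny line, most frequent first.
# ICMP lines carry "ICMP:type.code" and no ports, so dport is "-" for them.
summarize_denies() {
    awk '/ipfw: [0-9]+ Deny/ {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule = $(i+1); proto = $(i+3); dst = $(i+5); dir = $(i+6)
        if (proto ~ /^ICMP/) port = "-"
        else { n = split(dst, a, ":"); port = a[n] }
        count[rule " " proto " " port " " dir]++
    }
    END { for (k in count) print k, count[k] }' | sort -k5,5nr
}

# Outbound tcp denies by rule 00299 to a port that rule 00200-00290 allow:
# the allow rules only match SYN packets ("setup"), so these are packets of
# an existing session whose dynamic entry was missing or had expired (late
# FIN/ACK/RST, retransmits after close), not failed connections.
stale_state_denies() {
    summarize_denies | while read rule proto port dir count; do
        [ "$rule" = "299" ] && [ "$proto" = "TCP" ] || continue
        case " $ALLOWED_OUT_TCP " in
            *" $port "*) echo "$port $count" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_LOG" | stale_state_denies
```

Feed the real log with something like "grep 'ipfw:' /var/log/security | stale_state_denies"; a port that appears here but never in rule 00200-00290 denies of SYN packets is noise from state expiry, not a blocked service.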