From owner-freebsd-questions Wed Dec 6 6:25:41 2000
From owner-freebsd-questions@FreeBSD.ORG Wed Dec 6 06:25:34 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from freeze.org (www.bellnetworks.net [208.177.187.234]) by hub.freebsd.org (Postfix) with ESMTP id 743FC37B400 for ; Wed, 6 Dec 2000 06:25:33 -0800 (PST)
Received: (from jim@localhost) by freeze.org (8.9.3/8.9.3) id JAA21506; Wed, 6 Dec 2000 09:25:31 -0500 (EST) (envelope-from jim)
X-Authentication-Warning: www.bellnetworks.net: Processed from queue /var/spool/alt_queue
X-Authentication-Warning: www.bellnetworks.net: Processed by jim with -C /web/siteinfo/freeze/mail/sendmail.cf
Date: Wed, 6 Dec 2000 09:25:29 -0500 (EST)
From: Jim Freeze
X-Sender: jim@www.bellnetworks.net
To: Edwin Groothuis
Cc: freebsd-questions@freebsd.org
Subject: Re: Can no longer ssh
In-Reply-To: <20001206150418.B32018@d9168.upc-d.chello.nl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 6 Dec 2000, Edwin Groothuis wrote:

> I'm interested in the other lines.
> Also, put a "log" statement on lines which you see which rules are
> denying everything.
ipfw show

00150   196    21948 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 192.168.0.0/24 to any in recv vx0
00400     0        0 deny ip from 24.9.218.0/24 to any in recv xl0
00500     0        0 deny ip from 172.16.0.0/12 to any via vx0
00600     0        0 deny ip from any to 172.16.0.0/12 via vx0
00700     0        0 deny ip from 10.0.0.0/8 to any via vx0
00800     0        0 deny ip from any to 10.0.0.0/8 via vx0
00900     0        0 deny log logamount 100 ip from 0.0.0.0/8 to any via vx0
01000     0        0 deny log logamount 100 ip from any to 0.0.0.0/8 via vx0
01100     0        0 deny log logamount 100 ip from 169.254.0.0/16 to any via vx0
01200     0        0 deny log logamount 100 ip from any to 169.254.0.0/16 via vx0
01300     0        0 deny log logamount 100 ip from 192.0.2.0/24 to any via vx0
01400     0        0 deny log logamount 100 ip from any to 192.0.2.0/24 via vx0
01500     0        0 deny log logamount 100 ip from 224.0.0.0/4 to any via vx0
01600     0        0 deny log logamount 100 ip from any to 224.0.0.0/4 via vx0
01700     0        0 deny log logamount 100 ip from 240.0.0.0/4 to any via vx0
01800     9     3184 deny log logamount 100 ip from any to 240.0.0.0/4 via vx0
01900 12551  8317971 allow tcp from any to any established
02000     0        0 allow ip from any to any frag
02100     0        0 allow tcp from any to 24.9.218.175 80 setup
02200  3150   151200 allow tcp from any to any 80 setup
02300     0        0 allow tcp from any to any 25 setup
02400     0        0 allow tcp from any 20 to any 1024-65535 setup
02500     0        0 deny log logamount 100 tcp from any to any 21 in recv vx0 setup
02600     5      220 allow log logamount 100 tcp from any to any 22 in recv vx0 setup
02700     0        0 allow log logamount 100 tcp from 157.95.47.22 to 24.9.218.175 22 setup
02800     0        0 allow log logamount 100 tcp from any to any 22 in recv vx0 setup
02900     0        0 reset tcp from any to any 113 in recv vx0 setup
03000     6      264 deny log logamount 100 tcp from any to any in recv vx0 setup
03100    10      440 allow tcp from any to any setup
03200   138     9742 allow udp from any to 24.5.116.15 53
03300   146    10300 allow udp from any to 24.5.116.17 53
03400     2      304 allow udp from 24.5.116.15 53 to any
03500    26     4162 allow udp from 24.5.116.17 53 to any
03600   293    71884 allow udp from any to any 137-139 via xl0
03700     0        0 allow udp from any 123 to any 123 via vx0
03800     0        0 allow udp from any 123 to any via xl0
03900     0        0 allow udp from any to any 123 via xl0
04000     0        0 allow udp from any to any 33434-33523 out xmit vx0
04100     0        0 allow icmp from any to any via xl0
04200     0        0 allow icmp from any to any out xmit vx0 icmptype 8
04300     0        0 allow icmp from any to any in recv vx0 icmptype 0
04400     4      224 allow icmp from any to any via vx0 icmptype 3,4,11,12
04500     4      336 deny icmp from any to any
63000     0        0 deny ip from any to 0.0.0.255:0.0.0.255 in recv vx0
64000     0        0 deny log logamount 100 udp from any to any 137-139 via vx0
65000     1       46 deny log logamount 100 ip from any to any via vx0
65100     0        0 deny log logamount 100 tcp from any to any in recv vx0 setup
65200     0        0 allow tcp from any to any setup
65300     0        0 allow udp from any 53 to 24.9.218.175
65400     0        0 allow udp from 24.9.218.175 to any 53
65500     0        0 allow udp from any 123 to 24.9.218.175
65500     0        0 allow udp from 24.9.218.175 to any 123
65535    10      805 deny ip from any to any

my rc.firewall is:

elif [ "${firewall_type}" = "simple" ]; then
    # set these to your outside interface network and netmask and ip
    oif="vx0"
    onet="24.9.218.0"
    omask="255.255.255.0"
    oip="24.9.218.175"

    # set these to your inside interface network and netmask and ip
    iif="xl0"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"

    # My ISP's DNS servers
    dns1="24.5.116.15"
    dns2="24.5.116.17"

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    #$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    #$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Stop draft-manning-dsua-01.txt nets on the outside interface
    ${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    ### TCP SETUP RULES

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Allow LAN users WWW access
    #${fwcmd} add pass tcp from any to ${iip} 80 setup

    # HTTP - Allow access to our web server
    ${fwcmd} add pass tcp from any to any 80 setup

    # Allow setup of incoming email
    #$fwcmd add pass tcp from any to ${oip} 25 setup

    # SMTP - Allow access to sendmail for incoming e-mail
    ${fwcmd} add pass tcp from any to any 25 setup

    # FTP - Allow incoming data channel for outgoing connections,
    # Reject&Log all incoming control connections
    ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
    ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

    # SSH Login - Allow & Log all incoming
    ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

    # IDENT - Reset incoming connections
    ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

    ### UDP RULES

    # Allow access to our DNS
    #$fwcmd add pass tcp from any to ${oip} 53 setup

    # DNS - Allow queries out in the world
    ${fwcmd} add pass udp from any to ${dns1} 53
    ${fwcmd} add pass udp from any to ${dns2} 53
    ${fwcmd} add pass udp from ${dns1} 53 to any
    ${fwcmd} add pass udp from ${dns2} 53 to any

    # SMB - Allow local traffic
    ${fwcmd} add pass udp from any to any 137-139 via ${iif}

    # NTP - Allow server-to-server on outside interface, client-to-server
    # on inside interface
    ${fwcmd} add pass udp from any 123 to any 123 via ${oif}
    ${fwcmd} add pass udp from any 123 to any via ${iif}
    ${fwcmd} add pass udp from any to any 123 via ${iif}

    # TRACEROUTE - Allow outgoing, but not incoming
    ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

    ### ICMP RULES

    # ICMP packets
    # Allow all ICMP packets on internal interface
    ${fwcmd} add pass icmp from any to any via ${iif}

    # Allow outgoing pings, but not incoming
    ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
    ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

    # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
    ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

    # Deny the rest of them
    ${fwcmd} add deny icmp from any to any

    ### MISCELLANEOUS REJECT RULES

    # Reject broadcasts from outside interface
    ${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

    # Reject&Log SMB connections on outside interface
    ${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

    # Reject&Log all other connections from outside interface
    ${fwcmd} add 65000 deny log ip from any to any via ${oif}

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
    $fwcmd ${firewall_type}
fi

====================================================
Jim Freeze                            jim@freeze.org
---------------------------------------------------
**            http://www.freeze.org              **
====================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
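Edwin's suggestion above comes down to reading the packet counters in the `ipfw show` listing: because ipfw is first-match, the deny rules whose counters move are the ones actually dropping traffic, and any rule whose match specification repeats an earlier rule can never fire at all. The script below is an added example (not part of the original post or of FreeBSD's rc.firewall) that does that triage offline over pasted `ipfw show` output. It assumes the `number packets bytes action [log [logamount N]] match...` line layout the listing above uses, treats `log`/`logamount` as an option rather than part of the match, and ignores the action when comparing match specifications, since first-match means an identical later match never runs regardless of its action. The sample text is a constructed excerpt of the poster's listing, with the rule numbers and counters copied from the page.

```python
"""Triage an `ipfw show` listing: which deny rules are actually firing, and
which rules are dead because an earlier rule already matches the same traffic.
Added example code, not from the original post or from rc.firewall."""
import re

# Constructed sample: an excerpt of the poster's `ipfw show` output (page values).
IPFW_SHOW_SAMPLE = """\
01900 12551 8317971 allow tcp from any to any established
02500 0 0 deny log logamount 100 tcp from any to any 21 in recv vx0 setup
02600 5 220 allow log logamount 100 tcp from any to any 22 in recv vx0 setup
02700 0 0 allow log logamount 100 tcp from 157.95.47.22 to 24.9.218.175 22 setup
02800 0 0 allow log logamount 100 tcp from any to any 22 in recv vx0 setup
03000 6 264 deny log logamount 100 tcp from any to any in recv vx0 setup
03100 10 440 allow tcp from any to any setup
65000 1 46 deny log logamount 100 ip from any to any via vx0
65100 0 0 deny log logamount 100 tcp from any to any in recv vx0 setup
65200 0 0 allow tcp from any to any setup
65535 10 805 deny ip from any to any
"""

# Assumed layout: rule-number packets bytes action rest-of-rule
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
# `log` and `log logamount N` are logging options, not part of the match.
LOG_RE = re.compile(r"^log(?:\s+logamount\s+\d+)?\s+")
DENY_ACTIONS = {"deny", "drop", "reset", "unreach"}


def parse_ipfw_show(text):
    """Return one dict per rule line; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, pkts, nbytes, action, rest = m.groups()
        match = LOG_RE.sub("", rest).strip()
        rules.append({
            "num": int(num), "pkts": int(pkts), "bytes": int(nbytes),
            "action": action, "match": match, "logged": rest != match,
        })
    return rules


def firing_denies(rules):
    """Numbers of deny-type rules whose packet counter is non-zero."""
    return [r["num"] for r in rules
            if r["action"] in DENY_ACTIONS and r["pkts"] > 0]


def shadowed(rules):
    """(later, earlier) pairs where the later rule repeats an earlier rule's
    match specification exactly; under first-match the later rule never fires."""
    first_seen = {}
    pairs = []
    for r in rules:
        if r["match"] in first_seen:
            pairs.append((r["num"], first_seen[r["match"]]))
        else:
            first_seen[r["match"]] = r["num"]
    return pairs


def report(text):
    """Human-readable summary, returned as a list of lines."""
    rules = parse_ipfw_show(text)
    lines = ["deny rules with hits: " + ", ".join(f"{n:05d}" for n in firing_denies(rules))]
    for later, earlier in shadowed(rules):
        lines.append(f"rule {later:05d} can never match: identical to {earlier:05d}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(IPFW_SHOW_SAMPLE)))
```

Run against the full listing in the post, the same checks pick out rule 02800 as a repeat of 02600, and 65100 and 65200 as repeats of 03000 and 03100; those trailing rules were auto-numbered after the explicit `add 65000 deny log ip from any to any via ${oif}` because the duplicated block sits after it in the posted rc.firewall. Only exact textual duplicates are detected; a broader rule that subsumes a narrower later one (for example 65000 covering everything on vx0 that follows it) needs a real match simulation, which this does not attempt.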