Date: Wed, 13 Oct 2004 08:41:44 -0700 (PDT) From: Dave McCammon <davemac11@yahoo.com> To: David Banning <david@skytracker.ca> Cc: questions@freebsd.org Subject: Re: ipfw - denying all - what port for OE Message-ID: <20041013154144.16125.qmail@web41412.mail.yahoo.com> In-Reply-To: <20041013050424.GA87540@skytrackercanada.com>
--- David Banning <david@skytracker.ca> wrote:
> My server is my desktop. My ipfw rules follow.
> Whenever I take out line 12000 it runs fine. When I put it back in I
> can't run OE.
>
> 01000 allow tcp from any to any 10060
> 01040 allow tcp from any to any 22
> 10100 allow tcp from any to any 80
> 10200 allow tcp from any to any 10080
> 10300 allow tcp from any to any 3128
> 10400 allow tcp from any to any 8180
> 10600 allow tcp from any to any 8025
> 10700 allow tcp from any to any 110
> 10800 allow tcp from any to any 25
> 10810 allow tcp from any to any 109
> 10820 allow tcp from any to any 106
> 11001 allow tcp from any to any 389
> 11002 allow tcp from any to any 636
> 11003 allow tcp from any to any 379
> 11004 allow tcp from any to any 390
> 11005 allow tcp from any to any 3268
> 11006 allow tcp from any to any 3269
> 11007 allow tcp from any to any 143
> 11008 allow tcp from any to any 993
> 11009 allow tcp from any to any 995
> 11010 allow tcp from any to any 119
> 11011 allow tcp from any to any 563
> 11012 allow tcp from any to any 443
> 11013 allow tcp from any to any 465
> 11015 allow tcp from any to any 625
> 11016 allow tcp from any to any 135
> 11017 allow tcp from any to any 935
> 12000 deny tcp from 209.188.66.29 to any
>

I may be assuming a lot here with the info you have given but....

Correct me if I'm wrong, but I'm assuming 209.188.66.29 is your machine and it has the services running, and your ipfw setup in your kernel has IPFIREWALL_DEFAULT_TO_ACCEPT.

With that setup, OE will work without rule 12000 because the client-to-server packets match rule 10700 and server-to-client will match the last rule (65535 in #ipfw show). With rule 12000 inserted, client-to-server packets match rule 10700 but server-to-client get blocked by 12000.
You may try adding:

01050 allow tcp from any to any established

and add "setup" to the end of the rest of the "allow" rules. Example:

01000 allow tcp from any to me 10060 setup

Or try rewriting your rules to use dynamic rules. Example:

01050 check-state
01000 allow tcp from any to me 10060 setup keep-state
01040 allow tcp from any to me 22 setup keep-state
10100 allow tcp from any to me 80 setup keep-state
10200 allow tcp from any to me 10080 setup keep-state
.....
(last rule)
50000 deny ip from any to any

Now, if your setup doesn't match what I outlined above, please send your output of (as root) #ipfw show. With this output we can better help you adjust your ruleset. You may want to also include your /etc/rc.conf file and what firewall options you have in your kernel config.
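The first-match behaviour described in the reply above, as an added example that is not part of the original e-mail: a tiny model of ipfw rule evaluation shows the POP3 server's reply segment hitting rule 12000 under the original ruleset, and hitting the "established" rule once it is added. The client address, the client's ephemeral port and the evaluator itself are constructed for illustration; only the server address and rule numbers come from the thread.

```python
# Added example: a minimal model of ipfw first-match evaluation.
# It reproduces the reply's reasoning, not ipfw's real implementation.
from dataclasses import dataclass

SERVER = "209.188.66.29"     # server address quoted in the thread
CLIENT = "192.0.2.10"        # constructed client address
DEFAULT_TO_ACCEPT = True     # IPFIREWALL_DEFAULT_TO_ACCEPT, as the reply assumes


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool   # True for every segment after the initial SYN


# "allow tcp from any to any 110" matches on destination port only, so the
# server's reply (destination = client's ephemeral port) never matches it.
def allow_dport(port):
    return lambda p: p.dport == port


def deny_from(src):
    return lambda p: p.src == src


def established(p):          # ipfw "established": ACK set (or RST)
    return p.ack


def evaluate(rules, pkt):
    """Return (rule number, action) of the first match; 65535 is the default rule."""
    for number, action, match in sorted(rules, key=lambda r: r[0]):
        if match(pkt):
            return number, action
    return 65535, ("allow" if DEFAULT_TO_ACCEPT else "deny")


ORIGINAL = [(10700, "allow", allow_dport(110)),
            (12000, "deny", deny_from(SERVER))]
REPAIRED = [(1050, "allow", established)] + ORIGINAL

# Client-to-server SYN to POP3, then the server's first reply segment.
REQUEST = Packet(CLIENT, SERVER, 110, ack=False)
REPLY = Packet(SERVER, CLIENT, 49152, ack=True)   # 49152: constructed client port

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("repaired", REPAIRED)):
        print(name, "request ->", evaluate(rules, REQUEST),
              "reply ->", evaluate(rules, REPLY))
```

Without the "established" rule the reply is denied by 12000 even though the request was allowed, which is why OE hangs; the check-state/keep-state variant in the reply fixes the same problem statefully and also lets the final rule deny everything unsolicited.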