Date: Thu, 25 Dec 2003 10:33:56 +1030
From: "Rob" <listone@deathbeforedecaf.net>
To: "Drew Robertson" <the_brothel@hotmail.com>, <freebsd-questions@freebsd.org>
Subject: Re: IPFW Rule set question...
Message-ID: <011401c3ca7a$975c1100$a4b826cb@goo>
References: <BAY99-F62TzOLkM1U5l00021e76@hotmail.com>
Just a very quick suggestion - when you get an initial connection that
closes almost immediately, it is usually TCP wrappers rather than a
firewall. Have you checked /etc/hosts.allow?

----- Original Message -----
From: "Drew Robertson" <the_brothel@hotmail.com>
Subject: IPFW Rule set question...

>
> Hi everyone,
>
> Thanks to those who take the time to read and reply to these emails.
>
> I have a strange issue regarding my firewall (IPFW)...
>
> I have enabled SSH, TELNET and FTP on my FreeBSD 4.8 box at home... it is
> dual homed, 2 NICs, one for the internal LAN, one running my cable modem.
> Everything works fine on the internal side.
>
> When accessing the box using any of those apps from work, the system looks
> to briefly connect and then returns a "Connection Lost" or "Connection
> closed by remote host" error.
>
> The command setup to allow in access is as follows...
>
> 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup
>
> When this didn't work I added another command at the start of the ruleset to
> just let everything in from a particular IP address range...
>
> 202 allow ip from 203.10.10.0/24 to any
>
> However this produced the same error...
>
> It wasn't until I allowed all from any to any that I was able to connect...
>
> When checking out the security log, it tells me that rule 820 is allowing
> access to my computer at home...
>
>
> Ruleset is attached completely below
>
> /sbin/ipfw -q -f flush
>
> # Set rules command prefix
> # The -q option on the command is for quiet mode.
> # Do not display rules as they load. Remove during development to see.
> cmd="/sbin/ipfw -q add"
>
> # Set defaults
> oif="tl0"               # NIC card to cable modem public internet connection
> odns1="203.2.75.132"    # ISP's DNS server IP address
>
> $cmd 00200 divert natd all from any to any via $oif
>
>
> ######## control section ############################################
> # Start of IPFW advanced Stateful Filtering using "dynamic" rules.
> # The check-state statement behavior is to match bi-directional packet traffic
> # flow between source and destination using protocol/IP/port/sequence number.
> # The dynamic rule has a limited lifetime which is controlled by a set of
> # sysctl(8) variables. The lifetime is refreshed every time a matching
> # packet is found in the dynamic table.
>
> # Allow the packet through if it has previously been added to the
> # "dynamic" rules table by an allow keep-state statement.
>
> $cmd 00202 allow log all from 203.10.10.0/24 to any
> $cmd 00203 allow log all from any to any via tun0
>
> $cmd 00400 check-state
>
>
> # SAMBA File/Printer Sharing on Internal LAN
> $cmd 0410 allow log tcp from 192.168.1.0/24 to 192.168.1.0/24
> $cmd 0411 allow log udp from 192.168.1.0/24 to 192.168.1.0/24
>
> # Run all private LAN xl0 packet traffic through the dynamic rules
> # table so the IP addresses are in sync with natd.
> $cmd 00500 allow log all from any to any via sis0 keep-state
>
> # Deny all fragments as bogus packets
> $cmd 00530 deny log all from any to any frag in via $oif
>
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 00540 deny log tcp from any to any established in via $oif
>
> ######## outbound section ############################################
> # Interrogate packets originating from behind the firewall, private net.
> # Upon a rule match, its keep-state option will create a dynamic rule.
>
> # Allow out non-secure standard http function
> $cmd 00600 allow log tcp from any to any 80 out via $oif setup keep-state
>
> # Allow out secure www function https over TLS SSL
> $cmd 00601 allow log tcp from any to any 443 out via $oif setup keep-state
>
> # Allow out access to my ISP's Domain name server.
> $cmd 00610 allow log tcp from any to $odns1 53 out via $oif setup keep-state
> $cmd 00611 allow log udp from any to $odns1 53 out via $oif keep-state
>
> # Allow out send & get email function
> $cmd 00630 allow log tcp from any to any 25,110 out via $oif setup keep-state
>
> # Allow out & in FBSD (make install & CVSUP) functions
> # Basically give user id [ROOT] "GOD" privileges.
> $cmd 00640 allow log tcp from me to any out via $oif setup keep-state uid root
>
> ######## inbound section ############################################
> # Interrogate packets originating from in front of the firewall, public net.
>
> # Allow in www http access to my apache server
> #$cmd 00800 allow log tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
>
> # Allow TCP FTP control channel in & data channel out
> $cmd 00810 allow log tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
> $cmd 00811 allow log tcp from any 20 to any 1024-49151 out via $oif setup keep limit src-addr 4
>
> # Allow in ssh function
> $cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4
>
> # Allow in Telnet
> $cmd 00830 allow log tcp from any to me 23 in via $oif setup keep-state limit src-addr 4
>
>
> Thanks.
>
> D
>
> _________________________________________________________________
> ninemsn Premium transforms your e-mail with colours, photos and animated
> text.
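As an added aid for following Rob's hint (example code, not from either poster): a small evaluator in the style of hosts_access(5) that reports which /etc/hosts.allow line a connection from a given address would hit, so a "connects then drops at once" symptom can be checked against TCP wrappers before touching ipfw. The sample hosts.allow is constructed; 203.10.10.0/24 is the range from Drew's mail, the other addresses are made up.

```python
"""Evaluate a FreeBSD hosts.allow against a daemon/client pair.

Subset of hosts_access(5): daemon lists (ALL or names), client patterns
ALL, n.n.n.n/m.m.m.m net/mask and trailing-dot prefixes, and the
allow/deny option keyword. First matching line wins; no match = allow.
"""
import ipaddress

# Constructed hosts.allow; only the 203.10.10.0/24 range is from the thread.
SAMPLE_HOSTS_ALLOW = """
# sshd from the internal LAN
sshd : 192.168.1. : allow
# ssh and telnet from the office range used in the thread
sshd telnetd : 203.10.10.0/255.255.255.0 : allow
# everyone else: tcpd accepts the TCP handshake, then closes at once
ALL : ALL : deny
"""

def client_matches(pattern, addr):
    """One client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # 192.168.1. matches 192.168.1.x
        return addr.startswith(pattern)
    if "/" in pattern:                 # net/mask in dotted-quad form
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(
            (net, mask), strict=False)
    return pattern == addr             # literal host address

def hosts_access(config, daemon, addr):
    """Return ('allow'|'deny', matching line or None) as tcpd would decide."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].split()
        if "ALL" not in daemons and daemon not in daemons:
            continue
        if any(client_matches(p, addr) for p in fields[1].split()):
            # FreeBSD's single hosts.allow: a match allows unless an option
            # in the third field says deny (hosts_options(5) language).
            options = [o.lower() for o in fields[2:]]
            return ("deny" if "deny" in options else "allow"), line
    return "allow", None  # nothing matched: tcpd grants access

if __name__ == "__main__":
    for who in ("192.168.1.20", "203.10.10.77", "198.51.100.9"):
        print("sshd from", who, "->", hosts_access(SAMPLE_HOSTS_ALLOW, "sshd", who))
```

Run it against the real /etc/hosts.allow by reading the file into `config`; a verdict of deny for the work address points at tcpd rather than the firewall rules.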