From owner-freebsd-questions@FreeBSD.ORG Wed Dec 24 16:04:04 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C1A616A4CE for ; Wed, 24 Dec 2003 16:04:04 -0800 (PST)
Received: from zim.0x7e.net (zim.0x7e.net [203.38.184.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3B6F443D54 for ; Wed, 24 Dec 2003 16:04:01 -0800 (PST) (envelope-from listone@deathbeforedecaf.net)
Received: from goo.0x7e.net ([203.38.184.164] helo=goo) by zim.0x7e.net with smtp (Exim 3.36 #1) id 1AZIyr-0005wG-00; Thu, 25 Dec 2003 10:33:57 +1030
Message-ID: <011401c3ca7a$975c1100$a4b826cb@goo>
From: "Rob"
To: "Drew Robertson" ,
References:
Date: Thu, 25 Dec 2003 10:33:56 +1030
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Subject: Re: IPFW Rule set question...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 25 Dec 2003 00:04:04 -0000

Just a very quick suggestion - when you get an initial connection that closes almost immediately, it is usually TCP wrappers rather than a firewall. Have you checked /etc/hosts.allow?

----- Original Message -----
From: "Drew Robertson"
Subject: IPFW Rule set question...

>
> Hi everyone,
>
> Thanks to those who take the time to read and reply to these emails.
>
> I have a strange issue regarding my firewall (IPFW)...
>
> I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it is
> dual homed, 2 NICs one for the internal LAN one running my cable modem.
> Everything works fine on the internal side.
>
> When accessing the box using any of those apps from work, the system looks
> to briefly connect and then returns a "Connection Lost" or "Connection
> closed by remote host error".
>
> The command setup to allow in access is as follows...
>
> 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup
>
> when this didn't work I added another command at the start of the ruleset to
> just let everything in from a particular IP address range...
>
> 202 allow ip from 203.10.10.0/24 to any
>
> however this produced the same error...
>
> It wasn't until I allowed all from any to any that I was able to connect...
>
> When checking out the security log, it tells me that rule 820 is allowing
> access to my computer at home...
>
>
> Ruleset is attached completely below
>
> /sbin/ipfw -q -f flush
>
> # Set rules command prefix
> # The -q option on the command is for quiet mode.
> # Do not display rules as they load. Remove during development to see.
> cmd="/sbin/ipfw -q add"
>
> # Set defaults
> oif="tl0"             # Nic card to cable modem public internet connection
> odns1="203.2.75.132"  # ISP's dns server IP address
>
> $cmd 00200 divert natd all from any to any via $oif
>
>
> ######## control section ############################################
> # Start of IPFW advanced Stateful Filtering using "dynamic" rules.
> # The check-state statement behavior is to match bi-directional packet traffic
> # flow between source and destination using protocol/IP/port/sequence number.
> # The dynamic rule has a limited lifetime which is controlled by a set of
> # sysctl(8) variables. The lifetime is refreshed every time a matching
> # packet is found in the dynamic table.
>
> # Allow the packet through if it has previously been added to the
> # "dynamic" rules table by an allow keep-state statement.
>
> $cmd 00202 allow log all from 203.10.10.0/24 to any
> $cmd 00203 allow log all from any to any via tun0
>
> $cmd 00400 check-state
>
>
> # SAMBA File/Printer Sharing on Internal LAN
> $cmd 0410 allow log tcp from 192.168.1.0/24 to 192.168.1.0/24
> $cmd 0411 allow log udp from 192.168.1.0/24 to 192.168.1.0/24
>
> # Run all private LAN xl0 packet traffic through the dynamic rules
> # table so the IP addresses are in sync with Natd.
> $cmd 00500 allow log all from any to any via sis0 keep-state
>
> # Deny all fragments as bogus packets
> $cmd 00530 deny log all from any to any frag in via $oif
>
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 00540 deny log tcp from any to any established in via $oif
>
> ######## outbound section ############################################
> # Interrogate packets originating from behind the firewall, private net.
> # Upon a rule match, its keep-state option will create a dynamic rule.
>
> # Allow out non-secure standard http function
> $cmd 00600 allow log tcp from any to any 80 out via $oif setup keep-state
>
> # Allow out secure www function https over TLS SSL
> $cmd 00601 allow log tcp from any to any 443 out via $oif setup keep-state
>
> # Allow out access to my ISP's Domain name server.
> $cmd 00610 allow log tcp from any to $odns1 53 out via $oif setup keep-state
> $cmd 00611 allow log udp from any to $odns1 53 out via $oif keep-state
>
> # Allow out send & get email function
> $cmd 00630 allow log tcp from any to any 25,110 out via $oif setup keep-state
>
> # Allow out & in FBSD (make install & CVSUP) functions
> # Basically give user id [ROOT] "GOD" privileges.
> $cmd 00640 allow log tcp from me to any out via $oif setup keep-state uid root
>
> ######## inbound section ############################################
> # Interrogate packets originating from in front of the firewall, public net.
>
> # Allow in www http access to my apache server
> #$cmd 00800 allow log tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
>
> # Allow TCP FTP control channel in & data channel out
> $cmd 00810 allow log tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
> $cmd 00811 allow log tcp from any 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4
>
> # Allow in ssh function
> $cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4
>
> # Allow in Telnet
> $cmd 00830 allow log tcp from any to me 23 in via $oif setup keep-state limit src-addr 4
>
>
> Thanks.
>
> D
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
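Rob's diagnosis (ipfw accepts the SYN, something above the firewall closes the session) can be checked against the security log before touching /etc/hosts.allow. The POSIX shell script below is an added example written for this thread; it is not part of the original messages and not a FreeBSD tool. It summarises ipfw(8) log lines per rule and lists the client addresses whose packets to a given port the firewall accepted and never denied. It assumes the FreeBSD 4.x kernel log format `ipfw: <rule> <Accept|Deny> <proto> <src>:<port> <dst>:<port> <in|out> via <if>` as found in /var/log/security; the hostname, addresses and ports in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread, not a FreeBSD tool): triage
# ipfw(8) log lines to see whether a session that "connects then drops" was
# ended by the firewall or by something above it (TCP wrappers, the daemon).
#
# Assumed log format (FreeBSD 4.x kernel, as it lands in /var/log/security):
#   ipfw: <rule> <Accept|Deny> <proto> <src>:<port> <dst>:<port> <in|out> via <if>
# The hostname, addresses and ports in sample_log are constructed test data.

# Constructed sample: two accepted SSH SYNs from the work range (rule 820),
# one accepted telnet SYN (rule 830), and two unrelated denies.
sample_log() {
cat <<'EOF'
Dec 25 10:30:01 goo /kernel: ipfw: 820 Accept TCP 203.10.10.5:51234 203.38.184.164:22 in via tl0
Dec 25 10:30:01 goo /kernel: ipfw: 820 Accept TCP 203.10.10.5:51234 203.38.184.164:22 in via tl0
Dec 25 10:30:05 goo /kernel: ipfw: 830 Accept TCP 203.10.10.5:51240 203.38.184.164:23 in via tl0
Dec 25 10:31:12 goo /kernel: ipfw: 540 Deny TCP 198.51.100.7:4455 203.38.184.164:22 in via tl0
Dec 25 10:31:40 goo /kernel: ipfw: 530 Deny TCP 198.51.100.9:1 203.38.184.164:1 in via tl0
EOF
}

# Count log lines per "<rule> <action> <proto> <dst port>", sorted by rule.
# Reads log lines on stdin, e.g.: ipfw_rule_summary < /var/log/security
ipfw_rule_summary() {
    awk '/ipfw: / {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule = $(i + 1); action = $(i + 2); proto = $(i + 3); dst = $(i + 5)
        n = split(dst, d, ":"); dport = d[n]
        count[rule " " action " " proto " " dport]++
    }
    END { for (k in count) print k, count[k] }' | sort -n
}

# For one destination port, list client addresses the firewall accepted and
# never denied. A client on this list that still sees "connection closed"
# was not cut off by ipfw; look at hosts.allow / the daemon next.
accepted_never_denied() {
    awk -v dport="$1" '/ipfw: / {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        action = $(i + 2); src = $(i + 4); dst = $(i + 5)
        n = split(dst, d, ":"); if (d[n] != dport) next
        split(src, s, ":"); client = s[1]      # IPv4 only: strip the source port
        if (action == "Accept") accepted[client] = 1; else denied[client] = 1
    }
    END { for (c in accepted) if (!(c in denied)) print c }' | sort
}

# Demo on the constructed sample; feed the real log instead of sample_log.
sample_log | ipfw_rule_summary
echo "--- clients accepted on port 22 and never denied:"
sample_log | accepted_never_denied 22
```

If the work address shows up under `accepted_never_denied 22` and the session still drops, the firewall passed it and the next place to look is, as Rob says, /etc/hosts.allow; on FreeBSD, tcpdmatch(8) reports which hosts_access(5) entry a given daemon and client address would hit, so the decision can be checked without another round trip from work.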