Date: Fri, 06 Aug 2004 14:24:06 +0900
From: SrotBULL <pwd8jmr22w@me.point.ne.jp>
To: freebsd-questions@freebsd.org
Subject: Re: IPFW - Allowed but Denied is shown in my logs
Message-ID: <411315F6.2000304@me.point.ne.jp>
In-Reply-To: <Pine.BSF.3.96.1040805035553.3887L-100000@gaia.nimnet.asn.au>
References: <Pine.BSF.3.96.1040805035553.3887L-100000@gaia.nimnet.asn.au>
Ian Smith wrote:
> On Wed, 4 Aug 2004 freebsd-questions-request@freebsd.org wrote:
>
> > Message: 11
> > From: Srot BULL <pwd8jmr22w@me.point.ne.jp>
> >
> > Giorgos Keramidas wrote:
> > Show us the full ruleset. Otherwise we're just guessing...
> >
> > My apologies, below is my complete ruleset:
>
> [..]
>
> > #* Deny ident *#
> > $CMD 00315 deny tcp from any to any in via $IFN
>
> I think perhaps you meant:
>
> $CMD 00315 deny tcp from any to any 113 in via $IFN
>
> as yours denied all remaining TCP, making some rules below irrelevant,
> including allows for www, ssh etc if you ever wanted to enable these.
>
> You'd also likely do better using reset rather than deny - assuming this
> rule really was meant to block ident - to avoid timeout delays on mail.
>
> > #* Deny all Netbios service. 137=name, 138=datagram, 139=session *#
> > #* Netbios is MS/Windows sharing services. *#
> > #* Block MS/Windows hosts2 name server requests 81 *#
> > $CMD 00320 deny tcp from any to any 137 in via $IFN
> > $CMD 00321 deny tcp from any to any 138 in via $IFN
> > $CMD 00322 deny tcp from any to any 139 in via $IFN
> > $CMD 00323 deny tcp from any to any 81 in via $IFN
>
> None of these or any other tcp .. in via $IFN rules below are ever seen.
>
> [..]
>
> > #* Deny ACK packets that did not match the dynamic rule table *#
> > $CMD 00332 deny tcp from any to any established in via $IFN
>
> That rule is also not seen ..
>
> [..]
>
> > #* Reject & Log all incoming connections from the outside *#
> > $CMD 00499 deny log all from any to any in via $IFN
>
> .. nor that one, for TCP packets ..
>
> > My basis for my rulesets are taken from:
> > http://freebsd.a1poweruser.com:6088/FBSD_firewall/
>
> Cheers, Ian

Thank you for your advice... I will get myself a fairly dedicated time
in front of my pc to better understand things.

You have a nice day...

SrotBULL
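The mistake Ian points out (a port-less `deny tcp ... in via $IFN` that shadows every later TCP rule on the same interface, because ipfw stops at the first match) can be caught offline before the ruleset is loaded. The following checker is an added example for this thread, not code from the list or from the a1poweruser firewall guide; it understands only the simple `$CMD NNNNN action [log] proto from any to any [port] [established] in|out via iface` form used in the quoted rules, and the rule text embedded below is a constructed excerpt of that ruleset.

```python
import re

# Constructed excerpt of the quoted ruleset, before and after Ian's fix.
RULES_BEFORE = """
$CMD 00315 deny tcp from any to any in via $IFN
$CMD 00320 deny tcp from any to any 137 in via $IFN
$CMD 00332 deny tcp from any to any established in via $IFN
$CMD 00499 deny log all from any to any in via $IFN
"""
RULES_AFTER = RULES_BEFORE.replace(
    "00315 deny tcp from any to any in", "00315 reset tcp from any to any 113 in")

# Only the simple rule shape seen in the thread is recognised (assumption).
RULE_RE = re.compile(
    r"^\$CMD\s+(?P<num>\d+)\s+(?P<action>deny|allow|reset)\s+(?:log\s+)?"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<port>\d+))?(?:\s+(?P<flags>established))?"
    r"\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)\s*$")

def parse_rules(text):
    """Return the recognised rules in ipfw evaluation (number) order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["num"] = int(rule["num"])
            rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])

def shadowed_rules(text):
    """List (rule, shadowing_rule) pairs: rules that can never match because an
    earlier any-to-any rule for the same proto/direction/interface carries no
    port or 'established' restriction. A broader earlier rule (proto 'all')
    also shadows; a narrower later 'all' rule is only partly shadowed and is
    deliberately not reported."""
    catchall = {}          # (proto, dir, iface) -> number of first catch-all rule
    shadowed = []
    for r in parse_rules(text):
        key = (r["proto"], r["dir"], r["iface"])
        for k in (key, ("all", r["dir"], r["iface"])):
            if k in catchall:
                shadowed.append((r["num"], catchall[k]))
                break
        else:
            if (r["src"] == "any" and r["dst"] == "any"
                    and not r["port"] and not r["flags"]):
                catchall.setdefault(key, r["num"])
    return shadowed

if __name__ == "__main__":
    print("before fix:", shadowed_rules(RULES_BEFORE))   # 320 and 332 dead
    print("after fix: ", shadowed_rules(RULES_AFTER))    # nothing shadowed
```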