From owner-freebsd-questions@FreeBSD.ORG Fri Aug 6 05:24:51 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CAAFA16A4CE for ; Fri, 6 Aug 2004 05:24:51 +0000 (GMT)
Received: from mail.oisca.org (mail.oisca.org [164.46.152.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id E7AAA43D1D for ; Fri, 6 Aug 2004 05:24:50 +0000 (GMT) (envelope-from pwd8jmr22w@me.point.ne.jp)
Received: from [192.168.1.35] (165.191.192.61.tokyo.bflets.alpha-net.ne.jp [61.192.191.165]) (authenticated (0 bits)) by mail.oisca.org (8.12.11/8.11.3) with ESMTP id i765OmJk029117 for ; Fri, 6 Aug 2004 14:24:49 +0900
Message-ID: <411315F6.2000304@me.point.ne.jp>
Date: Fri, 06 Aug 2004 14:24:06 +0900
From: SrotBULL
User-Agent: Mozilla Thunderbird 0.7.2 (X11/20040802)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References:
In-Reply-To:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: IPFW - Allowed but Denied is shown in my logs
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: pwd8jmr22w@me.point.ne.jp
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 06 Aug 2004 05:24:51 -0000

Ian Smith wrote:
> On Wed, 4 Aug 2004 freebsd-questions-request@freebsd.org wrote:
> > Message: 11
> > From: Srot BULL
> >
> > Giorgos Keramidas wrote:
> > Show us the full ruleset. Otherwise we're just guessing...
> >
> > My apologies, below is my complete ruleset:
> > [..]
>
> > #* Deny ident *#
> > $CMD 00315 deny tcp from any to any in via $IFN
> I think perhaps you meant:
> $CMD 00315 deny tcp from any to any 113 in via $IFN
>
> as yours denied all remaining TCP, making some rules below irrelevant,
> including allows for www, ssh etc if you ever wanted to enable these.
>
> You'd also likely do better using reset rather than deny - assuming this
> rule really was meant to block ident - to avoid timeout delays on mail.
>
> > #* Deny all Netbios service. 137=name, 138=datagram, 139=session *#
> > #* Netbios is MS/Windows sharing services. *#
> > #* Block MS/Windows hosts2 name server requests 81 *#
> > $CMD 00320 deny tcp from any to any 137 in via $IFN
> > $CMD 00321 deny tcp from any to any 138 in via $IFN
> > $CMD 00322 deny tcp from any to any 139 in via $IFN
> > $CMD 00323 deny tcp from any to any 81 in via $IFN
>
> None of these or any other tcp .. in via $IFN rules below are ever seen.
>
> > [..]
> > #* Deny ACK packets that did not match the dynamic rule table *#
> > $CMD 00332 deny tcp from any to any established in via $IFN
>
> That rule is also not seen ..
>
> > [..]
> > #* Reject & Log all incoming connections from the outside *#
> > $CMD 00499 deny log all from any to any in via $IFN
>
> .. nor that one, for TCP packets ..
>
> > My basis for my rulesets are taken from:
> > http://freebsd.a1poweruser.com:6088/FBSD_firewall/
>
> Cheers, Ian

Thank you for your advice... I will get myself a fairly dedicated time in front of my pc to better understand things.

You have a nice day...

SrotBULL
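Ian's point is that rule 00315, written without a port, matches every TCP packet arriving on $IFN, so with ipfw's first-match evaluation the later tcp and all rules on that path can never fire. The shell script below is an added example, not the poster's rc script or anything from the thread: it builds two constructed ruleset fragments (rule 00315 as posted, and the port 113 / reset form Ian suggests; the interface name fxp0 is assumed) and lists the rule numbers that an earlier catch-all shadows.

```shell
#!/bin/sh
# Added example, not the original poster's rc script. Both fragments are
# constructed from the rules quoted in the thread; fxp0 is an assumed interface.
IFN="fxp0"

# "broken" reproduces rule 00315 with no port; "fixed" uses Ian's suggestion.
ruleset() {
  if [ "$1" = "broken" ]; then ident="deny tcp from any to any in via $IFN"
  else ident="reset tcp from any to any 113 in via $IFN"; fi
  printf '%s\n' \
    "00315 $ident" \
    "00320 deny tcp from any to any 137 in via $IFN" \
    "00332 deny tcp from any to any established in via $IFN" \
    "00499 deny log all from any to any in via $IFN"
}

# Print the numbers of rules that can never match because an earlier
# "tcp from any to any" rule with no port and the same "in via IFN"
# qualifier already swallows all TCP on that path (first match wins).
find_shadowed() {
  ruleset "$1" | awk '
  {
    i = 3; if ($i == "log") i++                 # skip optional "log"
    proto = $i; src = $(i+2); dst = $(i+4)      # PROTO from SRC to DST
    port = ""; k = i + 5
    if ($k ~ /^[0-9]+$/) { port = $k; k++ }    # optional destination port
    rest = ""
    for (j = k; j <= NF; j++) rest = rest " " $j   # qualifiers: direction, iface
    # a later tcp/all rule on the same direction+interface is unreachable
    if (catch != "" && (proto == cproto || proto == "all") && index(rest, catch))
      print $1
    # remember the first unqualified catch-all for this direction+interface
    if (catch == "" && proto == "tcp" && src == "any" && dst == "any" &&
        port == "" && rest ~ /^ (in|out) via /) {
      catch = rest; cproto = proto
    }
  }'
}

echo "shadowed by the posted rule 00315:"; find_shadowed broken
echo "shadowed after the fix:"; find_shadowed fixed
```

With the posted rule the script reports 00320, 00332 and 00499; with the port 113 form it reports nothing, which is exactly the set of rules Ian says are "never seen".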