From owner-freebsd-questions@FreeBSD.ORG Fri Oct 17 04:20:51 2008
Date: Thu, 16 Oct 2008 21:20:48 -0700
From: Jeremy Chadwick
To: Kalpin Erlangga Silaen
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW UID match questions
Message-ID: <20081017042048.GA11656@icarus.home.lan>
In-Reply-To: <48F7F3FD.5090209@muliahost.com>
References: <48F7F3FD.5090209@muliahost.com>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Fri, Oct 17, 2008 at 09:10:05AM +0700, Kalpin Erlangga Silaen wrote:
> Dear all,
>
> I tried to implement IPFW rules like below on my shell server:
>
> /sbin/ipfw -q add 18600 allow tcp from any to personal_ip in
> /sbin/ipfw -q add 18650 allow tcp from personal_ip to any out uid kalpin
> /sbin/ipfw -q add 18660 allow tcp from personal_ip to any out uid root
> /sbin/ipfw -q add 18670 allow tcp from personal_ip to any out uid nobody
> /sbin/ipfw -q add 18700 deny tcp from personal_ip to any out
>
> I hope with these rules, only user kalpin could use the vhost
> personal_ip. Below is a brief description:
>
> line 1 will allow all tcp incoming packets into personal_ip
> line 2 will allow tcp outgoing packets from personal_ip to anywhere if
> they match uid kalpin
> line 3 same as line 2 if they match uid root (to respond to identd requests
> from the IRC network if identd runs as root)
> line 4 same as line 3 if they match uid nobody (to respond to identd requests
> from the IRC network if identd runs as nobody)
> line 5 will deny all tcp outgoing packets
>
> But the IRC network still could not get an ident response from my server. If I
> removed line 5, then the IRC network got the identd response. My identd process is:
>
> root 63932 0.0 0.1 3136 1028 ?? Ss 1:46AM 0:00.03
> /usr/local/sbin/oidentd -C /usr/local/etc/oidentd.conf
>
> Is there anything else that should be done to fix this problem?

The problem is that you're not allowing incoming connections to
personal_ip on TCP port 113 (ident/auth). Add this rule:

/sbin/ipfw -q add 18680 allow tcp from personal_ip 113 to any out

You can also replace "113" with "auth" or "ident" if you want (see
/etc/services).

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
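The first-match walk that decides what happens to the ident reply, as an added example that is not part of the thread: it parses the rule lines exactly as posted, evaluates them in rule-number order, and shows which rule an outbound packet from personal_ip port 113 hits before and after rule 18680 is added. It assumes the reply packet's socket owner is not resolvable (modelled as uid None), which reproduces the behaviour the poster observed; `parse_rules`, `first_match` and the packet dicts are constructed for this illustration.

```python
import re

# Rule lines exactly as posted in the thread, plus the fix from the reply.
POSTED_RULES = """
/sbin/ipfw -q add 18600 allow tcp from any to personal_ip in
/sbin/ipfw -q add 18650 allow tcp from personal_ip to any out uid kalpin
/sbin/ipfw -q add 18660 allow tcp from personal_ip to any out uid root
/sbin/ipfw -q add 18670 allow tcp from personal_ip to any out uid nobody
/sbin/ipfw -q add 18700 deny tcp from personal_ip to any out
"""
FIX_RULE = "/sbin/ipfw -q add 18680 allow tcp from personal_ip 113 to any out"

# Matches only the subset of ipfw syntax used in the thread (assumption).
RULE_RE = re.compile(
    r"/sbin/ipfw -q add (?P<num>\d+) (?P<action>allow|deny) tcp"
    r" from (?P<src>\S+)(?: (?P<sport>\d+))? to (?P<dst>\S+)"
    r"(?: (?P<dir>in|out))?(?: uid (?P<uid>\S+))?$"
)

def parse_rules(text):
    """Parse the posted 'ipfw add' lines; return rules sorted by number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError("unparsed rule: " + line)
        r = m.groupdict()
        r["num"] = int(r["num"])
        r["sport"] = int(r["sport"]) if r["sport"] else None
        rules.append(r)
    return sorted(rules, key=lambda r: r["num"])

def rule_matches(rule, pkt):
    """A rule matches only if every option it specifies agrees with the packet."""
    if rule["src"] != "any" and rule["src"] != pkt["src"]:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt["dst"]:
        return False
    if rule["sport"] is not None and rule["sport"] != pkt["sport"]:
        return False
    if rule["dir"] is not None and rule["dir"] != pkt["dir"]:
        return False
    # 'uid' needs a resolvable socket owner; an unknown owner (None) never matches.
    return rule["uid"] is None or rule["uid"] == pkt["uid"]

def first_match(rules, pkt):
    """IPFW semantics: the first matching rule in number order decides."""
    for r in rules:
        if rule_matches(r, pkt):
            return (r["num"], r["action"])
    return None  # would fall through to the kernel's default rule

# Constructed ident reply: outbound from personal_ip port 113, owner unresolved.
IDENT_REPLY = {"src": "personal_ip", "sport": 113, "dst": "irc.example.net",
               "dir": "out", "uid": None}
```

Because ipfw stops at the first match, the port-113 allow must carry a lower number than the catch-all deny at 18700, which is why 18680 works and an appended rule would not.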