From owner-freebsd-questions Fri Dec 6 0:27:34 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3479037B404 for ; Fri, 6 Dec 2002 00:27:32 -0800 (PST) Received: from mail.duth.gr (mail.duth.gr [192.108.114.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5491C43EBE for ; Fri, 6 Dec 2002 00:27:30 -0800 (PST) (envelope-from bigbrother@bonbon.net) Received: from bigb3server.bbcluster.gr (b9-149.xan.duth.gr [193.92.211.149]) by mail.duth.gr (8.12.6/8.12.6) with ESMTP id gB68RPh6085827 (version=TLSv1/SSLv3 cipher=EDH-DSS-DES-CBC3-SHA bits=168 verify=NO) for ; Fri, 6 Dec 2002 10:27:26 +0200 (EET) (envelope-from bigbrother@bonbon.net) Received: from bigb3server.bbcluster.gr (localhost.bbcluster.gr [127.0.0.1]) by bigb3server.bbcluster.gr (8.12.3/8.12.3) with ESMTP id gB68RIqe020760 for ; Fri, 6 Dec 2002 10:27:20 +0200 (EET) (envelope-from bigbrother@bonbon.net) Received: from localhost (bigbrother@localhost) by bigb3server.bbcluster.gr (8.12.3/8.12.3/Submit) with ESMTP id gB68RFWa020757 for ; Fri, 6 Dec 2002 10:27:18 +0200 (EET) X-Authentication-Warning: bigb3server.bbcluster.gr: bigbrother owned process doing -bs Date: Fri, 6 Dec 2002 10:27:12 +0200 (EET) From: "BigBrother (BigB3)" X-X-Sender: bigbrother@bigb3server.bbcluster.gr To: questions@FreeBSD.ORG Subject: Re: ipfw firewall help In-Reply-To: Message-ID: <20021206101835.Q10707-100000@bigb3server.bbcluster.gr> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >ipfw add 108 allow tcp from any to xx.250.227.0/22 20,21,25,80,110 via >bge0 > >#Outbound from inside >ipfw add 109 check-state >ipfw add 110 allow tcp from xx.250.224.0/22 via bge0 keep-state >ipfw add 111 allow udp from xx.250.224.0/22 via bge0 keep-state >ipfw add 112 allow tcp from any to any established setup >#Machine specific ports >#Server NEWS 1 >ipfw add 120 allow tcp from any to xx.250.227.2 53 via bge0 >ipfw add 121 allow tcp from any to xx.250.227.3 53 via bge0 >ipfw add 122 allow tcp from any to xx.250.227.4 53 via bge0 >ipfw add 123 allow udp from any to xx.250.227.2 via bge0 >ipfw add 124 allow udp from any to xx.250.227.3 via bge0 >ipfw add 125 allow udp from any to xx.240.227.4 via bge0 >#Deny all after above allows - here we go >ipfw add 400 deny tcp from any to xx.250.227.0/22 via bge0 >ipfw add 410 deny udp from any to xx.250.227.0/22 via bge0 > > >Goal is if we're on any of the 227 subnetted machines and wish to do >anything on the internet that we be allowed to do so, such as ftp, >telnet, >browse the web, etc. 1)General tip when using firewalls, especially if you are having problems.. ALWAYS log the denied packets....so in ruleset 400 you should put a log statement. 2) When using firewall always remember that packets are usually two way packets..which means somebody connectes to your port and your port sends a reply. So rule 108 should also include a 'keep state' option or it should be immediately followed byt a ipfw add 108 allow tcp from xx.250.227.0/22 20,21,25,80,110 to any via bge 3) Your problem is located on a missing rule. You have rules for the 224 subnet but not for the 227 for outgoing... So you should also include a line ipfw add 113 allow all from xx.250.227.0/22 via bge keep-state 4) Also whatever is not specifically writen with 2 rules (one incoming and other outgoing) it should have a keep-state option. For example rule 120 it has only the incoming connection to 53. You dont allow the outgoing. So prefereably you should i) make two rules for it ii) use a keep-state directive Regards, BigB - --- We are being monitored..but there is a solution... Use PGP for signing and encrypting emails!!!! Download my public key at http://www.us.pgp.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE98F9jGe/V3CxAyHoRAn+sAJ0X65d6o/+YrI1iLMq+mHvDxtCrdACffrMb Uz0a1/8Z6fgUOuspgXeOjVk= =Dh2k -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message