From: "Randy Danielson"
To: "FreeBSD Security"
Subject: IPFW question - connections to port 80 out are being denied
Date: Mon, 11 Jun 2001 11:04:44 -0700

Hello,

FreeBSD 4.3-stable, Intel 486 DX2-66

I have been working on setting up a firewall using IPFW. I have several machines behind the firewall that need to have access to the net. My main issue is I do not understand why I am getting so many deny messages in my logs.
Here are some of the errors I am getting:

Jun 11 09:07:56 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1290 64.242.116.9:80 out via fxp1
Jun 11 09:07:57 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1284 64.242.116.7:80 out via fxp1
Jun 11 09:08:05 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1289 64.242.116.9:80 out via fxp1
Jun 11 09:08:05 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1288 64.242.116.7:80 out via fxp1
Jun 11 09:08:07 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1287 64.242.116.7:80 out via fxp1
Jun 11 09:08:07 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1285 64.242.116.7:80 out via fxp1
Jun 11 09:08:15 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1284 64.242.116.7:80 out via fxp1
Jun 11 09:08:15 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1290 64.242.116.9:80 out via fxp1
Jun 11 09:08:32 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1289 64.242.116.9:80 out via fxp1
Jun 11 09:08:32 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1288 64.242.116.7:80 out via fxp1
Jun 11 09:08:35 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1287 64.242.116.7:80 out via fxp1
Jun 11 09:08:36 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1380 64.242.116.7:80 out via fxp1
Jun 11 09:08:36 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1285 64.242.116.7:80 out via fxp1
Jun 11 09:08:47 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1378 64.242.116.7:80 out via fxp1
Jun 11 09:08:47 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1379 64.242.116.7:80 out via fxp1
Jun 11 09:08:51 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1284 64.242.116.7:80 out via fxp1
Jun 11 09:08:52 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1290 64.242.116.9:80 out via fxp1

It would appear that my firewall machine is trying to make connections going out to port 80 on several different IP addresses and it is being denied.
The part that confuses me is that I am able to browse the web from machines behind the firewall and I have rules that allow making connections out and then established connections to come back in. So what is going on?

Here is my current rule set (if you notice anything I have done that leaves me vulnerable please let me know):

00101 divert 8668 ip from any to any via fxp1
00200 allow ip from any to any via lo0
00300 deny ip from any to 127.0.0.0/8
00400 deny ip from 127.0.0.0/8 to any
00500 deny log logamount 100 ip from 192.168.0.0/24 to any in recv fxp1
00501 deny log logamount 100 ip from 63.229.139.144:255.255.255.148 to any in recv fxp0
01000 allow ip from any to any via fxp0
01200 allow tcp from any to 63.229.139.185 80
01201 allow tcp from 63.229.139.185 80 to any
01202 allow tcp from 63.229.139.185 80 to any out xmit fxp1
02000 allow tcp from 198.36.160.1 53 to any in recv fxp1
02010 allow tcp from 204.147.80.5 53 to any in recv fxp1
02020 allow udp from 198.36.160.1 53 to any in recv fxp1
02030 allow udp from 204.147.80.5 53 to any in recv fxp1
02100 allow icmp from 198.36.160.1 to any in recv fxp1
02110 allow icmp from 204.147.80.5 to any in recv fxp1
02200 allow ip from 63.229.139.185 to 198.36.160.1
02210 allow ip from 63.229.139.185 to 198.36.160.2
02220 allow ip from 63.229.139.185 to 198.36.160.3
02230 allow ip from 63.229.139.185 to 198.36.160.4
02240 allow ip from 63.229.139.185 to 198.36.160.5
02250 allow ip from 198.36.160.1 to 63.229.139.185
02260 allow ip from 198.36.160.2 to 63.229.139.185
02270 allow ip from 198.36.160.3 to 63.229.139.185
02280 allow ip from 198.36.160.4 to 63.229.139.185
02290 allow ip from 198.36.160.5 to 63.229.139.185
02291 allow tcp from any to 207.225.159.6 119 out
02291 allow tcp from any to 207.225.159.8 119 out
02400 allow ip from 63.229.139.185 to 64.173.56.98
02500 allow tcp from 64.173.56.98 20 to 192.168.0.2
03000 check-state
03100 allow tcp from any to any in established
03200 allow tcp from any to any keep-state out setup
03500 allow udp from any to any out
10000 deny log logamount 100 ip from any to any
65535 deny ip from any to any

Thanks in advance for any assistance.

Randy

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
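An added example, not part of Randy's message or of any list reply: a Python script that parses kernel log lines in the format shown above and replays one NATed client flow through a first-match model of the posted rule set. The model is deliberately simplified and the simplifications are assumptions of this example, not statements about ipfw internals: the natd divert at rule 00101 is not modelled and addresses are taken as they appear in the log; only the posted rules that a public-address TCP flow on fxp1 could reach are transcribed (lo0, 127/8, fxp0, the spoofing checks, the DNS/ICMP/UDP rules and 01202, which 01201 already covers, are left out); `via`, `recv` and `xmit` are collapsed to a single interface test; and expiry of a dynamic entry is modelled by clearing the state table. The three log lines are constructed copies of the post's format, and the names `Packet`, `Rule`, `Firewall`, `parse_ipfw_log`, `denied_destinations` and `trace_flow` are this example's own.

```python
"""Added example (not from the post): parse ipfw log lines, replay a flow through a first-match model."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input in the format of the post's kernel log lines.
SAMPLE_LOG = """\
Jun 11 09:07:56 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1290 64.242.116.9:80 out via fxp1
Jun 11 09:07:57 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1284 64.242.116.7:80 out via fxp1
Jun 11 09:08:05 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1289 64.242.116.9:80 out via fxp1
"""
LOG_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+)"
                    r" (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\w+)")


@dataclass(frozen=True)
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    direction: str; iface: str              # "in"/"out" and the interface name
    syn: bool = False; ack: bool = False    # TCP flags are not logged; the caller supplies them


def parse_ipfw_log(text):
    """Yield (rule number, action, Packet) for every ipfw line in text; other lines are skipped."""
    for m in filter(None, map(LOG_RE.search, text.splitlines())):
        yield (int(m["rule"]), m["action"].lower(),
               Packet(m["proto"].lower(), m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]), m["dir"], m["iface"]))


def denied_destinations(text):
    """Count denied flows per destination host:port, the first triage view of a noisy log."""
    return Counter(f"{p.dst}:{p.dport}" for _, act, p in parse_ipfw_log(text) if act == "deny")


@dataclass(frozen=True)
class Rule:
    """One ipfw rule; None in a field means "ip", "any" or no test on that field."""
    num: int; action: str                   # allow, deny or check-state
    proto: str | None = None; src: str | None = None; dst: str | None = None
    sport: int | None = None; dport: int | None = None
    direction: str | None = None; iface: str | None = None   # via/recv/xmit collapsed (assumption)
    opts: tuple = ()                        # "setup", "established", "keep-state"

    def matches(self, p: Packet) -> bool:
        fixed = ((self.proto, p.proto), (self.src, p.src), (self.sport, p.sport),
                 (self.dst, p.dst), (self.dport, p.dport),
                 (self.direction, p.direction), (self.iface, p.iface))
        if any(want is not None and want != got for want, got in fixed):
            return False
        if "setup" in self.opts and not (p.syn and not p.ack):  # setup = SYN without ACK
            return False
        return "established" not in self.opts or p.ack          # established = ACK present


def flow_key(p: Packet):
    """Direction-independent flow identity so that replies hit the same dynamic entry."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class Firewall:
    """First-match evaluation with a minimal keep-state / check-state model."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)  # stable sort keeps listing order for ties
        self.state = {}  # flow key -> rule whose keep-state created the dynamic entry

    def lookup(self, p: Packet):
        """Return (rule number, action) of the rule that decides packet p."""
        for r in self.rules:
            if r.action == "check-state":
                parent = self.state.get(flow_key(p))
                if parent is not None:
                    return parent.num, parent.action
            elif r.matches(p):
                if "keep-state" in r.opts:
                    self.state[flow_key(p)] = r
                return r.num, r.action
        raise RuntimeError("rule set has no default rule")


# Posted rules a public-address TCP flow on fxp1 could reach (assumption: the others
# cannot change the outcome and are left out; the natd divert at 00101 is not modelled).
RULES = [
    Rule(1200, "allow", "tcp", dst="63.229.139.185", dport=80),
    Rule(1201, "allow", "tcp", src="63.229.139.185", sport=80),
    *(Rule(2200 + 10 * i, "allow", src="63.229.139.185", dst=f"198.36.160.{i + 1}") for i in range(5)),
    *(Rule(2250 + 10 * i, "allow", src=f"198.36.160.{i + 1}", dst="63.229.139.185") for i in range(5)),
    Rule(2291, "allow", "tcp", dst="207.225.159.6", dport=119, direction="out"),
    Rule(2291, "allow", "tcp", dst="207.225.159.8", dport=119, direction="out"),
    Rule(2400, "allow", src="63.229.139.185", dst="64.173.56.98"),
    Rule(2500, "allow", "tcp", src="64.173.56.98", sport=20, dst="192.168.0.2"),
    Rule(3000, "check-state"),
    Rule(3100, "allow", "tcp", direction="in", opts=("established",)),
    Rule(3200, "allow", "tcp", direction="out", opts=("keep-state", "setup")),
    Rule(10000, "deny"),
    Rule(65535, "deny"),
]


def trace_flow(fw: Firewall, src, sport, dst, dport):
    """Outbound SYN, outbound ACK with the dynamic entry present, then the same ACK after expiry."""
    syn = Packet("tcp", src, sport, dst, dport, "out", "fxp1", syn=True)
    ack = Packet("tcp", src, sport, dst, dport, "out", "fxp1", ack=True)
    hits = [fw.lookup(syn), fw.lookup(ack)]
    fw.state.clear()          # models the keep-state entry timing out
    hits.append(fw.lookup(ack))
    return hits
```

Running `trace_flow(Firewall(RULES), "63.229.139.185", 1290, "64.242.116.9", 80)` gives `[(3200, "allow"), (3200, "allow"), (10000, "deny")]`: the SYN is accepted by 03200, the following segment is accepted through the dynamic entry at 03000, and once that entry is gone the same segment reaches 10000, the rule number in the log. Under this model the only outbound TCP allow that does not depend on dynamic state is 03200, and it requires a SYN; `denied_destinations(SAMPLE_LOG)` gives the per-destination counts that are the first thing to look at when a log fills with denies.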