From owner-freebsd-security Thu Jun 7 10: 8: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail1.home.nl (mail1.home.nl [213.51.129.225]) by hub.freebsd.org (Postfix) with ESMTP id EA6E237B403 for ; Thu, 7 Jun 2001 10:07:55 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from windows ([213.51.193.168]) by mail1.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010607170754.GTWI22865.mail1.home.nl@windows> for ; Thu, 7 Jun 2001 19:07:54 +0200 Message-ID: <02de01c0ef74$79397f70$0900a8c0@windows> From: "Marcel Dijk" To: References: <009e01c0ef55$da422340$9201a8c0@home.net><1569370004.20010607180037@mail.spbnit.ru><0e4001c0ef5c$034299e0$241da8c0@ke.balt.net><20010607190013.4a57045e.nikolaj@mail.spbnit.ru><02ab01c0ef6b$b1002610$0900a8c0@windows> <42123753718.20010607201244@sandy.ru> Subject: Re: IPFW rules > ports still open! Date: Thu, 7 Jun 2001 19:08:29 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 Disposition-Notification-To: "Marcel Dijk" X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > If your address lies in 192.168.0.0/16 then first two rules allows to > access it. In IPFW rules are checked one-by-one before first matching > rule is found. You should add exclusive rules for you IP prior you > open whole network. No, I mean that with these rules I can't connect to for example my sshd. But I have openend the port with rule #615 & 625. And if I uncomment rule 575 & 600 all my ports are open. Marcel > Otherwise check > > IPFIREWALL_DEFAULT_TO_ACCEPT > > kernel option. > > --07.06.2001 20:05, you wrote IPFW rules > ports still open! to freebsd-security@FreeBSD.ORG; > > M> Hello, > > M> i have tried to make a good firewall but I have some problems. This is my > M> rc.firewall.rules file. > > M> add 500 allow all from 192.168.0.0/16 to any > M> add 525 allow all from any to 192.168.0.0/16 > > M> #add 575 allow ip from any to MY_IP > M> #add 600 allow ip from MY_IP to any > > M> add 615 allow tcp from any to MY_IP 22,5618,10000 > M> add 625 allow tcp from MY_IP to any > > M> add 650 allow udp from any to MY_IP > M> add 700 allow udp from MY_IP to any > > M> add 800 allow icmp from any to MY_IP > M> add 750 allow icmp from MY_IP to any > > M> (MY_IP is my internet IP address. I have blocked it for abvious reasons) > > M> The problem is that I can't access the services that I have allowed. For > M> example I can't access the service that's behind port 22 on MY_IP. > M> Why is this? If I allow IP from any to MY_IP and allow ip from MY_IP to any > M> all ports are open. And that;s just what I don't want. > > M> I hope you guys fill me and can help me. > > M> Thanks, I can't seem to solve this one. > > M> Marcel > > > M> To Unsubscribe: send mail to majordomo@FreeBSD.org > M> with "unsubscribe freebsd-security" in the body of the message > > > -- > Vladimir Dubrovin Service Center Coordinator > http://www.sandy.ru SANDY, ISP > http://www.security.nnov.ru Nizhny Novgorod, Russia > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message