Date: Wed, 09 May 2001 13:46:26 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: Michael Sharp <msharp@medmail.com>
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: ipfw
Message-ID: <3AF9ACA2.712EF7F3@globalstar.com>
References: <20010509200335.7680.cpmta@c000.sfo.cp.net>
Michael Sharp wrote:
>
> expanding on what Noel Fitzpatrick said...
>
> If I do ipfw -f flush I still have rule 65535 deny ip from any to any

The default rule. There is ALWAYS a rule 65535.

> which allows NOTHING in or OUT. I can add DENY chains all day, but I
> cannot add any ALLOW chains unless I put in rule 65000 allow ip from
> any to any but this goes at the very top and is the first chain
> processed ( which allows ANYTHING in ) even if there are DENY chains
> below it.

Uhhh... Hmmm? First, what are "chains?" Second, why can you not add
pass ("allow") rules? What is preventing it?

> SO, from /etc/rc.firewall I added IPFIREWALL_DEFAULT_TO_ACCEPT
> to my kernel and recompiled
>
> In /etc/rc.conf, I have firewall_enable="YES" and firewall_type="open"
>
> and still I cannot get rid of that pesky 65535 DENY everything rule
> that won't let me do anything unless I add " ipfw add allow ip from
> any to any " which allows everything despite ANY DENY chains.

Still really confused here. Having default deny is generally a Good
Thing (tm) for a working firewall. Since you are specifying
'firewall_type="open"' you should get a '65000 pass any to any' rule.
Now, if you want to deny specific traffic (the better way to generally
go is explicitly allow what you want and deny all else by default), you
just have to add 'deny' rules _before_ the '65000 pass any to any' rule.

I am wondering if that is the problem here? The rules are processed in
order, in a "match and out" manner. If you want a 'deny' rule to take
effect before your default '65000 pass' rule, you need to stick it in
_before_ rule 65000.

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com
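The "match and out" ordering Crist describes is the whole issue in this thread: ipfw walks rules in ascending number order and the first rule whose selectors match decides the packet's fate. The following is an added example, not code from the thread or from FreeBSD; it is a small Python model of that first-match walk over an ipfw-style ruleset. It assumes the constructed rule numbers 100 and 65100 and the constructed networks 198.51.100.0/24, 192.0.2.5 and 203.0.113.1 (documentation ranges) purely for illustration. The 65100 case models what happens when an un-numbered `ipfw add deny ...` is appended while the "open" ruleset is loaded: ipfw numbers it after the last existing rule (last rule + autoinc_step, 100 by default), so it lands behind 65000 and can never match.

```python
"""Model of ipfw first-match rule evaluation (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int   # ipfw rule number, 1..65535; lower numbers are checked first
    action: str   # "allow" (ipfw also spells it "pass") or "deny"
    src: str      # "any" or a CIDR such as "198.51.100.0/24"
    dst: str      # "any" or a CIDR


DEFAULT_RULE = Rule(65535, "deny", "any", "any")   # always present, cannot be flushed


def _matches(spec, addr):
    """'any' matches everything; otherwise the address must fall inside the CIDR."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src, dst):
    """Return (rule_number, action) of the first rule that matches a src->dst packet.

    Rules are visited in ascending numeric order and evaluation stops at the
    first match, exactly the 'match and out' behaviour described in the reply.
    Rule 65535 is appended implicitly, as ipfw does, so a result always exists.
    """
    ruleset = sorted(list(rules) + [DEFAULT_RULE], key=lambda r: r.number)
    for r in ruleset:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.number, r.action
    raise AssertionError("unreachable: rule 65535 matches every packet")


# What firewall_type="open" installs: a pass-everything rule at 65000.
OPEN = [Rule(65000, "allow", "any", "any")]


def deny_appended_after_open(blocked_net):
    """Constructed: an un-numbered 'ipfw add deny' appended after the open rule.

    ipfw gives it last_rule + autoinc_step (100 by default), i.e. 65100 here,
    so it sits behind 65000 and is shadowed by the pass rule.
    """
    return OPEN + [Rule(65100, "deny", blocked_net, "any")]


def deny_inserted_before_open(blocked_net):
    """Constructed: the same deny given an explicit low number so it precedes 65000."""
    return OPEN + [Rule(100, "deny", blocked_net, "any")]


def demo():
    """Run the four situations discussed in the thread and return their verdicts."""
    blocked = "198.51.100.0/24"          # constructed sample network to block
    src_in_blocked, src_other = "198.51.100.7", "192.0.2.5"   # constructed hosts
    dst = "203.0.113.1"                  # constructed destination
    return {
        # deny appended after 65000: pass rule wins, deny never consulted
        "deny_after_open": evaluate(deny_appended_after_open(blocked), src_in_blocked, dst),
        # deny numbered before 65000: it matches first and the packet is denied
        "deny_before_open": evaluate(deny_inserted_before_open(blocked), src_in_blocked, dst),
        # unrelated traffic falls through the deny to the open rule
        "other_traffic": evaluate(deny_inserted_before_open(blocked), src_other, dst),
        # after 'ipfw -f flush' only the default rule remains: everything denied
        "flushed": evaluate([], src_other, dst),
    }


if __name__ == "__main__":
    for case, (number, action) in demo().items():
        print(f"{case:17s} -> rule {number:5d} {action}")
```

Running it shows the deny at 65100 never firing (the packet is passed by 65000), the same deny at 100 firing, and a flushed ruleset denying everything via 65535, which is why the default-deny rule in the original question was doing exactly what it should.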