From owner-freebsd-security Wed May 9 15: 3:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from warp.belcom.net.ua (warp.belcom.net.ua [62.244.33.129]) by hub.freebsd.org (Postfix) with ESMTP id 5AC9637B422 for ; Wed, 9 May 2001 15:03:34 -0700 (PDT) (envelope-from say@belcom.net.ua) Received: from warp.belcom.net.ua (say@warp.belcom.net.ua [62.244.33.129]) by warp.belcom.net.ua (8.11.3/8.11.3) with ESMTP id f49M2d408801; Thu, 10 May 2001 01:02:52 +0300 (EEST) (envelope-from say@belcom.net.ua) Date: Thu, 10 May 2001 01:02:37 +0300 (EEST) From: Alexander Suvorov To: Michael Sharp Cc: FreeBSD-security@FreeBSD.ORG Subject: Re: Ip filtering with ipfw In-Reply-To: <20010509160500.7232.cpmta@c000.sfo.cp.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 9 May 2001, Michael Sharp wrote: > I am very new to FreeBSD, and have some questions about ipfw > I compiled: options IPFIREWALL > into my kernel, and added: firewall_enable="YES" in /etc/rc.conf > on reboot, I see ipfiltering initializing and the default policy is to deny. After reboot, I do: ipfw list and get this: > > 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00300 deny ip from 127.0.0.0/8 to any > 65000 allow ip from any to any > 65535 deny ip from any to any > > which I am assuming is the defaults. Now, to keep it simple, I have a router between my internal machine ( 192.168.1.3 ) and the Internet and I set the router to allow only port 113 in to 192.168.1.3 > > ifconfig reveals that my ethernet card is on x10 > > I added to ipfw: > > ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 in via x10 > ipfw add deny all from any to 192.168.1.3 0-1023 in via x10 > > 199.163.7.34 is the ip of a DALnet IRC server that checks identd > My thinking here was I only wanted 199.163.7.34 to get a identd responce on 113 and block all the others from getting a responce on 113. However, all the OTHER DALnet servers are getting a responce from 113 ( not just 199.163.7.34 ) and when I ran nmap from a friends box, it showed 113 open. > > What am I missing? First, if you want to pass only identd requests, you must specify a port in ipfw rule: ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 auth in via x10 Second, you can't use port-specific rules with 'all' protocol field. Instead use rules such as follows: ipfw add deny tcp from any to 192.168.1.3 0-1023 in via x10 ipfw add deny udp from any to 192.168.1.3 0-1023 in via x10 -- Alexander Suvorov say@belcom.net.ua Belcom ISP Belaya Tserkov, Ukraine To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message