Date: Thu, 18 May 2000 10:39:00 -0400
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Gabriel Ambuehl <gabriel_ambuehl@buz.ch>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw: HTTP(S) is working but everything else doesn't...
Message-ID: <20000518103900.A64244@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <1574492519.20000518151205@buz.ch>; from gabriel_ambuehl@buz.ch on Thu, May 18, 2000 at 03:12:05PM +0200
References: <1574492519.20000518151205@buz.ch>
On Thu, May 18, 2000 at 03:12:05PM +0200, Gabriel Ambuehl wrote:
> [I sent this already to -questions but it stayed unanswered. I surely
> know how mls work but some advice couldn't hurt ;-)]
> Hello,
> my ipfw is driving me nuts. I want to allow SMTP (both incoming and
> outgoing), POP3, HTTP, HTTPS and DNS (well, FTP should work as well
> but that one has got its own problems because of that FTP-data thingy)
> for the firewall box itself and all boxes which use it as gateway [1].
> Everything besides this should be rejected. To accomplish this, I
> wanted to use the following ruleset:
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 allow tcp from any to any established
> 00400 allow ip from any to any frag
> 00500 allow tcp from any to any 25 setup
> 00600 allow udp from any to any 53
> 00700 allow udp from any 53 to any 53
> 00800 allow tcp from any to any 80 setup
> 00900 allow tcp from any to any 443 setup
> 01000 allow tcp from any to any 21 setup
> 01100 allow tcp from any to any 110 setup
> 01200 allow tcp from any to any 22 setup
> 01300 allow udp from any to any 22
> # DHCP, I need this during development phase, it's going to be kicked out in production
> 01400 allow tcp from any to any 546 setup
> 01500 allow udp from any to any 546
> 65535 deny ip from any to any
>
> but this isn't working as expected. HTTP and HTTPS both work as they
> should. DNS doesn't work at all, neither SMTP nor POP (meaning: I
> can't connect to the server from outside or to outside servers from
> the box itself). And the strangest thing (or at least it seems that
> way to me) is happening with ssh: first, ssh (PuTTY) takes over a minute
> to show me a login prompt (connecting to the box from outside) and
> then, when I try to login, I can type without any problems, but as
> soon as I hit enter, the ssh client exits and the server reports
> |sshd[645]: fatal: Timeout before authentication for 10.2.2.150.
^^^^^^^^^^
I doubt this is the problem, but I just want to check. Is this gateway
also doing NAT?
> What's going wrong here?
Try the suggestion of logging some of those rules.
--
Crist J. Clark cjclark@home.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000518103900.A64244>
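Added example, not part of the thread above and not Crist's or Gabriel's code: a first-match evaluator for the subset of ipfw syntax the quoted ruleset uses, run against constructed packets. The point it illustrates is a stateless-ipfw classic: rule 00600 only covers the query (destination port 53), and rule 00700 only covers answers that land on port 53. A reply from port 53 to the resolver's unprivileged source port matches nothing and falls through to 65535, so no client on or behind the gateway gets a DNS answer. That is also consistent with sshd stalling for a minute before the login prompt, since it reverse-resolves the client address first. Adding a rule for answers from port 53 to ports 1024-65535 is the old stateless fix; on ipfw versions with dynamic rules, `keep-state` on the outbound query is the tidier one. Interface name and addresses are assumptions.

```python
"""First-match evaluator for the ipfw subset used in the quoted ruleset
(added example; interface name and addresses are assumptions)."""
from dataclasses import dataclass
import ipaddress

OPTS = {"via", "established", "setup", "frag"}   # options the evaluator knows


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "ed0"      # assumed outside interface name
    syn: bool = False
    ack: bool = False
    frag: bool = False      # True for a non-first fragment


def parse_rule(line):
    """Parse 'NNNNN action proto from src [sport] to dst [dport] [opts]'."""
    toks = line.split()
    num, action, proto = int(toks[0]), toks[1], toks[2]
    if toks[3] != "from":
        raise ValueError(line)
    src, i, sport = toks[4], 5, None
    if toks[i] != "to":
        sport, i = toks[i], i + 1
    i += 1                                      # skip "to"
    dst, i, dport = toks[i], i + 1, None
    if i < len(toks) and toks[i] not in OPTS:
        dport, i = toks[i], i + 1
    opts, via = set(), None
    while i < len(toks):
        if toks[i] == "via":
            via, i = toks[i + 1], i + 2
        else:
            opts.add(toks[i]); i += 1
    return {"num": num, "action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport, "opts": opts, "via": via}


def load(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec is None:
        return True
    lo, _, hi = spec.partition("-")             # "53" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)


def rule_matches(r, p):
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    if not (_addr_ok(r["src"], p.src) and _addr_ok(r["dst"], p.dst)):
        return False
    if p.proto in ("tcp", "udp") and not (_port_ok(r["sport"], p.sport) and _port_ok(r["dport"], p.dport)):
        return False
    if r["via"] is not None and r["via"] != p.iface:
        return False
    if "established" in r["opts"] and not (p.proto == "tcp" and p.ack):
        return False
    if "setup" in r["opts"] and not (p.proto == "tcp" and p.syn and not p.ack):
        return False
    if "frag" in r["opts"] and not p.frag:
        return False
    return True


def evaluate(rules, p):
    """Return (rule number, action) of the first rule that matches p."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if rule_matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"                        # implicit default


POSTED_RULESET = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to any established
00400 allow ip from any to any frag
00500 allow tcp from any to any 25 setup
00600 allow udp from any to any 53
00700 allow udp from any 53 to any 53
00800 allow tcp from any to any 80 setup
00900 allow tcp from any to any 443 setup
01000 allow tcp from any to any 21 setup
01100 allow tcp from any to any 110 setup
01200 allow tcp from any to any 22 setup
01300 allow udp from any to any 22
01400 allow tcp from any to any 546 setup
01500 allow udp from any to any 546
65535 deny ip from any to any
"""
# Stateless fix: let answers from port 53 reach unprivileged client ports.
FIXED_RULESET = POSTED_RULESET + "00650 allow udp from any 53 to any 1024-65535\n"

# Constructed packets (documentation/RFC 1918 addresses, not from the post).
DNS_QUERY = Packet("udp", "10.2.2.1", 1234, "192.0.2.53", 53)
DNS_REPLY = Packet("udp", "192.0.2.53", 53, "10.2.2.1", 1234)
SMTP_SYN = Packet("tcp", "198.51.100.7", 40000, "10.2.2.1", 25, syn=True)
SMTP_DATA = Packet("tcp", "198.51.100.7", 40000, "10.2.2.1", 25, ack=True)
SPOOF_LO = Packet("tcp", "198.51.100.7", 5000, "127.0.0.1", 25, syn=True)

if __name__ == "__main__":
    for name, pkt in [("dns query", DNS_QUERY), ("dns reply", DNS_REPLY),
                      ("smtp syn", SMTP_SYN), ("smtp data", SMTP_DATA)]:
        print(name, evaluate(load(POSTED_RULESET), pkt), evaluate(load(FIXED_RULESET), pkt))
```

Feeding the posted ruleset the outbound query and its answer shows the asymmetry directly: the query hits 00600, the answer hits 65535. With the extra 00650 rule the answer is accepted; SMTP SYN and data packets hit 00500 and 00300 in both rulesets, which is why the TCP services that did work in the report did not depend on the missing rule. Logging the default deny, as suggested in the reply, would surface exactly these port-53-to-high-port drops.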
