From: "Drew Tomlinson"
To: "Mike Meyer"
Cc:
Delivered-To: freebsd-questions@freebsd.org
Subject: Re: How to Allow Incoming Traffic Through Firewall?
Date: Fri, 12 Oct 2001 21:31:11 -0700
Message-ID: <024701c1539f$e2c65a00$0301a8c0@bigdaddy>

----- Original Message -----
From: "Mike Meyer"
To: "Drew Tomlinson"
Cc:
Sent: Friday, October 12, 2001 6:50 PM
Subject: Re: How to Allow Incoming Traffic Through Firewall?

> Drew Tomlinson types:
> > > > was initiated from my private network. I also want to allow incoming
> > > > traffic to my mail server (smtp & imap), web server, and ssh. I know
> > > > the man page indicates that filtering on port numbers is not a good
> > > > idea so I am also open to other ways of allowing certain traffic.
> > >
> > > Um - what man page says that filtering on port numbers is not a good
> > > idea? It needs to be fixed.
> >
> > From man ipfw(8):
> >
> > Note that it may be dangerous to filter on the source IP address or
> > source TCP/UDP port because either or both could easily be spoofed.
>
> Note that it says *source* port, not destination port. Filtering on
> the destination port is practically required. Filtering on the source
> port is a bad idea, but may be required for cases.

Oh, OK. I missed that one little word. :)

> > > > OK, I understand why rule 610 is denying the packet but why isn't rule
> > > > 505 allowing it? What am I missing? And is there a better way to
> > > > accomplish allowing web, mail, etc. traffic?
> > >
> > > Because 505 allows traffic from all traffic going to port 23. Your
> > > telnet session goes from some random port on the initiating system -
> > > in this case it was 1027 - to port 23 on the remote system. The
> > > initial packet goes out, then comes back bound for that random
> > > port. Since it's not going to port 23, 505 won't allow it through.
> >
> > I'm sorry I wasn't clear here. The above example was an *incoming*
> > telnet session so it was going from port 1027 on the public side (ed1)
> > to port 23 on the private side (ed0) (unless I'm missing something).
> > It was a telnet session that I initiated from my DSL modem so I could
> > test incoming connections.
>
> The same argument works in both directions. You are filtering
> connections based on the *destination* port. The telnet connection in
> question is from port 23 on the server to port 1027 on the client. So
> the packet opening the connection goes through - whether inbound or
> outbound - but the reply packet is blocked, because it's not going to
> port 23.

I thought that "add 00620 allow tcp from any to any out setup keep-state"
would allow it but since the connection wasn't initiated from my private
network, the "deny established" rule killed the packet?

> > > First suggestion - don't set rule numbers in the script. It makes it
> > > easier to read and follow. My apologies if you added those for the
> > > discussion.
> >
> > I set the rule numbers per the example on www.onlamp.com. But since
> > you're willing to help me, we'll do it your way. :) Shall I leave
> > the rule numbers for discussion?
>
> Sure. Please note that there are people on the list who are much more
> experienced at this than I am - but there wasn't an answer in the
> digest, so I decided to point out what I saw as obvious things.

And I *really* appreciate that!!!

[...lots of wonderful suggestions snipped...]

Thank you very much. I will try reworking my rule set tomorrow using the
concepts you've shared. I really appreciate your time!

Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
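As an added illustration (not code from the thread or from ipfw itself), here is a small Python model of ipfw's first-match evaluation with a keep-state dynamic table, using rules 505, 610 and 620 as discussed above. It shows why a plain "allow ... to port 23" lets the inbound SYN through while "deny established" kills the reply, and how giving the inbound rule "setup keep-state" changes that. Addresses are constructed; the model ignores interfaces and the placement of check-state.

```python
from collections import namedtuple
# Constructed packet model: direction is "in"/"out" as seen by the firewall host,
# setup marks a TCP SYN without ACK (ipfw "setup"); any other packet counts as
# "established" (ACK or RST set), which is what a "deny established" rule matches.
Packet = namedtuple("Packet", "src sport dst dport direction setup", defaults=(False,))

# dport/direction None = any; setup/established/keep_state mirror the ipfw keywords.
Rule = namedtuple("Rule", "num action dport direction setup established keep_state",
                  defaults=(None, None, False, False, False))

def matches(r, p):
    return ((r.dport is None or p.dport == r.dport)
            and (r.direction is None or p.direction == r.direction)
            and (not r.setup or p.setup)
            and (not r.established or not p.setup))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)  # ipfw walks rules in number order
        self.dynamic = set()                              # flows recorded by keep-state rules

    def check(self, p):
        """First-match evaluation; returns (action, rule number or "dynamic")."""
        flow = frozenset({(p.src, p.sport), (p.dst, p.dport)})  # same key in both directions
        for r in self.rules:
            # reaching a keep-state rule triggers the dynamic-table lookup, as in ipfw
            if r.keep_state and flow in self.dynamic:
                return "allow", "dynamic"
            if matches(r, p):
                if r.action == "allow" and r.keep_state:
                    self.dynamic.add(flow)
                return r.action, r.num
        return "deny", 65535  # ipfw's implicit final deny

def ruleset(stateful_inbound):
    """Rules 505/610/620 from the thread; stateful_inbound adds setup keep-state to 505."""
    return Firewall([
        Rule(505, "allow", dport=23, setup=stateful_inbound, keep_state=stateful_inbound),
        Rule(610, "deny", established=True),
        Rule(620, "allow", direction="out", setup=True, keep_state=True)])

def telnet_exchange(fw):
    """Inbound SYN from the DSL side (constructed addresses) to port 23, then the reply."""
    syn = Packet("203.0.113.5", 1027, "192.0.2.10", 23, "in", True)
    reply = Packet("192.0.2.10", 23, "203.0.113.5", 1027, "out")
    return fw.check(syn), fw.check(reply)
if __name__ == "__main__":
    for stateful in (False, True):
        print("505 with setup keep-state:" if stateful else "original 505:",
              telnet_exchange(ruleset(stateful)))
```

With the original rules the SYN is allowed by 505 and the reply is denied by 610; once 505 records state, the reply is accepted from the dynamic table before 610 is ever reached.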