Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 13 Apr 2015 11:32:23 -0500
From:      "William A. Mahaffey III" <wam@hiwaay.net>
To:        "FreeBSD Questions !!!!" <freebsd-questions@freebsd.org>
Subject:   ipfw entries
Message-ID:  <552BEF97.5060609@hiwaay.net>

next in thread | raw e-mail | index | archive | help


I started using timed on my network to keep various *BSD machines 
time-coordinated, NTP for the linux boxen. I have a RPiB+ running 
NetBSD-7 as my time server, running ntpd & 'timed -F <itself>'. This box 
is the only other BSD box for now, but more to come. I am seeing the 
following in my messages file (from earlier this A.M.):


[root@kabini1, /etc, 8:03:32am] 344 % tail -20 /var/log/security ; date
Apr 13 07:44:08 kabini1 last message repeated 4 times
Apr 13 07:44:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 
192.168.0.255:525 in via re0
Apr 13 07:46:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 
224.0.0.22 out via re0
Apr 13 07:46:09 kabini1 last message repeated 3 times
Apr 13 07:48:07 kabini1 last message repeated 4 times
Apr 13 07:48:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 
192.168.0.255:525 in via re0
Apr 13 07:50:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 
224.0.0.22 out via re0
Apr 13 07:50:08 kabini1 last message repeated 3 times
Apr 13 07:52:09 kabini1 last message repeated 4 times
Apr 13 07:52:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 
192.168.0.255:525 in via re0
Apr 13 07:54:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 
224.0.0.22 out via re0
Apr 13 07:54:07 kabini1 last message repeated 3 times
Apr 13 07:56:09 kabini1 last message repeated 4 times
Apr 13 07:56:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 
192.168.0.255:525 in via re0
Apr 13 07:58:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 
224.0.0.22 out via re0
Apr 13 07:58:09 kabini1 last message repeated 3 times
Apr 13 08:00:07 kabini1 last message repeated 4 times
Apr 13 08:00:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 
192.168.0.255:525 in via re0
Apr 13 08:02:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 
224.0.0.22 out via re0
Apr 13 08:02:08 kabini1 last message repeated 3 times
Mon Apr 13 08:03:35 CDT 2015
[root@kabini1, /etc, 8:03:35am] 345 %


I thought I had ifpw rules to allow this traffic, but apparently not. My 
rules are:

[root@kabini1, /etc, 11:30:31am] 336 % ipfw show
00100   851096  1539836796 allow ip from any to any via lo0
00200        0           0 deny ip from any to 127.0.0.0/8
00300        0           0 deny ip from 127.0.0.0/8 to any
00400        0           0 deny ip from any to ::1
00500        0           0 deny ip from ::1 to any
00600        0           0 allow ipv6-icmp from :: to ff02::/16
00700        0           0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800        2         152 allow ipv6-icmp from fe80::/10 to ff02::/16
00900        0           0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000        0           0 allow ipv6-icmp from any to any ip6 
icmp6types 2,135,136
01100        0           0 check-state
01200 14122906 19461418543 allow tcp from me to any established
01300  1112427  1007602974 allow tcp from me to any setup keep-state
01400    33508     3756508 allow udp from me to any keep-state
01500      124       11672 allow icmp from me to any keep-state
01600        0           0 allow ipv6-icmp from me to any keep-state
01700        0           0 allow udp from 0.0.0.0 68 to 255.255.255.255 
dst-port 67 out
01800        0           0 allow udp from any 67 to me dst-port 68 in
01900        0           0 allow udp from any 67 to 255.255.255.255 
dst-port 68 in
02000        0           0 allow udp from fe80::/10 to me dst-port 546 in
02100        4         400 allow icmp from any to any icmptypes 8
02200        0           0 allow ipv6-icmp from any to any ip6 
icmp6types 128,129
02300     5290      296240 allow icmp from any to any icmptypes 3,4,11
02400        0           0 allow ipv6-icmp from any to any ip6 icmp6types 3
02500  7902577   596794526 allow tcp from 192.168.0.0/24 to me
02600     1303      333232 allow udp from 192.168.0.0/24 513 to 
192.168.0.0/24 dst-port 513
65000     9223     1641961 count ip from any to any
65100      758      173995 deny { tcp or udp } from any to any dst-port 
111,137,138 in
65200     2983      996998 deny { tcp or udp } from 192.168.0.0/24 to me
65300        0           0 deny ip from any to 255.255.255.255
65400        0           0 deny ip from any to 224.0.0.0/24 in
65500        0           0 deny udp from any to any dst-port 520 in
65500        0           0 deny tcp from any 80,443 to any dst-port 
1024-65535 in
65500     5482      470968 deny log logamount 50000 ip from any to any
65535        0           0 deny ip from any to any
[root@kabini1, /etc, 11:30:56am] 337 % uname -a
FreeBSD kabini1.local 9.3-RELEASE-p10 FreeBSD 9.3-RELEASE-p10 #0: Tue 
Feb 24 21:28:03 UTC 2015 
root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
[root@kabini1, /etc, 11:31:34am] 338 %


Any clues appreciated & TIA ....

-- 

	William A. Mahaffey III

  ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                            -- Gen. George S. Patton Jr.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?552BEF97.5060609>