Date: Mon, 13 Apr 2015 11:32:23 -0500 From: "William A. Mahaffey III" <wam@hiwaay.net> To: "FreeBSD Questions !!!!" <freebsd-questions@freebsd.org> Subject: ipfw entries Message-ID: <552BEF97.5060609@hiwaay.net>
I started using timed on my network to keep various *BSD machines time-coordinated, NTP for the linux boxen. I have a RPiB+ running NetBSD-7 as my time server, running ntpd & 'timed -F <itself>'. This box is the only other BSD box for now, but more to come. I am seeing the following in my messages file (from earlier this A.M.):

[root@kabini1, /etc, 8:03:32am] 344 % tail -20 /var/log/security ; date
Apr 13 07:44:08 kabini1 last message repeated 4 times
Apr 13 07:44:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
Apr 13 07:46:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Apr 13 07:46:09 kabini1 last message repeated 3 times
Apr 13 07:48:07 kabini1 last message repeated 4 times
Apr 13 07:48:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
Apr 13 07:50:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Apr 13 07:50:08 kabini1 last message repeated 3 times
Apr 13 07:52:09 kabini1 last message repeated 4 times
Apr 13 07:52:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
Apr 13 07:54:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Apr 13 07:54:07 kabini1 last message repeated 3 times
Apr 13 07:56:09 kabini1 last message repeated 4 times
Apr 13 07:56:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
Apr 13 07:58:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Apr 13 07:58:09 kabini1 last message repeated 3 times
Apr 13 08:00:07 kabini1 last message repeated 4 times
Apr 13 08:00:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
Apr 13 08:02:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Apr 13 08:02:08 kabini1 last message repeated 3 times
Mon Apr 13 08:03:35 CDT 2015
[root@kabini1, /etc, 8:03:35am] 345 %

I thought I had ipfw rules to allow this traffic, but apparently not. My rules are:

[root@kabini1, /etc, 11:30:31am] 336 % ipfw show
00100 851096 1539836796 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 2 152 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 0 0 check-state
01200 14122906 19461418543 allow tcp from me to any established
01300 1112427 1007602974 allow tcp from me to any setup keep-state
01400 33508 3756508 allow udp from me to any keep-state
01500 124 11672 allow icmp from me to any keep-state
01600 0 0 allow ipv6-icmp from me to any keep-state
01700 0 0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01800 0 0 allow udp from any 67 to me dst-port 68 in
01900 0 0 allow udp from any 67 to 255.255.255.255 dst-port 68 in
02000 0 0 allow udp from fe80::/10 to me dst-port 546 in
02100 4 400 allow icmp from any to any icmptypes 8
02200 0 0 allow ipv6-icmp from any to any ip6 icmp6types 128,129
02300 5290 296240 allow icmp from any to any icmptypes 3,4,11
02400 0 0 allow ipv6-icmp from any to any ip6 icmp6types 3
02500 7902577 596794526 allow tcp from 192.168.0.0/24 to me
02600 1303 333232 allow udp from 192.168.0.0/24 513 to 192.168.0.0/24 dst-port 513
65000 9223 1641961 count ip from any to any
65100 758 173995 deny { tcp or udp } from any to any dst-port 111,137,138 in
65200 2983 996998 deny { tcp or udp } from 192.168.0.0/24 to me
65300 0 0 deny ip from any to 255.255.255.255
65400 0 0 deny ip from any to 224.0.0.0/24 in
65500 0 0 deny udp from any to any dst-port 520 in
65500 0 0 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500 5482 470968 deny log logamount 50000 ip from any to any
65535 0 0 deny ip from any to any
[root@kabini1, /etc, 11:30:56am] 337 % uname -a
FreeBSD kabini1.local 9.3-RELEASE-p10 FreeBSD 9.3-RELEASE-p10 #0: Tue Feb 24 21:28:03 UTC 2015     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
[root@kabini1, /etc, 11:31:34am] 338 %

Any clues appreciated & TIA ....

-- 

	William A. Mahaffey III

 ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                           -- Gen. George S. Patton Jr.
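As an added example, not part of the original post or of FreeBSD's tooling: a small Python script that parses ipfw deny lines of the form quoted above, folds syslog's "last message repeated N times" into the preceding event, and classifies each dropped destination as unicast, LAN broadcast or multicast, so the flows hitting the catch-all logging rule can be read off directly (UDP port 525 is the port the timed service uses). It assumes the LAN is 192.168.0.0/24, the network used in the ruleset above, and the sample lines are a constructed subset of those quoted in the post.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample: a few of the /var/log/security lines quoted in the post.
SAMPLE_LOG = """\
Apr 13 07:44:08 kabini1 last message repeated 4 times
Apr 13 07:44:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
Apr 13 07:46:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Apr 13 07:46:09 kabini1 last message repeated 3 times
Apr 13 07:48:07 kabini1 last message repeated 4 times
"""

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumption: the LAN used in the post's rules
IPFW_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
                     r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}  # ipfw prints others as P:<number>

def dst_kind(dst):
    """unicast, broadcast or multicast; dst is 'host', 'host:port' or '[v6]:port'."""
    host = dst.rsplit(":", 1)[0] if dst.count(":") == 1 else dst.split("]")[0].lstrip("[")
    ip = ipaddress.ip_address(host)
    if ip.is_multicast:
        return "multicast"
    return "broadcast" if ip == LAN.broadcast_address or host == "255.255.255.255" else "unicast"

def parse_line(line):
    """Fields of one ipfw log line, or None for lines that are not ipfw events."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    if d["proto"].startswith("P:"):  # numeric protocol, e.g. P:2 is IGMP
        d["proto"] = PROTO_NAMES.get(int(d["proto"][2:]), d["proto"])
    d["kind"] = dst_kind(d["dst"])
    return d

def summarize(log_text):  # count flows; a 'last message repeated N' line credits the previous flow
    counts, last = Counter(), None
    for line in log_text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            if last:  # a repeat before any ipfw line has nothing to attach to
                counts[last] += int(rep.group("n"))
            continue
        d = parse_line(line)
        last = d and (d["rule"], d["action"], d["proto"], d["src"], d["dst"], d["dir"], d["kind"])
        if last:
            counts[last] += 1
    return counts
```

Run it against the full /var/log/security instead of SAMPLE_LOG and `summarize(open(path).read()).most_common()` lists the dropped flows by frequency, with their rule number and destination class.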