From owner-freebsd-hackers Sun Mar 28 6:13:49 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from cs.Technion.AC.IL (csa.cs.technion.ac.il [132.68.32.1]) by hub.freebsd.org (Postfix) with ESMTP id 8EDD715690 for ; Sun, 28 Mar 1999 06:13:40 -0800 (PST) (envelope-from nadav@cs.technion.ac.il)
Received: from csd.csa (csd.cs.technion.ac.il [132.68.32.8]) by cs.Technion.AC.IL (8.9.0/8.9.0) with SMTP id QAA26044; Sun, 28 Mar 1999 16:15:00 +0200 (IST)
Received: from localhost by csd.csa (SMI-8.6/SMI-SVR4) id QAA28826; Sun, 28 Mar 1999 16:14:56 +0200
Date: Sun, 28 Mar 1999 16:14:56 +0200 (IST)
From: Nadav Eiron
X-Sender: nadav@csd
To: Remy Nonnenmacher
Cc: ru@ucb.crimea.ua, noor@NetVision.net.il, freebsd-hackers@FreeBSD.ORG
Subject: Re: ipfw behavior, is it normal?
In-Reply-To: <199903281409.QAA22122@rt2.synx.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 28 Mar 1999, Remy Nonnenmacher wrote:

> On 28 Mar, Ruslan Ermilov wrote:
> > Hi!
> >
> > You've screwed your rules up ;-)
> > Rules 400 and 500 are `allow tcp', I suppose.
> > Send us your _real_ rules first.
> >
>
> I think these *ARE* the real rules. Anyway, 'IP' matches all packets..
>
> [check...check....]
>
> Yes.
>

Noor,

First, this type of question should go to questions@freebsd.org.

Second, your rules allow only unidirectional traffic: without 65000, the
server cannot send its replies to whoever is trying to access it.
Furthermore, if rule 500 is designed to allow ftp traffic, it's not enough.
ftp uses two ports, and unless it's in passive mode, is practically
impossible to let it through a packet filter without leaving it completely
open (as your rule 65000 does). I think you have to do some reading on how
to set up a packet filter...

> What is the FBSD version used ?
> Doing routing ? bridging ?
> Is the filtering machine the [server] ?
>
>
> > On Sun, Mar 28, 1999 at 02:23:57PM +0200, Noor Dawod wrote:
> >>
> >> Hi..
> >>
> >> Like many others have done before me, this is my first message to this
> >> mailing list and I hope not the last. I've been dealing with FreeBSD for
> >> quite some time now, and I cannot still understand why few ipfw rules
> >> don't work for me. I would like to share it with you and maybe get some
> >> help on it.
> >>
> >> My current ipfw rules are:
> >>
> >> -----------------------------------------------------------------
> >> 00100 allow ip from any to any via lo0
> >> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> >> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> >> 00400 allow ip from any to [server-ip] 80 in via xl0
> >> 00500 allow ip from any to [server-ip] 21 in via xl0
> >> 65000 allow ip from any to any
> >> 65535 deny ip from any to any
> >> -----------------------------------------------------------------
> >>
> >> 00200 and 00300 seem redundant because of rule 65000. But this is where
> >> all the problem lies. If I understand right the ipfw rules, if I remove
> >> line 65000 from the rules table, then I can still do all ip-related
> >> actions from [machine-a] and [machine-b], whose ip numbers are
> >> listed in 00200 and 00300. But, once I remove line 65000, I cannot do any
> >> ip-related actions on the [server], and even WWW/FTP services are not
> >> served as well.
> >>
> >> What am I missing here, and why the 65000 line MUST be there so that I
> >> could access [server] from [machine-a] and [machine-b] ?
> >>
> >> I apologize if this is not the place to ask such questions, and would
> >> like to be told where to send it instead.
> >>
> >> Thanks for your time and efforts.
> >>
> >> Noor
> >
>

Nadav

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
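Nadav's point about the missing return path, as an added example that is not part of the thread: a small Python model of ipfw's first-match walk over Noor's rules 400 and 500 with 65000 removed, using constructed placeholder addresses, showing that the client's SYN is allowed but the server's SYN/ACK reply falls through to the default deny, and that an `established` rule for segments leaving the server's service ports fixes this while a server-initiated active-FTP data connection from port 20 is still refused. It assumes ipfw's `established` semantics (match TCP segments with ACK or RST set) and nothing else from the page.

```python
# Added example, not from the thread: a toy first-match evaluator mimicking how
# ipfw walks its rule table.  SERVER/CLIENT are constructed placeholder addresses.
SERVER, CLIENT = "10.0.0.5", "192.0.2.7"

def rule(num, action, src=None, sport=None, dst=None, dport=None,
         direction=None, established=False):
    """A rule; None means 'any' for that field (like ipfw's `from any to any`)."""
    return dict(num=num, action=action, src=src, sport=sport, dst=dst,
                dport=dport, direction=direction, established=established)

def packet(src, sport, dst, dport, direction, ack):
    """A TCP segment as seen on the filtering interface (direction in/out)."""
    return dict(src=src, sport=sport, dst=dst, dport=dport,
                direction=direction, ack=ack)

def matches(r, pkt):
    """Every field the rule specifies must agree with the packet."""
    for key in ("src", "sport", "dst", "dport", "direction"):
        if r[key] is not None and r[key] != pkt[key]:
            return False
    # ipfw's `established` matches segments with ACK (or RST) set, so a
    # bare SYN opening a new connection never matches it.
    return pkt["ack"] or not r["established"]

def filter_packet(rules, pkt):
    """First matching rule wins; 65535 (deny ip from any to any) is the default."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["num"], r["action"]
    return 65535, "deny"

# Noor's rules 400 and 500 with 65000 removed (100/200/300 omitted).
NOOR_RULES = [
    rule(400, "allow", dst=SERVER, dport=80, direction="in"),
    rule(500, "allow", dst=SERVER, dport=21, direction="in"),
]

# Same, plus an explicit return path: only reply segments (ACK set) leaving
# the server's service ports may go out, so the server still cannot open
# connections of its own through the filter.
FIXED_RULES = NOOR_RULES + [
    rule(410, "allow", src=SERVER, sport=80, direction="out", established=True),
    rule(510, "allow", src=SERVER, sport=21, direction="out", established=True),
]

# Constructed traffic: a client's SYN to port 80, the server's SYN/ACK reply,
# and a server-initiated active-FTP data connection from port 20.
SYN = packet(CLIENT, 40000, SERVER, 80, "in", ack=False)
SYNACK = packet(SERVER, 80, CLIENT, 40000, "out", ack=True)
FTP_DATA = packet(SERVER, 20, CLIENT, 40001, "out", ack=False)
```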