Delivered-To: freebsd-questions@freebsd.org
From: "Drew Tomlinson"
Subject: How to Allow Incoming Traffic Through Firewall?
Date: Fri, 12 Oct 2001 09:31:13 -0700

I'm trying to refine my firewall rules. I have followed the examples at www.onlamp.com and then attempted to add my own rules as needed. I've included my rules at the bottom.

Basically, I want to allow everything out and everything back in that was initiated from my private network. I also want to allow incoming traffic to my mail server (smtp & imap), web server, and ssh. I know the man page indicates that filtering on port numbers is not a good idea so I am also open to other ways of allowing certain traffic.

I'm using telnet to test rule 505. The assumption is that if this rule works, then the others in the 500 series will work. But when I attempt to telnet, the packets get denied as per this log entry:

    Oct 12 09:27:55 blacksheep /kernel: ipfw: 610 Deny TCP 192.168.10.1:1027 192.168.10.2:23 in via ed1

OK, I understand why rule 610 is denying the packet but why isn't rule 505 allowing it? What am I missing?

And is there a better way to accomplish allowing web, mail, etc. traffic?

Thanks for your help!

Drew

--------------------------
Here are my rules:

    # Allow local traffic
    add 00400 allow ip from any to any via ed0

    # Allow specific incoming traffic
    # SSH
    add 00500 allow tcp from any to any 22
    # Telnet (for testing)
    add 00505 allow tcp from any to any 23
    # SMTP
    add 00510 allow tcp from any to any 25
    # HTTP
    add 00520 allow tcp from any to any 80
    # IMAP
    add 00530 allow tcp from any to any 143

    # Allow outgoing traffic and incoming traffic from connections
    # initiated from private network.
    # TCP traffic
    # Checks dynamic rule set
    add 00600 check-state
    # Denies packet with RST or ACK bits set.
    add 00610 deny log logamount 0 tcp from any to any in established
    # Create dynamic rule
    add 00620 allow tcp from any to any out setup keep-state

    # All Other traffic
    add 00700 allow ip from any to any out keep-state

    # Default deny rule
    add 65500 deny log logamount 0 ip from any to any
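The first-match walk that decides which rule a packet hits, as an added example (not code from the post or from FreeBSD's ipfw): a small Python evaluator over the posted rule set that approximates ipfw's check-state/keep-state, `established` and `setup` semantics. The TCP flags on the logged packet are an assumption (rule 610 only matches `established`, so ACK or RST must have been set), and the evaluator is a model of the rule semantics, not ipfw itself.

```python
import re
# The rule set from the post, verbatim.
RULESET = """
add 00400 allow ip from any to any via ed0
add 00500 allow tcp from any to any 22
add 00505 allow tcp from any to any 23
add 00510 allow tcp from any to any 25
add 00520 allow tcp from any to any 80
add 00530 allow tcp from any to any 143
add 00600 check-state
add 00610 deny log logamount 0 tcp from any to any in established
add 00620 allow tcp from any to any out setup keep-state
add 00700 allow ip from any to any out keep-state
add 65500 deny log logamount 0 ip from any to any
"""
RULE_RE = re.compile(r"add (\d+) (allow|deny|check-state)(?: log logamount \d+)?"
                     r"(?: (\w+) from any(?: \d+)? to any(?: (\d+))?(.*))?$")
def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        num, action, proto, dport, rest = RULE_RE.match(line).groups()
        opts = (rest or "").split()
        rules.append(dict(num=int(num), action=action, proto=proto, dport=dport,
                          via=opts[opts.index("via") + 1] if "via" in opts else None,
                          dir=next((o for o in opts if o in ("in", "out")), None),
                          opts=set(opts)))
    return rules
def evaluate(rules, pkt, state):
    """First-match walk; state is the set of 5-tuples recorded by keep-state rules."""
    fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    for r in rules:
        if r["action"] == "check-state":           # dynamic rules are consulted here
            if fwd in state or rev in state:
                return r["num"], "allow"
            continue
        if r["proto"] not in ("ip", pkt["proto"]) or (r["dport"] and r["dport"] != pkt["dport"]):
            continue
        if (r["via"] and r["via"] != pkt["iface"]) or (r["dir"] and r["dir"] != pkt["dir"]):
            continue
        # established = ACK or RST set; setup = SYN without ACK (ipfw's definitions)
        if "established" in r["opts"] and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        if "setup" in r["opts"] and ("SYN" not in pkt["flags"] or "ACK" in pkt["flags"]):
            continue
        if "keep-state" in r["opts"]:
            state.add(fwd)
        return r["num"], r["action"]
LOGGED = dict(proto="tcp", src="192.168.10.1", sport="1027", dst="192.168.10.2",  # from the log line
              dport="23", dir="in", iface="ed1", flags={"ACK"})  # flags: constructed assumption
```

Fed the logged packet, this walk stops at rule 505, so a 610 hit means the rules the kernel is actually running differ from this file; `ipfw -a list` shows the live rule set with per-rule hit counters for comparison.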