From owner-freebsd-questions Fri Oct 12 13:01:22 2001
Delivered-To: freebsd-questions@freebsd.org
From: "Jonas Sonntag"
Subject: IPFW question
Date: Fri, 12 Oct 2001 22:03:07 +0200
In-Reply-To: <20011009034032.K350@blossom.cjclark.org>
Sender: owner-freebsd-questions@FreeBSD.ORG

Hi list,

Looks better now, but I still have a serious problem ;)

With my current rules, everything for the internet works fine. No more messages from natd. :) Connections from the outside can communicate without problems on the allowed ports. Only my LAN is (again) disconnected from the net.
Here are the rules:

fwcmd="/sbin/ipfw"

$fwcmd -f flush

# lan: NAT everything crossing the outside interface, pass loopback and the LAN interface
$fwcmd add divert natd all from any to any via rl0
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0

# inet: traffic on the outside interface
$fwcmd add allow all from me to any via rl0
$fwcmd add allow tcp from any to me established via rl0
$fwcmd add allow tcp from any to me 21 setup via rl0
$fwcmd add allow tcp from any to me 22 setup via rl0
$fwcmd add allow tcp from any to me 80 setup via rl0
$fwcmd add allow udp from 213.196.65.2 53 to me
$fwcmd add allow udp from 213.196.64.2 53 to me
$fwcmd add allow icmp from any to any
$fwcmd add deny log ip from any to any

I don't understand why the LAN cannot connect any more. Name resolving works fine, but http, ftp and so on fail to connect. I thought that with 'allow all from me to any' and 'allow tcp from any to me established' at least this should work.

Please help, I'm stuck for two days now :(

js

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Tuesday, 9 October 2001 12:41
> To: Jonas Sonntag
> Cc: Jonathan Chen; freebsd-questions@FreeBSD.ORG
> Subject: Re: rpc.statd: invalid hostname to sm_stat: ^X?y?.... + IPFW questions
>
>
> On Tue, Oct 09, 2001 at 11:24:18AM +0200, Jonas Sonntag wrote:
> > > Some script kiddie is attempting to overflow your portmapper. Why have
> > > you got it running attached to the 'Net?
> >
> > I thought it to be closed!?
>
> I don't see a rule for it. Do you? Where is rpc.statd's port blocked?
>
> > This is my current ipfw config where rl0 is the outside interface and xl0
> > connects the LAN:
> >
> > 00100  3281039 2395988201 divert 8668 ip from any to any via rl0
> > 00200     5418     235058 allow ip from any to any via lo0
> > 00300 12328087 9850315840 allow ip from any to any via xl0
> > 00400        2         96 deny tcp from any to me 25 via rl0 setup
> > 00500        0          0 deny tcp from any to me 53 via rl0 setup
> > 00600        2         96 deny tcp from any to me 110 via rl0 setup
> > 00700       10        600 deny tcp from any to me 111 via rl0 setup
> > 00800        8        384 deny tcp from any to me 139 via rl0 setup
> > 00900        0          0 deny tcp from any to me 587 via rl0 setup
> > 01000  3280075 2395948580 allow ip from any to any via rl0
> > 65535      490     312763 deny ip from any to any
> >
> > Should I change rules for 111? Or are there other ports the portmapper uses?
>
> You don't actually need to consult the portmapper to use an RPC
> service. You can guess or brute force at what port a given service is
> listening on.
>
> > BTW, I'd like to use this config for the rl0 interface:
>
> Right, this is in the right direction. You want to explicitly pass
> what you allow and deny all else by default.
>
> > $fwcmd add allow all from 192.168.0.0/24 to any via rl0
>
> This rule doesn't make a lot of sense if it is coming after your
> divert(4) rule (which I assume it is?). All traffic leaving your LAN
> has already had the source address NAT'ed when this rule is hit.
>
> > $fwcmd add allow tcp from any to me 1-65535 established via rl0
>
> I don't really understand the point of explicitly telling it to pass
> all possible port numbers.
>
> > $fwcmd add allow tcp from any to me 21 setup via rl0
> > $fwcmd add allow tcp from any to me 22 setup via rl0
> > $fwcmd add allow tcp from any to me 80 setup via rl0
> > $fwcmd add allow icmp from any to any
> > $fwcmd add deny log ip from any to any
>
> I don't see a rule that ever passes anything leaving the system.
> In addition, for the same reason NAT'ed traffic leaving your system will
> never match that first rule, NAT'ed traffic entering on rl0 will never
> match any of these.
>
> > But when I activate this set of rules, syslog keeps saying:
> >
> > natd[182]: failed to write packet back (Permission denied)
> > last message repeated 87 times
> >
> > ...and so on, and the LAN is disconnected from the internet until I
> > reload with the *deny-some-ports-and-allow-the-rest-config*
>
> Which would be expected from these rules.
> --
> Crist J. Clark                          cjclark@alum.mit.edu
>                                         cjclark@jhu.edu
>                                         cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
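The following is an added example, not the poster's script and not from the quoted reply; it shows the ruleset shape that the reply's point about NAT'ed traffic leads to. Because the divert rule comes first, a packet re-enters the ruleset with its translated addresses: an outbound LAN packet now has the gateway's address as source (so "from me" matches it), but an inbound reply has already been un-NAT'ed by natd and is addressed to a LAN host, not to "me", so "allow tcp from any to me established" never sees it and the default deny drops it. The script therefore passes established TCP and DNS replies to the LAN network as well, and marks inbound and outbound rules with in/out. It assumes rl0 as the outside interface, xl0 as the LAN interface, 192.168.0.0/24 as the LAN network and the two DNS servers, all taken from the thread; the fw/load_rules helper names and the DRY_RUN preview switch are this example's own.

```shell
#!/bin/sh
# Added example ipfw/natd gateway ruleset (not the original poster's script).
# Interfaces, LAN network and DNS servers are taken from the thread; FWCMD,
# fw() and DRY_RUN are this example's own conventions.
FWCMD="${FWCMD:-/sbin/ipfw}"
OIF=rl0                        # outside interface (assumed from the thread)
IIF=xl0                        # LAN interface (assumed from the thread)
LAN=192.168.0.0/24             # LAN network (assumed from the thread)
DNS="213.196.65.2 213.196.64.2"  # resolvers listed by the poster

# Print the rule instead of loading it when DRY_RUN is set, so the ruleset
# can be reviewed on any machine without root or ipfw.
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipfw $*"
    else
        "$FWCMD" "$@"
    fi
}

load_rules() {
    fw -f flush

    # NAT first: every packet crossing rl0 is rewritten by natd and then
    # re-enters the ruleset at the next rule with its translated addresses.
    fw add divert natd all from any to any via "$OIF"
    fw add allow all from any to any via lo0
    fw add allow all from any to any via "$IIF"

    # Outbound on rl0: after NAT a LAN packet carries the gateway's own
    # address, so "from me" covers both the gateway and the LAN.
    fw add allow all from me to any out via "$OIF"

    # Inbound on rl0: replies for LAN hosts have already been un-NAT'ed, so
    # their destination is a LAN address, not "me". Pass established TCP to
    # both the gateway and the LAN network.
    fw add allow tcp from any to me established in via "$OIF"
    fw add allow tcp from any to "$LAN" established in via "$OIF"

    # Services the gateway itself offers to the internet (new connections only).
    for p in 21 22 80; do
        fw add allow tcp from any to me "$p" setup in via "$OIF"
    done

    # DNS replies from the listed resolvers, to the gateway and to LAN clients.
    for s in $DNS; do
        fw add allow udp from "$s" 53 to me in via "$OIF"
        fw add allow udp from "$s" 53 to "$LAN" in via "$OIF"
    done

    fw add allow icmp from any to any

    # Default deny, logged, so blocked traffic shows up in the security log.
    fw add deny log ip from any to any
}

# Preview by default; pass "apply" to load the rules for real (root on the gateway).
if [ "${1:-}" = "apply" ]; then
    load_rules
else
    DRY_RUN=1
    load_rules
fi
```

Two checks are worth doing after loading such a ruleset: `ipfw -a list` shows per-rule packet counters, so a LAN connection that fails should bump the counter of the final deny rule rather than one of the allow rules, and the logged denies name the exact post-NAT addresses and interface that failed to match. A "failed to write packet back (Permission denied)" message from natd is the same problem seen from the other side: natd reinjected a translated packet and ipfw refused it.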