From: Mike Meyer
Date: Fri, 12 Oct 2001 16:03:49 -0500
To: "Drew Tomlinson"
Cc: questions@freebsd.org
Subject: Re: How to Allow Incoming Traffic Through Firewall?
Message-ID: <15303.23221.294413.552831@guru.mired.org>
In-Reply-To: <55894395@toto.iv>

Drew Tomlinson types:
> I'm trying to refine my firewall rules. I have followed the examples
> at www.onlamp.com and then attempted to add my own rules as needed.
> I've included my rules at the bottom.
>
> Basically, I want to allow everything out and everything back in that
> was initiated from my private network. I also want to allow incoming
> traffic to my mail server (smtp & imap), web server, and ssh. I know
> the man page indicates that filtering on port numbers is not a good
> idea so I am also open to other ways of allowing certain traffic.

Um - what man page says that filtering on port numbers is not a good
idea? It needs to be fixed.

> I'm using telnet to test rule 505. The assumption is that if this
> rule works, then the others in the 500 series will work. But when I
> attempt to telnet, the packets get denied as per this log entry:
>
> Oct 12 09:27:55 blacksheep /kernel: ipfw: 610 Deny TCP
> 192.168.10.1:1027 192.168.10.2:23 in via ed1
>
> OK, I understand why rule 610 is denying the packet but why isn't rule
> 505 allowing it? What am I missing? And is there a better way to
> accomplish allowing web, mail, etc. traffic?

Because 505 allows all traffic going to port 23. Your telnet session
goes from some random port on the initiating system - in this case it
was 1027 - to port 23 on the remote system. The initial packet goes
out, then comes back bound for that random port. Since it's not going
to port 23, 505 won't allow it through.

First suggestion - don't set rule numbers in the script. It makes it
easier to read and follow. My apologies if you added those for the
discussion.

Second suggestion - your setup is basically - upside down? inside out?
backwards? Strange, in any case. You normally use the "established"
rule to allow packets through for established connections, as the rest
of the rules will prevent unwanted connections from being set up at
all. The problem with the way you've done it is that - if it worked as
you intended - it would allow intruders to reach *all* your internal
machines on any of the ports you're allowing. I'm sure that's not your
intention, right?

Third suggestion - you need to set up nat if you're going to use
192.168 addresses. People normally block any traffic from such an
address at their firewall, because it's usually someone trying to
spoof their internal addresses. Letting them leak out is considered
bad form.

Fourth suggestion: read through /etc/rc.firewall; it contains examples
of firewalls of various types, along with comments about what's really
going on. That includes examples of setting up nat and allowing access
to internal servers.

Sixth suggestion: If you're serious about this, get the Chapman and
Zwicky book mentioned in that file. Both are very sharp, have been
doing this for a long time - Brent made a living doing nothing else
until the firewall-in-a-box products showed up - and write well.

http://www.mired.org/home/mwm/
Q: How do you make the gods laugh?
A: Tell them your plans.
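The reply's two points (a rule that matches "to port 23" never sees the reply that comes back to the client's random port, and a rule written that way also lets an outsider open a connection to any inside host on that port, which the usual "established"/"setup" layout prevents) can be checked with a small model of ipfw's first-match evaluation. This is an added example, not code from the mail, from Drew's rule set (which is not reproduced in the archive) or from /etc/rc.firewall. The rule numbers, the host addresses other than those in the quoted log line, the `Packet`/`Rule` types and the `verdict`, `outbound_telnet` and `inbound_setup` functions are all constructed for illustration; "established" is modelled as "ACK set" and "setup" as "SYN set, ACK clear", following the ipfw keywords' meaning.

```python
"""Toy first-match TCP filter, modelled loosely on ipfw rule evaluation.
Constructed example: it is not ipfw and not the rule set from the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" = arriving on the outside interface, "out" = leaving
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # restrict to "in"/"out"; None = either
    dport: Optional[int] = None      # destination port; None = any
    dst: Optional[str] = None        # destination host; None = any
    established: bool = False        # ipfw "established": ACK (or RST) set
    setup: bool = False              # ipfw "setup": SYN set and ACK clear


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.established and not pkt.ack:
        return False
    if rule.setup and not (pkt.syn and not pkt.ack):
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule wins, like ipfw; the implicit last rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


# Rule set as the reply describes it: 505 admits anything bound for port 23
# in either direction, 610 then denies whatever else arrives from outside.
PORT_ONLY = [
    Rule(505, "allow", dport=23),
    Rule(610, "deny", direction="in"),
    Rule(1000, "allow", direction="out"),
]

# Conventional layout: replies pass via "established", inside hosts may open
# connections outward, and inbound connection setup is allowed only to the
# one server and port that is meant to be reachable (constructed: SMTP on
# 192.168.10.2).  Everything else arriving from outside is denied.
ESTABLISHED = [
    Rule(100, "allow", established=True),
    Rule(200, "allow", direction="out", setup=True),
    Rule(300, "allow", direction="in", setup=True, dst="192.168.10.2", dport=25),
    Rule(600, "deny", direction="in"),
    Rule(1000, "allow", direction="out"),
]


def outbound_telnet(rules: List[Rule], client="192.168.10.1",
                    client_port=1027, server="10.0.0.9") -> Tuple[str, str]:
    """Telnet from an inside client: the SYN leaves for port 23, the SYN/ACK
    comes back addressed to the client's random port (1027 in the log)."""
    syn = Packet(client, client_port, server, 23, "out", syn=True, ack=False)
    reply = Packet(server, 23, client, client_port, "in", syn=True, ack=True)
    return verdict(rules, syn)[1], verdict(rules, reply)[1]


def inbound_setup(rules: List[Rule], host: str, port: int) -> Tuple[int, str]:
    """A connection attempt from outside (SYN, no ACK) to an inside host."""
    pkt = Packet("203.0.113.5", 40000, host, port, "in", syn=True, ack=False)
    return verdict(rules, pkt)


if __name__ == "__main__":
    print("port-only telnet (syn, reply):", outbound_telnet(PORT_ONLY))
    print("established telnet (syn, reply):", outbound_telnet(ESTABLISHED))
    print("port-only, outside -> 192.168.10.7:23:", inbound_setup(PORT_ONLY, "192.168.10.7", 23))
    print("established, outside -> 192.168.10.7:23:", inbound_setup(ESTABLISHED, "192.168.10.7", 23))
    print("established, outside -> mail server :25:", inbound_setup(ESTABLISHED, "192.168.10.2", 25))
```

Under `PORT_ONLY` the outgoing SYN passes but the reply to port 1027 falls through to the deny rule, which is exactly the mismatch the reply explains; under `ESTABLISHED` the reply is admitted because it carries ACK. The second pair of checks shows the security consequence: the port-only set lets an outside host open a connection to any inside machine on port 23, while the established/setup layout denies it and admits inbound setup only to the listed mail server port.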