Date:      Mon, 21 Feb 2000 09:51:01 -0500
From:      "Francisco Reyes" <fran@reyes.somos.net>
To:        "Doug Barton" <Doug@gorean.org>, "Mark Stout" <mcs@vpm.com>
Cc:        "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Reading rules in IPFW
Message-ID:  <200002211451.JAA20818@sanson.reyes.somos.net>
In-Reply-To: <38B0E408.BEBB049D@gorean.org>

On Sun, 20 Feb 2000 23:06:48 -0800, Doug Barton wrote:

>Mark Stout wrote:
>> default "allow ip from any to any" as the last rule.  If I make it "deny ip
>> from any to any" as the last rule my previous rules that once worked now
>> don't.  Nobody can get in.  This seems right.

In this type of situation, when you don't know what is stopping
your packets, the best way to troubleshoot it is by logging all
packets, checking which rule is stopping your packets and
modifying it accordingly.

>>   100 add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
>>   100 add permit log tcp from 206.13.14.0/24 to 209.60.152.2 23
>>   100 add permit log tcp from any to 209.60.152.2 80

As Doug mentioned, it is best not to use the same numbers.
Are you using rc.firewall to setup your rules?
That method creates the numbers for you.

It is also a better approach to use your interface IP/network IP
as a variable instead of manually typing it in. You could make a
mistake by typing it manually, in which case you would not see
the error unless you found what you mistyped.

>> I allow access to Telnet from any host on network 209.13.14.0
>> I allow access to Telnet from any host on network 209.13.15.0

Having Telnet is a bad thing if you already know your
network/computer(s) have been hacked. They could be getting your
passwords. Get SSH. Also in your rules make sure no Telnet info
is getting out by specifically mentioning the "out" card in a
via statement. Something like:

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny log all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny log all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny log all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny log all from any to 172.16.0.0:255.240.0.0 via ${oif}


>> I allow HTTP from anyone
>> I allow FTP from anyone
>> I then deny Telnet from everyone else

Reverse the order and have the deny Telnet via the outside card
before you allow it. Since this is your external card you should
not have any telnet traffic there.

>> The default rule #65535 allows everything else in.  Now, where I keep these
>> same rules but change 65535 to deny ip from any to any, then nothing is
>> allowed in, not HTTP or FTP.

As I mentioned earlier log all your rules and see where things
are getting stuck. Having the last rule as denying everything is
safer than the opposite.

Look at your "/etc/rc.conf" and check what type of firewall you
define there. That definition is what determines which part of
rc.firewall is used.
 
>Also, you're not supposed to change rule 65535, I'm not
>even sure you can, or what would happen if you try.

I don't even bother to check what that last rule is; just make
sure you make a rule before it that creates the behavior you
need, i.e. deny/accept all.

For your reference, this setting is changed at the kernel level,
and one can change its default by changing and recompiling the
kernel.


Mark,
Why do you say your system has been hacked?
Do you know the IDs they are using? Did you change all the
passwords, in particular root's?

Good luck.
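As an added example that is not part of Francisco's message or of FreeBSD's own rc.firewall, the script below puts the advice from this thread into one rule set: unique rule numbers, the interface and network addresses kept in variables, the Telnet deny on the outside card placed before the allow rules, logging on every rule, and an explicit final deny so rule 65535 never matters. It also includes a small log summary that counts logged packets per rule number, action and interface, which is how you find the rule that is stopping your packets. The outside interface name fxp0, the dry-run default for fwcmd (it prints the rules instead of loading them) and the sample log lines are assumptions and constructed data; the server and network addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: rc.firewall-style rule set plus an ipfw log summary.
# fwcmd defaults to a dry run that prints each rule; on the FreeBSD box
# set fwcmd=/sbin/ipfw before running it.

fwcmd="${fwcmd:-echo ipfw}"

oif="fxp0"                    # outside interface (assumed name)
server="209.60.152.2"         # the telnet/http/ftp server from the thread
telnet_net1="209.13.15.0/24"  # networks allowed to telnet (from the thread)
telnet_net2="206.13.14.0/24"

build_rules() {
    $fwcmd -f flush
    # Loopback first, then the RFC1918 check quoted in the message.
    $fwcmd add 100 allow all from any to any via lo0
    $fwcmd add 200 deny log all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add 210 deny log all from any to 192.168.0.0:255.255.0.0 via ${oif}
    # Telnet is refused on the outside card before any rule allows it.
    $fwcmd add 300 deny log tcp from any to ${server} 23 via ${oif}
    $fwcmd add 310 allow log tcp from ${telnet_net1} to ${server} 23
    $fwcmd add 320 allow log tcp from ${telnet_net2} to ${server} 23
    # Public services.
    $fwcmd add 400 allow log tcp from any to ${server} 80
    $fwcmd add 410 allow log tcp from any to ${server} 21
    # Replies to connections the server itself opened.
    $fwcmd add 500 allow tcp from any to any established
    # Explicit last rule: everything else is dropped and logged, so the
    # kernel default in rule 65535 is never reached.
    $fwcmd add 60000 deny log all from any to any
}

# Reads ipfw log lines (as syslog writes them) on stdin and prints
# "<rule> <action> <interface> <count>", one line per combination.
summarize_ipfw_log() {
    awk '
        /ipfw: / {
            # After "ipfw:" come rule number, action, protocol, src, dst,
            # direction, "via" and the interface name.
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            key = $(i + 1) " " $(i + 2) " " $NF
            count[key]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample log lines in the syslog format ipfw uses.
sample_log='Feb 21 09:40:01 sanson /kernel: ipfw: 60000 Deny TCP 10.1.2.3:1035 209.60.152.2:25 in via fxp0
Feb 21 09:40:02 sanson /kernel: ipfw: 60000 Deny TCP 10.1.2.3:1036 209.60.152.2:25 in via fxp0
Feb 21 09:40:05 sanson /kernel: ipfw: 300 Deny TCP 10.9.9.9:2001 209.60.152.2:23 in via fxp0
Feb 21 09:40:09 sanson /kernel: ipfw: 400 Accept TCP 209.13.15.4:1100 209.60.152.2:80 in via ed0'

# Usage: sh fw.sh rules   (print or load the rule set)
#        sh fw.sh log     (summarise the constructed sample log)
case "${1:-}" in
    rules) build_rules ;;
    log)   printf '%s\n' "$sample_log" | summarize_ipfw_log ;;
esac
```

With the real log, run `summarize_ipfw_log < /var/log/security`; a large count against 60000 on the outside interface means the packets fell through to the final deny, and the port in the logged lines tells you which allow rule is missing.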



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
