Date:      Mon, 24 Dec 2007 03:10:49 -0800 (PST)
From:      Nash Nipples <trashy_bumper@yahoo.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Fwd: Re: IPFW: Blocking me out.  How to debug?
Message-ID:  <596925.68009.qm@web36308.mail.mud.yahoo.com>

>Date: Sun, 23 Dec 2007 06:04:02 -0800 (PST)
>From: Nash Nipples <trashy_bumper@yahoo.com>
>To: freebsd-security@freebsd.org
>Subject: Re: IPFW: Blocking me out.  How to debug?
>
>Dear W.D.
>
>oh come on. i have the same problem.

Which problem are we talking about?

cut and paste problem.

>cut and paste logic:
>
>#!/bin/sh
>#1. count packets
>#2. allow everything on lo0 (loopback)
>#3. slow down and deny packets to buffer overflow enabled daemons
>#3.5 to list all the buffer overflow enabled daemons use this sockstat -46ul
>#4. allow everything in and out on the Ethernet interface fxp0.
>Remember - wires are long things!

What does this mean?
this means that instead of speaking of policies it's rather more important to keep your wires safe

>#5. switch sshd to a different port like 55 and use keys to authenticate
>#6. do ipfw show every morning

Why?
you will be surprised but moving sshd to a non-standard port will make your logs cleaner instantly. it is really exciting to read the passwords files in your /var/log/auth.log but this again a traffic and load issue. some people just think it's fun to abuse the sshd daemon.

so you better keep a hand on the heartbeat and maintain good backups. that's probably a thing to practice prior to ipfw facility

>#7. do ipfw zero every evening or as often as your boss wants that

How about a cron job that sends out a report then zero's ipfw?
of course you can read reports. but you will become cron dependent. and that makes you look like a paper monkey.
plus someone will think you don't really hang on the box too often.

>#8. learn how to modify this script quickly just to plumb all the
>other things that leak

What other things?
there are always some things that u just can't predict at this very moment so you need to make decisions and which is more important take some actions. for example blocking out some script kiddie who's sending you a list of ftp passwords.

>#9. you cant block yourself out if you run this script with a trailing
>'&' e.g. sh /etc/ipfw.rules &

Hmmm.  I'll have to try that.  Would something like this
work to reload the rules?

ipfw disable firewall; sh /etc/ipfw.rules &

just sh /etc/ipfw.rules &  that's enough to survive the ipfw -f flush and reload afterwards

>#TODO: write a program that sends bills to customers
>#BUGS: it cant smile
>
>cmd="/sbin/ipfw"
>ext1="fxp0"
>gentleports="21,25,514"

Why are these ports "gentle"?
all open ports are gentle and potentially insecure. if you are not using them for a reason don't leave them hanging open
those 3 ports are most likely to be left open. try sockstat -46ul to list em

>
>#accounting
>#i need these figures to see how bad things are going
>$cmd 100 count ip from any to any in via lo0
>$cmd 110 count ip from any to any out via lo0
>$cmd 120 count ip from any to any in via $ext1
>
>
>
>$cmd 130 count ip from any to any out via $ext1
>
>#if counters below grow too high u are screwed

How so?
there is such thing as icmp tunnels. i don't really know how they work but i don't want someone to dig one through my box cuz i'm gonna have to pay for the traffic. keeping an eye on these counters will give you a hint when something wrong is happening.
daily report you get by cron is a security funerals

>  #this counter should not vary much comparing to the next one
>$cmd 210 count icmp from any to any out via $ext1

>  #if there is an obvious difference someone's digging holes in the yard

What does this mean?
that means icmp tunnels and sanity check. you shouldn't have more pings than tcp frames.
I'm only giving you basic ideas emphasizing importance of personal experience. the way you go from here is your own paranoid activity

> $cmd 220 count icmp from any to any in via $ext1
>  #too much of dns.
>$cmd 230 count ip from any to any 53 out via $ext1
>$cmd 240 count ip from any to any 53 in via $ext1

Why too much?
because you want to remember how much of dns you had at this time yesterday and how much of dns you see now.
you might still have a chance to bump a worm or a trojan isn't it cool? of course you can go the other way. and just say to your boss "oh i think we had a little too much of dns last month". it's okay that most of dns requests one day were pointless

>
>#if counters below grow too high you have screwed someone else

Who?  Why?
sendmail freaked out. it couldn't have resolved something and kept trying. all night until u get the cron report. no one's fault. traffic wasted. what if someone was sending out spam? anywho for whatever reason.

>#oh yes. someone's got mail.
>$cmd 300 count ip from any to any 25 out via $ext1
>#which way did it go
>$cmd 310 count ip from any to any 25 via lo0
>
>#policy
>$cmd 1000 allow all from any to any via lo0
>/sbin/ipfw add 1110 pipe 1 ip from any to me $gentleports in via $ext1
>/sbin/ipfw pipe 1 config bw 1Kbit/s queue 1Kbytes
>
>$cmd 1120 deny ip from any to me $gentleports in via $ext1
>$cmd 1130 allow all from any to any via ext1
>#you will wonder but the next rule still has a match
>$cmd 1140 deny log all from any to any

What is it?
maybe i have made a few syntax mistakes but i like the idea here. allow everything on lo0.
set up a pipe (traffic shaper routine) to the ports u are trying to protect on $ext1. and reject on a slow link
what if there is some idiot who will just keep trying to access your syslog daemon all night on a gigabit link?

>
>I'm sorry but i cant draw pretty pictures to make it any more obvious
that's a statement
>
>Nash
>
>
>----- Original Message ----
>From: W. D. <WD@US-Webmasters.com>
>To: FreeBSD-Security@FreeBSD.org
>Cc: Ian Smith <info@plot.uz>
>Sent: Friday, December 21, 2007 9:30:11 AM
>Subject: Re: IPFW: Blocking me out.  How to debug?
>
>
>At 05:45 12/20/2007, Ian Smith, wrote:
>
>Thanks for your reply Ian.  This is the kind of
>information I am looking for.
>
>
>>Firstly, this really belongs over on freebsd-net@ if not
>>freebsd-questions@, but anyway ..
>
>I'll be glad to move it there if you would like.  I
>figured that since IPFW/Firewalls are security
>related, that FreeBSD-Security would be the most
>appropriate place.
>
>
>>On Thu, 20 Dec 2007, W. D. wrote:
>>
>> > At 03:49 12/17/2007, Tuomo Latto wrote:
>> > >W. D. wrote:
>> > >> How do I tell which rule is blocking me out?  SSH *is* working,
>> > >> but others are not.
>> > >
>> > >It all depends on what you mean by "blocking you out" and "others".
>>
>>True; it's not really clear what you're trying to do, whether this is a
>>single server with a single net interface with no NAT or what, but based
>>on your present rules I'll have to make that assumption.
>
>OK, sorry.  I guess I just assumed that it would be obvious
>that this is a Web server.  ("Never assume anything, my good
>fellow" - Sherlock Holmes).
>
>By the way, it is/will be running Plesk server management
>software, if it matters:
>http://www.swsoft.com/en/products/plesk/reqs/
>
>Also, this server is on an internal LAN before I subject
>it to the wild, untamed, InterWeb, with its dangerous
>internets darting back and forth inside all of the tubes.
>
>
>> > >>         # Loopback:
>> > >>         # Allow anything on the local loopback:
>> > >>         add allow all from any to any via lo0
>> > >>         add deny ip from any to 127.0.0.0/8
>> > >>         add deny ip from 127.0.0.0/8 to any
>>
>>Meaning, these rules are ok and not the problem.  Ignore Mr. Nipples.
>
>With a name like that, it's hard to take him seriously.  ;^)
>
>
>>
>> > >>         # Allow established connections:
>> > >>         add allow tcp from any to any established
>>
>>That's ok.  It may help you in debugging what's happening to use:
>>
>>  allow [log] tcp from any to any in established
>>  allow [log] tcp from any to any out established
>
>I assume here that "[log]" means to insert "log" for
>debugging like this:
>
>  allow log tcp from any to any in established
>  allow log tcp from any to any out established
>
>rather than including the square brackets, "[" & "]",
>correct?
>
>I have done that and have included my latest ruleset
>below.
>
>
>
>>and really, using 'any to any' without specifying on which interfaces or
>>whether 'any' is your box or the outside world is a bit too general, but
>>moving on ..
>
>OK.  What should I do?  I only plan on having one
>Ethernet interface.  What would be more secure?
>
>
>
>> > >>         # Deny fragmented packets:
>> > >>         add deny ip from any to any frag
>
>> > >>         # Show pings:
>> > >>         add count icmp from any to any icmptypes 8 in
>> > >
>>
>>That's inbound ping requests.  Don't forget that 'inbound' means coming
>>into the firewall, not necessarily from the outside world.  Your own
>>ping requests _from_ this box also have to both come in, and go out.
>
>Hmmm.  OK.  Outbound Ping will be rarely used, but should
>be allowed.  Isn't that included in the next rule?
>
>
>> > >>         # Allow pings, ping replies, and host unreach:
>> > >>         add allow icmp from any to any icmptypes 0,8,3
>> > >
>>
>>Add icmptype 11 as well if you want traceroutes to work ..
>>
>> > >>         # Allow UDP traceroutes:
>> > >>         add allow udp from any to any 33434-34458 in
>> > >>         add allow udp from any 33434-34458 to any out
>> > >
>>
>>Ok, though udp rules are often better done statefully.  See below.
>>
>> > >>         # Allow DNS with name server
>> > >>         add allow udp from any to any domain out
>> > >>         add allow udp from any domain to any in
>> > >Nope.
>>
>>You want to watch out here.  This allows udp packets from any address
>>with source port 53 to connect with any open udp port on your system,
>>and allows the responses as well.  It's a simple matter using such as
>>netcat to source packets from port 53.
>
>Should I restrict it by specifically stating the service?
>How can I be safe?  What would the rule look like?
>
>
>>I gather from this that you're not running a DNS server yourself, but
>>using upstream server/s?  In that case a stateful rule is safer:
>
>Again, I apologize for not being clear.  I will be running
>DNS on this box for the domains being hosted.  So, it will
>be polled whenever a request for a hosted domain is needed.
>
>
>
>>  allow udp from me to any 53 keep-state
>>
>>which allows after the return packets but denies connections not
>>initiated from your box.
>>
>> > >>         # SSH
>> > >>         #  Note that /etc/hosts.allow has restrictions
>> > >>         #  on which IP addresses are allowed.
>> > >>         #
>> > >>         # Allow SSH:
>> > >>         add allow tcp from any to any ssh in setup
>> > >
>>
>>By 'ssh working', I guess you mean ssh connections to this box from
>>elsewhere, rather than ssh connections from this box?  Not clear.
>
>Sorry!  I am using SSH into this box, since it is easier to
>cut and paste for editing and configuration.
>
>I can't really see a situation where I would normally need to SSH
>outbound, can you?  I use the Windoze boxes for that.
>
>
>> > >>         # HTTP & HTTPS:
>> > >>         add allow tcp from any to any https in setup
>> > >>         add allow tcp from any to any http in setup
>> > >
>>
>>So, you have a webserver running on this box, listening on ports 80 and
>>443?  You've verified with 'netstat -finet -a' that this is the case?
>
>Yes:
>
># netstat -finet -a
>Active Internet connections (including servers)
>Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
>tcp4       0      0  192.168.1.109.ssh      192.168.1.107.3502     ESTABLISHED
>tcp4       0     52  192.168.1.109.ssh      192.168.1.107.2266     ESTABLISHED
>tcp4       0      0  *.poppassd             *.*                    LISTEN
>tcp4       0      0  *.ftp                  *.*                    LISTEN
>tcp4       0      0  *.smtps                *.*                    LISTEN
>tcp4       0      0  *.smtp                 *.*                    LISTEN
>tcp4       0      0  localhost.locald.3000  *.*                    LISTEN
>tcp4       0      0  *.pop3s                *.*                    LISTEN
>tcp4       0      0  *.pop3                 *.*                    LISTEN
>tcp4       0      0  *.imaps                *.*                    LISTEN
>tcp4       0      0  *.imap                 *.*                    LISTEN
>tcp4       0      0  *.8443                 *.*                    LISTEN
>tcp4       0      0  *.8880                 *.*                    LISTEN
>tcp4       0      0  *.3306                 *.*                    LISTEN
>tcp4       0      0  localhost.locald.8005  *.*                    LISTEN
>tcp4       0      0  *.9008                 *.*                    LISTEN
>tcp4       0      0  *.8009                 *.*                    LISTEN
>tcp46      0      0  *.https                *.*                    LISTEN
>tcp46      0      0  *.http                 *.*                    LISTEN
>tcp4       0      0  *.9080                 *.*                    LISTEN
>tcp4       0      0  *.8180                 *.*                    LISTEN
>tcp4       0      0  localhost.locald.postg *.*                    LISTEN
>tcp4       0      0  localhost.locald.rndc  *.*                    LISTEN
>tcp4       0      0  localhost.locald.domai *.*                    LISTEN
>tcp4       0      0  192.168.1.109.domain   *.*                    LISTEN
>tcp4       0      0  *.ssh                  *.*                    LISTEN
>udp4       0      0  192.168.1.109.24889    ns1.ournameserver.net.53
>udp4       0      0  *.51750                *.*
>udp4       0      0  localhost.locald.domai *.*
>udp4       0      0  192.168.1.109.domain   *.*
>udp4       0      0  *.syslog               *.*
>
>
>
>
>>
>> > >>         # Mail: SMTP & IMAP:
>> > >>         add allow tcp from any to any smtp in setup
>> > >>         add allow tcp from any to any imap in setup
>> > >
>>
>>You're running SMTP and IMAP servers, verified as above?
>>
>>You see, this also allows you (as 'any') to connect to any outside SMTP
>>server too.  It really helps to differentiate connections into your box
>>from those you're making to outside boxes, which these don't do.
>>
>>Have a close look at the 'simple' section in rc.firewall.
>
>I have scanned various versions of "rc.firewall".  I kinda understand
>what is going on, but there are so many places that seem anti-intuitive
>to me.
>
>Also, what are the differences between running a script and loading
>these rules on bootup?
>
>
>
>>There are
>>advantages to running a script such as that rather than rules in a file,
>>like variable substitution, at least while getting it all working right.
>
>I have mixed feelings about variables.  I guess they make
>it easier if you change a network card or IP addresses--you
>only have to do it in one place.
>
>However, a search and replace command doesn't take much
>time at all.  Also, they add a level of complexity to
>a situation that (to me) is complex enough already.
>And, I wonder if by not using variables, I can save a
>few microseconds when processing traffic.  ;^)
>
>
>
>> > >>         # FTP:
>> > >>         add allow tcp from any to any ftp in setup
>> > >>         add allow tcp from any to any ftp\-data in setup
>> > >>         add allow tcp from any ftp\-data to any setup out
>> > >
>>
>>Mmm, I prefer using and enforcing FTP passive mode, but YMMV.
>
>How would I do that?  This guy doesn't think it's even
>possible:
>http://tinyurl.com/2z6ynr
>
>
>> > >>         # Allow NTP in and out
>> > >>         add allow udp from any ntp to 128.252.19.1 ntp out
>> > >>         add allow udp from 128.252.19.1 ntp to any ntp in
>> > >
>>
>>Unless running a time service for other boxes, something like:
>>
>>  allow udp from me to any ntp keep-state # or to a specific server
>
>Well, I think that since NTP is such a minimal user
>of resources, that I would like to rely on this
>box for the correct time.  That way, I don't have
>to bug the stratum 1 boxes.  Shall I use my original?
>
>
>>
>> > >>         # Deny and log everything else:
>> > >>         add deny log all from any to any
>> > >Bingo!
>>
>>Ok, so you got rid of interface 'all', great.
>
>Is this better?
>
>  add deny log ip from any to any
>
>If so, I just don't understand this.  Here is what the
>"Fine Manual" says:
>
>  ===============================================================
>  protocol: [not] protocol-name | protocol-number
>  An IP protocol specified by number or name (for a complete list
>  see /etc/protocols), or one of the following keywords:
>
>  ip4 | ipv4
>          Matches IPv4 packets.
>
>  ip6 | ipv6
>          Matches IPv6 packets.
>
>  ip | all
>        Matches any packet.
>  ===============================================================
>
>According to this, "ip" and "all" are synonymous.  Criminy!
>What am I missing here?
>
>
>
>> > >"ipfw -a list" may also help (packet counts).
>>
>>It's only a short ruleset, it may help us if you show the output of say
>>'ipfw -t show' (or ipfw -at list, same thing), if you're still having
>>problems, but see below re 'inness' and 'outness'.
>>
>> > I've been banging my head against this for the past few
>> > days.  I don't get it.
>> >
>> > My understanding of the way this is supposed to work is
>> > that:
>> >
>> >   # HTTP & HTTPS:
>> >   add allow tcp from any to any https in setup
>> >   add allow tcp from any to any http in setup
>> >
>> > should let initial HTTP & HTTPS requests through,
>> > and that:
>> >
>> >  # Allow established connections:
>> >  add allow tcp from any to any established
>>
>>Not quite.  Looks like you're allowing http/https setup packets in (ie,
>>into the firewall) but not letting them out (of the firewall, to the
>>webserver).  For example in the 'simple' ruleset mentioned, we have:
>>
>>        # Allow access to our WWW
>>        ${fwcmd} add pass tcp from any to ${oip} 80 setup
>>
>>        # Reject&Log all setup of incoming connections from the outside
>>        ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>>
>>        # Allow setup of any other TCP connection
>>        ${fwcmd} add pass tcp from any to any setup
>
>I really don't get the above rule.  Isn't it saying that
>*any* kind of TCP connection can come in or go out initially?
>
>
>
>>Note there's no 'in' or 'out' on the port 80 rule, so this allows the
>>packets on both the in and out pass of the firewall.  Also, the IP is
>>specified as our IP - 'me' will do fine if it's just this box.
>
>In my set, should I include some "out" rules like this:
>
>  add allow tcp from any to any https out setup
>  add allow tcp from any to any http out setup
>
>
>>
>> > should allow connections that are "setup" to
>> > continue.  Do I need a "check-state" or "keep-state"
>> > statement somewhere?
>>
>>No, though you can use stateful TCP rules if you want to, in which case
>>you'll want to DENY established connections.  Personally I find relying
>>on the TCP state established by using 'setup' and 'established' fine for
>>TCP, but tend to use keep-state for UDP and some ICMP rules.
>
>That sounds reasonable.
>
>
>> > I don't understand what is wrong with the last rule:
>> >
>> >   # Deny and log everything else:
>> >   add deny log all from any to any
>> >
>> > My understanding is that anything that doesn't match
>> > the previous rules will match this one and hence
>> > be logged and denied.  Is this not correct?
>>
>>That's correct.  Aren't you seeing any?  Try show rather than tell.
>
>Showing:
>
># ipfw -a -S -N -t list
>00100  688  173384 Thu Dec 20 15:32:17 2007 set 0 allow log logamount 10 ip from any to any via lo0
>00200    0       0                         set 0 deny log logamount 10 ip from any to 127.0.0.0/8
>00300    0       0                         set 0 deny log logamount 10 ip from 127.0.0.0/8 to any
>00400 4344 1712050 Fri Dec 21 00:23:37 2007 set 0 allow log logamount 10 tcp from any to any established
>00500    0       0                         set 0 deny log logamount 10 ip from any to any frag
>00600    4     240 Wed Dec 19 23:05:31 2007 set 0 count icmp from any to any icmptypes 8 in
>00700    8     480 Wed Dec 19 23:05:31 2007 set 0 allow log logamount 10 icmp from any to any icmptypes 0,3,8
>00800    0       0                         set 0 allow log logamount 10 udp from any to any dst-port 33434-34458 in
>00900    0       0                         set 0 allow log logamount 10 udp from any 33434-34458 to any out
>01000  366   24038 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any to any dst-port domain out
>01100  364   59582 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any domain to any in
>01200    1      48 Thu Dec 20 16:49:47 2007 set 0 allow log logamount 10 tcp from any to any dst-port ssh in setup
>01300    0       0                         set 0 allow log logamount 10 tcp from any to any dst-port https in setup
>01400    6     288 Thu Dec 20 14:43:38 2007 set 0 allow log logamount 10 tcp from any to any dst-port http in setup
>01500   98    6272 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 tcp from any to any dst-port http
>01600    1      64 Thu Dec 20 15:25:01 2007 set 0 allow log logamount 10 tcp from any to any dst-port https
>01700    0       0                         set 0 allow log logamount 10 tcp from any to any dst-port smtp in setup
>01800    0       0                         set 0 allow log logamount 10 tcp from any to any dst-port imap in setup
>01900   43    2064 Wed Dec 19 23:16:18 2007 set 0 allow log logamount 10 tcp from any to any dst-port ftp in setup
>02000    0       0                         set 0 allow log logamount 10 tcp from any to any dst-port ftp-data in setup
>02100    0       0                         set 0 allow log logamount 10 tcp from any ftp-data to any setup out
>02200  100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from any ntp to navobs1.wustl.edu dst-port ntp out
>02300  100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from navobs1.wustl.edu ntp to any dst-port ntp in
>02400 2058  226123 Fri Dec 21 00:17:20 2007 set 0 deny log logamount 10 ip from any to any
>65535    7     909 Wed Dec 19 22:58:29 2007 set 31 deny ip from any to any
>
>Lot of stuff being denied.  I think some of that
>is my HTTP and HTTPS initial requests.  What to do?
>
>>
>> > Again, I am having a great deal of difficulty
>> > understanding why these rules don't work as expected.
>> > I've scoured the 'Net and printed out just about
>> > every coherent ruleset out there.
>> >
>> > Besides adding the "log" keyword on all of the rules,
>> > these are the debugging tools I have been using:
>> >
>> >   ipfw disable firewall
>> >   ipfw -f flush
>> >   ipfw enable firewall
>> >   /etc/rc.d/ipfw start
>> >   ipfw -a -S -N -t list
>> >   ipfw list
>> >   tail  -f   /var/log/ipfw/ipfw.log
>> >   tcpdump -i nve0 'proto \tcp && port http'
>> >   netstat -finet -a
>> >
>> > Could anyone please throw this tired dog a bone?
>>
>>Getting the two-pass nature of ipfw understood seems to be your main
>>difficulty.
>
>I would definitely agree with you.  I am completely lost.
>
>By "two-pass" do you mean "in" to the firewall, and then
>"in" to the webserver, and another "two-pass": "out" from the
>webserver, and "out" from the firewall?
>
>
>>I know it was for me back then.  Have a look at the section
>>in ipfw(8) regarding packet flows, and although it sounds trite, RTFM
>>about 10 times :)
>>
>>Cheers, Ian
>
>Love the "Fine Manual" --not!  Just not enough examples for
>me to understand everything.  Too much abstraction--AAArrrrgh!
>
>Am using this link, since "man ipfw" doesn't work on 6.2.  (I dare
>someone to explain to me how to get it to work):
>http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8
>
>Thanks for your help, Ian.  Would appreciate it if you would
>kick my butt in the proper direction again.
>
>Any other takers/kickers?
>
>
>Latest grope in the dark:
>===============================================================
># ipfw.rules
># ipfw firewall ruleset
>#  2007 Dec 20
>
># By default, everything is denied access.  You
># need to specifically allow something for it
># to work.
>
># Loopback:
># Allow anything on the local loopback:
>add allow log all from any to any via lo0
>
># Disallow spoofed access to local:
>add deny log ip from any to 127.0.0.0/8
>add deny log ip from 127.0.0.0/8 to any
>
># Allow established connections:
>add allow log tcp from any to any established
>
># Deny fragmented packets:
>add deny log ip from any to any frag
>
># Show pings:
>add count icmp from any to any icmptypes 8 in
>
># Allow pings, ping replies, and host unreach:
>add allow log icmp from any to any icmptypes 0,8,3
>
># Allow UDP traceroutes:
>add allow log udp from any to any 33434-34458 in
>add allow log udp from any 33434-34458 to any out
>
># Allow DNS with name server
>add allow log udp from any to any domain out
>add allow log udp from any domain to any in
>
># SSH
>#  Note that /etc/hosts.allow has restrictions
>#  on which IP addresses are allowed.
>#
># Allow SSH:
>add allow log tcp from any to any ssh in setup
>
># HTTP & HTTPS:
>add allow log tcp from any to any https in setup
>add allow log tcp from any to any http in setup
>
>add allow log tcp from any to any dst-port 80
>add allow log tcp from any to any dst-port 443
>
># Mail: SMTP & IMAP:
>add allow log tcp from any to any smtp in setup
>add allow log tcp from any to any imap in setup
>
># FTP:
>add allow log tcp from any to any ftp in setup
>add allow log tcp from any to any ftp\-data in setup
>add allow log tcp from any ftp\-data to any setup out
>
># Allow NTP in and out
>add allow log udp from any ntp to 128.252.19.1 ntp out
>add allow log udp from 128.252.19.1 ntp to any ntp in
>
>
># Deny and log everything else:
># add deny log all from any to any
>add deny log ip from any to any
>===============================================================
>
>
>Start Here to Find It Fast!™ ->
> http://www.US-Webmasters.com/best-start-page/
>$8.77 Domain Names -> http://domains.us-webmasters.com/
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
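The thread turns on how ipfw evaluates a ruleset: first match wins, a packet is checked once on its "in" pass and again on its "out" pass, `count` rules do not stop the search, `setup`/`established` look at TCP flags, and `keep-state` adds a dynamic entry for the reverse flow. The toy evaluator below is an added example written for this page; it is not code from the thread, from Ian's rc.firewall reference, or from FreeBSD. It parses an excerpt of W.D.'s ruleset (rule numbers as in his `ipfw -a -S -N -t list` output) plus a second copy with Ian's `allow udp from me to any 53 keep-state` in place of the two DNS rules, then runs constructed packets through both. Assumptions: the box's address 192.168.1.109 and client 192.168.1.107 come from W.D.'s netstat output, interface `nve0` from his tcpdump line; the 10.0.0.x addresses and port numbers on the sample packets are made up; `via`, `me`, `keep-state` and the implicit check-state are simplified models of ipfw(8), not a reimplementation of it.

```python
"""Toy first-match model of the ipfw rules discussed above: rule order, the separate
'in'/'out' pass through the firewall, 'via', 'setup'/'established', non-terminating
'count' and a minimal 'keep-state' table. Added example, not thread or FreeBSD code."""
from collections import namedtuple

SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53}
ME = {"192.168.1.109"}  # the box's own address, from the netstat output in the thread

# Excerpt of W.D.'s ruleset, with the numbers ipfw assigned in his listing.
WD_RULES = """
add 100 allow log all from any to any via lo0
add 400 allow log tcp from any to any established
add 600 count icmp from any to any icmptypes 8 in
add 700 allow log icmp from any to any icmptypes 0,8,3
add 1000 allow log udp from any to any domain out
add 1100 allow log udp from any domain to any in
add 1400 allow log tcp from any to any http in setup
add 2400 deny log ip from any to any
"""
# The same excerpt with Ian's stateful DNS rule in place of 1000 and 1100.
STATEFUL_RULES = WD_RULES.replace(
    "add 1000 allow log udp from any to any domain out\n"
    "add 1100 allow log udp from any domain to any in\n",
    "add 1000 allow udp from me to any 53 keep-state\n")

# One packet on one pass ("in" or "out") through the firewall; constructed samples only.
Packet = namedtuple("Packet", "proto src sport dst dport direction iface syn ack icmptype",
                    defaults=("nve0", False, False, -1))   # nve0: W.D.'s NIC, per his tcpdump line

def _ports(tok):
    """'80', 'http' or 'a,b' -> set of port numbers."""
    return {SERVICES.get(p) or int(p) for p in tok.split(",")}

OPTS = {"in", "out", "setup", "established", "keep-state", "via", "icmptypes"}

def parse(text):
    """Parse 'add N action [log] proto from src [ports] to dst [ports] options...' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        r = {"number": int(t[1]), "action": t[2]}
        t = t[4:] if t[3] == "log" else t[3:]                      # strip 'add N action [log]'
        r["proto"], r["src"], i = ("ip" if t[0] == "all" else t[0]), t[2], 3   # t[1] is 'from'
        if t[i] != "to": r["sports"], i = _ports(t[i]), i + 1
        r["dst"], i = t[i + 1], i + 2                              # t[i] is 'to'
        if i < len(t) and t[i] not in OPTS: r["dports"], i = _ports(t[i]), i + 1
        while i < len(t):                                          # options: flag, or keyword + value
            o, i = t[i], i + 1
            if o in ("via", "icmptypes"): r[o], i = t[i], i + 1
            else: r[o] = True                                      # in, out, setup, established, keep-state
        rules.append(r)
    return rules

def _addr(pat, a):
    return pat == "any" or pat == a or (pat == "me" and a in ME)

def matches(r, p):
    """Static match of one rule against one packet on one pass (no dynamic state)."""
    return (r["proto"] in ("ip", p.proto) and _addr(r["src"], p.src) and _addr(r["dst"], p.dst)
            and p.sport in r.get("sports", {p.sport}) and p.dport in r.get("dports", {p.dport})
            and (not r.get("in") or p.direction == "in") and (not r.get("out") or p.direction == "out")
            and p.iface == r.get("via", p.iface)
            and (not r.get("setup") or (p.proto == "tcp" and p.syn and not p.ack))
            and (not r.get("established") or (p.proto == "tcp" and p.ack))   # ipfw: ACK or RST set
            and str(p.icmptype) in r.get("icmptypes", str(p.icmptype)).split(","))

class Firewall:
    def __init__(self, text):
        self.rules, self.dynamic, self.counts = parse(text), {}, {}

    def check(self, p):
        """Return (rule number, action) of the first terminating match for this pass."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        for r in self.rules:
            if r.get("keep-state") and key in self.dynamic:      # implicit check-state
                return self.dynamic[key]
            if not matches(r, p): continue
            if r["action"] == "count":                           # count never ends the search
                self.counts[r["number"]] = self.counts.get(r["number"], 0) + 1
                continue
            if r.get("keep-state"):                              # remember the flow and its reverse
                rev = (p.proto, p.dst, p.dport, p.src, p.sport)
                self.dynamic[key] = self.dynamic[rev] = (r["number"], r["action"])
            return r["number"], r["action"]
        return 65535, "deny"                                     # the default rule

def demo():
    """Run the packets the thread argues about; returns {label: (rule, action)} plus one counter."""
    me, client = "192.168.1.109", "192.168.1.107"
    fw, sfw = Firewall(WD_RULES), Firewall(STATEFUL_RULES)
    fake_dns = Packet("udp", "10.0.0.1", 53, me, 514, "in")    # Ian's "source packets from port 53" case
    out = {"loopback": fw.check(Packet("tcp", "127.0.0.1", 3000, "127.0.0.1", 3000, "in", iface="lo0")),
           "http syn in": fw.check(Packet("tcp", client, 3502, me, 80, "in", syn=True)),
           "http syn-ack out": fw.check(Packet("tcp", me, 80, client, 3502, "out", syn=True, ack=True)),
           "ping request in": fw.check(Packet("icmp", client, 0, me, 0, "in", icmptype=8)),
           "udp sport 53 -> syslog in": fw.check(fake_dns),
           "stateful: dns query out": sfw.check(Packet("udp", me, 24889, "10.0.0.2", 53, "out")),
           "stateful: dns reply in": sfw.check(Packet("udp", "10.0.0.2", 53, me, 24889, "in")),
           "stateful: udp sport 53 -> syslog in": sfw.check(fake_dns)}
    out["ping count at 600"] = fw.counts.get(600, 0)
    return out
```

Running `demo()` shows the inbound HTTP SYN stopping at rule 1400 (`http in setup`) and the server's SYN-ACK on its out pass stopping at 400 (`established` matches any TCP packet with ACK set, so the out pass never reaches the port-80 rules), the ping request being counted by 600 and then allowed by 700, and the point Ian raised: a UDP packet with source port 53 aimed at the syslog port is allowed by rule 1100 (`udp from any domain to any in`), whereas under the `keep-state` variant the box's own query out creates the dynamic entry that lets only its reply back in, and the same source-port-53 packet falls through to the final deny.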



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?596925.68009.qm>