From owner-freebsd-security Sun Jun 16 19:33:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from tomts24-srv.bellnexxia.net (tomts24.bellnexxia.net [209.226.175.187]) by hub.freebsd.org (Postfix) with ESMTP id 2BEA337B40D; Sun, 16 Jun 2002 19:33:54 -0700 (PDT)
Received: from dagobah.hotrs.org ([65.94.133.192]) by tomts24-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with SMTP id <20020617023353.XEVW9770.tomts24-srv.bellnexxia.net@dagobah.hotrs.org>; Sun, 16 Jun 2002 22:33:53 -0400
Date: Sun, 16 Jun 2002 22:34:29 -0400
From: grimm
To: "Crist J. Clark"
Cc: crist.clark@attbi.com, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw-ntad-jail
Message-Id: <20020616223429.2f200728.grimm@planetquake.com>
In-Reply-To: <20020616135903.B94357@blossom.cjclark.org>
References: <20020616134201.529b01aa.grimm@planetquake.com> <20020616135903.B94357@blossom.cjclark.org>
X-Mailer: Sylpheed version 0.7.6 (GTK+ 1.2.10; i586-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings Crist,

What I find odd is that I read that section of my rules from a tutorial on the O'Reilly site. I read through a bunch of tutorials and help pages and never saw the keyword "me" being used. But I will definitely give it a try. Like I said, I read that 351 rule directly from a tutorial.

The problem I am having is that I don't have the machine at home, and sending messages to the list from work wasn't working! I am so glad to have gotten so much feedback already! I am new to this, but what can you suggest I do? Are there some rules in there you think are trouble and I should edit or comment out and test with something else? I mean, so far I've gotten great help, but no one has mentioned a specific rule which is WRONG!
So I am not really sure where to begin. I'll take your advice and see where that leads.

As for the logging, great idea! I'll also enable log_in_vain.

cheers,
__
Andrew

"Crist J. Clark" wrote:
> OK, some problems here. First, ITYM to have rules like,
>
> add allow tcp from any to me 80 in via xl0
> add allow tcp from me 80 to any out via xl0
>
> No? Second, these won't work since you are blocking all TCP
> connections that are not using 'keep-state' with rule 351.
>
>>> add 00350 check-state
>>> add 00351 deny tcp from any to any in established
>>> add 00352 allow tcp from any to any out setup keep-state
>
> But...
>
> Always a good idea to add a,
>
> 65534 deny log ip from any to any
>
> Or something like it to help debugging.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
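The ordering problem Crist points out in the quoted reply (rule 351 dropping every inbound packet with ACK set unless a keep-state rule has already created a dynamic entry) can be traced with a small simulation. The following is an added Python example, not code from either poster and not the ipfw engine itself: a toy first-match evaluator that models only check-state, keep-state, `established`, `setup`, `in`/`out` and `me`, then runs a constructed inbound HTTP handshake through the quoted rules 350-352. The per-service port-80 rules follow Crist's suggestion; their numbers (400/401), the addresses, and the port numbers are assumptions.

```python
"""Toy first-match model of the ipfw ordering issue discussed in the thread.

Added example, not the real ipfw engine. It models only: 'in'/'out', 'me',
ports, 'established' (ACK set), 'setup' (SYN set, ACK clear),
check-state / keep-state, and a final logging deny.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out", as seen by the firewalled host
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                       # "allow", "deny" or "check-state"
    direction: Optional[str] = None   # None matches both directions
    src: Optional[str] = None         # "me" or None (any)
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False         # ipfw 'established': ACK (or RST) set
    setup: bool = False               # ipfw 'setup': SYN set, ACK clear
    keep_state: bool = False
    log: bool = False


class Firewall:
    def __init__(self, rules: List[Rule], me: str):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.me = me
        self.dynamic = set()          # flows created by keep-state rules
        self.logged: List[Pkt] = []   # packets that hit a 'log' rule

    def _flow_known(self, p: Pkt) -> bool:
        # A dynamic entry matches the flow in either direction.
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def _matches(self, r: Rule, p: Pkt) -> bool:
        if r.direction and r.direction != p.direction:
            return False
        if r.src == "me" and p.src != self.me:
            return False
        if r.dst == "me" and p.dst != self.me:
            return False
        if r.sport is not None and p.sport != r.sport:
            return False
        if r.dport is not None and p.dport != r.dport:
            return False
        if r.established and not p.ack:
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        return True

    def evaluate(self, p: Pkt) -> Tuple[str, int]:
        """Return (action, rule number) of the first rule that decides the packet."""
        for r in self.rules:
            if r.action == "check-state":
                if self._flow_known(p):
                    return ("allow", r.num)
                continue
            if self._matches(r, p):
                if r.log:
                    self.logged.append(p)
                if r.action == "allow" and r.keep_state:
                    self.dynamic.add((p.src, p.sport, p.dst, p.dport))
                return (r.action, r.num)
        return ("deny", 65535)        # ipfw's implicit default rule


ME = "192.0.2.10"        # constructed address of the firewalled web server
CLIENT = "198.51.100.7"  # constructed address of a remote browser


def original_ruleset() -> List[Rule]:
    """Rules 350-352 as quoted, plus the port-80 rules suggested in the reply.
    Numbers 400/401 are placeholders; the original post's numbers were not shown."""
    return [
        Rule(350, "check-state"),
        Rule(351, "deny", direction="in", established=True),
        Rule(352, "allow", direction="out", setup=True, keep_state=True),
        Rule(400, "allow", direction="in", dst="me", dport=80),
        Rule(401, "allow", direction="out", src="me", sport=80),
        Rule(65534, "deny", log=True),
    ]


def fixed_ruleset() -> List[Rule]:
    """Same rules, but the inbound port-80 allow creates state, so the client's
    later ACKs match rule 350 before rule 351 can drop them."""
    rules = original_ruleset()
    rules[3] = Rule(400, "allow", direction="in", dst="me", dport=80, keep_state=True)
    return rules


def http_handshake(client: str, server: str) -> List[Pkt]:
    """Constructed TCP three-way handshake to port 80, seen from the server."""
    return [
        Pkt(client, 40000, server, 80, "in", syn=True),
        Pkt(server, 80, client, 40000, "out", syn=True, ack=True),
        Pkt(client, 40000, server, 80, "in", ack=True),
    ]


def trace(rules: List[Rule], packets: List[Pkt]) -> List[Tuple[str, int]]:
    fw = Firewall(rules, ME)
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for name, rules in (("as posted", original_ruleset()), ("with keep-state", fixed_ruleset())):
        print(name, trace(rules, http_handshake(CLIENT, ME)))
```

With the rules as posted, the client's SYN and the server's SYN-ACK get through, but the client's third packet (ACK set, no dynamic entry) is denied by rule 351, which is exactly the symptom described in the reply. Adding `keep-state` to the inbound port-80 allow makes rule 350 match the rest of the connection. A packet no rule expects (an inbound SYN to port 22 in the model) falls through to the `deny log` rule, which is what makes that final rule useful for debugging.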