Date: Tue, 14 Apr 2015 05:42:07 -0700
From: Jason Cox <cscoman@gmail.com>
To: "William A. Mahaffey III" <wam@hiwaay.net>
Cc: "FreeBSD Questions !!!!" <freebsd-questions@freebsd.org>
Subject: Re: ipfw entries
Message-ID: <CAC4WUHoeo5X7Ne0piz8VL8VbcpBveXW3dGpURdaj2RyJP6uzcQ@mail.gmail.com>
In-Reply-To: <552BEF97.5060609@hiwaay.net>
References: <552BEF97.5060609@hiwaay.net>
I do not see a rule that would allow the traffic. Can you say which rule number you think should allow it? The only thing close is 2500, but it only applies to TCP traffic, not your UDP traffic. 2600 applies to UDP, but only for port 513, not port 525.

On Mon, Apr 13, 2015 at 9:32 AM, William A. Mahaffey III <wam@hiwaay.net> wrote:
>
> I started using timed on my network to keep various *BSD machines
> time-coordinated, NTP for the Linux boxen. I have a RPiB+ running NetBSD-7
> as my time server, running ntpd & 'timed -F <itself>'. This box is the only
> other BSD box for now, but more to come. I am seeing the following in my
> messages file (from earlier this A.M.):
>
> [root@kabini1, /etc, 8:03:32am] 344 % tail -20 /var/log/security ; date
> Apr 13 07:44:08 kabini1 last message repeated 4 times
> Apr 13 07:44:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 07:46:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 07:46:09 kabini1 last message repeated 3 times
> Apr 13 07:48:07 kabini1 last message repeated 4 times
> Apr 13 07:48:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 07:50:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 07:50:08 kabini1 last message repeated 3 times
> Apr 13 07:52:09 kabini1 last message repeated 4 times
> Apr 13 07:52:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 07:54:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 07:54:07 kabini1 last message repeated 3 times
> Apr 13 07:56:09 kabini1 last message repeated 4 times
> Apr 13 07:56:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 07:58:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 07:58:09 kabini1 last message repeated 3 times
> Apr 13 08:00:07 kabini1 last message repeated 4 times
> Apr 13 08:00:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 08:02:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 08:02:08 kabini1 last message repeated 3 times
> Mon Apr 13 08:03:35 CDT 2015
> [root@kabini1, /etc, 8:03:35am] 345 %
>
> I thought I had ipfw rules to allow this traffic, but apparently not. My
> rules are:
>
> [root@kabini1, /etc, 11:30:31am] 336 % ipfw show
> 00100 851096 1539836796 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 deny ip from any to ::1
> 00500 0 0 deny ip from ::1 to any
> 00600 0 0 allow ipv6-icmp from :: to ff02::/16
> 00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 2 152 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 01100 0 0 check-state
> 01200 14122906 19461418543 allow tcp from me to any established
> 01300 1112427 1007602974 allow tcp from me to any setup keep-state
> 01400 33508 3756508 allow udp from me to any keep-state
> 01500 124 11672 allow icmp from me to any keep-state
> 01600 0 0 allow ipv6-icmp from me to any keep-state
> 01700 0 0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
> 01800 0 0 allow udp from any 67 to me dst-port 68 in
> 01900 0 0 allow udp from any 67 to 255.255.255.255 dst-port 68 in
> 02000 0 0 allow udp from fe80::/10 to me dst-port 546 in
> 02100 4 400 allow icmp from any to any icmptypes 8
> 02200 0 0 allow ipv6-icmp from any to any ip6 icmp6types 128,129
> 02300 5290 296240 allow icmp from any to any icmptypes 3,4,11
> 02400 0 0 allow ipv6-icmp from any to any ip6 icmp6types 3
> 02500 7902577 596794526 allow tcp from 192.168.0.0/24 to me
> 02600 1303 333232 allow udp from 192.168.0.0/24 513 to 192.168.0.0/24 dst-port 513
> 65000 9223 1641961 count ip from any to any
> 65100 758 173995 deny { tcp or udp } from any to any dst-port 111,137,138 in
> 65200 2983 996998 deny { tcp or udp } from 192.168.0.0/24 to me
> 65300 0 0 deny ip from any to 255.255.255.255
> 65400 0 0 deny ip from any to 224.0.0.0/24 in
> 65500 0 0 deny udp from any to any dst-port 520 in
> 65500 0 0 deny tcp from any 80,443 to any dst-port 1024-65535 in
> 65500 5482 470968 deny log logamount 50000 ip from any to any
> 65535 0 0 deny ip from any to any
> [root@kabini1, /etc, 11:30:56am] 337 % uname -a
> FreeBSD kabini1.local 9.3-RELEASE-p10 FreeBSD 9.3-RELEASE-p10 #0: Tue Feb 24 21:28:03 UTC 2015 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
> [root@kabini1, /etc, 11:31:34am] 338 %
>
> Any clues appreciated & TIA ....
>
> --
>
> William A. Mahaffey III
>
> ----------------------------------------------------------------------
>
> "The M1 Garand is without doubt the finest implement of war
> ever devised by man."
> -- Gen. George S. Patton Jr.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
Jason Cox
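The reply above reasons by hand about which rule in the quoted ruleset first matches the denied UDP port 525 broadcast. The script below is an added example (not code from either poster or from FreeBSD) that does the same check mechanically: it parses `ipfw` deny lines in the shape of the quoted `/var/log/security` excerpt, folds syslog's "last message repeated N times" into the preceding flow, and walks each denied flow through a hand-simplified transcription of the quoted `ipfw show` table to report the first matching rule. The rule table is a subset (proto, addresses/networks, ports, in/out only; stateful keywords, `via`, IPv6 and ICMP-type rules are omitted), the sample log lines are constructed, and `me` is assumed to be 192.168.0.27, which is read off the `out via re0` log line and not stated in the thread. The candidate rule at the end (number 2700, allowing timed's UDP 525 LAN broadcasts) is hypothetical, there to show how one would verify a rule change before applying it.

```python
"""Added example (not from the thread): parse ipfw deny lines, tally them, and
check each denied flow against a simplified copy of the quoted ruleset.

Only a subset of ipfw syntax is modelled: proto, src/dst address or network,
src/dst ports, in/out. 'me' is assumed to be 192.168.0.27 (an assumption read
off the 'out via re0' log line, not stated in the thread).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the quoted /var/log/security excerpt.
SAMPLE_LOG = """\
Apr 13 07:44:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
Apr 13 07:46:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Apr 13 07:46:09 kabini1 last message repeated 3 times
Apr 13 07:48:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def parse_ipfw_log(text):
    """Counter of (rule, proto, src, sport, dst, dport, dir) -> hits, folding
    syslog's 'last message repeated N times' into the preceding flow."""
    counts, last = Counter(), None
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            # proto is 'udp'/'tcp', or 'p:<n>' when ipfw logs the protocol by number (P:2 = IGMP)
            last = (int(m["rule"]), m["proto"].lower(), m["src"],
                    int(m["sport"]) if m["sport"] else None,
                    m["dst"], int(m["dport"]) if m["dport"] else None, m["dir"])
            counts[last] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last is not None:
            counts[last] += int(r["n"])
    return counts


ME = {"192.168.0.27"}  # assumption: kabini1's own address on re0

# Hand-simplified subset of the quoted ruleset, in ipfw evaluation order.
# (number, action, protos, src, sports, dst, dports, direction); None = any.
RULES = [
    (1400, "allow", ("udp",), "me", None, "any", None, None),
    (1800, "allow", ("udp",), "any", (67,), "me", (68,), "in"),
    (1900, "allow", ("udp",), "any", (67,), "255.255.255.255", (68,), "in"),
    (2500, "allow", ("tcp",), "192.168.0.0/24", None, "me", None, None),
    (2600, "allow", ("udp",), "192.168.0.0/24", (513,), "192.168.0.0/24", (513,), None),
    (65100, "deny", ("tcp", "udp"), "any", None, "any", (111, 137, 138), "in"),
    (65200, "deny", ("tcp", "udp"), "192.168.0.0/24", None, "me", None, None),
    (65300, "deny", ("ip",), "any", None, "255.255.255.255", None, None),
    (65400, "deny", ("ip",), "any", None, "224.0.0.0/24", None, "in"),
    (65500, "deny", ("udp",), "any", None, "any", (520,), "in"),
    (65500, "deny", ("ip",), "any", None, "any", None, None),  # the 'deny log' catch-all
    (65535, "deny", ("ip",), "any", None, "any", None, None),
]


def _addr_ok(spec, ip):
    if spec == "any":
        return True
    if spec == "me":
        return ip in ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, flow):
    _, _, protos, rsrc, rsports, rdst, rdports, rdir = rule
    _, proto, src, sport, dst, dport, direction = flow
    return (("ip" in protos or proto in protos)
            and _addr_ok(rsrc, src) and _addr_ok(rdst, dst)
            and (rsports is None or sport in rsports)
            and (rdports is None or dport in rdports)
            and (rdir is None or rdir == direction))


def first_match(flow, rules=RULES):
    """First rule that matches the flow, or None (ipfw's built-in default deny)."""
    return next((r for r in rules if rule_matches(r, flow)), None)


def with_candidate(flow, candidate, rules=RULES):
    """What-if check: re-evaluate the flow with a candidate rule merged in by number,
    before touching the live ruleset. The sort is stable, so equal numbers keep order."""
    return first_match(flow, sorted(rules + [candidate], key=lambda r: r[0]))


if __name__ == "__main__":
    for flow, n in parse_ipfw_log(SAMPLE_LOG).items():
        hit = first_match(flow)
        verdict = f"rule {hit[0]} {hit[1]} {' '.join(hit[2])}" if hit else "default deny"
        print(f"{n:3d}x {flow[1]:4s} {flow[2]}:{flow[3]} -> {flow[4]}:{flow[5]} {flow[6]:3s}  first match: {verdict}")
    # Hypothetical allow rule for timed (UDP 525) LAN broadcasts, numbered to sit before 65000.
    timed = (2700, "allow", ("udp",), "192.168.0.0/24", (525,), "192.168.0.255", (525,), "in")
    udp525 = next(f for f in parse_ipfw_log(SAMPLE_LOG) if f[1] == "udp")
    print("with candidate rule, first match:", with_candidate(udp525, timed)[0])
```

Run as-is, it reports both denied flows landing on the 65500 `deny log` catch-all, which agrees with the rule number in the log lines; 2500 fails on protocol and 2600 on port, exactly as the reply says. The IGMP flow is also instructive: 65400 would match its destination, but that rule is `in` only and the packet is outbound, so it falls through to 65500 as well. Keep in mind the model ignores `keep-state`, so a real ruleset can allow replies that this table would deny.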