From: "Vahric MUHTARYAN"
To: "'Gerard Meijer'", freebsd-ipfw@freebsd.org
Date: Sun, 30 Jan 2005 00:22:55 +0200
Subject: RE: ipfw statefull ruleset problem

No no, 400 will drop all fragmented packets.
500 will provide you the state check.
600 will deny all established (because we don't want any established packets to pass through the firewall; we want to check the state of all packets, and 500 already did it).
1100 will allow an FTP connection to your IP address.
1204 allows your machine to turn into a client for the data transfer.
Please see active FTP at this address:
http://slacksite.com/other/ftp.html

For the POP3 connection and for the SMTP connection use these:

    ${fwcmd} add 1000 pass tcp from any to ${intip} 110 in via ${int} setup keep-state

With this you can make a POP3 connection.

    ${fwcmd} add 1001 pass tcp from any to ${intip} 25 in via ${int} setup keep-state

With this you can make an SMTP connection to your server.

Vahric

-----Original Message-----
From: Gerard Meijer [mailto:gmeijer@palmweb.nl]
Sent: Sunday, January 30, 2005 12:06 AM
To: Vahric MUHTARYAN; freebsd-ipfw@freebsd.org
Subject: Re: ipfw statefull ruleset problem

Do you mean that I should change 'allow' to 'pass'? What exactly does pass do?

Thanks!

----- Original Message -----
From: "Vahric MUHTARYAN"
To: "'Gerard Meijer'"
Sent: Saturday, January 29, 2005 10:27 PM
Subject: RE: ipfw statefull ruleset problem

> Use like this:
>
> intip="your machine ip address"
> int="your interface, for example fxp0 for intel"
>
> ${fwcmd} add 400 drop all from any to any frag
> ${fwcmd} add 500 check-state
> ${fwcmd} add 600 deny tcp from any to any established
> ${fwcmd} add 1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
> ${fwcmd} add 1204 pass tcp from ${intip} 20 to any out via ${int} setup keep-state
>
> Bye ...
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Gerard Meijer
> Sent: Saturday, January 29, 2005 10:55 PM
> To: freebsd-ipfw@freebsd.org
> Subject: ipfw statefull ruleset problem
>
> Hi everyone,
>
> First of all, I'm not very experienced with ipfw, so if this is a stupid question, I'm sorry.
>
> I have a question regarding my stateful ipfw ruleset.
> I have the following rules:
>
> ---begin---
> $cmd 00015 check-state
>
> #www
> $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
>
> #mail
> $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
>
> #ftp
> $cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state
>
> # Allow in standard www function because I have apache server
> $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>
> # Allow in FTP
> $cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2
>
> # Allow in mail
> $cmd 00420 allow tcp from any to me 110 in via $pif
> ---end---
> (there are more rules, but these are the ones that it's about)
>
> The problem that I'm having is that I can't check mail, and can't FTP, and I see a lot of:
>
> ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0
>
> messages in my logfile.
>
> When I try to check mail I see in my log:
>
> ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0
>
> What happens (I think, as far as I understand ipfw) is that there is a connection setup on port 21/80/110 (ftp/http/mail), which is allowed by the rules. A dynamic rule is created, but then the other computer switches ports. The check-state command checks for a dynamic rule, but the port doesn't match anymore and so it doesn't find a dynamic rule, and the other rules also don't apply, since they only allow connection initialization. Am I correct?
>
> I can solve all this by putting in the rule:
>
> # $cmd 00020 allow tcp from any to any established
>
> But I learned that that is not the right way to do this in a stateful ruleset, because the dynamic rules don't have any use in this way. So what is the right way to solve this?
>
> Thanks a lot in advance!
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
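Added example, not from the thread or from ipfw itself: a toy Python model of ipfw's first-match evaluation with check-state/keep-state. It reproduces why rule 420 (no keep-state) leaves the POP3 reply to hit the outbound deny at 299, why the "allow established" workaround also passes a bare ACK with no handshake behind it, and how the check-state / deny established / setup keep-state ordering from the reply handles both. Rule 299 as a plain outbound deny and the client and server addresses are assumptions.

```python
# Toy model of ipfw first-match evaluation with check-state/keep-state (added
# example, not ipfw code). Note: allow and pass are synonyms in ipfw.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags dir")   # flags: S, SA, A ...

def rule(num, action, **opts):
    return dict(num=num, action=action, **opts)

def matches(r, p):
    """Static match: dport, direction, setup (SYN only) and established (ACK/RST)."""
    ok = r.get("dport") in (None, p.dport) and r.get("dir") in (None, p.dir)
    ok = ok and not (r.get("setup") and p.flags != "S")
    return ok and not (r.get("established") and not {"A", "R"} & set(p.flags))

def evaluate(rules, p, dyn):
    """Return (rule number, action); keep-state adds a bidirectional dynamic entry."""
    key = frozenset([(p.src, p.sport), (p.dst, p.dport)])   # same key both ways
    for r in rules:
        if r["action"] == "check-state":
            if key in dyn:                  # dynamic rule matches either direction
                return r["num"], dyn[key]
            continue
        if matches(r, p):
            if r.get("keep_state"):
                dyn[key] = r["action"]
            return r["num"], r["action"]
    return 65535, "deny"                    # constructed stand-in for the default rule

# Rule sets from the thread; 299 is assumed to be a plain outbound deny (it is
# only visible in the log lines), and the addresses are constructed.
GERARD = [rule(15, "check-state"), rule(299, "deny", dir="out"),
          rule(420, "allow", dport=110, dir="in")]
WORKAROUND = [rule(15, "check-state"), rule(20, "allow", established=True)] + GERARD[1:]
VAHRIC = [rule(500, "check-state"), rule(600, "deny", established=True),
          rule(1000, "allow", dport=110, dir="in", setup=True, keep_state=True)]
CLIENT, SERVER = "203.0.113.5", "198.51.100.1"

def pop3_session(rules):
    """Client SYN inbound, then the server's SYN-ACK outbound; both verdicts."""
    dyn = {}
    syn = Pkt(CLIENT, 40001, SERVER, 110, "S", "in")
    synack = Pkt(SERVER, 110, CLIENT, 40001, "SA", "out")
    return [evaluate(rules, syn, dyn), evaluate(rules, synack, dyn)]

def stray_ack(rules):
    """A bare ACK with no prior handshake, i.e. no dynamic rule exists for it."""
    return evaluate(rules, Pkt(CLIENT, 4444, SERVER, 110, "A", "in"), {})
```

With GERARD the SYN-ACK is denied at 299 exactly as in the logged line; with VAHRIC it is accepted at check-state 500, and the stray ACK that WORKAROUND lets through at rule 20 is stopped by 600.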