From owner-freebsd-security Mon Jul 1 18: 5:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B674F37B400 for ; Mon, 1 Jul 2002 18:05:20 -0700 (PDT) Received: from mail3.home.nl (mail3.home.nl [213.51.129.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id F2D3A43E09 for ; Mon, 1 Jul 2002 18:05:19 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from winxp ([217.120.146.224]) by mail3.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20020702010259.DOHB28540.mail3.home.nl@winxp>; Tue, 2 Jul 2002 03:02:59 +0200 Message-ID: <008d01c22164$89107ac0$0200a8c0@winxp> From: "nascar24" To: "Ramsey G. Brenner" , References: <01a001c22107$3d3b2850$0200a8c0@winxp> <20020701214825.L1494@shell.gsinet.sittig.org> <007301c22161$c9c76ef0$0200a8c0@winxp> <200207011859.23581.rgbrenner@myrealbox.com> Subject: Re: Making a firewall more closed Date: Tue, 2 Jul 2002 03:05:16 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is my current ruleset: # allow loopback traffic add 100 allow ip from any to any via lo0 # protect loopback address add 200 deny log ip from 127.0.0.1 to any add 249 deny log ip from any to 127.0.0.1 # block spoofs add 400 deny log ip from me to any in via ed0 # enable NATD add 425 divert 8668 ip from any to any via ed0 # check dynamic rules add 450 check-state # make dynamic entries for all outgoing traffic add 500 allow log tcp from me to any 1-65535 keep-state out add 550 allow log udp from me to any 1-65535 keep-state out # services we offer to the world add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in # pass ICMP add 700 allow log icmp from me to any out add 750 allow log icmp from any to me in # pass everything on private LAN add 800 allow log all from 192.168.0.0/16 to any add 850 allow log all from any to 192.168.0.0/16 # log rejects that have fallen through add 65000 deny log ip from any to any Whith this ruleset I can browse websites, FTP sites etc. But when I replace rules 500 and 550 with this: add 500 allow log tcp from me to any 21,80 keep-state out add 550 allow log udp from me to any 21,80 keep-state out I cannot acces any websites nor FTP sites. But I guess I had just allowed it? Or is the 'out' the problem here. Marcel. On Monday 01 July 2002 06:45 pm, nascar24 wrote: > What I mean is that I want to grand acces to the internet. But only to > ports I 'trust', like 80,21,22 etc. But when I make a rule like: > > add 550 allow ip from me to any 80,21,22 > > I cannot acces a website, that puzzles me. > There is a problem with the rule in the example: You allowed traffic to leave through those ports, but not to enter. We can fix this rule: add 550 allow tcp from me to any 80,21,22 keep-state I noticed you already had a rule 550 - you may want to give it a different number. IPFW (running 4.5R here) gives the following error when trying to load your rule: ipfw: only TCP and UDP protocols are valid with port specifications hence why i changed it from ip to tcp. GL -- ---------- Ramsey G. Brenner rgbrenner@myrealbox.com http://rgbrenner.cjb.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message