From: "James E. Housley" <housley@frenchknot.ne.mediaone.net>
Date: Sun, 28 Mar 1999 09:19:31 -0500
To: Noor Dawod
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: ipfw behavior, is it normal?
Message-ID: <36FE3A73.645CDE1A@frenchknot.ne.mediaone.net>

Noor Dawod wrote:
>
> Hi..
>
> Like many others have done before me, this is my first message to this
> mailing list and I hope not the last. I've been dealing with FreeBSD for
> quite some time now, and I still cannot understand why a few ipfw rules
> don't work for me. I would like to share it with you and maybe get some
> help on it.
>
> My current ipfw rules are:
>
> -----------------------------------------------------------------
> 00100 allow ip from any to any via lo0
> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> 00400 allow ip from any to [server-ip] 80 in via xl0
> 00500 allow ip from any to [server-ip] 21 in via xl0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> -----------------------------------------------------------------
>
> 00200 and 00300 seem redundant because of rule 65000. But this is where
> all the problem lies. If I understand the ipfw rules right, if I remove
> line 65000 from the rules table, then I can still do all ip-related
> actions from [machine-a] and [machine-b], whose ip numbers are
> listed in 00200 and 00300. But, once I remove line 65000, I cannot do any
> ip-related actions on the [server], and even WWW/FTP services are not
> served as well.
>

65000 is needed to allow packets from YOUR machine BACK to the originator
of the WWW/FTP requests. The other option is

00450 allow tcp from [server-ip] 80 to any out via xl0

For FTP you need ports 20 and 21. 21 is for FTP connections and 20 is
actually used for the data connection.

Jim
-- 
James E. Housley                PGP: 1024/03983B4D
System Supply, Inc.             2C 3F 3A 0D A8 D8 C3 13
Pager: pagejim@notepage.com     7C F0 B5 BF 27 8B 92 FE
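The first-match behaviour Jim describes, as an added example that is not part of the original thread: a small Python simulator that parses the ruleset quoted above (only the subset of ipfw syntax those rules use), substitutes constructed placeholder addresses for [server-ip], [machine-a-ip] and [machine-b-ip], and evaluates an inbound HTTP request and its reply with and without rule 65000, with Jim's suggested 00450, and an active-mode FTP data connection from port 20. It also checks the return path from the server to [machine-a], which rule 00200 does not cover on its own because `from`/`to` are directional even though `via xl0` is not. The hypothetical rule 00460 for FTP data is this example's own, built on Jim's note about port 20.

```python
"""Simulate ipfw first-match rule evaluation for the ruleset in the thread.

Added example, not code from the original message. Parses only:
  NNNNN allow|deny ip|tcp|udp from ADDR [PORT] to ADDR [PORT] [in|out] [via IFACE]
Constructed placeholder addresses stand in for the bracketed hosts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER = "192.0.2.10"       # [server-ip]    (constructed, RFC 5737 range)
MACHINE_A = "192.0.2.20"    # [machine-a-ip] (constructed)
MACHINE_B = "192.0.2.30"    # [machine-b-ip] (constructed)
CLIENT = "198.51.100.5"     # an arbitrary Internet host (constructed)


@dataclass
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out", as seen by the firewall host
    iface: str       # "xl0" or "lo0"


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: Optional[str]
    iface: Optional[str]


RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?"
    r"(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<iface>\S+))?$"
)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    g = m.groupdict()
    return Rule(int(g["num"]), g["action"], g["proto"], g["src"],
                int(g["sport"]) if g["sport"] else None, g["dst"],
                int(g["dport"]) if g["dport"] else None, g["dir"], g["iface"])


def matches(rule: Rule, pkt: Packet) -> bool:
    """'ip' matches any protocol; 'any' matches any address; an absent
    port, direction or interface is a wildcard. from/to are directional."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """The lowest-numbered matching rule decides, as in ipfw."""
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, pkt):
            return r.number, r.action
    raise RuntimeError("no rule matched; real ipfw always ends at 65535")


def decide(rule_lines: List[str], pkt: Packet) -> Tuple[int, str]:
    return evaluate([parse_rule(l) for l in rule_lines], pkt)


# Noor's ruleset without 65000; 65535 is the implicit default deny.
BASE = [
    "00100 allow ip from any to any via lo0",
    f"00200 allow ip from {MACHINE_A} to {SERVER} via xl0",
    f"00300 allow ip from {MACHINE_B} to {SERVER} via xl0",
    f"00400 allow ip from any to {SERVER} 80 in via xl0",
    f"00500 allow ip from any to {SERVER} 21 in via xl0",
    "65535 deny ip from any to any",
]
CATCH_ALL = "65000 allow ip from any to any"
HTTP_REPLY = f"00450 allow tcp from {SERVER} 80 to any out via xl0"   # Jim's rule
FTP_DATA = f"00460 allow tcp from {SERVER} 20 to any out via xl0"     # hypothetical


def demo() -> dict:
    request = Packet("tcp", CLIENT, 40000, SERVER, 80, "in", "xl0")
    reply = Packet("tcp", SERVER, 80, CLIENT, 40000, "out", "xl0")
    ftp_data = Packet("tcp", SERVER, 20, CLIENT, 40001, "out", "xl0")
    to_machine_a = Packet("tcp", SERVER, 22, MACHINE_A, 50000, "out", "xl0")
    return {
        "request_without_65000": decide(BASE, request),
        "reply_without_65000": decide(BASE, reply),
        "reply_with_65000": decide(BASE + [CATCH_ALL], reply),
        "reply_with_00450": decide(BASE + [HTTP_REPLY], reply),
        "ftp_data_with_00450_only": decide(BASE + [HTTP_REPLY], ftp_data),
        "ftp_data_with_00460": decide(BASE + [HTTP_REPLY, FTP_DATA], ftp_data),
        "server_to_machine_a_without_65000": decide(BASE, to_machine_a),
    }


if __name__ == "__main__":
    for name, (num, action) in demo().items():
        print(f"{name:36s} -> rule {num:5d} {action}")
```

Running it shows the request landing on 00400 while the reply falls through to the 65535 deny unless 65000 or 00450 is present, and the port-20 data connection still being denied until a matching outbound rule exists. The last case shows why the rules at 00200/00300 also only cover the inbound half of a conversation once the catch-all is gone.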