Date: Thu, 04 Nov 1999 13:16:21 -0500
From: Carroll Kong
To: "Curtis Schofield" ,
Subject: Re: FW: rc.firewall

At 10:44 AM 11/4/99 -0700, Curtis Schofield wrote:
>Hello, I was checking out my firewall, and it seems that it doesn't actually
>do anything =), I've been trying to get it to block FTP lately for example,
>but when I ftp in from a remote host it isn't blocked..
>
>Could someone help me?
>
>This is my situation:
>I am running DHCPclient and as such I don't have a static IP that I could
>put into the rc.firewall. I was told that it would be OK to generalize the
>whole thing (ie any to any) but it doesn't appear to be working..
>
>#!/bin/sh
>fwcmd="/sbin/ipfw -N"
>$fwcmd -f flush
>
>$fwcmd add 100 divert natd all from any to any via xl0
>$fwcmd add 110 pass all from any to any
>$fwcmd add 120 pass all from any to any via lo0
>$fwcmd add 130 pass tcp from any to any established
>$fwcmd add 144 pass all from 10.0.0.0/3 to any
>
>Please someone help? Why doesn't this appear to work..
>(the only thing I could do to stop ftp was comment it out in /etc/services)
>
>I'm new to ipfw, and wouldn't mind if someone could help and/or point me to
>resources that would help with this problem
>
>Thanks!
>Curtis

I snipped out a bit, but basically, if you have this rule......

$fwcmd add 110 pass all from any to any

it will pass all the packets, and never filter the others. By declaring add or so, you are saying... try out the rules in this order, and if you already told it to pass all the packets with a rule # earlier than consequential rules, the future rules will never get a chance to match. At least, this seems like what is wrong to me.

To double check, reload that firewall script, run ipfw show as root, and see if the #s in the first two columns of rule #110 are increasing, whereas all the other rules underneath never have a match. If that is the case, then my hypothesis is most likely correct, and that rule is passing everything before even getting a chance to get matched.

-Carroll Kong
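The first-match behaviour described in the reply, as an added example that is not part of the original thread: a small Python simulation of ipfw's rule evaluation with the per-rule packet counters that `ipfw show` prints. It loads the ruleset from the post, pushes a few constructed packets through it, and shows that rule 110 absorbs every packet while 120, 130 and 144 stay at zero; it then shows the same packets against a reordered ruleset where a hypothetical rule 105 denying TCP to port 21 sits before the catch-all. The rule grammar is a simplified subset of ipfw's, the divert rule is modelled as count-and-continue (natd reinjects the packet at the next rule), the implicit default rule 65535 is modelled as deny, and the packets, addresses and rule 105 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ipfw's implicit last rule: it denies everything unless the kernel was
# built with IPFIREWALL_DEFAULT_TO_ACCEPT. Modelled as deny here.
DEFAULT_RULE = 65535


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False   # TCP segment with ACK/RST set, i.e. not a new SYN
    iface: str = "xl0"
    size: int = 64


@dataclass
class Rule:
    number: int
    action: str                 # "pass", "deny" or "divert"
    proto: str                  # "all", "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False
    via: Optional[str] = None
    pkts: int = 0               # the two counters `ipfw show` prints first
    bytes: int = 0


def parse_rule(line):
    """Parse the ipfw subset used in the post:
    add N action [divert-port] proto from src to dst [dport] [established] [via ifc]"""
    tok = line.split()
    if tok[0] != "add":
        raise ValueError(line)
    number, action, i = int(tok[1]), tok[2], 3
    if action == "divert":
        i += 1                  # skip the divert port name ("natd")
    proto = tok[i]
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError(line)
    src, dst, i = tok[i + 2], tok[i + 4], i + 5
    dport, established, via = None, False, None
    while i < len(tok):
        if tok[i] == "established":
            established, i = True, i + 1
        elif tok[i] == "via":
            via, i = tok[i + 1], i + 2
        elif tok[i].isdigit():
            dport, i = int(tok[i]), i + 1
        else:
            raise ValueError(tok[i])
    return Rule(number, action, proto, src, dst, dport, established, via)


def in_net(addr, net):
    if net == "any":
        return True
    # strict=False so a sloppy mask like 10.0.0.0/3 is accepted as ipfw would
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule, pkt):
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not in_net(pkt.src, rule.src) or not in_net(pkt.dst, rule.dst):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.established):
        return False
    if rule.via is not None and pkt.iface != rule.via:
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule decides; counters are bumped on every rule that matched."""
    for r in rules:
        if matches(r, pkt):
            r.pkts += 1
            r.bytes += pkt.size
            if r.action == "divert":
                continue        # natd hands the packet back at the next rule
            return r.number, r.action
    return DEFAULT_RULE, "deny"


def run(script, packets):
    """Load a ruleset and push the packets through it. Returns the
    (rule number, action) decision per packet and the packet counter per rule."""
    rules = sorted((parse_rule(l) for l in script if l.strip()), key=lambda r: r.number)
    decisions = [evaluate(rules, p) for p in packets]
    return decisions, {r.number: r.pkts for r in rules}


# The ruleset from the post, with the $fwcmd prefix dropped.
ORIGINAL = """
add 100 divert natd all from any to any via xl0
add 110 pass all from any to any
add 120 pass all from any to any via lo0
add 130 pass tcp from any to any established
add 144 pass all from 10.0.0.0/3 to any
""".strip().splitlines()

# Constructed illustration: a deny for FTP placed ahead of the catch-all pass.
REORDERED = ["add 105 deny tcp from any to any 21"] + ORIGINAL

# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", "198.51.100.7", "10.0.0.5", dport=21),                    # new inbound FTP connection
    Packet("tcp", "10.0.0.5", "198.51.100.7", dport=80, established=True),  # reply traffic of a web session
    Packet("udp", "10.0.0.5", "198.51.100.53", dport=53),                   # outbound DNS query
    Packet("tcp", "127.0.0.1", "127.0.0.1", dport=22, iface="lo0"),         # loopback traffic
]

if __name__ == "__main__":
    for name, script in (("original", ORIGINAL), ("reordered", REORDERED)):
        decisions, counters = run(script, SAMPLE)
        print(name, decisions)
        for number, pkts in counters.items():
            print(f"{number:05d} {pkts:8d}")    # same shape as the first columns of `ipfw show`
```

Running it prints the original ruleset with every packet terminating at 110 and zero counters on 120, 130 and 144, which is exactly the pattern the reply tells Curtis to look for in `ipfw show`; with rule 105 in front, the FTP SYN is denied and the remaining packets still reach 110.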