Date: Sat, 14 Feb 2004 17:59:14 -0600 From: "Eric F Crist" <ecrist@adtechintegrated.com> To: "'Jez Hancock'" <jez.hancock@munk.nu> Cc: 'FreeBSD questions List' <freebsd-questions@freebsd.org> Subject: RE: continued IPFW issues... (actually a lack of ability on my part) Message-ID: <000201c3f356$906d6010$6401a8c0@Nomad> In-Reply-To: <20040214233615.GB38665@users.munk.nu>
next in thread | previous in thread | raw e-mail | index | archive | help
-----Original Message----- From: Jez Hancock [mailto:munk@munk.nu] On Behalf Of Jez Hancock Sent: Saturday, February 14, 2004 5:36 PM To: Eric F Crist Cc: FreeBSD questions List Subject: Re: continued IPFW issues... (actually a lack of ability on my part) On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote: > I'm still having some sort of issues with ipfw rules on my server. > I've got a > cgi based irc client installed, and I can't connect. Also, it seems as if my > DNS server isn't able to send queries out. An ipfw show displays the > following for me: > > 00050 54632 4640473 allow ip from me to any > 00100 0 0 allow ip from any to any via lo0 > 00200 0 0 deny ip from any to 127.0.0.0/8 > 00300 0 0 deny ip from 127.0.0.0/8 to any > 00400 4027 351563 allow ip from 63.228.14.240/29 to me > 00500 2 80 allow ip from any to me dst-port 22 > 00600 2 80 allow ip from any to me dst-port 21 > 00700 388 25405 allow ip from any to me dst-port 25 > 00800 58 4944 allow ip from any to me dst-port 80 > 00900 2 80 allow ip from any to me dst-port 443 > 01000 2 80 allow ip from any to me dst-port 110 > 01100 54 4247 allow ip from any to me dst-port 53 > 01200 2 80 allow ip from any to me dst-port 6667 > 01300 2 80 allow ip from any to me dst-port 6668 > 01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080 > 65535 46432 7224466 deny ip from any to any > > Where is all that denied traffic coming from on the final rule? You are only allowing traffic in and not out - as Matthew Seaman mentioned in the last post in your previous thread, you should use 'keep-state' to keep track of the connections made to you. See the examples he provided in that thread. >From the manpage for ipfw: check-state Checks the packet against the dynamic ruleset. If a match is found, execute the action associated with the rule which gener- ated this dynamic rule, otherwise move to the next rule. Check-state rules do not have a body. If no check-state rule is found, the dynamic ruleset is checked at the first keep-state or limit rule. ... keep-state Upon a match, the firewall will create a dynamic rule, whose default behaviour is to match bidirectional traffic between source and destination IP/port using the same protocol. The rule has a limited lifetime (controlled by a set of sysctl(8) vari- ables), and the lifetime is refreshed every time a matching packet is found. When a connection is made to port 80 from an external host, with the 'keep-state' flag set on your rule for port 80 data transfer will be allowed in both directions to/from the external host to/from you on port 80 for a limited period. The check-state rule effectively 'shortcuts' the rest of the rules in the ruleset if a match is made for the external host for the given action (inbound connections to port 80 in this case). You'd need to do the same for each of the other ports you want to allow free connections to/from. Wouldn't my first rule: ipfw allow ip from me to any have fixed this problem? --- Eric F Crist President AdTech Integrated Systems, Inc (612) 998-3588
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000201c3f356$906d6010$6401a8c0>