From: "W. D." <WD@US-Webmasters.com>
To: freebsd-security@freebsd.org
Cc: Tuomo Latto
Date: Thu, 20 Dec 2007 00:39:16 -0600
Subject: Re: IPFW: Blocking me out. How to debug?
In-Reply-To: <47664621.50909@iki.fi>
Message-Id: <20071220063926.4B2D113C457@mx1.freebsd.org>

At 03:49 12/17/2007, Tuomo Latto wrote:
>W. D. wrote:
>> How do I tell which rule is blocking me out? SSH *is* working,
>> but others are not.
>
>It all depends on what you mean by "blocking you out" and "others".
>
>
>Did you try *reading* your fw config?
>
>> # Loopback:
>> # Allow anything on the local loopback:
>> add allow all from any to any via lo0
>> add deny ip from any to 127.0.0.0/8
>> add deny ip from 127.0.0.0/8 to any
>Nope.
>
>> # Allow established connections:
>> add allow tcp from any to any established
>Nope.
>
>> # Deny fragmented packets:
>> add deny ip from any to any frag
>Nope.
>
>> # Show pings:
>> add count icmp from any to any icmptypes 8 in
>Nope.
>
>> # Allow pings, ping replies, and host unreach:
>> add allow icmp from any to any icmptypes 0,8,3
>Nope.
>
>> # Allow UDP traceroutes:
>> add allow udp from any to any 33434-34458 in
>> add allow udp from any 33434-34458 to any out
>Nope.
>
>> # Allow DNS with name server
>> add allow udp from any to any domain out
>> add allow udp from any domain to any in
>Nope.
>
>> # SSH
>> # Note that /etc/hosts.allow has restrictions
>> # on which IP addresses are allowed.
>> #
>> # Allow SSH:
>> add allow tcp from any to any ssh in setup
>Nope, but this explains SSH working.
>
>> # HTTP & HTTPS:
>> add allow tcp from any to any https in setup
>> add allow tcp from any to any http in setup
>Nope.
>
>> # Mail: SMTP & IMAP:
>> add allow tcp from any to any smtp in setup
>> add allow tcp from any to any imap in setup
>Nope.
>
>> # FTP:
>> add allow tcp from any to any ftp in setup
>> add allow tcp from any to any ftp\-data in setup
>> add allow tcp from any ftp\-data to any setup out
>Nope.
>
>> # Allow NTP in and out
>> add allow udp from any ntp to 128.252.19.1 ntp out
>> add allow udp from 128.252.19.1 ntp to any ntp in
>Nope.
>
>> # Deny and log everything else:
>> add deny log all from any to any
>Bingo!
>
>
>"ipfw -a list" may also help (packet counts).

I've been banging my head against this for the past few days. I don't get it.
My understanding of the way this is supposed to work is that:

    # HTTP & HTTPS:
    add allow tcp from any to any https in setup
    add allow tcp from any to any http in setup

should let initial HTTP & HTTPS requests through, and that:

    # Allow established connections:
    add allow tcp from any to any established

should allow connections that are "setup" to continue. Do I need a "check-state" or "keep-state" statement somewhere?

I don't understand what is wrong with the last rule:

    # Deny and log everything else:
    add deny log all from any to any

My understanding is that anything that doesn't match the previous rules will match this one and hence be logged and denied. Is this not correct?

Again, I am having a great deal of difficulty understanding why these rules don't work as expected. I've scoured the 'Net and printed out just about every coherent ruleset out there.

Besides adding the "log" keyword on all of the rules, these are the debugging tools I have been using:

    ipfw disable firewall
    ipfw -f flush
    ipfw enable firewall
    /etc/rc.d/ipfw start
    ipfw -a -S -N -t list
    ipfw list
    tail -f /var/log/ipfw/ipfw.log
    tcpdump -i nve0 'proto \tcp && port http'

Could anyone please throw this tired dog a bone?

Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
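The packet-counter check that Tuomo points at ("ipfw -a list") is the quickest way to answer "which rule is blocking me", because the counter of the rule that swallows the failing connection goes up every time you retry it. The script below is an added example, not code from this thread: it reads "ipfw -a list" output (rule number, packet count, byte count, then the rule text) and reports the deny rules that have actually matched packets. The sample output is constructed here and is not from W. D.'s host; the rule numbers in it are assumptions, and the two awk field positions (field 2 = packet count, field 4 = action) are what "ipfw -a list" prints on FreeBSD.

```shell
#!/bin/sh
# Added example (not from the freebsd-security thread): locate the ipfw rule
# that is eating packets, using the counters from "ipfw -a list".
# Input format assumed (one rule per line):
#   <rule-number> <packets> <bytes> <action> <rest of rule>

# Every rule that has matched at least one packet, busiest first.
hit_rules() {
    awk '$2 > 0 { print }' | sort -k2,2nr
}

# Numbers of deny rules that have matched at least one packet: these are
# the candidates for "the rule that is blocking me".
blocking_rules() {
    awk '$2 > 0 && $4 == "deny" { print $1 }'
}

# Constructed sample of "ipfw -a list" output, modelled on the ruleset in
# the thread (rule numbers and counters are made up for this example).
# Only loopback, established, SSH and the final deny have seen traffic.
SAMPLE='00100      42     4200 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00300       0        0 deny ip from 127.0.0.0/8 to any
00400     310   186000 allow tcp from any to any established
00500       0        0 deny ip from any to any frag
01100       7      420 allow tcp from any to any ssh in setup
01200       0        0 allow tcp from any to any https in setup
01300       0        0 allow tcp from any to any http in setup
02000      58     3480 deny log ip from any to any
65535       0        0 deny ip from any to any'

# On a live host you would run:  ipfw -a list | blocking_rules
# Here the constructed sample is used so the script runs anywhere.
printf '%s\n' "$SAMPLE" | blocking_rules
```

Counters accumulate from the moment the ruleset was loaded, so the useful procedure is: run "ipfw zero" to reset them, reproduce exactly one failing connection (one HTTP request, say), then run "ipfw -a list | blocking_rules". A deny rule whose counter moved from 0 to 1 is the one that took the packet; comparing the logged line in /var/log/ipfw/ipfw.log against that rule then tells you whether the packet was inbound or outbound and which port it was headed for.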