Date:      Sat, 11 Sep 1999 01:13:05 -0700
From:      Dean <dean@thegrid.net>
To:        freebsd-security@freebsd.org
Subject:   ipfw passing packets past deny rule?
Message-ID:  <4.1.19990911010348.00988480@mail.thegrid.net>

Hello.  I am running ipfw/natd on a 486 75MHz.
wormhole:/home/king-> uname -a
FreeBSD wormhole 3.2-RELEASE FreeBSD 3.2-RELEASE #2: Fri Aug 20 19:54:03
GMT 1999     root@remus.denofslack.net:/usr/src/sys/compile/WORMHOLE  i386

I've got a pretty simple ruleset.  Today, I saw this in my security check:
wormhole denied packets: 
> 10000 1113  84640 deny log ip from any to any 
> 65535 1       328 deny ip from any to any

This looks to me like one 328 byte packet got by rule 10000.  Is this the case?
My complete ruleset is as follows:
00010 allow ip from any to any via lo0
00020 deny log ip from any to 127.0.0.0/8
00030 divert 8668 ip from any to any via ed0
00080 deny log ip from any to any ipopt ssrr,lsrr
00090 deny log ip from 10.0.0.0/8 to any in recv ed0
00100 allow tcp from any to any established
00200 allow ip from any to any via ed1
00300 allow ip from any to any via ed2
00400 allow ip from any to any out xmit ed0
00500 allow udp from any 53 to any 1024-65535 in recv ed0
00600 allow log tcp from any 1024-65535 to any 113 setup
00700 allow log tcp from any 1024-65535 to <my ip> 21 setup
00800 allow log tcp from any 1024-65535 to <my ip> 22 setup
00900 allow log tcp from any 1024-65535 to <my ip> 23 setup
01100 allow log tcp from any 20 to any 1024-65535 setup
01200 allow udp from 63.192.96.2 123 to <my ip> 123 in recv ed0
01300 allow udp from any 1024-65535 to 10.0.1.1 1024-65535
01400 allow icmp from any to any icmptype 0,3,4,11,12,14,16,18
01500 allow udp from any 53 to 10.0.1.1 137 in recv ed0
10000 deny log ip from any to any
65535 deny ip from any to any

Thank you for your help.  If anyone sees any glaring holes in this, please
don't be shy.
-Dean
-------------------------------------------------------------------------------
Staccato signals of constant information.
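The ruleset quoted in the message, walked by a small first-match simulator. This is an added example, not part of Dean's post and not ipfw's own code; it assumes the constructed address 192.0.2.10 in place of `<my ip>`, constructed sample packets, and the simplifications noted in the comments (divert treated as non-terminal with no natd address rewriting, `recv`/`xmit` reduced to direction plus interface).

```python
# Added example, not from the post: first-match simulator for the ipfw(8) subset
# the quoted ruleset uses.  Simplifications: divert is non-terminal (natd
# reinjects and matching resumes at the next rule; no address rewriting),
# recv/xmit reduce to direction plus interface, "<my ip>" is a constructed address.
import ipaddress

MY_IP = "192.0.2.10"  # constructed stand-in for "<my ip>"
RULESET = """
00010 allow ip from any to any via lo0
00020 deny log ip from any to 127.0.0.0/8
00030 divert 8668 ip from any to any via ed0
00080 deny log ip from any to any ipopt ssrr,lsrr
00090 deny log ip from 10.0.0.0/8 to any in recv ed0
00100 allow tcp from any to any established
00200 allow ip from any to any via ed1
00300 allow ip from any to any via ed2
00400 allow ip from any to any out xmit ed0
00500 allow udp from any 53 to any 1024-65535 in recv ed0
00600 allow log tcp from any 1024-65535 to any 113 setup
00700 allow log tcp from any 1024-65535 to MYIP 21 setup
00800 allow log tcp from any 1024-65535 to MYIP 22 setup
00900 allow log tcp from any 1024-65535 to MYIP 23 setup
01100 allow log tcp from any 20 to any 1024-65535 setup
01200 allow udp from 63.192.96.2 123 to MYIP 123 in recv ed0
01300 allow udp from any 1024-65535 to 10.0.1.1 1024-65535
01400 allow icmp from any to any icmptype 0,3,4,11,12,14,16,18
01500 allow udp from any 53 to 10.0.1.1 137 in recv ed0
10000 deny log ip from any to any
65535 deny ip from any to any
""".replace("MYIP", MY_IP)
WITH_ARG = {"via", "recv", "xmit", "icmptype", "ipopt"}  # options that take a value

def parse_ports(spec):
    """'53', '1024-65535' or a comma list -> [(lo, hi), ...]."""
    parts = [p.partition("-") for p in spec.split(",")]
    return [(int(lo), int(hi or lo)) for lo, _, hi in parts]

def parse_rule(line):
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "sports": None, "dports": None, "opts": []}
    i = 3 if r["action"] == "divert" else 2         # divert carries a socket port
    if t[i] == "log":
        i += 1                                       # log never affects matching
    r["proto"], r["src"], i = t[i], t[i + 2], i + 3  # "<proto> from <src>"
    if t[i] != "to":
        r["sports"], i = parse_ports(t[i]), i + 1
    r["dst"], i = t[i + 1], i + 2                    # "to <dst>"
    if i < len(t) and t[i][0].isdigit():             # optional destination ports
        r["dports"], i = parse_ports(t[i]), i + 1
    while i < len(t):                                # trailing option keywords
        arg = t[i + 1] if t[i] in WITH_ARG else None
        r["opts"].append((t[i], arg))
        i += 2 if arg else 1
    return r

def opt_ok(key, val, p):
    flags = p.get("flags", set())
    return {
        "via": lambda: p["iface"] == val,
        "recv": lambda: p["dir"] == "in" and p["iface"] == val,
        "xmit": lambda: p["dir"] == "out" and p["iface"] == val,
        "in": lambda: p["dir"] == "in",
        "out": lambda: p["dir"] == "out",
        "established": lambda: bool(flags & {"ack", "rst"}),      # ACK or RST set
        "setup": lambda: "syn" in flags and "ack" not in flags,  # SYN without ACK
        "icmptype": lambda: str(p.get("icmptype")) in val.split(","),
        "ipopt": lambda: bool(set(val.split(",")) & p.get("ipopts", set())),
    }[key]()

def rule_matches(r, p):
    in_net = lambda spec, ip: spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    in_ports = lambda ranges, port: ranges is None or any(lo <= port <= hi for lo, hi in ranges)
    return (r["proto"] in ("ip", p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and in_ports(r["sports"], p.get("sport", 0))
            and in_ports(r["dports"], p.get("dport", 0))
            and all(opt_ok(k, v, p) for k, v in r["opts"]))

def first_match(rules, p):
    """Number of the first terminal rule matching p; divert rules are passed over."""
    for r in rules:
        if r["action"] != "divert" and rule_matches(r, p):
            return r["num"]
    raise RuntimeError("no match; a real ipfw list always ends in 65535")

RULES = [parse_rule(line) for line in RULESET.strip().splitlines()]
SAMPLES = {  # constructed test traffic on ed0 (not from the post)
    "unsolicited SYN to smtp": dict(proto="tcp", src="198.51.100.7", sport=40000, dst=MY_IP, dport=25, dir="in", iface="ed0", flags={"syn"}),
    "SYN to ssh": dict(proto="tcp", src="198.51.100.7", sport=40000, dst=MY_IP, dport=22, dir="in", iface="ed0", flags={"syn"}),
    "spoofed 10/8 source": dict(proto="tcp", src="10.9.8.7", sport=1234, dst=MY_IP, dport=80, dir="in", iface="ed0", flags={"syn"}),
    "outbound on ed0": dict(proto="tcp", src=MY_IP, sport=50000, dst="198.51.100.7", dport=80, dir="out", iface="ed0", flags={"syn"}),
}

def trace(rules=RULES, packets=SAMPLES):
    """Map each sample packet to the number of the rule that terminates it."""
    return {name: first_match(rules, p) for name, p in packets.items()}

if __name__ == "__main__":
    print(trace(), trace([RULES[-1]]))  # full list vs. flushed to the default rule only
```

With the full list loaded, every sample packet terminates at or before rule 10000, because 10000 is a catch-all deny with no options and nothing can fall through it to 65535. The only way the simulator produces a hit on 65535 is with the list reduced to the default rule alone, which is what the kernel sees between an `ipfw flush` and the reload of the rules; that is the first place to look when the 65535 counter moves while a catch-all deny sits in front of it.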