From: Gore Jarold <gore_jarold@yahoo.com>
To: freebsd-questions@freebsd.org
Date: Mon, 17 Dec 2007 09:06:29 -0800 (PST)
Message-ID: <349277.18679.qm@web63012.mail.re1.yahoo.com>
Subject: ipfw rules for all interfaces not working ...
My main goal is to lock down my ipfw rules so that when I run nmap, all I see is:

  Interesting ports on 192.168.0.10:
  Not shown: 1677 closed ports
  PORT   STATE SERVICE
  22/tcp open  ssh
  MAC Address: 00:12:D8:A2:23:C2

  Nmap finished: 1 IP address (1 host up) scanned in 9.791 seconds

So that means I will need to explicitly block all ports except for the ones I have real servers running on. That's easy.

The problem is, this is a laptop and so sometimes iwi0 exists and sometimes it doesn't, and sometimes xl0 exists and sometimes it doesn't ... and that is why my ipfw rules look like this:

  00010     0        0 allow ip from any to any via lo0
  00020     0        0 deny ip from any to 127.0.0.0/8
  01000 18134 10505749 allow tcp from any to any established
  04000  1498    84280 allow icmp from any to any
  04001    27     1728 allow tcp from any to any dst-port 22 setup
  04008     0        0 deny log logamount 100 ip from any to any recv all
  65535 15202  2569754 allow ip from any to any

See - in rule 04008, I say to deny "ip from any to any recv all" - so that no matter what interface(s) I have up, and no matter what their addresses are, this one deny rule will apply to them.

The problem is, it doesn't work. As you can see, the counter on that rule is zero, and when I nmap the system I can see things like samba and http, etc., even though the only port I am allowing through is TCP 22.

Why is this?