From: "Marcel Dijk" <marcel.dijk@home.nl>
To: freebsd-security@freebsd.org
Subject: Making a firewall more closed
Date: Tue, 2 Jul 2002 18:12:26 +0200

Yes, that works! Thanks very much for your help.

Now I have another problem. I can log in to an FTP site, but then I get this message:

227 Entering Passive Mode (212,120,66,212,248,134)
Data Socket Error: Connection Failed

I think I should open ports 1024-65535? But that would mean a great security risk?

Thanks,
Marcel.

> You forgot about DNS. If you change rule 550 from
> add 550 allow log udp from me to any 21,80 keep-state out
> to
> add 550 allow log udp from me to any 21,53,80 keep-state out
> it should work.
>
> You may want to find out what IPs you use for DNS, and specifically allow
> those addresses.
>
> I loaded your rules and I'm not having any problems now.
>
> On Monday 01 July 2002 07:05 pm, nascar24 wrote:
> > This is my current ruleset:
> >
> > # allow loopback traffic
> > add 100 allow ip from any to any via lo0
> >
> > # protect loopback address
> > add 200 deny log ip from 127.0.0.1 to any
> > add 249 deny log ip from any to 127.0.0.1
> >
> > # block spoofs
> > add 400 deny log ip from me to any in via ed0
> >
> > # enable NATD
> > add 425 divert 8668 ip from any to any via ed0
> >
> > # check dynamic rules
> > add 450 check-state
> >
> > # make dynamic entries for all outgoing traffic
> > add 500 allow log tcp from me to any 1-65535 keep-state out
> > add 550 allow log udp from me to any 1-65535 keep-state out
> >
> > # services we offer to the world
> > add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in
> >
> > # pass ICMP
> > add 700 allow log icmp from me to any out
> > add 750 allow log icmp from any to me in
> >
> > # pass everything on private LAN
> > add 800 allow log all from 192.168.0.0/16 to any
> > add 850 allow log all from any to 192.168.0.0/16
> >
> > # log rejects that have fallen through
> > add 65000 deny log ip from any to any
> >
> > With this ruleset I can browse websites, FTP sites etc.
> >
> > But when I replace rules 500 and 550 with this:
> >
> > add 500 allow log tcp from me to any 21,80 keep-state out
> > add 550 allow log udp from me to any 21,80 keep-state out
> >
> > I cannot access any websites nor FTP sites. But I guess I had just allowed it?
> >
> > Or is the 'out' the problem here?
> >
> > Marcel.
> >
> > On Monday 01 July 2002 06:45 pm, nascar24 wrote:
> > > What I mean is that I want to grant access to the internet. But only to
> > > ports I 'trust', like 80,21,22 etc. But when I make a rule like:
> > >
> > > add 550 allow ip from me to any 80,21,22
> > >
> > > I cannot access a website, that puzzles me.
> >
> > There is a problem with the rule in the example: You allowed traffic to leave
> > through those ports, but not to enter.
> > We can fix this rule:
> >
> > add 550 allow tcp from me to any 80,21,22 keep-state
> >
> > I noticed you already had a rule 550 - you may want to give it a different
> > number. IPFW (running 4.5R here) gives the following error when trying to
> > load your rule:
> >
> > ipfw: only TCP and UDP protocols are valid with port specifications
> >
> > hence why I changed it from ip to tcp.
> >
> > GL
>
> --
> ----------
> Ramsey G. Brenner
> rgbrenner@myrealbox.com
> http://rgbrenner.cjb.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
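The two failures discussed in this thread (the rule that lets traffic out but not back in, and the passive-FTP data connection that fails once rule 500 is narrowed to ports 21 and 80) can be reproduced with a small model of the ipfw semantics the posted rulesets rely on. The following is an added example, not code from the thread or from FreeBSD's ipfw: it implements first-match evaluation with check-state/keep-state, 'me', port lists and ranges and in/out, parses the FTP 227 reply, and replays a DNS lookup, the FTP control connection and the passive data connection under the original rules 500/550 (1-65535), the narrowed ones (21,80) and the DNS-fixed variant (21,53,80). The firewall address ME, the server addresses and the 227 reply are constructed test data; NAT divert, the ICMP and LAN rules and dynamic-rule timeouts are deliberately left out.

```python
# Stateful ipfw model for the thread above. Added example, not code from the
# thread or from ipfw. Models only check-state, keep-state, 'me', port lists/
# ranges and in/out; NAT divert, ICMP/LAN rules and state timeouts are omitted.
import re
from collections import namedtuple

ME = "192.0.2.2"            # assumed: the firewall's own address ('me')
FTP_SERVER = "192.0.2.10"   # constructed remote FTP server
DNS_SERVER = "192.0.2.53"   # constructed resolver
# Constructed 227 reply, same shape as the one quoted in the thread.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,248,134)"

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Rule: dports () = any port, entries are ints or (lo, hi) ranges;
# direction None = both; proto 'ip' matches tcp and udp.
Rule = namedtuple("Rule", "num action proto src dst dports direction keep_state")
Packet = namedtuple("Packet", "proto src sport dst dport direction")


def parse_pasv(reply):
    """Return (host, port) from a '227 Entering Passive Mode' reply.
    RFC 959 encodes the port as p1*256 + p2; the client then opens a *new
    outbound* connection to host:port for the data transfer."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


class Firewall:
    """First-match rule evaluator with a dynamic (keep-state) flow table."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = set()      # 5-tuples of flows opened by keep-state

    @staticmethod
    def _addr_ok(pat, addr):
        return pat == "any" or addr == (ME if pat == "me" else pat)

    @staticmethod
    def _port_ok(dports, port):
        return not dports or any(
            p[0] <= port <= p[1] if isinstance(p, tuple) else p == port
            for p in dports)

    def _matches(self, r, pkt):
        return (r.proto in ("ip", pkt.proto)
                and self._addr_ok(r.src, pkt.src)
                and self._addr_ok(r.dst, pkt.dst)
                and self._port_ok(r.dports, pkt.dport)
                and r.direction in (None, pkt.direction))

    def check(self, pkt):
        """Return (rule number, verdict) for one packet, updating state."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        back = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for r in self.rules:
            if r.action == "check-state":
                if flow in self.dynamic or back in self.dynamic:
                    return r.num, "allow"   # reply to a keep-state flow
                continue
            if self._matches(r, pkt):
                if r.keep_state and r.action == "allow":
                    self.dynamic.add(flow)  # replies will pass check-state
                return r.num, r.action
        return 65535, "deny"                # ipfw's implicit default rule


def ruleset(tcp_out, udp_out):
    """Rules 450/500/550/600/65000 from the thread, with the given port lists."""
    return [
        Rule(450, "check-state", "ip", "any", "any", (), None, False),
        Rule(500, "allow", "tcp", "me", "any", tcp_out, "out", True),
        Rule(550, "allow", "udp", "me", "any", udp_out, "out", True),
        Rule(600, "allow", "tcp", "any", "me",
             (22, 5067, 5617, 8472, 10000), "in", True),
        Rule(65000, "deny", "ip", "any", "any", (), None, False),
    ]


OPEN = ruleset(((1, 65535),), ((1, 65535),))   # the original 500/550
TIGHT = ruleset((21, 80), (21, 80))            # the replacement that broke
TIGHT_DNS = ruleset((21, 80), (21, 53, 80))    # with Ramsey's DNS fix
# Rule 500 without keep-state: packets leave, but replies have no state to match.
NOSTATE = [r._replace(keep_state=False) if r.num == 500 else r for r in TIGHT]


def ftp_session(rules):
    """Replay a DNS lookup, the FTP control connection and the PASV data
    connection through a fresh firewall; return the verdict for each step."""
    fw = Firewall(rules)
    host, port = parse_pasv(PASV_REPLY)
    steps = [
        ("dns", Packet("udp", ME, 40000, DNS_SERVER, 53, "out")),
        ("control_out", Packet("tcp", ME, 40001, FTP_SERVER, 21, "out")),
        ("control_in", Packet("tcp", FTP_SERVER, 21, ME, 40001, "in")),
        ("data_out", Packet("tcp", ME, 40002, host, port, "out")),
    ]
    return {name: fw.check(pkt)[1] for name, pkt in steps}
```

Running `ftp_session` over the four rulesets shows where each failure comes from. Without keep-state on rule 500 the outbound SYN to port 21 is allowed but the server's reply has no dynamic rule to match at 450 and falls through to 65000, which is the "leave but not enter" problem in the thread. With keep-state but only ports 21 and 80, DNS (udp/53) is denied until 53 is added to rule 550, and the control connection works but the passive data connection is still denied: in passive mode the client itself opens a new outbound TCP connection to the port advertised in the 227 reply (248*256+134 = 63622 in the constructed reply), so that SYN matches neither 500 nor 550. No inbound high port is involved, so opening 1024-65535 inbound would not change the verdict; what makes passive FTP work in this model is allowing outbound TCP to any port with keep-state, as the original rule 500 did (or terminating FTP on a proxy that knows the protocol).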