Date: Tue, 29 Jul 1997 08:44:43 -0400 (EDT)
From: Keith Mitchell <kmitch@weenix.guru.org>
To: questions@freebsd.org
Subject: ipfw Question
Message-ID: <199707291244.IAA27471@weenix.guru.org>
I have amanda set up on my machine, so I want to prevent anyone but the
server from connecting to it. To accomplish this, I added the following
rules with ipfw:

[1400] /sbin/ipfw add allow udp from ${oip} to ${oip} amanda
[1500] /sbin/ipfw add allow udp from ${iip} to ${oip} amanda
[1600] /sbin/ipfw add allow udp from ${iip} to ${iip} amanda
[1700] /sbin/ipfw add allow udp from ${oip} to ${iip} amanda
[1800] /sbin/ipfw add deny log udp from any to ${iip} amanda in recv ${iif}
[1900] /sbin/ipfw add deny log udp from any to ${oip} amanda in recv ${iif}
[2000] /sbin/ipfw add deny log udp from any to ${oip} amanda in recv ${oif}

Where:
  The numbers in brackets are the rule numbers that get assigned after
  running rc.firewall.
  ${iif} is the internal ethernet interface (de1)
  ${oif} is the external ethernet interface (de0)
  ${iip} is the internal ip number (10.10.10.12)
  ${oip} is the external ip number

The problem lies with NFS. Occasionally NFS traffic gets caught by the
above rules. The output I get is:

ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370

From the look of the messages above, neither of the port numbers is the
amanda port (10080), so why are they getting matched?? Is there a way to
fix my rules so that only traffic that would otherwise go to amanda be
dropped??

I am running -current from 7/23, but I think this also fails in 2.2.2.

--
Keith Mitchell
Head Administrator: acm.vt.edu
Email: kmitch@weenix.guru.org
PGP key available upon request
http://weenix.guru.org/~kmitch
Address and URL (c) 1997 Keith Mitchell - All Rights Reserved
Unauthorized use or duplication prohibited
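Editor's added example (not part of Keith's message, and not FreeBSD's ipfw code). The "Fragment = 185" / "Fragment = 370" fields in the log lines above are the IPv4 fragment offset, which RFC 791 counts in 8-octet units: 185 * 8 = 1480 = 1500 - 20, i.e. exactly the data that fits in one Ethernet frame after a 20-byte IP header, and 370 * 8 = 2960 is the next frame's worth. So these packets are the second and third fragments of a UDP datagram larger than an Ethernet frame, and only the fragment at offset 0 carries the UDP header. A filter that reads source and destination ports from the start of every fragment's data would therefore print application bytes as "ports"; for instance 8224 is 0x2020, which is what four ASCII spaces look like when read as two 16-bit port numbers. The script below builds such a datagram from constructed input (an 8 KiB block of spaces sent to port 2049, the NFS port, with an assumed 1500-byte MTU), fragments it, and shows both what the ports look like on each fragment and how a hypothetical port-qualified rule (my model, not ipfw's matching logic) can only be decided on the first fragment. Whether a given ipfw release of that era matched port-qualified rules against later fragments is not settled by the message itself.

```python
import struct

# Assumed link parameters for this constructed example (not from the post).
MTU = 1500            # Ethernet MTU
IP_HDR_LEN = 20       # IPv4 header without options
UDP_HDR_LEN = 8
IP_MF = 0x2000        # "more fragments" bit in the flags/fragment-offset field
IP_OFFMASK = 0x1FFF   # fragment offset, in units of 8 octets (RFC 791)


def build_udp_datagram(src_port, dst_port, payload):
    """UDP header (checksum left at 0, which UDP over IPv4 permits) + payload."""
    header = struct.pack("!HHHH", src_port, dst_port, UDP_HDR_LEN + len(payload), 0)
    return header + payload


def fragment(transport, mtu=MTU):
    """Split an IP payload into fragments as a sending host or router would.

    Returns a list of (flags_offset_field, data). Every fragment but the last
    carries a multiple of 8 data bytes, because the offset field counts
    8-octet units; only the fragment at offset 0 contains the UDP header.
    """
    max_data = (mtu - IP_HDR_LEN) // 8 * 8        # 1480 for an Ethernet MTU
    frags = []
    pos = 0
    while pos < len(transport):
        chunk = transport[pos:pos + max_data]
        last = pos + len(chunk) >= len(transport)
        field = (0 if last else IP_MF) | (pos // 8)
        frags.append((field, chunk))
        pos += len(chunk)
    return frags


def fragment_offset(field):
    """Offset in 8-octet units, as printed after 'Fragment =' in the log."""
    return field & IP_OFFMASK


def bytes_read_as_ports(data):
    """The two 16-bit values a filter would print if it read src/dst ports
    from the start of every fragment's data, whether a UDP header is there or not."""
    return struct.unpack("!HH", data[:4])


def port_rule(field, data, dst_port):
    """Hypothetical model of a port-qualified rule (not ipfw's own code):
    True/False on the first fragment, None (undecidable) on the others,
    where no UDP header exists to compare against."""
    if fragment_offset(field) != 0:
        return None
    return bytes_read_as_ports(data)[1] == dst_port


def demo_large_udp_write():
    """Constructed sample: an 8 KiB block of ASCII spaces carried in one UDP
    datagram from port 1023 to port 2049 (NFS), as a text-file write over
    NFS/UDP might look on the wire."""
    payload = b" " * 8192
    frags = fragment(build_udp_datagram(1023, 2049, payload))
    return {
        "offsets": [fragment_offset(f) for f, _ in frags],
        "offsets_in_bytes": [fragment_offset(f) * 8 for f, _ in frags],
        "ports_as_printed": [bytes_read_as_ports(d) for _, d in frags],
        "amanda_rule_10080": [port_rule(f, d, 10080) for f, d in frags],
        "nfs_rule_2049": [port_rule(f, d, 2049) for f, d in frags],
    }


if __name__ == "__main__":
    r = demo_large_udp_write()
    for i, off in enumerate(r["offsets"]):
        print(f"fragment {i}: Fragment = {off} ({r['offsets_in_bytes'][i]} bytes), "
              f"first 4 bytes read as ports = {r['ports_as_printed'][i]}, "
              f"amanda rule = {r['amanda_rule_10080'][i]}")
```

Running it prints offsets 0, 185, 370, 555, 740 and 925 for the six fragments, real ports (1023, 2049) on the first one and (8224, 8224) on every later one, which is the same pattern as the "Fragment = 370" lines in the log. Any rule that names a port can only be decided on the offset-0 fragment, which is why a firewall policy that must drop a UDP service cannot rely on port matching alone for the non-first fragments of large datagrams.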