From owner-freebsd-questions Tue Jul 29 05:44:49 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA09234 for questions-outgoing; Tue, 29 Jul 1997 05:44:49 -0700 (PDT)
Received: from weenix.guru.org (weenix.guru.org [198.82.200.65]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA09227 for ; Tue, 29 Jul 1997 05:44:46 -0700 (PDT)
Received: (from kmitch@localhost) by weenix.guru.org (8.8.6/8.8.5) id IAA27471 for questions@freebsd.org; Tue, 29 Jul 1997 08:44:43 -0400 (EDT)
From: Keith Mitchell
Message-Id: <199707291244.IAA27471@weenix.guru.org>
Subject: ipfw Question
To: questions@freebsd.org
Date: Tue, 29 Jul 1997 08:44:43 -0400 (EDT)
X-Mailer: ELM [version 2.4ME+ PL30 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I have amanda set up on my machine, so I want to prevent anyone but the server from connecting to it. To accomplish this, I added the following rules with ipfw:

    [1400] /sbin/ipfw add allow udp from ${oip} to ${oip} amanda
    [1500] /sbin/ipfw add allow udp from ${iip} to ${oip} amanda
    [1600] /sbin/ipfw add allow udp from ${iip} to ${iip} amanda
    [1700] /sbin/ipfw add allow udp from ${oip} to ${iip} amanda
    [1800] /sbin/ipfw add deny log udp from any to ${iip} amanda in recv ${iif}
    [1900] /sbin/ipfw add deny log udp from any to ${oip} amanda in recv ${iif}
    [2000] /sbin/ipfw add deny log udp from any to ${oip} amanda in recv ${oif}

Where:

    The numbers in brackets are the rule numbers that get assigned after running rc.firewall.
    ${iif} is the internal ethernet interface (de1)
    ${oif} is the external ethernet interface (de0)
    ${iip} is the internal ip number (10.10.10.12)
    ${oip} is the external ip number

The problem lies with NFS. Occasionally NFS traffic gets caught by the above rules. The output I get is:

    ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
    ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
    ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
    ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
    ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
    ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
    ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
    ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
    ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
    ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
    ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
    ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370

From the look of the messages above, neither of the port numbers is the amanda port (10080), so why are they getting matched?? Is there a way to fix my rules so that only traffic that would otherwise go to amanda be dropped??

I am running -current from 7/23, but I think this also fails in 2.2.2.

--
Keith Mitchell
Head Administrator: acm.vt.edu
Email: kmitch@weenix.guru.org
PGP key available upon request
http://weenix.guru.org/~kmitch
Address and URL (c) 1997 Keith Mitchell - All Rights Reserved
Unauthorized use or duplication prohibited
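Added example, not part of the original message: a small Python triage script for the "Deny ... Fragment = N" lines quoted above. It relies on one fact, that a non-first IP fragment (non-zero offset) carries no UDP header, so the two numbers printed where ports would sit are payload bytes and the deny rule cannot have tested the amanda port for that packet. The sample log is constructed from the lines in the message plus one made-up line that really is addressed to port 10080.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: three of the lines quoted in the message, plus one
# made-up line for a datagram that genuinely targets the amanda port.
SAMPLE_LOG = """\
ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
ipfw: 1800 Deny UDP 10.10.10.14:8224 10.10.10.12:8224 in via de1 Fragment = 370
ipfw: 1800 Deny UDP 10.10.10.14:26988 10.10.10.12:25719 in via de1 Fragment = 185
ipfw: 1800 Deny UDP 10.10.10.99:1025 10.10.10.12:10080 in via de1
"""
AMANDA_PORT = 10080  # the port the deny rules 1800-2000 are written for

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)(?: Fragment = (?P<frag>\d+))?")

@dataclass
class IpfwEntry:
    rule: int
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    frag_offset: int  # 0 when the line has no "Fragment =" field

def parse_line(line: str) -> Optional[IpfwEntry]:
    m = LINE_RE.search(line)
    if not m:
        return None
    return IpfwEntry(int(m["rule"]), m["src"], int(m["sport"]), m["dst"],
                     int(m["dport"]), m["iface"], int(m["frag"] or 0))

def port_as_bytes(port: int) -> bytes:
    """The two raw bytes the logger printed as a 'port' (payload in a fragment)."""
    return port.to_bytes(2, "big")

def classify(e: IpfwEntry, rule_port: int = AMANDA_PORT) -> str:
    """Why did a port-specific deny rule log this packet?"""
    if e.frag_offset > 0:
        # No UDP header in a non-first fragment: the rule matched on
        # protocol and addresses only, and the ports shown are payload bytes.
        return "fragment"
    if rule_port in (e.sport, e.dport):
        return "port-match"
    return "unexplained"

def summarize(log_text: str, rule_port: int = AMANDA_PORT) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            kind = classify(e, rule_port)
            counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Running `summarize(SAMPLE_LOG)` separates the fragment hits from the one genuine amanda-port hit, and `port_as_bytes(8224)` shows the "port" pair 8224 is simply two ASCII spaces from the NFS payload.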