From owner-freebsd-questions Mon May 15 10:49: 0 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from alpha.root-servers.ch (alpha.root-servers.ch [195.49.62.125]) by hub.freebsd.org (Postfix) with SMTP id D2D7237B882 for ; Mon, 15 May 2000 10:48:53 -0700 (PDT) (envelope-from gabriel_ambuehl-fbquestions@buz.ch)
Received: (qmail 27130 invoked from network); 15 May 2000 17:50:52 -0000
Received: from unknown (HELO ATHLON-550) (62.2.99.59) by ns1.root-servers.ch with SMTP; 15 May 2000 17:50:52 -0000
Date: Mon, 15 May 2000 19:49:32 +0200
From: Gabriel Ambuehl
X-Mailer: The Bat! (v1.42 Beta/19) UNREG / CD5BF9353B3B7091
Organization: BUZ Internet Services
X-Priority: 3 (Normal)
Message-ID: <210913272.20000515194932@buz.ch>
To: freebsd-questions@freebsd.org
Subject: ipfw: HTTP(S) is working but everything else doesn't...
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

my ipfw is driving me nuts. I want to allow SMTP (both incoming and outgoing), POP3, HTTP, HTTPS and DNS (well, FTP should work as well, but that one has got its own problems because of that FTP-data thingy) for the firewall box itself and all boxes which use it as gateway [1]. Everything besides this should be rejected.

To accomplish this, I wanted to use the following ruleset:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to any established
00400 allow ip from any to any frag
00500 allow tcp from any to any 25 setup
00600 allow udp from any to any 53
00700 allow udp from any 53 to any 53
00800 allow tcp from any to any 80 setup
00900 allow tcp from any to any 443 setup
01000 allow tcp from any to any 21 setup
01100 allow tcp from any to any 110 setup
01200 allow tcp from any to any 22 setup
01300 allow udp from any to any 22
# DHCP, I need this during the development phase, it's going to be kicked out in production
01400 allow tcp from any to any 546 setup
01500 allow udp from any to any 546
65535 deny ip from any to any

but this isn't working as expected. HTTP and HTTPS both work as they should. DNS doesn't work at all, and neither do SMTP or POP (meaning: I can't connect to the server from outside or to outside servers from the box itself). And the strangest thing (or at least it seems that way to me) is happening with ssh: first, ssh (PuTTY) takes over a minute to show me a login prompt (connecting to the box from outside) and then, when I try to log in, I can type without any problems, but as soon as I hit enter, the ssh client exits and the server reports

sshd[645]: fatal: Timeout before authentication for 10.2.2.150.

What's going wrong here?

[1] Meaning the box acts as some kind of bastion host for the entire net behind it. I know this isn't the optimum, but as we can't set up enough of those boxes (supplier ran out of them :-(( it has to offer those services as well.

Best regards,
Gabriel

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
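As an added illustration that is not part of the original message: a small Python model of ipfw's first-match evaluation, fed the ruleset quoted above, to check which rule each half of a flow hits. It models only the options that ruleset uses (ipfw's "setup" is SYN without ACK, "established" is ACK or RST set) and shows that the UDP reply half of a DNS lookup (source port 53 back to the client's ephemeral port) matches no allow rule before the final deny, whereas the SYN/ACK half of an SMTP connection is caught by rule 300. The gateway and server addresses, ports and packets are constructed samples.

```python
# Added example, not from the original post: a minimal model of ipfw's
# first-match evaluation for the options the quoted ruleset uses (proto,
# ports, "setup", "established", "frag", "via lo0", 127/8 destination).
# Packets handed to evaluate() below are constructed samples.

def R(num, action, proto, **opt):
    return dict(num=num, action=action, proto=proto, **opt)

RULES = [
    R(100, "allow", "ip", iface="lo0"),             R(200, "deny", "ip", dst_net="127."),
    R(300, "allow", "tcp", established=True),       R(400, "allow", "ip", frag=True),
    R(500, "allow", "tcp", dport=25, setup=True),   R(600, "allow", "udp", dport=53),
    R(700, "allow", "udp", sport=53, dport=53),     R(800, "allow", "tcp", dport=80, setup=True),
    R(900, "allow", "tcp", dport=443, setup=True),  R(1000, "allow", "tcp", dport=21, setup=True),
    R(1100, "allow", "tcp", dport=110, setup=True), R(1200, "allow", "tcp", dport=22, setup=True),
    R(1300, "allow", "udp", dport=22),              R(1400, "allow", "tcp", dport=546, setup=True),
    R(1500, "allow", "udp", dport=546),             R(65535, "deny", "ip"),
]

def matches(rule, pkt):
    flags = pkt.get("flags", frozenset())
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for field in ("sport", "dport", "iface"):   # exact-match fields
        if rule.get(field) is not None and pkt.get(field) != rule[field]:
            return False
    if rule.get("dst_net") and not pkt.get("dst", "").startswith(rule["dst_net"]):
        return False
    if rule.get("frag") and not pkt.get("frag"):
        return False
    # ipfw semantics: "setup" is SYN without ACK; "established" is ACK or RST set
    if rule.get("setup") and not ("SYN" in flags and "ACK" not in flags):
        return False
    if rule.get("established") and not (flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(pkt, rules=RULES):
    """Return (rule number, action) of the first rule that matches pkt."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    raise AssertionError("an ipfw ruleset always ends in rule 65535")

# Constructed sample flows: gateway 10.2.2.1 talking to outside hosts in 192.0.2.0/24.
DNS_QUERY = dict(proto="udp", src="10.2.2.1", sport=1025, dst="192.0.2.53", dport=53)
DNS_REPLY = dict(proto="udp", src="192.0.2.53", sport=53, dst="10.2.2.1", dport=1025)
SMTP_SYN = dict(proto="tcp", src="10.2.2.1", sport=1026, dst="192.0.2.25", dport=25, flags={"SYN"})
SMTP_SYNACK = dict(proto="tcp", src="192.0.2.25", sport=25, dst="10.2.2.1", dport=1026, flags={"SYN", "ACK"})
```

Running evaluate() over each packet gives (600, "allow") for the DNS query but (65535, "deny") for its reply, while the SMTP SYN hits (500, "allow") and the SYN/ACK (300, "allow").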