From owner-freebsd-questions@FreeBSD.ORG Mon Jul 18 18:20:11 2005
From: Dave McCammon
To: Jim Campbell
Cc: questions@freebsd.org
Date: Mon, 18 Jul 2005 11:20:09 -0700 (PDT)
Subject: Re: Newbie IPFW Questions
In-Reply-To: <42DBB359.3000400@charter.net>
Message-ID: <20050718182009.51431.qmail@web32813.mail.mud.yahoo.com>
List-Id: User questions

--- Jim Campbell wrote:

> Glenn Dawson wrote:
>
> > At 08:18 PM 7/17/2005, Jim Campbell wrote:
> >
> >> I have a machine set up as a classroom to learn about FreeBSD. It is
> >> running 4.11 primarily because anything later can't see my hard drive.
> >>
> >> As background, my FBSD machine has an address of 192.168.1.110. It is
> >> situated behind a hardware firewall (a Linksys router). $pif is vr0.
> >>
> >> I'm having problems setting up IPFW to communicate with an Onion router.
> >> The puzzling part is that I am able to use the Onion router but my
> >> /var/log/security file says that some of the packets are being dropped.
> >>
> >> Following is what I hope are the pertinent lines from my /etc/ipfw.rules
> >> file:
> >>
> >> $cmd 00225 allow tcp from me to any 9001-9033 out via $pif setup keep-state
> >> $cmd 00299 deny log all from me to any out via $pif
> >> $cmd 00332 deny log tcp from any to me established in via $pif
> >>
> >> Next is an excerpt from the /var/log/security file:
> >>
> >> Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218 128.148.34.133:9001 out via vr0
> >> Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959 131.175.189.134:9001 out via vr0
> >> Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001 192.168.1.110:2218 in via vr0
> >> Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030 192.168.1.110:4566 in via vr0
> >>
> >> Now my questions. First, why isn't rule 225 allowing all the packets out
> >> to the Onion router? It seems to me that ipfw should allow all packets
> >> in the port range 9001-9033 out or none.
> >
> > Rule 225 will only match packets used to set up the tcp session; once
> > it's established you need another rule that will allow the established
> > session to function.
> >
> > Rule 299 is denying everything from leaving your machine except for
> > the packets allowed by rule 225.
>
> It appears that I didn't include enough of the ipfw.rules file.
> Following is another abstract:
>
> #################################################################
> # Allow the packet through if it has previously been added to the
> # "dynamic" rules table by an allow keep-state statement.
> #################################################################
> $cmd 00015 check-state
>
> It's my understanding that this rule allows through any returning
> packets that match the dynamic rule established by Rule 225.
>
> >> Next, the two inbound packets should be returning in response to an
> >> outbound packet. Why are they being dropped? Are they exceeding some
> >> timeout?
> >
> > Rule 332 is denying all established traffic from entering your
> > machine. So, while rule 225 allows you to establish a tcp session
> > with another system on ports 9001-9033, once the session is
> > established, rule 225 no longer applies and rule 332 is then throwing
> > all those packets away.
> >
> > -Glenn
>
> Part of my problem is that I don't understand the protocols being used
> by the Onion routers. It appears that Tor (the application on my machine
> that sets up the communication with the Onion routers) begins to
> communicate with the Onion routers as soon as it starts. This
> communication continues as long as the FBSD machine is alive. Really
> shook me up when I first started using Tor and Privoxy. I thought
> someone was hacking my machine :-)
>
> The really puzzling thing about this situation is that at least some of
> the messages concerning the Onion protocol are getting through. I can
> ask for www.google.com and sometimes it resolves to Google in Europe,
> sometimes to Google in Asia, and sometimes to Google here in the US.
> Ipfw appears to be only dropping some of the packets.
>
> Perhaps I should set up another machine to sniff the packets that occur.
> Maybe that would give me an idea of what is happening with the Onion
> protocol.
>
> In any event, thanks for your input to my problem, and if you have any
> other ideas I would appreciate them very much. I've been chewing on this
> problem the better part of a week.
>
> Thanks,
>
> Jim

check the output of

#ipfw show

and make sure the check-state line is there.

Your config says-

$cmd 00015 check-state

and I think... (at least on a 5.4 machine) it should say

$cmd 00015 add check-state
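To triage the /var/log/security excerpt quoted above, here is an added Python script (not from the thread and not part of FreeBSD or ipfw) that parses ipfw deny lines and groups them per TCP connection, so a flow dropped in both directions (state missing on the way out at rule 299 and on the way back at rule 332) stands out from a one-off drop. The embedded log is a copy of the four lines Jim posted; the host address 192.168.1.110 and the 9001-9033 range come from the message, and the flow labels are this script's own terminology.

```python
import re
from collections import defaultdict

# Constructed sample: the four /var/log/security lines quoted in the thread.
SAMPLE_LOG = """\
Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218 128.148.34.133:9001 out via vr0
Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959 131.175.189.134:9001 out via vr0
Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001 192.168.1.110:2218 in via vr0
Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030 192.168.1.110:4566 in via vr0
"""

# Shape of an ipfw log line: "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <ifc>"
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<ifc>\w+)")

ME = "192.168.1.110"           # the FreeBSD host, as stated in the thread
TOR_PORTS = range(9001, 9034)  # the remote port range rule 225 covers

def parse(log):
    """Yield (rule, direction, (local_ip, local_port), (remote_ip, remote_port)) per deny line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "Deny":
            continue
        # Normalise so "local" is always our side, whichever direction the packet went.
        if m["dir"] == "out":
            local, remote = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        else:
            local, remote = (m["dst"], int(m["dport"])), (m["src"], int(m["sport"]))
        yield int(m["rule"]), m["dir"], local, remote

def drops_by_flow(log):
    """Group denies by (local port, remote ip, remote port) so both directions of one
    TCP connection land in the same bucket: {flow: {"out": [rules], "in": [rules]}}."""
    flows = defaultdict(lambda: {"out": [], "in": []})
    for rule, direction, (lip, lport), remote in parse(log):
        if lip != ME:
            continue  # not one of this host's connections
        flows[(lport, *remote)][direction].append(rule)
    return dict(flows)

def classify(flows):
    """Label each flow 'both' when it was denied in both directions (what you see when
    no dynamic entry exists for it any more), else the one direction that was denied;
    the second field says whether the remote port is inside rule 225's range."""
    labels = {}
    for flow, d in flows.items():
        label = "both" if d["out"] and d["in"] else ("out" if d["out"] else "in")
        labels[flow] = (label, flow[2] in TOR_PORTS)
    return labels
```

Run it against the real file with `drops_by_flow(open("/var/log/security").read())`; a flow labelled "both" on an in-range port is the case the thread is discussing, so that is where to check `ipfw show` and the dynamic table first.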