Date:      10 Jun 2002 19:37:18 +0100
From:      "S. Roberts" <sroberts@dsl.pipex.com>
To:        FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject:   IPFW error, help?
Message-ID:  <1023734240.315.29.camel@Demon.Strobe.org>

Hello,
   I reloaded my firewall rules today and noticed a strange error on
restart:
00618 allow tcp from any to any 53 keep-state out xmit sis0 setup
ipfw: unknown argument ``setup''

What does this mean? It's not the only rule that has this structure, but
this one comes up with that error statement. I noted as well that rule
00619 does not get listed either from ipfw -tN l:

# ipfw -tN l
00002 Mon Jun 10 00:27:28 2002 deny udp from any to any router in recv sis0
00500                    check-state
00501                    deny tcp from any to any established
00502                    deny ip from any to any frag
00600                    allow tcp from any to any http keep-state out xmit sis0 setup
00601                    allow tcp from any to any https keep-state out xmit sis0 setup
00610                    allow tcp from any to resolver0.dial.pipex.net domain keep-state out xmit sis0 setup
00611 Mon Jun 10 00:25:51 2002 allow udp from any to resolver0.dial.pipex.net domain keep-state out xmit sis0
00615                    allow tcp from any to resolver1.dial.pipex.net domain keep-state out xmit sis0 setup
00616                    allow udp from any to resolver1.dial.pipex.net domain keep-state out xmit sis0
00618                    allow tcp from any to any domain keep-state out xmit sis0 setup
00630 Mon Jun 10 00:25:54 2002 allow tcp from any to any smtp,pop3 keep-state out xmit sis0 setup
00640                    allow tcp from any to any uid root keep-state out xmit sis0 setup
00641                    allow tcp from any to any uid root keep-state in recv sis0 setup
00642                    allow udp from me to any 33435-33500 keep-state out xmit sis0
00643                    allow icmp from any to me limit src-addr 2 in recv sis0 icmptype 3,11
<snip>

Is there a problem here, or am I not understanding something about the
way that IPFW works? Also, I noticed that /var/log/maillog is filling up
with tons (up to 12MB prior to log rotation) of deferred mail statements
- I take it that's the firewall preventing connections to localhost at
port 25? What could I do about that, if anything?

Do get back to me as soon as you can, please.

Stacey


Here're the rules as they are in /etc/firewall:

# cat /etc/firewall/fwrules

# Define firewall command
fwcmd="/sbin/ipfw"

# Flush rules list on start
$fwcmd -f flush

# Set Device variable parameters
oif="nic"
odns1="ISPDNS1"         # ISP dns server 1
odns2="ISPDNS2"         # ISP dns server 2

# Start of rules

$fwcmd add 00002 deny udp from any to any 520 in via $oif

# CONTROL SECTION
# Using check-state statements to match bi-directional traffic
# flow between source / destination using protocol/IP/port/sequence number

# The dynamic rule has a limited lifetime, controlled by a set
# of sysctl(8) variables. This lifetime is refreshed each time a
# matching packet is matched in the dynamic table

# Allow packet through if it has previously been added to
# the dynamic rules table by an allow keep-state statement

$fwcmd add 00500 check-state

# Deny late-arriving packets to prevent catching & logging by
# rules 800 or 900

$fwcmd add 00502 deny all from any to any frag

# Deny ACK packets that are not matched in dynamic rule table
$fwcmd add 00501 deny tcp from any to any established


# OUTBOUND SECTION
# Interrogate outbound packets originating from private lan
# Upon rule-match, its keep-state option creates dynamic rule

# Allow out www traffic
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
$fwcmd add 00601 allow tcp from any to any 443 out via $oif setup keep-state

# Allow out access to ISP dns servers
$fwcmd add 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
$fwcmd add 00611 allow udp from any to $odns1 53 out via $oif keep-state
$fwcmd add 00615 allow tcp from any to $odns2 53 out via $oif setup keep-state
$fwcmd add 00616 allow udp from any to $odns2 53 out via $oif keep-state

# Allow out access to Internet Domain name server
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

# Allow out send & get e-mail function
$fwcmd add 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FreeBSD maintenance functions (make install & CVSUP)
$fwcmd add 00640 allow tcp from any to any out via $oif setup keep-state uid root
$fwcmd add 00641 allow tcp from any to any in via $oif setup keep-state uid root
$fwcmd add 00642 allow udp from me to any 33435-33500 out via $oif keep-state
$fwcmd add 00643 allow icmp from any to me icmptype 3,11 in via $oif limit src-addr 2

# Allow out ping function
$fwcmd add 00650 allow icmp from any to any out via $oif keep-state

# Allow FTP control channel
$fwcmd add 00671 allow tcp from any to any 21 out via $oif setup keep-state

# Allow FTP data channel in
$fwcmd add 00672 allow tcp from any to any 20 in via $oif setup keep-state

# Allow out SSH
$fwcmd add 00680 allow tcp from any to any 22 out via $oif setup keep-state

# Allow out TELNET
$fwcmd add 00690 allow tcp from any to any 23 out via $oif setup keep-state

# Allow out Network Time Protocol (NTP) queries
$fwcmd add 00694 allow tcp from any to any 123 out via $oif setup keep-state
$fwcmd add 00695 allow udp from any to any 123 out via $oif keep-state

# Allow out TIME
$fwcmd add 00696 allow tcp from any to any 37 out via $oif setup keep-state
$fwcmd add 00697 allow udp from any to any 37 out via $oif keep-state

# Allow out IDENT
$fwcmd add 00700 allow tcp from any to any 113 out via $oif setup keep-state
$fwcmd add 00701 allow udp from any to any 113 out via $oif keep-state

# Allow out WHOIS
$fwcmd add 00712 allow tcp from any to any 43 out via $oif setup keep-state
$fwcmd add 00713 allow udp from any to any 43 out via $oif keep-state

# Allow out WHOIS++
$fwcmd add 00715 allow tcp from any to any 63 out via $oif setup keep-state
$fwcmd add 00716 allow udp from any to any 63 out via $oif keep-state

# Allow out FINGER
$fwcmd add 00720 allow tcp from any to any 79 out via $oif setup keep-state
$fwcmd add 00721 allow udp from any to any 79 out via $oif keep-state

# Allow out NNTP
$fwcmd add 00725 allow tcp from any to any 119 out via $oif setup keep-state
$fwcmd add 00726 allow udp from any to any 119 out via $oif keep-state

# Allow out GOPHER
$fwcmd add 00730 allow tcp from any to any 70 out via $oif setup keep-state
$fwcmd add 00731 allow udp from any to any 70 out via $oif keep-state


# INBOUND SECTION
# Interrogate packets originating from outside
# Statements here allow public requests for services

# Allow in WWW
#$fwcmd add 00800 allow tcp from any to any 80 in via $oif setup keep-state

# Deny & log all attempts to connect over httpd
$fwcmd add 00800 deny log tcp from any to any 80 in via $oif setup keep-state

# Allow TCP FTP control channel in and data channel out
$fwcmd add 00810 allow tcp from any to me 21 in via $oif setup keep-state
$fwcmd add 00811 allow tcp from any 20 to any 1024-49151 out via $oif setup keep-state

# CATCH-ALL SECTION

# Send RESET to all IDENT packets
$fwcmd add 00840 reset tcp from any to me 113 in via $oif

# Stop and LOG spoofing attack attempts
$fwcmd add 00850 deny log ip from me to me in via $oif

# Stop and LOG ping echo attacks
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif

# Reject and LOG all setup of incoming connections from outside
$fwcmd add 00900 deny log all from any to any in via $oif

# All else is denied by default
$fwcmd add 00910 deny log logamount 500 ip from any to any
#
-- 
Stacey Roberts B.Sc. (HONS) Computer Science
Network Systems Engineer
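What the error means, followed by an added example that is not part of the original post or of FreeBSD: in ipfw, "setup" matches TCP packets with SYN set and ACK clear, so it is accepted only on tcp rules. A udp rule carrying it is rejected with "unknown argument ``setup''" and is never installed. Since ipfw echoes each rule it has just added, the error printed right after the echo of rule 00618 belongs to the next command in the script, the udp rule 00619, which is why 00619 is missing from the "ipfw -tN l" listing. The Python linter below parses rules in the posted style (shell variables already expanded; the sample rules are constructed for this example) and reports the defects a reviewer would check for: TCP-only options on non-TCP rules, stateful rules numbered before the first check-state rule, and the absence of any rule passing traffic via lo0. FreeBSD's stock rc.firewall passes lo0 traffic before anything else; the posted set has no such rule, so loopback connections such as local mail delivery to 127.0.0.1 port 25 fall through to rule 00910, the final deny.

```python
import re

# Constructed sample in the style of the posted /etc/firewall/fwrules, with the
# shell variables ($fwcmd, $oif) already expanded.  Rule 00619 reproduces the
# line ipfw rejected; no rule passes loopback (lo0) traffic.
SAMPLE_RULES = """\
add 00002 deny udp from any to any 520 in via sis0
add 00500 check-state
add 00502 deny all from any to any frag
add 00501 deny tcp from any to any established
add 00600 allow tcp from any to any 80 out via sis0 setup keep-state
add 00618 allow tcp from any to any 53 out via sis0 setup keep-state
add 00619 allow udp from any to any 53 out via sis0 setup keep-state
add 00643 allow icmp from any to me icmptype 3,11 in via sis0 limit src-addr 2
add 00910 deny log logamount 500 ip from any to any
"""

# ipfw options that only make sense on TCP: 'setup' is SYN-without-ACK,
# 'established' is any packet with ACK or RST set.
TCP_ONLY_OPTIONS = {"setup", "established"}
# Options that create dynamic rules.  A keep-state rule also consults the
# dynamic table itself, but only when a packet reaches it in the list.
STATEFUL_OPTIONS = {"keep-state", "limit"}

RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+"
    r"(?P<action>allow|pass|accept|deny|drop|reset|check-state)"
    r"(?:\s+log(?:\s+logamount\s+\d+)?)?"
    r"(?:\s+(?P<proto>[a-z]+)\s+from\s+.+?\s+to\s+(?P<rest>.*))?\s*$"
)


def parse_rule(line):
    """Split one 'add NNN action [log] proto from A to B opts...' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised rule: %r" % line)
    rest = m.group("rest") or ""
    return {
        "num": int(m.group("num")),
        "action": m.group("action"),
        "proto": m.group("proto"),        # None for a bare check-state rule
        "options": set(rest.split()),     # destination, direction, interface, options
    }


def lint_rules(text):
    """Return a list of findings (strings) for a rule set in the posted style."""
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    check_state_nums = [r["num"] for r in rules if r["action"] == "check-state"]
    first_check_state = min(check_state_nums) if check_state_nums else None

    # ipfw evaluates rules in numeric order, not in the order they were added.
    for r in sorted(rules, key=lambda r: r["num"]):
        bad = TCP_ONLY_OPTIONS & r["options"]
        if bad and r["proto"] != "tcp":
            findings.append(
                "%05d: %s is a TCP-only option; ipfw rejects this %s rule with "
                "'unknown argument', so it is never installed"
                % (r["num"], ", ".join(sorted(bad)), r["proto"]))
        if (STATEFUL_OPTIONS & r["options"]
                and (first_check_state is None or first_check_state > r["num"])):
            findings.append(
                "%05d: stateful rule precedes the first check-state rule; reply "
                "packets are only matched against the dynamic table when they "
                "reach a stateful rule, so earlier rules may act on them first"
                % r["num"])

    if not any("lo0" in r["options"] for r in rules):
        findings.append(
            "no rule passes traffic via lo0; loopback connections such as local "
            "mail delivery to 127.0.0.1 port 25 fall through to the final deny")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Run against the sample it reports rule 00619 and the missing lo0 rule; feeding it the real fwrules after expanding $oif and the $odns variables (e.g. with sh -x) gives the same two findings for the posted set.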
