Date:      Mon, 17 Dec 2007 11:49:21 +0200
From:      Tuomo Latto <djv@iki.fi>
To:        freebsd-security@freebsd.org
Subject:   Re: IPFW: Blocking me out.  How to debug?
Message-ID:  <47664621.50909@iki.fi>
In-Reply-To: <20071217065144.83F6013C447@mx1.freebsd.org>
References:  <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org> <20071217065144.83F6013C447@mx1.freebsd.org>

W. D. wrote:
> How do I tell which rule is blocking me out?  SSH *is* working,
> but others are not.

It all depends on what you mean by "blocking you out" and "others".


Did you try *reading* your fw config?

>         # Loopback:
>         # Allow anything on the local loopback:
>         add allow all from any to any via lo0
>         add deny ip from any to 127.0.0.0/8
>         add deny ip from 127.0.0.0/8 to any
Nope.
>         # Allow established connections:
>         add allow tcp from any to any established
Nope.
>         # Deny fragmented packets:
>         add deny ip from any to any frag
Nope.
>         # Show pings:
>         add count icmp from any to any icmptypes 8 in
Nope.
>         # Allow pings, ping replies, and host unreach:
>         add allow icmp from any to any icmptypes 0,8,3
Nope.
>         # Allow UDP traceroutes:
>         add allow udp from any to any 33434-34458 in
>         add allow udp from any 33434-34458 to any out
Nope.
>         # Allow DNS with name server
>         add allow udp from any to any domain out
>         add allow udp from any domain to any in
Nope.
>         # SSH
>         #  Note that /etc/hosts.allow has restrictions
>         #  on which IP addresses are allowed.
>         #
>         # Allow SSH:
>         add allow tcp from any to any ssh in setup
Nope, but this explains SSH working.
>         # HTTP & HTTPS:
>         add allow tcp from any to any https in setup
>         add allow tcp from any to any http in setup
Nope.
>         # Mail: SMTP & IMAP:
>         add allow tcp from any to any smtp in setup
>         add allow tcp from any to any imap in setup
Nope.
>         # FTP:
>         add allow tcp from any to any ftp in setup
>         add allow tcp from any to any ftp\-data in setup
>         add allow tcp from any ftp\-data to any setup out
Nope.
>         # Allow NTP in and out
>         add allow udp from any ntp to 128.252.19.1 ntp out
>         add allow udp from 128.252.19.1 ntp to any ntp in
Nope.
>         # Deny and log everything else:
>         add deny log all from any to any
Bingo!


"ipfw -a list" may also help (packet counts).


> In the kernel config file, is a limit of 10 too small?

You tell us.
http://www.defcon1.org/html/NATD-config/firewall-setup/ipfw-2.html


-- 
Tuomo

... She's dead, Jim. Should we bury her or have some fun?
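Putting the two hints from this reply into practice, as an added example that is not part of the original thread: a POSIX shell snippet that pulls the deny rules with non-zero packet counters out of `ipfw -a list` output and summarises the kernel log lines produced by the final `deny log` rule by destination port and direction. The column layouts are those ipfw prints on FreeBSD, but the sample rule numbers, addresses and counts below are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of "ipfw -a list" output: rule#, packets, bytes, rule body.
IPFW_LIST='00100 1402 98213 allow ip from any to any via lo0
00200 0 0 deny ip from any to any dst-ip 127.0.0.0/8
00300 8821 5311002 allow tcp from any to any established
01000 37 2220 allow tcp from any to any dst-port 22 in setup
65000 214 12840 deny log ip from any to any
65535 0 0 deny ip from any to any'

# Constructed sample of /var/log/security lines written by the "deny log" rule.
IPFW_LOG='Dec 17 11:40:02 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:51234 198.51.100.2:993 in via em0
Dec 17 11:40:05 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:51235 198.51.100.2:993 in via em0
Dec 17 11:41:17 gw kernel: ipfw: 65000 Deny UDP 198.51.100.2:123 192.0.2.1:123 out via em0
Dec 17 11:42:00 gw kernel: ipfw: 65000 Deny TCP 203.0.113.9:40000 198.51.100.2:25 in via em0'

# Print "rule# packets" for every deny rule whose counter is non-zero:
# these are the rules that have actually dropped something.
hit_deny_rules() {
  printf '%s\n' "$1" | awk '$2 > 0 && $4 == "deny" { print $1, $2 }'
}

# Count denied packets per (rule, protocol, destination port, direction),
# most frequent first. ICMP entries carry no port, so they get "-".
summarise_denies() {
  printf '%s\n' "$1" | awk '
    /ipfw: [0-9]+ Deny/ {
      for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
      rule = $(i + 1); proto = $(i + 3); dst = $(i + 5); dir = $(i + 6)
      n = split(dst, a, ":"); port = (n > 1) ? a[n] : "-"
      count[rule " " proto " dport " port " " dir]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Stand-alone usage on the constructed data; on a live box feed it
# "$(ipfw -a list)" and "$(grep 'ipfw:' /var/log/security)" instead.
hit_deny_rules "$IPFW_LIST"
summarise_denies "$IPFW_LOG"
```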