From owner-freebsd-questions@FreeBSD.ORG Tue Jul 19 01:10:19 2005
From: Jim Campbell <jim-c@charter.net>
Date: Mon, 18 Jul 2005 21:10:10 -0400
To: Dave McCammon
Cc: questions@freebsd.org
Subject: Re: Newbie IPFW Questions
Message-ID: <42DC52F2.70807@charter.net>
In-Reply-To: <20050718182009.51431.qmail@web32813.mail.mud.yahoo.com>
List-Id: User questions

Dave McCammon wrote:

> --- Jim Campbell wrote:
>
>> Glenn Dawson wrote:
>>
>>> At 08:18 PM 7/17/2005, Jim Campbell wrote:
>>>
>>>> I have a machine set up as a classroom to learn about FreeBSD. It is
>>>> running 4.11 primarily because anything later can't see my hard drive.
>>>> As background, my FBSD machine has an address of 192.168.1.110. It is
>>>> situated behind a hardware firewall (a Linksys router). $pif is vr0.
>>>> I'm having problems setting up IPFW to communicate with an Onion router.
>>>> The puzzling part is that I am able to use the Onion router but my
>>>> /var/log/security file says that some of the packets are being dropped.
>>>> Following is what I hope are the pertinent lines from my /etc/ipfw.rules
>>>> file:
>>>>
>>>> $cmd 00225 allow tcp from me to any 9001-9033 out via $pif setup
>>>> keep-state
>>>> $cmd 00299 deny log all from me to any out via $pif
>>>> $cmd 00332 deny log tcp from any to me established in via $pif
>>>>
>>>> Next is an excerpt from the /var/log/security file:
>>>>
>>>> Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218
>>>> 128.148.34.133:9001 out via vr0
>>>> Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959
>>>> 131.175.189.134:9001 out via vr0
>>>> Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001
>>>> 192.168.1.110:2218 in via vr0
>>>> Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030
>>>> 192.168.1.110:4566 in via vr0
>>>>
>>>> Now my questions. First, why isn't rule 225 allowing all the packets
>>>> out to the Onion router? It seems to me that ipfw should allow all
>>>> packets in the port range 9001-9033 out or none.
>>>
>>> Rule 225 will only match packets used to set up the tcp session; once
>>> it's established you need another rule that will allow the established
>>> session to function.
>>>
>>> Rule 299 is denying everything from leaving your machine except for
>>> the packets allowed by rule 225.
>>
>> It appears that I didn't include enough of the ipfw.rules file.
>> Following is another abstract:
>>
>> #################################################################
>> # Allow the packet through if it has previously been added to
>> # the "dynamic" rules table by an allow keep-state statement.
>> #################################################################
>> $cmd 00015 check-state
>>
>> It's my understanding that this rule allows through any returning
>> packets that match the dynamic rule established by Rule 225.
>>
>>>> Next, the two inbound packets should be returning in response to an
>>>> outbound packet. Why are they being dropped? Are they exceeding some
>>>> timeout?
>>>
>>> Rule 332 is denying all established traffic from entering your
>>> machine. So, while rule 225 allows you to establish a tcp session
>>> with another system on ports 9001-9033, once the session is
>>> established, rule 225 no longer applies and rule 332 is then throwing
>>> all those packets away.
>>>
>>> -Glenn
>>
>> Part of my problem is that I don't understand the protocols being used
>> by the Onion routers. It appears that Tor (the application on my
>> machine that sets up the communication with the Onion routers) begins
>> to communicate with the Onion routers as soon as it starts. This
>> communication continues as long as the FBSD machine is alive. Really
>> shook me up when I first started using Tor and Privoxy. I thought
>> someone was hacking my machine :-)
>>
>> The really puzzling thing about this situation is that at least some
>> of the messages concerning the Onion protocol are getting through. I
>> can ask for www.google.com and sometimes it resolves to Google in
>> Europe, sometimes to Google in Asia, and sometimes to Google here in
>> the US. Ipfw appears to be only dropping some of the packets.
>>
>> Perhaps I should set up another machine to sniff the packets that
>> occur. Maybe that would give me an idea of what is happening with the
>> Onion protocol.
>>
>> In any event, thanks for your input to my problem, and if you have any
>> other ideas I would appreciate them very much. I've been chewing on
>> this problem the better part of a week.
>>
>> Thanks,
>>
>> Jim
>
> check the output of
> #ipfw show
> and make sure the check-state line is there.
>
> Your config says-
> $cmd 00015 check-state
>
> and I think..(at least on a 5.4 machine)
> it should say
>
> $cmd 00015 add check-state

Dave,

#ipfw show does show that check-state is there.

I am using a 4.11 machine and $cmd = "ipfw -q add".

The command "#ipfw -a list" shows that there are many replies for each
outbound packet to port 9001.

I suppose that I should just let things be since the Tor service is
working satisfactorily and I sure have learned a lot about firewalls
while chasing this. And that is the whole point of my effort with FBSD.

Many thanks to all who have assisted me in this endeavor.

Jim
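A toy model of the first-match evaluation Glenn describes, added here as an example that is not code from the thread or from FreeBSD: it walks rules 15, 225, 299 and 332 against a constructed session to the peer in the logged lines and shows that once the dynamic entry created by rule 225 is gone (here after an assumed 300 s idle limit standing in for the net.inet.ip.fw.dyn_ack_lifetime sysctl), the next outbound packet falls through to rule 299 and its reply to rule 332, the same pair of log lines the thread shows for local port 2218. The 'established' match is approximated as ACK set, and ipfw's state-dependent entry lifetimes are not modelled.

```python
from collections import namedtuple

ME = "192.168.1.110"
TOR_PORTS = range(9001, 9034)  # the 9001-9033 range in rule 225
# t is seconds into the trace; direction is "in" or "out" via $pif.
Pkt = namedtuple("Pkt", "t src sport dst dport direction syn ack")

def evaluate(pkt, dyn, idle=300.0):
    """First-match walk of rules 15/225/299/332 from the thread.

    dyn maps a flow key to its last-seen time. idle is the assumed lifetime
    of a dynamic entry, standing in for net.inet.ip.fw.dyn_ack_lifetime.
    Returns (rule_number, action).
    """
    key = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    if key in dyn:                                   # 00015 check-state
        if pkt.t - dyn[key] <= idle:
            dyn[key] = pkt.t
            return 15, "allow"
        del dyn[key]                                 # expired: purged, not matched
    if (pkt.direction == "out" and pkt.src == ME and pkt.dport in TOR_PORTS
            and pkt.syn and not pkt.ack):            # 00225 ... setup keep-state
        dyn[key] = pkt.t
        return 225, "allow"
    if pkt.direction == "out" and pkt.src == ME:     # 00299 deny log all ... out
        return 299, "deny"
    if pkt.direction == "in" and pkt.dst == ME and pkt.ack:  # 00332 established in (ACK only; RST not modelled)
        return 332, "deny"
    return 65535, "deny"                             # default rule (default-deny assumed)

def trace(pkts):
    """Evaluate packets in order against one shared dynamic table."""
    dyn = {}
    return [evaluate(p, dyn) for p in pkts]

# Constructed session to the peer in the logged lines: handshake, one data
# packet, then an idle gap longer than the dynamic entry lives.
SESSION = [
    Pkt(0.0, ME, 2218, "128.148.34.133", 9001, "out", syn=True, ack=False),
    Pkt(0.1, "128.148.34.133", 9001, ME, 2218, "in", syn=True, ack=True),
    Pkt(1.0, ME, 2218, "128.148.34.133", 9001, "out", syn=False, ack=True),
    Pkt(400.0, ME, 2218, "128.148.34.133", 9001, "out", syn=False, ack=True),
    Pkt(400.1, "128.148.34.133", 9001, ME, 2218, "in", syn=False, ack=True),
]

if __name__ == "__main__":
    for p, (rule, action) in zip(SESSION, trace(SESSION)):
        print(f"t={p.t:6.1f} {p.direction:3} {p.src}:{p.sport} -> "
              f"{p.dst}:{p.dport}  rule {rule:5} {action}")
```

Raising `idle` above the gap makes every packet after the SYN match at rule 15, which is the behaviour the check-state rule is meant to give.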