Date:      Mon, 07 Jan 2002 02:19:15 -0700
From:      "Joe Parks" <pleaseworky@hotmail.com>
To:        freebsd-questions@freebsd.org
Subject:   weird problems with ipfw rule not applying itself...
Message-ID:  <F190cCoF7D5YnYccyeE00018dfa@hotmail.com>

I have a 4.4-RELEASE acting as a gateway.  When I start out, my ruleset 
looks like this:

gateway# ipfw show
00100 43866683 26545107129 allow ip from any to any
65535        0           0 deny ip from any to any

Simple.  Let everything through, and it works great.  So then I decided to 
completely block UDP port 514 (syslogd), so I issued this command:

ipfw add 00050 deny udp from any to any 514

So now my ruleset looks like this:

gateway# ipfw show
00050        0           0 deny udp from any to any 514
00100 43866913 26545121843 allow ip from any to any
65535        0           0 deny ip from any to any


So far, so good.  The problem is, then I run `nmap` from an off-network 
site, and nmap tells me that UDP 514 is _open_ (!)  How can this be?

So I go back to the firewall and 'ipfw show' again, and I get:

gateway# ipfw show
00050        5         140 deny udp from any to any 514
00100 43866913 26545121843 allow ip from any to any
65535        0           0 deny ip from any to any


So as you can see, the counters for the UDP 514 rule were incremented and 
everything!  So how come nmap still shows UDP 514 as "open"?

As a test, I closed some tcp ports with the exact same command (but with 
tcp, and port 443 this time) and nmap said those ports are filtered...so 
that works...and I also tried with udp port 161, but again, the rule is in, 
the rule counters even get incremented, but nmap still says the port is 
OPEN.

How can this be?

Any help appreciated - thanks!
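
The observation above (counters increment, nmap still says "open" for UDP but "filtered" for TCP) comes down to what a scanner can infer from the wire. The following is an added illustration, not code from the post or from FreeBSD: it models the gateway's action on a probe and the classification a port scanner derives from the response. Action names, response constants and the hypothetical `scanner_view` helper are constructed for this example; ipfw's `deny` (silent discard) and `unreach` (discard plus ICMP error) actions are real, but their effect here is simulated, not executed.

```python
from typing import Optional

# Observable responses to a single probe (constructed for this example).
UDP_REPLY = "udp-reply"
ICMP_PORT_UNREACH = "icmp-port-unreachable"
SYN_ACK = "syn-ack"
RST = "rst"
NO_RESPONSE = None

def classify_tcp_port(response: Optional[str]) -> str:
    """TCP SYN scan: all three outcomes are distinguishable on the wire."""
    if response == SYN_ACK:
        return "open"
    if response == RST:
        return "closed"
    return "filtered"     # neither SYN/ACK nor RST: something dropped the SYN

def classify_udp_port(response: Optional[str]) -> str:
    """UDP scan: silence is ambiguous. nmap releases of the 4.4-RELEASE era
    printed the no-response case as plain "open"; later releases print
    "open|filtered". Either way the probe was not refused."""
    if response == UDP_REPLY:
        return "open"
    if response == ICMP_PORT_UNREACH:
        return "closed"
    return "open|filtered"

def gateway_response(proto: str, action: str, listening: bool) -> Optional[str]:
    """Response the scanner sees after the gateway applies `action`.
    "deny" models ipfw deny (silent discard); "unreach" models ipfw's unreach
    action (discard, then ICMP port unreachable); "allow" passes the probe
    to a host that either runs the service or does not."""
    if action == "deny":
        return NO_RESPONSE              # counters increment, nothing goes back
    if action == "unreach":
        assert proto == "udp", "only modelled for UDP in this example"
        return ICMP_PORT_UNREACH
    if proto == "tcp":
        return SYN_ACK if listening else RST
    # UDP daemons such as syslogd stay silent on an unsolicited datagram,
    # so a listening service looks exactly like a silently dropped probe.
    return NO_RESPONSE if listening else ICMP_PORT_UNREACH

def scanner_view(proto: str, action: str, listening: bool) -> str:
    """Hypothetical helper: classification a scanner reports for one port."""
    resp = gateway_response(proto, action, listening)
    return classify_tcp_port(resp) if proto == "tcp" else classify_udp_port(resp)
```

Run `scanner_view("udp", "deny", True)` and `scanner_view("udp", "allow", True)` to see that a denied UDP probe and an open, silent UDP service produce the same verdict, while the TCP case cleanly reports "filtered".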
