From owner-freebsd-questions  Mon Jan  7  1:19:21 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from hotmail.com (f190.law9.hotmail.com [64.4.9.190])
	by hub.freebsd.org (Postfix) with ESMTP id 091D837B416
	for <freebsd-questions@freebsd.org>; Mon,  7 Jan 2002 01:19:16 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Mon, 7 Jan 2002 01:19:15 -0800
Received: from 65.30.229.190 by lw9fd.law9.hotmail.msn.com with HTTP;
	Mon, 07 Jan 2002 09:19:15 GMT
X-Originating-IP: [65.30.229.190]
From: "Joe Parks" <pleaseworky@hotmail.com>
To: freebsd-questions@freebsd.org
Subject: weird problems with ipfw rule not applying itself...
Date: Mon, 07 Jan 2002 02:19:15 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F190cCoF7D5YnYccyeE00018dfa@hotmail.com>
X-OriginalArrivalTime: 07 Jan 2002 09:19:15.0985 (UTC) FILETIME=[60CBF810:01C1975C]
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

I have a 4.4-RELEASE acting as a gateway.  When I start out, my ruleset 
looks like this:

gateway# ipfw show
00100 43866683 26545107129 allow ip from any to any
65535        0           0 deny ip from any to any

Simple.  Let everything through, and it works great.  So then I decided to 
completely block UDP port 514 (syslogd), so I issued this command:

ipfw add 00050 deny udp from any to any 514

So now my ruleset looks like this:

gateway# ipfw show
00050        0           0 deny udp from any to any 514
00100 43866913 26545121843 allow ip from any to any
65535        0           0 deny ip from any to any


So far, so good.  The problem is, then I run `nmap` from an off network 
site, and nmap tells me that UDP 514 is _open_ (!)  How can this be ?

So I go back to the firewall and 'ipfw show' again, and I get:

gateway# ipfw show
00050        5         140 deny udp from any to any 514
00100 43866913 26545121843 allow ip from any to any
65535        0           0 deny ip from any to any


So as you can see, the counters for the UDP 514 rule were incremented and 
everything!  So how come nmap still shows UDP 514 as "open" ?

As a test, I closed some tcp ports with the exact same command (but with 
tcp, and port 443 this time) and nmap said those ports are filtered...so 
that works...and I also tried with udp port 161, but again, the rule is in, 
the rule counters even get incremented, but nmap still says the port is 
OPEN.

How can this be ?

any help appreciated - thanks!

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message