From: "Andras Kende" <andras@kende.com>
To: "'Gerard Meijer'"
Date: Mon, 3 Jan 2005 12:59:19 -0600
Subject: RE: ipfw question (FreeBSD 4.11)
In-Reply-To: <068101c4f1c2$26f11620$9600000a@guus>
Message-Id: <20050103185910.361BA43D39@mx1.FreeBSD.org>
List-Id: User questions (freebsd-questions@freebsd.org)

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Gerard Meijer
Sent: Monday, January 03, 2005 12:29 PM
To: freebsd-questions@freebsd.org
Subject: ipfw question (FreeBSD 4.11)

I run the Apache webserver on my server with FreeBSD 4.11. I have a question about ipfw.

I have the following rules in my /etc/ipfw.conf:

    $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
    $cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state

(with $pif being my NIC)

Now, everything works fine for me, but I get a lot (and I mean a lot) of these kinds of messages in my log:

    [Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out via em0
    [Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via em0

(with a.b.c.d being my IP and e.f.g.h being somebody else's IP).

I guess these people are not surfing through port 80??? Correct me if I'm wrong.

How can I change ipfw's rules so that these people aren't blocked anymore?

Thanks in advance!


Hello,

I'm not 100% sure, but if I remember correctly you need to put "established" before the webserver rule:

    # Allow TCP through if setup succeeded:
    ${fwcmd} add pass tcp from any to any established
    # Allow setup of incoming http:
    ${fwcmd} add pass tcp from any to any 80 setup

    [Cc][Ll][Ii][Ee][Nn][Tt])
        ############
        # This is a prototype setup that will protect your system somewhat
        # against people from outside your own network.
        ############

        # set these to your network and netmask and ip
        ip="aaa.bbb.ccc.ddd"

        setup_loopback

        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming services
        ${fwcmd} add pass tcp from any to ${ip} 21,22,25,53,80,110,143,443,993,10000 setup

        # Allow setup of PASV FTP
        ${fwcmd} add pass tcp from any to ${ip} 10001-10100 setup

        # Allow setup of outgoing TCP connections only
        ${fwcmd} add pass log tcp from ${ip} to any setup

        # Disallow setup of all other TCP connections
        ${fwcmd} add deny log tcp from any to any setup

        # Allow DNS queries
        ${fwcmd} add pass udp from any to any 53
        ${fwcmd} add pass udp from any 53 to any

        # Allow NTP
        ${fwcmd} add pass udp from any to any 123

        # ICMP
        ${fwcmd} add pass log icmp from any to any icmptypes 3,4,11,12

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        ;;

Best regards,
Andras Kende
http://www.kende.com
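An added example, not part of this thread and not Gerard's or Andras's code, for the diagnosis step that comes before changing the ruleset: a small Python script that parses /kernel ipfw log lines in the format shown in the question and tallies the Deny entries by rule number, direction and peer address, separating the server's own outbound replies from local port 80 (the rule 299 lines) from inbound packets aimed at port 80 (the rule 499 lines). The log lines, the addresses (192.0.2.10 standing in for a.b.c.d) and the local_ip argument are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data) in the FreeBSD 4.x ipfw log format:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# 192.0.2.10 plays the webserver (a.b.c.d in the question); the others are peers.
SAMPLE_LOG = """\
Jan  3 12:01:05 www /kernel: ipfw: 299 Deny TCP 192.0.2.10:80 198.51.100.7:4472 out via em0
Jan  3 12:01:06 www /kernel: ipfw: 499 Deny TCP 198.51.100.7:1882 192.0.2.10:80 in via em0
Jan  3 12:01:09 www /kernel: ipfw: 499 Deny TCP 203.0.113.5:3311 192.0.2.10:80 in via em0
Jan  3 12:02:00 www /kernel: ipfw: 299 Deny TCP 192.0.2.10:80 198.51.100.7:4473 out via em0
Jan  3 12:02:30 www /kernel: ipfw: 499 Deny TCP 203.0.113.5:3312 192.0.2.10:22 in via em0
Jan  3 12:02:31 www /kernel: ipfw: 400 Accept TCP 203.0.113.9:4000 192.0.2.10:80 in via em0
Jan  3 12:02:40 www /kernel: some unrelated message
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_denies(log_text, local_ip, service_port=80):
    """Tally Deny lines by (rule, direction) and by peer address.

    Also counts how many denies concern the service itself:
      replies  - outbound packets leaving local_ip:service_port (the server's
                 own answers being dropped, rule 299 in the question)
      requests - inbound packets aimed at local_ip:service_port (rule 499)
    Because a "setup" rule only matches SYN segments, non-SYN segments that
    have no live keep-state entry match neither rule and fall through to the
    deny rules; many replies and requests for the same peers is that pattern.
    """
    by_rule = Counter()
    by_peer = Counter()
    replies = 0
    requests = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        by_rule[(rec["rule"], rec["direction"])] += 1
        if rec["direction"] == "out":
            peer = rec["dst"]
            if rec["src"] == local_ip and rec["sport"] == service_port:
                replies += 1
        else:
            peer = rec["src"]
            if rec["dst"] == local_ip and rec["dport"] == service_port:
                requests += 1
        by_peer[peer] += 1
    return {
        "by_rule": dict(by_rule),
        "by_peer": dict(by_peer),
        "service_replies_denied": replies,
        "service_requests_denied": requests,
    }


if __name__ == "__main__":
    report = summarize_denies(SAMPLE_LOG, local_ip="192.0.2.10")
    for (rule, direction), n in sorted(report["by_rule"].items()):
        print(f"rule {rule:5d} {direction:3s}: {n} denied")
    for peer, n in Counter(report["by_peer"]).most_common():
        print(f"peer {peer}: {n} denied")
    print("denied replies from :80 :", report["service_replies_denied"])
    print("denied requests to :80  :", report["service_requests_denied"])
```

Run it against the real file with `summarize_denies(open("/var/log/messages").read(), local_ip="a.b.c.d")`; if nearly every 299 line has a source port of 80 and nearly every 499 line a destination port of 80, the denies are mid-stream segments of web flows rather than traffic to other ports, which is the situation the "established" rule in the reply is meant to cover.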