From owner-freebsd-security@FreeBSD.ORG Thu Dec 20 18:35:21 2007
Return-Path: 
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B2FDF16A419 for ; Thu, 20 Dec 2007 18:35:21 +0000 (UTC) (envelope-from piechota@argolis.org)
Received: from kythira.argolis.org (kythira.argolis.org [64.22.103.203]) by mx1.freebsd.org (Postfix) with ESMTP id 6070513C45D for ; Thu, 20 Dec 2007 18:35:12 +0000 (UTC) (envelope-from piechota@argolis.org)
Received: from kythira.argolis.org (localhost.localdomain [127.0.0.1]) by kythira.argolis.org (8.13.1/8.13.1) with ESMTP id lBKHoJKh026337; Thu, 20 Dec 2007 12:50:20 -0500
Received: (from apache@localhost) by kythira.argolis.org (8.13.1/8.13.1/Submit) id lBKHoHZn026336; Thu, 20 Dec 2007 12:50:17 -0500
X-Authentication-Warning: kythira.argolis.org: apache set sender to piechota@argolis.org using -f
Received: from 192.35.35.35 (SquirrelMail authenticated user piechota) by webmail.argolis.org with HTTP; Thu, 20 Dec 2007 12:50:16 -0500 (EST)
Message-ID: <18704.192.35.35.35.1198173016.squirrel@webmail.argolis.org>
In-Reply-To: <20071220063926.4B2D113C457@mx1.freebsd.org>
References: <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org> <20071217065144.83F6013C447@mx1.freebsd.org> <47664621.50909@iki.fi> <20071220063926.4B2D113C457@mx1.freebsd.org>
Date: Thu, 20 Dec 2007 12:50:16 -0500 (EST)
From: "Matt Piechota" 
To: "W. D." 
User-Agent: SquirrelMail/1.4.8-4.0.1.el4.centos
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: freebsd-security@freebsd.org, Tuomo Latto 
Subject: Re: IPFW: Blocking me out. How to debug?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Thu, 20 Dec 2007 18:35:21 -0000

On Thu, December 20, 2007 1:39 am, W. D. wrote:

I'm no expert on firewalls, so take this with a grain of salt.

>>> # Loopback:
>>> # Allow anything on the local loopback:
>>> add allow all from any to any via lo0
>>> add deny ip from any to 127.0.0.0/8
>>> add deny ip from 127.0.0.0/8 to any
>> Nope.

>>> # Allow established connections:
>>> add allow tcp from any to any established
>> Nope.

>>> # Deny fragmented packets:
>>> add deny ip from any to any frag

Perhaps this is the issue? I would think that if an IP fragment comes in,
it's specifically *not* an established TCP connection (yet), so it would be
blocked by this rule. No IP fragments means they don't have a chance to be
reassembled into an actual packet. All the profiles in rc.firewall
specifically allow IP frags, so I'd think they're required.

> Could anyone please throw this tired dog a bone?

Fetch! :)

-- 
Matt Piechota
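Editor's note: the following is an added illustration of the fragment problem discussed in the message above. It is not part of the original mail and is not ipfw's own code; it is a small first-match rule evaluator that models only the options the quoted rules use, with the semantics ipfw(8) documents: `established` matches TCP packets with ACK or RST set, and `frag` matches non-first fragments, which carry no TCP header, so options that inspect that header cannot match them. The addresses, interface names and the two-fragment datagram are constructed sample data; the "fixed" ruleset swaps the deny-frag rule for the pass-fragments rule the rc.firewall profiles use.

```python
"""First-match simulator for the ipfw rules quoted in the mail.

Added example, not part of the original message and not ipfw's own code.
It models only: protocol and address matching, `via <iface>`,
`established` and `frag`, following ipfw(8):
  * `established` matches TCP packets with ACK or RST set;
  * `frag` matches non-first fragments, which carry no TCP/UDP header,
    so options that look into that header (like `established`) cannot match.
Addresses, interfaces and packets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    iface: str = "em0"              # interface the packet is seen on
    frag_offset: int = 0            # > 0: non-first fragment, no L4 header present
    tcp_flags: frozenset = frozenset()

    @property
    def nonfirst_fragment(self) -> bool:
        return self.frag_offset > 0


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: str, pkt: Packet) -> bool:
    """Rule grammar: '<action> <proto> from <src> to <dst> [options...]'."""
    tok = rule.split()
    proto, src, dst, opts = tok[1], tok[3], tok[5], tok[6:]
    if proto not in ("all", "ip", pkt.proto):
        return False
    if not (_addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst)):
        return False
    i = 0
    while i < len(opts):
        opt = opts[i]
        if opt == "via":                     # packet seen on the named interface
            if pkt.iface != opts[i + 1]:
                return False
            i += 2
            continue
        if opt == "established":             # needs the TCP header: absent on non-first fragments
            if pkt.proto != "tcp" or pkt.nonfirst_fragment:
                return False
            if not (pkt.tcp_flags & {"ACK", "RST"}):
                return False
        elif opt == "frag":                  # non-first fragment of a datagram
            if not pkt.nonfirst_fragment:
                return False
        else:
            raise ValueError(f"option not modelled: {opt!r}")
        i += 1
    return True


def evaluate(rules, pkt, default="deny"):
    """ipfw is first-match: return (action, matching rule), else the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.split()[0], rule
    return default, None


def datagram_reassembles(rules, fragments) -> bool:
    """A fragmented datagram only reaches the stack if every fragment passes."""
    return all(evaluate(rules, f)[0] == "allow" for f in fragments)


# The order quoted in the thread: loopback rules, established, deny frag.
POSTED_RULES = [
    "allow all from any to any via lo0",
    "deny ip from any to 127.0.0.0/8",
    "deny ip from 127.0.0.0/8 to any",
    "allow tcp from any to any established",
    "deny ip from any to any frag",
]
# Same ruleset with the deny-frag rule replaced by the pass-fragments rule
# the rc.firewall profiles use.
FIXED_RULES = POSTED_RULES[:4] + ["allow all from any to any frag"]

# Constructed sample: one large TCP segment of an established session split
# into two fragments. Only the first carries the TCP header (ACK set); the
# second is a bare IP fragment at a non-zero offset.
FIRST_FRAG = Packet("tcp", "192.0.2.10", "198.51.100.5", tcp_flags=frozenset({"ACK"}))
SECOND_FRAG = Packet("tcp", "192.0.2.10", "198.51.100.5", frag_offset=185)
LOOPBACK = Packet("tcp", "127.0.0.1", "127.0.0.1", iface="lo0", tcp_flags=frozenset({"ACK"}))
SPOOFED_LO = Packet("tcp", "127.0.0.1", "198.51.100.5", iface="em0", tcp_flags=frozenset({"ACK"}))

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(name, "first fragment  ->", evaluate(rules, FIRST_FRAG))
        print(name, "second fragment ->", evaluate(rules, SECOND_FRAG))
        print(name, "datagram reassembles:", datagram_reassembles(rules, [FIRST_FRAG, SECOND_FRAG]))
    print("loopback        ->", evaluate(POSTED_RULES, LOOPBACK))
    print("127/8 src on em0 ->", evaluate(POSTED_RULES, SPOOFED_LO))
```

With the posted order the first fragment is accepted by the `established` rule but the second one, having no TCP header to match against, falls through to `deny ip from any to any frag` and the datagram never reassembles; with the rc.firewall-style pass-fragments rule both pieces arrive. The simulator deliberately ignores `setup`, `keep-state`, the MF bit and everything else the real packet filter does, so treat it as an explanation of rule order, not as a substitute for testing on the box. Later ipfw releases also provide a `reass` action that reassembles fragments inside the firewall before the remaining rules see them.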