From: "Drew Robertson"
To: freebsd-questions@freebsd.org
Date: Tue, 23 Dec 2003 14:09:42 +0000
Subject: IPFW Rule set question...
List-Id: User questions

Hi everyone,

Thanks to those who take the time to read and reply to these emails.

I have a strange issue regarding my firewall (IPFW)... I have enabled SSH, TELNET and FTP on my FreeBSD 4.8 box at home. It is dual homed: 2 NICs, one for the internal LAN, one running my cable modem. Everything works fine on the internal side. When accessing the box using any of those apps from work, the system looks to briefly connect and then returns a "Connection Lost" or "Connection closed by remote host" error. The command setup to allow in access is as follows...
820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup

When this didn't work I added another command at the start of the ruleset to just let everything in from a particular IP address range...

202 allow ip from 203.10.10.0/24 to any

However this produced the same error... It wasn't until I allowed all from any to any that I was able to connect... When checking out the security log, it tells me that rule 820 is allowing access to my computer at home...

Ruleset is attached completely below.

/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
cmd="/sbin/ipfw -q add"

# Set defaults
oif="tl0"               # NIC card to cable modem public internet connection
odns1="203.2.75.132"    # ISP's DNS server IP address

$cmd 00200 divert natd all from any to any via $oif

######## control section ############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behavior is to match bi-directional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd 00202 allow log all from 203.10.10.0/24 to any
$cmd 00203 allow log all from any to any via tun0
$cmd 00400 check-state

# SAMBA File/Printer Sharing on Internal LAN
$cmd 0410 allow log tcp from 192.168.1.0/24 to 192.168.1.0/24
$cmd 0411 allow log udp from 192.168.1.0/24 to 192.168.1.0/24

# Run all private LAN xl0 packet traffic through the dynamic rules
# table so the IP addresses are in sync with natd.
$cmd 00500 allow log all from any to any via sis0 keep-state

# Deny all fragments as bogus packets
$cmd 00530 deny log all from any to any frag in via $oif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00540 deny log tcp from any to any established in via $oif

######## outbound section ############################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.

# Allow out non-secure standard http function
$cmd 00600 allow log tcp from any to any 80 out via $oif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00601 allow log tcp from any to any 443 out via $oif setup keep-state

# Allow out access to my ISP's Domain name server.
$cmd 00610 allow log tcp from any to $odns1 53 out via $oif setup keep-state
$cmd 00611 allow log udp from any to $odns1 53 out via $oif keep-state

# Allow out send & get email function
$cmd 00630 allow log tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP) functions
# Basically give user id [ROOT] "GOD" privileges.
$cmd 00640 allow log tcp from me to any out via $oif setup keep-state uid root

######## inbound section ############################################
# Interrogate packets originating from in front of the firewall, public net.

# Allow in www http access to my apache server
#$cmd 00800 allow log tcp from any to any 80 in via $oif setup keep-state limit src-addr 4

# Allow TCP FTP control channel in & data channel out
$cmd 00810 allow log tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
$cmd 00811 allow log tcp from any 20 to any 1024-49151 out via $oif setup keep limit src-addr 4

# Allow in ssh function
$cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4

# Allow in Telnet
$cmd 00830 allow log tcp from any to me 23 in via $oif setup keep-state limit src-addr 4

Thanks.
D