Date: Tue, 22 Jan 2002 20:04:46 -0500 (EST)
From: Scott Nolde <scott@smnolde.com>
To: Ray Kohler <rkohler1@cox.rr.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: Some questions about ipfw
Message-ID: <20020122200126.A48937-100000@bsd.smnolde.com>
In-Reply-To: <0e9d45329001712FE6@Mail6.mgfairfax.rr.com>
Thus sayeth the previous author:

>Date: Tue, 22 Jan 2002 19:33:06 -0500
>From: Ray Kohler <rkohler1@cox.rr.com>
>To: freebsd-questions@FreeBSD.ORG
>Subject: Some questions about ipfw
>
>I have a protect-this-client-only firewall set up here,
>and I'm not sure that my rules are good. It's very simple:
>
>ipfw add allow ip from any to any via lo0
>ipfw add allow tcp from me to any keep-state
>ipfw add allow udp from me to any keep-state
>ipfw add allow icmp from me to any keep-state
>ipfw add allow icmp from any to me icmptype 3
>ipfw add deny log ip from any to any
>
>(No, I'm not using rc.firewall and not running natd.) I
>intend to let anything out and nothing in that isn't part
>of an established connection (and of course the ICMP type 3 packets).

Perhaps you should use rc.firewall. firewall_type="CLIENT" is a good start.

>I have 3 questions:
>
>1) Why does the rc.firewall script use "setup" and "established" rules
>for tcp instead of keep-state like it does for udp?

Setup will allow the SYN packet through and established lets the rest of
the session's packets through.

>2) Are these rules sufficient for my purpose?

You have essentially allowed your computer to send, but not receive.

>3) I'm having trouble fetching ports even with
>FETCH_CMD= fetch -p set in make.conf. Eventually I get the file,
>but not until after a lot of servers are tried. In my logs I see a lot of:
>
>Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
>Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
>Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
>Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
>
>where the "from" IPs belong to about a dozen ftp servers I've tried,
>and the packet arrives a few minutes after fetch has given up on that server.
>(Why are these servers contacting me when I'm using passive
>ftp, anyway?)

This is a normal response after instituting the rules you've set forth.

>
>Thanks to all for reading such a long post.
>

np

>Ray Kohler

Scott Nolde
GPG Key 0xD869AB48
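The "ipfw: 600 Deny" lines quoted in the thread are the kind of thing worth summarising before deciding whether a ruleset is too tight. The script below is an added example, not code from either poster or from FreeBSD: it parses the TCP/UDP form of an ipfw log line, groups the denied packets by remote address and port, and labels each group by direction and by whether the local destination port looks like an ephemeral client port. The local address (24.163.113.25, taken from the quoted log), the 1024 ephemeral-port threshold and the labels are assumptions made for the example; ICMP log lines, which carry no ports, are deliberately not matched.

```python
import re
from collections import OrderedDict

# Constructed sample input: the four "ipfw: 600 Deny" lines quoted in the
# thread above; 24.163.113.25 is the local host ("me") in that post.
SAMPLE_LOG = """\
Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
"""

LOCAL_HOST = "24.163.113.25"  # assumption for the example, taken from the quoted log

# Heuristic (an assumption, not something the thread states): a local
# destination port at or above 1024 is treated as an ephemeral client port,
# so an inbound packet to it is most likely a reply to a connection the
# client itself opened rather than an unsolicited connection attempt.
EPHEMERAL_FIRST = 1024

# Matches only the TCP/UDP form of an ipfw log line (src:port dst:port).
IPFW_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_line(line):
    """Return a dict for one ipfw TCP/UDP log line, or None if it does not match."""
    m = IPFW_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec, local_host=LOCAL_HOST):
    """Label a denied packet by direction and by the local port it was aimed at."""
    if rec["dir"] == "out":
        return "outbound-denied"
    if rec["dst"] != local_host:
        return "not-for-this-host"
    if rec["dport"] >= EPHEMERAL_FIRST:
        return "reply-to-client-connection"
    return "unsolicited-inbound"


def summarize(log_text, local_host=LOCAL_HOST):
    """Group denied packets by (remote address, remote port).

    Each entry records the packet count, the local ports targeted, the first
    and last timestamp seen, and the classification of the group.
    """
    summary = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        key = (rec["src"], rec["sport"])
        entry = summary.setdefault(key, {
            "count": 0, "dports": set(), "first": rec["ts"], "last": rec["ts"],
            "kind": classify(rec, local_host),
        })
        entry["count"] += 1
        entry["dports"].add(rec["dport"])
        entry["last"] = rec["ts"]
    return summary


if __name__ == "__main__":
    for (src, sport), e in summarize(SAMPLE_LOG).items():
        print("%s:%d -> local ports %s  x%d  %s .. %s  %s" % (
            src, sport, sorted(e["dports"]), e["count"], e["first"], e["last"], e["kind"]))
```

Run against the quoted lines, both groups come out as inbound packets aimed at local ports above 1023 (1032 and 1039), i.e. traffic addressed to ports the client itself had opened; the same grouping applied to a day's worth of `deny log` output makes it easy to separate that class from genuine unsolicited probes at well-known ports.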