Date: Fri, 06 Aug 2004 13:54:05 +0900 From: SrotBULL <pwd8jmr22w@me.point.ne.jp> To: Giorgos Keramidas <keramida@ceid.upatras.gr> Cc: freebsd-questions@freebsd.org Subject: Re: IPFW - Allowed but Denied is shown in my logs Message-ID: <41130EED.4080401@me.point.ne.jp> In-Reply-To: <20040804110609.GA4366@orion.daedalusnetworks.priv> References: <41109ABF.4090904@me.point.ne.jp> <20040804103848.GA31620@orion.daedalusnetworks.priv> <4110C905.4080108@me.point.ne.jp> <20040804110609.GA4366@orion.daedalusnetworks.priv>
Giorgos Keramidas wrote:
> On 2004-08-04 20:31, Srot BULL <pwd8jmr22w@me.point.ne.jp> wrote:
>
>>>On 2004-08-04 17:13, Srot BULL <pwd8jmr22w@me.point.ne.jp> wrote:
>>>
>>>>Why are the above firewall logs telling me that it has denied my TCP
>>>>packets and yet I am not experiencing some problems in my emails and
>>>>access to the internet through port 80. [...]
>>>
>>>Giorgos Keramidas wrote:
>>>Show us the full ruleset. Otherwise we're just guessing...
>
>>$CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root
> Hmm. I'm not sure if this is a good idea, but it's unrelated to the
> denied packets you're seeing :-/

I will RTFM about this... Thank you.

>>$CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
>>$CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
>>$CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN
> You might want to also deny incoming packets from these addresses, or fall
> back to the default firewall rule -- whatever that rule is ("deny log all"
> in your case).

I think I can do this... I guess...

>>$CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN
> Hmmm, what is this address block supposed to be here for?

I am sorry, I only copied this ruleset from the article... I really need to get back in RTFM and read the article again... maybe I missed something.

>>#reserved for doc's#
>>$CMD 00307 deny all from 204.152.64.0/23 to any in via $IFN
> And this one?

This one too...

> A better approach that will avoid forcing everyone to wait until their
> connection times out is to reply with an RST packet, which is the standard
> way TCP would reply if no auth/ident service was running at all.

I need some reading to understand what you just advised... Thank you.

> Fragments are not late-arriving packets ;-)
>
>
>>#* Reject & Log all incoming connections from the outside *#
>>$CMD 00499 deny log all from any to any in via $IFN
> This one is redundant, since it will only do the same as the one below:

OK...

>># Everything else is denied by default
>># DENY and LOG all packets that fell through to see what they are
>>$CMD 00999 deny log all from any to any
>
>
>>My basis for my rulesets are taken from:
>>http://freebsd.a1poweruser.com:6088/FBSD_firewall/
>
> AFAIK, the author of the page is a reader of the list too. I can't find
> anything wrong with the syntax of your rules. The only weird thing I noticed
> were the two hard-wired address blocks I mentioned above. Perhaps the author
> of the initial ruleset can help you more ;)

It was kind enough for the author to drop me an email... and thank you for your advice too... I will base my rulesets on yours and other people's advice, and re-read that article for a better understanding... and maybe I can tune my rulesets more to better fit my system.

Have a nice day...

SrotBULL
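The thread turns on two points: which rule in a first-match ipfw ruleset is the one that logs a given deny, and why rule 00499 is redundant next to the default "deny log all" at 00999. The following script is an added example, not code from the thread or from the a1poweruser article; it parses ipfw syslog lines and replays them against the deny rules quoted above with ipfw's first-match semantics. It assumes `$IFN` is `fxp0`, reproduces only the deny rules visible in the message (the allow rules of the full ruleset are omitted), and the log lines are constructed samples in ipfw's log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in ipfw's syslog format; they are not from the thread.
SAMPLE_LOG = """\
Aug  6 13:50:01 gw kernel: ipfw: 499 Deny TCP 203.0.113.5:4455 198.51.100.7:25 in via fxp0
Aug  6 13:50:02 gw kernel: ipfw: 300 Deny UDP 192.168.7.7:137 198.51.100.7:137 in via fxp0
Aug  6 13:50:03 gw kernel: ipfw: 499 Deny TCP 203.0.113.5:4456 198.51.100.7:113 in via fxp0
Aug  6 13:50:04 gw kernel: ipfw: 999 Deny TCP 198.51.100.7:80 203.0.113.9:51234 out via fxp0
"""

# ipfw log shape: "ipfw: <rule> <Action> <Proto> <src>[:port] <dst>[:port] <in|out> via <iface>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

EXT_IF = "fxp0"  # assumed value of $IFN in the poster's ruleset

# The deny rules quoted in the thread: (number, action, proto, source, direction, iface).
# None means "any". Rule 999 has no direction or interface, so it matches everything.
RULESET = [
    (300, "deny", "all", "192.168.0.0/16", "in", EXT_IF),
    (301, "deny", "all", "172.16.0.0/12", "in", EXT_IF),
    (302, "deny", "all", "10.0.0.0/8", "in", EXT_IF),
    (305, "deny", "all", "169.254.0.0/16", "in", EXT_IF),
    (307, "deny", "all", "204.152.64.0/23", "in", EXT_IF),
    (499, "deny", "all", None, "in", EXT_IF),
    (999, "deny", "all", None, None, None),
]

# Source ranges that rules 300-305 refuse on the outside interface.
PRIVATE_SOURCE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "169.254.0.0/16")
]


def parse_log(text):
    """Turn ipfw syslog lines into packet dicts; non-ipfw lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "rule": int(d["rule"]),
            "action": d["action"].lower(),
            "proto": d["proto"].split(":")[0].lower(),  # "ICMP:8.0" -> "icmp"
            "src": ipaddress.ip_address(d["src"]),
            "dst": ipaddress.ip_address(d["dst"]),
            "dport": int(d["dport"]) if d["dport"] else None,
            "direction": d["direction"],
            "iface": d["iface"],
        })
    return packets


def first_match(pkt, ruleset):
    """ipfw is first-match: return (rule number, action) of the first rule that fits."""
    for num, action, proto, src, direction, iface in ruleset:
        if proto != "all" and proto != pkt["proto"]:
            continue
        if src is not None and pkt["src"] not in ipaddress.ip_network(src):
            continue
        if direction is not None and direction != pkt["direction"]:
            continue
        if iface is not None and iface != pkt["iface"]:
            continue
        return num, action
    return None, None


def without_rule(ruleset, num):
    """Copy of the ruleset with one rule removed."""
    return [r for r in ruleset if r[0] != num]


def verdicts_identical(packets, ruleset_a, ruleset_b):
    """True when every packet gets the same allow/deny verdict under both rulesets."""
    return all(first_match(p, ruleset_a)[1] == first_match(p, ruleset_b)[1] for p in packets)


def count_by_rule(packets):
    """How many logged packets each rule number accounted for."""
    return Counter(p["rule"] for p in packets)


def private_source_hits(packets):
    """Inbound packets whose source lies in a range the ruleset refuses on $IFN."""
    return [
        p for p in packets
        if p["direction"] == "in" and any(p["src"] in net for net in PRIVATE_SOURCE_RANGES)
    ]


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("denies per rule:", dict(count_by_rule(pkts)))
    trimmed = without_rule(RULESET, 499)
    for p in pkts:
        print(p["src"], p["direction"], "->", first_match(p, RULESET), "without 499:", first_match(p, trimmed))
    print("same verdicts without rule 499:", verdicts_identical(pkts, RULESET, trimmed))
```

Replaying the log against the ruleset reproduces the rule number ipfw printed for every line, and removing rule 499 only shifts the inbound hits to rule 999 without changing any verdict, which is the redundancy Giorgos points out. The denied inbound packets are unsolicited ones that no earlier allow or keep-state rule claimed, which is why they appear in the log without the poster's mail or web sessions being affected.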
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41130EED.4080401>