Date: Mon, 3 Jan 2005 20:31:52 +0100
From: "Gerard Meijer" <gmeijer@palmweb.nl>
To: "Andras Kende" <andras@kende.com>, <freebsd-questions@freebsd.org>
Subject: Re: ipfw question (FreeBSD 4.11)
Message-ID: <069b01c4f1ca$e0d24160$9600000a@guus>
References: <20050103185910.361BA43D39@mx1.FreeBSD.org>
You are so the man! That's it. You have no idea how long I've spent looking for this. Thanks again!

----- Original Message -----
From: "Andras Kende" <andras@kende.com>
To: "'Gerard Meijer'" <gmeijer@palmweb.nl>; <freebsd-questions@freebsd.org>
Sent: Monday, January 03, 2005 7:59 PM
Subject: RE: ipfw question (FreeBSD 4.11)

>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Gerard Meijer
> Sent: Monday, January 03, 2005 12:29 PM
> To: freebsd-questions@freebsd.org
> Subject: ipfw question (FreeBSD 4.11)
>
> I run apache webserver on my server with FreeBSD 4.11
>
> I have a question about ipfw. I have the following rules in my
> /etc/ipfw.conf:
>
> $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
> $cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state
>
> (with $pif being my NIC) Now, everything works fine for me, but I get a lot
> (and I mean a lot) of these kind of messages in my log:
>
> [Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out via em0
> [Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via em0
>
> (with a.b.c.d being my IP and e.f.g.h being somebody else's IP).
>
> I guess these people are not surfing through port 80??? Correct me if I'm
> wrong. How can I change ipfw's rules so that these people aren't blocked
> anymore?
>
> Thanks in advance!
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
>
> Hello,
>
> I'm not 100% sure, but if I remember correctly you need to put "established"
> before the webserver rule:
>
> # Allow TCP through if setup succeeded:
> ${fwcmd} add pass tcp from any to any established
>
> # Allow setup of incoming http:
> ${fwcmd} add pass tcp from any to any 80 setup
>
>
> [Cc][Ll][Ii][Ee][Nn][Tt])
> ############
> # This is a prototype setup that will protect your system somewhat
> # against people from outside your own network.
> ############
>
> # set these to your network and netmask and ip
> ip="aaa.bbb.ccc.ddd"
>
> setup_loopback
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Allow setup of incoming services
> ${fwcmd} add pass tcp from any to ${ip} 21,22,25,53,80,110,143,443,993,10000 setup
>
> # Allow setup of PASV FTP
> ${fwcmd} add pass tcp from any to ${ip} 10001-10100 setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass log tcp from ${ip} to any setup
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny log tcp from any to any setup
>
> # Allow DNS queries
> ${fwcmd} add pass udp from any to any 53
> ${fwcmd} add pass udp from any 53 to any
>
> # Allow NTP
> ${fwcmd} add pass udp from any to any 123
>
> #ICMP
> ${fwcmd} add pass log icmp from any to any icmptypes 3,4,11,12
>
> # Everything else is denied by default, unless the
> # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
> # config file.
> ;;
>
>
> Best regards,
>
> Andras Kende
> http://www.kende.com
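As an added example that is not part of this thread: a small Python helper that parses kernel ipfw log lines in the format quoted above and counts denies per rule number and direction, separately flagging those whose local side is the web server's port. With a web server that otherwise works, a steady stream of such denies on the rules just before the port-80 setup rules (299/499 above) is the symptom of packets of already-open connections falling through to the deny rules, which is what putting an `established` rule first addresses. The log lines and addresses below are constructed.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread); addresses are placeholders in the
# same kernel ipfw log format quoted above.
SAMPLE_LOG = """\
Jan  3 12:01:02 host /kernel: ipfw: 299 Deny TCP 10.0.0.150:80 192.0.2.10:4472 out via em0
Jan  3 12:01:05 host /kernel: ipfw: 499 Deny TCP 192.0.2.10:1882 10.0.0.150:80 in via em0
Jan  3 12:01:09 host /kernel: ipfw: 499 Deny TCP 192.0.2.77:3311 10.0.0.150:80 in via em0
Jan  3 12:02:00 host /kernel: ipfw: 65535 Deny UDP 192.0.2.5:53 10.0.0.150:1025 in via em0
Jan  3 12:02:30 host /kernel: ipfw: 200 Accept TCP 10.0.0.150:80 192.0.2.10:4500 out via em0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return a dict of the ipfw fields, or None for lines that are not TCP/UDP ipfw logs."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_denies(log_text, local_ip, service_port=80):
    """Count Deny lines per (rule, direction); the second counter holds only those
    TCP flows whose local-side port is service_port (the web server's port)."""
    denies = Counter()
    service_denies = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        key = (rec["rule"], rec["dir"])
        denies[key] += 1
        local_port = rec["sport"] if rec["src"] == local_ip else rec["dport"]
        if rec["proto"] == "TCP" and local_port == service_port:
            service_denies[key] += 1
    return denies, service_denies


if __name__ == "__main__":
    denies, web = summarize_denies(SAMPLE_LOG, "10.0.0.150")
    for key in sorted(denies):
        print("rule %5d %-3s denies=%d on-web-port=%d" % (key[0], key[1], denies[key], web[key]))
```

Run it against /var/log/messages (or wherever syslog sends kernel output) with the server's own address as `local_ip`; a non-web deny such as the UDP line stays in the first counter only.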