Date: Mon, 18 Jul 2005 11:20:09 -0700 (PDT)
From: Dave McCammon <davemac11@yahoo.com>
To: Jim Campbell <jim-c@charter.net>
Cc: questions@freebsd.org
Subject: Re: Newbie IPFW Questions
Message-ID: <20050718182009.51431.qmail@web32813.mail.mud.yahoo.com>
In-Reply-To: <42DBB359.3000400@charter.net>
--- Jim Campbell <jim-c@charter.net> wrote:

> Glenn Dawson wrote:
>
> > At 08:18 PM 7/17/2005, Jim Campbell wrote:
> >
> >> I have a machine set up as a classroom to learn about FreeBSD. It is
> >> running 4.11 primarily because anything later can't see my hard drive.
> >>
> >> As background, my FBSD machine has an address of 192.168.1.110. It is
> >> situated behind a hardware firewall (a Linksys router). $pif is vr0.
> >>
> >> I'm having problems setting up IPFW to communicate with an Onion router.
> >> The puzzling part is that I am able to use the Onion router but my
> >> /var/log/security file says that some of the packets are being dropped.
> >>
> >> Following is what I hope are the pertinent lines from my /etc/ipfw.rules
> >> file:
> >>
> >> $cmd 00225 allow tcp from me to any 9001-9033 out via $pif setup keep-state
> >> $cmd 00299 deny log all from me to any out via $pif
> >> $cmd 00332 deny log tcp from any to me established in via $pif
> >>
> >> Next is an excerpt from the /var/log/security file:
> >>
> >> Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218 128.148.34.133:9001 out via vr0
> >> Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959 131.175.189.134:9001 out via vr0
> >> Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001 192.168.1.110:2218 in via vr0
> >> Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030 192.168.1.110:4566 in via vr0
> >>
> >> Now my questions. First, why isn't rule 225 allowing all the packets out
> >> to the Onion router? It seems to me that ipfw should allow all packets
> >> in the port range 9001-9033 out or none.
> >
> > Rule 225 will only match packets used to setup the tcp session, once
> > it's established you need another rule that will allow the established
> > session to function.
> >
> > Rule 299 is denying everything from leaving your machine except for
> > the packets allowed by rule 225.
>
> It appears that I didn't include enough of the ipfw.rules file.
> Following is another abstract:
>
> #################################################################
> # Allow the packet through if it has previously been added to the
> # the "dynamic" rules table by an allow keep-state statement.
> #################################################################
> $cmd 00015 check-state
>
> It's my understanding that this rule allows through any returning
> packets that match the dynamic rule established by Rule 225.
>
> >> Next, the two inbound packets should be returning in response to an
> >> outbound packet. Why are they being dropped? Are they exceeding some
> >> timeout?
> >
> > Rule 332 is denying all established traffic from entering your
> > machine. So, while rule 225 allows you to establish a tcp session
> > with another system on ports 9001-9033, once the session is
> > established, rule 225 no longer applies and rule 332 is then throwing
> > all those packets away.
> >
> > -Glenn
>
> Part of my problem is that I don't understand the protocols being used
> by the Onion routers. It appears that Tor (the application on my machine
> that sets up the communication with the Onion routers) begins to
> communicate with the Onion routers as soon as it starts. This
> communication continues as long as the FBSD machine is alive. Really
> shook me up when I first started using Tor and Privoxy. I thought
> someone was hacking my machine :-)
>
> The really puzzling thing about this situation is that at least some of
> the messages concerning the Onion protocol are getting through. I can
> ask for www.google.com and sometimes it resolves to Google in Europe,
> sometimes to Google in Asia, and sometimes to Google here in the US.
> Ipfw appears to be only dropping some of the packets.
>
> Perhaps I should set up another machine to sniff the packets that occur.
> Maybe that would give me an idea of what is happening with the Onion
> protocol.
>
> In any event, thanks for your input to my problem, and if you have any
> other ideas I would appreciate them very much. I've been chewing on this
> problem the better part of a week.
>
> Thanks,
>
> Jim

check the output of #ipfw show and make sure the check-state line is
there. Your config says

$cmd 00015 check-state

and I think (at least on a 5.4 machine) it should say

$cmd 00015 add check-state
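As an added illustration of the first-match and dynamic-rule behaviour Glenn describes (example code written for this page, not ipfw itself and not anything posted in the thread), the Python model below evaluates Jim's four rules over a constructed Tor-relay session using the host and relay addresses from the quoted log. It assumes a single idle lifetime for a keep-state entry (ipfw's net.inet.ip.fw.dyn_ack_lifetime, 300 s by default; ipfw's shorter SYN/FIN lifetimes are omitted), constructed packet times, and a default rule that denies: once the entry has expired, a mid-session packet in either direction falls through to rules 299 and 332, producing exactly the two deny patterns seen in the log, and only a fresh SYN can re-create state through rule 225.

```python
from collections import namedtuple

ME, PEER = "192.168.1.110", "128.148.34.133"   # Jim's host and one relay from the log
DYN_ACK_LIFETIME = 300     # idle lifetime (s) of an established dynamic entry; ipfw default

# t: seconds (constructed); direction: "in"/"out" via $pif; flags: TCP flags, e.g. "S", "SA", "A"
Packet = namedtuple("Packet", "t src sport dst dport direction flags")

def _key(p):   # a dynamic entry matches both directions: key on the unordered endpoint pair
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def check_state(p, dyn):   # $cmd 00015 check-state
    k = _key(p)
    if k in dyn and p.t < dyn[k]:
        dyn[k] = p.t + DYN_ACK_LIFETIME   # matching traffic refreshes the entry
        return True
    dyn.pop(k, None)                      # expired (or absent) entry: no match
    return False

def rule_225(p, dyn):      # allow tcp from me to any 9001-9033 out via $pif setup keep-state
    if p.src == ME and p.direction == "out" and 9001 <= p.dport <= 9033 and p.flags == "S":
        dyn[_key(p)] = p.t + DYN_ACK_LIFETIME   # keep-state: record the new session
        return True
    return False

def rule_299(p, dyn):      # deny log all from me to any out via $pif
    return p.src == ME and p.direction == "out"

def rule_332(p, dyn):      # deny log tcp from any to me established in via $pif (ACK or RST set)
    return p.dst == ME and p.direction == "in" and bool(set(p.flags) & {"A", "R"})

RULES = [(15, "allow", check_state), (225, "allow", rule_225),
         (299, "deny", rule_299), (332, "deny", rule_332)]

def run(packets):   # first-match evaluation; returns one (rule number, action) per packet
    dyn, verdicts = {}, []
    for p in packets:
        for num, action, match in RULES:
            if match(p, dyn):
                verdicts.append((num, action))
                break
        else:
            verdicts.append((65535, "deny"))   # implicit final rule; assumed to deny here
    return verdicts

# Constructed session: handshake, one data packet, a long idle gap, then both directions resume.
SESSION = [Packet(0.0, ME, 2218, PEER, 9001, "out", "S"),
           Packet(0.1, PEER, 9001, ME, 2218, "in", "SA"),
           Packet(0.2, ME, 2218, PEER, 9001, "out", "A"),
           Packet(400.0, ME, 2218, PEER, 9001, "out", "A"),   # -> 299 Deny TCP ... out
           Packet(420.0, PEER, 9001, ME, 2218, "in", "A")]    # -> 332 Deny TCP ... in
```

Calling `run(SESSION)` yields 225, 15, 15 allows for the handshake and data packet, then the 299 and 332 denies for the two post-idle packets.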