Date: Thu, 04 Nov 1999 13:16:21 -0500 From: Carroll Kong <damascus@eden.rutgers.edu> To: "Curtis Schofield" <schofiel@home.com>, <freebsd-security@FreeBSD.ORG> Subject: Re: FW: rc.firewall Message-ID: <4.2.0.58.19991104131213.00aca850@email.eden.rutgers.edu> In-Reply-To: <NDBBLOPPCLHEGEGAGOANOEFOCAAA.schofiel@home.com>
At 10:44 AM 11/4/99 -0700, Curtis Schofield wrote:
>hello, i was checking out my firewall, and it seems that it doesn't actually
>do anything
>=), i've been trying to get it to block FTP lately for example, but when i
>ftp in from
>a remote host it isn't blocked..
>
>Could someone help me?
>
>This is my situation:
> I am running DHCPclient and as such i don't have a static ip that
> i could
>put into
>the rc.firewall, i was told that it would be OK to generalize the whole
>thing (ie any to any) but it doesn't appear to be working..
>
>#!/bin/sh
>fwcmd="/sbin/ipfw -N"
>$fwcmd -f flush
>
>$fwcmd add 100 divert natd all from any to any via xl0
>$fwcmd add 110 pass all from any to any
>$fwcmd add 120 pass all from any to any via lo0
>$fwcmd add 130 pass tcp from any to any established
>$fwcmd add 144 pass all from 10.0.0.0/3 to any
>
>Please someone help? Why doesn't this appear to work..
>
>(the only thing i could do to stop ftp was comment it out in /etc/services)
>
>I'm new to ipfw, and wouldn't mind if someone could help and or point me to
>resources that would help with this problem
>
>Thanks!
>Curtis

I snipped out a bit, but basically, if you have this rule:

$fwcmd add 110 pass all from any to any

it will pass all the packets, and never filter the others. By declaring
add <int> or so, you are saying: try out the rules in this order, and if you
already told it to pass all the packets with a rule # earlier than the
consequential rules, the later rules will never get a chance to match. At
least, this seems like what is wrong to me.

To double check, reload that firewall script, run ipfw show as root, and see
if the #s in the first two columns of rule #110 are increasing, whereas all
the other rules underneath never have a match. If that is the case, then my
hypothesis is most likely correct, and that rule is passing everything before
the others even get a chance to be matched.
-Carroll Kong
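The first-match behaviour Carroll describes, as an added example that is not part of the original thread or of FreeBSD's ipfw: a small Python model of ordered rule evaluation with per-rule packet counters (the second column of `ipfw show`), run over Curtis's ruleset with a hypothetical `deny tcp ... 21` rule appended at 150, and then over the same ruleset with that deny moved to 105 so it is tried before the catch-all pass at 110. Only the subset of ipfw syntax used in the thread is parsed; `via <iface>` is ignored, `divert` is assumed to count the packet and continue at the next rule (what happens after natd re-injects it), and the implicit final rule 65535 is assumed to deny. The rule-150 line, the fixed ruleset, and the sample packets are all constructed for the example.

```python
"""Toy model of ipfw's ordered, first-match rule evaluation (added example).

Not FreeBSD code.  Assumptions: `via <iface>` is ignored, `divert` counts the
packet and continues at the next rule, the default rule 65535 denies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str              # "pass", "deny" or "divert"
    proto: str               # "tcp", "udp" or "all"
    src: object              # ip_network, or the string "any"
    dst: object
    dport: Optional[int]     # destination port; None means any
    established: bool        # only match packets of an established TCP flow
    packets: int = 0         # per-rule hit counter, as shown by `ipfw show`


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    established: bool = False   # True for TCP segments after the handshake


def parse_rule(line: str) -> Rule:
    """Parse one 'add <num> <action> ...' line of the subset described above."""
    toks = line.split()
    if toks[0] != "add":
        raise ValueError(line)
    number, action = int(toks[1]), toks[2]
    if action == "allow":            # ipfw treats allow/pass alike
        action = "pass"
    proto = toks[4] if action == "divert" else toks[3]   # 'divert natd' carries a port
    src = toks[toks.index("from") + 1]
    j = toks.index("to")
    dst = toks[j + 1]
    rest = toks[j + 2:]
    dport = int(rest[0]) if rest and rest[0].isdigit() else None

    def to_net(s):
        return "any" if s == "any" else ip_network(s, strict=False)

    return Rule(number, action, proto, to_net(src), to_net(dst), dport,
                "established" in rest)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not pkt.established:
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Walk rules in number order; the first matching pass/deny decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            rule.packets += 1
            if rule.action != "divert":       # divert: continue with next rule
                return rule.action, rule.number
    return "deny", 65535                      # implicit default rule (assumed deny)


def show(rules: list) -> list:
    """Like `ipfw show`: (rule number, packet count) in rule order."""
    return [(r.number, r.packets) for r in sorted(rules, key=lambda r: r.number)]


# Curtis's rules plus a hypothetical rule 150 that tries to block FTP control
# connections (port 21).  Rule 150 is constructed here; the thread shows none.
CURTIS = [parse_rule(l) for l in [
    "add 100 divert natd all from any to any via xl0",
    "add 110 pass all from any to any",
    "add 120 pass all from any to any via lo0",
    "add 130 pass tcp from any to any established",
    "add 144 pass all from 10.0.0.0/3 to any",
    "add 150 deny tcp from any to any 21",
]]

# Same ruleset with the FTP deny renumbered to 105, ahead of the catch-all.
FIXED = [parse_rule(l) for l in [
    "add 100 divert natd all from any to any via xl0",
    "add 105 deny tcp from any to any 21",
    "add 110 pass all from any to any",
    "add 120 pass all from any to any via lo0",
    "add 130 pass tcp from any to any established",
    "add 144 pass all from 10.0.0.0/3 to any",
]]

# Constructed traffic: an inbound FTP connection attempt from a remote host,
# and an unrelated HTTP packet that should still be passed.
FTP_SYN = Packet("tcp", "192.0.2.10", "198.51.100.5", 21)
HTTP = Packet("tcp", "192.0.2.10", "198.51.100.5", 80)

if __name__ == "__main__":
    for name, rules in (("curtis", CURTIS), ("fixed", FIXED)):
        print(name, evaluate(rules, FTP_SYN), evaluate(rules, HTTP))
        print("  ipfw show ->", show(rules))
```

With Curtis's ordering the FTP packet is accepted by rule 110 and the counter on rule 150 stays at zero, which is exactly the symptom Carroll suggests checking for with `ipfw show`; once the deny is numbered below the catch-all pass, the same packet is dropped at 105 while other traffic still reaches 110.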
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.58.19991104131213.00aca850>