Date: Fri, 12 Oct 2001 21:31:11 -0700
From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "Mike Meyer" <mwm@mired.org>
Cc: <questions@freebsd.org>
Subject: Re: How to Allow Incoming Traffic Through Firewall?
Message-ID: <024701c1539f$e2c65a00$0301a8c0@bigdaddy>
References: <15303.23221.294413.552831@guru.mired.org> <01ac01c15380$66d46780$0301a8c0@bigdaddy> <15303.40426.817092.645179@guru.mired.org>
----- Original Message -----
From: "Mike Meyer" <mwm@mired.org>
To: "Drew Tomlinson" <drew@mykitchentable.net>
Cc: <questions@freebsd.org>
Sent: Friday, October 12, 2001 6:50 PM
Subject: Re: How to Allow Incoming Traffic Through Firewall?

> Drew Tomlinson <drew@mykitchentable.net> types:
> > > > was initiated from my private network. I also want to allow incoming
> > > > traffic to my mail server (smtp & imap), web server, and ssh. I know
> > > > the man page indicates that filtering on port numbers is not a good
> > > > idea so I am also open to other ways of allowing certain traffic.
> > >
> > > Um - what man page says that filtering on port numbers is not a good
> > > idea? It needs to be fixed.
> >
> > From man ipfw(8):
> >
> > Note that it may be dangerous to filter on the source IP address or
> > source TCP/UDP port because either or both could easily be spoofed.
>
> Note that it says *source* port, not destination port. Filtering on
> the destination port is practically required. Filtering on the source
> port is a bad idea, but may be required for cases.

Oh, OK. I missed that one little word. :)

> > > > OK, I understand why rule 610 is denying the packet but why isn't rule
> > > > 505 allowing it? What am I missing? And is there a better way to
> > > > accomplish allowing web, mail, etc. traffic?
> > >
> > > Because 505 allows traffic from all traffic going to port 23. Your
> > > telnet session goes from some random port on the initiating system -
> > > in this case it was 1027 - to port 23 on the remote system. The
> > > initial packet goes out, then comes back bound for that random
> > > port. Since it's not going to port 23, 505 won't allow it through.
> >
> > I'm sorry I wasn't clear here. The above example was an *incoming*
> > telnet session so it was going from port 1027 on the public side (ed1)
> > to port 23 on the private side (ed0) (unless I'm missing something).
> > It was a telnet session that I initiated from my DSL modem so I could
> > test incoming connections.
>
> The same argument works in both directions. You are filtering
> connections based on the *destination* port. The telnet connection in
> question is from port 23 on the server to port 1027 on the client. So
> the packet opening the connection goes through - whether inbound or
> outbound - but the reply packet is blocked, because it's not going to
> port 23.

I thought that "add 00620 allow tcp from any to any out setup keep-state"
would allow it but since the connection wasn't initiated from my private
network, the "deny established" rule killed the packet?

> > > First suggestion - don't set rule numbers in the script. It makes it
> > > easier to read and follow. My apologies if you added those for the
> > > discussion.
> >
> > I set the rule numbers per the example on www.onlamp.com. But since
> > you're willing to help me, we'll do it your way. :) Shall I leave
> > the rule numbers for discussion?
>
> Sure. Please note that there are people on the list who are much more
> experienced at this than I am - but there wasn't an answer in the
> digest, so I decided to point out what I saw as obvious things.

And I *really* appreciate that!!!

[...lots of wonderful suggestions snipped...]

Thank you very much. I will try reworking my rule set tomorrow using the
concepts you've shared. I really appreciate your time!

Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
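Added example, not part of this thread and not ipfw's own code: a small Python simulator for the subset of ipfw(8) rule syntax the exchange turns on (destination-port matching, `setup`, `established`, `keep-state`, `check-state`, `in`/`out via`). The two rulesets are an assumed reconstruction of rules 505, 610 and 620 as the messages describe them, not Drew's actual script; ed0/ed1 and the client port 1027 follow the thread, while the addresses 203.0.113.5 and 192.168.1.10 are constructed stand-ins. The simulator traces the inbound telnet handshake through the firewall as a forwarding host sees it (each packet once on the interface it arrives on and once on the one it leaves by). With the original ordering the SYN-ACK from port 23 back to port 1027 falls through rule 505 and is killed by the `deny established` rule 610, exactly as the thread concludes; with a `check-state` rule placed ahead of it and `keep-state` on the inbound allow rule, the reply matches the dynamic rule the SYN created. The dynamic-rule handling is simplified (no timeouts, no per-flag state tracking).

```python
# Added example: toy simulator for a subset of ipfw(8) rule syntax.
# Rulesets below are an assumed reconstruction, not the thread author's script.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"syn", "ack", "rst"}
    direction: str     # "in" or "out"
    iface: str         # interface the packet is seen on

def parse_rule(line):
    """Parse 'add <num> <action> <proto> from <src> [port] to <dst> [port] [options]'."""
    t = line.split()
    if t[0] != "add":
        raise ValueError(f"expected 'add': {line!r}")
    rule = {"num": int(t[1]), "action": t[2], "proto": None, "src": None,
            "sport": None, "dst": None, "dport": None, "dir": None, "via": None,
            "setup": False, "established": False, "keep_state": False}
    if rule["action"] == "check-state":
        return rule
    rule["proto"] = t[3]
    i = 4
    if t[i] != "from":
        raise ValueError(f"expected 'from': {line!r}")
    rule["src"] = t[i + 1]
    i += 2
    if t[i].isdigit():                      # optional source port
        rule["sport"] = int(t[i]); i += 1
    if t[i] != "to":
        raise ValueError(f"expected 'to': {line!r}")
    rule["dst"] = t[i + 1]
    i += 2
    if i < len(t) and t[i].isdigit():       # optional destination port
        rule["dport"] = int(t[i]); i += 1
    while i < len(t):                       # trailing options
        tok = t[i]
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "via":
            i += 1; rule["via"] = t[i]
        elif tok in ("setup", "established"):
            rule[tok] = True
        elif tok == "keep-state":
            rule["keep_state"] = True
        else:
            raise ValueError(f"unsupported token {tok!r}: {line!r}")
        i += 1
    return rule

def flow_key(p):
    # Direction-independent key, so a reply matches the state its request created.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def static_match(r, p):
    return ((r["proto"] in ("ip", "all") or r["proto"] == p.proto)
            and r["src"] in ("any", p.src) and r["dst"] in ("any", p.dst)
            and (r["sport"] is None or r["sport"] == p.sport)
            and (r["dport"] is None or r["dport"] == p.dport)
            and (r["dir"] is None or r["dir"] == p.direction)
            and (r["via"] is None or r["via"] == p.iface)
            and (not r["setup"] or ("syn" in p.flags and "ack" not in p.flags))
            and (not r["established"] or bool(p.flags & {"ack", "rst"})))

def run(ruleset, packets):
    """Return one (rule_number, verdict) per packet, keeping dynamic state between packets."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines()]
    state, verdicts = set(), []
    for p in packets:
        for r in rules:
            # The dynamic table is consulted at check-state and at keep-state rules.
            if (r["action"] == "check-state" or r["keep_state"]) and flow_key(p) in state:
                verdicts.append((r["num"], "allow (dynamic)")); break
            if r["action"] == "check-state" or not static_match(r, p):
                continue
            if r["keep_state"]:
                state.add(flow_key(p))
            verdicts.append((r["num"], r["action"])); break
        else:
            verdicts.append((65535, "deny"))   # implicit default rule
    return verdicts

# Assumed reconstruction of the rules discussed in the thread.
ORIGINAL = """
add 00505 allow tcp from any to any 23
add 00610 deny tcp from any to any established
add 00620 allow tcp from any to any out setup keep-state
"""
# Same rules with state checked first and kept for the inbound telnet SYN.
FIXED = """
add 00500 check-state
add 00505 allow tcp from any to any 23 in via ed1 setup keep-state
add 00610 deny tcp from any to any established
add 00620 allow tcp from any to any out setup keep-state
"""
CLIENT, SERVER = "203.0.113.5", "192.168.1.10"   # constructed addresses

def inbound_telnet():
    """Constructed handshake: public client port 1027 -> private telnet server port 23."""
    syn = dict(proto="tcp", src=CLIENT, sport=1027, dst=SERVER, dport=23, flags=frozenset({"syn"}))
    synack = dict(proto="tcp", src=SERVER, sport=23, dst=CLIENT, dport=1027, flags=frozenset({"syn", "ack"}))
    return [Packet(**syn, direction="in", iface="ed1"), Packet(**syn, direction="out", iface="ed0"),
            Packet(**synack, direction="in", iface="ed0"), Packet(**synack, direction="out", iface="ed1")]

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, run(rs, inbound_telnet()))
```

Running it prints the original set allowing both copies of the SYN at rule 505 and then denying both copies of the SYN-ACK at rule 610, while the fixed set allows the SYN at 505 and the three remaining packets at the dynamic rule via 500. The point carried over from Mike's explanation is that a stateless destination-port rule can only ever admit one direction of a connection; the reply has to be admitted either by a second port rule (which, for a random client port, cannot be written safely) or by state created when the connection was opened.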
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?024701c1539f$e2c65a00$0301a8c0>