Date: Tue, 22 Jan 2002 19:33:06 -0500
From: Ray Kohler <rkohler1@cox.rr.com>
To: freebsd-questions@FreeBSD.ORG
Subject: Some questions about ipfw
Message-ID: <0e9d45329001712FE6@Mail6.mgfairfax.rr.com>
I have a protect-this-client-only firewall set up here, and I'm not sure that my rules are good. It's very simple:

ipfw add allow ip from any to any via lo0
ipfw add allow tcp from me to any keep-state
ipfw add allow udp from me to any keep-state
ipfw add allow icmp from me to any keep-state
ipfw add allow icmp from any to me icmptype 3
ipfw add deny log ip from any to any

(No, I'm not using rc.firewall and not running natd.)

I intend to let anything out and nothing in that isn't part of an established connection (and of course the ICMP type 3 packets). I have 3 questions:

1) Why does the rc.firewall script use "setup" and "established" rules for tcp instead of keep-state like it does for udp?

2) Are these rules sufficient for my purpose?

3) I'm having trouble fetching ports even with FETCH_CMD= fetch -p set in make.conf. Eventually I get the file, but not until after a lot of servers are tried. In my logs I see a lot of:

Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0

where the "from" IPs belong to about a dozen ftp servers I've tried, and the packet arrives a few minutes after fetch has given up on that server. (Why are these servers contacting me when I'm using passive ftp, anyway?)

Thanks to all for reading such a long post.

-- 
Ray Kohler
Lewis's Law of Travel: The first piece of luggage out of the chute doesn't belong to anyone, ever.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0e9d45329001712FE6>
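The following is an added example, not part of the original message or any reply to it. It is a small Python model of the two ipfw styles the poster asks about: the stateless rc.firewall-style "established"/"setup" rules, which test only the TCP flag bits of each packet, and the poster's keep-state rules, which admit inbound packets only while a matching dynamic entry exists. The addresses 24.163.113.25 and 199.232.41.9:20167 are taken from the posted log lines; the address 203.0.113.7, the dynamic-rule lifetimes (assumed to match the FreeBSD defaults for net.inet.ip.fw.dyn_ack_lifetime, 300 s, and dyn_udp_lifetime, 10 s) and the single-lifetime simplification are assumptions of this model, not facts from the page. The second scenario shows one mechanism that would produce the posted log lines: the server's packet arrives after the dynamic entry for the passive data connection has expired, so it falls through to the final deny-log rule.

```python
from dataclasses import dataclass

ME = "24.163.113.25"  # the client's address, from the poster's log lines

# Dynamic-rule lifetimes in seconds. Assumed: FreeBSD defaults for
# net.inet.ip.fw.dyn_ack_lifetime (300) and dyn_udp_lifetime (10). The real
# kernel also uses shorter lifetimes for SYN/FIN/RST states, which this toy ignores.
DYN_LIFETIME = {"tcp": 300, "udp": 10}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flag names, e.g. frozenset({"SYN"}); empty for UDP
    direction: str      # "in" or "out" relative to the external interface
    t: float            # arrival time in seconds


def is_established(p: Packet) -> bool:
    """ipfw 'established': TCP with RST or ACK set. Flag-based only, no memory."""
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': TCP with SYN set and ACK clear, i.e. a new connection attempt."""
    return p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags


def stateless_verdict(p: Packet) -> str:
    """rc.firewall-style client rules:
         allow tcp from any to any established
         allow tcp from me to any setup
         deny log ip from any to any
    """
    if is_established(p):
        return "allow"
    if is_setup(p) and p.src == ME:
        return "allow"
    return "deny log"


class StatefulFirewall:
    """keep-state model: the first keep-state rule performs an implicit check-state,
    so a packet matching a live dynamic entry is allowed in either direction."""

    def __init__(self) -> None:
        self.dyn: dict = {}   # flow key -> expiry time

    @staticmethod
    def flow_key(p: Packet):
        # Direction-independent key: (proto, {endpoint A, endpoint B})
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def verdict(self, p: Packet) -> str:
        """Rules from the original post (lo0 and ICMP rules omitted):
             allow tcp from me to any keep-state
             allow udp from me to any keep-state
             deny log ip from any to any
        """
        key = self.flow_key(p)
        expiry = self.dyn.get(key)
        if expiry is not None and p.t <= expiry:
            self.dyn[key] = p.t + DYN_LIFETIME[p.proto]   # traffic refreshes the entry
            return "allow (dynamic)"
        if expiry is not None:
            del self.dyn[key]                              # expired: fall through
        if p.proto in DYN_LIFETIME and p.src == ME and p.direction == "out":
            self.dyn[key] = p.t + DYN_LIFETIME[p.proto]    # new outbound flow -> state
            return "allow (new state)"
        return "deny log"


def spoofed_ack_scenario():
    """Unsolicited inbound TCP packet with ACK set from an assumed address: the
    stateless 'established' rule passes it; keep-state has no entry and denies."""
    pkt = Packet("tcp", "203.0.113.7", 4444, ME, 1039, frozenset({"ACK"}), "in", 0.0)
    return stateless_verdict(pkt), StatefulFirewall().verdict(pkt)


def passive_ftp_scenario():
    """Passive data connection opened outbound to the server port seen in the log;
    the SYN/ACK passes while the entry is alive, then a retransmission arriving
    after the (assumed) 300 s lifetime is denied and would be logged."""
    fw = StatefulFirewall()
    server, dport = "199.232.41.9", 20167
    syn = Packet("tcp", ME, 1039, server, dport, frozenset({"SYN"}), "out", 0.0)
    synack = Packet("tcp", server, dport, ME, 1039, frozenset({"SYN", "ACK"}), "in", 0.1)
    late = Packet("tcp", server, dport, ME, 1039, frozenset({"ACK"}), "in", 400.1)
    return fw.verdict(syn), fw.verdict(synack), fw.verdict(late)


if __name__ == "__main__":
    print("spoofed ACK (stateless, stateful):", spoofed_ack_scenario())
    print("passive FTP (syn, syn/ack, late):", passive_ftp_scenario())
```

The first scenario is the security difference behind question 1: "established" accepts any packet that merely carries an ACK or RST bit, so a port scan or unsolicited packet with ACK set sails past it, whereas keep-state requires that the client itself opened the flow. The second scenario is the flip side for question 3: once the dynamic entry ages out, a late packet from a server the client really did talk to is indistinguishable from an unsolicited one and hits the deny-log rule.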