Date: Tue, 10 Jul 2001 20:23:58 -0400 (EDT)
From: Francisco Reyes <lists@natserv.com>
To: Dru <genisis@istar.ca>
Cc: FreeBSD Security List <freebsd-security@FreeBSD.ORG>
Subject: Re: Cant ping/nslookup
Message-ID: <20010710201436.B22560-100000@zoraida.natserv.net>
In-Reply-To: <20010710071252.D345-100000@x1-6-00-50-ba-de-36-33.kico1.on.home.com>
On Tue, 10 Jul 2001, Dru wrote:

> Hi Francisco,
>
> I don't see any rules to allow UDP.

I have some rules. I thought I would only include the "deny" clauses to show that they all had the "log" option, yet nothing was coming up on /var/log/security.

> There's a step-by-step article on
> what's required here:
> http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html?page=2

Looked at it but didn't see anything which helped me solve the problem. There was one thing in the article which helped though. I didn't know about "ipfw show". I had always used "ipfw list". Also the man page doesn't explain/mention "ipfw show".

By using "ipfw zero" and then trying some operations I noticed something rather strange. None of the deny rules were hit, yet traffic fails. For example:

ipfw zero
ipfw show (after I ran a ping using an IP address on the client)

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny log logamount 50 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 50 ip from 127.0.0.0/8 to any
00400 0 0 allow log logamount 50 tcp from any to 160.79.54.10
00500 0 0 allow log logamount 50 tcp from any to 160.79.2.2
00600 0 0 allow log logamount 50 tcp from any to 216.223.192.21
00700 0 0 allow log logamount 50 tcp from 160.79.54.10 to any
00800 0 0 allow log logamount 50 tcp from 160.79.2.2 to any
00900 0 0 allow log logamount 50 tcp from 216.223.192.21 to any
01000 0 0 allow log logamount 50 udp from any to 160.79.54.10
01100 0 0 allow log logamount 50 udp from any to 160.79.2.2
01200 0 0 allow log logamount 50 udp from any to 216.223.192.21
01300 0 0 allow log logamount 50 udp from 160.79.54.10 to any
01400 0 0 allow log logamount 50 udp from 160.79.2.2 to any
01500 0 0 allow log logamount 50 udp from 216.223.192.21 to any
01600 2 214 allow log logamount 50 udp from any to 192.168.10.255
01700 4 240 allow icmp from any to any via fxp0
01800 4 240 allow icmp from any to any icmptype 8
01900 0 0 allow icmp from any to any icmptype 0
02000 0 0 allow icmp from any to any icmptype 3,4,11,12
02100 0 0 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
02200 0 0 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
02300 0 0 deny log logamount 50 ip from any to 10.0.0.0/8 via ed0
02400 0 0 deny log logamount 50 ip from any to 172.16.0.0/12 via ed0
02500 0 0 deny log logamount 50 ip from any to 0.0.0.0/8 via ed0
02600 0 0 deny log logamount 50 ip from any to 169.254.0.0/16 via ed0
02700 0 0 deny log logamount 50 ip from any to 192.0.2.0/24 via ed0
02800 0 0 deny log logamount 50 ip from any to 224.0.0.0/4 via ed0
02900 0 0 deny log logamount 50 ip from any to 240.0.0.0/4 via ed0
03000 0 0 divert 8668 ip from any to any via ed0
03100 0 0 deny log logamount 50 ip from 10.0.0.0/8 to any via ed0
03200 0 0 deny log logamount 50 ip from 172.16.0.0/12 to any via ed0
03300 0 0 deny log logamount 50 ip from 0.0.0.0/8 to any via ed0
03400 0 0 deny log logamount 50 ip from 169.254.0.0/16 to any via ed0
03500 0 0 deny log logamount 50 ip from 192.0.2.0/24 to any via ed0
03600 0 0 deny log logamount 50 ip from 224.0.0.0/4 to any via ed0
03700 0 0 deny log logamount 50 ip from 240.0.0.0/4 to any via ed0
03800 0 0 allow tcp from any to any 80
03900 0 0 allow tcp from any to any 110
04000 0 0 allow tcp from any to any 53
04100 0 0 allow udp from any to any 53
04200 0 0 allow tcp from any to any established
04300 0 0 allow ip from any to any frag
04400 0 0 allow tcp from any to 66.114.65.147 25 setup
04500 0 0 allow tcp from any to 66.114.65.147 53 setup
04600 0 0 allow udp from any to 66.114.65.147 53
04700 0 0 allow udp from 66.114.65.147 53 to any
04800 0 0 allow tcp from any to 66.114.65.147 80 setup
04900 0 0 allow tcp from any to any 22
05000 0 0 deny log logamount 50 tcp from any to any in recv ed0 setup
05100 0 0 allow tcp from any to any setup
05200 0 0 allow udp from 66.114.65.147 to any 53 keep-state
05300 0 0 allow udp from 66.114.65.147 to any 123 keep-state
05400 0 0 deny log logamount 50 ip from any to any
65535 0 0 deny ip from any to any

Notice that NONE of the deny rules were hit, yet my ping timed out.

Doing the DNS query does something similar:

ipfw zero
ipfw show (after trying nslookup freebsd.org at the client)

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny log logamount 50 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 50 ip from 127.0.0.0/8 to any
00400 0 0 allow log logamount 50 tcp from any to 160.79.54.10
00500 0 0 allow log logamount 50 tcp from any to 160.79.2.2
00600 0 0 allow log logamount 50 tcp from any to 216.223.192.21
00700 0 0 allow log logamount 50 tcp from 160.79.54.10 to any
00800 0 0 allow log logamount 50 tcp from 160.79.2.2 to any
00900 0 0 allow log logamount 50 tcp from 216.223.192.21 to any
01000 12 780 allow log logamount 50 udp from any to 160.79.54.10
01100 2 138 allow log logamount 50 udp from any to 160.79.2.2
01200 0 0 allow log logamount 50 udp from any to 216.223.192.21
01300 0 0 allow log logamount 50 udp from 160.79.54.10 to any
01400 0 0 allow log logamount 50 udp from 160.79.2.2 to any
01500 0 0 allow log logamount 50 udp from 216.223.192.21 to any
01600 4 428 allow log logamount 50 udp from any to 192.168.10.255
01700 0 0 allow icmp from any to any via fxp0
01800 0 0 allow icmp from any to any icmptype 8
01900 0 0 allow icmp from any to any icmptype 0
02000 0 0 allow icmp from any to any icmptype 3,4,11,12
02100 0 0 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
02200 0 0 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
02300 0 0 deny log logamount 50 ip from any to 10.0.0.0/8 via ed0
02400 0 0 deny log logamount 50 ip from any to 172.16.0.0/12 via ed0
02500 0 0 deny log logamount 50 ip from any to 0.0.0.0/8 via ed0
02600 0 0 deny log logamount 50 ip from any to 169.254.0.0/16 via ed0
02700 0 0 deny log logamount 50 ip from any to 192.0.2.0/24 via ed0
02800 0 0 deny log logamount 50 ip from any to 224.0.0.0/4 via ed0
02900 0 0 deny log logamount 50 ip from any to 240.0.0.0/4 via ed0
03000 0 0 divert 8668 ip from any to any via ed0
03100 0 0 deny log logamount 50 ip from 10.0.0.0/8 to any via ed0
03200 0 0 deny log logamount 50 ip from 172.16.0.0/12 to any via ed0
03300 0 0 deny log logamount 50 ip from 0.0.0.0/8 to any via ed0
03400 0 0 deny log logamount 50 ip from 169.254.0.0/16 to any via ed0
03500 0 0 deny log logamount 50 ip from 192.0.2.0/24 to any via ed0
03600 0 0 deny log logamount 50 ip from 224.0.0.0/4 to any via ed0
03700 0 0 deny log logamount 50 ip from 240.0.0.0/4 to any via ed0
03800 0 0 allow tcp from any to any 80
03900 0 0 allow tcp from any to any 110
04000 0 0 allow tcp from any to any 53
04100 0 0 allow udp from any to any 53
04200 0 0 allow tcp from any to any established
04300 0 0 allow ip from any to any frag
04400 0 0 allow tcp from any to 66.114.65.147 25 setup
04500 0 0 allow tcp from any to 66.114.65.147 53 setup
04600 0 0 allow udp from any to 66.114.65.147 53
04700 0 0 allow udp from 66.114.65.147 53 to any
04800 0 0 allow tcp from any to 66.114.65.147 80 setup
04900 0 0 allow tcp from any to any 22
05000 0 0 deny log logamount 50 tcp from any to any in recv ed0 setup
05100 0 0 allow tcp from any to any setup
05200 0 0 allow udp from 66.114.65.147 to any 53 keep-state
05300 0 0 allow udp from 66.114.65.147 to any 123 keep-state
05400 0 0 deny log logamount 50 ip from any to any
65535 0 0 deny ip from any to any

Again NONE of the deny rules were hit. I find this strange. I wonder what I am doing wrong.

I also double checked that I have forwarding set.

zoraida:/etc#sysctl -a | grep forwardin
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
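As an added example (not part of the thread), a small parser for the "ipfw show" counters Francisco is reading: it lists the rules whose counters moved after "ipfw zero", and separately flags any allow rule with traffic that sits ahead of the divert rule, since ipfw stops at the first matching rule and a packet accepted before the divert never reaches natd. The sample lines are a constructed subset of the thread's ping output; the function names are my own.

```python
import re

# Constructed sample: a subset of the "ipfw show" counters from the ping
# run in the thread (rule number, packets, bytes, action, rule body).
SAMPLE = """\
00100 0 0 allow ip from any to any via lo0
01600 2 214 allow log logamount 50 udp from any to 192.168.10.255
01700 4 240 allow icmp from any to any via fxp0
01800 4 240 allow icmp from any to any icmptype 8
01900 0 0 allow icmp from any to any icmptype 0
03000 0 0 divert 8668 ip from any to any via ed0
05400 0 0 deny log logamount 50 ip from any to any
65535 0 0 deny ip from any to any
"""

# "ipfw show" prints: <rule number> <packets> <bytes> <action> <rest of rule>
LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


def parse_ipfw_show(text):
    """Parse 'ipfw show' output into dicts with num/pkts/bytes/action/body."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a rule
        rules.append({"num": int(m.group(1)), "pkts": int(m.group(2)),
                      "bytes": int(m.group(3)), "action": m.group(4),
                      "body": m.group(5)})
    return rules


def rules_hit(rules):
    """Rules whose packet counter moved since the last 'ipfw zero'."""
    return [r for r in rules if r["pkts"] > 0]


def allow_before_divert(rules):
    """Allow rules that saw traffic and precede the first divert rule.
    ipfw is first-match: packets accepted here are never handed to natd,
    so they leave the box with their original (here, private) source."""
    diverts = [r["num"] for r in rules if r["action"] == "divert"]
    if not diverts:
        return []  # no NAT rule in the set, nothing to bypass
    first_divert = min(diverts)
    return [r for r in rules_hit(rules)
            if r["action"] == "allow" and r["num"] < first_divert]


if __name__ == "__main__":
    parsed = parse_ipfw_show(SAMPLE)
    for r in rules_hit(parsed):
        print(f"{r['num']:05d} {r['pkts']} pkts: {r['action']} {r['body']}")
    for r in allow_before_divert(parsed):
        print(f"{r['num']:05d} accepts traffic ahead of divert: {r['body']}")
```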