Date:      Tue, 15 Jun 2004 18:31:58 -0500
From:      "Reuben A. Popp" <gobinau@digitalcelt.net>
To:        freebsd-questions@freebsd.org
Subject:   ipfw question
Message-ID:  <200406151832.10733.gobinau@digitalcelt.net>

Good afternoon all,

I was tinkering around trying to get my firewall set the way I wanted it, but seem to be running into an issue.
I know that I have logging set in the kernel and in rc.conf, as well as in my ruleset, but for some odd reason,
the firewall is not logging connections to the services I wanted watched (ftp, ssh, web, etc).  I'm enclosing
a copy of my ruleset along with this message in case anyone has any ideas.  Any help or suggestions would
be greatly appreciated.

Thanks in advance,
Reuben A. Popp

My ruleset:

#!/bin/sh -

#
# Setup system for firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush

# Setup Loopback
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add 400 deny all from 10.0.0.0/8 to any via em0
ipfw add 500 deny all from 172.16.0.0/12 to any via em0
ipfw add 600 deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add 700 deny all from 0.0.0.0/8 to any via em0
ipfw add 800 deny all from 169.254.0.0/16 to any via em0
ipfw add 900 deny all from 192.0.2.0/24 to any via em0
ipfw add 1000 deny all from 224.0.0.0/4 to any via em0
ipfw add 1100 deny all from 240.0.0.0/4 to any via em0

# Allow TCP through if setup succeeded
ipfw add 1200 pass tcp from any to any established

# Allow IP fragments to pass through
ipfw add 1300 pass all from any to any frag

ipfw add 1400 check-state
ipfw add 1401 deny tcp from any to any in established
ipfw add 1402 allow tcp from any to any out setup keep-state

# Allow DNS
ipfw add 1403 allow udp from xx.xx.xxx.xxx 53 to any in recv em0
ipfw add 1404 allow udp from xxx.xxx.x.x 53 to any in recv em0
ipfw add 1405 allow udp from xxx.xxx.x.x 53 to any in recv em0
ipfw add 1406 allow udp from any to any out

# Allow ftp and log it
ipfw add 1407 allow log tcp from any to xx.xx.xxx.xxx 20,21
ipfw add 1408 allow log udp from any to xx.xx.xxx.xxx 20,21

# Allow ssh and log it
ipfw add 1409 allow log tcp from any to xx.xx.xxx.xxx 22

# Allow mail and log it
ipfw add 1410 allow log tcp from any to xx.xx.xxx.xxx 25

# Allow www and log it
ipfw add 1411 allow log tcp from any to xx.xx.xxx.xxx 80 keep-state
ipfw add 1412 allow log tcp from any to xx.xx.xxx.xxx 443 keep-state
ipfw add 1413 allow log udp from any to xx.xx.xxx.xxx 443 keep-state

# Reject&Log all setup of incoming connections from the outside
ipfw add 1414 deny log tcp from any to any in via em0 setup

# Allow setup of any other TCP connection
ipfw add 1415 pass tcp from any to any setup

# Allow DNS queries out in the world
ipfw add 1416 pass udp from xx.xx.xxx.xxx to any 53 keep-state

# Allow NTP queries out in the world
ipfw add 1417 pass udp from xx.xx.xxx.xxx to any 123 keep-state
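An added example, not part of Reuben's post: a small Python simulator of ipfw first-match evaluation over the TCP rules from the ruleset above, showing that only the SYN of each inbound connection can ever reach a "log" rule, because every later packet is matched by rule 1200 ("established") before any logging rule is consulted. It handles only the keywords those rules use (protocol, destination ports, in, established, setup, log), treats the redacted xx.xx.xxx.xxx address as any, and gives rule 1411 the port 80 its comment implies.

```python
from dataclasses import dataclass
# Constructed excerpt of the posted ruleset: the TCP rules that decide whether an
# inbound connection is logged (rule 1411 written with port 80 as its comment implies).
RULESET = """\
ipfw add 1200 pass tcp from any to any established
ipfw add 1409 allow log tcp from any to xx.xx.xxx.xxx 22
ipfw add 1411 allow log tcp from any to xx.xx.xxx.xxx 80 keep-state
ipfw add 1414 deny log tcp from any to any in via em0 setup"""

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int
    direction: str      # "in" or "out"
    syn: bool = False   # ipfw 'setup' means SYN set and ACK clear
    ack: bool = False   # ipfw 'established' means ACK or RST set (RST folded into ack)

def parse_rule(line):
    # Subset of ipfw syntax: N action [log] proto from A to B [dports] [options]
    t = line.split()
    num, action, body = int(t[2]), t[3], t[4:]
    log = body[0] == "log"
    body = body[1:] if log else body
    rest = body[body.index("to") + 2:]      # tokens after the destination address
    dports = None
    if rest and rest[0][0].isdigit():       # port list such as "22" or "20,21"
        dports = {int(p) for p in rest[0].split(",")}
        rest = rest[1:]
    return dict(num=num, action=action, log=log, proto=body[0], dports=dports, opts=set(rest))

def matches(r, p):
    o = r["opts"]
    return (r["proto"] in ("all", "ip", p.proto)
            and (r["dports"] is None or p.dport in r["dports"])
            and ("in" not in o or p.direction == "in")
            and ("established" not in o or p.ack)
            and ("setup" not in o or (p.syn and not p.ack)))

def first_match(rules, p):
    # ipfw semantics: the first matching rule decides; returns (number, action, logged)
    for r in rules:
        if matches(r, p):
            return r["num"], r["action"], r["log"]
    return 65535, "deny", False             # kernel default rule (assumes default-deny)

RULES = [parse_rule(l) for l in RULESET.splitlines()]
def trace(dport):
    # Inbound flow: rule hit by the SYN, then by a later ACK-bearing packet of the same flow
    syn, ack = Packet("tcp", dport, "in", syn=True), Packet("tcp", dport, "in", ack=True)
    return first_match(RULES, syn), first_match(RULES, ack)
```

One log entry per connection (its SYN) is therefore the most this ruleset can produce, so "ipfw -a list" should show the packet counters on rules 1407 through 1414 climbing even when nothing appears in the log. The kernel only writes those entries when net.inet.ip.fw.verbose is 1 and net.inet.ip.fw.verbose_limit has not been reached.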