Date: Fri, 12 Oct 2001 22:03:07 +0200
From: "Jonas Sonntag" <js@jonsonn.de>
To: <freebsd-questions@FreeBSD.ORG>
Subject: IPFW question
Message-ID: <KIEEILJCLAIJNFGECHJOAEEICCAA.js@jonsonn.de>
In-Reply-To: <20011009034032.K350@blossom.cjclark.org>
hi list

looks better now, but i still have a serious problem ;)

with my current rules, everything for the internet works fine. no more
messages from natd. :) connections from the outside can communicate
without problems on the allowed ports. only my lan is (again)
disconnected from the net. here are the rules:

fwcmd="/sbin/ipfw"

$fwcmd -f flush

#lan
$fwcmd add divert natd all from any to any via rl0
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0

# inet
$fwcmd add allow all from me to any via rl0
$fwcmd add allow tcp from any to me established via rl0
$fwcmd add allow tcp from any to me 21 setup via rl0
$fwcmd add allow tcp from any to me 22 setup via rl0
$fwcmd add allow tcp from any to me 80 setup via rl0
$fwcmd add allow udp from 213.196.65.2 53 to me
$fwcmd add allow udp from 213.196.64.2 53 to me
$fwcmd add allow icmp from any to any
$fwcmd add deny log ip from any to any

i don't understand why the lan cannot connect any more, name resolving
works fine, but http, ftp and so on fail to connect. i thought by
'allow all from me to any' and 'allow tcp from any to me established'
at least this should work.

please help, i'm stuck for two days now :(

js

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Tuesday, 9 October 2001 12:41
> To: Jonas Sonntag
> Cc: Jonathan Chen; freebsd-questions@FreeBSD.ORG
> Subject: Re: rpc.statd: invalid hostname to sm_stat: ^X?y?.... + IPFW questions
>
>
> On Tue, Oct 09, 2001 at 11:24:18AM +0200, Jonas Sonntag wrote:
> > > Some script kiddie is attempting to overflow your portmapper. Why have
> > > you got it running attached to the 'Net?
> >
> > i thought it to be closed !?
>
> I don't see a rule for it. Do you? Where is rpc.statd's port blocked?
>
> > this is my current ipfw config where rl0 is the outside interface and xl0
> > connects the lan:
> >
> > 00100 3281039 2395988201 divert 8668 ip from any to any via rl0
> > 00200 5418 235058 allow ip from any to any via lo0
> > 00300 12328087 9850315840 allow ip from any to any via xl0
> > 00400 2 96 deny tcp from any to me 25 via rl0 setup
> > 00500 0 0 deny tcp from any to me 53 via rl0 setup
> > 00600 2 96 deny tcp from any to me 110 via rl0 setup
> > 00700 10 600 deny tcp from any to me 111 via rl0 setup
> > 00800 8 384 deny tcp from any to me 139 via rl0 setup
> > 00900 0 0 deny tcp from any to me 587 via rl0 setup
> > 01000 3280075 2395948580 allow ip from any to any via rl0
> > 65535 490 312763 deny ip from any to any
> >
> > should i change rules for 111? or is there other ports the portmapper uses?
>
> You don't actually need to consult the portmapper to use an RPC
> service. You can guess or brute force at what port a given service is
> listening on.
>
> > btw, i'd like to use this config for the rl0 interface:
>
> Right, this is in the right direction. You want to explicitly pass
> what you allow and deny all else by default.
>
> > $fwcmd add allow all from 192.168.0.0/24 to any via rl0
>
> This rule doesn't make a lot of sense if it is coming after your
> divert(4) rule (which I assume it is?). All traffic leaving your LAN
> has already had the source address NAT'ed when this rule is hit.
>
> > $fwcmd add allow tcp from any to me 1-65535 established via rl0
>
> I don't really understand the point of explicitly telling it to pass
> all possible port numbers.
>
> > $fwcmd add allow tcp from any to me 21 setup via rl0
> > $fwcmd add allow tcp from any to me 22 setup via rl0
> > $fwcmd add allow tcp from any to me 80 setup via rl0
> > $fwcmd add allow icmp from any to any
> > $fwcmd add deny log ip from any to any
>
> I don't see a rule that ever passes anything leaving the system. In
> addition, for the same reason NAT'ed traffic leaving your system will
> never match that first rule, NAT'ed traffic entering on rl0 will never
> match any of these.
>
> > but when i activate this set of rules, syslog keeps saying:
> >
> > natd[182]: failed to write packet back (Permission denied)
> > last message repeated 87 times
> >
> > ...and so on and the lan is disconnected from the internet until i
> > reload with the *deny-some-ports-and-allow-the-rest-config*
>
> Which would be expected from these rules.
> --
> Crist J. Clark                     cjclark@alum.mit.edu
>                                    cjclark@jhu.edu
>                                    cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
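The diagnosis quoted above (NAT'ed traffic entering on rl0 never matching the "to me" rules) can be checked against the posted ruleset with a small model of how ipfw walks its rules when natd sits on a divert rule. This is an added illustration, not FreeBSD code and not from either poster: the firewall, LAN client and web server addresses are constructed, only the LAN prefix 192.168.0.0/24 and the two DNS servers come from the post, and the extra "established" rule for the LAN net in FIXED is one fix suggested here, not something the thread proposes. The model keeps ipfw's stateless semantics: "setup" is a bare SYN, "established" is any segment with ACK or RST set, and after the divert rule processing resumes at the next rule with the rewritten packet.

```python
import ipaddress

# Constructed addresses; only the LAN prefix and the two DNS servers come from the post.
ME = "203.0.113.10"      # the firewall's own address on rl0
LAN = "192.168.0.0/24"   # the LAN behind xl0
CLIENT = "192.168.0.5"   # a LAN host
WEB = "198.51.100.80"    # a web server on the Internet

def addr_ok(pattern, addr):
    """ipfw address patterns used in the post: any, me, a host or a CIDR net."""
    if pattern == "any":
        return True
    if pattern == "me":
        return addr == ME
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    return addr == pattern

def rule_matches(r, pkt):
    """Stateless matching as ipfw does it: 'setup' is a bare SYN, 'established'
    any segment with ACK or RST set; no connection state is kept."""
    if r["proto"] not in ("all", "ip", pkt["proto"]):
        return False
    if not (addr_ok(r["src"], pkt["src"]) and addr_ok(r["dst"], pkt["dst"])):
        return False
    for key in ("sport", "dport", "via"):   # unset in the rule means "don't care"
        if r.get(key) not in (None, pkt.get(key)):
            return False
    if r.get("setup") and not (pkt.get("syn") and not pkt.get("ack")):
        return False
    if r.get("established") and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True

def rule(action, proto, src, dst, **opts):
    return dict(action=action, proto=proto, src=src, dst=dst, **opts)

class Natd:
    """Just enough of natd: LAN traffic leaving on rl0 gets the firewall's address,
    and a reply to a recorded port is rewritten back to the LAN host."""
    def __init__(self):
        self.table = {}  # (remote addr, remote port, local port) -> LAN host

    def translate(self, p):
        p = dict(p)
        if p["dir"] == "out" and addr_ok(LAN, p["src"]):
            self.table[(p["dst"], p["dport"], p["sport"])] = p["src"]
            p["src"] = ME
        elif p["dir"] == "in" and p["dst"] == ME:
            p["dst"] = self.table.get((p["src"], p["sport"], p["dport"]), ME)
        return p

def walk(rules, pkt, natd):
    """Return ipfw's verdict. After the divert rule natd hands back the (possibly
    rewritten) packet and ipfw continues with the next rule, not from the top."""
    for r in rules:
        if not rule_matches(r, pkt):
            continue
        if r["action"] == "divert":
            pkt = natd.translate(pkt)
            continue
        return r["action"]
    return "deny"  # the implicit rule 65535

# The ruleset from the post, in order.
POSTED = [
    rule("divert", "all", "any", "any", via="rl0"),
    rule("allow", "all", "any", "any", via="lo0"),
    rule("allow", "all", "any", "any", via="xl0"),
    rule("allow", "all", "me", "any", via="rl0"),
    rule("allow", "tcp", "any", "me", established=True, via="rl0"),
    rule("allow", "tcp", "any", "me", dport=21, setup=True, via="rl0"),
    rule("allow", "tcp", "any", "me", dport=22, setup=True, via="rl0"),
    rule("allow", "tcp", "any", "me", dport=80, setup=True, via="rl0"),
    rule("allow", "udp", "213.196.65.2", "me", sport=53),
    rule("allow", "udp", "213.196.64.2", "me", sport=53),
    rule("allow", "icmp", "any", "any"),
    rule("deny", "ip", "any", "any"),
]

# One way to pass the LAN's replies (a suggestion made here, not in the thread): once
# natd has restored the LAN host as destination, match 'established' on the LAN net.
FIXED = POSTED[:5] + [rule("allow", "tcp", "any", LAN, established=True, via="rl0")] + POSTED[5:]

def lan_web_session(rules):
    """Trace a LAN client's HTTP connection: SYN in on xl0, the same SYN out on rl0,
    the SYN/ACK back in on rl0. Returns the three verdicts."""
    natd = Natd()
    syn = dict(proto="tcp", src=CLIENT, sport=1025, dst=WEB, dport=80, syn=True, ack=False)
    synack = dict(proto="tcp", src=WEB, sport=80, dst=ME, dport=1025, syn=True, ack=True)
    return [walk(rules, dict(syn, via="xl0", dir="in"), natd),
            walk(rules, dict(syn, via="rl0", dir="out"), natd),
            walk(rules, dict(synack, via="rl0", dir="in"), natd)]

def firewall_dns_reply(rules):
    """A reply to the firewall's own resolver query is addressed to 'me', so the posted
    udp rules pass it (which fits 'name resolving works fine' if the LAN hosts resolve
    through the firewall, an assumption)."""
    reply = dict(proto="udp", src="213.196.65.2", sport=53, dst=ME, dport=40000, via="rl0", dir="in")
    return walk(rules, reply, Natd())

if __name__ == "__main__":
    print("posted rules:   ", lan_web_session(POSTED))  # ['allow', 'allow', 'deny']
    print("with LAN rule:  ", lan_web_session(FIXED))   # ['allow', 'allow', 'allow']
    print("dns to firewall:", firewall_dns_reply(POSTED))  # allow
```

The third verdict is the whole problem: the SYN/ACK arrives addressed to the firewall, the divert rule hands it to natd, natd rewrites the destination to 192.168.0.5, and from then on no "to me" rule can match, so it falls through to the final deny. Note that "established" only inspects TCP flag bits; it is not connection tracking, so a rule like the added one passes any ACK segment aimed at the LAN net, the same property the posted "to me established" rule already has for the firewall itself.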