Hi, I am having a problem with my rule set. For some reason the `who` accesses from my local host, router and other machines on my local net are being rejected. I have tried opening port 513, but somehow the rule set does not see this.
Any ideas?

#!/bin/sh
#-----------------------------------------------------------------------#
# IPFW Firewall Rules (ipfw.rules_180508)                               #
#-----------------------------------------------------------------------#

# Flush out the list before we begin.
ipfw -q -f flush

# Reset logging
ipfw -q resetlog

# Set rules command prefix
cmd="ipfw -q add"

# Interface names
pif="ath0"   # public interface name of NIC facing the public Internet
iif="nve0"   # interface name of NIC facing the private LAN
lif="lo0"    # Loopback

#-----------------------------------------------------------------------#
# DYNAMIC RULES                                                         #
#-----------------------------------------------------------------------#
$cmd 0010 check-state

#-----------------------------------------------------------------------#
# LOOPBACK INTERFACE 127.0.0.1 (lo0) "$lif"                             #
# Purpose : allow Loopback and Deny Loopback Spoofing                   #
#-----------------------------------------------------------------------#
# INBOUND
$cmd 0020 allow all from 127.0.0.1 to me in via "$lif"
$cmd 0030 allow all from me to 127.0.0.1 out via "$lif"
$cmd 0040 allow tcp from 127.0.0.1 to 127.0.0.1 111 keep-state   # Allow RPC from Loopback
$cmd 0050 allow tcp from 127.0.0.1 to 127.0.0.1 113 keep-state   # Allow Identd from loopback
# OUTBOUND
# (0060 and 0070 repeat 0020 and 0030, so they never match anything new)
$cmd 0060 allow all from 127.0.0.1 to me in via "$lif"
$cmd 0070 allow all from me to 127.0.0.1 out via "$lif"

#-----------------------------------------------------------------------#
# INTERNAL NETWORK 10.0.0.4 (nve0) "$iif"                               #
# Object : No restrictions on LAN Interface                             #
#-----------------------------------------------------------------------#
# INBOUND
$cmd 0100 allow all from 10.0.0.0/8 to me in via $iif
$cmd 0200 deny all from 192.168.2.1 to any in via $iif
# OUTBOUND
$cmd 0300 allow all from me to 10.0.0.0/8 out via $iif

#-----------------------------------------------------------------------#
# EXTERNAL NETWORK 192.168.2.1 (ath0) "$pif"                            #
# Object :                                                              #
#-----------------------------------------------------------------------#
# INBOUND
$cmd 01000 allow tcp from any to me established
$cmd 01010 allow tcp from any to me 21 in via $pif                     # FTP
$cmd 01020 allow tcp from any to me 22 in via $pif setup keep-state    # SSH
$cmd 01030 allow tcp from any to me 25 in via $pif setup keep-state    # SMTP (was "udp ... setup": setup is TCP-only and SMTP is TCP)
$cmd 01040 allow tcp from any to me 53 in via $pif setup keep-state    # DNS (was "$ pif")
$cmd 01050 allow udp from any to me 53 in via $pif keep-state
$cmd 01060 allow tcp from any to me 80 in via $pif setup keep-state    # HTTP/WWW
$cmd 01070 allow tcp from any to me 110 in via $pif setup keep-state   # POP3
$cmd 01080 allow udp from any to me 161 in via $pif keep-state         # SNMP
$cmd 01090 allow udp from any to me 27015 in via $pif keep-state       # Unassigned
# IPv6 is dropped here outright. (The rc.firewall template comment this came
# from talks about passing IPv6 to rc.firewall6; this rule does the opposite.)
$cmd 01100 deny ipv6 from any to any
# Anti-spoofing: reserved and private ranges must not arrive on $pif.
# Note that 01210 also covers the 192.168.2.x network $pif itself sits on.
$cmd 01110 deny all from 0.0.0.0/8 to me in via $pif              # loopback
$cmd 01120 deny all from any to 0.0.0.0/8 in via $pif
$cmd 01130 deny all from any to 127.0.0.1/8 in via $pif
$cmd 01140 deny all from 127.0.0.0/8 to me in via $pif            # loopback
$cmd 01150 deny all from any to 10.0.0.0/8 in via $pif
$cmd 01160 deny all from 10.0.0.4 to any in via $pif
$cmd 01170 deny all from 10.0.0.0/8 to me in via $pif             # RFC 1918 private IP
$cmd 01180 deny all from any to 172.16.0.0/12 in via $pif
$cmd 01190 deny all from 172.16.0.0/12 to me in via $pif          # RFC 1918 private IP
$cmd 01200 deny all from any to 169.254.0.0/16 in via $pif
$cmd 01210 deny all from 192.168.0.0/16 to me in via $pif         # RFC 1918 private IP
$cmd 01220 deny all from any to 224.0.0.0/4 in via $pif
$cmd 01230 deny all from any to 240.0.0.0/4 in via $pif
$cmd 01240 deny all from 169.254.0.0/16 to me in via $pif         # DHCP auto-config
$cmd 01250 deny all from 192.0.2.0/24 to me in via $pif           # reserved for docs
$cmd 01260 deny all from any to 192.0.2.0/24 in via $pif
$cmd 01270 deny all from 204.152.64.0/23 to me in via $pif        # Sun cluster interconnect
$cmd 01280 deny all from 224.0.0.0/3 to me in via $pif            # Class D & E multicast
$cmd 01290 deny icmp from any to me in via $pif                   # Deny public pings
$cmd 01300 deny tcp from any to me 113 in via $pif                # Deny ident
$cmd 01310 deny tcp from any to me 137 in via $pif                # Netbios service=name
$cmd 01320 deny tcp from any to me 138 in via $pif                # Netbios service=datagram
$cmd 01330 deny tcp from any to me 139 in via $pif                # Netbios service=session
$cmd 01340 deny tcp from any to me 81 in via $pif                 # Unassigned
$cmd 01350 deny all from any to me frag in via $pif               # Deny any late arriving packets
$cmd 01360 deny tcp from any to me established in via $pif
# OUTBOUND
$cmd 01370 deny all from 0.0.0.0/8 to any out via $pif
$cmd 01380 deny log all from 127.0.0.1/8 to any out via $pif
$cmd 01390 deny log all from 10.0.0.0/8 to any out via $pif
$cmd 01400 deny tcp from any to me 25 out via $pif setup keep-state
$cmd 01419 deny tcp from any to me 110 out via $pif setup keep-state
# 01420 already matches every outbound packet from me on $pif, so the
# allow rules after it are only reached by packets it does not cover.
$cmd 01420 allow all from me to any out via $pif keep-state
$cmd 01430 allow icmp from me to any out via $pif
$cmd 01440 allow tcp from me to 192.168.2.1 53 out via $pif setup keep-state   # DNS (original lacked a "to" clause; destination assumed)
$cmd 01450 allow udp from me to 192.168.2.1 53 out via $pif keep-state         # DNS (same fix)
$cmd 01460 allow udp from any 68 to 192.168.2.1 67 out via $pif keep-state     # Bootstrap Protocol Server
$cmd 01470 allow tcp from me to any 21 out via $pif                            # FTP
$cmd 01480 allow udp from me to any 53 out via $pif keep-state                 # DNS
$cmd 01490 allow udp from me to any 53 out keep-state
$cmd 01500 allow tcp from me to any 80 out via $pif setup keep-state           # Allow out non-secure standard www function
$cmd 01510 allow tcp from any to any 443 out via $pif setup keep-state         # Allow out secure www function https over TLS SSL
$cmd 01520 allow tcp from me to any out via $pif setup keep-state uid root     # Allow out FBSD (make install & CVSUP) functions
$cmd 01530 allow icmp from me to any out via $pif keep-state                   # Allow out ping
$cmd 01540 allow tcp from me to any 37 out via $pif setup keep-state           # Allow out Time
$cmd 01550 allow tcp from me to any 119 out via $pif setup keep-state          # Allow out nntp news (i.e. news groups 119)
$cmd 01560 allow tcp from me to any 22 out via $pif setup keep-state           # Allow out secure FTP, Telnet, and SCP
$cmd 01570 allow tcp from me to any 43 out via $pif setup keep-state           # Allow out whois
$cmd 01580 deny log udp from any to me in
$cmd 01590 deny log udp from any to me out
$cmd 01600 deny log udp from me to any in
$cmd 01610 deny log udp from me to any out
$cmd 01620 deny log ip from any to me in
$cmd 01630 deny log ip from any to me out
$cmd 01640 deny log ip from me to any in
$cmd 01650 deny log ip from me to any out

#-------------------------------------------------------------------------------#
# Everything else is denied by default                                          #
# deny and log all packets that fell through to see what they are               #
#-------------------------------------------------------------------------------#
$cmd 02000 deny log all from any to any
#--------------------------- End of IPFW rules file ----------------------------#

--
Lysergius says "Stay light and trust gravity"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
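ipfw evaluates rules in ascending order and the first match wins, so the way to find out why a packet is rejected is to trace which rule it hits first. The script below is an added example, not code from the post or from FreeBSD: a toy first-match evaluator for the subset of ipfw(8) syntax the rule set uses. It transcribes a short excerpt of the posted rules (interface variables expanded), and the local addresses in ME, in particular 192.168.2.10 as the host's own address on ath0, are assumptions. Dynamic state (check-state/keep-state) is not modelled; `setup` and `established` are approximated with a per-packet SYN flag. Run on constructed packets it shows that a port-513 connection from the LAN hits rule 0100 (allow), one from loopback hits 0020 (allow), while one from the router 192.168.2.1 arriving on ath0 hits the anti-spoof rule 01210 (deny all from 192.168.0.0/16) before any port-specific rule is consulted. The parser also rejects two of the defects visible in the post, a `setup` option on a udp rule and a rule with no `to` clause, since ipfw would refuse to load those lines.

```python
"""Toy first-match evaluator for a subset of ipfw(8) rule syntax (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses the firewall host answers to as "me": 10.0.0.4 is from the post,
# 127.0.0.1 is loopback, 192.168.2.10 is an ASSUMED address on ath0.
ME = {"127.0.0.1", "10.0.0.4", "192.168.2.10"}


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: Optional[str]
    iface: Optional[str]
    setup: bool
    established: bool


def parse_rule(line: str) -> Optional[Rule]:
    """Parse '<num> <action> [log] <proto> from <src> [port] to <dst> [port] [opts...]'."""
    toks = line.split()
    number, action = int(toks[0]), toks[1]
    if action == "check-state":
        return None                      # dynamic rules are out of scope for this toy
    i = 2
    if toks[i] == "log":
        i += 1                           # logging does not change what matches
    proto = toks[i]
    i += 1
    if toks[i] != "from":
        raise ValueError(f"rule {number}: expected 'from', got {toks[i]!r}")
    src = toks[i + 1]
    i += 2
    sport = None
    if toks[i].isdigit():
        sport = int(toks[i])
        i += 1
    if toks[i] != "to":                  # catches "from 192.168.2.1 53 out via ath0"
        raise ValueError(f"rule {number}: expected 'to', got {toks[i]!r}")
    dst = toks[i + 1]
    i += 2
    dport = None
    if i < len(toks) and toks[i].isdigit():
        dport = int(toks[i])
        i += 1
    opts = toks[i:]
    if "setup" in opts and proto != "tcp":
        raise ValueError(f"rule {number}: 'setup' is only valid for tcp")
    direction = next((o for o in opts if o in ("in", "out")), None)
    iface = opts[opts.index("via") + 1] if "via" in opts else None
    return Rule(number, action, proto, src, sport, dst, dport, direction, iface,
                "setup" in opts, "established" in opts)


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    # strict=False tolerates host bits, as ipfw does for "127.0.0.1/8"
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto not in ("all", "ip") and rule.proto != pkt["proto"]:
        return False
    if not addr_matches(rule.src, pkt["src"]) or not addr_matches(rule.dst, pkt["dst"]):
        return False
    if rule.sport is not None and rule.sport != pkt.get("sport"):
        return False
    if rule.dport is not None and rule.dport != pkt.get("dport"):
        return False
    if rule.direction is not None and rule.direction != pkt["dir"]:
        return False
    if rule.iface is not None and rule.iface != pkt["iface"]:
        return False
    syn = pkt.get("syn", False)
    if rule.setup and not syn:           # setup: only the first packet of a TCP connection
        return False
    if rule.established and syn:         # established: any packet but that first one
        return False
    return True


def first_match(rules, pkt: dict) -> tuple:
    """Return (number, action) of the first matching rule; 65535 is ipfw's default rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


# Constructed excerpt of the posted rule set, in order, with $pif/$iif/$lif expanded.
RULESET_TEXT = """
0010 check-state
0020 allow all from 127.0.0.1 to me in via lo0
0100 allow all from 10.0.0.0/8 to me in via nve0
0200 deny all from 192.168.2.1 to any in via nve0
01000 allow tcp from any to me established
01020 allow tcp from any to me 22 in via ath0 setup keep-state
01210 deny all from 192.168.0.0/16 to me in via ath0
01290 deny icmp from any to me in via ath0
02000 deny log all from any to any
"""
RULES = [r for r in (parse_rule(l) for l in RULESET_TEXT.strip().splitlines()) if r]


def trace_samples() -> dict:
    """Constructed packets: port 513 from each network, plus SSH and ping from the router."""
    samples = {
        "lan_513":      {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.4", "dport": 513,
                         "dir": "in", "iface": "nve0", "syn": True},
        "loopback_513": {"proto": "tcp", "src": "127.0.0.1", "dst": "127.0.0.1", "dport": 513,
                         "dir": "in", "iface": "lo0", "syn": True},
        "router_513":   {"proto": "tcp", "src": "192.168.2.1", "dst": "192.168.2.10", "dport": 513,
                         "dir": "in", "iface": "ath0", "syn": True},
        "router_ssh":   {"proto": "tcp", "src": "192.168.2.1", "dst": "192.168.2.10", "dport": 22,
                         "dir": "in", "iface": "ath0", "syn": True},
        "router_ping":  {"proto": "icmp", "src": "192.168.2.1", "dst": "192.168.2.10",
                         "dir": "in", "iface": "ath0"},
    }
    return {name: first_match(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (num, action) in trace_samples().items():
        print(f"{name:13s} -> rule {num:5d} {action}")
```

On a real host the equivalent check is `ipfw -t list` or `ipfw show`, whose per-rule packet counters reveal which deny rule is absorbing the traffic; the point of the toy is that an "open port 513" rule placed after 01210 can never be reached by packets from the 192.168.2.0/24 side of ath0, because ipfw stops at the first match.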
