Dave McCammon wrote:

--- Jim Campbell <[EMAIL PROTECTED]> wrote:

Glenn Dawson wrote:

At 08:18 PM 7/17/2005, Jim Campbell wrote:

I have a machine set up as a classroom to learn about FreeBSD. It is running 4.11 primarily because anything later can't see my hard drive. As background, my FBSD machine has an address of 192.168.1.110. It is situated behind a hardware firewall (a Linksys router). $pif is vr0.

I'm having problems setting up IPFW to communicate with an Onion router. The puzzling part is that I am able to use the Onion router but my /var/log/security file says that some of the packets are being dropped. Following is what I hope are the pertinent lines from my /etc/ipfw.rules file:

$cmd 00225 allow tcp from me to any 9001-9033 out via $pif setup keep-state
$cmd 00299 deny log all from me to any out via $pif
$cmd 00332 deny log tcp from any to me established in via $pif
Next is an excerpt from the /var/log/security file:

Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218 128.148.34.133:9001 out via vr0
Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959 131.175.189.134:9001 out via vr0
Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001 192.168.1.110:2218 in via vr0
Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030 192.168.1.110:4566 in via vr0

Now my questions. First, why isn't rule 225 allowing all the packets out to the Onion router? It seems to me that ipfw should allow all packets in the port range 9001-9033 out or none.

Rule 225 will only match packets used to set up the tcp session; once it's established you need another rule that will allow the established session to function.

Rule 299 is denying everything from leaving your machine except for the packets allowed by rule 225.


It appears that I didn't include enough of the ipfw.rules file. Following is another abstract:

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 00015 check-state

It's my understanding that this rule allows through any returning packets that match the dynamic rule established by Rule 225.


Next, the two inbound packets should be returning in response to an outbound packet. Why are they being dropped? Are they exceeding some timeout?

Rule 332 is denying all established traffic from entering your machine. So, while rule 225 allows you to establish a tcp session with another system on ports 9001-9033, once the session is established, rule 225 no longer applies and rule 332 is then throwing all those packets away.

-Glenn


Part of my problem is that I don't understand the protocols being used by the Onion routers. It appears that Tor (the application on my machine that sets up the communication with the Onion routers) begins to communicate with the Onion routers as soon as it starts. This communication continues as long as the FBSD machine is alive. Really shook me up when I first started using Tor and Privoxy. I thought someone was hacking my machine :-)

The really puzzling thing about this situation is that at least some of the messages concerning the Onion protocol are getting through. I can ask for www.google.com and sometimes it resolves to Google in Europe, sometimes to Google in Asia, and sometimes to Google here in the US. Ipfw appears to be only dropping some of the packets.

Perhaps I should set up another machine to sniff the packets that occur. Maybe that would give me an idea of what is happening with the Onion protocol.

In any event, thanks for your input to my problem, and if you have any other ideas I would appreciate them very much. I've been chewing on this problem the better part of a week.

Thanks,

Jim

Check the output of #ipfw show and make sure the check-state line is there.

Your config says:
$cmd 00015 check-state

and I think (at least on a 5.4 machine) it should say:
$cmd 00015 add check-state

Dave,

#ipfw show does show that check-state is there

I am using a 4.11 machine and $cmd = "ipfw -q add"

The command "#ipfw -a list" shows that there are many replies for each outbound packet to port 9001. I suppose that I should just let things be since the Tor service is working satisfactorily and I sure have learned a lot about firewalls while chasing this. And that is the whole point of my effort with FBSD.

Many thanks to all who have assisted me in this endeavor.

Jim
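The thread turns on how ipfw's "setup keep-state" and "check-state" rules interact with the two deny rules. The following is an added example, not code from the thread or from FreeBSD: a small Python model of ipfw's first-match evaluation with a dynamic rule table. It reuses Jim's rule numbers, address and ports, but the dynamic-entry lifetime (DYN_LIFETIME), the packet sequence and the idle gap are constructed for illustration, and the matching logic is deliberately simplified (only SYN/ACK flags, only TCP). It goes slightly beyond the thread by showing two situations that both produce the "299 Deny ... out" / "332 Deny ... in" pairing seen in Jim's log: a check-state rule that is missing (Dave's suspicion) and a dynamic entry that has expired after idle time (Jim's timeout question). It demonstrates that those outcomes are consistent with the log; it does not diagnose which one, if either, was Jim's actual cause.

```python
"""Toy model of ipfw stateful evaluation (added example, not from the thread).

Shows why 'setup keep-state' plus an early 'check-state' lets a TCP session
through, and why packets of a session with no live dynamic entry fall through
to 'deny ... out' (rule 299) and 'deny ... established in' (rule 332).
"""
from dataclasses import dataclass

ME = "192.168.1.110"
DYN_LIFETIME = 300  # seconds a dynamic entry survives without traffic (assumed value)


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out" via the interface
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_setup(p):
    """ipfw 'setup': SYN set and ACK clear, i.e. the first packet of a session."""
    return p.syn and not p.ack


def is_established(p):
    """ipfw 'established': ACK (or RST) set; only ACK is modelled here."""
    return p.ack


def flow_key(p):
    """Direction-independent endpoint pair so replies hit the same dynamic entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b))


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["num"])
        self.dyn = {}   # flow_key -> (parent rule number, expiry time)

    def _check_state(self, p, now):
        """Return the parent rule number if a live dynamic entry matches, else None."""
        key = flow_key(p)
        entry = self.dyn.get(key)
        if entry is None:
            return None
        parent, expiry = entry
        if now > expiry:                      # expired entries are reaped lazily here
            del self.dyn[key]
            return None
        self.dyn[key] = (parent, now + DYN_LIFETIME)  # traffic refreshes the entry
        return parent

    def evaluate(self, p, now=0):
        """Return (rule number, action) of the first rule that matches the packet."""
        for r in self.rules:
            if r["action"] == "check-state":
                parent = self._check_state(p, now)
                if parent is not None:
                    return parent, "allow"    # treated as a match on the parent rule
                continue
            if r["match"](p):
                if r.get("keep_state"):
                    self.dyn[flow_key(p)] = (r["num"], now + DYN_LIFETIME)
                return r["num"], r["action"]
        return 65535, "deny"                  # ipfw's default rule on a default-to-deny kernel


def jims_rules():
    """Rules 15, 225, 299 and 332 from the thread, expressed as match predicates."""
    return [
        {"num": 15, "action": "check-state"},
        {"num": 225, "action": "allow", "keep_state": True,
         "match": lambda p: p.direction == "out" and p.src == ME
                            and 9001 <= p.dport <= 9033 and is_setup(p)},
        {"num": 299, "action": "deny",
         "match": lambda p: p.direction == "out" and p.src == ME},
        {"num": 332, "action": "deny",
         "match": lambda p: p.direction == "in" and p.dst == ME and is_established(p)},
    ]


def run_session(idle_gap):
    """Drive one constructed Tor-style session through Jim's rules.

    idle_gap is the silence (seconds) before the last two packets.
    Returns the (rule, action) decision for each packet in order.
    """
    fw = Firewall(jims_rules())
    peer, pport, lport = "128.148.34.133", 9001, 2218     # endpoints from Jim's log
    syn = Packet("out", ME, lport, peer, pport, syn=True)
    synack = Packet("in", peer, pport, ME, lport, syn=True, ack=True)
    ack = Packet("out", ME, lport, peer, pport, ack=True)
    late_out = Packet("out", ME, lport, peer, pport, ack=True)
    late_in = Packet("in", peer, pport, ME, lport, ack=True)
    decisions = [fw.evaluate(syn, 0), fw.evaluate(synack, 1), fw.evaluate(ack, 2)]
    t = 2 + idle_gap
    decisions += [fw.evaluate(late_out, t), fw.evaluate(late_in, t + 1)]
    return decisions


if __name__ == "__main__":
    print("short idle:", run_session(10))    # every packet allowed via rule 225
    print("long idle: ", run_session(600))   # last two hit 299 out / 332 in, as in the log
```

With a short idle gap every packet, including the replies, is attributed to rule 225 through the check-state lookup. With a gap longer than the (assumed) entry lifetime, the next outbound packet is not a "setup" packet, so it misses rule 225 and is logged by 299, and the reply is logged by 332: the same two rule numbers Jim sees. Removing rule 15 from the list produces the same pair immediately, starting with the SYN/ACK.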
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
