-----Original Message-----
From: Jez Hancock [mailto:[EMAIL PROTECTED] On Behalf Of Jez Hancock
Sent: Saturday, February 14, 2004 5:36 PM
To: Eric F Crist
Cc: FreeBSD questions List
Subject: Re: continued IPFW issues... (actually a lack of ability on my
part)


On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
> I'm still having some sort of issues with ipfw rules on my server.
> I've got a
> cgi based irc client installed, and I can't connect.  Also, it seems
as if my
> DNS server isn't able to send queries out.  An ipfw show displays the
> following for me:
>
> 00050 54632 4640473 allow ip from me to any
> 00100     0       0 allow ip from any to any via lo0
> 00200     0       0 deny ip from any to 127.0.0.0/8
> 00300     0       0 deny ip from 127.0.0.0/8 to any
> 00400  4027  351563 allow ip from 63.228.14.240/29 to me
> 00500     2      80 allow ip from any to me dst-port 22
> 00600     2      80 allow ip from any to me dst-port 21
> 00700   388   25405 allow ip from any to me dst-port 25
> 00800    58    4944 allow ip from any to me dst-port 80
> 00900     2      80 allow ip from any to me dst-port 443
> 01000     2      80 allow ip from any to me dst-port 110
> 01100    54    4247 allow ip from any to me dst-port 53
> 01200     2      80 allow ip from any to me dst-port 6667
> 01300     2      80 allow ip from any to me dst-port 6668
> 01400     4     160 deny ip from not 63.228.14.240/29 to me dst-port
8080
> 65535 46432 7224466 deny ip from any to any
>
> Where is all that denied traffic coming from on the final rule?

You are only allowing traffic in and not out - as Matthew Seaman
mentioned in the last post in your previous thread, you should use
'keep-state' to keep track of the connections made to you.  See the
examples he provided in that thread.

>From the manpage for ipfw:

     check-state
             Checks the packet against the dynamic ruleset.  If a match
is
             found, execute the action associated with the rule which
gener-
             ated this dynamic rule, otherwise move to the next rule.
             Check-state rules do not have a body.  If no check-state
rule is
             found, the dynamic ruleset is checked at the first
keep-state or
             limit rule.

...

     keep-state
             Upon a match, the firewall will create a dynamic rule,
whose
             default behaviour is to match bidirectional traffic between
             source and destination IP/port using the same protocol.
The rule
             has a limited lifetime (controlled by a set of sysctl(8)
vari-
             ables), and the lifetime is refreshed every time a matching
             packet is found.

When a connection is made to port 80 from an external host, with the
'keep-state' flag set on your rule for port 80 data transfer will be
allowed in both directions to/from the external host to/from you on port
80 for a limited period.  The check-state rule effectively 'shortcuts'
the rest of the rules in the ruleset if a match is made for the external
host for the given action (inbound connections to port 80 in this case).

You'd need to do the same for each of the other ports you want to allow
free connections to/from.

Wouldn't my first rule:

ipfw allow ip from me to any

have fixed this problem?

---
Eric F Crist
President
AdTech Integrated Systems, Inc
(612) 998-3588





_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to