On 2004-08-04 17:13, Srot BULL <[EMAIL PROTECTED]> wrote:
This is found in my /etc/ipfw.rules
### Allow out non-secure standard www function  ###
$CMD 00200 allow tcp from any to any 80 out via $IFN setup keep-state
### Allow out send & get email function ###
$CMD 00230 allow tcp from any to any 25 out via $IFN setup keep-state
$CMD 00231 allow tcp from any to any 110 out via $IFN setup keep-state
### deny and log everything else that's trying to get out.      ###
### This rule enforces the block all by default logic.  ###
$CMD 00299 deny log all from any to any out via $IFN


Why are the above firewall logs telling me that it has denied my TCP
packets, and yet I am not experiencing any problems with my email and
access to the internet through port 80? [...]

Giorgos Keramidas wrote: Show us the full ruleset. Otherwise we're just guessing...


My apologies, below is my complete ruleset:
# Flush out EVERYTHING first before starting
ipfw -q -f flush

# Set rules command prefix
CMD="ipfw -q add"
IFN="rl0"


#* No restrictions on Loopback Interface *#
$CMD 00010 allow all from any to any via lo0

#* Allow the packet through if it has previous been added to the *#
#* the "dynamic" rules table by a allow keep-state statement. *#
$CMD 00015 check-state

#* Interface facing Public internet (Outbound Section) *#
#* Interrogate session start requests originating from behind the *#
#* firewall on the private network or from this gateway server *#
#* destine for the public internet. *#

#*** Temporary OPENINGS ***#
$CMD 00099 allow tcp from any to any 6088 out via $IFN setup keep-state

#* Allow out access to ISP's DNS. *#
$CMD 00110 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
$CMD 00111 allow udp from any to x.x.x.x 53 out via $IFN keep-state
$CMD 00112 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
$CMD 00113 allow udp from any to x.x.x.x 53 out via $IFN keep-state
$CMD 00114 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
$CMD 00115 allow udp from any to x.x.x.x 53 out via $IFN keep-state

#* Allow out access to my ISP's DHCP server for cable/DSL configurations. *#
$CMD 00120 allow udp from any to x.x.x.x 67 out via $IFN keep-state

#* Allow out non-secure standard www function *#
$CMD 00200 allow tcp from any to any 80 out via $IFN setup keep-state

#* Allow out connection for my Dictionary *#
$CMD 00201 allow tcp from any to any 2628 out via $IFN setup keep-state

#* Allow out connection for MSN Protocol *#
#* ('setup' dropped from the UDP rule: 'setup' matches only TCP packets with SYN *#
#* set and ACK clear, so as originally written the UDP rule could never match.) *#
$CMD 00202 allow tcp from any to any 1863 out via $IFN setup keep-state
$CMD 00203 allow udp from any to any 1863 out via $IFN keep-state

#* Allow out secure www function https over TLS SSL *#
$CMD 00220 allow tcp from any to any 443 out via $IFN setup keep-state

#* Allow out SEND & GET email function *#
$CMD 00230 allow tcp from any to any 25 out via $IFN setup keep-state
$CMD 00231 allow tcp from any to any 110 out via $IFN setup keep-state

#* Allow out FBSD (make install & CVSUP) functions *#
#* Basically give user root "GOD" privileges. *#
$CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root

# Allow out ping *#
$CMD 00250 allow icmp from any to any out via $IFN keep-state

#* Allow out Time *#
$CMD 00260 allow tcp from any to any 37 out via $IFN setup keep-state

#* Allow out nntp news (IE: news groups) *#
$CMD 00270 allow tcp from any to any 119 out via $IFN setup keep-state

#* Allow out secure FTP, Telnet, and SCP *#
#* This function is using SSH (secure shell) *#
$CMD 00280 allow tcp from any to any 22 out via $IFN setup keep-state

#* Allow out whois *#
$CMD 00290 allow tcp from any to any 43 out via $IFN setup keep-state

#* DENY and LOG everything else thats trying to get out. *#
#* This rule enforces the block all by default logic. *#
$CMD 00299 deny log all from any to any out via $IFN


#* Interface facing Public internet (Inbound Section) *#
#* Interrogate packets originating from the public internet *#
#* destine for this gateway server or the private network. *#

#* Deny all inbound traffic from non-routable reserved address spaces *#
#RFC 1918 private IP#
$CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
#RFC 1918 private IP#
$CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
#RFC 1918 private IP#
$CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN
#loopback#
$CMD 00303 deny all from 127.0.0.0/8 to any in via $IFN
#"this network" (RFC 1122), not loopback#
$CMD 00304 deny all from 0.0.0.0/8 to any in via $IFN
#link-local / DHCP auto-config#
$CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN
#reserved for doc's (TEST-NET)#
$CMD 00306 deny all from 192.0.2.0/24 to any in via $IFN
$CMD 00307 deny all from 204.152.64.0/23 to any in via $IFN
#Class D & E multicast#
$CMD 00308 deny all from 224.0.0.0/3 to any in via $IFN

#* Deny public pings *#
$CMD 00310 deny icmp from any to any in via $IFN

#* Deny ident *#
#* (port 113 added: as originally written the rule read "deny tcp from any to any in", *#
#* which silently denies every new inbound TCP connection, not only ident.)            *#
$CMD 00315 deny tcp from any to any 113 in via $IFN

#* Deny all Netbios service. 137=name, 138=datagram, 139=session *#
#* Netbios is MS/Windows sharing services. *#
#* Block MS/Windows hosts2 name server requests 81 *#
$CMD 00320 deny tcp from any to any 137 in via $IFN
$CMD 00321 deny tcp from any to any 138 in via $IFN
$CMD 00322 deny tcp from any to any 139 in via $IFN
$CMD 00323 deny tcp from any to any 81 in via $IFN

#* Deny any late arriving packets *#
$CMD 00330 deny all from any to any frag in via $IFN

#* Deny ACK packets that did not match the dynamic rule table *#
$CMD 00332 deny tcp from any to any established in via $IFN

#* Allow traffic in from ISP's DHCP server. *#
#* Only necessary for cable or DSL configurations. *#
$CMD 00360 allow udp from any to x.x.x.x 67 in via $IFN keep-state

#* Allow in standard www function because Apache Server *#
#$CMD 00400 allow tcp from any to me 80 in via $IFN setup limit src-addr 2

#* Allow in secure FTP, Telnet, and SCP from public Internet *#
#$CMD 00410 allow tcp from any to me 22 in via $IFN setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet *#
# labeled non-secure because ID & PW are passed over public *#
# internet as clear text. *#
#$CMD 00420 allow tcp from any to me 23 in via $IFN setup limit src-addr 2

#* Reject & Log all incoming connections from the outside *#
$CMD 00499 deny log all from any to any in via $IFN

# Everything else is denied by default
# DENY and LOG all packets that fell through to see what they are
$CMD 00999 deny log all from any to any

The basis for my ruleset is taken from:
http://freebsd.a1poweruser.com:6088/FBSD_firewall/
If you find anything wrong with my ruleset, please do comment... only if you do not mind...


Thanks,

Srot BULL
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
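Added editor's example, not part of the thread above and not ipfw code: a small Python model of how ipfw walks a stateful ruleset like this one (numbered rules, `setup keep-state` creating entries in the dynamic table, `check-state` consulting it, `established`, and `deny log`). It reproduces the effect the poster is asking about. An ipfw `Deny TCP ... out` log line at rule 00299 carries no TCP flags, so it may be a straggler (ACK, FIN, RST) from a session whose dynamic entry has already expired; that packet is dropped and logged, but the session it belonged to has finished, so nothing visibly breaks. By contrast, `setup` on a UDP rule (rule 00203 as originally written) is a permanent miss: every UDP packet to port 1863 falls through to 00299. The rule numbers are the ones from the ruleset above; the packets, addresses and interface name are constructed, the log format is approximated, and source-address matching, `uid`, `frag` and the bogon rules are left out of the model.

```python
"""Toy model of ipfw stateful evaluation (constructed example, not ipfw code).
Covers only what the ruleset above relies on: proto, destination port, in/out,
via <iface>, setup, keep-state, check-state, established and log."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" | "udp" | "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "in" | "out"
    iface: str
    syn: bool = False    # TCP flags; ignored for other protocols
    ack: bool = False

@dataclass
class Rule:
    num: int
    action: str                 # "allow" | "deny" | "check-state"
    proto: str = "all"
    dport: int = 0              # 0 = any port
    direction: str = ""         # "" = either direction
    iface: str = ""
    setup: bool = False         # TCP with SYN set and ACK clear
    keep_state: bool = False
    established: bool = False   # TCP with ACK set (real ipfw also counts RST)
    log: bool = False

def flow_key(p):
    """Bidirectional flow key: a reply maps to the same entry as the request."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def matches(r, p):
    """Static match of one rule against one packet."""
    if r.proto != "all" and r.proto != p.proto:
        return False
    if (r.dport and r.dport != p.dport) or (r.direction and r.direction != p.direction) \
            or (r.iface and r.iface != p.iface):
        return False
    # setup/established test TCP flags, so a UDP packet never satisfies them
    if r.setup and not (p.proto == "tcp" and p.syn and not p.ack):
        return False
    if r.established and not (p.proto == "tcp" and p.ack):
        return False
    return True

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = set()     # the "dynamic rules table"
        self.log = []            # syslog-style lines; the format is approximated

    def process(self, p):
        for r in self.rules:
            # check-state (and implicitly every keep-state rule) consults the dynamic table first
            if (r.action == "check-state" or r.keep_state) and flow_key(p) in self.dynamic:
                return r.num, "allow"   # all dynamic entries here stem from allow rules
            if r.action == "check-state" or not matches(r, p):
                continue
            if r.keep_state:
                self.dynamic.add(flow_key(p))
            if r.log:
                self.log.append("ipfw: %d %s %s %s:%d %s:%d %s via %s" % (
                    r.num, r.action.capitalize(), p.proto.upper(),
                    p.src, p.sport, p.dst, p.dport, p.direction, p.iface))
            return r.num, r.action
        return 65535, "deny"            # ipfw's built-in default rule

IFN = "rl0"   # constructed, as in the ruleset above

def ruleset():
    """Stateful core of the ruleset above, same rule numbers; the rest is omitted."""
    return [
        Rule(15, "check-state"),
        Rule(200, "allow", "tcp", 80, "out", IFN, setup=True, keep_state=True),
        Rule(203, "allow", "udp", 1863, "out", IFN, setup=True, keep_state=True),  # 'setup' on UDP
        Rule(230, "allow", "tcp", 25, "out", IFN, setup=True, keep_state=True),
        Rule(299, "deny", "all", 0, "out", IFN, log=True),
        Rule(332, "deny", "tcp", 0, "in", IFN, established=True),
        Rule(499, "deny", "all", 0, "in", IFN, log=True),
    ]

def demo():
    """Push constructed packets (RFC 1918 / TEST-NET addresses) through the model."""
    fw, r = Firewall(ruleset()), {}
    client, server = "192.168.1.10", "203.0.113.5"
    r["http_syn"] = fw.process(Packet("tcp", client, 1025, server, 80, "out", IFN, syn=True))
    r["http_synack"] = fw.process(Packet("tcp", server, 80, client, 1025, "in", IFN, syn=True, ack=True))
    # Straggler ACK after the dynamic entry expired (net.inet.ip.fw.dyn_*_lifetime):
    # outbound it hits 00299 and is logged, inbound 00332 drops it silently; the session was over.
    fw.dynamic.clear()
    r["late_ack_out"] = fw.process(Packet("tcp", client, 1025, server, 80, "out", IFN, ack=True))
    r["late_ack_in"] = fw.process(Packet("tcp", server, 80, client, 1025, "in", IFN, ack=True))
    # UDP to 1863: 'setup' never matches UDP, so the packet falls through to 00299.
    r["msn_udp"] = fw.process(Packet("udp", client, 5000, "203.0.113.9", 1863, "out", IFN))
    # Unsolicited inbound SYN with no allow rule: 00499.
    r["inbound_ssh"] = fw.process(Packet("tcp", "198.51.100.7", 40000, "203.0.113.1", 22, "in", IFN, syn=True))
    return r, fw.log

if __name__ == "__main__":
    results, log = demo()
    for name, (num, verdict) in results.items():
        print("%-13s -> rule %5d %s" % (name, num, verdict))
    print("\n".join(log))
```

Running `demo()` gives three log lines: two at 00299 (the straggler ACK and the UDP 1863 packet) and one at 00499 (the inbound SYN); the HTTP handshake itself passes at 00200 and 00015. To separate harmless stragglers from a real outbound block on a live box, compare the logged destination port against the `allow ... setup keep-state` rules: a logged packet to an allowed port (80, 25, 110) can only be a non-SYN packet with no dynamic entry, whereas a logged packet to a port with no allow rule at all (or a UDP packet to 1863 under the original `setup` wording) is a genuine deny.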
