You are so the man!

That's it. You have no idea how long I've spent looking for this.

Thanks again!
----- Original Message ----- From: "Andras Kende" <[EMAIL PROTECTED]>
To: "'Gerard Meijer'" <[EMAIL PROTECTED]>; <freebsd-questions@freebsd.org>
Sent: Monday, January 03, 2005 7:59 PM
Subject: RE: ipfw question (FreeBSD 4.11)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gerard Meijer
Sent: Monday, January 03, 2005 12:29 PM
To: freebsd-questions@freebsd.org
Subject: ipfw question (FreeBSD 4.11)

I run apache webserver on my server with FreeBSD 4.11

I have a question about ipfw. I have the following rules in my
/etc/ipfw.conf:

$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state

(with $pif being my NIC)

Now, everything works fine for me, but I get a lot (and I mean a lot) of
these kinds of messages in my log:

[Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out via em0
[Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via em0

(with a.b.c.d being my IP and e.f.g.h being somebody else's IP).

I guess these people are not surfing through port 80??? Correct me if I'm
wrong. How can I change ipfw's rules so that these people aren't blocked
anymore?

Thanks in advance!

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Hello,

I'm not 100% sure, but if I remember correctly you need to put "established"
before the webserver rule:


# Allow TCP through if setup succeeded:
${fwcmd} add pass tcp from any to any established

# Allow setup of incoming http:
${fwcmd} add pass tcp from any to any 80 setup


From the stock /etc/rc.firewall "client" profile:

[Cc][Ll][Ii][Ee][Nn][Tt])
    ############
    # This is a prototype setup that will protect your system somewhat
    # against people from outside your own network.
    ############

# set these to your network and netmask and ip
ip="aaa.bbb.ccc.ddd"

setup_loopback

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming services
${fwcmd} add pass tcp from any to ${ip} 21,22,25,53,80,110,143,443,993,10000 setup

# Allow setup of PASV FTP
${fwcmd} add pass tcp from any to ${ip} 10001-10100 setup

# Allow setup of outgoing TCP connections only
${fwcmd} add pass log tcp from ${ip} to any setup

# Disallow setup of all other TCP connections
${fwcmd} add deny log tcp from any to any setup

# Allow DNS queries
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any

# Allow NTP
${fwcmd} add pass udp from any to any 123

#ICMP
${fwcmd} add pass log icmp from any to any icmptypes 3,4,11,12

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;


Best regards,

Andras Kende
http://www.kende.com
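Added worked example (not from the thread, and not ipfw itself): a small Python first-match simulator that models only the ipfw(8) options used in the rules above, direction, destination port list, "setup" (SYN set, ACK clear) and "established" (ACK or RST set). It does not model keep-state dynamic entries, so the "original" rule set shows what a packet sees when no dynamic entry matches it (for example after the entry has expired). The deny rules at 299 and 499, the TCP flags and the port numbers are assumptions chosen to line up with the two log lines Gerard quoted.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# TCP flag bits as in <netinet/tcp.h>
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" on the firewall interface
    src_port: int
    dst_port: int
    flags: int       # TCP flag bits


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                              # "pass" or "deny"
    direction: Optional[str] = None          # None: either direction
    dst_ports: FrozenSet[int] = frozenset()  # empty: any destination port
    setup: bool = False        # ipfw 'setup': SYN set and ACK clear
    established: bool = False  # ipfw 'established': ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False
        if self.setup and not (p.flags & TH_SYN and not p.flags & TH_ACK):
            return False
        if self.established and not p.flags & (TH_ACK | TH_RST):
            return False
        return True


def first_match(rules: List[Rule], p: Packet) -> Tuple[Optional[int], str]:
    """ipfw is first-match: return (rule number, action) of the first hit,
    or (None, 'deny') for a default-to-deny kernel."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return None, "deny"


# Gerard's two static rules plus assumed deny rules at the numbers in his log.
# Dynamic (keep-state) entries are not modelled: this is the path a packet
# takes when no dynamic entry matches it.
ORIGINAL_STATIC = [
    Rule(200, "pass", "out", frozenset({80}), setup=True),
    Rule(299, "deny", "out"),   # assumed: the logged "299 Deny ... out"
    Rule(400, "pass", "in", frozenset({80}), setup=True),
    Rule(499, "deny", "in"),    # assumed: the logged "499 Deny ... in"
]

# The ordering Andras suggests: 'established' before the 'setup' rules.
SUGGESTED = [
    Rule(100, "pass", established=True),
    Rule(200, "pass", dst_ports=frozenset({80}), setup=True),  # incoming http
    Rule(300, "pass", "out", setup=True),                      # outgoing TCP
    Rule(400, "deny", setup=True),                             # all other setup
]

# Constructed packets modelled on the two logged denies, plus two more cases.
SERVER_REPLY = Packet("out", 80, 4472, TH_ACK)   # a.b.c.d:80 -> e.f.g.h:4472
CLIENT_DATA = Packet("in", 1882, 80, TH_ACK)     # e.f.g.h:1882 -> a.b.c.d:80
CLIENT_SYN = Packet("in", 1882, 80, TH_SYN)      # new http connection
SSH_PROBE = Packet("in", 5555, 22, TH_SYN)       # inbound setup to port 22 (assumed)

PACKETS = {
    "server_reply": SERVER_REPLY,
    "client_data": CLIENT_DATA,
    "client_syn": CLIENT_SYN,
    "ssh_probe": SSH_PROBE,
}


def evaluate(rules: List[Rule]) -> dict:
    """Run every constructed packet through one rule set."""
    return {name: first_match(rules, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_STATIC), ("suggested", SUGGESTED)):
        for name, hit in evaluate(rules).items():
            print(f"{label:9} {name:13} -> {hit}")
```

With the original rules, both mid-connection ACK packets fall through to the 299/499 denies, which is exactly what the log shows; with an "established" rule in front they are passed by rule 100 without any dynamic state. The trade-off a practitioner should keep in mind is that "established" is stateless: it passes any TCP packet carrying ACK or RST, whether or not a SYN was ever seen, so it is weaker than a keep-state/check-state design even though it stops the log noise.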


