Dear W.D.,

Do you understand that by adding rules into kernel space, numbered from zero to sixty-five thousand five hundred thirty-four, you may alter the behavior of rule number sixty-five thousand five hundred thirty-five? Can you please define and list the goals you are trying to achieve by altering the default rule, in terms you can both explain and understand?
> ----- Original Message ----
> From: W. D. <[EMAIL PROTECTED]>
> To: [email protected]
> Cc: Tuomo Latto <[EMAIL PROTECTED]>
> Sent: Thursday, December 20, 2007 8:39:16 AM
> Subject: Re: IPFW: Blocking me out.. How to debug?
>
> At 03:49 12/17/2007, Tuomo Latto wrote:
>> W. D. wrote:
>>> How do I tell which rule is blocking me out? SSH *is* working,
>>> but others are not.
>>
>> It all depends on what you mean by "blocking you out" and "others".
>>
>> Did you try *reading* your fw config?
>>
>>> # Loopback:
>>> # Allow anything on the local loopback:
>>> add allow all from any to any via lo0
>>> add deny ip from any to 127.0.0.0/8
>>> add deny ip from 127.0.0.0/8 to any
>> Nope.
>>> # Allow established connections:
>>> add allow tcp from any to any established
>> Nope.
>>> # Deny fragmented packets:
>>> add deny ip from any to any frag
>> Nope.
>>> # Show pings:
>>> add count icmp from any to any icmptypes 8 in
>> Nope.
>>> # Allow pings, ping replies, and host unreach:
>>> add allow icmp from any to any icmptypes 0,8,3
>> Nope.
>>> # Allow UDP traceroutes:
>>> add allow udp from any to any 33434-34458 in
>>> add allow udp from any 33434-34458 to any out
>> Nope.
>>> # Allow DNS with name server
>>> add allow udp from any to any domain out
>>> add allow udp from any domain to any in
>> Nope.
>>> # SSH
>>> # Note that /etc/hosts.allow has restrictions
>>> # on which IP addresses are allowed.
>>> #
>>> # Allow SSH:
>>> add allow tcp from any to any ssh in setup
>> Nope, but this explains SSH working.
>>> # HTTP & HTTPS:
>>> add allow tcp from any to any https in setup
>>> add allow tcp from any to any http in setup
>> Nope.
>>> # Mail: SMTP & IMAP:
>>> add allow tcp from any to any smtp in setup
>>> add allow tcp from any to any imap in setup
>> Nope.
>>> # FTP:
>>> add allow tcp from any to any ftp in setup
>>> add allow tcp from any to any ftp\-data in setup
>>> add allow tcp from any ftp\-data to any setup out
>> Nope.
>>> # Allow NTP in and out
>>> add allow udp from any ntp to 128.252.19.1 ntp out
>>> add allow udp from 128.252.19.1 ntp to any ntp in
>> Nope.
>>> # Deny and log everything else:
>>> add deny log all from any to any
>> Bingo!
>>
>> "ipfw -a list" may also help (packet counts).
>
> I've been banging my head against this for the past few days. I don't get it.
> My understanding of the way this is supposed to work is that:
>
> # HTTP & HTTPS:
> add allow tcp from any to any https in setup
> add allow tcp from any to any http in setup
>
> should let initial HTTP & HTTPS requests through, and that:

That's correct! But you probably would also like the firewall to create a dynamic rule upon match, so the keep-state option is required.

> # Allow established connections:
> add allow tcp from any to any established

Very interesting.

> should allow connections that are "setup" to continue. Do I need a
> "check-state" or "keep-state" statement somewhere?

check-state should be applied to incoming packets only, not the dynamically added ones.

> I don't understand what is wrong with the last rule:
>
> # Deny and log everything else:
> add deny log all from any to any

It may lead to console lockup, and there is no other way to log in until you have physical access to the console.

> My understanding is that anything that doesn't match the previous rules will
> match this one and hence be logged and denied. Is this not correct?

Yes, this is very correct. What is recommended is adding a temporary rule that will allow everything prior to denying everything, so you can see in the log files what it is literally allowing. Maybe your own log files will tell you more than mine; cat /var/log/security for details. But after all, it's only a filtering facility; don't expect there are some overframed packets marching on the wires and seeking their way in.

> Again, I am having a great deal of difficulty understanding why these rules
> don't work as expected. I've scoured the 'Net and printed out just about
> every coherent ruleset out there.
This is true for me as well. Nothing ever works as expected; it only malfunctions when least expected. A good ruleset for starters, with little expectations, is the one you can read in the handbook. I can't wait for you to start quoting its firewall section: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

> Besides adding the "log" keyword on all of the rules, these are the debugging
> tools I have been using:
>
> ipfw disable firewall
> ipfw -f flush
> ipfw enable firewall
> /etc/rc.d/ipfw start
> ipfw -a -S -N -t list
> ipfw list
> tail -f /var/log/ipfw/ipfw.log
> tcpdump -i nve0 'proto \tcp && port http'

Maybe that is your way, but not the syslogd way: tail /var/log/security, or less.

> Could anyone please throw this tired dog a bone?

To be honest, it's quite difficult to read someone else's code, but if you define the goals you are trying to achieve... for example, what is this?

>>> add deny ip from any to 127.0.0.0/8
>>> add deny ip from 127.0.0.0/8 to any

> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
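The rule-evaluation semantics argued over in this thread (first match in rule-number order, "setup" versus "established", check-state/keep-state dynamic rules, and the implicit default rule 65535), as an added toy evaluator that is not part of the thread or of ipfw itself. The two rulesets are a TCP-only subset of the quoted static rules and the stateful variant the reply recommends; the addresses and ports used to exercise it are constructed, and the evaluator ignores protocol, source address and fragments, which the real ruleset also filters on.

```python
# Added example, not from the thread: toy first-match evaluator for ipfw semantics.
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "in" or "out", relative to the firewalled host
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    num: int
    action: str          # "allow", "deny" or "check-state"
    dport: int = 0       # 0 means any destination port
    direction: str = ""  # "" means either direction
    setup: bool = False        # ipfw "setup": SYN set, ACK clear
    established: bool = False  # ipfw "established": ACK (or RST) set
    keep_state: bool = False   # record the flow as a dynamic rule on match

def matches(r, p):
    return (r.dport in (0, p.dport)
            and r.direction in ("", p.direction)
            and (not r.setup or (p.syn and not p.ack))
            and (not r.established or p.ack))

def evaluate(rules, p, state):
    """Walk rules in number order; return (rule number, action) deciding p."""
    flow = frozenset({(p.src, p.sport), (p.dst, p.dport)})  # same key both ways
    for r in sorted(rules, key=lambda r: r.num):
        if r.action == "check-state":
            if flow in state:
                return r.num, "allow"        # matched a dynamic rule
            continue
        if matches(r, p):
            if r.keep_state:
                state.add(flow)
            return r.num, r.action
    return 65535, "deny"  # nothing matched: the implicit default rule

# TCP subset of the quoted static ruleset: established, http in setup, deny the rest
STATIC = [Rule(100, "allow", established=True),
          Rule(200, "allow", dport=80, direction="in", setup=True),
          Rule(900, "deny")]
# Stateful variant the reply recommends: check-state first, keep-state on setup rules
STATEFUL = [Rule(50, "check-state"),
            Rule(200, "allow", dport=80, direction="in", setup=True, keep_state=True),
            Rule(300, "allow", direction="out", setup=True, keep_state=True),
            Rule(900, "deny")]
```

Running constructed packets through `evaluate` shows which rule number decides each one before a ruleset is loaded on a box you only reach over SSH; note that in the static subset a connection the host itself opens has no "out setup" rule to match and falls through to the final deny.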
