IPFW problems connecting to port 25!

2004-03-11 Thread whizkid
I have IPFW setup, and in my ruleset I have the following line

add 04009 allow tcp from any to me dst-port 80 in via xl0 setup
add 04010 allow tcp from any to me dst-port 25 in via xl0 setup

however if I enable the firewall and try to telnet into port 25, it cannot
connect..  BUT if I disable the firewall I have NO problems.  With the
firewall enabled I can browse my webserver with no problem, but I cannot
connect to port 25..  Any suggestions?

FreeBSD 5.1-Current

ipfw disable firewall I can access port 25 remotely
ipfw enable firewall it cannot connect to port 25 remotely
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW problems connecting to port 25!

2004-03-11 Thread Kevin D. Kinsey, DaleCo, S.P.
[EMAIL PROTECTED] wrote:

> I have IPFW setup, and in my ruleset I have the following line
>
> add 04009 allow tcp from any to me dst-port 80 in via xl0 setup
> add 04010 allow tcp from any to me dst-port 25 in via xl0 setup
>
> however if I enable the firewall and try to telnet into port 25, it cannot
> connect..  BUT if I disable the firewall I have NO problems.  With the
> firewall enabled I can browse my webserver with no problem, but I cannot
> connect to port 25..  Any suggestions?
>
> FreeBSD 5.1-Current
>
> ipfw disable firewall I can access port 25 remotely
> ipfw enable firewall it cannot connect to port 25 remotely

You do have a rule for established connections?

Kevin Kinsey
DaleCo S.P.


Re: IPFW problems connecting to port 25!

2004-03-11 Thread whizkid
> [snip]
>
> You do have a rule for established connections?
>
> Kevin Kinsey
> DaleCo S.P.


You know the only rule I have for that is

add 6 deny log tcp from any to any established

I am assuming this is incorrect?


Re: IPFW problems connecting to port 25!

2004-03-11 Thread Kevin D. Kinsey, DaleCo, S.P.
[EMAIL PROTECTED] wrote:

>> [snip]
>>
>> You do have a rule for established connections?
>>
>> Kevin Kinsey
>> DaleCo S.P.
>
> You know the only rule I have for that is
>
> add 6 deny log tcp from any to any established
>
> I am assuming this is incorrect?


Aye, there's the rub.  Last rule is usually
deny ip from any to any; somewhere above
that, but after the setup rules is allow ip from
any to my.ip.add.ress established* ... it does
no good to allow the setup packets but no
further data
Kevin Kinsey
DaleCo S.P.
*instead of allow ip this could conceivably
be protocol specific, e.g. if you only have tcp
services available, allow tcp from any to {me} established
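To make the ordering point above concrete, here is an added toy model of ipfw's first-match evaluation (example code written for this page, not from the thread or from ipfw itself): it shows a setup-only ruleset passing the SYN but dropping the rest of the connection, a stateless established rule after the setup rules fixing that while also matching any stray ACK-flagged packet, and keep-state tracking the flow instead. The rule fields, hosts and ports are constructed, and the model ignores direction, interfaces and reverse-path checks.

```python
def matches(rule, pkt):
    """Stateless match on protocol, destination port and TCP flag options."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if rule.get("setup") and not (pkt["syn"] and not pkt["ack"]):
        return False  # setup = SYN set, ACK clear
    if rule.get("established") and not pkt["ack"]:
        return False  # established = ACK set, no connection state consulted
    return True

def evaluate(rules, pkts):
    """First-match verdict per packet; keep-state flows persist across packets."""
    flows, verdicts = set(), []
    for pkt in pkts:
        flow = (pkt["src"], pkt["sport"], pkt["dport"])
        for rule in rules:
            # dynamic entries are consulted at the first keep-state rule reached
            if rule.get("keep_state") and flow in flows:
                verdicts.append("allow")
                break
            if matches(rule, pkt):
                if rule.get("keep_state"):
                    flows.add(flow)
                verdicts.append(rule["action"])
                break
        else:
            verdicts.append("deny")  # ipfw's implicit final deny
    return verdicts

DENY_ALL = {"action": "deny", "proto": "ip"}
SMTP_SETUP = {"action": "allow", "proto": "tcp", "dport": 25, "setup": True}
# the original post's shape: a setup rule, then deny everything
SETUP_ONLY = [SMTP_SETUP, DENY_ALL]
# the fix suggested above: a stateless established rule after the setup rules
WITH_ESTABLISHED = [SMTP_SETUP, {"action": "allow", "proto": "tcp", "established": True}, DENY_ALL]
# stateful alternative: let ipfw track the flow that the setup packet opened
KEEP_STATE = [dict(SMTP_SETUP, keep_state=True), DENY_ALL]
def pkt(src, sport, dport, syn, ack):
    return {"proto": "tcp", "src": src, "sport": sport, "dport": dport, "syn": syn, "ack": ack}

# constructed traffic: one real SMTP handshake, then a stray ACK from another host
PACKETS = [
    pkt("198.51.100.7", 40000, 25, syn=True, ack=False),  # client SYN
    pkt("198.51.100.7", 40000, 25, syn=False, ack=True),  # client ACK / data
    pkt("203.0.113.9", 51000, 25, syn=False, ack=True),   # ACK with no SYN before it
]
```

Only the keep-state variant admits the second packet while still refusing the third, which is why a stateless `established` rule is the weaker of the two fixes.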


Re: IPFW problems connecting to port 25!

2004-03-11 Thread whizkid
> Aye, there's the rub.  Last rule is usually
> deny ip from any to any; somewhere above
> that, but after the setup rules is allow ip from
> any to my.ip.add.ress established* ... it does
> no good to allow the setup packets but no
> further data
>
> Kevin Kinsey
> DaleCo S.P.
>
> *instead of allow ip this could conceivably
> be protocol specific, e.g. if you only have tcp
> services available, allow tcp from any to {me} established

Below is the rc.firewall.rules file.  I found this on a How To website, I
just removed most of the NAT stuff because this is just a VERY SMALL
web/email/test server.  I have added what you had mentioned above, but it
still does not connect to port 25.  What do I have wrong?  Thanks for all
your help...

# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0

# allow some traffic from the local net to the router

# SSH
add 04000 allow tcp from any to me dst-port 22 in via xl0 setup keep-state

#IMAP-SSL
add 04001 allow tcp from any to me dst-port 143 in via xl0 setup keep-state

# NTP
add 04002 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04003 allow udp from any to me dst-port 123 in via xl0 keep-state

#webmin
add 04004 allow tcp from any to me dst-port 1 in via xl0 setup keep-state

#http
add 04005 allow tcp from any to me dst-port 80 in via xl0 setup keep-state

# DNS
add 04006 allow udp from any to me dst-port 53 in via xl0

#POP
add 04007 allow tcp from any to me dst-port 110 in via xl0 setup keep-state

add 04008 allow tcp from any to me dst-port 443 in via xl0 setup keep-state

#IMAPS
add 04009 allow tcp from any to me dst-port 993 in via xl0 setup keep-state

#SMTP
add 04010 allow tcp from any to me smtp in via xl0 setup

add 04011 allow tcp from any to me established
add 04012 allow udp from any to me established

# drop everything else
add 04020 deny ip from any to me

# allow all outgoing traffic from the router
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 5 deny ip from any to me dst-port 135,137-139,445,4665
add 6 deny log tcp from any to any established
add 60001 deny log ip from any to any
