IPFW problems connecting to port 25!
I have IPFW setup, and in my ruleset i have the following line add 04009 allot tcp from any to me dst port 80 in via x10 setup add 04010 allow tcp from any to me dst port 25 in via xl0 setup however if I enable the firewall and try to telnet into port 25, it cannot connect.. BUT if I disable the firewall I have NO problems. With the firewall enabled I can browse my webserver with no problem, but I cannot connect to port 25.. Any suggestions? FreeBSD 5.1-Current ipfw disable firewall I can access port 25 remotely ipfw enable firewall it cannot connect to port 25 remotely ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW problems connecting to port 25!
[EMAIL PROTECTED] wrote: I have IPFW setup, and in my ruleset i have the following line add 04009 allot tcp from any to me dst port 80 in via x10 setup add 04010 allow tcp from any to me dst port 25 in via xl0 setup however if I enable the firewall and try to telnet into port 25, it cannot connect.. BUT if I disable the firewall I have NO problems. With the firewall enabled I can browse my webserver with no problem, but I cannot connect to port 25.. Any suggestions? FreeBSD 5.1-Current ipfw disable firewall I can access port 25 remotely ipfw enable firewall it cannot connect to port 25 remotely You do have a rule for established connections? Kevin Kinsey DaleCo S.P. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW problems connecting to port 25!
[snip] You do have a rule for established connections? Kevin Kinsey DaleCo S.P. you know the only rule i have for that is add 6 deny log tcp from any to any established I am assuming this is incorrect? ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW problems connecting to port 25!
[EMAIL PROTECTED] wrote: [snip] You do have a rule for established connections? Kevin Kinsey DaleCo S.P. you know the only rule i have for that is add 6 deny log tcp from any to any established I am assuming this is incorrect? Aye, there's the rub. Last rule is usually deny ip from any to any; somewhere above that, but after the setup rules is allow ip from any to my.ip.add.ress established* ... it does no good to allow the setup packets but no further data Kevin Kinsey DaleCo S.P. *instead of allow ip this could conceivably be protocol specific, e.g. if you only have tcp services available, allow tcp from any to {me} established ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW problems connecting to port 25!
Aye, there's the rub. Last rule is usually deny ip from any to any; somewhere above that, but after the setup rules is allow ip from any to my.ip.add.ress established* ... it does no good to allow the setup packets but no further data Kevin Kinsey DaleCo S.P. *instead of allow ip this could conceivably be protocol specific, e.g. if you only have tcp services available, allow tcp from any to {me} established Below is the rc.firewall.rules file. I found this on a How To website, I just removed most of the NAT stuff because this is just a VERY SMALL web/email/test server. I have added what you had mentioned above, but it still does not connect to port 25. What do I have wronge? Thanks for all your help... # be quiet and flush all rules on start -q flush # allow local traffic, deny RFC 1918 addresses on the outside add 00100 allow ip from any to any via lo0 add 00110 deny ip from any to 127.0.0.0/8 add 00120 deny ip from any to any not verrevpath in add 00301 deny ip from 10.0.0.0/8 to any in via xl0 add 00302 deny ip from 172.16.0.0/12 to any in via xl0 add 00303 deny ip from 192.168.0.0/16 to any in via xl0 # allow some traffic from the local net to the router # SSH add 04000 allow tcp from any to me dst-port 22 in via xl0 setup keep-state #IMAP-SSL add 04001 allow tcp from any to me dst-port 143 in via xl0 setup keep-state # NTP add 04002 allow tcp from any to me dst-port 123 in via xl0 setup keep-state add 04003 allow udp from any to me dst-port 123 in via xl0 keep-state #webmin add 04004 allow tcp from any to me dst-port 1 in via xl0 setup keep-state #http add 04005 allow tcp from any to me dst-port 80 in via xl0 setup keep-state # DNS add 04006 allow udp from any to me dst-port 53 in via xl0 #POP add 04007 allow tcp from any to me dst-port 110 in via xl0 setup keep-state add 04008 allow tcp from any to me dst-port 443 in via xl0 setup keep-state #IMAPS add 04009 allow tcp from any to me dst-port 993 in via xl0 setup keep-state #SMTP add 04010 allow tcp from any to me smtp in via xl0 setup add 04011 allow tcp from any to me established add 04012 allow udp from any to me established # drop everything else add 04020 deny ip from any to me # allow all outgoing traffic from the router add 05010 allow ip from me to any out keep-state # drop everything that has come so far. This means it doesn't belong to an # established connection, don't log the most noisy scans. add 59998 deny icmp from any to me add 5 deny ip from any to me dst-port 135,137-139,445,4665 add 6 deny log tcp from any to any established add 60001 deny log ip from any to any ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]