Re: ipfw rules for connect port 993
Hello, thank you for your answer.

ad 1. I am sending my current firewall rules and a record from tcpdump on re0. My LAN is 172.16.0.0/22 (10... it was easy, I think it does not matter). My second LAN is 192.168.1.0/24 (on this network the connection to the IMAP port 993 works). My public IP is 86.49.91.98.
ad 2. Tcpdump on rl0 shows nothing.
ad 3. Yes, I have gateway_enable=YES in /etc/rc.conf.
ad 4. I think yes...

PS: The firewall is not my work, I inherited it.

Thank you very much
Petr Chocholac

On 24.8.2015 at 15:39 Allan Jude wrote:
> On 2015-08-24 09:05, Petr Chocholáč wrote:
>> Hello,
>> I would like to ask you for advice. I cannot connect to imap.gmail.com on port 993 from my local network. My LAN is behind a FreeBSD server with IPFW. The server has two network cards: rl0=Internet and re0=LAN (10.0.0.0/16). Tcpdump on re0 shows three SYN packets without answers.
>> What rules should I create? I tried something like this, without success:
>> #ipfw add 01500 allow ip from 10.0.0.0/16 to any in via re0
>> Thank you very much for any advice and your patience
>> Petr Chocholáč
>> Brno, Czech Republic
>> ___
>> freebsd-current@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
>
> We would need to see all of your current firewall rules (ipfw show)
>
> You'll want to tcpdump on rl0, to see if the packet is being forwarded.
>
> Do you have the machine configured as a gateway? (gateway_enable=YES in /etc/rc.conf)
>
> Are you doing NAT (Network Address Translation) to remap the internal (10.0.0.0/16) addresses to your internet routable IP?
Output of ipfw show (rule number, packets, bytes, rule; the listing is cut off after rule 04000):

00100 9036394 8499055198 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 134 9313 allow udp from any to 86.49.91.110 dst-port 53 keep-state
00500 0 0 allow udp from 86.49.91.110 53 to any keep-state
00600 0 0 allow tcp from 86.49.91.107 to any dst-port 25 setup
00700 0 0 allow tcp from 86.49.91.98 25 to any dst-port 25 setup
00800 0 0 allow udp from 86.49.91.110 53 to any keep-state
00900 956234 80342962 allow icmp from 86.49.91.98 to any keep-state
01000 17235 1324207 allow icmp from any to 86.49.91.98 keep-state
01100 14068 1530257 allow udp from 86.49.91.98 53 to any keep-state
01200 7759 554809 allow ip from 172.16.0.0/24 to 86.49.91.96/28
01300 94672736 allow ip from 86.49.91.96/28 to 172.16.0.0/24
01400 0 0 allow ip from 172.16.0.0/16 to 195.113.191.160/28 dst-port 8080,26,5,10943,22,26,3128,61085,514,25,53
01500 0 0 allow ip from 172.16.0.0/16 to 86.49.91.96/28 dst-port 8080,26,5,10943,22,26,3128,61085,514,25,53,993
01600 72238642 deny log ip from 218.0.0.0/8 to any via rl0
01700 0 0 deny log ip from 221.6.178.0/24{0-63} to any via rl0
01800 0 0 deny log ip from 210.68.8.128/25 to any via rl0
01900 12 845 deny log ip from 121.8.0.0/13 to any via rl0
02000 0 0 deny log ip from 58.208.0.0/20 to any via rl0
02100 0 0 deny log ip from 62.193.235.47 to any via rl0
02200 0 0 deny log ip from 74.208.164.166 to any via rl0
02300 0 0 deny log ip from any to 74.208.164.166
02400 0 0 deny log ip from 61.78.0.0/16 to any via rl0
02500 0 0 deny log ip from 91.200.108.0/24 to any dst-port 25 via rl0
02600 0 0 allow ip from 172.16.2.0/24 to any dst-port 53 keep-state
02700 67565 11649052 allow ip from 172.16.2.0/23 to any dst-port 53 keep-state
02800 24017484 allow log logamount 2 udp from 172.16.0.99 to any dst-port 53 out via rl0 keep-state
02900 0 0 allow log logamount 2 udp from any 53 to 172.16.0.99 in via rl0 keep-state
03000 0 0 allow log logamount 2 udp from any 53 to 192.168.1.1 in via rl0 keep-state
03100 23 1493 allow log logamount 100 udp from 192.168.1.1 53 to any keep-state
03200 0 0 fwd 172.16.0.99,8080 tcp from 172.16.2.0/24 to any dst-port 80 out via rl0
03300 2543961222167859 fwd 172.16.0.99,8080 tcp from 172.16.2.0/23 to any dst-port 80 out via rl0
03400 0 0 allow tcp from 172.16.2.0/23 to 172.16.0.2 setup
03500 0 0 allow tcp from 172.16.2.0/24 to 172.16.0.2 setup
03600 0 0 allow ip from 172.16.2.0/23 to 172.16.0.2 setup
03700 0 0 allow ip from 172.16.2.0/24 to 172.16.0.2 setup
03800 0 0 allow tcp from 172.16.2.0/24 to 192.168.1.1 setup
03900 0 0 allow tcp from 172.16.2.0/24 to 192.168.1.1 setup
04000 29654 1806084 allow tcp
Re: ipfw rules for connect port 993
On 8/25/15 4:02 PM, Petr Chocholáč wrote:
> Hello,

Ignore my previous email, you have answered my questions here.

The firewall set you show is pretty horrible. It really needs a rewrite.

Do you want to block the two LANs from each other, or block any machines on the LANs from reaching the firewall? If not, then you should start by adding two rules:

ipfw add 350 allow ip from any to any in recv {LAN interface}
ipfw add 351 allow ip from any to any out xmit {LAN interface}

as you do not want to block that traffic. You should only be looking at traffic on the internet interface. In your current rule set all the rules are being tested at all interfaces, which is a waste of CPU and also makes it very hard to work out what is going on.

If you DO want to filter on other interfaces, then send traffic for each interface to a different set of rules, incoming and outgoing. For example:

add 350 skipto 1000 ip from any to any in recv rl0
add 360 skipto 1100 ip from any to any out xmit rl0
add 370 skipto 1200 ip from any to any in recv re0
add 380 skipto 1300 ip from any to any out xmit re0

etc... Then at each rule set (1000, 2000, 3000...) you only have the rules you need for that exact flow.
Also, you should use a table to hold all the subnets and addresses that are there. For example, you have:

08800 0 0 allow tcp from 85.70.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
08900 0 0 allow tcp from 85.71.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
09000 0 0 allow tcp from 84.42.232.0/21 to 86.49.91.98 dst-port 443 setup via rl0
09100 0 0 allow tcp from 84.42.240.0/20 to 86.49.91.98 dst-port 443 setup via rl0
09200 0 0 allow tcp from 80.188.157.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09300 0 0 allow tcp from 89.102.9.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09400 0 0 allow tcp from 89.102.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0

This should all be:

allow tcp from table(1) to 86.49.91.98 dst-port 443 setup

and it would appear only in the rules to do with incoming packets to rl0 (i.e. in the rules starting with 1000). You would populate the table with:

ipfw table 1 add 85.70.0.0/16
ipfw table 1 add 85.71.0.0/16
ipfw table 1 add 84.42.232.0/21
... etc.

I can't actually read your ruleset enough without getting a headache to tell you what is failing.

Also, you talked about 10.x.x.x in your email, and about 2 interfaces, but later you talked about different addresses and 3 interfaces. Can you say what the actual setup is? (You do not have to give your actual internet IP address... though you already did. I would replace it with ${OUTSIDE} in the script that makes it.)

> thank you for your answer.
>
> ad 1. I am sending my current firewall rules and a record from tcpdump on re0. My LAN is 172.16.0.0/22 (10... it was easy, I think it does not matter). My second LAN is 192.168.1.0/24 (on this network the connection to the IMAP port 993 works). My public IP is 86.49.91.98.
> ad 2. Tcpdump on rl0 shows nothing.
> ad 3. Yes, I have gateway_enable=YES in /etc/rc.conf.
> ad 4. I think yes...
>
> PS: The firewall is not my work, I inherited it.
> Thank you very much
> Petr Chocholac
>
> On 24.8.2015 at 15:39 Allan Jude wrote:
>> On 2015-08-24 09:05, Petr Chocholáč wrote:
>>> Hello,
>>> I would like to ask you for advice. I cannot connect to imap.gmail.com on port 993 from my local network. My LAN is behind a FreeBSD server with IPFW. The server has two network cards: rl0=Internet and re0=LAN (10.0.0.0/16). Tcpdump on re0 shows three SYN packets without answers.
>>> What rules should I create? I tried something like this, without success:
>>> #ipfw add 01500 allow ip from 10.0.0.0/16 to any in via re0
>>> Thank you very much for any advice and your patience
>>> Petr Chocholáč
>>> Brno, Czech Republic
>>
>> We would need to see all of your current firewall rules (ipfw show)
>>
>> You'll want to tcpdump on rl0, to see if the packet is being forwarded.
>>
>> Do you have the machine configured as a gateway? (gateway_enable=YES in /etc/rc.conf)
>>
>> Are you doing NAT (Network Address Translation) to remap the internal (10.0.0.0/16) addresses to your internet routable IP?
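The per-interface layout and the table replacement recommended in the reply above, worked through as an added example. This is not code from the thread and not anyone's posted ruleset; it assumes the interface names rl0 (internet) and re0 (LAN) and the LAN prefix 172.16.0.0/22 from the thread, a constructed three-entry table instead of the full HTTPS source list, and the ${OUTSIDE} placeholder the reply suggests for the public address. It goes a little beyond the reply by adding a check-state rule before the dispatch and a logging deny at the end of each block, and by default it only prints the commands (DRY_RUN=1) so the generated ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset laid out as the reply
# recommends. A check-state rule, then one skipto per interface/direction,
# and a table holding the HTTPS source networks so one rule replaces the
# long run of near-identical rules.
# Assumptions: rl0 = internet, re0 = LAN, LAN = 172.16.0.0/22 (from the
# thread); HTTPS_SOURCES is a shortened constructed sample; OUTSIDE is a
# placeholder for the public address. DRY_RUN=1 prints instead of loading.

OUTSIDE="${OUTSIDE:-203.0.113.1}"   # placeholder (TEST-NET-3), not a real address
OIF="${OIF:-rl0}"                   # internet-facing interface
LIF="${LIF:-re0}"                   # LAN interface
LAN="${LAN:-172.16.0.0/22}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of the networks allowed to reach HTTPS on OUTSIDE.
HTTPS_SOURCES="85.70.0.0/16 85.71.0.0/16 84.42.232.0/21"

# fw: run ipfw, or print the command line when DRY_RUN=1.
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

load_ruleset() {
    fw -q flush
    fw -q table 1 flush
    for net in $HTTPS_SOURCES; do
        fw -q table 1 add "$net"
    done

    # Loopback and the 127/8 anti-spoofing rules, as in the original ruleset.
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any

    # Replies to sessions opened with keep-state are matched here, before the
    # dispatch, so they are accepted on whichever interface they arrive.
    fw add 340 check-state

    # Dispatch: each interface/direction pair gets its own block of rules, so
    # a packet is only tested against the rules meant for its flow.
    fw add 350 skipto 1000 ip from any to any in recv "$OIF"
    fw add 360 skipto 2000 ip from any to any out xmit "$OIF"
    fw add 370 skipto 3000 ip from any to any in recv "$LIF"
    fw add 380 skipto 4000 ip from any to any out xmit "$LIF"
    # Any other interface (a third NIC would need its own skipto pair) is
    # logged and dropped rather than silently falling through.
    fw add 390 deny log ip from any to any

    # 1000: inbound on the internet interface. One table rule replaces the
    # per-network HTTPS rules; everything unexpected is logged and dropped.
    fw add 1000 allow tcp from "table(1)" to "$OUTSIDE" dst-port 443 setup
    fw add 1999 deny log ip from any to any

    # 2000: outbound on the internet interface. The LAN's IMAPS (993) and
    # HTTPS sessions are opened here with keep-state so rule 340 passes the
    # return packets. NAT is not configured here; if natd or ipfw nat is
    # added, rules placed after the nat/divert rule see the translated
    # source address, so position it with that in mind.
    fw add 2000 allow tcp from "$LAN" to any dst-port 993,443 setup keep-state
    fw add 2010 allow udp from "$LAN" to any dst-port 53 keep-state
    fw add 2999 deny log ip from any to any

    # 3000/4000: the LAN side. The reply suggests not filtering here unless
    # the LANs must be kept apart, so these blocks simply pass LAN traffic.
    fw add 3000 allow ip from "$LAN" to any
    fw add 3999 deny log ip from any to any
    fw add 4000 allow ip from any to "$LAN"
    fw add 4999 deny log ip from any to any
}

# count_rules: number of "ipfw add" lines a dry run would load (table
# population lines are not counted).
count_rules() {
    ( DRY_RUN=1; load_ruleset ) | grep -c '^ipfw add '
}

load_ruleset
```

Run it as-is to see the ruleset; run with DRY_RUN=0 as root on the firewall to load it. Because every rule is dispatched by interface and direction, a packet from the LAN bound for port 993 is only ever compared against the 3000 block on the way in and the 2000 block on the way out, which makes a failing flow far easier to trace with ipfw show counters than the flat list in the thread.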
Re: ipfw rules for connect port 993
On 8/24/15 9:05 PM, Petr Chocholáč wrote:
> Hello,
> I would like to ask you for advice. I cannot connect to imap.gmail.com on port 993 from my local network. My LAN is behind a FreeBSD server with IPFW. The server has two network cards: rl0=Internet and re0=LAN (10.0.0.0/16). Tcpdump on re0 shows three SYN packets without answers.
> What rules should I create? I tried something like this, without success:
> #ipfw add 01500 allow ip from 10.0.0.0/16 to any in via re0

Are you doing NAT?

Which way are the SYN packets going? On which interface did you do the tcpdump?

What does the rest of the firewall look like? Is it a standard one? What are the settings?

> Thank you very much for any advice and your patience
> Petr Chocholáč
> Brno, Czech Republic
ipfw rules for connect port 993
Hello,

I would like to ask you for advice. I cannot connect to imap.gmail.com on port 993 from my local network. My LAN is behind a FreeBSD server with IPFW. The server has two network cards: rl0=Internet and re0=LAN (10.0.0.0/16). Tcpdump on re0 shows three SYN packets without answers.

What rules should I create? I tried something like this, without success:

#ipfw add 01500 allow ip from 10.0.0.0/16 to any in via re0

Thank you very much for any advice and your patience
Petr Chocholáč
Brno, Czech Republic
Re: ipfw rules for connect port 993
On 2015-08-24 09:05, Petr Chocholáč wrote:
> Hello,
> I would like to ask you for advice. I cannot connect to imap.gmail.com on port 993 from my local network. My LAN is behind a FreeBSD server with IPFW. The server has two network cards: rl0=Internet and re0=LAN (10.0.0.0/16). Tcpdump on re0 shows three SYN packets without answers.
> What rules should I create? I tried something like this, without success:
> #ipfw add 01500 allow ip from 10.0.0.0/16 to any in via re0
> Thank you very much for any advice and your patience
> Petr Chocholáč
> Brno, Czech Republic

We would need to see all of your current firewall rules (ipfw show)

You'll want to tcpdump on rl0, to see if the packet is being forwarded.

Do you have the machine configured as a gateway? (gateway_enable=YES in /etc/rc.conf)

Are you doing NAT (Network Address Translation) to remap the internal (10.0.0.0/16) addresses to your internet routable IP?

-- 
Allan Jude