Re: IPFW ruleset not working... advice? WAS Re: Running processes...
On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
> Hello all,
>
> I've got the following ruleset, but I can't ssh into my server anymore.
> What did I miss?

You missed allowing IP packets going from your server to the outside.
You only allow packets from the outside to you.

I also think you might have misplaced the port numbers. As it is you
allow connections *from* port 25 (etc.) on the outside to any port on
your machine. I believe you want it the other way around (i.e. allowing
connections *to* port 25 on your machine from anywhere on the outside.)

> grog# ipfw show
> 00100      0       0 allow ip from any to any via lo0
> 00200      0       0 deny ip from any to 127.0.0.0/8
> 00300      0       0 deny ip from 127.0.0.0/8 to any
> 00400      7    1562 allow ip from 1.2.3.4/29 to me
> 00500      0       0 allow ip from any 22 to me
> 00600      0       0 allow ip from any 21 to me
> 00700      0       0 allow ip from any 25 to me
> 00800      0       0 allow ip from any 80 to me
> 00900      0       0 allow ip from any 443 to me
> 01000      0       0 allow ip from any 110 to me
> 01100      0       0 allow ip from any 53 to me
> 01200      0       0 allow ip from any 6667 to me
> 01300      0       0 allow ip from any 6668 to me
> 01400      0       0 deny ip from not 1.2.3.4/29 8080 to me
> 65535    101   13960 deny ip from any to any
>
> Thanks.
>
> --
> Eric F Crist
> AdTech Integrated Systems, Inc
> (612) 998-3588

--
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW ruleset not working... advice? WAS Re: Running processes...
On Saturday 14 February 2004 12:58 pm, Erik Trulsson wrote:
> On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
> > Hello all,
> >
> > I've got the following ruleset, but I can't ssh into my server anymore.
> > What did I miss?
>
> You missed allowing IP packets going from your server to the outside.
> You only allow packets from the outside to you.
>
> I also think you might have misplaced the port numbers. As it is you
> allow connections *from* port 25 (etc.) on the outside to any port on
> your machine. I believe you want it the other way around (i.e. allowing
> connections *to* port 25 on your machine from anywhere on the outside.)
>
> > grog# ipfw show
> > 00100      0       0 allow ip from any to any via lo0
> > 00200      0       0 deny ip from any to 127.0.0.0/8
> > 00300      0       0 deny ip from 127.0.0.0/8 to any
> > 00400      7    1562 allow ip from 1.2.3.4/29 to me
> > 00500      0       0 allow ip from any 22 to me
> > 00600      0       0 allow ip from any 21 to me
> > 00700      0       0 allow ip from any 25 to me
> > 00800      0       0 allow ip from any 80 to me
> > 00900      0       0 allow ip from any 443 to me
> > 01000      0       0 allow ip from any 110 to me
> > 01100      0       0 allow ip from any 53 to me
> > 01200      0       0 allow ip from any 6667 to me
> > 01300      0       0 allow ip from any 6668 to me
> > 01400      0       0 deny ip from not 1.2.3.4/29 8080 to me
> > 65535    101   13960 deny ip from any to any
> >
> > Thanks.
> >
> > --
> > Eric F Crist
> > AdTech Integrated Systems, Inc
> > (612) 998-3588

Hey, thanks!

I changed all the rules so they read:

allow ip from any to me port

and added the rule:

allow ip from me to any

at rule 50.

All seems to work now! Does anyone have any suggestions on how to make
this system even tighter?

Thanks.

--
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
Re: IPFW ruleset not working... advice? WAS Re: Running processes...
On Sat, Feb 14, 2004 at 01:15:07PM -0600, Eric F Crist wrote:
> Hey, thanks!
>
> I changed all the rules so they read:
>
> allow ip from any to me port
>
> and added the rule:
>
> allow ip from me to any
>
> at rule 50.
>
> All seems to work now! Does anyone have any suggestions on how to make
> this system even tighter?
>
> Thanks.

Yes. Use the stateful rules feature. Instead of opening up outgoing
packets to everywhere, the keep-state rules dynamically open up a point
to point connection that remains open while traffic is flowing between
the two systems, and times out after traffic stops or the connection is
closed.

A very minimal partial ruleset to allow incoming SSH, HTTP, HTTPS, SMTP
and outgoing DNS lookups would look like:

00100 check-state
00200 deny log tcp from any to any established
00300 allow tcp from any to me 22,25,80,443 keep-state in recv fxp0
00400 allow udp from me to any 53 out xmit fxp0
00500 deny log ip from any to any

[The 'in recv fxp0' and 'out xmit fxp0' stuff is optional: all it does
is filter packets according to what interface they are traversing and in
what direction. Remember to substitute the correct device name for your
network interface.]

Although at first sight, this would appear to block all tcp traffic
except for the first 'SYN' packet, and not permit any incoming UDP
traffic at all, the 'keep-state' flag in rules 00300 and 00400 generates
dynamic rules that permit packets to flow in response to the packet that
triggered them. Those rules are effectively inserted into the ruleset at
the 'check-state' line (or at the first occurring 'limit' or 'keep-state'
line). Use 'ipfw -d list' to show all active dynamic rules.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
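As an added example that is not part of the thread (and not Matthew's or FreeBSD's own code), the stateful ruleset from the reply above can be wrapped in a small loader script in the style of /etc/rc.firewall, combined with the loopback and anti-spoof rules from the first ruleset in the thread. The script defaults to a dry run (it prints the ipfw commands instead of loading them) and checks the ordering property the reply describes: check-state, and the "deny ... established" guard, must sit before the first keep-state rule, otherwise the dynamic rules are only consulted from that keep-state line onwards. Assumptions not taken from the thread: the outside interface is fxp0, the rule numbers are ours, the explicit final deny sits at 65000, and the outgoing DNS rule carries keep-state so that the replies are admitted by a dynamic rule (the reply's text refers to keep-state on its rule 00400, but the rule as printed lacks the keyword).

```shell
#!/bin/sh
# Added example, not code from the thread: a dry-run IPFW loader in the
# style of FreeBSD's /etc/rc.firewall, built from the stateful rules in
# Matthew's reply plus the loopback/anti-spoof rules from Eric's first
# ruleset.
# Assumptions (not from the thread): outside interface fxp0, our own
# rule numbers, final deny at 65000, and keep-state on the UDP DNS rule
# so that replies are admitted dynamically.
# With no FWCMD set it only prints the commands; run FWCMD=ipfw as root
# (ideally from the console, since a bad ruleset locks out ssh) to load.

IFACE="${IFACE:-fxp0}"
FWCMD="${FWCMD:-echo ipfw}"   # dry run by default

# Emit the ruleset, one "number rule" per line, for the given interface.
ruleset_lines() {
    iface="$1"
    cat <<EOF
100 allow ip from any to any via lo0
200 deny ip from any to 127.0.0.0/8
300 deny ip from 127.0.0.0/8 to any
400 check-state
500 deny log tcp from any to any established
600 allow tcp from any to me 22,25,80,443 keep-state in recv $iface
700 allow udp from me to any 53 keep-state out xmit $iface
65000 deny log ip from any to any
EOF
}

# Return 0 if the ordering invariants of a stateful ruleset hold:
#  - check-state precedes the first keep-state rule, so dynamic rules
#    are consulted before any static allow;
#  - the "deny ... established" guard precedes the first keep-state
#    rule, so a non-SYN packet with no dynamic entry is dropped rather
#    than reaching a later allow;
#  - the ruleset ends in an explicit deny.
check_ruleset() {
    rules="$(ruleset_lines "$1")"
    cs=$(printf '%s\n' "$rules" | awk '/check-state/ { print $1; exit }')
    est=$(printf '%s\n' "$rules" | awk '/established/ { print $1; exit }')
    ks=$(printf '%s\n' "$rules" | awk '/keep-state/ { print $1; exit }')
    last=$(printf '%s\n' "$rules" | awk 'END { print $2 }')
    [ -n "$cs" ] && [ -n "$est" ] && [ -n "$ks" ] || return 1
    [ "$cs" -lt "$ks" ] || return 1
    [ "$est" -lt "$ks" ] || return 1
    [ "$last" = "deny" ] || return 1
    return 0
}

# Flush the old ruleset and add the new rules one by one.
# With the default FWCMD this only prints "ipfw add ..." lines.
load_ruleset() {
    $FWCMD -q flush
    ruleset_lines "$IFACE" | while read -r num rule; do
        $FWCMD add "$num" $rule
    done
}

if check_ruleset "$IFACE"; then
    load_ruleset
else
    echo "ruleset ordering check failed; not loading" >&2
    exit 1
fi
```

After loading for real, 'ipfw -d list' (as the reply says) shows the dynamic entries created by the keep-state rules; a dynamic entry matches on addresses and ports in both directions, so the 'in recv' and 'out xmit' qualifiers on the static rules do not stop the return packets. The 'deny log' rules only log once logging is enabled (net.inet.ip.fw.verbose=1, or firewall_logging="YES" in rc.conf).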