RE: ipfw - denying all - what port for OE
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Banning
Sent: Wednesday 13 October 2004 7:04
To: [EMAIL PROTECTED]; Luke Kearney; [EMAIL PROTECTED]
Subject: Re: ipfw - denying all - what port for OE

My server is my desktop. My ipfw rules follow. Whenever I take out line 12000 it runs fine. When I put it back in I can't run OE.

01000 allow tcp from any to any 10060
01040 allow tcp from any to any 22
10100 allow tcp from any to any 80
10200 allow tcp from any to any 10080
10300 allow tcp from any to any 3128
10400 allow tcp from any to any 8180
10600 allow tcp from any to any 8025
10700 allow tcp from any to any 110
10800 allow tcp from any to any 25
10810 allow tcp from any to any 109
10820 allow tcp from any to any 106
11001 allow tcp from any to any 389
11002 allow tcp from any to any 636
11003 allow tcp from any to any 379
11004 allow tcp from any to any 390
11005 allow tcp from any to any 3268
11006 allow tcp from any to any 3269
11007 allow tcp from any to any 143
11008 allow tcp from any to any 993
11009 allow tcp from any to any 995
11010 allow tcp from any to any 119
11011 allow tcp from any to any 563
11012 allow tcp from any to any 443
11013 allow tcp from any to any 465
11015 allow tcp from any to any 625
11016 allow tcp from any to any 135
11017 allow tcp from any to any 935
12000 deny tcp from 209.188.66.29 to any
--

You may wanna try something like:

10700 allow tcp from any to any 110 out keep-state

Mark.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: ipfw - denying all - what port for OE
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of David Banning
Sent: Wed 10/13/2004 7:04
To: [EMAIL PROTECTED]; Luke Kearney; [EMAIL PROTECTED]
Subject: Re: ipfw - denying all - what port for OE

My server is my desktop. My ipfw rules follow. Whenever I take out line 12000 it runs fine. When I put it back in I can't run OE.

01000 allow tcp from any to any 10060
01040 allow tcp from any to any 22
10100 allow tcp from any to any 80
10200 allow tcp from any to any 10080
10300 allow tcp from any to any 3128
10400 allow tcp from any to any 8180
10600 allow tcp from any to any 8025
10700 allow tcp from any to any 110
10800 allow tcp from any to any 25
10810 allow tcp from any to any 109
10820 allow tcp from any to any 106
11001 allow tcp from any to any 389
11002 allow tcp from any to any 636
11003 allow tcp from any to any 379
11004 allow tcp from any to any 390
11005 allow tcp from any to any 3268
11006 allow tcp from any to any 3269
11007 allow tcp from any to any 143
11008 allow tcp from any to any 993
11009 allow tcp from any to any 995
11010 allow tcp from any to any 119
11011 allow tcp from any to any 563
11012 allow tcp from any to any 443
11013 allow tcp from any to any 465
11015 allow tcp from any to any 625
11016 allow tcp from any to any 135
11017 allow tcp from any to any 935
12000 deny tcp from 209.188.66.29 to any
--

What if you try the following:

10700 allow tcp from any to any 110 keep-state

Mark.
Re: ipfw - denying all - what port for OE
--- David Banning <[EMAIL PROTECTED]> wrote:

> My server is my desktop. My ipfw rules follow. Whenever I take
> out line 12000 it runs fine. When I put it back in I can't run
> OE.
>
> 01000 allow tcp from any to any 10060
> 01040 allow tcp from any to any 22
> 10100 allow tcp from any to any 80
> 10200 allow tcp from any to any 10080
> 10300 allow tcp from any to any 3128
> 10400 allow tcp from any to any 8180
> 10600 allow tcp from any to any 8025
> 10700 allow tcp from any to any 110
> 10800 allow tcp from any to any 25
> 10810 allow tcp from any to any 109
> 10820 allow tcp from any to any 106
> 11001 allow tcp from any to any 389
> 11002 allow tcp from any to any 636
> 11003 allow tcp from any to any 379
> 11004 allow tcp from any to any 390
> 11005 allow tcp from any to any 3268
> 11006 allow tcp from any to any 3269
> 11007 allow tcp from any to any 143
> 11008 allow tcp from any to any 993
> 11009 allow tcp from any to any 995
> 11010 allow tcp from any to any 119
> 11011 allow tcp from any to any 563
> 11012 allow tcp from any to any 443
> 11013 allow tcp from any to any 465
> 11015 allow tcp from any to any 625
> 11016 allow tcp from any to any 135
> 11017 allow tcp from any to any 935
> 12000 deny tcp from 209.188.66.29 to any

I may be assuming a lot here with the info you have given, but correct me if I'm wrong: I'm assuming 209.188.66.29 is your machine and it has the services running, and your ipfw setup in your kernel has IPFIREWALL_DEFAULT_TO_ACCEPT.

With that setup, OE will work without rule 12000 because the client-to-server packets match rule 10700 and server-to-client will match the last rule (65535 in #ipfw show). With rule 12000 inserted, client-to-server packets match rule 10700 but server-to-client get blocked by 12000.
You may try adding:

01050 allow tcp from any to any established

and add "setup" to the end of the rest of the "allow" rules. Example:

01000 allow tcp from any to me 10060 setup

Or try rewriting your rules to use dynamic rules. Example:

01050 check-state
01000 allow tcp from any to me 10060 setup keep-state
01040 allow tcp from any to me 22 setup keep-state
10100 allow tcp from any to me 80 setup keep-state
10200 allow tcp from any to me 10080 setup keep-state
.
(last rule) 5 deny ip from any to any

Now, if your setup doesn't match what I outlined above, please send your output of (as root) #ipfw show. With this output we can better help you adjust your ruleset. You may want to also include your /etc/rc.conf file and what firewall options you have in your kernel config.
Re: ipfw - denying all - what port for OE
In the immortal words of David Banning <[EMAIL PROTECTED]>...

> My server is my desktop. My ipfw rules follow. Whenever I take
> out line 12000 it runs fine. When I put it back in I can't run
> OE.

You might want to try something like:

ipfw add allow ip from any to me 25    # SMTP
ipfw add allow ip from any to me 53    # DNS (port 53; the original post had 52)
ipfw add allow ip from any to me 67    # DHCP
ipfw add allow ip from any to me 80    # HTTP
ipfw add allow ip from any to me 110   # POP3
ipfw add allow ip from any to me 143   # IMAP
ipfw add allow ip from any to me 443   # HTTPS

and so forth. Note the "from any to me" rather than "from any to any".

Hope this helps

Cheers
Tim
--
Tim Aslat <[EMAIL PROTECTED]>
Spyderweb Consulting
http://www.spyderweb.com.au
Phone: +61 0401088479
Re: ipfw - denying all - what port for OE
My server is my desktop. My ipfw rules follow. Whenever I take out line 12000 it runs fine. When I put it back in I can't run OE.

01000 allow tcp from any to any 10060
01040 allow tcp from any to any 22
10100 allow tcp from any to any 80
10200 allow tcp from any to any 10080
10300 allow tcp from any to any 3128
10400 allow tcp from any to any 8180
10600 allow tcp from any to any 8025
10700 allow tcp from any to any 110
10800 allow tcp from any to any 25
10810 allow tcp from any to any 109
10820 allow tcp from any to any 106
11001 allow tcp from any to any 389
11002 allow tcp from any to any 636
11003 allow tcp from any to any 379
11004 allow tcp from any to any 390
11005 allow tcp from any to any 3268
11006 allow tcp from any to any 3269
11007 allow tcp from any to any 143
11008 allow tcp from any to any 993
11009 allow tcp from any to any 995
11010 allow tcp from any to any 119
11011 allow tcp from any to any 563
11012 allow tcp from any to any 443
11013 allow tcp from any to any 465
11015 allow tcp from any to any 625
11016 allow tcp from any to any 135
11017 allow tcp from any to any 935
12000 deny tcp from 209.188.66.29 to any
--
Re: ipfw - denying all - what port for OE
--- David Banning <[EMAIL PROTECTED]> wrote:

> I am attempting to block everything except ports 80, 110, 25 and a
> few others, but I can't seem to get Outlook Express mail clients
> to collect mail on the network. Does anyone happen to know what
> ports they use? I have tried 110, 25, 443 and about 20 others.
>
> I tried using tcpdump to track the activity when I have all ports
> open and use OE, but it seems to use a different port each time:
> ports like 2843 and other non-allocated port numbers.

The client (OE) will use a non-privileged port to connect to the POP3 (I assume this is what you want) server port 110.

To be clearer, are you attempting to block everything except 80, 110, 25, and a few others _in_ or _out_? If you are allowing the client to connect, let's say out, to the pop server, are you allowing the return traffic?

Example (arrows for traffic flow):

Client request:  client(2843) -> ipfw allow -> pop3(110)
Server reply:    client(2843) <- ipfw established <- pop3(110)

Simple rule example:

allow tcp from any to me established
allow tcp from me to (server) 110 setup
deny ip from any to any

This is similar to the example in the ipfw man page.

Simple rule using dynamic rules:

check-state
allow tcp from me to (server) 110 setup keep-state
deny ip from any to any

When "me" makes a setup connection to the pop server it creates a dynamic rule for return traffic. After looking at the man page again, this rule is like the example except I didn't use the "established" rule. Read through the examples in the man page and look at key words like "established, keep-state, setup, check-state".
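The replies in this thread explain in prose why rule 12000 kills the POP3 session (the server's SYN/ACK back to the client never reaches the default-accept rule) and how either an `established` rule or `check-state`/`keep-state` restores the return path. The simulator below is an added example, not code from the thread or from FreeBSD: it models first-match evaluation for the small subset of ipfw(8) the discussion uses (protocol, `any`/`me`/literal addresses, destination port, `setup`, `established`, `check-state`/`keep-state`) and runs the thread's three rulesets against one POP3 exchange plus one unsolicited ACK. All addresses are constructed: 209.188.66.29 is taken to be the box running ipfw (the thread's own guess), 192.0.2.10 a mail client on the LAN, 198.51.100.7 an outside host.

```python
# Added example (not from the thread or from FreeBSD): a first-match simulator
# for the subset of ipfw(8) the discussion uses. Constructed addresses:
# 209.188.66.29 is assumed to be the ipfw box, 192.0.2.10 a LAN mail client,
# 198.51.100.7 an outside host sending crafted packets.
from dataclasses import dataclass
from typing import Optional

ME = {"209.188.66.29"}  # what the ipfw keyword "me" expands to (assumed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # SYN set, ACK clear: what ipfw "setup" matches
    ack: bool = False  # ACK (or RST) set: what ipfw "established" matches


@dataclass(frozen=True)
class Rule:
    num: int
    action: str        # "allow", "deny" or "check-state"
    proto: str = "ip"  # "ip" matches any protocol
    src: str = "any"   # "any", "me" or a literal address
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False
    established: bool = False
    keep_state: bool = False


def _addr_match(spec, addr):
    return spec == "any" or (spec == "me" and addr in ME) or spec == addr


def _static_match(r, p):
    return ((r.proto == "ip" or r.proto == p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport)
            and (not r.setup or (p.syn and not p.ack))
            and (not r.established or p.ack))


class Firewall:
    def __init__(self, rules, default="allow"):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.default = default  # rule 65535: "allow" under IPFIREWALL_DEFAULT_TO_ACCEPT
        self.dynamic = {}       # flow key -> action, created by keep-state rules

    @staticmethod
    def _flow(p):
        # direction-independent key, so the reply matches the state the request created
        return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))

    def evaluate(self, p):
        """Return (rule number, action) of the first matching rule."""
        for r in self.rules:
            if r.action == "check-state" or r.keep_state:  # consult dynamic state first
                act = self.dynamic.get(self._flow(p))
                if act is not None:
                    return (r.num, act)
                if r.action == "check-state":
                    continue
            if _static_match(r, p):
                if r.keep_state:
                    self.dynamic[self._flow(p)] = r.action
                return (r.num, r.action)
        return (65535, self.default)


# The two rules from the thread that decide POP3 traffic (default-to-accept kernel).
THREAD_RULES = [Rule(10700, "allow", "tcp", dport=110),
                Rule(12000, "deny", "tcp", src="209.188.66.29")]
# Stateless fix from the thread: "established" passes any TCP packet with ACK or RST set.
STATELESS_FIX = [Rule(1050, "allow", "tcp", established=True),
                 Rule(10700, "allow", "tcp", dst="me", dport=110, setup=True),
                 Rule(65000, "deny")]
# Stateful fix from the thread: return traffic passes only if a permitted SYN created state.
STATEFUL_FIX = [Rule(1050, "check-state"),
                Rule(10700, "allow", "tcp", dst="me", dport=110, setup=True, keep_state=True),
                Rule(65000, "deny")]


def pop3_exchange(fw):
    """Client SYN to port 110, then the server's SYN/ACK back to the client."""
    req = Packet("tcp", "192.0.2.10", 2843, "209.188.66.29", 110, syn=True)
    rep = Packet("tcp", "209.188.66.29", 110, "192.0.2.10", 2843, ack=True)
    return fw.evaluate(req)[1], fw.evaluate(rep)[1]


def unsolicited_ack(fw):
    """An ACK to port 22 with no prior SYN, as an ACK scan or a crafted probe sends."""
    return fw.evaluate(Packet("tcp", "198.51.100.7", 40000, "209.188.66.29", 22, ack=True))[1]


if __name__ == "__main__":
    print("thread ruleset:", pop3_exchange(Firewall(THREAD_RULES, "allow")))
    for name, rules in (("established", STATELESS_FIX), ("keep-state", STATEFUL_FIX)):
        print(name, ":", pop3_exchange(Firewall(rules, "deny")), unsolicited_ack(Firewall(rules, "deny")))
```

Running it reproduces the symptom: with the thread's ruleset the client's SYN is allowed by 10700 but the reply is denied by 12000, because a deny whose source is the box's own address blocks every TCP packet the box originates, not only unwanted ones. Both fixes let the reply through, but the `unsolicited_ack` check shows the caveat a practitioner should weigh: `established` admits any TCP segment carrying ACK or RST from anywhere to any port, so an ACK scan or a crafted packet sails past it, whereas the `check-state`/`keep-state` form admits only packets belonging to a flow that began with a permitted `setup` packet.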