Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 08:14 pm, Eric F Crist wrote:
> Well, from what I understand, isn't udp a state-less protocol?  How would
> established/keepstate/check-state work with that?

Ok, so I read that check-state/keep-state should be able to work with udp.  
According to the man page, I should add:

ipfw add check-state
ipfw add allow udp from my-subnet to any keep-state
ipfw add deny udp from any to any

my-subnet was changed to my /29 network address (i.e. 1.2.3.4/29).  Still, the 
rule following all of these is ipfw add allow udp from any to any and it's 
getting all the packets.  I'm still reading, but the check-state isn't making 
sense to me.

TIA
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 08:09 pm, Erik Trulsson wrote:
> On Sat, Feb 14, 2004 at 08:01:07PM -0600, Eric F Crist wrote:
> > My bad, I found the log entry after your prodding.  After enabling
> > logging in the ruleset and enabling the sysctl variable, I get the
> > following output in a tail /var/log/security:
> >
> > Feb 14 19:59:44 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51598 255.255.255.255:61112 in via dc0
> > Feb 14 19:59:45 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
> > Feb 14 19:59:46 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
> > Feb 14 19:59:50 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51599 255.255.255.255:61112 in via dc0
> > Feb 14 19:59:55 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
> > Feb 14 19:59:56 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51600 255.255.255.255:61112 in via dc0
> > Feb 14 19:59:59 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
> > Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
> > Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51601 255.255.255.255:61112 in via dc0
> > Feb 14 20:00:03 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
> >
> > I would assume I need to enable a rule such as:
> >
> > ipfw add allow udp from any to me 53
> >
> > Is this correct?  TIA
>
> I don't think so.
> The entries of the form 'Deny UDP 204.147.80.1:53 63.228.14.241:49152
> in via dc0' would appear to be replies to your DNS queries.
> They go to the port from which the DNS query was sent (49152 in this
> case).
>
> You need to make sure that you allow replies to connections you
> initiate to get through.
>
> Take a look at the check-state/established/keepstate stuff people have
> repeatedly told you to use. They are probably what you want.

Well, from what I understand, isn't udp a state-less protocol?  How would 
established/keepstate/check-state work with that?



-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Erik Trulsson
On Sat, Feb 14, 2004 at 08:01:07PM -0600, Eric F Crist wrote:
> My bad, I found the log entry after your prodding.  After enabling logging in 
> the ruleset and enabling the sysctl variable, I get the following output in a 
> tail /var/log/security:
> 
> Feb 14 19:59:44 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51598 255.255.255.255:61112 in via dc0
> Feb 14 19:59:45 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
> Feb 14 19:59:46 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
> Feb 14 19:59:50 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51599 255.255.255.255:61112 in via dc0
> Feb 14 19:59:55 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
> Feb 14 19:59:56 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51600 255.255.255.255:61112 in via dc0
> Feb 14 19:59:59 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
> Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
> Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51601 255.255.255.255:61112 in via dc0
> Feb 14 20:00:03 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
> 
> I would assume I need to enable a rule such as:
> 
> ipfw add allow udp from any to me 53
> 
> Is this correct?  TIA


I don't think so.
The entries of the form 'Deny UDP 204.147.80.1:53 63.228.14.241:49152
in via dc0' would appear to be replies to your DNS queries.
They go to the port from which the DNS query was sent (49152 in this
case).

You need to make sure that you allow replies to connections you
initiate to get through.

Take a look at the check-state/established/keepstate stuff people have
repeatedly told you to use. They are probably what you want.



-- 

Erik Trulsson
[EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
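Erik's reading of the log above can be mechanised. The following Python script is an added example, not something posted in the thread: it parses ipfw(8) log lines of the TCP/UDP shape quoted above and sorts denied inbound packets into broadcast noise, probable replies to traffic this host sent (a privileged service source port to one of our ephemeral ports), and unsolicited inbound traffic. The sample log is constructed from the lines Eric posted plus one hypothetical TCP probe to port 1433; the host address 63.228.14.241 is taken from the thread. The "reply" class is a hint for reading the log, not a reason to write an allow rule: a remote host chooses its source port freely, which is exactly why the fix Erik points at is keep-state rather than trusting the remote port number.

```python
"""Triage ipfw(8) 'Deny ... in via' log lines: replies vs. noise vs. probes."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample: four lines patterned on the /var/log/security output in
# the thread, plus one hypothetical unsolicited TCP probe for contrast.
SAMPLE_LOG = """\
Feb 14 19:59:44 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51598 255.255.255.255:61112 in via dc0
Feb 14 19:59:45 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
Feb 14 19:59:46 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
Feb 14 20:00:03 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
Feb 14 20:00:10 grog kernel: ipfw: 65534 Deny TCP 10.9.8.7:4444 63.228.14.241:1433 in via dc0
"""

# The TCP/UDP shape of the log line.  ICMP lines carry no ports and make
# parse_line() return None, which summarize() then skips.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

@dataclass(frozen=True)
class Entry:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str

def parse_line(line: str) -> Optional[Entry]:
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return Entry(int(g["rule"]), g["action"], g["proto"], g["src"], int(g["sport"]),
                 g["dst"], int(g["dport"]), g["direction"], g["iface"])

def classify(e: Entry, my_addrs: Iterable[str]) -> str:
    """Heuristic triage of one denied inbound packet.

    'reply-to-our-query' means: addressed to us, from a privileged service
    port, to one of our ephemeral ports -- the shape of a response to
    something this host sent.  It is a hint for reading the log, not a
    reason to add an allow rule: a remote host picks its source port freely.
    """
    dst = ipaddress.ip_address(e.dst)
    if dst == ipaddress.ip_address("255.255.255.255") or dst.is_multicast:
        return "broadcast-noise"
    if e.dst not in my_addrs:
        return "not-for-us"
    if e.sport < 1024 and e.dport >= 1024:
        return "reply-to-our-query"
    return "unsolicited-inbound"

def summarize(log_text: str, my_addrs: Iterable[str]) -> Dict[str, int]:
    """Count denied inbound packets per class; non-TCP/UDP lines are ignored."""
    addrs = set(my_addrs)
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.action != "Deny" or e.direction != "in":
            continue
        counts[classify(e, addrs)] += 1
    return dict(counts)

if __name__ == "__main__":
    for kind, n in sorted(summarize(SAMPLE_LOG, {"63.228.14.241"}).items()):
        print(f"{kind:22s} {n}")
```

Run against the constructed sample it reports one broadcast, three probable DNS replies and one unsolicited probe; feed it `tail /var/log/security` output after enabling `net.inet.ip.fw.verbose` and the same three buckets tell you whether the default deny is eating your own replies or real noise.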


Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
My bad, I found the log entry after your prodding.  After enabling logging in 
the ruleset and enabling the sysctl variable, I get the following output in a 
tail /var/log/security:

Feb 14 19:59:44 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51598 255.255.255.255:61112 in via dc0
Feb 14 19:59:45 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
Feb 14 19:59:46 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
Feb 14 19:59:50 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51599 255.255.255.255:61112 in via dc0
Feb 14 19:59:55 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
Feb 14 19:59:56 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51600 255.255.255.255:61112 in via dc0
Feb 14 19:59:59 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51601 255.255.255.255:61112 in via dc0
Feb 14 20:00:03 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0

I would assume I need to enable a rule such as:

ipfw add allow udp from any to me 53

Is this correct?  TIA

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Erik Trulsson
On Sat, Feb 14, 2004 at 07:42:28PM -0600, Eric F Crist wrote:
> On Saturday 14 February 2004 06:59 pm, Jez Hancock wrote:
> > On Sat, Feb 14, 2004 at 05:59:14PM -0600, Eric F Crist wrote:
> > > On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
> > > > I'm still having some sort of issues with ipfw rules on my server.  I've got a
> > > > cgi based irc client installed, and I can't connect.  Also, it seems as if my
> > > > DNS server isn't able to send queries out.  An ipfw show displays the
> > > > following for me:
> > > >
> > > > 00050 54632 4640473 allow ip from me to any
> > > > 00100 0   0 allow ip from any to any via lo0
> > > > 00200 0   0 deny ip from any to 127.0.0.0/8
> > > > 00300 0   0 deny ip from 127.0.0.0/8 to any
> > > > 00400  4027  351563 allow ip from 63.228.14.240/29 to me
> > > > 00500 2  80 allow ip from any to me dst-port 22
> > > > 00600 2  80 allow ip from any to me dst-port 21
> > > > 00700   388   25405 allow ip from any to me dst-port 25
> > > > 00800584944 allow ip from any to me dst-port 80
> > > > 00900 2  80 allow ip from any to me dst-port 443
> > > > 01000 2  80 allow ip from any to me dst-port 110
> > > > 01100544247 allow ip from any to me dst-port 53
> > > > 01200 2  80 allow ip from any to me dst-port 6667
> > > > 01300 2  80 allow ip from any to me dst-port 6668
> > > > 01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080
> > >
> > > > 65535 46432 7224466 deny ip from any to any
> > > >
> > > > Where is all that denied traffic coming from on the final rule?
> > >
> > > You are only allowing traffic in and not out - as Matthew Seaman
> > > mentioned in the last post in your previous thread, you should use
> > > 'keep-state' to keep track of the connections made to you.  See the
> > > examples he provided in that thread.
> > >
> > > From the manpage for ipfw:
> > >
> > >  check-state
> > >      Checks the packet against the dynamic ruleset.  If a match is
> > >      found, execute the action associated with the rule which
> > >      generated this dynamic rule, otherwise move to the next rule.
> > >      Check-state rules do not have a body.  If no check-state rule is
> > >      found, the dynamic ruleset is checked at the first keep-state or
> > >      limit rule.
> > >
> > > ...
> > >
> > >  keep-state
> > >      Upon a match, the firewall will create a dynamic rule, whose
> > >      default behaviour is to match bidirectional traffic between
> > >      source and destination IP/port using the same protocol.  The rule
> > >      has a limited lifetime (controlled by a set of sysctl(8)
> > >      variables), and the lifetime is refreshed every time a matching
> > >      packet is found.
> > >
> > > When a connection is made to port 80 from an external host, with the
> > > 'keep-state' flag set on your rule for port 80 data transfer will be
> > > allowed in both directions to/from the external host to/from you on port
> > > 80 for a limited period.  The check-state rule effectively 'shortcuts'
> > > the rest of the rules in the ruleset if a match is made for the external
> > > host for the given action (inbound connections to port 80 in this case).
> > >
> > > You'd need to do the same for each of the other ports you want to allow
> > > free connections to/from.
> > >
> > > Wouldn't my first rule:
> > >
> > > ipfw allow ip from me to any
> > >
> > > have fixed this problem?
> >
> > Sorry I missed that rule :(  How about adding a log keyword to that last
> > deny rule temporarily just to see what exactly is being denied?
> 
> Maybe I'm missing something somewhere, but I can't find anything about log in 
> the man page.  I tried:

Then you need to read the man page more carefully, because it is there.
Look for the section titled "RULE FORMAT".


> ipfw add 65534 add deny ip from any to any log and got this error:

Try

ipfw add 65534 deny log ip from any to any

instead, and it ought to work better.

> 
> ipfw: unrecognised option [-1] log
> 
> Thanks.
> 
> -- 
> Eric F Crist
> AdTech Integrated Systems, Inc
> (612) 998-3588



-- 

Erik Trulsson
[EMAIL PROTECTED]


Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 06:59 pm, Jez Hancock wrote:
> On Sat, Feb 14, 2004 at 05:59:14PM -0600, Eric F Crist wrote:
> > On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
> > > I'm still having some sort of issues with ipfw rules on my server.  I've got a
> > > cgi based irc client installed, and I can't connect.  Also, it seems as if my
> > > DNS server isn't able to send queries out.  An ipfw show displays the
> > > following for me:
> > >
> > > 00050 54632 4640473 allow ip from me to any
> > > 00100 0   0 allow ip from any to any via lo0
> > > 00200 0   0 deny ip from any to 127.0.0.0/8
> > > 00300 0   0 deny ip from 127.0.0.0/8 to any
> > > 00400  4027  351563 allow ip from 63.228.14.240/29 to me
> > > 00500 2  80 allow ip from any to me dst-port 22
> > > 00600 2  80 allow ip from any to me dst-port 21
> > > 00700   388   25405 allow ip from any to me dst-port 25
> > > 00800584944 allow ip from any to me dst-port 80
> > > 00900 2  80 allow ip from any to me dst-port 443
> > > 01000 2  80 allow ip from any to me dst-port 110
> > > 01100544247 allow ip from any to me dst-port 53
> > > 01200 2  80 allow ip from any to me dst-port 6667
> > > 01300 2  80 allow ip from any to me dst-port 6668
> > > 01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080
> >
> > > 65535 46432 7224466 deny ip from any to any
> > >
> > > Where is all that denied traffic coming from on the final rule?
> >
> > You are only allowing traffic in and not out - as Matthew Seaman
> > mentioned in the last post in your previous thread, you should use
> > 'keep-state' to keep track of the connections made to you.  See the
> > examples he provided in that thread.
> >
> > From the manpage for ipfw:
> >
> >  check-state
> >      Checks the packet against the dynamic ruleset.  If a match is
> >      found, execute the action associated with the rule which
> >      generated this dynamic rule, otherwise move to the next rule.
> >      Check-state rules do not have a body.  If no check-state rule is
> >      found, the dynamic ruleset is checked at the first keep-state or
> >      limit rule.
> >
> > ...
> >
> >  keep-state
> >      Upon a match, the firewall will create a dynamic rule, whose
> >      default behaviour is to match bidirectional traffic between
> >      source and destination IP/port using the same protocol.  The rule
> >      has a limited lifetime (controlled by a set of sysctl(8)
> >      variables), and the lifetime is refreshed every time a matching
> >      packet is found.
> >
> > When a connection is made to port 80 from an external host, with the
> > 'keep-state' flag set on your rule for port 80 data transfer will be
> > allowed in both directions to/from the external host to/from you on port
> > 80 for a limited period.  The check-state rule effectively 'shortcuts'
> > the rest of the rules in the ruleset if a match is made for the external
> > host for the given action (inbound connections to port 80 in this case).
> >
> > You'd need to do the same for each of the other ports you want to allow
> > free connections to/from.
> >
> > Wouldn't my first rule:
> >
> > ipfw allow ip from me to any
> >
> > have fixed this problem?
>
> Sorry I missed that rule :(  How about adding a log keyword to that last
> deny rule temporarily just to see what exactly is being denied?

Maybe I'm missing something somewhere, but I can't find anything about log in 
the man page.  I tried:

ipfw add 65534 add deny ip from any to any log and got this error:

ipfw: unrecognised option [-1] log

Thanks.

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Jez Hancock
On Sat, Feb 14, 2004 at 05:59:14PM -0600, Eric F Crist wrote:
> On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
> > I'm still having some sort of issues with ipfw rules on my server.  I've got a
> > cgi based irc client installed, and I can't connect.  Also, it seems as if my
> > DNS server isn't able to send queries out.  An ipfw show displays the
> > following for me:
> >
> > 00050 54632 4640473 allow ip from me to any
> > 00100 0   0 allow ip from any to any via lo0
> > 00200 0   0 deny ip from any to 127.0.0.0/8
> > 00300 0   0 deny ip from 127.0.0.0/8 to any
> > 00400  4027  351563 allow ip from 63.228.14.240/29 to me
> > 00500 2  80 allow ip from any to me dst-port 22
> > 00600 2  80 allow ip from any to me dst-port 21
> > 00700   388   25405 allow ip from any to me dst-port 25
> > 00800584944 allow ip from any to me dst-port 80
> > 00900 2  80 allow ip from any to me dst-port 443
> > 01000 2  80 allow ip from any to me dst-port 110
> > 01100544247 allow ip from any to me dst-port 53
> > 01200 2  80 allow ip from any to me dst-port 6667
> > 01300 2  80 allow ip from any to me dst-port 6668
> > 01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080
> > 65535 46432 7224466 deny ip from any to any
> >
> > Where is all that denied traffic coming from on the final rule?
> 
> You are only allowing traffic in and not out - as Matthew Seaman
> mentioned in the last post in your previous thread, you should use
> 'keep-state' to keep track of the connections made to you.  See the
> examples he provided in that thread.
> 
> From the manpage for ipfw:
>
>  check-state
>      Checks the packet against the dynamic ruleset.  If a match is
>      found, execute the action associated with the rule which
>      generated this dynamic rule, otherwise move to the next rule.
>      Check-state rules do not have a body.  If no check-state rule is
>      found, the dynamic ruleset is checked at the first keep-state or
>      limit rule.
>
> ...
>
>  keep-state
>      Upon a match, the firewall will create a dynamic rule, whose
>      default behaviour is to match bidirectional traffic between
>      source and destination IP/port using the same protocol.  The rule
>      has a limited lifetime (controlled by a set of sysctl(8)
>      variables), and the lifetime is refreshed every time a matching
>      packet is found.
> 
> When a connection is made to port 80 from an external host, with the
> 'keep-state' flag set on your rule for port 80 data transfer will be
> allowed in both directions to/from the external host to/from you on port
> 80 for a limited period.  The check-state rule effectively 'shortcuts'
> the rest of the rules in the ruleset if a match is made for the external
> host for the given action (inbound connections to port 80 in this case).
> 
> You'd need to do the same for each of the other ports you want to allow
> free connections to/from.
> 
> Wouldn't my first rule:
> 
> ipfw allow ip from me to any
> 
> have fixed this problem?

Sorry I missed that rule :(  How about adding a log keyword to that last
deny rule temporarily just to see what exactly is being denied?

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/ - ipfw peruser traffic logging


RE: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
-Original Message-
From: Jez Hancock [mailto:[EMAIL PROTECTED] On Behalf Of Jez Hancock
Sent: Saturday, February 14, 2004 5:36 PM
To: Eric F Crist
Cc: FreeBSD questions List
Subject: Re: continued IPFW issues... (actually a lack of ability on my
part)


On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
> I'm still having some sort of issues with ipfw rules on my server.  I've got a
> cgi based irc client installed, and I can't connect.  Also, it seems as if my
> DNS server isn't able to send queries out.  An ipfw show displays the
> following for me:
>
> 00050 54632 4640473 allow ip from me to any
> 00100 0   0 allow ip from any to any via lo0
> 00200 0   0 deny ip from any to 127.0.0.0/8
> 00300 0   0 deny ip from 127.0.0.0/8 to any
> 00400  4027  351563 allow ip from 63.228.14.240/29 to me
> 00500 2  80 allow ip from any to me dst-port 22
> 00600 2  80 allow ip from any to me dst-port 21
> 00700   388   25405 allow ip from any to me dst-port 25
> 00800584944 allow ip from any to me dst-port 80
> 00900 2  80 allow ip from any to me dst-port 443
> 01000 2  80 allow ip from any to me dst-port 110
> 01100544247 allow ip from any to me dst-port 53
> 01200 2  80 allow ip from any to me dst-port 6667
> 01300 2  80 allow ip from any to me dst-port 6668
> 01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080
> 65535 46432 7224466 deny ip from any to any
>
> Where is all that denied traffic coming from on the final rule?

You are only allowing traffic in and not out - as Matthew Seaman
mentioned in the last post in your previous thread, you should use
'keep-state' to keep track of the connections made to you.  See the
examples he provided in that thread.

From the manpage for ipfw:

 check-state
     Checks the packet against the dynamic ruleset.  If a match is
     found, execute the action associated with the rule which
     generated this dynamic rule, otherwise move to the next rule.
     Check-state rules do not have a body.  If no check-state rule is
     found, the dynamic ruleset is checked at the first keep-state or
     limit rule.

...

 keep-state
     Upon a match, the firewall will create a dynamic rule, whose
     default behaviour is to match bidirectional traffic between
     source and destination IP/port using the same protocol.  The rule
     has a limited lifetime (controlled by a set of sysctl(8)
     variables), and the lifetime is refreshed every time a matching
     packet is found.

When a connection is made to port 80 from an external host, with the
'keep-state' flag set on your rule for port 80 data transfer will be
allowed in both directions to/from the external host to/from you on port
80 for a limited period.  The check-state rule effectively 'shortcuts'
the rest of the rules in the ruleset if a match is made for the external
host for the given action (inbound connections to port 80 in this case).

You'd need to do the same for each of the other ports you want to allow
free connections to/from.

Wouldn't my first rule:

ipfw allow ip from me to any

have fixed this problem?

---
Eric F Crist
President
AdTech Integrated Systems, Inc
(612) 998-3588







Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Jez Hancock
On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
> I'm still having some sort of issues with ipfw rules on my server.  I've got a 
> cgi based irc client installed, and I can't connect.  Also, it seems as if my 
> DNS server isn't able to send queries out.  An ipfw show displays the 
> following for me:
> 
> 00050 54632 4640473 allow ip from me to any
> 00100 0   0 allow ip from any to any via lo0
> 00200 0   0 deny ip from any to 127.0.0.0/8
> 00300 0   0 deny ip from 127.0.0.0/8 to any
> 00400  4027  351563 allow ip from 63.228.14.240/29 to me
> 00500 2  80 allow ip from any to me dst-port 22
> 00600 2  80 allow ip from any to me dst-port 21
> 00700   388   25405 allow ip from any to me dst-port 25
> 00800584944 allow ip from any to me dst-port 80
> 00900 2  80 allow ip from any to me dst-port 443
> 01000 2  80 allow ip from any to me dst-port 110
> 01100544247 allow ip from any to me dst-port 53
> 01200 2  80 allow ip from any to me dst-port 6667
> 01300 2  80 allow ip from any to me dst-port 6668
> 01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080
> 65535 46432 7224466 deny ip from any to any
> 
> Where is all that denied traffic coming from on the final rule?

You are only allowing traffic in and not out - as Matthew Seaman
mentioned in the last post in your previous thread, you should use
'keep-state' to keep track of the connections made to you.  See the
examples he provided in that thread.

From the manpage for ipfw:

 check-state
     Checks the packet against the dynamic ruleset.  If a match is
     found, execute the action associated with the rule which
     generated this dynamic rule, otherwise move to the next rule.
     Check-state rules do not have a body.  If no check-state rule is
     found, the dynamic ruleset is checked at the first keep-state or
     limit rule.

...

 keep-state
     Upon a match, the firewall will create a dynamic rule, whose
     default behaviour is to match bidirectional traffic between
     source and destination IP/port using the same protocol.  The rule
     has a limited lifetime (controlled by a set of sysctl(8)
     variables), and the lifetime is refreshed every time a matching
     packet is found.

When a connection is made to port 80 from an external host, with the
'keep-state' flag set on your rule for port 80 data transfer will be
allowed in both directions to/from the external host to/from you on port
80 for a limited period.  The check-state rule effectively 'shortcuts'
the rest of the rules in the ruleset if a match is made for the external
host for the given action (inbound connections to port 80 in this case).

You'd need to do the same for each of the other ports you want to allow
free connections to/from.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
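To make the man page text Jez quotes concrete, here is a small Python model of the matching it describes. It is an added illustration, not ipfw code, and it simplifies: addresses match exactly or as 'me', only one UDP lifetime is modelled, and the 'me' address 63.228.14.241, the resolver 204.147.80.1 and the ephemeral port 49152 are taken from Eric's later log. It walks three rulesets against the DNS query and its reply: Eric's stateless rules, the same rules with check-state and keep-state added as the thread advises, and a hypothetical "allow udp from any 53 to me" shortcut. The last one is included to show why a dynamic entry created by our own outbound packet, and not the remote port number, is what should admit the reply.

```python
"""Toy model of ipfw check-state / keep-state matching (an illustration, not ipfw code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ME = {"63.228.14.241"}  # the server's own address, standing in for ipfw's 'me'

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    t: float = 0.0  # arrival time in seconds, drives dynamic-rule expiry

@dataclass
class Rule:
    action: str  # 'allow', 'deny' or 'check-state'
    proto: str = "ip"
    src: str = "any"  # 'any', 'me' or a literal address
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    keep_state: bool = False

class Firewall:
    def __init__(self, rules: List[Rule], udp_lifetime: float = 10.0):
        # ipfw reads the real lifetimes from net.inet.ip.fw.dyn_* sysctls; one
        # UDP lifetime is enough here.  dyn maps a 5-tuple to (action, expires_at).
        self.rules = rules
        self.udp_lifetime = udp_lifetime
        self.dyn: Dict[Tuple[str, str, int, str, int], Tuple[str, float]] = {}

    def _addr_ok(self, spec: str, addr: str) -> bool:
        return spec == "any" or (spec == "me" and addr in ME) or spec == addr

    def _static_match(self, r: Rule, p: Packet) -> bool:
        return (r.proto in ("ip", p.proto)
                and self._addr_ok(r.src, p.src) and self._addr_ok(r.dst, p.dst)
                and (r.sport is None or r.sport == p.sport)
                and (r.dport is None or r.dport == p.dport))

    def _dyn_lookup(self, p: Packet) -> Optional[str]:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)  # the reply hits the same entry
        for key in (fwd, rev):
            hit = self.dyn.get(key)
            if hit is None:
                continue
            action, expires_at = hit
            if p.t > expires_at:
                del self.dyn[key]  # expired: treated as if it were never there
                return None
            self.dyn[key] = (action, p.t + self.udp_lifetime)  # refreshed on every match
            return action
        return None

    def filter(self, p: Packet) -> str:
        checked = False
        for r in self.rules:
            # The dynamic table is consulted at the check-state rule or, failing
            # that, at the first keep-state rule, as ipfw(8) describes.
            if (r.action == "check-state" or r.keep_state) and not checked:
                checked = True
                action = self._dyn_lookup(p)
                if action is not None:
                    return action
            if r.action == "check-state" or not self._static_match(r, p):
                continue
            if r.keep_state:  # record the flow so the reverse direction matches later
                self.dyn[(p.proto, p.src, p.sport, p.dst, p.dport)] = (r.action, p.t + self.udp_lifetime)
            return r.action
        return "deny"  # rule 65535: deny ip from any to any

# Eric's posted ruleset, cut down to the rules a DNS lookup touches.
STATELESS = [Rule("allow", src="me"), Rule("allow", dst="me", dport=53)]
# The same rules with the thread's advice applied.
STATEFUL = [Rule("check-state"), Rule("allow", src="me", keep_state=True),
            Rule("allow", dst="me", dport=53)]
# Hypothetical shortcut: trust anything that claims to come from port 53.
SRCPORT_HOLE = STATELESS + [Rule("allow", proto="udp", sport=53, dst="me")]

def dns_exchange(rules: List[Rule], delay: float = 1.0) -> Tuple[str, str]:
    """Our query to 204.147.80.1:53, then its reply `delay` seconds later."""
    fw = Firewall(rules)
    query = Packet("udp", "63.228.14.241", 49152, "204.147.80.1", 53, t=0.0)
    reply = Packet("udp", "204.147.80.1", 53, "63.228.14.241", 49152, t=delay)
    return fw.filter(query), fw.filter(reply)

def forged_reply(rules: List[Rule]) -> str:
    """Nobody queried 10.9.8.7, but it sends to our ephemeral port from port 53."""
    fw = Firewall(rules)
    return fw.filter(Packet("udp", "10.9.8.7", 53, "63.228.14.241", 49152))

if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("stateful", STATEFUL), ("srcport-hole", SRCPORT_HOLE)):
        print(f"{name:13s} query/reply={dns_exchange(rules)} late={dns_exchange(rules, 60.0)} forged={forged_reply(rules)}")
```

The stateless set lets the query out and drops the reply at the default deny, which is the symptom in the log. The stateful set admits the reply because the outbound packet created a dynamic entry that the reverse 5-tuple matches, drops the same reply once the lifetime has lapsed, and still rejects a forged packet from source port 53 because no entry exists for it. The source-port shortcut admits both the reply and the forgery, which is the hole the thread's advice avoids.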


continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
I'm still having some sort of issues with ipfw rules on my server.  I've got a 
cgi based irc client installed, and I can't connect.  Also, it seems as if my 
DNS server isn't able to send queries out.  An ipfw show displays the 
following for me:

00050 54632 4640473 allow ip from me to any
00100 0   0 allow ip from any to any via lo0
00200 0   0 deny ip from any to 127.0.0.0/8
00300 0   0 deny ip from 127.0.0.0/8 to any
00400  4027  351563 allow ip from 63.228.14.240/29 to me
00500 2  80 allow ip from any to me dst-port 22
00600 2  80 allow ip from any to me dst-port 21
00700   388   25405 allow ip from any to me dst-port 25
00800584944 allow ip from any to me dst-port 80
00900 2  80 allow ip from any to me dst-port 443
01000 2  80 allow ip from any to me dst-port 110
01100544247 allow ip from any to me dst-port 53
01200 2  80 allow ip from any to me dst-port 6667
01300 2  80 allow ip from any to me dst-port 6668
01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080
65535 46432 7224466 deny ip from any to any

Where is all that denied traffic coming from on the final rule?

TIA
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588

