IPFW Problem
steve_at_drifthost.com
Date: 09/30/04
- Previous message: bsdfsse: "How do you know how to install ports? (like vmware3)"
- In reply to: bsdfsse: "How do you know how to install ports? (like vmware3)"
- Next in thread: Steven Adams: "RE: IPFW Problem"
- Reply: Steven Adams: "RE: IPFW Problem"
Date: Thu, 30 Sep 2004 16:33:18 +1000 (EST)
To: freebsd-questions@freebsd.org
Hi,
I am trying to set up my firewall on my server; so far I have the following.
===========================================================
oif=bge0
fwcmd=ipfw
$fwcmd -f flush
$fwcmd add check-state
$fwcmd add allow ip from any to any via lo0
$fwcmd add deny ip from any to 127.0.0.0/8
$fwcmd add deny all from any to any frag in via $oif
$fwcmd add allow tcp from any to me \
    21,25,26,53,110,143,443,465,953,993,995,2082,2083,2086,2087,2089,2095,2096,2627,6666,40000-49452 \
    in via $oif keep-state setup
$fwcmd add allow tcp from any to me 80 setup keep-state
$fwcmd add allow udp from me 53 to any keep-state
$fwcmd add allow udp from any to any 53 keep-state
$fwcmd add allow all from me to any out via $oif setup keep-state
$fwcmd add deny all from any to any 137,138,139,67,68 in
$fwcmd add deny log all from me to any 22
$fwcmd add deny log all from any to any
======================================================
When I turn the firewall on I am getting this in my /var/log/security:
========================================================
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2858 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2864 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2858 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:1431 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:2694 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:3059 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:33077 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:33130 out via bge0
==============================================================
I am unsure why I am getting these; it's like the check-state command
is half working.
I can still browse my web server fine, but I'm still getting these messages.
Anyone got any ideas?
Thanks
Steve
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
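As an added example (not code from the post above or from FreeBSD), the script below reads the ruleset and the /var/log/security lines exactly as posted and resolves the logged rule number back to the rule that produced it. It assumes ipfw's default auto-numbering step of 100 (sysctl net.inet.ip.fw.autoinc_step): a rule added without a number gets the highest existing number plus the step, so after the flush the twelve unnumbered "add" lines become rules 100 through 1200, and 1200 is the final "deny log all from any to any". Because "setup" matches only a SYN segment and "check-state" passes only segments that already have a dynamic entry, a TCP segment to or from port 80 that falls through to rule 1200 has to be a mid-connection segment for which no dynamic rule existed (a connection that was open before the ruleset was loaded, or whose entry has since expired); the script prints that reasoning for each denied line. SOMECLIENT and MYIP are kept as the placeholders the post uses.

```python
"""Triage ipfw 'Deny' log lines against the ruleset that produced them.

Added example; not code from the original post or from FreeBSD. Assumes the
default auto-numbering step of 100 (sysctl net.inet.ip.fw.autoinc_step) and
the log line layout shown in the post. RULESET and LOG are copied from the
post (wrapped lines re-joined); SOMECLIENT and MYIP remain placeholders.
"""
import re

AUTOINC_STEP = 100  # FreeBSD default; an unnumbered 'add' gets highest-so-far + step

RULESET = r"""
oif=bge0
fwcmd=ipfw
$fwcmd -f flush
$fwcmd add check-state
$fwcmd add allow ip from any to any via lo0
$fwcmd add deny ip from any to 127.0.0.0/8
$fwcmd add deny all from any to any frag in via $oif
$fwcmd add allow tcp from any to me 21,25,26,53,110,143,443,465,953,993,995,2082,2083,2086,2087,2089,2095,2096,2627,6666,40000-49452 in via $oif keep-state setup
$fwcmd add allow tcp from any to me 80 setup keep-state
$fwcmd add allow udp from me 53 to any keep-state
$fwcmd add allow udp from any to any 53 keep-state
$fwcmd add allow all from me to any out via $oif setup keep-state
$fwcmd add deny all from any to any 137,138,139,67,68 in
$fwcmd add deny log all from me to any 22
$fwcmd add deny log all from any to any
"""

LOG = """\
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2858 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2864 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2858 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:1431 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:2694 out via bge0
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<dir>in|out) via (?P<ifc>\S+)"
)


def number_rules(script, step=AUTOINC_STEP):
    """Map rule number -> rule body, numbering unnumbered 'add' lines like the kernel."""
    variables, rules, highest = {}, {}, 0
    for raw in script.splitlines():
        line = raw.strip()
        m = re.match(r"^(\w+)=(\S+)$", line)
        if m:                                   # shell variable assignment (oif=bge0)
            variables[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), line)
        m = re.match(r"^ipfw add(?: (\d+))? (.*)$", line)
        if not m:                               # 'ipfw -f flush', blank lines
            continue
        num = int(m.group(1)) if m.group(1) else highest + step
        rules[num] = m.group(2)
        highest = max(highest, num)
    return rules


def port_in_spec(port, spec):
    """True if port falls in an ipfw port list such as '21,25,40000-49452'."""
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if lo.isdigit() and (int(lo) == port or (hi.isdigit() and int(lo) <= port <= int(hi))):
            return True
    return False


def service_rules(rules, port):
    """(number, needs_syn) for each allow rule admitting TCP to 'me' on this port."""
    hits = []
    for num, body in sorted(rules.items()):
        m = re.match(r"allow tcp from any to me (\S+)", body)
        if m and port_in_spec(port, m.group(1)):
            hits.append((num, "setup" in body.split()))
    return hits


def explain(entry, rules):
    """Return (denying rule, its text, why nothing earlier passed the segment)."""
    rule = int(entry["rule"])
    body = rules.get(rule, "<not in ruleset>")
    port = int(entry["dport"] if entry["dir"] == "in" else entry["sport"])  # our service port
    opened = service_rules(rules, port)
    if not opened:
        why = "no allow rule opens tcp port %d" % port
    elif entry["dir"] == "out":
        why = ("a reply from port %d is never a SYN; only dynamic state from rule %d "
               "(keep-state) could pass it, and none existed" % (port, opened[0][0]))
    elif all(syn for _, syn in opened):
        why = ("rule %d matches only a SYN (setup); this mid-connection segment had no "
               "dynamic entry for check-state (connection predates the ruleset load, or "
               "the entry expired)" % opened[0][0])
    else:
        why = "an allow rule without setup exists; check its direction/interface"
    return rule, body, why


def triage(log_text=LOG, script=RULESET):
    """Resolve every denied TCP log line to the rule that denied it and a reason."""
    rules = number_rules(script)
    entries = [m.groupdict() for m in map(LOG_RE.search, log_text.splitlines()) if m]
    report = [explain(e, rules) for e in entries if e["proto"] == "TCP" and e["action"] == "Deny"]
    return rules, report


if __name__ == "__main__":
    for num, body, why in triage()[1]:
        print("rule %d (%s): %s" % (num, body, why))
```

Run it with python3 and it prints one line per denied packet naming rule 1200 and the reason. If net.inet.ip.fw.autoinc_step has been changed on the box, pass that value to number_rules; an explicitly numbered "add N ..." line is kept at N and the counter continues from there.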