RE: IPFW Problem
From: Steven Adams (steve_at_drifthost.com)
Date: 09/30/04
- Previous message: Subhro: "Re: a very annoying pb with accounts"
- In reply to: steve_at_drifthost.com: "IPFW Problem"
- Next in thread: Subhro: "Re: IPFW Problem"
- Reply: Subhro: "Re: IPFW Problem"
To: <steve@drifthost.com>, <freebsd-questions@freebsd.org>
Date: Thu, 30 Sep 2004 22:32:16 +1000
When I add
$fwcmd add allow ip from any to any established
the messages go away, but when I remove it they come back. I ran a tcpdump and
it seems most of the packets just have ACK set?
I'm not too sure what's going on.
Steven Adams steve@drifthost.com
DriftNet Web Services http://www.drifthost.com
Home: +61 2 94274857
Fax: +61 2 94274857
Mobile +61 (0) 404 085644
-----Original Message-----
From: steve@drifthost.com [mailto:steve@drifthost.com]
Sent: Thursday, 30 September 2004 4:33 PM
To: freebsd-questions@freebsd.org
Subject: IPFW Problem
Hi,
I am trying to set up my firewall on my server; so far I have the following.
===========================================================
oif=bge0
fwcmd=ipfw
$fwcmd -f flush
$fwcmd add check-state
$fwcmd add allow ip from any to any via lo0
$fwcmd add deny ip from any to 127.0.0.0/8
$fwcmd add deny all from any to any frag in via $oif
$fwcmd add allow tcp from any to me 21,25,26,53,110,143,443,465,953,993,995,2082,2083,2086,2087,2089,2095,2096,2627,6666,40000-49452 in via $oif keep-state setup
$fwcmd add allow tcp from any to me 80 setup keep-state
$fwcmd add allow udp from me 53 to any keep-state
$fwcmd add allow udp from any to any 53 keep-state
$fwcmd add allow all from me to any out via $oif setup keep-state
$fwcmd add deny all from any to any 137,138,139,67,68 in
$fwcmd add deny log all from me to any 22
$fwcmd add deny log all from any to any
======================================================
When I turn the firewall on I am getting this in my /var/log/security:
========================================================
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2858 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2864 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2858 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:1431 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:2694 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:3059 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:33077 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:33130 out via bge0
==============================================================
I am unsure as to why I am getting these; it's like the check-state command
is half working.
I can still browse my web server fine, but I'm still getting these messages.
Anyone got any ideas?
Thanks
Steve
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
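As an added triage example (not from the thread or from FreeBSD), the script below parses the ipfw syslog format quoted above and separates denies that hit a TCP port the keep-state rules were meant to cover (the packet reached the final deny with no dynamic entry, the symptom described in the post) from unsolicited traffic. The sample log lines, the SOMECLIENT/MYIP placeholders and the set of served ports are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted in the thread; SOMECLIENT and
# MYIP are the placeholders the original poster used, not real addresses.
SAMPLE_LOG = """\
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2858 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP SOMECLIENT:2864 MYIP:80 in via bge0
Sep 30 16:30:48 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:1431 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny TCP MYIP:80 SOMECLIENT:2694 out via bge0
Sep 30 16:30:49 inertia kernel: ipfw: 1200 Deny UDP SOMECLIENT:137 MYIP:137 in via bge0
"""

# Field layout: "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <if>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw_log(text):
    """One dict per ipfw line; lines that are not ipfw output are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := IPFW_RE.search(line))]

def local_port(entry):
    """Port on the firewall host: dport for inbound, sport for outbound."""
    return int(entry["dport"] if entry["dir"] == "in" else entry["sport"])

def classify(entry, served_tcp_ports):
    """A deny on a TCP port the keep-state rules cover means the packet
    reached the final deny without a matching dynamic entry (expired, or the
    connection predates the ruleset); anything else is unsolicited."""
    if entry["proto"] == "TCP" and local_port(entry) in served_tcp_ports:
        return "state-missing"
    return "unsolicited"

def summarize(text, served_tcp_ports):
    """Count Deny events by (direction, local port, class) for triage."""
    counts = Counter()
    for e in parse_ipfw_log(text):
        if e["action"] == "Deny":
            counts[(e["dir"], local_port(e), classify(e, served_tcp_ports))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG, {80, 443}).items()):
        print(key, n)
```

A high "state-missing" count on a served port, with no matching dynamic rules in `ipfw -d show`, points at state lifetime or ordering rather than hostile traffic.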