RE: IPFW Problem
From: Steven Adams (steve_at_drifthost.com)
Date: 10/01/04
To: "'Subhro'" <subhro.kar@gmail.com>, <drift@freebsd.org> Date: Fri, 1 Oct 2004 18:50:11 +1000
I don't have an internal network.
This is a server with 1 gigabit network card on a gig link.
I'm really confused on what's happening then, because web browsing still works
but it's blocking some packets.
I host 60+ sites so I can't pin it down to one site or anything.
Anyone have any other ideas?
Steven Adams steve@drifthost.com
DriftNet Web Services http://www.drifthost.com
Home: +61 2 94274857
Fax: +61 2 94274857
Mobile +61 (0) 404 085644
-----Original Message-----
From: Subhro [mailto:subhro.kar@gmail.com]
Sent: Friday, 1 October 2004 12:36 AM
To: drift@freebsd.org
Cc: steve@drifthost.com; freebsd-questions@freebsd.org
Subject: Re: IPFW Problem
On Thu, 30 Sep 2004 22:32:16 +1000, Steven Adams <steve@drifthost.com>
wrote:
> When I add
>
> $fwcmd add allow ip from any to any established
>
> The messages go away, but when I remove it they come back. I ran a tcpdump and
> it seems most of the packets just have ACK set?
If this works for you then the keep-state is definitely not working
for you, because when a SYN comes in, the state is saved in the
firewall's dynamic states so that subsequent ACKs corresponding to that
SYN get through without any problem.
<snip>
>===========================================================
> oif=bge0
> fwcmd=ipfw
>
> $fwcmd -f flush
>
> $fwcmd add check-state
>
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add deny ip from any to 127.0.0.0/8
>
> $fwcmd add deny all from any to any frag in via $oif
>
> $fwcmd add allow tcp from any to me 21,25,26,53,110,143,443,465,953,993,995,2082,2083,2086,2087,2089,2095,2096,2627,6666,40000-49452 in via $oif keep-state setup
> $fwcmd add allow tcp from any to me 80 setup keep-state
> $fwcmd add allow udp from me 53 to any keep-state
> $fwcmd add allow udp from any to any 53 keep-state
>
> $fwcmd add allow all from me to any out via $oif setup keep-state
>
> $fwcmd add deny all from any to any 137,138,139,67,68 in
>
> $fwcmd add deny log all from me to any 22
> $fwcmd add deny log all from any to any
change this to $fwcmd add deny log all from any to any in xmit $oif
BTW, any good reason not to trust your internal network from sending
data through the firewall?
<snip>
Regards
S.
--
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
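To illustrate Subhro's point about keep-state versus an "established" rule, here is an added toy model of the two matching strategies (not code from this thread and not ipfw itself); ME, SERVICES, CLIENT and the packet list are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})

ME = "203.0.113.10"      # constructed address standing in for ipfw's "me"
SERVICES = {80, 443}     # ports the ruleset opens with "setup keep-state"

def is_setup(p):         # ipfw "setup": SYN set and ACK clear
    return "SYN" in p.flags and "ACK" not in p.flags

def is_established(p):   # ipfw "established": ACK or RST set
    return bool(p.flags & {"ACK", "RST"})

def filter_keep_state(packets):
    """check-state, then 'allow tcp from any to me <ports> setup keep-state', then deny."""
    dyn = set()          # dynamic rules, keyed by the flow's two endpoints
    verdicts = []
    for p in packets:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if key in dyn:                                         # check-state hit
            verdicts.append("allow")
        elif p.dst == ME and p.dport in SERVICES and is_setup(p):
            dyn.add(key)                                       # keep-state creates the entry
            verdicts.append("allow")
        else:
            verdicts.append("deny")                            # the final "deny log all"
    return verdicts

def filter_established(packets):
    """Same ruleset with 'allow ip from any to any established' placed in front of it."""
    return ["allow" if is_established(p) else v
            for p, v in zip(packets, filter_keep_state(packets))]
CLIENT = "198.51.100.7"  # constructed client address
TRAFFIC = [              # constructed sample traffic, not a capture
    Pkt(CLIENT, 40001, ME, 80, frozenset({"SYN"})),         # new HTTP connection
    Pkt(ME, 80, CLIENT, 40001, frozenset({"SYN", "ACK"})),  # our reply, same flow
    Pkt(CLIENT, 40001, ME, 80, frozenset({"ACK"})),         # handshake completes
    Pkt(CLIENT, 40002, ME, 80, frozenset({"ACK"})),         # flow whose SYN predates 'ipfw -f flush'
    Pkt("192.0.2.9", 5555, ME, 22, frozenset({"ACK"})),     # unsolicited ACK to a closed port
]
if __name__ == "__main__":
    for p, a, b in zip(TRAFFIC, filter_keep_state(TRAFFIC), filter_established(TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} keep-state={a} established={b}")
```

With keep-state alone, the ACK-only segments of flows the firewall never saw a SYN for are denied and logged; the established rule silences that by accepting any ACK-flagged TCP segment from anywhere, including the one aimed at port 22, so it hides the missing state rather than restoring it.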