ICMP redirect

From: FreeBSD questions mailing list (FreeBSD_at_amadeus.demon.nl)
Date: 05/25/05

  • Next message: Hexren: "mod_auth_pam apache pam" 
    To: freebsd <freebsd-questions@freebsd.org>
Date: Wed, 25 May 2005 17:46:03 +0200

    Hello,
    Lately i get a lot (really a lot) of these errors:

    icmp redirect from 127.0.0.1: <my outside IP> => 127.0.0.1

    I have no idea where they come from and better how to get rid of them...
    Can anyone point me in a direction to solve this problem?
    Thanks in advance
    Arno

    my firewall rules:

    #!/bin/sh
    ################ Start of IPFW rules file
    ###############################
    # Flush out the list before we begin.
    ipfw -q -f flush

    # Set rules command prefix
    cmd="ipfw -q add"
    skip="skipto 800"
    pif="rl0" # public interface name of NIC
                   # facing the public Internet

    #################################################################
    # No restrictions on Inside LAN Interface for private network
    # Change xl0 to your LAN NIC interface name
    #################################################################
    $cmd 005 allow all from any to any via rl1
    $cmd 006 allow all from any to any via rl2

    #################################################################
    # No restrictions on Loopback Interface
    #################################################################
    $cmd 010 allow all from any to any via lo0

    #################################################################
    # check if packet is inbound and nat address if it is
    #################################################################
    $cmd 014 divert natd ip from any to any in via $pif

    #################################################################
    # Allow the packet through if it has previous been added to the
    # the "dynamic" rules table by a allow keep-state statement.
    #################################################################
    $cmd 015 check-state

    #################################################################
    # Interface facing Public Internet (Outbound Section)
    # Interrogate session start requests originating from behind the
    # firewall on the private network or from this gateway server
    # destine for the public Internet.
    #################################################################

    # Allow out access to my ISP's Domain name server.
    # x.x.x.x must be the IP address of your ISP's DNS
    # Dup these lines if your ISP has more than one DNS server
    # Get the IP addresses from /etc/resolv.conf file
    $cmd 020 $skip udp from any to 194.159.73.137 53 out via $pif keep-state
    $cmd 021 $skip udp from any to 194.159.73.138 53 out via $pif keep-state

    # Allow out access to my ISP's DHCP server for cable/DSL configurations.
    #$cmd 030 $skip udp from any to 82.161.19.0/24 67 out via $pif keep-
    state
    $cmd 031 $skip udp from any to 82.161.19.255 520 out via $pif keep-state

    # Allow out non-secure standard www function
    $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

    # Allow out secure www function https over TLS SSL
    $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

    # Allow out send & get email function
    $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
    $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

    # Allow out FreeBSD (make install & CVSUP) functions
    # Basically give user root "GOD" privileges.
    $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

    # Allow out ping
    $cmd 080 $skip icmp from any to any out via $pif keep-state

    # Allow out Time
    $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

    # Allow out nntp news (i.e. news groups)
    #$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

    # Allow out secure FTP, Telnet, and SCP
    # This function is using SSH (secure shell)
    $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

    # Allow out whois
    $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

    # Allow ntp time server
    $cmd 130 $skip udp from any to any 123 out via $pif keep-state

    # Allow FTP
    $cmd 140 $skip all from any to any 20,21 out via $pif setup keep-state

    # Allow
    $cmd 200 $skip all from any to any 5060,5190,5297,5298,16384-16403
    out via $pif setup keep-state
    $cmd 201 $skip all from any to any 1863 out via $pif setup keep-state
    $cmd 202 $skip all from any to any 8000,8001,8040,8950,9210 out via
    $pif setup keep-state
    $cmd 203 $skip udp from 82.161.18.200 to 66.172.95.197 5499 out via
    $pif keep-state
    $cmd 204 $skip tcp from any to any 5500,5501 out via $pif setup keep-
    state
    $cmd 205 $skip all from any to any 554 out via $pif setup keep-state
    $cmd 206 $skip tcp from any to any 6881-6889 out via $pif setup keep-
    state
    $cmd 207 $skip tcp from any to any 6346 out via $pif setup keep-state
    $cmd 208 $skip all from any to any 2401 out via $pif setup keep-state

    #################################################################
    # Interface facing Public Internet (Inbound Section)
    # Interrogate packets originating from the public Internet
    # destine for this gateway server or the private network.
    #################################################################

    # Deny all inbound traffic from non-routable reserved address spaces
    $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918
    private IP
    $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918
    private IP
    $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918
    private IP
    $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
    $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
    $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-
    config
    $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved
    for docs
    $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
    $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D &
    E multicast

    # Deny ident
    $cmd 315 deny tcp from any to any 113 in via $pif

    # Deny all Netbios service. 137=name, 138=datagram, 139=session
    # Netbios is MS/Windows sharing services.
    # Block MS/Windows hosts2 name server requests 81
    $cmd 320 deny tcp from any to any 137 in via $pif
    $cmd 321 deny tcp from any to any 138 in via $pif
    $cmd 322 deny tcp from any to any 139 in via $pif
    $cmd 323 deny tcp from any to any 81 in via $pif

    # Deny any late arriving packets
    $cmd 330 deny all from any to any frag in via $pif

    # Deny ACK packets that did not match the dynamic rule table
    $cmd 332 deny tcp from any to any established in via $pif

    # Allow traffic in from ISP's DHCP server. This rule must contain
    # the IP address of your ISP's DHCP server as it's the only
    # authorized source to send this packet type.
    # Only necessary for cable or DSL configurations.
    # This rule is not needed for 'user ppp' type connection to
    # the public Internet. This is the same IP address you captured
    # and used in the outbound section.
    $cmd 350 allow udp from 82.161.19.0/24 to any 68 in via $pif keep-state

    # Allow in Apache server
    $cmd 360 allow tcp from any to me 80 in via $pif setup limit src-addr 2

    # Allow in SSH from public Internet
    $cmd 370 allow tcp from any to me 8888 in via $pif setup limit src-
    addr 1

    ### Banned IP:
    $cmd 379 deny ip from 205.151.204.0/24 to me in via $pif

    ### Allow in
    $cmd 380 allow all from any to me 5500,5501 in via $pif setup keep-state
    $cmd 381 allow tcp from any to me 8000 in via $pif setup limit src-
    addr 1

    # Reject & Log all unauthorized incoming connections from the public
    Internet
    $cmd 400 deny log all from any to any in via $pif

    # Reject & Log all unauthorized out going connections to the public
    Internet
    $cmd 450 deny log all from any to any out via $pif

    # This is skipto location for outbound stateful rules
    $cmd 800 divert natd ip from any to any out via $pif
    $cmd 801 allow ip from any to any

    # Everything else is denied by default
    # deny and log all packets that fell through to see what they are
    $cmd 999 deny log all from any to any
    ################ End of IPFW rules file ###############################
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

  • Next message: Hexren: "mod_auth_pam apache pam"

    Relevant Pages

    • Dumb IPFW Question
      ... going connections to the public Internet ... $cmd 450 deny log all from any to any out via $pif". ... # Allow out access to my ISP's Domain name server. ...
      (freebsd-questions)
    • Webserver behind nat/ipfw
      ... I have been struggling for the last months now to run a webserver behind a firewall. ... $cmd 005 allow all from any to any via $lif1 ... # Allow out access to my ISP's Domain name server. ... # Deny all inbound traffic from non-routable reserved address spaces ...
      (freebsd-questions)
    • ipfw + natd + stateful rules. For the archives
      ... $cmd 100 divert natd ip from any to any in via $pif ... $cmd 450 deny log ip from any to any ... # Interface facing Public internet ... # Allow out access to my ISP's Domain name server. ...
      (freebsd-questions)
    • Re: Load Balancing Outgoing, its possible ?
      ... # - Enabling the specific NAT server for IPFW ... $cmd 10 allow ip from any to any ... $cmd deny ip from any to 127.0.0.0/8 ... # Interface facing Public Internet ...
      (freebsd-net)
    • ipfw and access-list
      ... $cmd 00300 deny all from 192.168.0.0/16 to any in via ... $pif #RFC 1918 private IP ... $cmd 00305 deny all from 169.254.0.0/16 to anyin via ...
      (freebsd-questions)