IPFW help (dialup)
From: Ed Hurst (me_at_privacy.net)
Date: 03/09/04
- Next message: Jas: "Upgrading Sendmail via the Ports tree...?"
- Previous message: Colin Andrew Percival: "Re: 5.2 CDROM .0 or .1?"
- Next in thread: Alan Hicks: "Re: IPFW help (dialup)"
- Reply: Alan Hicks: "Re: IPFW help (dialup)"
- Reply: Justins local account: "Re: IPFW help (dialup)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 08 Mar 2004 21:37:27 -0600
I recently switched from an older firewall formula to the one
recommended in the bundled articles. I really do not understand, even
with the commenting. I've done the RTFM, but it's still over my head.
Here it is:
------------------[snip]---------------------------
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"
# Force a flushing of the current rules before we reload.
${fwcmd} -f flush
# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established
# Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny tcp from me to any out via lo0
$fwcmd add allow ip from me to any out via lo0 keep-state
# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state
# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any
# Enable ICMP: remove type 8 if you don't want your host to be pingable
${fwcmd} add allow icmp from any to any icmptypes 0,3,11,12,13,14
# Deny all the rest.
${fwcmd} add drop log ip from any to any
-----------------------[snip]------------------------------
I offer no services. Now these rules are more flexible than previous,
but I still see lots of refusals from my ISP's DNS server. Here's a
short sample:
-----------------------[snip]------------------------------
Mar 8 20:58:11 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.253:53 208.31.95.75:1774 in via ppp0
Mar 8 20:58:11 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.253:53 208.31.95.75:1772 in via ppp0
Mar 8 20:58:23 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.252:53 208.31.95.75:1775 in via ppp0
Mar 8 20:58:23 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.252:53 208.31.95.75:1776 in via ppp0
Mar 8 20:58:23 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.252:53 208.31.95.75:1778 in via ppp0
Mar 8 20:58:24 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.252:53 208.31.95.75:1777 in via ppp0
Mar 8 20:58:27 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.253:53 208.31.95.75:1779 in via ppp0
-----------------------[snip]------------------------------
(There's no privacy fears here, so I've left it unedited.)
So why is my firewall blocking these responses? Can someone help me make
an adjustment?
-- Ed Hurst --------- return addy is a spam-catcher, used by permission; try softedges a=t softhome d0t net
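The first thing to establish when triaging log lines like the ones above is which of the posted rules actually produced them. ipfw assigns numbers to unnumbered rules automatically, by default in steps of 100 (the net.inet.ip.fw.autoinc_step sysctl), so the n-th "add" in the script becomes rule n*100. The script below is an added example and not part of the post or of FreeBSD: it parses the quoted log entries (a constructed copy, rejoined onto one line each), counts the denied packets by rule, protocol, source port and interface, and maps the rule number back to the posted rule body. It assumes the default step of 100 and that no rules were loaded other than the eleven in the post; under those assumptions rule 1100 is the final "drop log ip from any to any", which tells you the port-53 replies were not matched by any dynamic rule when they arrived, since check-state runs first.

```python
import re
from collections import Counter

# Constructed copy of the ipfw log lines quoted in the post, rejoined onto
# one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
Mar 8 20:58:11 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.253:53 208.31.95.75:1774 in via ppp0
Mar 8 20:58:11 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.253:53 208.31.95.75:1772 in via ppp0
Mar 8 20:58:23 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.252:53 208.31.95.75:1775 in via ppp0
Mar 8 20:58:23 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.252:53 208.31.95.75:1776 in via ppp0
Mar 8 20:58:23 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.252:53 208.31.95.75:1778 in via ppp0
Mar 8 20:58:24 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.252:53 208.31.95.75:1777 in via ppp0
Mar 8 20:58:27 thud /kernel: ipfw: 1100 Deny UDP 208.23.212.253:53 208.31.95.75:1779 in via ppp0
"""

# Rule bodies from the posted script, in the order they are added.
# Assumption: default net.inet.ip.fw.autoinc_step of 100 and no other
# rules loaded, so the n-th "add" is rule n*100.
POSTED_RULES = [
    "check-state",
    "deny tcp from any to any established",
    "allow tcp from me to any out via lo0 setup keep-state",
    "deny tcp from me to any out via lo0",
    "allow ip from me to any out via lo0 keep-state",
    "allow tcp from me to any out xmit any setup keep-state",
    "deny tcp from me to any",
    "allow ip from me to any out xmit any keep-state",
    "reset log tcp from any to me 113 in recv any",
    "allow icmp from any to any icmptypes 0,3,11,12,13,14",
    "drop log ip from any to any",
]
AUTOINC_STEP = 100

# Layout of the kernel's ipfw log message as it appears in the post:
# "<rule> <action> <proto> src:port dst:port <in|out> via <iface>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Return one dict per log line that matches the ipfw layout above."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        entries.append(e)
    return entries


def rule_text(rule_number, rules=POSTED_RULES, step=AUTOINC_STEP):
    """Map an auto-assigned rule number back to the posted rule body,
    or None if the number does not correspond to one of the posted rules."""
    idx = rule_number // step - 1
    if rule_number % step or not 0 <= idx < len(rules):
        return None
    return rules[idx]


def summarize(entries):
    """Count denied packets per (rule, proto, source port, direction, iface)."""
    return Counter(
        (e["rule"], e["proto"], e["sport"], e["dir"], e["iface"])
        for e in entries
        if e["action"] == "Deny"
    )


def responding_servers(entries, port=53):
    """Addresses whose packets from the given source port were logged."""
    return sorted({e["src"] for e in entries if e["sport"] == port})


if __name__ == "__main__":
    entries = parse_ipfw_log(SAMPLE_LOG)
    for key, n in summarize(entries).items():
        rule, proto, sport, direction, iface = key
        print(f"rule {rule} ({rule_text(rule)}): {n} x {proto} "
              f"from port {sport} {direction} via {iface}")
    print("servers:", responding_servers(entries))
```

Run against the sample it reports seven UDP packets from source port 53, all inbound via ppp0 and all caught by rule 1100, the catch-all deny, from the two resolver addresses 208.23.212.252 and 208.23.212.253. That narrows the question to why the outbound query through rule 800 (the "allow ip ... keep-state" rule) did not leave a dynamic entry that check-state could match when the reply came back.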