IPFW - Allowed but Denied is shown in my logs
pwd8jmr22w at me.point.ne.jp
Thu Aug 5 21:54:54 PDT 2004
Giorgos Keramidas wrote:
> On 2004-08-04 20:31, Srot BULL <pwd8jmr22w at me.point.ne.jp> wrote:
>>>On 2004-08-04 17:13, Srot BULL <pwd8jmr22w at me.point.ne.jp> wrote:
>>>>Why are the above firewall logs telling me that it has denied my TCP
>>>>packets and yet I am not experiencing any problems in my emails and
>>>>access to the internet through port 80. [...]
>>>Giorgos Keramidas wrote:
>>>Show us the full ruleset. Otherwise we're just guessing...
>>$CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root
> Hmm. I'm not sure if this is a good idea, but it's unrelated to the
> denied packets you're seeing :-/
I will RTFM about this...Thank you.
>>$CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
>>$CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
>>$CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN
> You might want to also deny incoming packets from these addresses, or fall
> back to the default firewall rule -- whatever that rule is ("deny log all"
> in your case).
I think I can do this...I guess...
>>$CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN
> Hmmm, what is this address block supposed to be here for?
I am sorry, I only copied this ruleset from the article...I really need
to get back in RTFM and read again the article...maybe I missed something.
>>#reserved for doc's#
>>$CMD 00307 deny all from 22.214.171.124/23 to any in via $IFN
> And this one?
This one too...
> A better approach that will avoid forcing everyone to wait until their
> connections time out is to reply with an RST packet, which is the standard
> way TCP would reply if no auth/ident service was running at all.
I need some reading to understand what you just advised...Thank you.
> Fragments are not late-arriving packets ;-)
>>#* Reject & Log all incoming connections from the outside *#
>>$CMD 00499 deny log all from any to any in via $IFN
> This one is redundant, since it will only do the same as the one below:
>># Everything else is denied by default
>># DENY and LOG all packets that fell through to see what they are
>>$CMD 00999 deny log all from any to any
>>My basis for my rulesets is taken from:
> AFAIK, the author of the page is a reader of the list too. I can't find
> anything wrong with the syntax of your rules. The only weird thing I noticed
> were the two hard-wired address blocks I mentioned above. Perhaps the author
> of the initial ruleset can help you more ;)
It was kind of the author to drop me an email...
and, thank you for your advice too...I will base my rulesets on yours
and other peoples' advices, and re-read that article for a better
understanding...and maybe I can tune my rulesets more to better fit my
Have a nice day...
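The points raised in the thread, applied to a trimmed copy of the posted ruleset, as an added example that is not from the original message or the article it was copied from: the redundant rule 00499 is dropped, the auth/ident port is answered with an RST instead of a silent drop, and a check-state rule is placed ahead of the keep-state rule. The interface name fxp0 and rule number 00310 are assumptions; by default the script only prints the rules so they can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not the thread's own ruleset). Assumptions: $IFN is the
# outside interface and the rule numbers follow the original post.
IFN="${IFN:-fxp0}"
# On the FreeBSD host set IPFW_CMD="/sbin/ipfw -q add" to really load the
# rules; the default only echoes them for review.
CMD="${IPFW_CMD:-echo ipfw -q add}"

emit_rules() {
    # check-state must run before the deny rules so that replies to the
    # keep-state sessions below are matched by their dynamic rule.
    $CMD 00100 check-state
    $CMD 00240 allow tcp from me to any out via "$IFN" setup keep-state

    # RFC 1918 source addresses must never arrive on the outside interface.
    $CMD 00300 deny all from 192.168.0.0/16 to any in via "$IFN"
    $CMD 00301 deny all from 172.16.0.0/12 to any in via "$IFN"
    $CMD 00302 deny all from 10.0.0.0/8 to any in via "$IFN"

    # auth/ident (tcp/113): send an RST instead of dropping silently, so a
    # remote mail server does not sit waiting for the connection to time out.
    $CMD 00310 reset tcp from any to me 113 in via "$IFN"

    # The original 00499 ("deny log all from any to any in via $IFN") is
    # left out: it only duplicates the final catch-all rule.
    $CMD 00999 deny log all from any to any
}

emit_rules
```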