IPFW - Allowed but Denied is shown in my logs

SrotBULL pwd8jmr22w at me.point.ne.jp
Thu Aug 5 21:54:54 PDT 2004


Giorgos Keramidas wrote:
> On 2004-08-04 20:31, Srot BULL <pwd8jmr22w at me.point.ne.jp> wrote:
> 
>>>On 2004-08-04 17:13, Srot BULL <pwd8jmr22w at me.point.ne.jp> wrote:
>>>
>>>>Why are the above firewall logs telling me that it has denied my TCP
>>>>packets and yet I am not experiencing some problems in my emails and
>>>>access to the internet through port 80. [...]
>>>
>>>Giorgos Keramidas wrote:
>>>Show us the full ruleset.  Otherwise we're just guessing...
> 
>>$CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root
> Hmm.  I'm not sure if this is a good idea, but it's unrelated to the
> denied packets you're seeing :-/

I will RTFM about this...Thank you.

>>$CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
>>$CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
>>$CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN 
> You might want to also deny incoming packets from these addresses, or fall
> back to the default firewall rule -- whatever that rule is ("deny log all"
> in your case).

I think I can do this...I guess...

>>$CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN
> Hmmm, what is this address block supposed to be here for?

I am sorry, I only copied this ruleset from the article...I really need 
to get back to RTFM and read the article again...maybe I missed something.


>>#reserved for doc's#
>>$CMD 00307 deny all from 204.152.64.0/23 to any in via $IFN 
> And this one?

This one too...

> A better approach that will avoid forcing everyone to wait until their
> connections time out is to reply with an RST packet, which is the standard
> way TCP would reply if no auth/ident service was running at all.

I need some reading to understand what you just advised...Thank you.

> Fragments are not late-arriving packets ;-)
> 
> 
>>#* Reject & Log all incoming connections from the outside *#
>>$CMD 00499 deny log all from any to any in via $IFN
> This one is redundant, since it will only do the same as the one below:

OK...

>># Everything else is denied by default
>># DENY and LOG all packets that fell through to see what they are
>>$CMD 00999 deny log all from any to any
> 
> 
>>The basis for my rulesets is taken from:
>>http://freebsd.a1poweruser.com:6088/FBSD_firewall/
>  
> AFAIK, the author of the page is a reader of the list too.  I can't find
> anything wrong with the syntax of your rules.  The only weird thing I noticed
> were the two hard-wired address blocks I mentioned above.  Perhaps the author
> of the initial ruleset can help you more ;)

The author was kind enough to drop me an email...
and thank you for your advice too...I will base my rulesets on yours 
and other people's advice, and re-read that article for a better 
understanding...and maybe I can tune my rulesets more to better fit my 
system.
Have a nice day...

SrotBULL
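Putting the advice from this thread into rule form, as an added example that is neither the quoted ruleset nor the linked article's code: a small sh script that emits the corrected block of rules. It assumes the same $CMD/$IFN conventions as the quoted ruleset, an assumed interface name, a dry-run mode that only prints the rules, and port 113 for auth/ident; the outbound counterparts of the private-address rules are this example's own addition.

```shell
#!/bin/sh
# Added example: ipfw rules derived from the advice in this thread.
# Same conventions as the quoted ruleset: IFN is the outside interface,
# CMD is "ipfw -q add". DRY_RUN=1 (the default here) only prints rules.
IFN="${IFN:-xl0}"          # assumed interface name; adjust for your system
if [ "${DRY_RUN:-1}" = 1 ]; then
    CMD="echo ipfw -q add"
else
    CMD="ipfw -q add"
fi

# Private (RFC 1918) and link-local (RFC 3927) blocks, as in rules
# 00300-00305 of the thread. The "out" rules are an addition of this
# example: they stop a misrouted internal packet leaving via $IFN too.
emit_bogon_rules() {
    n=300
    for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16; do
        $CMD 00$n deny all from $net to any in via $IFN
        n=$((n + 1))
        $CMD 00$n deny all from any to $net out via $IFN
        n=$((n + 1))
    done
}

# Instead of silently dropping auth/ident probes (port 113 assumed) and
# making remote mail servers wait for a timeout, answer with a TCP RST,
# which is what a host with no ident daemon would do anyway.
emit_ident_rule() {
    $CMD 00400 reset tcp from any to me 113 in via $IFN
}

# Rule 00499 from the quoted ruleset is left out: the default-deny at
# 00999 already logs everything that falls through.
emit_final_rule() {
    $CMD 00999 deny log all from any to any
}

emit_all() { emit_bogon_rules; emit_ident_rule; emit_final_rule; }
emit_all
```

Run with DRY_RUN=1 first and compare the printed rules against `ipfw show` before loading them for real.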


More information about the freebsd-questions mailing list