ipfw - denying all - what port for OE

Dave McCammon davemac11 at yahoo.com
Wed Oct 13 08:41:45 PDT 2004


--- David Banning <david at skytracker.ca> wrote:

> My server is my desktop. My ipfw rules follow.
> Whenever I take out line 12000 it runs fine. When I
> put it back in I can't run OE.
> 
> 01000 allow tcp from any to any 10060
> 01040 allow tcp from any to any 22
> 10100 allow tcp from any to any 80
> 10200 allow tcp from any to any 10080
> 10300 allow tcp from any to any 3128
> 10400 allow tcp from any to any 8180
> 10600 allow tcp from any to any 8025
> 10700 allow tcp from any to any 110
> 10800 allow tcp from any to any 25
> 10810 allow tcp from any to any 109
> 10820 allow tcp from any to any 106
> 11001 allow tcp from any to any 389
> 11002 allow tcp from any to any 636
> 11003 allow tcp from any to any 379
> 11004 allow tcp from any to any 390
> 11005 allow tcp from any to any 3268
> 11006 allow tcp from any to any 3269
> 11007 allow tcp from any to any 143
> 11008 allow tcp from any to any 993
> 11009 allow tcp from any to any 995
> 11010 allow tcp from any to any 119
> 11011 allow tcp from any to any 563
> 11012 allow tcp from any to any 443
> 11013 allow tcp from any to any 465
> 11015 allow tcp from any to any 625
> 11016 allow tcp from any to any 135
> 11017 allow tcp from any to any 935
> 12000 deny tcp from 209.188.66.29 to any
> 
I may be assuming a lot here with the info you have
given but....

Correct me if I'm wrong, but I'm assuming 209.188.66.29
is your machine, it has the services running, and
your ipfw setup in your kernel has
IPFIREWALL_DEFAULT_TO_ACCEPT.
With that setup, OE will work without rule 12000
because the client-to-server packets match rule 10700
and server-to-client will match the last rule (65535
in #ipfw show).
With rule 12000 inserted, client-to-server packets
match rule 10700 but server-to-client get blocked by
12000.

You may try adding:
01050 allow tcp from any to any established
and adding "setup" to the end of the rest of the "allow"
rules, for example:
01000 allow tcp from any to me 10060 setup

or try rewriting your rules to use dynamic rules.
example:
01050 check-state
01000 allow tcp from any to me 10060 setup keep-state
01040 allow tcp from any to me 22 setup keep-state
10100 allow tcp from any to me 80 setup keep-state
10200 allow tcp from any to me 10080 setup keep-state
.....
(last rule)
50000 deny ip from any to any

Now, if your setup doesn't match what I outlined
above, please send your output of (as root) #ipfw show.
With this output we can better help you adjust your
ruleset.
You may want to also include your /etc/rc.conf file
and what firewall options you have in your kernel
config.

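The first-match behaviour the reply describes, as an added example that is not part of the original thread: a small simulator that walks the POP3 client's SYN and the server's reply through the quoted rules, with and without the suggested "established" rule. It models only the keywords the thread uses (protocol, source, destination port, "established" as "ACK set"); the client address 192.0.2.10 and the ephemeral port are constructed, and the kernel default rule 65535 is assumed to be accept, as the reply does.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool  # True for every segment after the client's initial SYN


def parse_rule(line):
    """Parse 'NNNNN action tcp from SRC to DST [PORT] [established]'."""
    parts = line.split()
    num, action, src, dst = int(parts[0]), parts[1], parts[4], parts[6]
    rest = parts[7:]
    dport = int(rest[0]) if rest and rest[0].isdigit() else None
    # Simplification: real ipfw "established" matches ACK or RST set.
    return (num, action, src, dst, dport, "established" in rest)


def matches(rule, pkt):
    _, _, src, dst, dport, established = rule
    return ((src == "any" or src == pkt.src)
            and (dst == "any" or dst == pkt.dst)
            and (dport is None or dport == pkt.dport)
            and (not established or pkt.ack))


def verdict(ruleset, pkt):
    """ipfw is first-match: the lowest-numbered matching rule decides.
    Rule 65535 is the kernel default; IPFIREWALL_DEFAULT_TO_ACCEPT assumed."""
    rules = sorted(parse_rule(line) for line in ruleset)
    rules.append((65535, "allow", "any", "any", None, False))
    for rule in rules:
        if matches(rule, pkt):
            return rule[0], rule[1]


ORIGINAL = [
    "10700 allow tcp from any to any 110",
    "12000 deny tcp from 209.188.66.29 to any",
]
FIXED = ["01050 allow tcp from any to any established"] + ORIGINAL

SERVER, CLIENT = "209.188.66.29", "192.0.2.10"          # client constructed
to_server = Packet(CLIENT, SERVER, 110, ack=False)       # OE opens POP3
from_server = Packet(SERVER, CLIENT, 51234, ack=True)    # server's reply

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("with established", FIXED)):
        print(name, verdict(rs, to_server), verdict(rs, from_server))
```

Without rule 12000 the reply falls through to 65535 and is accepted; with it, the reply matches none of the port-specific allows and is denied, which is exactly the symptom in the question.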