Newbie IPFW Questions

Dave McCammon davemac11 at yahoo.com
Mon Jul 18 18:20:11 GMT 2005



--- Jim Campbell <jim-c at charter.net> wrote:

> Glenn Dawson wrote:
> 
> > At 08:18 PM 7/17/2005, Jim Campbell wrote:
> >
> >> I have a machine set up as a classroom to learn about FreeBSD.  It is
> >> running 4.11 primarily because anything later can't see my hard drive.
> >>
> >> As background, my FBSD machine has an address of 192.168.1.110.  It is
> >> situated behind a hardware firewall (a Linksys router).  $pif is vr0.
> >>
> >> I'm having problems setting up IPFW to communicate with an Onion router.
> >> The puzzling part is that I am able to use the Onion router but my
> >> /var/log/security file says that some of the packets are being dropped.
> >>
> >> Following is what I hope are the pertinent lines from my /etc/ipfw.rules
> >> file:
> >>
> >> $cmd 00225 allow tcp from me to any 9001-9033 out via $pif setup keep-state
> >> $cmd 00299 deny log all from me to any out via $pif
> >> $cmd 00332 deny log tcp from any to me established in via $pif
> >>
> >> Next is an excerpt from the /var/log/security file:
> >>
> >> Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218 128.148.34.133:9001 out via vr0
> >> Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959 131.175.189.134:9001 out via vr0
> >> Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001 192.168.1.110:2218 in via vr0
> >> Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030 192.168.1.110:4566 in via vr0
> >>
> >> Now my questions.  First, why isn't rule 225 allowing all the packets out
> >> to the Onion router?  It seems to me that ipfw should allow all packets
> >> in the port range 9001-9033 out or none.
> >
> > Rule 225 will only match packets used to set up the tcp session; once
> > it's established you need another rule that will allow the established
> > session to function.
> >
> > Rule 299 is denying everything from leaving your machine except for
> > the packets allowed by rule 225.
> >
> >
> It appears that I didn't include enough of the ipfw.rules file.
> Following is another abstract:
> 
> #################################################################
> # Allow the packet through if it has previously been added to the
> # "dynamic" rules table by an allow keep-state statement.
> #################################################################
> $cmd 00015 check-state
> 
> It's my understanding that this rule allows through any returning
> packets that match the dynamic rule established by Rule 225.
> 
> >> Next, the two inbound packets should be returning in response to an
> >> outbound packet.  Why are they being dropped?  Are they exceeding some
> >> timeout?
> >
> > Rule 332 is denying all established traffic from entering your
> > machine.  So, while rule 225 allows you to establish a tcp session
> > with another system on ports 9001-9033, once the session is
> > established, rule 225 no longer applies and rule 332 is then throwing
> > all those packets away.
> >
> > -Glenn
> >
> Part of my problem is that I don't understand the protocols being used
> by the Onion routers.  It appears that Tor (the application on my machine
> that sets up the communication with the Onion routers) begins to
> communicate with the Onion routers as soon as it starts.  This
> communication continues as long as the FBSD machine is alive.  Really
> shook me up when I first started using Tor and Privoxy.  I thought
> someone was hacking my machine :-)
> 
> The really puzzling thing about this situation is that at least some of
> the messages concerning the Onion protocol are getting through.  I can
> ask for www.google.com and sometimes it resolves to Google in Europe,
> sometimes to Google in Asia, and sometimes to Google here in the US.
> Ipfw appears to be only dropping some of the packets.
> 
> Perhaps I should set up another machine to sniff the packets that
> occur.  Maybe that would give me an idea of what is happening with the
> Onion protocol.
> 
> In any event, thanks for your input to my problem, and if you have any
> other ideas I would appreciate them very much.  I've been chewing on
> this problem the better part of a week.
> 
> Thanks,
> 
> Jim

Check the output of

# ipfw show

and make sure the check-state line is there.

Your config says:

$cmd 00015 check-state

and I think (at least on a 5.4 machine) it should say

$cmd 00015 add check-state


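The rule ordering the thread turns on, as an added example (not code from the original posts): the poster's three rules plus rule 15, in the style of the FreeBSD Handbook's ipfw script that his $cmd variable suggests. Assumption, since the post does not show the line: $cmd is defined as in the Handbook, cmd="ipfw -q add", in which case "$cmd 00015 check-state" already carries the add verb and rule 15 should appear in ipfw list / ipfw show. The script defaults to a dry run that prints the commands instead of loading them, and ends with the check the reply recommends, done mechanically: a check-state rule must exist and be numbered below the first deny, or the returning packets of a keep-state session never reach the dynamic table.

```shell
#!/bin/sh
# Added example, not from the thread: the poster's rules with check-state,
# plus a check that check-state is present and ordered before any deny.
# Assumption: $cmd is the Handbook's "ipfw -q add", so no second "add".
# IPFW_DRYRUN=1 (the default here) prints the commands instead of loading them.

pif="vr0"              # the poster's outside interface
tor_ports="9001-9033"  # the port range from the poster's rule 225

if [ "${IPFW_DRYRUN:-1}" = "1" ]; then
    cmd="echo ipfw -q add"
else
    cmd="ipfw -q add"
fi

load_rules() {
    # Dynamic-rule lookup must run before any deny rule that could match
    # the later packets of a session; otherwise the replies to a keep-state
    # connection fall through to rule 332 and are logged as denied.
    $cmd 00015 check-state

    # Only the outbound SYN matches here ("setup"); keep-state then installs
    # a dynamic rule that rule 15 consults for the rest of the connection.
    $cmd 00225 allow tcp from me to any $tor_ports out via $pif setup keep-state

    # Everything else leaving, or arriving mid-session, is logged and dropped.
    $cmd 00299 deny log all from me to any out via $pif
    $cmd 00332 deny log tcp from any to me established in via $pif
}

# Reads "ipfw list" output (rule number, then the rule body) on stdin and
# succeeds only if a check-state rule exists and is numbered below the first
# deny rule, the condition the dynamic rules need in order to work.
check_state_first() {
    awk '
        $2 == "check-state" && cs == "" { cs = $1 + 0 }
        $2 == "deny"        && dn == "" { dn = $1 + 0 }
        END { exit !(cs != "" && (dn == "" || cs < dn)) }
    '
}

# Stand-alone run: print the rules, then apply the ordering check to them.
load_rules | sed 's/^ipfw -q add //' | check_state_first \
    && echo "check-state precedes the first deny rule" \
    || echo "WARNING: check-state missing or numbered after a deny rule"
```

On the real box, feed the live rule set in instead: `ipfw list | check_state_first`.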


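The log excerpt in the quoted post shows the same connection (192.168.1.110:2218 to 128.148.34.133:9001) denied by rule 299 on the way out and by rule 332 on the way back, which means neither packet matched a dynamic rule at that moment. The following added example (not from the thread) groups ipfw deny lines by connection so such pairs stand out; the sample input is the four lines quoted in the post. One thing worth checking when pairs like this appear for long-lived connections: ipfw expires idle dynamic rules after net.inet.ip.fw.dyn_ack_lifetime seconds (300 by default), visible with sysctl.

```shell
#!/bin/sh
# Added example, not from the thread: group ipfw deny log lines by connection
# so a session dropped in both directions stands out. Both directions being
# denied means no keep-state entry existed for that connection at the time.

# Constructed sample: the four /var/log/security lines quoted in the post.
SAMPLE_LOG='Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218 128.148.34.133:9001 out via vr0
Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959 131.175.189.134:9001 out via vr0
Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001 192.168.1.110:2218 in via vr0
Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030 192.168.1.110:4566 in via vr0'

# Reads ipfw log lines on stdin. Prints one line per connection:
#   <local endpoint> <remote endpoint> <direction>:<rule> ...
# The local endpoint is the source of "out" packets and the destination of
# "in" packets, so both halves of one connection share a key.
correlate_denies() {
    awk '
        $6 == "ipfw:" && $8 == "Deny" {
            rule = $7; src = $10; dst = $11; dir = $12
            key = (dir == "out") ? src " " dst : dst " " src
            hits[key] = hits[key] (hits[key] == "" ? "" : " ") dir ":" rule
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# Keeps only connections denied both on the way out and on the way back in.
stateless_sessions() {
    correlate_denies | awk '/out:/ && /in:/'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | correlate_denies
echo "--- connections denied in both directions (no dynamic rule matched):"
printf '%s\n' "$SAMPLE_LOG" | stateless_sessions
```

Against the live log: `grep 'ipfw:' /var/log/security | stateless_sessions`.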