Newbie IPFW Questions

Jim Campbell jim-c at charter.net
Tue Jul 19 01:10:19 GMT 2005


Dave McCammon wrote:

>--- Jim Campbell <jim-c at charter.net> wrote:
>
>>Glenn Dawson wrote:
>>
>>>At 08:18 PM 7/17/2005, Jim Campbell wrote:
>>>
>>>>I have a machine set up as a classroom to learn about FreeBSD.  It is
>>>>running 4.11 primarily because anything later can't see my hard drive.
>>>>
>>>>As background, my FBSD machine has an address of 192.168.1.110.  It is
>>>>situated behind a hardware firewall (a Linksys router).  $pif is vr0.
>>>>
>>>>I'm having problems setting up IPFW to communicate with an Onion router.
>>>>The puzzling part is that I am able to use the Onion router but my
>>>>/var/log/security file says that some of the packets are being dropped.
>>>>
>>>>Following is what I hope are the pertinent lines from my /etc/ipfw.rules
>>>>file:
>>>>
>>>>$cmd 00225 allow tcp from me to any 9001-9033 out via $pif setup keep-state
>>>>$cmd 00299 deny log all from me to any out via $pif
>>>>$cmd 00332 deny log tcp from any to me established in via $pif
>>>>
>>>>Next is an excerpt from the /var/log/security file:
>>>>
>>>>Jul 17 21:49:58 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:2218 128.148.34.133:9001 out via vr0
>>>>Jul 17 21:49:59 JimsP1G /kernel: ipfw: 299 Deny TCP 192.168.1.110:4959 131.175.189.134:9001 out via vr0
>>>>Jul 17 21:50:18 JimsP1G /kernel: ipfw: 332 Deny TCP 128.148.34.133:9001 192.168.1.110:2218 in via vr0
>>>>Jul 17 21:50:29 JimsP1G /kernel: ipfw: 332 Deny TCP 131.175.189.134:9030 192.168.1.110:4566 in via vr0
>>>>
>>>>Now my questions.  First, why isn't rule 225 allowing all the packets out
>>>>to the Onion router?  It seems to me that ipfw should allow all packets
>>>>in the port range 9001-9033 out or none.
>>>
>>>Rule 225 will only match packets used to set up the tcp session; once
>>>it's established you need another rule that will allow the established
>>>session to function.
>>>
>>>Rule 299 is denying everything from leaving your machine except for
>>>the packets allowed by rule 225.
>>
>>It appears that I didn't include enough of the ipfw.rules file.
>>Following is another abstract:
>>
>>#################################################################
>># Allow the packet through if it has previously been added to the
>># "dynamic" rules table by an allow keep-state statement.
>>#################################################################
>>$cmd 00015 check-state
>>
>>It's my understanding that this rule allows through any returning
>>packets that match the dynamic rule established by Rule 225.
>>
>>>>Next, the two inbound packets should be returning in response to an
>>>>outbound packet.  Why are they being dropped?  Are they exceeding some
>>>>timeout?
>>>
>>>Rule 332 is denying all established traffic from entering your
>>>machine.  So, while rule 225 allows you to establish a tcp session
>>>with another system on ports 9001-9033, once the session is
>>>established, rule 225 no longer applies and rule 332 is then throwing
>>>all those packets away.
>>>
>>>-Glenn
>>
>>Part of my problem is that I don't understand the protocols being used
>>by the Onion routers.  It appears that Tor (the application on my
>>machine that sets up the communication with the Onion routers) begins
>>to communicate with the Onion routers as soon as it starts.  This
>>communication continues as long as the FBSD machine is alive.  Really
>>shook me up when I first started using Tor and Privoxy.  I thought
>>someone was hacking my machine :-)
>>
>>The really puzzling thing about this situation is that at least some of
>>the messages concerning the Onion protocol are getting through.  I can
>>ask for www.google.com and sometimes it resolves to Google in Europe,
>>sometimes to Google in Asia, and sometimes to Google here in the US.
>>Ipfw appears to be only dropping some of the packets.
>>
>>Perhaps I should set up another machine to sniff the packets that
>>occur.  Maybe that would give me an idea of what is happening with the
>>Onion protocol.
>>
>>In any event, thanks for your input to my problem, and if you have any
>>other ideas I would appreciate them very much.  I've been chewing on
>>this problem the better part of a week.
>>
>>Thanks,
>>
>>Jim
>
>check the output of
>#ipfw show
>and make sure the check-state line is there.
>
>Your config says-
>$cmd 00015 check-state
>
>and I think..(at least on a 5.4 machine)
>it should say
>
>$cmd 00015 add check-state
>

Dave,

#ipfw show does show that check-state is there

I am using a 4.11 machine and $cmd = "ipfw -q add"

The command "#ipfw -a list" shows that there are many replies for each
outbound packet to port 9001.

I suppose that I should just let things be since the Tor service is
working satisfactorily and I sure have learned a lot about firewalls
while chasing this.  And that is the whole point of my effort with FBSD.

Many thanks to all who have assisted me in this endeavor.

Jim
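As an added illustration (not code from this thread or from FreeBSD), here is a small Python model of how ipfw walks the four rules quoted above with a dynamic-rule table: a session passes under check-state while its keep-state entry is alive, and once the entry has expired an outbound data packet falls through to rule 299 and the peer's reply to rule 332, the pairing seen in Jim's log for the 192.168.1.110:2218 / 128.148.34.133:9001 session. The idle timeout is modelled on ipfw's net.inet.ip.fw.dyn_ack_lifetime sysctl; the 300 s value, the packet timestamps and the SYN/ACK sequence are constructed assumptions, and the session key ignores protocol and TCP state details for brevity.

```python
from dataclasses import dataclass

ME = "192.168.1.110"
OR_PORTS = range(9001, 9034)   # the "9001-9033" range in rule 225
DYN_LIFETIME = 300             # idle seconds before a dynamic entry expires (assumed)

@dataclass(frozen=True)
class Pkt:
    t: int             # seconds since start (constructed timestamps)
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "out" or "in" via $pif
    syn: bool = False  # True only for the opening SYN (what ipfw's "setup" matches)

class Ipfw:
    # Toy evaluator for rules 00015, 00225, 00299 and 00332 from the thread.
    def __init__(self):
        self.dyn = {}  # session key -> time the dynamic entry was last refreshed

    def evaluate(self, p):
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})  # same key both ways
        last = self.dyn.get(key)
        if last is not None:                          # rule 00015 check-state
            if p.t - last <= DYN_LIFETIME:
                self.dyn[key] = p.t                   # matching traffic refreshes it
                return (15, "allow")
            del self.dyn[key]                         # idle too long: entry is gone
        if p.direction == "out" and p.src == ME and p.dport in OR_PORTS and p.syn:
            self.dyn[key] = p.t                       # rule 00225 ... setup keep-state
            return (225, "allow")
        if p.direction == "out" and p.src == ME:      # rule 00299 deny all from me out
            return (299, "deny")
        if p.direction == "in" and p.dst == ME and not p.syn:  # rule 00332 established in
            return (332, "deny")
        return (65535, "deny")                        # implicit default deny

def replay(packets):
    # Return (time, direction, rule, action) for each packet, in order.
    fw = Ipfw()
    return [(p.t, p.direction) + fw.evaluate(p) for p in packets]

# Constructed packets for the session 192.168.1.110:2218 <-> 128.148.34.133:9001
PEER = "128.148.34.133"
SESSION = [
    Pkt(0, ME, 2218, PEER, 9001, "out", syn=True),  # SYN: rule 225 creates the entry
    Pkt(1, PEER, 9001, ME, 2218, "in"),             # SYN/ACK: passes via check-state
    Pkt(2, ME, 2218, PEER, 9001, "out"),            # data: still passes via check-state
    Pkt(400, ME, 2218, PEER, 9001, "out"),          # idle > DYN_LIFETIME: denied by 299
    Pkt(420, PEER, 9001, ME, 2218, "in"),           # peer's reply: denied by 332
]
```

Running `replay(SESSION)` shows the first three packets accepted by rules 225, 15 and 15 and the last two denied by 299 and 332, which is the defender's cue to check dynamic-rule lifetimes (`sysctl net.inet.ip.fw`) and `ipfw -d show` for expired entries before assuming the rules themselves are wrong.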
