ipfw rules for all interfaces not working ...
Gore Jarold
gore_jarold at yahoo.com
Mon Dec 17 09:33:11 PST 2007
My main goal is to lock down my ipfw rules so that
when I run nmap, all I see is:
Interesting ports on 192.168.0.10:
Not shown: 1677 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:12:D8:A2:23:C2
Nmap finished: 1 IP address (1 host up) scanned in 9.791 seconds
So that means I will need to explicitly block all
ports except for the ones I have real servers running
on.
That's easy.
The problem is, this is a laptop and so sometimes iwi0
exists and sometimes it doesn't, and sometimes xl0
exists and sometimes it doesn't ... and that is why my
ipfw rules look like this:
00010 0 0 allow ip from any to any via lo0
00020 0 0 deny ip from any to 127.0.0.0/8
01000 18134 10505749 allow tcp from any to any established
04000 1498 84280 allow icmp from any to any
04001 27 1728 allow tcp from any to any dst-port 22 setup
04008 0 0 deny log logamount 100 ip from any to any recv all
65535 15202 2569754 allow ip from any to any
See - in rule 04008, I say to deny "ip from any to any
recv all" - so that no matter what interface(s) I have
up, and no matter what their addresses are, this one
deny rule will apply to them.
The problem is, it doesn't work.
As you can see, the counter on that rule is zero, and
when I nmap the system I can see things like samba and
http, etc., even though the only port I am allowing
through is TCP 22.
Why is this?
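The following is an added example, not part of the post above and not FreeBSD's ipfw code. It is a toy first-match simulator that replays a few constructed packets through a simplified copy of the ruleset in the post, once with the interface spec written as `recv all` and once as `recv any`. ipfw(8) documents `any` as the interface wildcard in `recv`/`xmit`/`via`; the simulator assumes, as a modelling choice, that any other bare word is treated as a literal interface name, so `all` matches only an interface actually called "all". The packet set, the `Packet`/`Rule` classes and the `run()` helper are all constructed here for illustration.

```python
"""Toy model of ipfw first-match rule evaluation (added example, not from the post).

Assumption modelled here: the interface spec after recv/xmit/via is either the
documented wildcard "any" or a literal interface name; "all" is not a wildcard.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                 # "tcp", "icmp" or "ip" (constructed sample traffic)
    dst: str                   # destination address
    dport: Optional[int]       # TCP destination port, None for non-TCP
    recv_if: str               # interface the packet arrived on (all samples are inbound)
    setup: bool = False        # TCP SYN without ACK, i.e. a new connection attempt
    established: bool = False  # TCP with ACK or RST set


@dataclass
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    proto: str                      # "ip" matches every protocol
    dst_net: Optional[str] = None   # only "127.0.0.0/8" is needed for this ruleset
    dport: Optional[int] = None
    setup: bool = False
    established: bool = False
    recv: Optional[str] = None      # interface spec: "any" or an interface name
    via: Optional[str] = None       # same; for inbound packets via == recv interface
    count: int = 0                  # packet counter, like the second column of ipfw show


def iface_matches(spec: str, name: str) -> bool:
    # "any" is the wildcard; anything else must equal the real interface name.
    return spec == "any" or spec == name


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_net == "127.0.0.0/8" and not pkt.dst.startswith("127."):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.setup and not pkt.setup:
        return False
    if rule.established and not pkt.established:
        return False
    if rule.recv is not None and not iface_matches(rule.recv, pkt.recv_if):
        return False
    if rule.via is not None and not iface_matches(rule.via, pkt.recv_if):
        return False
    return True


def build_ruleset(deny_iface_spec: str) -> list:
    """Simplified copy of the post's ruleset; only rule 4008's interface spec varies."""
    return [
        Rule(10, "allow", "ip", via="lo0"),
        Rule(20, "deny", "ip", dst_net="127.0.0.0/8"),
        Rule(1000, "allow", "tcp", established=True),
        Rule(4000, "allow", "icmp"),
        Rule(4001, "allow", "tcp", dport=22, setup=True),
        Rule(4008, "deny", "ip", recv=deny_iface_spec),
        Rule(65535, "allow", "ip"),  # default rule; accept, as on the poster's box
    ]


def evaluate(rules: list, pkt: Packet) -> tuple:
    """First matching rule wins: bump its counter and return (number, action)."""
    for r in rules:
        if rule_matches(r, pkt):
            r.count += 1
            return r.number, r.action
    raise RuntimeError("rule 65535 always matches")


# Constructed inbound packets resembling what a port scan and normal use produce.
SAMPLE = [
    Packet("tcp", "192.168.0.10", 22, "xl0", setup=True),          # ssh connect
    Packet("tcp", "192.168.0.10", 445, "xl0", setup=True),         # samba probe
    Packet("tcp", "192.168.0.10", 80, "iwi0", setup=True),         # http probe
    Packet("tcp", "192.168.0.10", 22, "xl0", established=True),    # ongoing ssh
    Packet("icmp", "192.168.0.10", None, "xl0"),                   # ping
    Packet("ip", "127.0.0.1", None, "lo0"),                        # loopback
]


def run(deny_iface_spec: str) -> tuple:
    """Return ([(rule, action) per packet], counter of rule 4008) for a fresh ruleset."""
    rules = build_ruleset(deny_iface_spec)
    verdicts = [evaluate(rules, p) for p in SAMPLE]
    deny_count = next(r.count for r in rules if r.number == 4008)
    return verdicts, deny_count


if __name__ == "__main__":
    for spec in ("all", "any"):
        verdicts, hits = run(spec)
        print(f"recv {spec}: rule 04008 matched {hits} packet(s)")
        for p, (num, act) in zip(SAMPLE, verdicts):
            print(f"  {p.proto:4} dport={p.dport} on {p.recv_if}: rule {num:05d} {act}")
```

With `recv all` the SYNs to 445 and 80 fall through every earlier rule, miss 4008 because no interface is named "all", and land on the default rule 65535, so the counter on 4008 stays at zero exactly as in the listing. With `recv any` the same two packets are denied by 4008 and its counter becomes 2; ssh, established traffic, ICMP and loopback are unaffected. The point for a laptop whose interfaces come and go is that the catch-all deny should not name an interface at all, or should use the documented wildcard, and that a zero counter on a rule is the first sign that its match clause never applies.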