IPFW: Blocking me out. How to debug?
W. D.
WD at US-Webmasters.com
Sun Dec 16 22:51:44 PST 2007
How do I tell which rule is blocking me out? SSH *is* working,
but others are not.
###############################################################
# ipfw.rules
# ipfw firewall ruleset
# Location: /etc/ipfw.rules
# 2007 Dec 16 21:41
# By default, everything is denied access. You
# need to specifically allow something for it
# to work.
# Loopback:
# Allow anything on the local loopback:
add allow all from any to any via lo0
add deny ip from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
# Allow established connections:
add allow tcp from any to any established
# Deny fragmented packets:
add deny ip from any to any frag
# Show pings:
add count icmp from any to any icmptypes 8 in
# Allow pings, ping replies, and host unreach:
add allow icmp from any to any icmptypes 0,8,3
# Allow UDP traceroutes:
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out
# Allow DNS with name server
add allow udp from any to any domain out
add allow udp from any domain to any in
# SSH
# Note that /etc/hosts.allow has restrictions
# on which IP addresses are allowed.
#
# Allow SSH:
add allow tcp from any to any ssh in setup
# HTTP & HTTPS:
add allow tcp from any to any https in setup
add allow tcp from any to any http in setup
# Mail: SMTP & IMAP:
add allow tcp from any to any smtp in setup
add allow tcp from any to any imap in setup
# FTP:
add allow tcp from any to any ftp in setup
add allow tcp from any to any ftp-data in setup
add allow tcp from any ftp-data to any setup out
# Allow NTP in and out
add allow udp from any ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to any ntp in
# Deny and log everything else:
add deny log all from any to any
###############################################################
I tested the syntax using:
ipfw -n /etc/ipfw.rules
I've got logging working:
/etc/rc.conf:
Make certain you have an entry similar to:
# Log exceptions:
firewall_logging="YES"
/etc/syslog.conf:
# Log ipfw events to their own log file:
!ipfw
*.* /var/log/ipfw/ipfw.log
In the kernel config file, is a limit of 10 too small?
options IPFIREWALL # Required for IPFW
options IPFIREWALL_VERBOSE # Optional - logging
options IPFIREWALL_VERBOSE_LIMIT=10 # Optional - don't get too many log entries
options IPDIVERT # Needed for natd
Any help on this would be greatly appreciated.
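As an added example that is not part of the original post: alongside the per-rule packet counters from `ipfw show`, the log file configured above is the other place to look, and this small POSIX sh/awk helper tallies its Deny entries by rule number, protocol, direction, interface and destination port so the rule dropping a given service stands out. The sample log lines are constructed; the rule number 2500 and the interface em0 are assumptions, not values from the post.

```shell
#!/bin/sh
# Summarize ipfw "Deny" log lines (IPFIREWALL_VERBOSE format) by rule,
# protocol, direction, interface and destination port.
# A typical line looks like:
#   Dec 16 22:40:12 host kernel: ipfw: 2500 Deny TCP 203.0.113.7:50412 198.51.100.2:25 in via em0

write_sample_log() {
    # $1: output path. Constructed sample entries, not taken from the post.
    # Rule number 2500 and interface em0 are assumed values.
    cat > "$1" <<'EOF'
Dec 16 22:40:12 host kernel: ipfw: 2500 Deny TCP 203.0.113.7:50412 198.51.100.2:25 in via em0
Dec 16 22:40:15 host kernel: ipfw: 2500 Deny TCP 203.0.113.7:50413 198.51.100.2:25 in via em0
Dec 16 22:40:20 host kernel: ipfw: 2500 Deny TCP 198.51.100.2:49152 203.0.113.9:80 out via em0
Dec 16 22:40:22 host kernel: ipfw: 2500 Deny ICMP:11.0 203.0.113.7 198.51.100.2 in via em0
Dec 16 22:40:30 host kernel: ipfw: 2500 Deny TCP 203.0.113.7:50414 198.51.100.2:25 in via em0
Dec 16 22:40:31 host kernel: ipfw: 900 Accept TCP 203.0.113.7:50415 198.51.100.2:22 in via em0
EOF
}

summarize_denies() {
    # $1: path to an ipfw log file (e.g. /var/log/ipfw/ipfw.log).
    # Prints "<count> <rule> <proto> <dir> <iface> dport=<port>", busiest first.
    awk '
        /ipfw: [0-9]+ Deny/ {
            # Find the "ipfw:" token so the syslog prefix length does not matter.
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); proto = $(i+3); dst = $(i+5); dir = $(i+6); iface = $(i+8)
            dport = dst; sub(/^.*:/, "", dport)     # "198.51.100.2:25" -> "25"
            if (dst !~ /:/) dport = "-"             # ICMP entries carry no port
            key = rule " " proto " " dir " " iface " dport=" dport
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp)
write_sample_log "$tmp"
summarize_denies "$tmp"
rm -f "$tmp"
```

With IPFIREWALL_VERBOSE_LIMIT=10 each rule stops logging after ten entries until `ipfw resetlog` is run, so an empty summary does not prove nothing was dropped. Note also that in the ruleset above only `established` packets and the ftp-data rule match outgoing TCP, so an outgoing SYN from the host (like the constructed port 80 entry) reaches the final deny; this summary makes that kind of drop visible.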
More information about the freebsd-security mailing list