IPFW - Allowed but Denied is shown in my logs
Giorgos Keramidas
keramida at ceid.upatras.gr
Wed Aug 4 05:05:37 PDT 2004
On 2004-08-04 20:31, Srot BULL <pwd8jmr22w at me.point.ne.jp> wrote:
>>On 2004-08-04 17:13, Srot BULL <pwd8jmr22w at me.point.ne.jp> wrote:
>>>Why are the above firewall logs telling me that it has denied my TCP
>>>packets and yet I am not experiencing some problems in my emails and
>>>access to the internet through port 80. [...]
>>
>> Giorgos Keramidas wrote:
>> Show us the full ruleset. Otherwise we're just guessing...
> # Flush out EVERYTHING first before starting
> ipfw -q -f flush
> CMD="ipfw -q add"
> IFN="rl0"
> $CMD 00010 allow all from any to any via lo0
> $CMD 00015 check-state
> $CMD 00099 allow tcp from any to any 6088 out via $IFN setup keep-state
> $CMD 00110 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
> $CMD 00111 allow udp from any to x.x.x.x 53 out via $IFN keep-state
> $CMD 00112 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
> $CMD 00113 allow udp from any to x.x.x.x 53 out via $IFN keep-state
> $CMD 00114 allow tcp from any to x.x.x.x 53 out via $IFN setup keep-state
> $CMD 00115 allow udp from any to x.x.x.x 53 out via $IFN keep-state
> $CMD 00120 allow udp from any to x.x.x.x 67 out via $IFN keep-state
> $CMD 00200 allow tcp from any to any 80 out via $IFN setup keep-state
> $CMD 00201 allow tcp from any to any 2628 out via $IFN setup keep-state
> $CMD 00202 allow tcp from any to any 1863 out via $IFN setup keep-state
> $CMD 00203 allow udp from any to any 1863 out via $IFN setup keep-state
> $CMD 00220 allow tcp from any to any 443 out via $IFN setup keep-state
> $CMD 00230 allow tcp from any to any 25 out via $IFN setup keep-state
> $CMD 00231 allow tcp from any to any 110 out via $IFN setup keep-state
> $CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root
Hmm. I'm not sure if this is a good idea, but it's unrelated to the
denied packets you're seeing :-/
> $CMD 00250 allow icmp from any to any out via $IFN keep-state
> $CMD 00260 allow tcp from any to any 37 out via $IFN setup keep-state
> $CMD 00270 allow tcp from any to any 119 out via $IFN setup keep-state
> $CMD 00280 allow tcp from any to any 22 out via $IFN setup keep-state
> $CMD 00290 allow tcp from any to any 43 out via $IFN setup keep-state
> $CMD 00299 deny log all from any to any out via $IFN
> $CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
> $CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
> $CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN
You might want to also deny incoming packets from these addresses, or fall
back to the default firewall rule -- whatever that rule is ("deny log all"
in your case).
> $CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN
Hmmm, what is this address block supposed to be here for?
> #reserved for doc's#
> $CMD 00307 deny all from 204.152.64.0/23 to any in via $IFN
And this one?
> #* Deny ident *#
> $CMD 00315 deny tcp from any to any in via $IFN
A better approach that will avoid forcing everyone to wait until their
connections time out is to reply with an RST packet, which is the standard
way TCP would reply if no auth/ident service was running at all.
> #* Deny any late arriving packets *#
> $CMD 00330 deny all from any to any frag in via $IFN
Fragments are not late-arriving packets ;-)
> #* Reject & Log all incoming connections from the outside *#
> $CMD 00499 deny log all from any to any in via $IFN
This one is redundant, since it will only do the same as the one below:
> # Everything else is denied by default
> # DENY and LOG all packets that fell through to see what they are
> $CMD 00999 deny log all from any to any
> My basis for my rulesets are taken from:
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/
AFAIK, the author of the page is a reader of the list too. I can't find
anything wrong with the syntax of your rules. The only weird thing I noticed
were the two hard-wired address blocks I mentioned above. Perhaps the author
of the initial ruleset can help you more ;)
- Giorgos
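To see which rules are producing the logged denies (the question that opened the thread), a small triage script over ipfw's log lines; this is an added example, not part of the thread or of the referenced ruleset, and the log lines, host name and addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the format ipfw's "log"
# keyword writes to /var/log/security on FreeBSD; addresses are documentation ranges.
SAMPLE_LOG = """\
Aug  4 05:01:12 gw kernel: ipfw: 499 Deny TCP 203.0.113.5:4321 192.0.2.10:113 in via rl0
Aug  4 05:01:13 gw kernel: ipfw: 499 Deny TCP 203.0.113.5:4322 192.0.2.10:113 in via rl0
Aug  4 05:02:40 gw kernel: ipfw: 499 Deny TCP 198.51.100.7:51337 192.0.2.10:445 in via rl0
Aug  4 05:03:02 gw kernel: ipfw: 299 Deny UDP 192.0.2.10:1027 192.0.2.1:123 out via rl0
Aug  4 05:03:30 gw kernel: ipfw: 999 Deny ICMP:8.0 198.51.100.9 192.0.2.10 in via rl0
Aug  4 05:04:00 gw kernel: ipfw: 200 Accept TCP 192.0.2.10:2048 198.51.100.2:80 out via rl0
"""

# One record per ipfw log line: rule number, action, protocol, endpoints, direction.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_line(line):
    """Return a dict for an ipfw log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for key in ("sport", "dport"):  # ICMP lines carry no port numbers
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def deny_counts(log_text):
    """Count denied packets per (rule, direction, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny":
            counts[(rec["rule"], rec["dir"], rec["proto"], rec["dport"])] += 1
    return counts

def classify_denies(log_text):
    """Split denies into unsolicited inbound packets (which do not affect the
    host's own sessions) and outbound ones (which would break local programs)."""
    result = {"inbound_unsolicited": 0, "outbound_blocked": 0}
    for key, n in deny_counts(log_text).items():
        result["outbound_blocked" if key[1] == "out" else "inbound_unsolicited"] += n
    return result
```

Run it against `/var/log/security`: a large inbound count on rule 499 or 999 with a small or zero outbound count is exactly the "denied but nothing is broken" picture described above, and the per-port breakdown shows which probes (ident on 113, for instance) are being logged.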