IPFW - Allowed but Denied is shown in my logs
Ian Smith
smithi at nimnet.asn.au
Wed Aug 4 11:27:39 PDT 2004
On Wed, 4 Aug 2004 freebsd-questions-request at freebsd.org wrote:
> Message: 11
> From: Srot BULL <pwd8jmr22w at me.point.ne.jp>
> > Giorgos Keramidas wrote:
> > Show us the full ruleset. Otherwise we're just guessing...
> >
> My apologies, below is my complete ruleset:
[..]
> #* Deny ident *#
> $CMD 00315 deny tcp from any to any in via $IFN
I think perhaps you meant:
$CMD 00315 deny tcp from any to any 113 in via $IFN
as yours denied all remaining TCP, making some rules below irrelevant,
including allows for www, ssh etc if you ever wanted to enable these.
You'd also likely do better using reset rather than deny - assuming this
rule really was meant to block ident - to avoid timeout delays on mail.
> #* Deny all Netbios service. 137=name, 138=datagram, 139=session *#
> #* Netbios is MS/Windows sharing services. *#
> #* Block MS/Windows hosts2 name server requests 81 *#
> $CMD 00320 deny tcp from any to any 137 in via $IFN
> $CMD 00321 deny tcp from any to any 138 in via $IFN
> $CMD 00322 deny tcp from any to any 139 in via $IFN
> $CMD 00323 deny tcp from any to any 81 in via $IFN
None of these or any other tcp .. in via $IFN rules below are ever seen.
[..]
> #* Deny ACK packets that did not match the dynamic rule table *#
> $CMD 00332 deny tcp from any to any established in via $IFN
That rule is also not seen ..
[..]
> #* Reject & Log all incoming connections from the outside *#
> $CMD 00499 deny log all from any to any in via $IFN
.. nor that one, for TCP packets ..
> My basis for my rulesets are taken from:
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/
Cheers, Ian
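To make the shadowing concrete, here is an added first-match simulation of the quoted rules (example code, not part of the original thread, and not real ipfw): it models only "deny/reset/allow tcp|all ... [port] in via $IFN" well enough to show which rule each inbound packet hits with rule 00315 as posted versus with the port 113 fix.

```python
# Added example: minimal first-match simulator for the quoted IPFW rules.
# Rule numbers, ports and actions come from the thread; the simulator is
# a constructed model, not ipfw itself (ipfw evaluates rules in number order
# and stops at the first match, which is what this reproduces).
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    number: int
    action: str              # "deny", "reset" or "allow"
    proto: str               # "tcp" or "all"
    dst_port: Optional[int]  # None means any destination port
    log: bool = False

def first_match(rules: List[Rule], proto: str, dst_port: int) -> Optional[Rule]:
    """Return the lowest-numbered rule matching an inbound packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in (proto, "all"):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule
    return None

def ruleset(ident_rule: Rule) -> List[Rule]:
    """The quoted ruleset skeleton with rule 00315 supplied by the caller."""
    return [
        ident_rule,
        Rule(320, "deny", "tcp", 137),          # netbios name
        Rule(321, "deny", "tcp", 138),          # netbios datagram
        Rule(322, "deny", "tcp", 139),          # netbios session
        Rule(323, "deny", "tcp", 81),           # hosts2 name server
        Rule(499, "deny", "all", None, log=True),  # catch-all, logged
    ]

AS_POSTED = ruleset(Rule(315, "deny", "tcp", None))  # no port: eats all TCP
AS_FIXED = ruleset(Rule(315, "reset", "tcp", 113))   # ident only, reset not deny

def hit(rules: List[Rule], proto: str, port: int) -> Optional[int]:
    """Number of the rule an inbound packet to `port` actually hits."""
    m = first_match(rules, proto, port)
    return m.number if m else None

def shadowed(rules: List[Rule]) -> List[int]:
    """Port-specific rules that a packet to their own port can never reach."""
    return [r.number for r in rules
            if r.dst_port is not None and hit(rules, r.proto, r.dst_port) != r.number]

if __name__ == "__main__":
    for name, rs in (("as posted", AS_POSTED), ("as fixed", AS_FIXED)):
        print(name, "tcp/139 ->", hit(rs, "tcp", 139), "tcp/80 ->", hit(rs, "tcp", 80),
              "udp/53 ->", hit(rs, "udp", 53), "shadowed:", shadowed(rs))
```

With the rule as posted, every inbound TCP packet stops at 00315, so 00320-00323 are unreachable and the logging rule 00499 only ever sees non-TCP traffic; with port 113 added, the netbios rules fire and unmatched TCP reaches 00499 and gets logged.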