continued IPFW issues... (actually a lack of ability on my part)
Jez Hancock
jez.hancock at munk.nu
Sat Feb 14 15:36:18 PST 2004
On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
> I'm still having some sort of issues with ipfw rules on my server. I've got a
> cgi based irc client installed, and I can't connect. Also, it seems as if my
> DNS server isn't able to send queries out. An ipfw show displays the
> following for me:
>
> 00050 54632 4640473 allow ip from me to any
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 4027 351563 allow ip from 63.228.14.240/29 to me
> 00500 2 80 allow ip from any to me dst-port 22
> 00600 2 80 allow ip from any to me dst-port 21
> 00700 388 25405 allow ip from any to me dst-port 25
> 00800 58 4944 allow ip from any to me dst-port 80
> 00900 2 80 allow ip from any to me dst-port 443
> 01000 2 80 allow ip from any to me dst-port 110
> 01100 54 4247 allow ip from any to me dst-port 53
> 01200 2 80 allow ip from any to me dst-port 6667
> 01300 2 80 allow ip from any to me dst-port 6668
> 01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080
> 65535 46432 7224466 deny ip from any to any
>
> Where is all that denied traffic coming from on the final rule?
You are only allowing traffic in and not out - as Matthew Seaman
mentioned in the last post in your previous thread, you should use
'keep-state' to keep track of the connections made to you. See the
examples he provided in that thread.
>From the manpage for ipfw:
check-state
Checks the packet against the dynamic ruleset. If a match is
found, execute the action associated with the rule which gener-
ated this dynamic rule, otherwise move to the next rule.
Check-state rules do not have a body. If no check-state rule is
found, the dynamic ruleset is checked at the first keep-state or
limit rule.
...
keep-state
Upon a match, the firewall will create a dynamic rule, whose
default behaviour is to match bidirectional traffic between
source and destination IP/port using the same protocol. The rule
has a limited lifetime (controlled by a set of sysctl(8) vari-
ables), and the lifetime is refreshed every time a matching
packet is found.
When a connection is made to port 80 from an external host, with the
'keep-state' flag set on your rule for port 80 data transfer will be
allowed in both directions to/from the external host to/from you on port
80 for a limited period. The check-state rule effectively 'shortcuts'
the rest of the rules in the ruleset if a match is made for the external
host for the given action (inbound connections to port 80 in this case).
You'd need to do the same for each of the other ports you want to allow
free connections to/from.
--
Jez Hancock
- System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - Another FreeBSD Diary
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
More information about the freebsd-questions
mailing list