ipfw question (FreeBSD 4.11)

Gerard Meijer gmeijer at palmweb.nl
Mon Jan 3 11:31:45 PST 2005


You are so the man!

That's it. You have no idea how long I've spent looking for this.

Thanks again!
----- Original Message ----- 
From: "Andras Kende" <andras at kende.com>
To: "'Gerard Meijer'" <gmeijer at palmweb.nl>; <freebsd-questions at freebsd.org>
Sent: Monday, January 03, 2005 7:59 PM
Subject: RE: ipfw question (FreeBSD 4.11)


>
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Gerard Meijer
> Sent: Monday, January 03, 2005 12:29 PM
> To: freebsd-questions at freebsd.org
> Subject: ipfw question (FreeBSD 4.11)
>
> I run apache webserver on my server with FreeBSD 4.11
>
> I have a question about ipfw. I have the following rules in my
> /etc/ipfw.conf:
>
> $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
> $cmd 00400 allow tcp from any to any 80 in via $pif setup keep-state
>
> (with $pif being my NIC) Now, everything works fine for me, but I get a lot
> (and I mean a lot) of this kind of message in my log:
>
> [Date] [time] [host] /kernel: ipfw: 299 Deny TCP a.b.c.d:80 e.f.g.h:4472 out via em0
> [Date] [time] [host] /kernel: ipfw: 499 Deny TCP e.f.g.h:1882 a.b.c.d:80 in via em0
>
> (with a.b.c.d being my IP and e.f.g.h being somebody else's IP).
>
> I guess these people are not surfing through port 80??? Correct me if I'm
> wrong. How can I change ipfw's rules so that these people aren't blocked
> anymore?
>
> Thanks in advance!
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
>
>
>
> Hello,
>
> I'm not 100% sure, but if I remember correctly you need to put "established"
> before the webserver rule:
>
> # Allow TCP through if setup succeeded:
> ${fwcmd} add pass tcp from any to any established
>
> # Allow setup of incoming http:
> ${fwcmd} add pass tcp from any to any 80 setup
>
>
>
>
> [Cc][Ll][Ii][Ee][Nn][Tt])
> ############
> # This is a prototype setup that will protect your system somewhat
> # against people from outside your own network.
> ############
>
> # set these to your network and netmask and ip
> ip="aaa.bbb.ccc.ddd"
>
> setup_loopback
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Allow setup of incoming services
> ${fwcmd} add pass tcp from any to ${ip} 21,22,25,53,80,110,143,443,993,10000 setup
>
> # Allow setup of PASV FTP
> ${fwcmd} add pass tcp from any to ${ip} 10001-10100 setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass log tcp from ${ip} to any setup
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny log tcp from any to any setup
>
> # Allow DNS queries
> ${fwcmd} add pass udp from any to any 53
> ${fwcmd} add pass udp from any 53 to any
>
> # Allow NTP
> ${fwcmd} add pass udp from any to any 123
>
> #ICMP
> ${fwcmd} add pass log icmp from any to any icmptypes 3,4,11,12
>
> # Everything else is denied by default, unless the
> # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
> # config file.
> ;;
>
>
> Best regards,
>
> Andras Kende
> http://www.kende.com
>
>
>
> 
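The advice in the reply comes down to how ipfw options match a TCP packet: `setup` matches only a packet with SYN set and ACK clear (a new connection), `established` matches a packet with ACK or RST set (anything after the handshake has begun), and `keep-state` creates a dynamic entry that later packets of the same flow are checked against at the first keep-state rule. The following is an added, constructed first-match model of those three options, written to illustrate the thread; it is not ipfw's code and not part of either message. It assumes that rules 299 and 499 (which appear only in the log lines above) are plain `deny tcp ... out` / `deny tcp ... in` rules, and it models a dynamic entry that lapses after 300 idle seconds so that the "reply after a long idle period" case can be shown.

```python
"""Toy first-match model of the ipfw options setup, established and
keep-state (constructed illustration, not ipfw's engine).

Assumptions: rules 299/499 are plain deny rules for the matching direction
(only their numbers appear in the log), and an idle dynamic entry lapses
after 300 seconds."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "in" or "out"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # "in", "out", or None for any
    dport: Optional[int] = None      # destination port, None for any
    setup: bool = False              # SYN set and ACK clear: a new connection
    established: bool = False        # ACK (or RST) set: not a connection setup
    keep_state: bool = False         # create a dynamic entry when matched

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.setup and not (p.syn and not p.ack):
            return False
        if self.established and not p.ack:
            return False
        return True


class Firewall:
    """First-match evaluation plus a dynamic (keep-state) table."""

    def __init__(self, rules, dyn_lifetime=300):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dyn_lifetime = dyn_lifetime  # modeled idle lifetime in seconds
        self.dynamic = {}                 # flow key -> expiry time

    @staticmethod
    def flow_key(p: Packet):
        # direction-agnostic key so replies hit the same entry as the SYN
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def evaluate(self, p: Packet, now: float):
        key = self.flow_key(p)
        state_checked = False
        for r in self.rules:
            # the dynamic table is consulted at the first keep-state rule
            # (or an explicit check-state), before that rule's own match
            if r.keep_state and not state_checked:
                state_checked = True
                expiry = self.dynamic.get(key)
                if expiry is not None and expiry > now:
                    self.dynamic[key] = now + self.dyn_lifetime
                    return "allow", "dynamic"
            if r.matches(p):
                if r.keep_state:
                    self.dynamic[key] = now + self.dyn_lifetime
                return r.action, r.number
        return "deny", 65535  # default-deny kernel


def questioner_rules():
    return [
        Rule(200, "allow", "out", 80, setup=True, keep_state=True),
        Rule(299, "deny", "out"),   # assumed body of the "299 Deny" rule
        Rule(400, "allow", "in", 80, setup=True, keep_state=True),
        Rule(499, "deny", "in"),    # assumed body of the "499 Deny" rule
    ]


def with_established():
    # the reply's fix: a pass-established rule placed before the setup rules
    return [Rule(100, "allow", established=True)] + questioner_rules()


def run_scenario(rules):
    """Replay a constructed HTTP flow; returns (action, rule) per step."""
    fw = Firewall(rules)
    server, client = "a.b.c.d", "e.f.g.h"
    syn_in = Packet(client, 4472, server, 80, "in", syn=True)
    reply_out = Packet(server, 80, client, 4472, "out", ack=True)
    data_in = Packet(client, 4472, server, 80, "in", ack=True)
    return {
        "syn_in@0": fw.evaluate(syn_in, 0),
        "reply_out@1": fw.evaluate(reply_out, 1),
        "reply_out@400": fw.evaluate(reply_out, 400),  # idle past the lifetime
        "data_in@401": fw.evaluate(data_in, 401),
    }


if __name__ == "__main__":
    for name, rules in (("questioner", questioner_rules()),
                        ("with established", with_established())):
        print(name, run_scenario(rules))
```

In the model, the questioner's rules accept the SYN at rule 400 and the immediate reply through the dynamic entry, but once the entry has lapsed the server's reply falls through to the out deny at 299 and the client's next packet to the in deny at 499, which is the shape of the log lines in the question. With the `established` rule in front, those mid-connection packets are accepted at rule 100 regardless of dynamic state. The caveat to keep in mind is that `established` tests only the TCP flags of each packet, not whether a handshake was ever seen, so it is the stateless pattern of the rc.firewall "client" profile quoted in the reply rather than a replacement for keep-state tracking.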


