ipfw entries

Jason Cox cscoman at gmail.com
Tue Apr 14 12:42:08 UTC 2015


I do not see a rule that would allow the traffic. Can you say which rule
number you think should allow it? The only thing close is 2500, but it only
applies to TCP traffic, not your UDP traffic. 2600 applies to UDP, but only
for port 513, not port 525.

On Mon, Apr 13, 2015 at 9:32 AM, William A. Mahaffey III <wam at hiwaay.net>
wrote:

>
>
> I started using timed on my network to keep various *BSD machines
> time-coordinated, NTP for the Linux boxen. I have a RPiB+ running NetBSD-7
> as my time server, running ntpd & 'timed -F <itself>'. This box is the only
> other BSD box for now, but more to come. I am seeing the following in my
> messages file (from earlier this A.M.):
>
>
> [root@kabini1, /etc, 8:03:32am] 344 % tail -20 /var/log/security ; date
> Apr 13 07:44:08 kabini1 last message repeated 4 times
> Apr 13 07:44:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 07:46:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 07:46:09 kabini1 last message repeated 3 times
> Apr 13 07:48:07 kabini1 last message repeated 4 times
> Apr 13 07:48:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 07:50:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 07:50:08 kabini1 last message repeated 3 times
> Apr 13 07:52:09 kabini1 last message repeated 4 times
> Apr 13 07:52:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 07:54:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 07:54:07 kabini1 last message repeated 3 times
> Apr 13 07:56:09 kabini1 last message repeated 4 times
> Apr 13 07:56:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 07:58:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 07:58:09 kabini1 last message repeated 3 times
> Apr 13 08:00:07 kabini1 last message repeated 4 times
> Apr 13 08:00:46 kabini1 kernel: ipfw: 65500 Deny UDP 192.168.0.1:525 192.168.0.255:525 in via re0
> Apr 13 08:02:01 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
> Apr 13 08:02:08 kabini1 last message repeated 3 times
> Mon Apr 13 08:03:35 CDT 2015
> [root@kabini1, /etc, 8:03:35am] 345 %
>
>
> I thought I had ipfw rules to allow this traffic, but apparently not. My
> rules are:
>
> [root@kabini1, /etc, 11:30:31am] 336 % ipfw show
> 00100   851096  1539836796 allow ip from any to any via lo0
> 00200        0           0 deny ip from any to 127.0.0.0/8
> 00300        0           0 deny ip from 127.0.0.0/8 to any
> 00400        0           0 deny ip from any to ::1
> 00500        0           0 deny ip from ::1 to any
> 00600        0           0 allow ipv6-icmp from :: to ff02::/16
> 00700        0           0 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800        2         152 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900        0           0 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000        0           0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 01100        0           0 check-state
> 01200 14122906 19461418543 allow tcp from me to any established
> 01300  1112427  1007602974 allow tcp from me to any setup keep-state
> 01400    33508     3756508 allow udp from me to any keep-state
> 01500      124       11672 allow icmp from me to any keep-state
> 01600        0           0 allow ipv6-icmp from me to any keep-state
> 01700        0           0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
> 01800        0           0 allow udp from any 67 to me dst-port 68 in
> 01900        0           0 allow udp from any 67 to 255.255.255.255 dst-port 68 in
> 02000        0           0 allow udp from fe80::/10 to me dst-port 546 in
> 02100        4         400 allow icmp from any to any icmptypes 8
> 02200        0           0 allow ipv6-icmp from any to any ip6 icmp6types 128,129
> 02300     5290      296240 allow icmp from any to any icmptypes 3,4,11
> 02400        0           0 allow ipv6-icmp from any to any ip6 icmp6types 3
> 02500  7902577   596794526 allow tcp from 192.168.0.0/24 to me
> 02600     1303      333232 allow udp from 192.168.0.0/24 513 to 192.168.0.0/24 dst-port 513
> 65000     9223     1641961 count ip from any to any
> 65100      758      173995 deny { tcp or udp } from any to any dst-port 111,137,138 in
> 65200     2983      996998 deny { tcp or udp } from 192.168.0.0/24 to me
> 65300        0           0 deny ip from any to 255.255.255.255
> 65400        0           0 deny ip from any to 224.0.0.0/24 in
> 65500        0           0 deny udp from any to any dst-port 520 in
> 65500        0           0 deny tcp from any 80,443 to any dst-port 1024-65535 in
> 65500     5482      470968 deny log logamount 50000 ip from any to any
> 65535        0           0 deny ip from any to any
> [root@kabini1, /etc, 11:30:56am] 337 % uname -a
> FreeBSD kabini1.local 9.3-RELEASE-p10 FreeBSD 9.3-RELEASE-p10 #0: Tue Feb 24 21:28:03 UTC 2015 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
> [root@kabini1, /etc, 11:31:34am] 338 %
>
>
> Any clues appreciated & TIA ....
>
> --
>
>         William A. Mahaffey III
>
>  ----------------------------------------------------------------------
>
>         "The M1 Garand is without doubt the finest implement of war
>          ever devised by man."
>                            -- Gen. George S. Patton Jr.
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-
> unsubscribe at freebsd.org"
>



-- 
Jason Cox
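The reply above boils down to walking the quoted rule list top to bottom, in the order ipfw(8) does, for the two packets in the log. The script below is an added worked example, not code from either poster: it models the IPv4, stateless subset of the options used in the quoted `ipfw show` output (protocol, src/dst address, ports, in/out, via) and walks each logged packet through it. It leaves out check-state/keep-state dynamic rules, the TCP `established`/`setup` options and the IPv6 rules, so it is an approximation of the real engine. It assumes kabini1's own IPv4 address is 192.168.0.27 (the source of the logged outbound IGMP, which is what `me` matches), and the candidate rule 2650 that admits timed's UDP/525 broadcasts is an assumption added for illustration, not something either poster wrote.

```python
"""Static first-match walk of an ipfw rule list (simplified model of ipfw(8))."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: kabini1's own IPv4 address is 192.168.0.27, the source of the logged
# outbound IGMP report. ipfw's "me" matches addresses configured on the host's
# interfaces; a subnet broadcast such as 192.168.0.255 is not "me".
ME = {"192.168.0.27"}
LAN = "192.168.0.0/24"

@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp" or a protocol number as text ("2" = IGMP)
    src: str
    dst: str
    direction: str                  # "in" or "out"
    iface: str = "re0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmptype: Optional[int] = None

@dataclass
class Rule:
    number: int
    action: str                     # "allow", "deny" or "count"
    proto: set                      # {"ip"} matches every protocol; {"tcp","udp"} is "{ tcp or udp }"
    src: str = "any"                # "any", "me", or a CIDR / host address
    dst: str = "any"
    sports: Optional[set] = None    # None = any port
    dports: Optional[set] = None
    direction: Optional[str] = None
    iface: Optional[str] = None     # "via <ifname>"
    icmptypes: Optional[set] = None
    log: bool = False

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r: Rule, p: Packet) -> bool:
    """Every option on a rule must match; an unset option matches anything."""
    if "ip" not in r.proto and p.proto not in r.proto:
        return False
    if not addr_match(r.src, p.src) or not addr_match(r.dst, p.dst):
        return False
    if r.sports is not None and p.sport not in r.sports:
        return False
    if r.dports is not None and p.dport not in r.dports:
        return False
    if r.direction and r.direction != p.direction:
        return False
    if r.iface and r.iface != p.iface:
        return False
    if r.icmptypes is not None and p.icmptype not in r.icmptypes:
        return False
    return True

def walk(rules, p: Packet):
    """Return (rule numbers that matched, (number, action) of the terminating rule)."""
    hits = []
    for r in sorted(rules, key=lambda r: r.number):   # stable, so equal numbers keep list order
        if rule_matches(r, p):
            hits.append(r.number)
            if r.action != "count":                    # count does not stop the search
                return hits, (r.number, r.action)
    raise RuntimeError("no terminating rule; 65535 should always match")

def verdict(p: Packet, rules=None):
    return walk(RULES if rules is None else rules, p)[1]

# The IPv4 stateless subset of the quoted 'ipfw show' output (dynamic-state and TCP-flag options dropped).
RULES = [
    Rule(100, "allow", {"ip"}, iface="lo0"),
    Rule(200, "deny", {"ip"}, dst="127.0.0.0/8"),
    Rule(300, "deny", {"ip"}, src="127.0.0.0/8"),
    Rule(1400, "allow", {"udp"}, src="me"),
    Rule(1700, "allow", {"udp"}, src="0.0.0.0/32", dst="255.255.255.255/32", sports={68}, dports={67}, direction="out"),
    Rule(1800, "allow", {"udp"}, dst="me", sports={67}, dports={68}, direction="in"),
    Rule(1900, "allow", {"udp"}, dst="255.255.255.255/32", sports={67}, dports={68}, direction="in"),
    Rule(2100, "allow", {"icmp"}, icmptypes={8}),
    Rule(2300, "allow", {"icmp"}, icmptypes={3, 4, 11}),
    Rule(2500, "allow", {"tcp"}, src=LAN, dst="me"),
    Rule(2600, "allow", {"udp"}, src=LAN, dst=LAN, sports={513}, dports={513}),
    Rule(65000, "count", {"ip"}),
    Rule(65100, "deny", {"tcp", "udp"}, dports={111, 137, 138}, direction="in"),
    Rule(65200, "deny", {"tcp", "udp"}, src=LAN, dst="me"),
    Rule(65300, "deny", {"ip"}, dst="255.255.255.255/32"),
    Rule(65400, "deny", {"ip"}, dst="224.0.0.0/24", direction="in"),
    Rule(65500, "deny", {"udp"}, dports={520}, direction="in"),
    Rule(65500, "deny", {"tcp"}, sports={80, 443}, dports=set(range(1024, 65536)), direction="in"),
    Rule(65500, "deny", {"ip"}, log=True),
    Rule(65535, "deny", {"ip"}),
]

# The two packets from the quoted /var/log/security lines.
TIMED_BCAST = Packet("udp", "192.168.0.1", "192.168.0.255", "in", sport=525, dport=525)
IGMP_REPORT = Packet("2", "192.168.0.27", "224.0.0.22", "out")

# Assumption (illustrative, not from the thread): a rule admitting timed's UDP/525
# broadcasts from the LAN, numbered so it sits after 2600 and before the deny block.
TIMED_RULE = Rule(2650, "allow", {"udp"}, src=LAN, dst="192.168.0.255/32",
                  sports={525}, dports={525}, direction="in", iface="re0")

if __name__ == "__main__":
    for name, p in (("timed broadcast", TIMED_BCAST), ("IGMP report", IGMP_REPORT)):
        hits, (num, act) = walk(RULES, p)
        print(f"{name}: matched {hits} -> {num} {act}")
    print("timed broadcast with 2650 added:", verdict(TIMED_BCAST, RULES + [TIMED_RULE]))
```

Walking the timed broadcast shows exactly what the reply says: 2500 fails on protocol, 2600 fails on port, 65200 does not fire because the subnet broadcast is not `me`, and the only matches are the `count` rule 65000 and the logging `deny` at 65500. The outbound IGMP report to 224.0.0.22 misses 65400 only because that rule is restricted to `in`, and lands on the same 65500. The stateful rules 1300 to 1500 do not help here either, since a dynamic entry created by kabini1's own UDP traffic is keyed on the unicast peer address, not on the broadcast address the master sends to.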

