Re: IPFW: Blocking me out. How to debug?



W. D. wrote:
> How do I tell which rule is blocking me out? SSH *is* working,
> but others are not.

It all depends on what you mean by "blocking you out" and "others".


Did you try *reading* your fw config?

> # Loopback:
> # Allow anything on the local loopback:
> add allow all from any to any via lo0
> add deny ip from any to 127.0.0.0/8
> add deny ip from 127.0.0.0/8 to any
Nope.
> # Allow established connections:
> add allow tcp from any to any established
Nope.
> # Deny fragmented packets:
> add deny ip from any to any frag
Nope.
> # Show pings:
> add count icmp from any to any icmptypes 8 in
Nope.
> # Allow pings, ping replies, and host unreach:
> add allow icmp from any to any icmptypes 0,8,3
Nope.
> # Allow UDP traceroutes:
> add allow udp from any to any 33434-34458 in
> add allow udp from any 33434-34458 to any out
Nope.
> # Allow DNS with name server
> add allow udp from any to any domain out
> add allow udp from any domain to any in
Nope.
> # SSH
> # Note that /etc/hosts.allow has restrictions
> # on which IP addresses are allowed.
> #
> # Allow SSH:
> add allow tcp from any to any ssh in setup
Nope, but this explains SSH working.
> # HTTP & HTTPS:
> add allow tcp from any to any https in setup
> add allow tcp from any to any http in setup
Nope.
> # Mail: SMTP & IMAP:
> add allow tcp from any to any smtp in setup
> add allow tcp from any to any imap in setup
Nope.
> # FTP:
> add allow tcp from any to any ftp in setup
> add allow tcp from any to any ftp-data in setup
> add allow tcp from any ftp-data to any setup out
Nope.
> # Allow NTP in and out
> add allow udp from any ntp to 128.252.19.1 ntp out
> add allow udp from 128.252.19.1 ntp to any ntp in
Nope.
> # Deny and log everything else:
> add deny log all from any to any
Bingo!


"ipfw -a list" may also help (packet counts).


> In the kernel config file, is a limit of 10 too small?

You tell us.
http://www.defcon1.org/html/NATD-config/firewall-setup/ipfw-2.html


--
Tuomo

... She's dead, Jim. Should we bury her or have some fun?

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


