Re: IPFW: Blocking me out. How to debug?
- From: Tuomo Latto <djv@xxxxxx>
- Date: Thu, 20 Dec 2007 12:38:12 +0200
W. D. wrote:
> At 03:49 12/17/2007, Tuomo Latto wrote:
> > W. D. wrote:
> > > How do I tell which rule is blocking me out? SSH *is* working,
> > > but others are not.
> > It all depends on what you mean by "blocking you out" and "others".
>
> I've been banging my head against this for the past few
> days. I don't get it.

To be fair, you never actually said what exactly your problem is
or what it is you are trying to achieve.
That makes it very difficult to help.

> My understanding of the way this is supposed to work is
> that:
>
> # HTTP & HTTPS:
> add allow tcp from any to any https in setup
> add allow tcp from any to any http in setup
>
> should let initial HTTP & HTTPS requests through,

Yes, *into* your box. On to the lap of a listening server there.

> and that:
>
> # Allow established connections:
> add allow tcp from any to any established
>
> should allow connections that are "setup" to
> continue. Do I need a "check-state" or "keep-state"
> statement somewhere?

Not for TCP. TCP state can be deduced from the status bits in packets.
The TCP stack will take care of any false "established" packets.

"setup  Matches TCP packets that have the SYN bit set but no ACK bit.
This is the short form of ``tcpflags syn,!ack''."

> I don't understand what is wrong with the last rule:
>
> # Deny and log everything else:
> add deny log all from any to any
>
> My understanding is that anything that doesn't match
> the previous rules will match this one and hence
> be logged and denied. Is this not correct?

Yes. It blocks everything else.
There is nothing wrong with it.
See /var/log/security for logged packets.

The problem is that the allow rules are not working as you would expect.
You could see if dropping out the "in setup" in HTTP/HTTPS rules makes any
difference. But seriously, I don't know what you are *trying* to do,
I only see what you are *doing*, so it is difficult to say anything.

Just so you know, I'm hardly an expert myself.
--
Tuomo
... When in doubt, mumble..
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
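The thread turns on how ipfw walks a ruleset: first match wins, `setup` means `tcpflags syn,!ack`, `established` matches packets with ACK (or RST) set, and whatever reaches the final `deny log` line is dropped and written to /var/log/security. The simulator below is an added illustration for this thread, not ipfw code and not anything the posters ran; it models only the four rules quoted in the message (the poster's full ruleset evidently has more, since SSH works for him) and the handful of keywords they use, and the sample packets are constructed. Feeding a packet through `explain()` shows which rule it lands on, which is the question the original poster asked.

```python
"""First-match walk over the ipfw rules quoted in the thread (added example).

Only the keywords in the quoted rules are modelled: proto (tcp / all),
"from any to any", a destination port name, "in", "setup", "established",
and "deny log". Rule numbers are assigned here for reference only.
"""
from dataclasses import dataclass

# Constructed rule numbers; the quoted rules had none.
RULESET = [
    (100, "allow tcp from any to any https in setup"),
    (200, "allow tcp from any to any http in setup"),
    (300, "allow tcp from any to any established"),
    (65000, "deny log all from any to any"),
]

SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}
OPTION_WORDS = {"in", "out", "setup", "established"}


@dataclass
class Packet:
    proto: str       # "tcp", "udp", ...
    direction: str   # "in" (arriving at the box) or "out" (leaving it)
    dport: int       # destination port
    flags: set       # TCP flag names present, e.g. {"syn"}, {"syn", "ack"}


def parse(rule_text):
    """Split one rule into (action, logged, proto, dport-or-None, options)."""
    words = rule_text.split()
    action, i = words[0], 1
    logged = words[i] == "log"
    if logged:
        i += 1
    proto = words[i]
    rest = words[i + 1:]
    assert rest[:4] == ["from", "any", "to", "any"], rule_text
    rest = rest[4:]
    dport = None
    if rest and rest[0] not in OPTION_WORDS:
        dport = SERVICE_PORTS.get(rest[0]) or int(rest[0])
        rest = rest[1:]
    return action, logged, proto, dport, rest


def matches(rule_text, pkt):
    action, logged, proto, dport, options = parse(rule_text)
    if proto != "all" and proto != pkt.proto:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    for opt in options:
        if opt in ("in", "out") and pkt.direction != opt:
            return False
        if opt == "setup" and not ("syn" in pkt.flags and "ack" not in pkt.flags):
            return False                      # setup == tcpflags syn,!ack
        if opt == "established" and not (pkt.flags & {"ack", "rst"}):
            return False                      # established == ACK or RST set
    return True


def explain(pkt, ruleset=RULESET):
    """Walk the ruleset top to bottom; return the trace and the first hit."""
    trace = []
    for num, text in ruleset:
        hit = matches(text, pkt)
        trace.append((num, hit))
        if hit:
            action, logged, *_ = parse(text)
            return {"rule": num, "action": action, "logged": logged, "trace": trace}
    return {"rule": None, "action": "default", "logged": False, "trace": trace}


def first_rule(pkt):
    """Convenience: just the number of the rule that decided the packet."""
    return explain(pkt)["rule"]


if __name__ == "__main__":
    # Constructed sample packets covering the cases discussed in the thread.
    samples = {
        "inbound SYN to 443 (new HTTPS client)": Packet("tcp", "in", 443, {"syn"}),
        "inbound SYN to 80 (new HTTP client)": Packet("tcp", "in", 80, {"syn"}),
        "outbound SYN-ACK (server answering)": Packet("tcp", "out", 51234, {"syn", "ack"}),
        "inbound ACK to 80 (data on open conn)": Packet("tcp", "in", 80, {"ack"}),
        "outbound SYN to 80 (box opening a conn)": Packet("tcp", "out", 80, {"syn"}),
        "outbound UDP to 53 (DNS lookup)": Packet("udp", "out", 53, set()),
    }
    for label, pkt in samples.items():
        r = explain(pkt)
        note = " -> appears in /var/log/security" if r["logged"] else ""
        print(f"{label:42} rule {r['rule']:>5} {r['action']}{note}")
```

Reading the trace for the last two samples shows why "allow rules not working as expected" and the final deny rule are two sides of one coin: any packet that is neither an inbound SYN to 80/443 nor carries ACK/RST (an outbound connection attempt, any UDP) reaches rule 65000 and is what shows up in the security log.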