ipfw uid/gid debugging, tcpdump relation with ipfw and how to block direct access to port 25

Andrey V. Elsukov bu7cher at yandex.ru
Sun Jul 8 09:45:33 UTC 2018


On 04.07.2018 15:28, supportsobaka--- via freebsd-ipfw wrote:
> Could you please explain whether tcpdump should see a packet dropped
> on ipfw?

tcpdump is not related to ipfw. ipfw(4) has the ability to send packets
that are matched by rules with the "log" opcode to the special ipfw0 pseudo
interface. This interface can be created at run-time. Then you can add
the "log" keyword to the deny rule and see such packets in `tcpdump -ni
ipfw0` output.

Simple example:

# ifconfig ipfw0 create
# ipfw add 1 deny log icmp from me to any
# ping 127.1
# tcpdump -ni ipfw0
12:21:19.222133 IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 64151,
seq 0, length 64
12:21:20.230762 IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 64151,
seq 1, length 64

> Does it look before or after ipfw? tcpdump -vvv port 25
> shows nothing when port is blocked on ipfw (security log shows dropped

tcpdump works at the layer 2 level. The kernel sends packets to BPF when
they go through the Ethernet handling routines.
ipfw(4) usually works at the layer 3 level, i.e. when the Ethernet layer has
already done, or has not yet done, its work. Anyway, you cannot see dropped
packets if you have not prepared for this as I described.

> packets). Also, is there a way to see uid/gid on the packet in
> ipfw log? Alternatively, can tcpdump show uid/gid of the packet
> (before ipfw)? I don't see uid/gid when I use tcpdump -vvv port 25. Is
> there a way to understand if packet doesn't have uid/gid or it just
> not shown? I can't figure out a good rule to protect access to port

tcpdump has no such ability or knowledge.

> 25 for other than sendmail (yep, native sendmail). The obvious
> ${ipfw} add allow tcp from me to any 25 out gid smmsp setup
> keep-state :emailfromme doesn't work (email is not sent out, but
> dropped on the ipfw by the last deny rule). Seems like the packet

How do you test this?

> sent by sendmail doesn't belong to smmsp group. I have tried gid
> operator gid mail gid smmsp gid wheel - won't help. How to debug?

-- 
WBR, Andrey V. Elsukov
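As an added example, not part of this thread: a small Python parser for the lines ipfw writes to the security log when a rule carries "log", which answers "which rule number dropped my outbound port-25 packet" without needing the ipfw0 interface. The line layout (rule number, action, protocol, src[:port] dst[:port], direction, interface) is my assumption of the kernel logger's format, the sample lines are constructed, and only IPv4 addresses are handled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample security-log lines in the assumed ipfw logger layout.
SAMPLE_LOG = """\
Jul  8 12:21:19 host kernel: ipfw: 1 Deny ICMP 127.0.0.1 127.0.0.1 out via lo0
Jul  8 12:22:03 host kernel: ipfw: 100 Accept TCP 127.0.0.1:51034 127.0.0.1:25 out via lo0
Jul  8 12:22:04 host kernel: ipfw: 65000 Deny TCP 192.0.2.10:49152 198.51.100.5:25 out via em0
Jul  8 12:22:05 host kernel: ipfw: 65000 Deny TCP 198.51.100.7:40321 192.0.2.10:25 in via em0
"""

# Ports are optional because ICMP lines carry bare addresses. IPv4 only.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


@dataclass
class IpfwLogEntry:
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str


def parse_ipfw_line(line: str) -> Optional[IpfwLogEntry]:
    """Return a structured entry for one syslog line, or None if it is not an ipfw log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return IpfwLogEntry(
        rule=int(m["rule"]), action=m["action"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
        direction=m["dir"], iface=m["iface"],
    )


def parse_ipfw_log(text: str) -> List[IpfwLogEntry]:
    return [e for e in (parse_ipfw_line(l) for l in text.splitlines()) if e]


def dropped_smtp(entries: List[IpfwLogEntry], direction: str = "out") -> List[Tuple[int, str, str]]:
    """(rule, src, dst) for denied TCP packets to port 25 in the given direction:
    the rule number tells you which deny rule caught the MTA's connection."""
    return [(e.rule, e.src, e.dst) for e in entries
            if e.action == "Deny" and e.proto == "TCP"
            and e.dport == 25 and e.direction == direction]
```

Feed it the real file with `dropped_smtp(parse_ipfw_log(open("/var/log/security").read()))`; an empty result while mail still fails means the packet never reached a logged rule, which is when the ipfw0 approach above is the better tool.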
