IPFW: Blocking me out. How to debug?
Tuomo Latto
djv at iki.fi
Mon Dec 17 02:05:02 PST 2007
W. D. wrote:
> How do I tell which rule is blocking me out? SSH *is* working,
> but others are not.
It all depends on what you mean by "blocking you out" and "others".
Did you try *reading* your fw config?
> # Loopback:
> # Allow anything on the local loopback:
> add allow all from any to any via lo0
> add deny ip from any to 127.0.0.0/8
> add deny ip from 127.0.0.0/8 to any
Nope.
> # Allow established connections:
> add allow tcp from any to any established
Nope.
> # Deny fragmented packets:
> add deny ip from any to any frag
Nope.
> # Show pings:
> add count icmp from any to any icmptypes 8 in
Nope.
> # Allow pings, ping replies, and host unreach:
> add allow icmp from any to any icmptypes 0,8,3
Nope.
> # Allow UDP traceroutes:
> add allow udp from any to any 33434-34458 in
> add allow udp from any 33434-34458 to any out
Nope.
> # Allow DNS with name server
> add allow udp from any to any domain out
> add allow udp from any domain to any in
Nope.
> # SSH
> # Note that /etc/hosts.allow has restrictions
> # on which IP addresses are allowed.
> #
> # Allow SSH:
> add allow tcp from any to any ssh in setup
Nope, but this explains SSH working.
> # HTTP & HTTPS:
> add allow tcp from any to any https in setup
> add allow tcp from any to any http in setup
Nope.
> # Mail: SMTP & IMAP:
> add allow tcp from any to any smtp in setup
> add allow tcp from any to any imap in setup
Nope.
> # FTP:
> add allow tcp from any to any ftp in setup
> add allow tcp from any to any ftp-data in setup
> add allow tcp from any ftp-data to any setup out
Nope.
> # Allow NTP in and out
> add allow udp from any ntp to 128.252.19.1 ntp out
> add allow udp from 128.252.19.1 ntp to any ntp in
Nope.
> # Deny and log everything else:
> add deny log all from any to any
Bingo!
"ipfw -a list" may also help (packet counts).
> In the kernel config file, is a limit of 10 too small?
You tell us.
http://www.defcon1.org/html/NATD-config/firewall-setup/ipfw-2.html
--
Tuomo
... She's dead, Jim. Should we bury her or have some fun?
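The two checks Tuomo points at, the packet counters from "ipfw -a list" and the lines that the final "deny log" rule writes to the system log, are what actually answer "which rule is blocking me". The script below is an added example, not from the thread or from FreeBSD; it parses constructed samples of both outputs (rule numbers, counters, addresses and timestamps are invented, and rule 1400 plays the role of the catch-all "deny log" rule) and reports which deny rules have matched packets, which flows they dropped, and whether the kernel's log limit (IPFIREWALL_VERBOSE_LIMIT, the "limit of 10" asked about above) has already silenced the rule.

```python
"""Find which ipfw rule is dropping traffic, from "ipfw -a list" counters
and from kernel ipfw log lines.  Added example; all data below is constructed."""
import re
from collections import Counter

# Constructed "ipfw -a list" output modelled on the rule set quoted in the
# thread (rule numbers and counters are invented).  Columns: rule, pkts, bytes, body.
SAMPLE_LIST = """\
00100     412    38920 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00300       0        0 deny ip from 127.0.0.0/8 to any
00400    9815 10922173 allow tcp from any to any established
00500       0        0 deny ip from any to any frag
00600      17     1428 count icmp from any to any icmptypes 8 in
00700      34     2856 allow icmp from any to any icmptypes 0,8,3
00800     120    14000 allow udp from any to any 53 out
00900     118    21000 allow udp from any 53 to any in
01000       3      180 allow tcp from any to any 22 in setup
01100       0        0 allow tcp from any to any 443 in setup
01200       0        0 allow tcp from any to any 80 in setup
01300       0        0 allow udp from any 123 to 128.252.19.1 123 out
01400      55     3300 deny log ip from any to any
65535       0        0 deny ip from any to any
"""

# Constructed /var/log/security lines for the same host (198.51.100.5, hypothetical).
# The last line is the kernel's notice that the per-rule log limit was hit.
SAMPLE_LOG = """\
Dec 17 01:58:11 gw kernel: ipfw: 1400 Deny TCP 198.51.100.5:49152 203.0.113.80:80 out via em0
Dec 17 01:58:14 gw kernel: ipfw: 1400 Deny UDP 198.51.100.5:123 203.0.113.123:123 out via em0
Dec 17 01:58:20 gw kernel: ipfw: 1400 Deny TCP 192.0.2.10:51235 198.51.100.5:993 in via em0
Dec 17 01:58:31 gw kernel: ipfw: 1400 Deny TCP 198.51.100.5:49153 203.0.113.80:80 out via em0
Dec 17 01:58:40 gw kernel: ipfw: 1400 Deny ICMP:11.0 203.0.113.1 198.51.100.5 in via em0
Dec 17 01:58:41 gw kernel: ipfw: limit 10 reached on entry 1400
"""

LIST_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
# src/dst ports are optional so that ICMP entries (no ports) parse too.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)")
LIMIT_RE = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")


def parse_ipfw_list(text):
    """Turn 'ipfw -a list' output into dicts with rule, pkts, bytes, body."""
    rules = []
    for line in text.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            rules.append({"rule": int(m.group(1)), "pkts": int(m.group(2)),
                          "bytes": int(m.group(3)), "body": m.group(4)})
    return rules


def blocking_rules(rules):
    """Deny rules that have actually matched packets: the ones blocking someone."""
    return [r for r in rules if r["body"].startswith("deny") and r["pkts"] > 0]


def parse_ipfw_log(text):
    """Return (deny/accept entries, [(rule, limit)] for rules whose logging stopped)."""
    entries, limits = [], []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["rule"] = int(d["rule"])
            d["sport"] = int(d["sport"]) if d["sport"] else None
            d["dport"] = int(d["dport"]) if d["dport"] else None
            entries.append(d)
            continue
        m = LIMIT_RE.search(line)
        if m:
            limits.append((int(m.group("rule")), int(m.group("limit"))))
    return entries, limits


def summarize_denies(entries):
    """Count dropped flows by (rule, proto, direction, dst port) to see what is missing."""
    counts = Counter()
    for e in entries:
        if e["action"].lower() == "deny":
            counts[(e["rule"], e["proto"], e["dir"], e["dport"])] += 1
    return counts


if __name__ == "__main__":
    for r in blocking_rules(parse_ipfw_list(SAMPLE_LIST)):
        print("rule %5d dropped %d packets: %s" % (r["rule"], r["pkts"], r["body"]))
    entries, limits = parse_ipfw_log(SAMPLE_LOG)
    for key, n in summarize_denies(entries).most_common():
        print("  rule %d %s %s dport=%s: %d" % (key + (n,)))
    for rule, limit in limits:
        print("rule %d stopped logging after %d entries (raise verbose_limit "
              "or run 'ipfw resetlog')" % (rule, limit))
```

Run as is, it prints the one deny rule with hits (the catch-all), the dropped flows grouped by protocol, direction and port (here outbound TCP setups, an outbound NTP query to a different server, inbound 993 and inbound ICMP type 11), and the note that rule 1400 has gone quiet after 10 log entries. On a real box, feed it `ipfw -a list` and the ipfw lines from /var/log/security instead of the constructed samples; a deny rule with a rising counter but no fresh log lines is the sign that the verbose limit, not the rule set, is what needs attention.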