IPFW: Blocking me out. How to debug?

Nash Nipples trashy_bumper at yahoo.com
Thu Dec 20 02:12:23 PST 2007


Dear W.D.,
Do you understand that by adding rules into kernel space numbered from zero to sixty-five thousand five hundred thirty-four
you may alter the behavior of rule number sixty-five thousand five hundred thirty-five?
Can you please define and list the goals you are trying to achieve by altering the default rule, in terms you can both explain and understand.

----- Original Message ----
From: W. D. <WD at US-Webmasters.com>
To: freebsd-security at freebsd.org
Cc: Tuomo Latto <djv at iki.fi>
Sent: Thursday, December 20, 2007 8:39:16 AM
Subject: Re: IPFW: Blocking me out..  How to debug?


At 03:49 12/17/2007, Tuomo Latto wrote:
>W. D. wrote:
>> How do I tell which rule is blocking me out?  SSH *is* working,
>> but others are not.
>
>It all depends on what you mean by "blocking you out" and "others".
>
>
>Did you try *reading* your fw config?
>
>>         # Loopback:
>>         # Allow anything on the local loopback:
>>         add allow all from any to any via lo0
>>         add deny ip from any to 127.0.0.0/8
>>         add deny ip from 127.0.0.0/8 to any
>Nope.
>>         # Allow established connections:
>>         add allow tcp from any to any established
>Nope.
>>         # Deny fragmented packets:
>>         add deny ip from any to any frag
>Nope.
>>         # Show pings:
>>         add count icmp from any to any icmptypes 8 in
>Nope.
>>         # Allow pings, ping replies, and host unreach:
>>         add allow icmp from any to any icmptypes 0,8,3
>Nope.
>>         # Allow UDP traceroutes:
>>         add allow udp from any to any 33434-34458 in
>>         add allow udp from any 33434-34458 to any out
>Nope.
>>         # Allow DNS with name server
>>         add allow udp from any to any domain out
>>         add allow udp from any domain to any in
>Nope.
>>         # SSH
>>         #  Note that /etc/hosts.allow has restrictions
>>         #  on which IP addresses are allowed.
>>         #
>>         # Allow SSH:
>>         add allow tcp from any to any ssh in setup
>Nope, but this explains SSH working.
>>         # HTTP & HTTPS:
>>         add allow tcp from any to any https in setup
>>         add allow tcp from any to any http in setup
>Nope.
>>         # Mail: SMTP & IMAP:
>>         add allow tcp from any to any smtp in setup
>>         add allow tcp from any to any imap in setup
>Nope.
>>         # FTP:
>>         add allow tcp from any to any ftp in setup
>>         add allow tcp from any to any ftp\-data in setup
>>         add allow tcp from any ftp\-data to any setup out
>Nope.
>>         # Allow NTP in and out
>>         add allow udp from any ntp to 128.252.19.1 ntp out
>>         add allow udp from 128.252.19.1 ntp to any ntp in
>Nope.
>>         # Deny and log everything else:
>>         add deny log all from any to any
>Bingo!
>
>
>"ipfw -a list" may also help (packet counts).

I've been banging my head against this for the past few
days.  I don't get it.  

My understanding of the way this is supposed to work is
that:

  # HTTP & HTTPS:
  add allow tcp from any to any https in setup
  add allow tcp from any to any http in setup

should let initial HTTP & HTTPS requests through,
and that:

That's correct! But you also probably would like the firewall to create a dynamic rule upon match,
so the keep-state option is required.


 # Allow established connections:
 add allow tcp from any to any established

very interesting.


should allow connections that are "setup" to 
continue.  Do I need a "check-state" or "keep-state"
statement somewhere?

check-state should be applied to incoming packets only, not the dynamically added ones.


I don't understand what is wrong with the last rule:

  # Deny and log everything else:
  add deny log all from any to any

It may lead to a console lockup, and there is no other way to log in until you have physical access to the console.


My understanding is that anything that doesn't match
the previous rules will match this one and hence
be logged and denied.  Is this not correct?

Yes, this is very correct. What is recommended is adding a temporary rule
that allows everything prior to denying everything, so you can see in the log files what it is literally allowing.
Maybe your own log files will tell you more than mine; cat /var/log/security for details.
But after all it's only a filtering facility; don't expect there are some overframed packets marching on the wires and seeking their way in.


Again, I am having a great deal of difficulty
understanding why these rules don't work as expected.
I've scoured the 'Net and printed out just about
every coherent ruleset out there.

This is true for me as well. Nothing ever works as expected; it only malfunctions when least expected. A good ruleset for starters with little expectations is the one you can read in the handbook. I can't wait for you to start quoting its firewall section: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html


Besides adding the "log" keyword on all of the rules,
these are the debugging tools I have been using:

  ipfw disable firewall
  ipfw -f flush
  ipfw enable firewall
  /etc/rc.d/ipfw start
  ipfw -a -S -N -t list
  ipfw list
  tail  -f   /var/log/ipfw/ipfw.log
  tcpdump -i nve0 'proto \tcp && port http'

Maybe that is your way, but not the syslogd way: tail /var/log/security, or less.


Could anyone please throw this tired dog a bone?

To be honest, it's quite difficult to read someone else's code, but if you define the goals you are trying to achieve 

For example, what is this?
>>         add deny ip from any to 127.0.0.0/8
>>         add deny ip from 127.0.0.0/8 to any











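The log-reading step the thread recommends (a final `deny log` rule, then reading /var/log/security), as an added example that is not from either poster: a POSIX shell/awk script that tallies ipfw `Deny` log lines by rule number, protocol, direction and destination port, so the rule that is blocking a given service can be read off directly. The log lines are constructed to mimic the syslog format ipfw writes; the host name `gw`, rule numbers and addresses are made up, and only the interface name `nve0` comes from the thread.

```shell
#!/bin/sh
# Constructed sample of ipfw syslog lines (format: "ipfw: RULE ACTION PROTO SRC DST DIR via IFACE").
# Rule numbers, host and addresses are invented for this example; nve0 is the interface named in the thread.
SAMPLE_LOG='Dec 20 02:10:01 gw kernel: ipfw: 1300 Deny TCP 10.9.8.7:51342 192.0.2.10:80 in via nve0
Dec 20 02:10:02 gw kernel: ipfw: 1300 Deny TCP 10.9.8.7:51343 192.0.2.10:80 in via nve0
Dec 20 02:10:03 gw kernel: ipfw: 1300 Deny TCP 192.0.2.10:443 10.9.8.7:51400 out via nve0
Dec 20 02:10:04 gw kernel: ipfw: 1300 Deny UDP 10.9.8.7:40000 192.0.2.10:123 in via nve0
Dec 20 02:10:05 gw kernel: ipfw: 1300 Deny ICMP:8.0 10.9.8.7 192.0.2.10 in via nve0
Dec 20 02:10:06 gw kernel: ipfw: 600 Accept TCP 10.9.8.7:51500 192.0.2.10:22 in via nve0'

# deny_summary: read log text on stdin and print one line per distinct
# "rule proto direction dport" combination of Deny entries, prefixed by its
# hit count, most frequent first. Accept lines are ignored.
deny_summary() {
    awk '
    /ipfw: [0-9]+ Deny / {
        # locate the "ipfw:" token so the layout of the syslog prefix does not matter
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule = $(i + 1); proto = $(i + 3); dst = $(i + 5); dir = $(i + 6)
        # destination is "host:port" for TCP/UDP; ICMP entries carry no port
        n = split(dst, parts, ":")
        port = (n > 1) ? parts[n] : "-"
        count[rule " " proto " " dir " " port]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# blocking_rule: number of the rule responsible for the most denies in SAMPLE_LOG.
blocking_rule() {
    printf '%s\n' "$SAMPLE_LOG" | deny_summary | awk 'NR == 1 { print $2 }'
}

# Run against the constructed sample; on a real host pipe /var/log/security in instead.
printf '%s\n' "$SAMPLE_LOG" | deny_summary
```

The first column tells you how often each (rule, protocol, direction, port) combination was denied; a deny rule with hits on port 80 `in` is the one blocking HTTP.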

