fbsd_user schreef:
Post complete content of your rules file for review by people here on list. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Frasa Sent: Wednesday, January 25, 2006 4:04 AM To: freebsd-questions@freebsd.org Subject: IPFW / NFSD Hello, I am currently running 1 HTTP server on FreeBSD 6.0 Offcourse, like anyone that likes security, i am running IPFW and set the kernel to block by default. Behind that HTTP server i am running 2 Linux boxes. The problem is that when i enable the firewall and openup ports from rpcinfo -p: program vers proto port service 100000 4 tcp 111 rpcbind 100000 3 tcp 111 rpcbind 100000 2 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100000 3 udp 111 rpcbind 100000 2 udp 111 rpcbind 100000 4 local 111 rpcbind 100000 3 local 111 rpcbind 100000 2 local 111 rpcbind 100005 1 udp 668 mountd 100005 3 udp 668 mountd 100005 1 tcp 984 mountd 100005 3 tcp 984 mountd 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs I opened up all these ports but i cant do an ls or write to nfs or whatever. Then i thought maybe it's trying something local so i added: $cmd add 00225 allow ip from 1.2.3.4/24 to any keep-state Even this does not work. Tcpdump shows me that when i have ipfw open, it only communicates with port 2049 and i don't see anything more. Can anybody help me out here? Additional info: { [EMAIL PROTECTED] } uname -a FreeBSD arcas 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #2: Wed Jan 4 15:45:38 UTC 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ARCAS i386 Mark. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]" _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Here is the list: # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" pif="vr0" # public interface name of NIC # facing the public Internet secure="ip2.of.this.box" arcas="ip.of.this.box" $cmd 00010 allow all from any to any via lo0 $cmd 00015 check-state $cmd 00100 allow ip from any to any out via $pif keep-state $cmd 00200 allow tcp from any to $arcas 80 in via $pif $cmd 00310 allow icmp from any to any in via $pif # Allow in secure from selected ip's $cmd 00410 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state $cmd 00411 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state # Allow in nfs requests on secured ip from own network only $cmd 00425 allow ip from x.x.x.x/24 to $secure setup keep-state # deny and log all packets that fell through to see what they are $cmd 00999 deny log all from any to any Mark. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"