Re: ipfw firewall help

2002-12-06 Thread Steve Bertrand
The easiest way I have found to troubleshoot rule problems is to turn on
logging for your deny rules and find out what rule is blocking the
traffic. Just add 'log' or 'log logamount nn' (where nn is the number
of log entries to create) to the deny rules. Once you try to connect again,
you can then read /var/log/security and see where the packets are being dropped.

Another good method of troubleshooting is using # tcpdump -i ifaceX 
(where ifaceX is the interface the traffic is going through first). 
After you verify traffic can get through the first interface, dump the 
other interface. You will get results verifying whether the traffic was 
able to come in to the interface, and whether it was able to go back out.

You may also want to post to freebsd-ipfw.

Hope this helps!

Steve


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message


 







Re: ipfw firewall help

2002-12-06 Thread BigBrother (BigB3)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>ipfw add 108 allow tcp from any to xx.250.227.0/22 20,21,25,80,110 via bge0

>
>#Outbound from inside
>ipfw add 109 check-state
>ipfw add 110 allow tcp from xx.250.224.0/22 via bge0 keep-state
>ipfw add 111 allow udp from xx.250.224.0/22 via bge0 keep-state
>ipfw add 112 allow tcp from any to any established setup
>#Machine specific ports
>#Server NEWS 1
>ipfw add 120 allow tcp from any to xx.250.227.2 53 via bge0
>ipfw add 121 allow tcp from any to xx.250.227.3 53 via bge0
>ipfw add 122 allow tcp from any to xx.250.227.4 53 via bge0
>ipfw add 123 allow udp from any to xx.250.227.2 via bge0
>ipfw add 124 allow udp from any to xx.250.227.3 via bge0
>ipfw add 125 allow udp from any to xx.240.227.4 via bge0



>#Deny all after above allows - here we go
>ipfw add 400 deny tcp from any to xx.250.227.0/22 via bge0
>ipfw add 410 deny udp from any to xx.250.227.0/22 via bge0
>
>
>Goal is if we're on any of the 227 subnetted machines and wish to do
>anything on the internet that we be allowed to do so, such as ftp, telnet,
>browse the web, etc.


1) General tip when using firewalls, especially if you are having
problems: ALWAYS log the denied packets, so in rule 400 you should put a log
statement.

2) When using a firewall, always remember that packets are usually two-way:
somebody connects to your port and your port sends a reply. So rule 108
should also include a 'keep-state' option, or it should be immediately
followed by a

ipfw add 108 allow tcp from xx.250.227.0/22 20,21,25,80,110 to any via bge0

3) Your problem is a missing rule. You have rules for the 224
subnet but not for the 227 subnet for outgoing, so you should also include a
line

ipfw add 113 allow all from xx.250.227.0/22 via bge0 keep-state

4) Also, whatever is not specifically written with two rules (one incoming and
the other outgoing) should have a keep-state option. For example, rule 120
has only the incoming connection to 53; you don't allow the outgoing. So
preferably you should
i) make two rules for it
ii) use a keep-state directive




Regards,


BigB




- ---
We are being monitored..but there is a solution...
Use PGP for signing and encrypting emails
Download my public key at http://www.us.pgp.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE98F9jGe/V3CxAyHoRAn+sAJ0X65d6o/+YrI1iLMq+mHvDxtCrdACffrMb
Uz0a1/8Z6fgUOuspgXeOjVk=
=Dh2k
-----END PGP SIGNATURE-----





ipfw firewall help

2002-12-05 Thread Joseph Barnhart
Please forgive me for asking this, I know it's probably been gone over
numerous times.

I have a network at a colo facility with a FreeBSD machine and 3 NICs.

Outside NIC and the others for the internal networks.  I get routed
3 class C's, and the machine is routing and acting as a gateway perfectly.

We decided to close everything and add as needed (ports).

As far as incoming traffic/ports, etc., everything is perfect.  But if I
get on any of the internal machines and try to browse the web (Windows
Update) etc., nothing works.

I'm sure it's something totally simple I'm missing. Since it's a colo
facility it's not like it's an office LAN and people are there, but I need
the ability to be on a server there and be able to browse, ftp, etc., all
of which are broken.

Could someone help me figure out what I've done wrong?

Here are the rules I have. The firewall is set to "OPEN" so it runs
/etc/rc.firewall and adds the 3 generic rulesets, then runs rc.joe, which
I'm showing here:

#Begin Custom ipfw rules to secure network on fxp0
#We will block at the WAN   
#
#adam's IP for term svc
ipfw add 101 allow tcp from xx.xx.xx.xx to any 3389 via bge0
#sarah's IP for term svc
ipfw add 102 allow tcp from xx.xx.xx.xx to any 3389 via bge0
#
#leave the unix machines alone
#WWW
ipfw add 103 allow tcp from any to xx.250.228.0/28 via bge0
ipfw add 104 allow udp from any to xx.250.228.0/28 via bge0
#Outside WAN - Router fbsd
ipfw add 105 allow udp from any to xx.94.245.250 via bge0
ipfw add 106 allow tcp from any to xx.94.245.250 via bge0  
ipfw add 107 allow tcp from any to xx.250.227.1 ssh via bge0
#
#Begin Allows - Universal (FTP, WWW, SMTP, POP3)
ipfw add 108 allow tcp from any to xx.250.227.0/22 20,21,25,80,110 via bge0
#
#Outbound from inside
ipfw add 109 check-state
ipfw add 110 allow tcp from xx.250.224.0/22 via bge0 keep-state
ipfw add 111 allow udp from xx.250.224.0/22 via bge0 keep-state
ipfw add 112 allow tcp from any to any established setup
#Machine specific ports
#Server NEWS 1
ipfw add 120 allow tcp from any to xx.250.227.2 53 via bge0
ipfw add 121 allow tcp from any to xx.250.227.3 53 via bge0
ipfw add 122 allow tcp from any to xx.250.227.4 53 via bge0
ipfw add 123 allow udp from any to xx.250.227.2 via bge0   
ipfw add 124 allow udp from any to xx.250.227.3 via bge0
ipfw add 125 allow udp from any to xx.240.227.4 via bge0
#
#Server WWW6
ipfw add 130 allow tcp from any to xx.250.227.208 443 via bge0
#
#Server SQL 3
ipfw add 140 allow tcp from any to xx.250.227.13 1433 via bge0 
#
#Server MARZ
ipfw add 150 allow tcp from any to xx.250.227.53 1433 via bge0
#
#Server Mai
ipfw add 160 allow tcp from any to xx.250.227.175 8384 via bge0

#Deny all after above allows - here we go
ipfw add 400 deny tcp from any to xx.250.227.0/22 via bge0
ipfw add 410 deny udp from any to xx.250.227.0/22 via bge0


Goal is if we're on any of the 227 subnetted machines and wish to do
anything on the internet that we be allowed to do so, such as ftp, telnet,
browse the web, etc.

These rules are also in effect as rc.firewall sets them:

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# ${fwcmd} add 65000 pass all from any to any

Any help would be greatly appreciated. I know that source packets coming
in aren't matching the rulesets any longer, or it's something like that.

The area that I've tried to make this work is rules 109, 110, 111 and 112,
but to no avail.

Thanks again,

Joe

