need help with ipfw rules
Hi all. My apologies, this could get long as I'm including the text of various config files. I've been trying to learn ipfw.

I've recompiled a kernel with the following options:

    options ICMP_BANDLIM
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPDIVERT
    options TCP_DROP_SYNFIN
    options IPFIREWALL_FORWARD
    options IPSTEALTH
    options DUMMYNET

My rc.conf:

    # This file now contains just the overrides from /etc/defaults/rc.conf.
    defaultrouter="1.1.1.1"
    gateway_enable="YES"
    hostname="hostname.com"
    ifconfig_xl0="inet 1.1.1.1 netmask 255.255.255.0"
    inetd_enable="YES"
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    firewall_type="open"
    firewall_quiet="NO"
    tcp_drop_synfin="NO"
    firewall_logging_enable="YES"
    icmp_drop_redirect="YES"
    log_in_vain="YES"
    sendmail_flags="-bd"
    kern_securelevel_enable="NO"
    linux_enable="YES"
    moused_enable="YES"
    moused_port="/dev/psm0"
    moused_type="auto"
    nfs_reserved_port_only="YES"
    saver="logo"
    sendmail_enable="YES"
    sshd_enable="YES"
    usbd_enable="YES"
    portmap_enable="YES"
    nfs_server_enable="YES"
    mountd_flags="-r"

I haven't edited rc.firewall. This machine is a combination desktop/web/ftp/nfs server.
My /etc/ipfw.rules looks like:

    ipfw add allow ip from any to any
    ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
    ipfw add allow udp from any to any 53
    ipfw add check-state
    ipfw add allow tcp from any to any 80 setup keep-state
    ipfw add allow tcp from any to any 53 setup keep-state
    ipfw add allow tcp from any to any 21 setup keep-state
    ipfw add allow tcp from any to any 22 setup keep-state
    ipfw add allow tcp from any to any 25 setup keep-state
    ipfw add allow tcp from any to any 110 setup keep-state
    ipfw add allow tcp from any to any 587 setup keep-state
    ipfw add allow tcp from any to any 3306 setup keep-state
    ipfw add allow tcp from any to any 1 setup keep-state
    ipfw add reject tcp from any to any
    ipfw add allow udp from any to any 53
    ipfw add allow icmp from any to any icmptype 0,3,4,8,11
    ipfw add deny log logamount 5000 ip from any to any

(I was following phoenix's and kirk's ipfw advice in another thread.)

I've also added

    !ipfw
    *.*    /var/log/firewall.log

to /etc/syslog.conf, touched /var/log/firewall.log, and restarted syslogd.

Upon reboot, the machine hangs in 3 different places during the bootup process. My bootup messages look like:

    [snip]
    additional network daemons:mountd
    oct 21 15:27:47 hostname mountd[96]: get hostname failed for www3
    oct 21 15:27:47 hostname mountd[96]: bad host www3, skipping
    oct 21 15:27:47 hostname mountd[96]: bad exports list line /mnt/drive2/dailybackup www3
    nfs on reserved port only=YES nfsd rpc.statd
    [snip]

Here it hangs on mountd for a minute or two, then proceeds.

    [snip]
    starting standard daemons: inetd cron sshd usbd sendmail sendmail-clientmqueue
    [snip]

Here it hangs on sendmail and sendmail-clientmqueue, then proceeds. It then hangs for hours at 'recovering vi sessions:'. It eventually boots all the way through after a few hours. This is not workable for me.
I've switched my /etc/ipfw.rules to

    ipfw add allow ip from any to any
    ipfw add allow udp from any to any 53

temporarily, so that I can use the machine, but I would like to have a set of basic ipfw rules in place. Can anyone tell me where I'm going wrong? I think it's hanging during the bootup process because my ipfw.rules are messed up.

thanks
redmond

Redmond Militante
Northwestern University, Evanston, IL. USA
[EMAIL PROTECTED]
847-467-7617

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re: need help with ipfw rules
Check out this site; once you get a handle on the setup, read this HOWTO. I've looked at lots of resources, but this is the best as far as I'm concerned.

http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

If someone has one better, I would love to see it.

Grant Cooper

----- Original Message -----
From: Dan Pelleg [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Redmond Militante [EMAIL PROTECTED]
Sent: Monday, October 21, 2002 6:16 PM
Subject: RE: need help with ipfw rules

> Hi all. My apologies, this could get long as I'm including the text of
> various config files. I've been trying to learn ipfw.
> I've recompiled a kernel with the following options
>
> ipfw add allow ip from any to any

Do you really want to allow everything in, or is this just a typo? If this rule is really in effect, the rest of the rules are not doing anything.

> ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0

I'm assuming vua is a typo - should be via.

> ipfw add allow udp from any to any 53
> ipfw add check-state

You're not letting DNS replies come back. You are allowing the queries to go *out*, but when the remote server's reply packets hit the firewall they have port 53 on the *source* address, not on the destination. So they don't match that rule anymore and are discarded. What you probably want instead is:

    ipfw add allow udp from any to any 53 keep-state

Another point: you're not using the divert rule for natd, and I see you have NAT enabled in your rc.conf. This is likely to be a problem later (well, you'll just not have NAT).

A very good resource for this is /etc/rc.firewall. Just try to follow what the CLIENT, SIMPLE and OPEN targets do, or even let them run, then output the generated ruleset and use it as the skeleton of your own ruleset.

Another useful debugging tool is ipfw show - typed repeatedly to watch which counters increased and so to know which rules were hit. Once you get into stateful filtering, you'll want ipfw -d show.

Having said that, good ol' tcpdump is always handy to have around. Just fire up tcpdump -ni XXX with XXX for your external interface and see what's going out and what's coming in. Once you start firewalling for a network, a tcpdump -ni III with III being the internal interface becomes useful as well, either in itself or in addition to the external-watching tcpdump.

-- Dan Pelleg
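To make Dan's point about the DNS rule concrete, here is an added example that is not code from this thread, from FreeBSD, or from ipfw itself: a small Python model of ipfw's first-match evaluation with setup, keep-state and check-state, run over a constructed DNS query/reply pair and a constructed HTTP handshake. The rule representation, the Firewall class, the addresses and the packets are all assumptions made for the illustration; only the semantics the reply describes are modelled (first match wins, a stateless rule on destination port 53 matches the query but not the reply, and keep-state installs a bidirectional dynamic entry that check-state, and keep-state rules themselves, consult before the static rules).

```python
"""Toy model of ipfw first-match evaluation with setup/keep-state/check-state.

Added illustration, not ipfw itself: rules are dicts, packets are namedtuples,
and the dynamic-state table is a set of 5-tuples looked up in both directions.
Every address and packet below is constructed for the example.
"""
from collections import namedtuple

# syn=True models a TCP packet with only SYN set (what ipfw's 'setup' matches).
Packet = namedtuple("Packet", "proto src sport dst dport syn", defaults=(False,))


def rule(action, proto, dport=None, setup=False, keep_state=False,
         check_state=False):
    """One ipfw rule. proto 'ip' matches any protocol; dport None means any."""
    return {"action": action, "proto": proto, "dport": dport, "setup": setup,
            "keep_state": keep_state, "check_state": check_state}


def static_match(r, pkt):
    """Stateless part of a rule: protocol, destination port, setup flag."""
    if r["proto"] != "ip" and r["proto"] != pkt.proto:
        return False
    if r["dport"] is not None and r["dport"] != pkt.dport:
        return False
    if r["setup"] and not pkt.syn:
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # dynamic entries as (proto, src, sport, dst, dport)

    def _keys(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward, reverse

    def evaluate(self, pkt):
        """Return the action of the first matching rule ('deny' if none)."""
        forward, reverse = self._keys(pkt)
        for r in self.rules:
            # check-state, and keep-state (which implies check-state), consult
            # the dynamic table first; a hit in either direction is accepted
            # without evaluating any later rule.
            if r["check_state"] or r["keep_state"]:
                if forward in self.state or reverse in self.state:
                    return "allow"
                if r["check_state"]:
                    continue  # a bare check-state has no static part
            if static_match(r, pkt):
                if r["keep_state"]:
                    self.state.add(forward)
                return r["action"]
        return "deny"  # ipfw's implicit default rule 65535 is deny


def original_ruleset(open_first_rule=False):
    """Order of the rules from the original post, DNS left stateless."""
    rules = [rule("allow", "ip")] if open_first_rule else []
    rules += [
        rule("allow", "udp", dport=53),          # lets the query out only
        rule("check", None, check_state=True),
        rule("allow", "tcp", dport=80, setup=True, keep_state=True),
        rule("allow", "tcp", dport=22, setup=True, keep_state=True),
        rule("reject", "tcp"),                   # any other TCP
        rule("allow", "udp", dport=53),          # duplicate of the first rule
        rule("deny", "ip"),                      # the final deny log rule
    ]
    return rules


def fixed_ruleset():
    """Same order, but the DNS rule installs state as Dan suggested."""
    rules = original_ruleset()
    rules[0] = rule("allow", "udp", dport=53, keep_state=True)
    return rules


# Constructed traffic (RFC 5737 documentation ranges, not real hosts).
CLIENT, RESOLVER, WEB = "192.0.2.10", "198.51.100.53", "203.0.113.80"
DNS_QUERY = Packet("udp", CLIENT, 40000, RESOLVER, 53)
DNS_REPLY = Packet("udp", RESOLVER, 53, CLIENT, 40000)
HTTP_SYN = Packet("tcp", CLIENT, 50000, WEB, 80, syn=True)
HTTP_SYNACK = Packet("tcp", WEB, 80, CLIENT, 50000)
STRAY_ACK = Packet("tcp", WEB, 80, CLIENT, 50001)  # no matching state


def run_dns_exchange(rules):
    """Verdicts for the query and then the reply on a fresh firewall."""
    fw = Firewall(rules)
    return fw.evaluate(DNS_QUERY), fw.evaluate(DNS_REPLY)


def run_http_exchange(rules):
    """Verdicts for SYN, the SYN/ACK it earns, and an unsolicited segment."""
    fw = Firewall(rules)
    return fw.evaluate(HTTP_SYN), fw.evaluate(HTTP_SYNACK), fw.evaluate(STRAY_ACK)


if __name__ == "__main__":
    print("stateless DNS rule:", run_dns_exchange(original_ruleset()))
    print("keep-state DNS rule:", run_dns_exchange(fixed_ruleset()))
    print("with 'allow ip from any to any' first:",
          run_dns_exchange(original_ruleset(open_first_rule=True)))
    print("HTTP on the fixed ruleset:", run_http_exchange(fixed_ruleset()))
```

With the stateless rule the query is allowed and the reply falls through every rule to the final deny, which is the behaviour the reply describes; with keep-state the reply is accepted from the dynamic entry the query installed. The open_first_rule flag shows the other point Dan raises: with allow ip from any to any at the top, everything is allowed and no later rule is ever consulted. The HTTP case shows why the setup keep-state rules work as intended: the SYN matches the static rule and installs state, the SYN/ACK is accepted from that state, and a TCP segment with no state falls to the reject rule.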
Re: need help with ipfw rules
Hi, thanks for responding.

On Mon, Oct 21, 2002 at 09:16:36PM -0400, Dan Pelleg expatiated with great perspicuity:
> > Hi all. My apologies, this could get long as I'm including the text of
> > various config files. I've been trying to learn ipfw.
> > I've recompiled a kernel with the following options
> >
> > ipfw add allow ip from any to any

typo

> Do you really want to allow everything in, or is this just a typo? If this
> rule is really in effect, the rest of the rules are not doing anything.
>
> > ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
>
> I'm assuming vua is a typo - should be via.

typo again

> > ipfw add allow udp from any to any 53
> > ipfw add check-state
>
> You're not letting DNS replies come back. You are allowing the queries to go
> *out*, but when the remote server's reply packets hit the firewall they have
> port 53 on the *source* address, not on the destination. So they don't match
> that rule anymore and are discarded. What you probably want instead is:
>
>     ipfw add allow udp from any to any 53 keep-state

I changed this line. Boots up fine. Webserver, ssh, nfs, mail, etc. work. There's only one problem I noticed right off the bat: it looks like ftp users can authenticate fine, but when their ftp client tries to bring up a list of files in their ftp directories, it hangs at 'getting file list...'. Any ideas on how to fix?

thanks
redmond

> Another point: you're not using the divert rule for natd, and I see you have
> NAT enabled in your rc.conf. This is likely to be a problem later (well,
> you'll just not have NAT).
>
> A very good resource for this is /etc/rc.firewall. Just try to follow what
> the CLIENT, SIMPLE and OPEN targets do, or even let them run, then output the
> generated ruleset and use it as the skeleton of your own ruleset.
>
> Another useful debugging tool is ipfw show - typed repeatedly to watch which
> counters increased and so to know which rules were hit. Once you get into
> stateful filtering, you'll want ipfw -d show.
>
> Having said that, good ol' tcpdump is always handy to have around. Just fire
> up tcpdump -ni XXX with XXX for your external interface and see what's going
> out and what's coming in. Once you start firewalling for a network, a
> tcpdump -ni III with III being the internal interface becomes useful as
> well, either in itself or in addition to the external-watching tcpdump.
>
> -- Dan Pelleg