Re: IPFW: Blocking me out. How to debug?
Dear W.D.
Do you understand that by adding the rules into kernel space numbered from zero to sixty five thousand five hundred thirty four
you may alter the behavior of the rule number sixty five thousand five hundred thirty five?
Can you please define and list the goals you are trying to achieve by altering the default rule, in terms you can both explain and understand.

----- Original Message ----
From: W. D. <WD@US-Webmasters.com>
To: freebsd-security@freebsd.org
Cc: Tuomo Latto <djv@iki.fi>
Sent: Thursday, December 20, 2007 8:39:16 AM
Subject: Re: IPFW: Blocking me out... How to debug?


At 03:49 12/17/2007, Tuomo Latto wrote:
>W. D. wrote:
>> How do I tell which rule is blocking me out? SSH *is* working,
>> but others are not.
>
>It all depends on what you mean by "blocking you out" and "others".
>
>
>Did you try *reading* your fw config?
>
>> # Loopback:
>> # Allow anything on the local loopback:
>> add allow all from any to any via lo0
>> add deny ip from any to 127.0.0.0/8
>> add deny ip from 127.0.0.0/8 to any
>Nope.
>> # Allow established connections:
>> add allow tcp from any to any established
>Nope.
>> # Deny fragmented packets:
>> add deny ip from any to any frag
>Nope.
>> # Show pings:
>> add count icmp from any to any icmptypes 8 in
>Nope.
>> # Allow pings, ping replies, and host unreach:
>> add allow icmp from any to any icmptypes 0,8,3
>Nope.
>> # Allow UDP traceroutes:
>> add allow udp from any to any 33434-34458 in
>> add allow udp from any 33434-34458 to any out
>Nope.
>> # Allow DNS with name server
>> add allow udp from any to any domain out
>> add allow udp from any domain to any in
>Nope.
>> # SSH
>> # Note that /etc/hosts.allow has restrictions
>> # on which IP addresses are allowed.
>> #
>> # Allow SSH:
>> add allow tcp from any to any ssh in setup
>Nope, but this explains SSH working.
>> # HTTP & HTTPS:
>> add allow tcp from any to any https in setup
>> add allow tcp from any to any http in setup
>Nope.
>> # Mail: SMTP & IMAP:
>> add allow tcp from any to any smtp in setup
>> add allow tcp from any to any imap in setup
>Nope.
>> # FTP:
>> add allow tcp from any to any ftp in setup
>> add allow tcp from any to any ftp\-data in setup
>> add allow tcp from any ftp\-data to any setup out
>Nope.
>> # Allow NTP in and out
>> add allow udp from any ntp to 128.252.19.1 ntp out
>> add allow udp from 128.252.19.1 ntp to any ntp in
>Nope.
>> # Deny and log everything else:
>> add deny log all from any to any
>Bingo!
>
>
>"ipfw -a list" may also help (packet counts).

I've been banging my head against this for the past few
days. I don't get it.

My understanding of the way this is supposed to work is
that:

 # HTTP & HTTPS:
 add allow tcp from any to any https in setup
 add allow tcp from any to any http in setup

should let initial HTTP & HTTPS requests through,
and that:

That's correct! But you also probably would like the firewall to create a dynamic rule upon match,
so the keep-state option is required.


 # Allow established connections:
 add allow tcp from any to any established

Very interesting.


should allow connections that are "setup" to
continue. Do I need a "check-state" or "keep-state"
statement somewhere?

check-state should be applied to incoming packets only, not the dynamically added ones.


I don't understand what is wrong with the last rule:

 # Deny and log everything else:
 add deny log all from any to any

It may lead to console lockup, and there is no other way to log in until you have physical access to the console.


My understanding is that anything that doesn't match
the previous rules will match this one and hence
be logged and denied. Is this not correct?

Yes, this is very correct. What is recommended is adding a temporary rule
that will allow everything prior to denying everything, so you can see in the log files what it is literally allowing.
Maybe your own log files will tell you more than mine; cat /var/log/security for details.
But after all it's only a filtering facility; don't expect there are some overframed packets marching on the wires and seeking their way in.


Again, I am having a great deal of difficulty
understanding why these rules don't work as expected.
I've scoured the 'Net and printed out just about
every coherent ruleset out there.

This is true for me as well. Nothing ever works as expected; it only malfunctions when least expected. A good ruleset for starters with little expectations is the one you can read in the handbook. I can't wait for you to start quoting its firewall section: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html


Besides adding the "log" keyword on all of the rules,
these are the debugging tools I have been using:

 ipfw disable firewall
 ipfw -f flush
 ipfw enable firewall
 /etc/rc.d/ipfw start
 ipfw -a -S -N -t list
 ipfw list
 tail -f /var/log/ipfw/ipfw.log
 tcpdump -i nve0 'proto \tcp && port http'

Maybe that is your way, but not the syslogd way. tail /var/log/security, or less.


Could anyone please throw this tired dog a bone?

To be honest it's quite difficult to read someone else's code, but if you define the goals you are trying to achieve

For example, what is this?
>> add deny ip from any to 127.0.0.0/8
>> add deny ip from 127.0.0.0/8 to any




Start Here to Find It Fast!™ ->
 http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to
 "freebsd-security-unsubscribe@freebsd.org"
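As an added example that is not part of this thread (my own helper, not W.D.'s ruleset or anything from the list): a shell function that tallies ipfw "Deny" log lines per rule number, protocol, destination port and direction, which answers "which rule is blocking what" from the syslogd log the reply points at, without adding "log" to every rule. It assumes the line format ipfw writes via syslogd to /var/log/security (shown in the comments); the hosts, ports and rule numbers in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: tally ipfw "Deny" log lines by rule,
# protocol, destination port and direction, so the rule that is dropping a
# given kind of traffic stands out. It assumes the line format ipfw writes
# through syslogd when a rule carries "log", e.g.
#   ... kernel: ipfw: 65000 Deny TCP 192.0.2.10:51234 198.51.100.5:80 in via nve0
# and, for ICMP, "ICMP:type.code src dst" with no ports.

ipfw_deny_summary() {
    awk '
        {
            # find the "ipfw:" token so the syslog prefix length does not matter
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i + 2) != "Deny") next      # not an ipfw deny line
            rule = $(i + 1) + 0                          # "00500" -> 500
            proto = $(i + 3); dst = $(i + 5); dir = $(i + 6)
            port = dst; sub(/.*:/, "", port)             # keep only the port
            if (proto !~ /^(TCP|UDP)$/) port = "-"       # ICMP etc. have none
            n[rule " " proto " " port " " dir]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort -k5,5nr -k1,1n
}

# Constructed sample lines (hosts, ports and rule numbers are made up): the
# server 198.51.100.5 opens outbound HTTP, which no rule in the thread's
# ruleset allows in the "out" direction with "setup", so the final deny logs it.
SAMPLE_LOG='Dec 20 08:39:16 gw kernel: ipfw: 65000 Deny TCP 198.51.100.5:49152 203.0.113.80:80 out via nve0
Dec 20 08:39:17 gw kernel: ipfw: 65000 Deny TCP 198.51.100.5:49153 203.0.113.80:80 out via nve0
Dec 20 08:39:18 gw kernel: ipfw: 65000 Deny TCP 192.0.2.10:51234 198.51.100.5:8080 in via nve0
Dec 20 08:39:19 gw kernel: ipfw: 65000 Deny UDP 192.0.2.10:5353 198.51.100.5:5353 in via nve0
Dec 20 08:39:20 gw kernel: ipfw: 00500 Deny ICMP:11.0 203.0.113.1 198.51.100.5 in via nve0
Dec 20 08:39:21 gw sshd[1234]: Accepted publickey for wd from 192.0.2.10 port 50000 ssh2'

# Real use: ipfw_deny_summary < /var/log/security   (or pipe from tail -f)
# Output columns: rule proto dst_port direction count, busiest first
printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_summary
```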
Thread (posts with the same subject)
Full thread (this is post 4 of 11):