
Re: IPFW works a little too well...



Hi!

Anthony Landreneau (landrena@idsno.com):
> below. The problem, when I execute the script nothing comes in, nothing
> goes out, the perfect firewall. The bad news is I need some traffic to
> pass. The network behind the firewall is a subnet of a class B network with

Uhhm, it seems you mixed some source/destination ports. I'm not sure about
-b - I've removed it (by mistake??) I'd try the following modifications:

> #  By Default DENY ALL services first
> ipfwadm -F -p deny
> #
> #  Flush all Commands
> ipfwadm -F -f
> ipfwadm -I -f
> ipfwadm -O -f
> #
> #  Allow email to NCTAMS01 
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.13

ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 111.229.13.13 25

> #  Allow email to NS1 Relay host
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.2

ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 111.229.13.2 25

> #  Allow email to outside mail servers from NCTAMS01
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.13 25 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -P tcp -S 111.229.13.13 -D 0.0.0.0/0 25 

> #  Allow email to outside mail servers from NS1
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.2 25 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -P tcp -S 111.229.13.2  -D 0.0.0.0/0 25

> #  Allow DNS traffic to NS1
> ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 111.229.13.2
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 53 -D 111.229.13.2
> ipfwadm -F -a accept -b -P tcp -S 111.229.232.0/24 82 -D 111.229.13.2

# what is port 82? I'm skipping this one
ipfwadm -F -a accept -P udp -S 0.0.0.0/0 -D 111.229.13.2 53
ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 111.229.13.2 53

> #  Allow Web connections to outside Web Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 80 -D 0.0.0.0/0 1024:65535 

ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 -D 0.0.0.0/0 80

> #  Allow FTP connection to outside Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 20 -D 0.0.0.0/0 1024:65535 
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 21 -D 0.0.0.0/0 1024:65535 

# not touching FTP - trying to avoid emitting bogons.

> #  Allow Telnet connections to outside Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 23 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -P tcp -S 111.229.13.0/24 -D 0.0.0.0/0 23

> #  Allow NTP time to NS1
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.2 123 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 111.229.13.2 123 


Ok, since my packet filter is less restrictive (and based on an
allow-policy) I'm definitely not sure if this is correct. At least the first
packet to initiate a connection should find its way :-) Don't know if the
addressed host is able to reply. Try re-adding -b's if it doesn't work.

I wonder why you're (only) using a forward rule. I'd set the Incoming rules(,
too). 

Rainer

-- 
KeyID=58341901 fingerprint=A5 57 04 B3 69 88 A1 FB  78 1D B5 64 E0 BF 72 EB
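Added example, not part of this thread or of ipfwadm itself: a small linter that parses ipfwadm command lines in the form quoted above and explains which connection direction each rule really matches. It flags the mistake under discussion (a well-known service port on the -S side with the ephemeral range on -D, which describes the inside host acting as a server rather than a client) and notes when only the forwarding chain carries rules. It assumes the -F/-I/-O, -a, -P, -b, -S and -D option layout seen in the quoted script; the sample ruleset at the bottom is constructed from lines in the thread.

```python
"""Lint ipfwadm(8) forwarding rules for swapped source/destination ports.

Added example, not the thread's own code. Parses lines such as
  ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 80 -D 0.0.0.0/0 1024:65535
and reports what they actually permit. Assumes the option layout used in
the quoted script; it is not a complete ipfwadm option parser.
"""
import shlex
from dataclasses import dataclass

EPHEMERAL_LOW = 1024  # ports >= 1024 are treated as client-side ports


@dataclass
class Rule:
    chain: str      # F (forward), I (input) or O (output)
    policy: str     # accept / deny / reject
    proto: str      # tcp / udp / ...
    bidir: bool     # -b given: rule also matches the reverse direction
    src: str
    sports: list    # port tokens after -S, e.g. ["80"] or ["1024:65535"]
    dst: str
    dports: list


def _is_opt(tok):
    return tok.startswith("-")


def parse_rule(line):
    """Parse one 'ipfwadm ...' line; return a Rule, or None for lines that
    carry no -S/-D pair (flush commands, default policies, comments)."""
    toks = shlex.split(line, comments=True)
    if not toks or toks[0] != "ipfwadm":
        return None
    chain = policy = proto = src = dst = None
    bidir = False
    sports, dports = [], []
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("-F", "-I", "-O"):
            chain = t[1]
            i += 1
        elif t in ("-a", "-p"):          # append with target / default policy
            policy = toks[i + 1]
            i += 2
        elif t == "-P":
            proto = toks[i + 1].lower()
            i += 2
        elif t == "-b":
            bidir = True
            i += 1
        elif t in ("-S", "-D"):
            addr = toks[i + 1]
            i += 2
            ports = []
            while i < len(toks) and not _is_opt(toks[i]):  # port list follows addr
                ports.append(toks[i])
                i += 1
            if t == "-S":
                src, sports = addr, ports
            else:
                dst, dports = addr, ports
        else:                            # -f and anything else we do not model
            i += 1
    if src is None or dst is None:
        return None
    return Rule(chain, policy, proto, bidir, src, sports, dst, dports)


def port_class(ports):
    """'any' (no port given), 'service' (all below 1024), 'ephemeral'
    (all at or above 1024) or 'mixed'."""
    if not ports:
        return "any"
    lows = [int(p.split(":")[0]) for p in ports]
    if all(lo >= EPHEMERAL_LOW for lo in lows):
        return "ephemeral"
    if all(lo < EPHEMERAL_LOW for lo in lows):
        return "service"
    return "mixed"


def lint_rule(rule):
    """Return a list of findings (strings) for one accept rule."""
    findings = []
    if rule.policy != "accept":
        return findings
    sc, dc = port_class(rule.sports), port_class(rule.dports)
    if sc == "service" and dc in ("ephemeral", "any"):
        msg = (f"service port {rule.sports} is on the -S side: this matches "
               f"{rule.src} acting as the server (traffic it sends from that port)")
        if rule.bidir:
            msg += "; with -b it also admits outside clients connecting to that port on " + rule.src
        msg += f". If {rule.src} is meant to be the client, move the port to -D."
        findings.append(msg)
    if sc == "ephemeral" and dc == "any":
        findings.append(f"no -D port: accepts every {rule.proto} service on {rule.dst} "
                        "from high source ports; give -D the intended service port.")
    return findings


def lint_ruleset(lines):
    """Lint every line; return [(rule line, finding), ...], plus a ruleset-level
    note when only the forwarding chain (-F) carries rules."""
    out, chains = [], set()
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        chains.add(rule.chain)
        out.extend((line.strip(), f) for f in lint_rule(rule))
    if chains and chains <= {"F"}:
        out.append(("<ruleset>", "only -F rules present; traffic to and from the "
                    "firewall host itself is governed by the -I/-O chains."))
    return out


# Constructed sample: the original rules and two of the corrected ones from the thread.
SAMPLE_RULES = [
    "ipfwadm -F -p deny",
    "ipfwadm -F -f",
    "ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.13",
    "ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 80 -D 0.0.0.0/0 1024:65535",
    "ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 111.229.13.13 25",
    "ipfwadm -F -a accept -P tcp -S 111.229.13.0/24 -D 0.0.0.0/0 80",
]

if __name__ == "__main__":
    for where, finding in lint_ruleset(SAMPLE_RULES):
        print(f"{where}\n    -> {finding}")
```

The classifier is deliberately simple: it only reasons about which side of the rule carries the low-numbered port, which is exactly the confusion in the quoted script, and it stays silent on the corrected rules that put the service port on -D.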
