Re: FW: rc.firewall
Carroll Kong (damascus at eden.rutgers.edu)
Thu, 04 Nov 1999 13:16:21 -0500
- Next message: Rodney W. Grimes: "Re: Firewall questions"
- Previous message: Keith Stevenson: "Re: suidperl ? (Was: Examining FBSD set[ug]ids and their use)"
- In reply to: Igor Roshchin: "suidperl ? (Was: Examining FBSD set[ug]ids and their use)"
At 10:44 AM 11/4/99 -0700, Curtis Schofield wrote:
>Hello, I was checking out my firewall, and it seems that it doesn't actually
>do anything =). I've been trying to get it to block FTP lately, for example,
>but when I ftp in from a remote host it isn't blocked..
>
>Could someone help me?
>
>This is my situation:
>I am running a DHCP client and as such I don't have a static IP that I could
>put into the rc.firewall. I was told that it would be OK to generalize the
>whole thing (ie any to any) but it doesn't appear to be working..
>
>#!/bin/sh
>fwcmd="/sbin/ipfw -N"
>$fwcmd -f flush
>
>$fwcmd add 100 divert natd all from any to any via xl0
>$fwcmd add 110 pass all from any to any
>$fwcmd add 120 pass all from any to any via lo0
>$fwcmd add 130 pass tcp from any to any established
>$fwcmd add 144 pass all from 10.0.0.0/3 to any
>Please, someone help? Why doesn't this appear to work..
>
>(the only thing i could do to stop ftp was comment it out in /etc/services)
>
>I'm new to ipfw, and wouldn't mind if someone could help and or point me to
>resources that would help with this problem
>
>Thanks!
>Curtis
I snipped out a bit, but basically, if you have this rule:
$fwcmd add 110 pass all from any to any
it will pass all the packets, and never filter the others. By declaring
add <int> or so, you are saying... try out the rule in this order, and if
you already told it to pass all the packets with a rule # earlier than
consequential rules, the future rules will never get a chance to match. At
least, this seems like what is wrong to me.
To double check, reload that firewall script, run ipfw show as root, and
see if the #s in the first two columns of rule #110 are increasing, whereas
all the other rules underneath never have a match. If that is the case,
then my hypothesis is most likely correct, and that rule is passing
everything before even getting a chance to get matched.
-Carroll Kong
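The first-match behaviour Carroll describes can be seen without a FreeBSD box to hand. The script below is an added example, not code from the thread or from ipfw: it is a small POSIX sh evaluator that walks a constructed rule list in ascending number order and stops at the first match, the way ipfw does. The rule sets are a simplified model of the rc.firewall above (the divert rule and address qualifiers such as "from 10.0.0.0/3" are left out because they do not decide the pass/deny outcome), and the "140 deny tcp 21" line in the corrected set is an assumed illustration of where a specific rule has to sit.

```shell
#!/bin/sh
# Added example, not code from the thread: a toy first-match evaluator that
# imitates how ipfw walks rules in ascending number order and stops at the
# first rule that matches. No ipfw binary is needed; the rule sets below are
# a constructed, simplified model of the rc.firewall in the question (the
# divert rule and address qualifiers such as "from 10.0.0.0/3" are not
# modelled, since they do not decide the pass/deny outcome discussed here).
#
# Rule line : <number> <action> <proto|any> <dport|any> <iface|any> <any|established>
# Packet    : <proto> <dport> <iface> <setup|established>

# The poster's ordering: rule 110 passes everything, so no later rule is reached.
ORIGINAL_RULES="110 pass any any any any
120 pass any any lo0 any
130 pass tcp any any established"

# Assumed corrected ordering: the specific deny for the FTP control port sits
# in front of the catch-all pass, so an incoming tcp/21 connection setup is
# refused before the catch-all gets a look at it.
FIXED_RULES="120 pass any any lo0 any
130 pass tcp any any established
140 deny tcp 21 any any
500 pass any any any any"

# first_match RULES PROTO DPORT IFACE STATE
# Prints "<number> <action>" for the first rule that matches the packet.
# If nothing matches, reports ipfw's implicit final rule 65535, which denies
# unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
first_match() {
    rules=$1; proto=$2; dport=$3; iface=$4; state=$5
    while read num action rproto rport riface rstate; do
        [ -z "$num" ] && continue
        case "$rproto" in any|"$proto") ;; *) continue ;; esac
        case "$rport"  in any|"$dport") ;; *) continue ;; esac
        case "$riface" in any|"$iface") ;; *) continue ;; esac
        case "$rstate" in any|"$state") ;; *) continue ;; esac
        echo "$num $action"
        return 0
    done <<EOF
$rules
EOF
    echo "65535 deny"
}

# show RULES LABEL: walk a few constructed packets through one rule set.
show() {
    ruleset=$1; label=$2
    echo "== $label =="
    for pkt in "tcp 21 xl0 setup" "tcp 21 xl0 established" \
               "tcp 80 xl0 setup" "tcp 21 lo0 setup"; do
        set -- $pkt
        printf '%-24s -> %s\n' "$pkt" "$(first_match "$ruleset" "$1" "$2" "$3" "$4")"
    done
}

# In the original set every packet stops at rule 110. In the corrected set the
# tcp/21 setup is denied at 140; the "established" tcp/21 case passes at 130,
# but a connection can only become established if its setup was allowed.
show "$ORIGINAL_RULES" "original rc.firewall (rule 110 shadows the rest)"
show "$FIXED_RULES"    "deny tcp/21 placed before the catch-all pass"
```

On a real FreeBSD box the counterpart of the modelled deny rule would be along the lines of `ipfw add 140 deny tcp from any to any 21 in via xl0`, placed before any pass-all rule; Carroll's `ipfw show` check then confirms the ordering, because the packet and byte counters on rule 140 should climb while the catch-all rule stays quiet for FTP attempts.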
This archive was generated by hypermail 2.0b3 on Thu Nov 04 1999 - 12:17:04 CST