OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ramsey G. Brenner (rgbrennermyrealbox.com)
Date: Mon Jul 01 2002 - 20:36:30 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    You forgot about DNS. If you change rule 550 from
    add 550 allow log udp from me to any 21,80 keep-state out
    to
    add 550 allow log udp from me to any 21,53,80 keep-state out
    it should work.

    You may want to find out what IPs you use for DNS, and specifically allow
    those addresses.

    I loaded your rules and im not having any problems now.

    On Monday 01 July 2002 07:05 pm, nascar24 wrote:
    > This is my current ruleset:
    >
    > # allow loopback traffic
    > add 100 allow ip from any to any via lo0
    >
    > # protect loopback address
    > add 200 deny log ip from 127.0.0.1 to any
    > add 249 deny log ip from any to 127.0.0.1
    >
    > # block spoofs
    > add 400 deny log ip from me to any in via ed0
    >
    > # enable NATD
    > add 425 divert 8668 ip from any to any via ed0
    >
    > # check dynamic rules
    > add 450 check-state
    >
    > # make dynamic entries for all outgoing traffic
    > add 500 allow log tcp from me to any 1-65535 keep-state out
    > add 550 allow log udp from me to any 1-65535 keep-state out
    >
    > # services we offer to the world
    > add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in
    >
    > # pass ICMP
    > add 700 allow log icmp from me to any out
    > add 750 allow log icmp from any to me in
    >
    > # pass everything on private LAN
    > add 800 allow log all from 192.168.0.0/16 to any
    > add 850 allow log all from any to 192.168.0.0/16
    >
    > # log rejects that have fallen through
    > add 65000 deny log ip from any to any
    >
    > Whith this ruleset I can browse websites, FTP sites etc.
    >
    > But when I replace rules 500 and 550 with this:
    >
    > add 500 allow log tcp from me to any 21,80 keep-state out
    > add 550 allow log udp from me to any 21,80 keep-state out
    >
    > I cannot acces any websites nor FTP sites. But I guess I had just allowed
    > it?
    >
    > Or is the 'out' the problem here.
    >
    > Marcel.
    >
    > On Monday 01 July 2002 06:45 pm, nascar24 wrote:
    > > What I mean is that I want to grand acces to the internet. But only to
    > > ports I 'trust', like 80,21,22 etc. But when I make a rule like:
    > >
    > > add 550 allow ip from me to any 80,21,22
    > >
    > > I cannot acces a website, that puzzles me.
    >
    > There is a problem with the rule in the example: You allowed traffic to
    > leave
    > through those ports, but not to enter. We can fix this rule:
    >
    > add 550 allow tcp from me to any 80,21,22 keep-state
    >
    > I noticed you already had a rule 550 - you may want to give it a different
    > number. IPFW (running 4.5R here) gives the following error when trying to
    > load your rule:
    >
    > ipfw: only TCP and UDP protocols are valid with port specifications
    >
    > hence why i changed it from ip to tcp.
    >
    > GL 

    -- 
----------
Ramsey G. Brenner
rgbrennermyrealbox.com
http://rgbrenner.cjb.net/

    To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message