# Lost connection to server after enable IPFW



## Ricky (Jul 9, 2012)

Hi,
I have rented a dedicated server which have FreeBSD 8.1. I'm having some troubles configuring my IPFW Rules.

Here is my actual ipfw rule script

```
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow ip from any to any out keep-state
$IPF 70 allow all from any to me in limit src-addr 10

#Apache
$IPF 120 allow tcp from any to me 80

#PuTTy
$IPF 100 allow tcp from any to me 22
```

I guess my machine is connected to their data center through some IP address like this: 10.0.0.1

Is there any way that I can see all the IP addresses connected to me?


----------



## gordon@ (Jul 9, 2012)

`% netstat -an` will give you all of the connections your system currently has.


----------



## gkontos (Jul 9, 2012)

You can also use:

`# sockstat -4`

But the best way to troubleshoot any firewall related issues is tcpdump(1).
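A way to turn the `sockstat -4` output into a per-remote-address connection count, which is what you want to see when checking whether any single source is near the `limit src-addr 10` figure. This is an added example, not code from anyone in this thread; the sample `sockstat` output is constructed, and the `count_peers`/`over_limit` helper names are my own.

```sh
#!/bin/sh
# Constructed sample of `sockstat -4` output (not captured from a real host).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  4  tcp4   203.0.113.10:80       198.51.100.7:51234
www      httpd      1235  4  tcp4   203.0.113.10:80       198.51.100.7:51235
www      httpd      1236  4  tcp4   203.0.113.10:80       198.51.100.7:51236
root     sshd       999   3  tcp4   203.0.113.10:22       198.51.100.9:40000
root     sshd       800   4  tcp4   *:22                  *:*
www      httpd      700   4  tcp4   *:80                  *:*'

# Read sockstat-style text on stdin and print "count address" for every
# remote IPv4 address with an open socket, busiest first. The header line
# and listening sockets (foreign address "*:*") are skipped.
count_peers() {
    awk 'NR > 1 && $7 != "*:*" {
            sub(/:[0-9]+$/, "", $7)     # strip the remote port, keep the IP
            n[$7]++
        }
        END { for (a in n) print n[a], a }' | sort -rn
}

# Print only the remote addresses holding more than $1 connections
# (default 10, the same figure as the "limit src-addr 10" rule above).
over_limit() {
    limit=${1:-10}
    count_peers | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# Stand-alone run: use the live sockstat if present, else the sample above.
if command -v sockstat >/dev/null 2>&1; then
    sockstat -4 | count_peers
else
    printf '%s\n' "$SAMPLE_SOCKSTAT" | count_peers
fi
```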


----------



## Ricky (Jul 10, 2012)

Thank you both for your help.

Problem solved 

EDIT:
Just one last thing.


```
$IPF 70 allow all from any to me in limit src-addr 10
```

I want to limit 10 connections per ip.

Is this rule right?


----------



## francis (Jul 10, 2012)

Hi *Ricky*! Please remember and note that on _31 July_ (it will be on Tuesday, if I'm not mistaken), support for FreeBSD 8.1 will end - _Estimated EoL (end-of-life)_. You should consider upgrading to one of the available versions, except the 8.2-RELEASE, because its support will also end on _July 31_. So you have to choose e.g. 8.3-RELEASE (which is an _Extended_ Release) or 9-RELEASE. More info: Supported FreeBSD Releases.

Best regards!

Oh, I noticed you have posted the question about the connection limit. According to the ipfw(8) man page it is possible with the *setup limit* options, which - in fact - are already in your rule:

`ipfw add allow tcp from 192.168.0.0/24 to any 80 limit src-addr 10`

_e.g. a rule that allows establishing up to 10 TCP connections on port 80 from "our" network_

The *src-addr* determines outgoing connections made from _our_ network. You can also define the inverse limit - connections to the *192.168.0.0/24* network address.

`ipfw add allow tcp from any to me setup limit src-addr 4`

In the above example _a client does not use more than 4 simultaneous connections._ Your rule appears to be correct, but notice that you have added _*in*_ between _*to me*_ and _*limit*_. I do not know whether it makes a difference, because I have not used the ipfw firewall for a long time.


----------



## Ricky (Jul 11, 2012)

`in` means all incoming connections. This way I can have few incoming connections and still be able to send whatever my server wants to. No one can send more than 10 connections to my server. I guess this will protect me against some DoS attacks.

I would love to have FreeBSD 9.0-RELEASE in my rented dedicated server but they don't support it. Already tried it at home and it seems pretty nice 

Thank you for your help.


----------



## gkontos (Jul 11, 2012)

Ricky said:

> I would love to have FreeBSD 9.0-RELEASE in my rented dedicated server but they don't support it.

If this is a dedicated server you can install any OS you want.


----------

