# IPFW problem



## BlackWolf (Dec 21, 2010)

Hi, I have a server (FreeBSD 8.1) and a client (Fedora 13, 10.10.10.2).

My rc.conf:

```
keymap="us.iso"
hostname="ServerBSD.Casa.org"
defaultrouter="192.168.1.1"
sshd_enable="YES"
natd_enable="YES"
natd_flags=""
named_enable="YES"
natd_interface="rl0"
gateway_enable="YES"
firewall_enable="YES"
firewall_quiet="NO"
firewall_script="/etc/router2.firewall"
firewall_logging="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"

network_interfaces="auto"
ifconfig_rl0="inet 192.168.1.100 netmask 255.255.255.0"
ifconfig_fxp0="inet 10.10.10.254 netmask 255.255.255.0"
```

My resolv.conf:

```
nameserver 212.216.112.112
nameserver 212.216.172.62
```

My router2.firewall:

```
################ Start of IPFW rules file ###############################
ipfw -q -f flush

# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"   

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

#################################################################
#Outbound Section
#################################################################
$cmd 00110 allow tcp from any to 212.212.112.112 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.112.112 53 out via $pif keep-state
$cmd 00110 allow tcp from any to 212.212.172.67 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.172.67 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

$cmd 00299 deny log all from any to any out via $pif

################################################################
#Inbound Section
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif     #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif           #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif         #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif             #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif         #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
```

My client can ping the server.
My client can't ping the router 192.168.1.1 or get to the Internet.
Can you help me?


----------



## rusty (Dec 21, 2010)

What if you comment out this:

```
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
```


----------



## BlackWolf (Dec 24, 2010)

Nothing.

This is the problem:

```
$cmd 00299 deny log all from any to any out via $pif
```

But if I comment this out:

```
#$cmd 00299 deny log all from any to any out via $pif
```

this is the new problem!!!

```
$cmd 00999 deny log all from any to any
```


----------



## Tomtor (Dec 24, 2010)

You will have to add explicit rules to allow the intended traffic, e.g.


```
allow all from any to any out via $pif
allow icmp from any to any
```


----------



## Tomtor (Dec 24, 2010)

Tomtor said:

> You will have to add explicit rules to allow the intended traffic, e.g.
> 
> allow all from any to any out via $pif
> allow icmp from any to any



Without more information about your local network and your connectivity to the Internet
(e.g. does your router/modem have a firewall?) it is hard to help you.

Your current rules are quite restrictive; do you really want to limit outbound TCP traffic to HTTP, mail and cvsup?

Most people want to use their firewall to limit incoming traffic, but trust sources on the internal network.

To get started I would enter at the start of the inbound section:


```
# Allow all icmp traffic for a start
$cmd 00300 allow log icmp from any to any
# allow all outbound traffic for a start
$cmd 00301 allow all from any to any out via $pif
```

and comment out the original rules 300 to 308.

I would have expected that rusty's suggestion would have allowed traffic.

To debug you should replace any plain 'deny' with 'deny log' and inspect or post /var/log/security.


----------



## BlackWolf (Dec 25, 2010)

This is my network



```
internet
|
router alice
192.168.1.1
|
192.168.1.100
ServerBSD.Casa.org
(FreeBSD 8.1)
10.10.10.254
|
10.10.10.2
PC-00
(Fedora 13)
```


```
################ Start of IPFW rules file ###############################
ipfw -q -f flush

# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"   

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

#################################################################
#Outbound Section
#################################################################
$cmd 00110 allow tcp from any to 212.212.112.112 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.112.112 53 out via $pif keep-state
$cmd 00110 allow tcp from any to 212.212.172.67 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.172.67 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

$cmd 00299 deny log all from any to any out via $pif

################################################################
#Inbound Section
#################################################################

# Allow all icmp traffic for a start
$cmd 00300 allow log icmp from any to any
# allow all outbound traffic for a start
$cmd 00301 allow all from any to any out via $pif

# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
#$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif     #RFC 1918 private IP
#$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif           #RFC 1918 private IP
#$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif         #loopback
#$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif             #loopback
#$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
#$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
#$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
#$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif         #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
```

But nothing.


----------



## Tomtor (Dec 25, 2010)

Oops, my fault.

I missed rule 00299; comment it out...


----------



## BlackWolf (Dec 25, 2010)

I commented out 00299 and this is my /var/log/security:


```
Dec 25 19:38:23 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:25525 in via rl0
Dec 25 19:38:26 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
Dec 25 19:38:28 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:36460 in via rl0
Dec 25 19:38:30 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:25525 in via rl0
Dec 25 19:38:40 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:36460 in via rl0
Dec 25 19:38:45 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:36106 in via rl0
Dec 25 19:38:50 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:17087 in via rl0
Dec 25 19:38:52 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:36106 in via rl0
Dec 25 19:39:02 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:17087 in via rl0
Dec 25 19:39:07 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:60039 in via rl0
Dec 25 19:39:12 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:53888 in via rl0
Dec 25 19:39:14 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:60039 in via rl0
Dec 25 19:39:24 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:53888 in via rl0
Dec 25 19:39:29 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:49646 in via rl0
Dec 25 19:39:34 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:27245 in via rl0
Dec 25 19:39:36 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:49646 in via rl0
Dec 25 19:39:46 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:27245 in via rl0
Dec 25 19:40:17 ServerBSD kernel: ipfw: 499 Deny UDP 192.168.1.1:138 192.168.1.255:138 in via rl0
Dec 25 19:40:17 ServerBSD kernel: ipfw: 499 Deny UDP 192.168.1.1:138 192.168.1.255:138 in via rl0
Dec 25 19:40:31 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
```

And if I comment out 499:


```
Dec 25 19:42:25 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:51271 in via rl0
Dec 25 19:42:30 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:52630 in via rl0
Dec 25 19:42:32 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:51271 in via rl0
Dec 25 19:42:36 ServerBSD kernel: ipfw: 999 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
Dec 25 19:42:42 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:52630 in via rl0
Dec 25 19:42:47 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:48546 in via rl0
Dec 25 19:42:52 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:43106 in via rl0
Dec 25 19:42:54 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:48546 in via rl0
Dec 25 19:43:04 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:43106 in via rl0
Dec 25 19:43:09 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:52427 in via rl0
Dec 25 19:43:14 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:29709 in via rl0
Dec 25 19:43:16 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:52427 in via rl0
Dec 25 19:43:26 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:29709 in via rl0
Dec 25 19:43:31 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:56734 in via rl0
Dec 25 19:43:36 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:48420 in via rl0
Dec 25 19:43:38 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:56734 in via rl0
Dec 25 19:43:48 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:48420 in via rl0
Dec 25 19:44:41 ServerBSD kernel: ipfw: 999 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
```
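
Tomtor's advice earlier in the thread (turn every plain `deny` into `deny log` and read /var/log/security) is what produced the two dumps above, and reading them line by line is how the thread's mistakes get found. The script below is an added example, not part of the thread and not ipfw's own tooling: it parses the FreeBSD 8 ipfw log format shown above, maps the `P:2` protocol number to its IANA name (IGMP, the router's all-hosts membership query to 224.0.0.1), and tallies denied packets per rule with a heuristic reading written for this thread's topology. The sample lines are copied from the dumps above and from the Dec 27 post further down; the classification text is the editor's, not ipfw output.

```python
"""Summarise ipfw 'deny log' entries from /var/log/security.
Added example, not from the thread; the readings in classify() are heuristics
written for this thread's topology, not anything ipfw itself reports."""
import re
from collections import Counter, defaultdict

# FreeBSD 8 ipfw(8) kernel log line, e.g.
#   ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:25525 in via rl0
#   ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

IP_PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers


def parse_line(line):
    """Return a dict of the log fields, or None for lines that are not ipfw entries."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    if d["proto"].startswith("P:"):        # ipfw prints "P:<n>" for protocols it has no name for
        d["proto"] = IP_PROTO_NAMES.get(int(d["proto"][2:]), d["proto"])
    return d


def classify(e):
    """Heuristic reading of one denied packet for a NAT box with rl0 outside, fxp0 inside."""
    if e["proto"] == "IGMP" and e["dst"] == "224.0.0.1":
        return "IGMP all-hosts query from the router; harmless to drop"
    if e["dir"] == "in" and e["sport"] == 53 and e["proto"] in ("UDP", "TCP"):
        return ("DNS reply dropped on the way in: the outbound query matched no rule "
                "with keep-state, so no dynamic rule exists for the answer")
    if e["dir"] == "out" and e["proto"] == "TCP" and e["dport"] == 80:
        return ("non-SYN HTTP packet with no dynamic rule: a 'setup' rule only matches "
                "the SYN, later packets need check-state or an 'established' rule")
    if e["dir"] == "in" and e["dport"] == 138 and e["dst"].endswith(".255"):
        return "NetBIOS datagram broadcast; harmless to drop"
    return "unclassified"


def summarise(lines):
    """Count denied packets per rule and per reading; returns (Counter, {rule: Counter})."""
    by_rule, reasons = Counter(), defaultdict(Counter)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        by_rule[e["rule"]] += 1
        reasons[e["rule"]][classify(e)] += 1
    return by_rule, reasons


# Sample input: lines copied from the thread's /var/log/security postings.
SAMPLE_LOG = """\
Dec 25 19:38:23 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:25525 in via rl0
Dec 25 19:38:26 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
Dec 25 19:38:28 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:36460 in via rl0
Dec 25 19:40:17 ServerBSD kernel: ipfw: 499 Deny UDP 192.168.1.1:138 192.168.1.255:138 in via rl0
Dec 27 07:17:25 ServerBSD kernel: ipfw: 999 Deny TCP 10.10.10.2:57541 66.220.151.80:80 out via rl0
""".splitlines()

if __name__ == "__main__":
    by_rule, reasons = summarise(SAMPLE_LOG)
    for rule, n in sorted(by_rule.items()):
        print(f"rule {rule}: {n} denied")
        for reason, cnt in reasons[rule].most_common():
            print(f"    {cnt:3d}  {reason}")
```

Run it as `python3 ipfw_log_summary.py < /var/log/security` after swapping `SAMPLE_LOG` for `sys.stdin`; the per-rule counts tell you which terminal deny is doing the work, and the reading beside each count says which outbound rule to look at first.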


----------



## Tomtor (Dec 25, 2010)

Ok, almost there...

Add this line to allow DNS queries; place it after the commented-out 00299:


```
# Allow DNS queries out in the world
$cmd 00299 add pass udp from me to any 53 keep-state
```


----------



## BlackWolf (Dec 25, 2010)

When I reboot:

```
ipfw: invalid action add
```

I wrote

```
$cmd 00110 allow tcp from any to 212.212.112.112 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.112.112 53 out via $pif keep-state
$cmd 00110 allow tcp from any to 212.212.172.67 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.172.67 53 out via $pif keep-state
```

Those are my DNS servers; they are in resolv.conf too.
But my DNS server is 192.168.1.1.


----------



## BlackWolf (Dec 25, 2010)

There is an extra ADD:


```
# Allow DNS queries out in the world
$cmd 00299 pass udp from me to any 53 keep-state
```
I corrected it, but nothing.

I haven't even said thanks for everything.


----------



## Tomtor (Dec 26, 2010)

BlackWolf said:

> there is ADD more
> 
> 
> ```
> ...



Replace "from me" with "from all" in that rule; that should fix DNS queries not originating from the server.

Basically the configuration you started with was OK, except that DNS rules were missing and you filtered out 10/24 and 192.168/16 traffic.

In your current setup the only thing not yet working is DNS; ping and browser traffic to IP addresses should already work.


----------



## Tomtor (Dec 26, 2010)

BlackWolf said:

> when i reboot:
> 
> ipfw: invalid action add
> 
> ...



I'm not sure those 4 rules help, and they will overrule later rules in the same configuration. Processing stops at the first matching rule, so you'd better remove them.

You were getting, e.g., blocked DNS replies from 212.216/16, and I'm not sure keep-state works for replies from different addresses in rules with an explicit `to`.

Better would be

```
$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state
```

which could replace my suggestion

```
$cmd 00299 pass udp from me to any 53 keep-state
```
because it is stricter and more secure.


----------



## BlackWolf (Dec 26, 2010)

These are the rules:


```
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"     

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

#################################################################
# Outbound Section
#################################################################

$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

# Allow DNS queries out in the world
$cmd 00299 pass udp from all to any 53 keep-state

#################################################################
# Inbound Section
#################################################################

# Allow all icmp traffic for a start
$cmd 00300 allow log icmp from any to any

# Allow all outbound traffic for a start
$cmd 00301 allow all from any to any out via $pif

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif


$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
```

security log:

```
Dec 26 10:01:12 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
```


----------



## Tomtor (Dec 26, 2010)

So, is it working now?

No more dropped packets in the log (except that unimportant routing multicast), so browsing should work.

You should remove rule 299 (because it is replaced by rule 111), and rules 300 and 301 because they were only for debugging.


----------



## BlackWolf (Dec 27, 2010)

Rules:


```
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"     

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

#################################################################
# Outbound Section
#################################################################

$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

#################################################################
# Inbound Section
#################################################################

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif


$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
```

security log:


```
Dec 27 07:17:25 ServerBSD kernel: ipfw: 999 Deny TCP 10.10.10.2:57541 66.220.151.80:80 out via rl0
Dec 27 07:17:40 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
Dec 27 07:17:47 ServerBSD kernel: ipfw: 999 Deny TCP 10.10.10.2:57541 66.220.151.80:80 out via rl0
Dec 27 07:18:33 ServerBSD kernel: ipfw: 999 Deny TCP 10.10.10.2:57541 66.220.151.80:80 out via rl0
```

Nothing.


----------



## qsecofr (Dec 27, 2010)

The setup keyword matches TCP packets that have the SYN bit but no ACK bit, according to `man ipfw`.

You might try temporarily adding a rule to allow out established packets on port 80. At least something to help you diagnose why some packets to port 80 are not allowed out. Once you know why they're denied you can then take action to allow them (or not).
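
Tomtor's point a few posts up (processing stops at the first matching rule) and qsecofr's point here (`setup` matches only a SYN without ACK) together account for the denied lines in the thread's logs. The model below is an added example, not ipfw code and not from any poster: it reduces ipfw to the matching features these rules use (protocol, destination, port, in/out, `via`, `setup`, `keep-state`, `check-state`), builds a cut-down version of the thread's ruleset with the knobs the thread turned, and replays the thread's own packets: the DNS reply logged on Dec 25, the rule 299/301 ordering mistake, and the non-SYN port-80 packet logged on Dec 27. As in ipfw, a dynamic rule records the flow's real addresses, so an explicit `to` on a keep-state rule only restricts which queries create state; the thread's rules 110/111 named 212.212.x.x while resolv.conf held 212.216.x.x, so the queries never matched them at all. Addresses and ports are taken from the logs above; the IMAPS flow to 198.51.100.7 (a documentation address) is constructed.

```python
"""Toy model of ipfw first-match evaluation with keep-state / check-state.
Added example, not ipfw code and not from the thread; only the matching
features the thread's rules use are modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out"
    iface: str            # interface the packet is seen on (ipfw 'via')
    setup: bool = False   # TCP SYN without ACK, which ipfw 'setup' matches

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                      # "allow", "deny" or "check-state"
    proto: str = "all"
    dst: str = "any"                 # host or CIDR; source matching is not modelled
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in", "out" or None for both
    iface: Optional[str] = None      # ipfw 'via'
    setup: bool = False
    keep_state: bool = False

def static_match(rule, pkt):
    """Does the rule body match the packet? Dynamic state is not consulted here."""
    return (rule.proto in ("all", pkt.proto)
            and (rule.dst == "any" or ip_address(pkt.dst) in ip_network(rule.dst, strict=False))
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (not rule.setup or (pkt.proto == "tcp" and pkt.setup)))

def flow(pkt):
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)  # ipfw walks rules by number
        self.dynamic = set()                             # flows that hold a dynamic rule

    def evaluate(self, pkt):
        """Return (rule number, action) of the first rule that decides the packet."""
        for rule in self.rules:
            if rule.action == "check-state":
                rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
                if flow(pkt) in self.dynamic or rev in self.dynamic:
                    return rule.num, "allow"   # every dynamic rule here has an allow parent
                continue
            if static_match(rule, pkt):
                if rule.keep_state:            # the state records the flow's real addresses
                    self.dynamic.add(flow(pkt))
                return rule.num, rule.action
        return 65535, "deny"                   # ipfw's implicit default rule

def ruleset(dns_dst="any", deny_out_299=False, allow_out_301=False):
    """Cut-down version of the thread's ruleset with the knobs the thread turned."""
    rules = [Rule(5, "allow", iface="fxp0"), Rule(10, "allow", iface="lo0"),
             Rule(15, "check-state"),
             Rule(111, "allow", "udp", dst=dns_dst, dport=53, direction="out",
                  iface="rl0", keep_state=True),
             Rule(200, "allow", "tcp", dport=80, direction="out", iface="rl0",
                  setup=True, keep_state=True),
             Rule(499, "deny", direction="in", iface="rl0"), Rule(999, "deny")]
    if deny_out_299:
        rules.append(Rule(299, "deny", direction="out", iface="rl0"))
    if allow_out_301:
        rules.append(Rule(301, "allow", direction="out", iface="rl0"))
    return Firewall(rules)

# Addresses and ports of the first four flows come from the thread's logs; IMAPS is constructed.
QUERY = Packet("udp", "192.168.1.100", 25525, "212.216.112.112", 53, "out", "rl0")
REPLY = Packet("udp", "212.216.112.112", 53, "192.168.1.100", 25525, "in", "rl0")
SYN = Packet("tcp", "10.10.10.2", 57541, "66.220.151.80", 80, "out", "rl0", setup=True)
ACK = Packet("tcp", "10.10.10.2", 57541, "66.220.151.80", 80, "out", "rl0")
IMAPS = Packet("tcp", "192.168.1.100", 40000, "198.51.100.7", 993, "out", "rl0", setup=True)

def dns_reply_fate(dns_dst="any", allow_out_301=False):
    """Dec 25 log: with rule 111 naming 212.212.x.x (resolv.conf says 212.216.x.x) the
    query leaves via debugging rule 301, which keeps no state, so the reply dies at 499.
    With Tomtor's 'allow udp from any to any 53 ... keep-state' the reply matches rule 15."""
    fw = ruleset(dns_dst=dns_dst, allow_out_301=allow_out_301)
    return fw.evaluate(QUERY), fw.evaluate(REPLY)

def deny_before_allow():
    """Rule 301 'allow all out' is dead when 299 'deny all out' precedes it."""
    return ruleset(deny_out_299=True, allow_out_301=True).evaluate(IMAPS)

def http_without_state():
    """Dec 27 log: a non-SYN packet to port 80 with no dynamic rule skips 'setup' rule 200
    and hits 999; once the SYN has created state, the same packet passes at rule 15."""
    fw = ruleset()
    return fw.evaluate(ACK), fw.evaluate(SYN), fw.evaluate(ACK)
```

What the model cannot show is why packets that ipfw allows still go nowhere. The rc.conf at the top sets `natd_enable="YES"`, but none of the posted rulesets contains a `divert natd` rule (the stock /etc/rc.firewall adds one; `firewall_script` here points at a custom file, which has to add its own), and natd only rewrites packets that a divert rule hands it. So traffic from 10.10.10.2 leaves rl0 with its private source address, which is the effect Tomtor's closing post attributes to the upstream router.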


----------



## Tomtor (Dec 28, 2010)

*Try this conf*


```
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"     

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

# Allow TCP through if setup succeeded
$cmd 00110 allow tcp from any to any established

#################################################################
# Outbound Section
#################################################################

$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

#################################################################
# Inbound Section
#################################################################

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny log all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny log tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif


$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
```


----------



## BlackWolf (Dec 30, 2010)

```
Dec 30 09:26:40 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
```

Nothing. This is the security log.


----------



## Tomtor (Jan 1, 2011)

BlackWolf said:

> ```
> Dec 30 09:26:40 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
> ```
> 
> ...



You have zero dropped packets and log all dropping rules, so there is no reason to blame your FreeBSD firewall anymore.

My guess is that your upstream router (alice, 192.168.1.1) is now the problem and is not doing NAT for your TCP streams originating from your 10/24 Linux box.

Cannot help you with that...


----------

