A 'Closed' IPFW on 8.1 is not blocking ports

Hi Guys

I have set up IPFW on FreeBSD 8.1 amd64, but while I have set the 'closed' option in rc.conf, it is not actually blocking ports by default. For example, I comment out the line allowing port 21, but after I load the rules I can still access ftp. If I set it to deny, then it is denied.

I have been discussing this with Jailed and he suggested that this may be related to some bugs with IPFW and the amd64-8.1. Has anyone discovered the same issue?

This is my IPFW config:

/etc/rc.conf
Code:
# ENABLE FIREWALL SETTINGS
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="closed"

/etc/sysctl.conf
Code:
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

/boot/loader.conf
Code:
## Enable ipfw
ipfw_load="YES"
ipdivert_load="YES"

/usr/src/sys/amd64/conf/MYKERNEL
Code:
# Firewall Support
options         IPFIREWALL
options         HZ=1000
options         IPDIVERT

This is a minimal ipfw ruleset that Jailed wrote for me to help test the firewall:
/etc/ipfw.rules
Code:
IPF="ipfw -q add"
ipfw -q -f flush

# allow all internal connections
$IPF 11 allow all from me to me

# allow all passive ports to all IPs.
$IPF 60 allow all from any to any 1024-65535

# allow pings both in and out
$IPF 90 allow icmp from any to any

# Connections to host.
$IPF 900 allow all from any to xxx.xxx.xxx.xx2 22
$IPF 910 allow all from any to xxx.xxx.xxx.xx2 80
$IPF 920 allow all from any to xxx.xxx.xxx.xx2 1194
# Connections to Webserver.
$IPF 1000 allow all from any to xxx.xxx.xxx.xx3 80
$IPF 1010 allow all from any to xxx.xxx.xxx.xx3 443
$IPF 1020 allow all from any to xxx.xxx.xxx.xx3 21

Thanks.
 
Does 'ipfw show' display a default deny rule at the bottom of your ruleset? I assume you mean the xx3 IP. You may want to add port 20 after port 21. One is the control channel, the other is data. If there is a default deny rule, and logging is on (5 may be too low a threshold to be helpful, YMMV), then denied packets should be visible in /var/log/security
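As an added example (not code from the thread), here is a POSIX shell check of the point made in the reply above: what happens to a port depends on the first matching rule and, failing that, on the action of the default rule 65535. It walks a constructed 'ipfw show' dump modelled on the posted ruleset (the counters and the 192.0.2.x addresses are assumed stand-ins for the xxx.xxx.xxx.xx* hosts) with a simplified first-match matcher that only understands the rule forms in the samples, not a full ipfw parser.

```shell
#!/bin/sh
# Constructed sample of `ipfw show` output (counters are made up), modelled on
# the ruleset posted in this thread. 192.0.2.3 stands in for the web server.
RULES_ALLOW_DEFAULT='00011    0      0 allow ip from me to me
00060  120  14400 allow ip from any to any dst-port 1024-65535
00090    3    252 allow icmp from any to any
00900   10   1200 allow ip from any to 192.0.2.2 dst-port 22
01020    0      0 allow ip from any to 192.0.2.3 dst-port 21
65535  500  60000 allow ip from any to any'

# Same dump with rule 1020 (the FTP control port) removed, as in the question.
RULES_NO_FTP_ALLOW_DEFAULT=$(printf '%s\n' "$RULES_ALLOW_DEFAULT" | grep -v '^01020 ')

# Same again, but with a denying default rule 65535, which is what 'closed' intends.
RULES_NO_FTP_DENY_DEFAULT=$(printf '%s\n' "$RULES_NO_FTP_ALLOW_DEFAULT" | sed '/^65535 /s/ allow / deny /')

# Action of the default rule 65535 ("allow" or "deny") in an `ipfw show` dump.
ipfw_default_policy() {
    printf '%s\n' "$1" | awk '$1 == "65535" { print $4 }'
}

# First-match walk for a TCP packet from an outside host to DSTIP:DSTPORT.
# Simplified on purpose: proto ip/tcp, "from any", "to any" or one address,
# optional "dst-port N" or "dst-port N-M". Prints "<rule> <action>".
ipfw_first_match() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" '
        $4 != "allow" && $4 != "deny" { next }
        $5 != "ip" && $5 != "tcp" { next }      # icmp rules cannot match TCP
        $7 != "any" { next }                    # "from me" never matches outside traffic
        $9 != "any" && $9 != ip { next }
        $10 == "dst-port" {
            n = split($11, r, "-"); lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
            if (port + 0 < lo || port + 0 > hi) next
        }
        { print $1, $4; exit }'
}

report() {  # $1 = label, $2 = dump
    echo "$1: default=$(ipfw_default_policy "$2"), tcp/21 to 192.0.2.3 -> $(ipfw_first_match "$2" 192.0.2.3 21)"
}
report "allow-default, ftp rule present" "$RULES_ALLOW_DEFAULT"   # -> 01020 allow
report "allow-default, ftp rule removed" "$RULES_NO_FTP_ALLOW_DEFAULT"  # -> 65535 allow
report "deny-default,  ftp rule removed" "$RULES_NO_FTP_DENY_DEFAULT"   # -> 65535 deny
```

Note that rule 60 still admits anything on 1024-65535 regardless of the default rule, so a denying rule 65535 only closes the ports below 1024 that no earlier rule allows.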
 
Thanks,

If I run 'ipfw show' I get an allow-all rule at the bottom of the list. What could possibly override the 'closed' option in the rc.conf configuration if the program itself is not broken?

For now: I have gone the messy route of manually blocking all the ports I don't need, leaving the passive ports open. I will open port 20 as you say.
 