Solved add allow

Hi!

I have one trusted IP which I want to allow to connect to me.
I just add a line in /etc/rc.firewall:
Code:
${fwcmd} add allow tcp from 1.2.3.4 to me port
ipfw list shows that I allow that IP, but the firewall denies it anyway because there is also (default):
Code:
deny tcp from any 80,443 to any 1024-65535 in
What did I do wrong, please?

Thank you.
 
In an ipfw(8) firewall, the rules are ordered (ipfw list shows the rule numbers). Packets are checked against the rules sequentially, and once a packet matches a rule, FW processing is done. That said, perhaps there are rules with lower rule numbers which deny the packets which you want to allow. You want to explicitly specify the rule numbers when you add ipfw rules. So make your rule one of the first by giving it a low rule number, e.g.
${fwcmd} add 7 allow tcp from 1.2.3.4 to me port.
 
Please post the output of ipfw show. Did you specify the "trusted IP" by way of a domain name? Or just the IP itself? In case of a domain name, it might be an issue with the start-up sequence, since the resolver may not be ready when the firewall is loaded.
 
Code:
ipfw show
00007      0         0 allow tcp from 1.2.3.4 to me 993
00100     43      1720 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300      0         0 deny ip from 127.0.0.0/8 to any
00400      0         0 deny ip from any to ::1
00500      0         0 deny ip from ::1 to any
00600      0         0 allow ipv6-icmp from :: to ff02::/16
00700      0         0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800      0         0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900      0         0 allow ipv6-icmp from any to any icmp6types 1
01000      0         0 allow ipv6-icmp from any to any icmp6types 2,135,136
01100      0         0 check-state :default
01200     98      5902 allow tcp from me to any established
01300 251509 215989248 allow tcp from me to any setup keep-state :default
01400   1431    147801 allow udp from me to any keep-state :default
01500      0         0 allow icmp from me to any keep-state :default
01600      0         0 allow ipv6-icmp from me to any keep-state :default
01700      0         0 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800      0         0 allow udp from any 67 to me 68 in
01900      0         0 allow udp from any 67 to 255.255.255.255 68 in
02000      0         0 allow udp from fe80::/10 to me 546 in
02100      0         0 allow icmp from any to any icmptypes 8
02200      0         0 allow ipv6-icmp from any to any icmp6types 128,129
02300      0         0 allow icmp from any to any icmptypes 3,4,11
02400      0         0 allow ipv6-icmp from any to any icmp6types 3
65000    481     92198 count ip from any to any
65100    104     14707 deny { tcp or udp } from any to any 135-139,445 in
65200      0         0 deny { tcp or udp } from any to any 1026,1027 in
65300      0         0 deny { tcp or udp } from any to any 1433,1434 in
65400     46      3994 deny ip from any to 255.255.255.255
65500     39      1404 deny ip from any to 224.0.0.0/24 in
65500      0         0 deny udp from any to any 520 in
65500    271     53697 deny tcp from any 80,443 to any 1024-65535 in
65500     21     18396 deny log logamount 500 ip from any to any
65535      0         0 deny ip from any to any

The first one (7) is what I added, just the IP. It doesn't deny every time, just sometimes. It is an IMAP server.
 
... It doesn't deny every time, just sometimes. ...

Quite obviously, this is not an issue with the given ipfw firewall. A firewall rule like rule #7 acts on all matching packets, not arbitrarily on only some of the matches. Are there other firewalls in effect?

Try adding another rule #8:
${fwcmd} add 8 allow tcp from me to 1.2.3.4
 
I did, but it is the same:

Code:
ipfw: 65500 Deny TCP 1.2.3.4:993 192.168.1.4:49296 in via bge0
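The first reply's point (rules are walked in ascending number order and the first match decides) can be checked mechanically against the posted ipfw show output and the posted log line. The block below is an added example, not code from this thread or from FreeBSD's ipfw: a toy evaluator for a small subset of the rule syntax, run over a constructed subset of the posted rules. The local address 192.168.1.4 is taken from the log line; the packet's TCP flags, the dynamic-state entry (CLIENT_OPENED_FLOW) and the rewritten rule 7 (FIXED_RULE_7) are assumptions for illustration.

```python
"""Toy first-match evaluator for a subset of ipfw(8) syntax. Added example, not from the thread."""
import ipaddress
import re

# Constructed subset of the posted `ipfw show` output: the lines an IPv4 TCP packet can
# touch (IPv6, ICMP and DHCP rules are omitted so the parser stays short).
RULESET = """\
00007 allow tcp from 1.2.3.4 to me 993
00100 allow ip from any to any via lo0
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any
"""
ME = {ipaddress.ip_address("192.168.1.4")}   # "me": local addresses, from the posted log line

# The denied packet from the posted log line. TCP flags are constructed (a data segment
# from the server mid-session); the log line does not show them.
LOGGED_PACKET = {"proto": "tcp", "dir": "in", "iface": "bge0", "flags": {"ACK", "PSH"},
                 "src": ipaddress.ip_address("1.2.3.4"), "sport": 993,
                 "dst": ipaddress.ip_address("192.168.1.4"), "dport": 49296}

# Constructed dynamic entry that rule 01300 (keep-state) would create when 192.168.1.4
# opens the IMAP session: (proto, src, sport, dst, dport) of the client's SYN.
CLIENT_OPENED_FLOW = ("tcp", LOGGED_PACKET["dst"], 49296, LOGGED_PACKET["src"], 993)

# Hypothetical rewrite of rule 7 for the direction the log line shows (server port 993 as
# the source, any local port as destination). An assumption for illustration, not from the thread.
FIXED_RULE_7 = "00007 allow tcp from 1.2.3.4 993 to me in"

# num action [log logamount N] proto from SRC [PORTS] to DST [PORTS] [options...]
RULE_RE = re.compile(
    r"(?P<num>\d+) (?P<action>\S+)(?: log logamount \d+)? (?P<proto>\{ tcp or udp \}|\S+) "
    r"from (?P<src>\S+)(?: (?P<sports>\d[\d,-]*))? to (?P<dst>\S+)(?: (?P<dports>\d[\d,-]*))?(?P<opts>.*)")


def parse_ports(spec):
    """'80,443' or '1024-65535' -> set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(line):
    """Parse one rule line (packet/byte counters already stripped) into a dict."""
    num, action = line.split()[:2]
    if action == "check-state":
        return {"num": int(num), "action": action}
    r = RULE_RE.fullmatch(line.strip()).groupdict()
    r["num"] = int(r["num"])
    r["sports"] = parse_ports(r["sports"]) if r["sports"] else None   # None: any port
    r["dports"] = parse_ports(r["dports"]) if r["dports"] else None
    r["opts"] = r["opts"].split()
    return r


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return addr in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Static match of one rule against a packet; check-state is handled in decide()."""
    p, o, f = rule["proto"], rule["opts"], pkt["flags"]
    return (
        (p == "ip" or p == pkt["proto"] or (p == "{ tcp or udp }" and pkt["proto"] in ("tcp", "udp")))
        and addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])
        and (rule["sports"] is None or pkt["sport"] in rule["sports"])
        and (rule["dports"] is None or pkt["dport"] in rule["dports"])
        and ("in" not in o or pkt["dir"] == "in") and ("out" not in o or pkt["dir"] == "out")
        and ("via" not in o or o[o.index("via") + 1] == pkt["iface"])
        and ("established" not in o or bool(f & {"ACK", "RST"}))     # ipfw: ACK or RST set
        and ("setup" not in o or ("SYN" in f and "ACK" not in f))    # ipfw: SYN without ACK
    )


def decide(ruleset_text, pkt, dyn_state=frozenset()):
    """Walk rules in ascending number order (stable for equal numbers, i.e. listing order)
    and return (number, action) of the first terminating match; `count` never terminates.
    check-state matches a packet belonging to a dyn_state flow in either direction; the
    dynamic rule inherits its keep-state parent's action (all `allow` in this ruleset)."""
    fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    rules = [parse_rule(l) for l in ruleset_text.splitlines() if l.strip()]
    for rule in sorted(rules, key=lambda r: r["num"]):
        if rule["action"] == "check-state":
            if fwd in dyn_state or rev in dyn_state:
                return rule["num"], "allow"
        elif rule["action"] != "count" and rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    return 65535, "deny"   # ipfw's implicit default rule


if __name__ == "__main__":
    print("posted rule 7, no dynamic state   :", decide(RULESET, LOGGED_PACKET))
    print("posted rule 7, live keep-state    :", decide(RULESET, LOGGED_PACKET, {CLIENT_OPENED_FLOW}))
    fixed = RULESET.replace("00007 allow tcp from 1.2.3.4 to me 993", FIXED_RULE_7)
    print("rewritten rule 7, no dynamic state:", decide(fixed, LOGGED_PACKET))
```

Walking the posted rules in order, rule 7 never matches the logged packet: it requires destination port 993, while the packet in the log is the server's reply from port 993 to local port 49296, so evaluation falls through to the catch-all deny at 65500, the same rule number the log line reports. The identical packet is admitted at check-state (1100) whenever a dynamic entry created by the keep-state rule 1300 exists for that session, which is how a stateful ipfw ruleset normally lets server-to-client traffic back in; dynamic entries have a finite lifetime, so a flow can be accepted at one moment and hit 65500 later. A static rule written for the direction actually being logged (FIXED_RULE_7, an assumption here) matches at rule 7 regardless of dynamic state.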
 