Solved: IPFW Blocking Almost Everything

OK, this is probably operator error or stupidity. Rebuilding my server, I naturally can't find my tried and true ipfw.rules. This is what I tried, and it seems to block https and some mail. I thought I allowed the right ports, but I have thought a lot of things.

Code:
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
$IPF 100 deny ip from table\(22\) to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 215 allow tcp from any to any 110 in
$IPF 216 allow tcp from any to any 110 out
$IPF 220 allow tcp from any to any 143 in
$IPF 225 allow tcp from any to any 143 out
$IPF 227 allow tcp from any to any 443 in
$IPF 228 allow tcp from any to any 443 out
$IPF 230 allow tcp from any to any 465 in
$IPF 235 allow tcp from any to any 465 out
$IPF 250 allow tcp from any to any 587 in
$IPF 255 allow tcp from any to any 587 out
$IPF 260 allow tcp from any to any 993 in
$IPF 265 allow tcp from any to any 993 out
$IPF 270 allow tcp from any to any 995 in
$IPF 275 allow tcp from any to any 995 out
# deny and log everything

$IPF 500 deny log all from any to any

I know IPFW is not real popular here, but I thought it and I got along.
 
Try:

Code:
$IPF 200 allow tcp from any to any 80 in setup keep-state
$IPF 210 allow tcp from any to any 80 out setup keep-state
$IPF 227 allow tcp from any to any 443 in setup keep-state
$IPF 228 allow tcp from any to any 443 out setup keep-state

On TCP

Code:
setup keep-state

On UDP

Code:
keep-state

From the ipfw man page.
 
OK, made those changes and added a rule for webmin (port 9000). IMAP s. The log shows that the IPFW catch-all rule is blocking.

log
Code:
Dec 30 22:17:22 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:22 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:22 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:22 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:23 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:24 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0

ipfw.rules

Code:
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
$IPF 100 deny ip from table\(22\) to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in setup keep-state
$IPF 120 allow tcp from any to any 21 out setup keep-state
$IPF 130 allow tcp from any to any 22 in setup keep-state
$IPF 140 allow tcp from any to any 22 out setup keep-state
$IPF 150 allow tcp from any to any 25 in setup keep-state
$IPF 160 allow tcp from any to any 25 out setup keep-state
$IPF 170 allow udp from any to any 53 in keep-state
$IPF 175 allow tcp from any to any 53 in setup keep-state
$IPF 180 allow udp from any to any 53 out setup keep-state
$IPF 185 allow tcp from any to any 53 out setup keep-state
$IPF 200 allow tcp from any to any 80 in setup keep-state
$IPF 210 allow tcp from any to any 80 out setup keep-state
$IPF 215 allow tcp from any to any 110 in setup keep-state
$IPF 216 allow tcp from any to any 110 out setup keep-state
$IPF 220 allow tcp from any to any 143 in setup keep-state
$IPF 225 allow tcp from any to any 143 out setup keep-state
$IPF 227 allow tcp from any to any 443 in setup keep-state
$IPF 228 allow tcp from any to any 443 out setup keep-state
$IPF 230 allow tcp from any to any 465 in setup keep-state
$IPF 235 allow tcp from any to any 465 out setup keep-state
$IPF 250 allow tcp from any to any 587 in setup keep-state
$IPF 255 allow tcp from any to any 587 out setup keep-state
$IPF 260 allow tcp from any to any 993 in setup keep-state
$IPF 265 allow tcp from any to any 993 out setup keep-state
$IPF 270 allow tcp from any to any 995 in setup keep-state
$IPF 275 allow tcp from any to any 995 out setup keep-state
$IPF 280 allow tcp from any to any 9000 in setup keep-state
$IPF 280 allow tcp from any to any 9000 out setup keep-state

# deny and log everything

$IPF 500 deny log all from any to any
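A quick way to read a log like the one above, added here as an example and not taken from any post in this thread: the awk script groups ipfw Deny lines by rule number, protocol and destination port, then counts hits and distinct source addresses, so the rule doing the blocking and the service it is blocking are visible at a glance. The six port 443 lines are the ones quoted above; the UDP and ICMP lines are constructed to show the other shapes ipfw logs. The field layout assumed is the one in the quoted lines: `ipfw: <rule> <action> <proto> <src> <dst> <dir> via <ifname>`.

```shell
#!/bin/sh
# Summarize ipfw "Deny" log lines: which rule fired, for which protocol and
# destination port, how often, and from how many distinct sources.
# Added example. The six TCP lines are the ones quoted in the thread; the
# UDP and ICMP lines are constructed to show the other shapes ipfw logs.

SAMPLE_LOG='Dec 30 22:17:22 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:22 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:22 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:22 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:23 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:24 triggerfish kernel: ipfw: 500 Deny TCP 73.150.178.106:58925 209.160.64.187:443 in via em0
Dec 30 22:17:30 triggerfish kernel: ipfw: 500 Deny UDP 203.0.113.9:40001 209.160.64.187:53 in via em0
Dec 30 22:17:31 triggerfish kernel: ipfw: 500 Deny UDP 203.0.113.10:40002 209.160.64.187:53 in via em0
Dec 30 22:17:35 triggerfish kernel: ipfw: 500 Deny ICMP:8.0 203.0.113.9 209.160.64.187 in via em0'

# summarize_denies: read ipfw log lines on stdin and print one line per
# (rule, proto, dst_port) as "rule proto dport hits sources", busiest first.
summarize_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) {
                if ($i != "ipfw:") continue
                # Layout after "ipfw:": <rule> <action> <proto> <src> <dst> <dir> via <if>
                rule = $(i + 1); proto = $(i + 3); src = $(i + 4); dst = $(i + 5)
                if (proto ~ /^ICMP/) {           # logged as ICMP:<type>.<code>, no ports
                    proto = "ICMP"; dport = "-"
                } else {
                    n = split(dst, p, ":"); dport = p[n]
                    sub(/:[0-9]+$/, "", src)      # keep only the source address
                }
                key = rule " " proto " " dport
                hits[key]++
                if (!seen[key, src]++) sources[key]++
                break
            }
        }
        END { for (k in hits) print k, hits[k], sources[k] }
    ' | sort -k4,4nr -k1,1n
}

# Summary of the embedded sample. On a FreeBSD box with the default syslog
# setup the live equivalent is:  grep 'ipfw:' /var/log/security | summarize_denies
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_denies
}

summarize_sample
```

For the sample above the first output line is `500 TCP 443 6 1`: rule 500 (the catch-all) dropped six https connection attempts from one source, which is exactly what the log excerpt shows and points at a missing or misordered allow rule for 443 rather than at the client.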
 
OK, so I tried some more with the rules.

The issue appears to be with my attempts at implementing sshguard

The rule (now edited to read this way) seems to be the problem:

Code:
$IPF 100 deny ip from table(22) to any

My IP is not in table 22.
Code:
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
$IPF 100  deny ip from table(22) to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in setup keep-state
$IPF 120 allow tcp from any to any 21 out setup keep-state
$IPF 130 allow tcp from any to any 22 in setup keep-state
$IPF 140 allow tcp from any to any 22 out setup keep-state
$IPF 150 allow tcp from any to any 25 in setup keep-state
$IPF 160 allow tcp from any to any 25 out setup keep-state
$IPF 170 allow udp from any to any 53 in keep-state
$IPF 175 allow tcp from any to any 53 in setup keep-state
$IPF 180 allow udp from any to any 53 out setup keep-state
$IPF 185 allow tcp from any to any 53 out setup keep-state
$IPF 200 allow tcp from any to any 80 in setup keep-state
$IPF 210 allow tcp from any to any 80 out setup keep-state
$IPF 215 allow tcp from any to any 110 in setup keep-state
$IPF 216 allow tcp from any to any 110 out setup keep-state
$IPF 220 allow tcp from any to any 143 in setup keep-state
$IPF 225 allow tcp from any to any 143 out setup keep-state
$IPF 227 allow tcp from any to any 443 in setup keep-state
$IPF 228 allow tcp from any to any 443 out setup keep-state
$IPF 230 allow tcp from any to any 465 in setup keep-state
$IPF 235 allow tcp from any to any 465 out setup keep-state
$IPF 250 allow tcp from any to any 587 in setup keep-state
$IPF 255 allow tcp from any to any 587 out setup keep-state
$IPF 260 allow tcp from any to any 993 in setup keep-state
$IPF 265 allow tcp from any to any 993 out setup keep-state
$IPF 270 allow tcp from any to any 995 in setup keep-state
$IPF 275 allow tcp from any to any 995 out setup keep-state
$IPF 280 allow tcp from any to any 9000 in setup keep-state
$IPF 280 allow tcp from any to any 9000 out setup keep-state

# deny and log everything

$IPF 500 deny log all from any to any

What is a little strange: although this seems to block about everything, it DOES NOT block ping.

Thoughts would be appreciated.
 
What is a little strange: although this seems to block about everything, it DOES NOT block ping.

Your rule:

Code:
$IPF 80 allow icmp from any to any

Allows ping to work.

Your rule:

Code:
$IPF 180 allow udp from any to any 53 out setup keep-state

Should use only keep-state, since it is udp.

For debugging, maybe you should try enabling the log and inspecting it.

Add on /etc/rc.conf:

Code:
firewall_logging="YES"

Try specifying the NIC; this is how I do ipfw.rules, with an example using your current rules:

Code:
...
NIC="vmx0" #set your NIC

...

$IPF 200 allow tcp from any to any 80 out via $NIC setup keep-state
$IPF 210 allow tcp from any to any 80 in via $NIC setup keep-state

...

PS: Usually I set the OUT first, the IN after (note I have changed the order in the example to 200 and 210).
 
My bad, you are right about the ping.

Logging is enabled, but when I use the last mentioned rules, no logging occurs, which would seem to indicate that IPFW died with that ruleset. I will try your edit. Haven't aggravated tech support at my host in a couple of hours.
 
... no logging occurs, which would seem to indicate that IPFW died with that ruleset

Rules are first match, ignore the rest; your denies are on:

Code:
$IPF 40 deny tcp from any to any frag
$IPF 100 deny ip from table\(22\) to any

Comment those out and see if it works.

Not sure if it is a typo:

Code:
table\(22\)

But if it is, you should try using:

Code:
$IPF 100 deny ip from "table(22)" to any
 
Since I have spent a week of frustration rebuilding this server, I will admit I "borrowed" stuff.
Doesn't
Code:
deny tcp from any to any frag
deal with only TCP fragments? (Whatever they are, I thought they were bad.)
 
deal with only TCP fragments? (Whatever they are, I thought they were bad.)

If your network adds fragments to packets, then everything will be dropped by this rule...

No one will know how your infrastructure works, only you...

Remember the old principle:

"Split to conquer"

In other words, first make it work, then start denying step by step till you find the source of your problem.

The "hardening" tutorials around the internet make the assumption you already have something working...
And they usually say:

Enable one hardening process at a time and test if it fits your scenario...
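Putting the advice so far into one file, as an added example and not anyone's posted ipfw.rules: the frag rule is gone, the UDP rules carry keep-state without setup, the sshguard table rule is quoted and switched off by default so it can be turned on as its own hardening step, the rules name the interface, and the per-port TCP rules are generated from one list instead of being typed out twice per port. The interface name em0 is taken from the log lines earlier in the thread; the IPFW dry-run switch, the SSHGUARD toggle and the rule numbers are this example's own.

```shell
#!/bin/sh
# ipfw.rules with the thread's advice so far applied. Added example, not the
# poster's file: no frag rule, keep-state (no setup) on UDP, the sshguard
# table rule quoted and switched off until the rest is known to work, rules
# bound to the NIC, and the per-port TCP rules generated from one list.
# Assumptions: NIC em0 comes from the log lines in the thread; the IPFW
# dry-run switch, the SSHGUARD toggle and the rule numbers are this example's.

NIC="${NIC:-em0}"             # public interface
SSHGUARD="${SSHGUARD:-no}"    # set to yes only after everything else works
IPFW="${IPFW:-ipfw}"          # set IPFW="echo ipfw" to print the rules instead of loading them

# TCP services from the thread: ftp ssh smtp dns http pop3 imap https smtps
# submission imaps pop3s webmin
TCP_PORTS="21 22 25 53 80 110 143 443 465 587 993 995 9000"

load_rules() {
    IPF="$IPFW -q add"
    $IPFW -q -f flush

    # loopback
    $IPF 10 allow all from any to any via lo0
    $IPF 20 deny all from any to 127.0.0.0/8
    $IPF 30 deny all from 127.0.0.0/8 to any

    # stateful: replies to established flows and anything this host starts
    $IPF 50 check-state
    $IPF 60 allow tcp from any to any established
    $IPF 70 allow all from any to any out keep-state
    $IPF 80 allow icmp from any to any

    # sshguard block table: quoted, and one hardening step on its own.
    # If it blocks you, look at the table contents before blaming the rule.
    if [ "$SSHGUARD" = "yes" ]; then
        $IPF 100 deny ip from "table(22)" to any in via "$NIC"
    fi

    # TCP: setup keep-state matches only the SYN; the dynamic rule created
    # there carries the rest of the connection in both directions.
    n=110
    for port in $TCP_PORTS; do
        $IPF $n allow tcp from any to any "$port" out via "$NIC" setup keep-state
        n=$((n + 1))
        $IPF $n allow tcp from any to any "$port" in via "$NIC" setup keep-state
        n=$((n + 9))
    done

    # UDP has no handshake: keep-state only, never setup
    $IPF 400 allow udp from any to any 53 out via "$NIC" keep-state
    $IPF 410 allow udp from any to any 53 in via "$NIC" keep-state

    # deny and log everything else (needs firewall_logging="YES" in rc.conf)
    $IPF 500 deny log all from any to any
}

# Load for real only as root on a host that has ipfw; otherwise the file can
# be sourced and dry-run with:  IPFW="echo ipfw" load_rules
if [ "$(id -u)" = 0 ] && command -v ipfw >/dev/null 2>&1; then
    load_rules
fi
```

Dry-running with `IPFW="echo ipfw"` prints the exact `ipfw` commands that would be loaded, which is a cheap way to eyeball rule order and the first-match problem discussed above before touching a remote box; once the base ruleset works, `SSHGUARD=yes` adds the table rule as a separate, reversible step.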
 
sage advice....

Your last point I sort of remember back when

I disposed of the frag rule and edited

Code:
$IPF 100 deny ip from table\(22\) to any

to

Code:
$IPF 100 deny ip from "table(22)" to any

I want to do a couple more tests to make sure before I call this solved, but I THINK we are there.
 
The two edits DID NOT do it. Essentially I am blocked from any port whose permission was after rule 100.
Code:
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 13 allow tcp from any to any 22 in setup keep-state
$IPF 14 allow tcp from any to any 22 out setup keep-state
$IPF 15 allow tcp from any to any 9000 in setup keep-state
$IPF 10 allow tcp from any to any 9000 out setup keep-state


$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state

$IPF 80 allow icmp from any to any


# sshguard
$IPF 100 deny ip from "table(22)" to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in setup keep-state
$IPF 120 allow tcp from any to any 21 out setup keep-state
#$IPF 130 allow tcp from any to any 22 in setup keep-state
#$IPF 140 allow tcp from any to any 22 out setup keep-state
$IPF 150 allow tcp from any to any 25 in setup keep-state
$IPF 160 allow tcp from any to any 25 out setup keep-state
$IPF 170 allow udp from any to any 53 in keep-state
$IPF 175 allow tcp from any to any 53 in setup keep-state
$IPF 180 allow udp from any to any 53 out setup keep-state
$IPF 185 allow tcp from any to any 53 out setup keep-state
$IPF 200 allow tcp from any to any 80 in setup keep-state
$IPF 210 allow tcp from any to any 80 out setup keep-state
$IPF 215 allow tcp from any to any 110 in setup keep-state
$IPF 216 allow tcp from any to any 110 out setup keep-state
$IPF 220 allow tcp from any to any 143 in setup keep-state
$IPF 225 allow tcp from any to any 143 out setup keep-state
$IPF 227 allow tcp from any to any 443 in setup keep-state
$IPF 228 allow tcp from any to any 443 out setup keep-state
$IPF 230 allow tcp from any to any 465 in setup keep-state
$IPF 235 allow tcp from any to any 465 out setup keep-state
$IPF 250 allow tcp from any to any 587 in setup keep-state
$IPF 255 allow tcp from any to any 587 out setup keep-state
$IPF 260 allow tcp from any to any 993 in setup keep-state
$IPF 265 allow tcp from any to any 993 out setup keep-state
$IPF 270 allow tcp from any to any 995 in setup keep-state
$IPF 275 allow tcp from any to any 995 out setup keep-state
$IPF 277 allow tcp from any to any 1149 in setup keep-state
$IPF 278 allow tcp from any to any 1149 out setup keep-state

# deny and log everything

$IPF 500 deny log all from any to any

Got me good and beat. Comment out rule 100 and all is good.
 
I don't know anything about ipfw, but it seems to boil down to rule 100 - is that what the problem seems to be?

And if you do
Code:
$IPF 100 deny ip from "table(22)" to any
or
Code:
$IPF 100 deny ip from table\(22\) to any
then anything from that rule onwards is ignored/blocked?

From the man page: When a match is found, the action corresponding to the matching rule is performed.

So it is as though your rule 100 is being read as "deny ip from <anything>"?

What is that table? How are you setting it up? Maybe we don't have to have the whole thing, but maybe a sample line or two from it?
 
My rule name is "ra" and I have in it four empty spaces and then on each line an IP which I want to block.
In /etc/ipfw.rules I have:
Code:
cat /etc/ra | xargs -n1 ipfw table 1 add
and then later in the rules, for blocking IPs from the table, I have:
Code:
$cmd 00600 deny ip from 'table(1)' to any in via $pif
 
Richard nailed it.... Looked in table 22 and, lo and behold, sshguard decided to block my new home IP. Delete, and all is as it should be.. just a little embarrassed.
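The check that settled the thread, as an added example and not something posted in it: feed the output of `ipfw table 22 list` to the function below together with your own address, and it prints the entry that covers it, including network entries such as a /24, which a plain grep for the address would miss. The table dump embedded here is constructed; the `addr/prefix value` line shape is that of `ipfw table N list`, and the header line is assumed.

```shell
#!/bin/sh
# Is a given address covered by an ipfw address table? Works from the
# "addr/prefix value" lines that `ipfw table N list` prints, so it can be
# run against a saved dump as well as live output.
# Added example; the table contents below are constructed.

SAMPLE_TABLE='--- table(22), set(0) ---
203.0.113.0/24 0
198.51.100.7/32 0
73.150.178.106/32 0'

# ip_in_table ADDR: read table entries on stdin; print the first entry that
# covers ADDR and return 0, print nothing and return 1 if none does,
# return 2 if ADDR is not a dotted quad.
ip_in_table() {
    awk -v addr="$1" '
        # Dotted quad to a 32-bit number (awk has no bit operators, so the
        # prefix comparison below is done with integer division instead).
        function ip2n(s,    p, n) {
            n = split(s, p, ".")
            if (n != 4) return -1
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        # True when net/plen covers a: both agree once the host bits are divided out.
        function covers(net, plen, a,    div) {
            div = 2 ^ (32 - plen)
            return int(ip2n(net) / div) == int(a / div)
        }
        BEGIN {
            a = ip2n(addr); found = 1
            if (a < 0) { found = 2; exit }
        }
        # Entry lines start with addr or addr/prefix; the header does not.
        $1 ~ /^[0-9.]+(\/[0-9]+)?$/ {
            n = split($1, e, "/")
            plen = (n == 2) ? e[2] : 32
            if (covers(e[1], plen, a)) { print $1; found = 0; exit }
        }
        END { exit found }
    '
}

# Convenience wrapper over the embedded dump; on the server itself use
#   ipfw table 22 list | ip_in_table "$MY_IP"
check_sample() {
    printf '%s\n' "$SAMPLE_TABLE" | ip_in_table "$1"
}
```

If it prints a match, `ipfw table 22 delete <addr>` removes that entry, which is what the last post did; sshguard will add it again if the failed logins that triggered it continue, so the durable fix is to put your own address in sshguard's whitelist rather than to keep clearing the table.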
 