IPFW problem

hi, I have a server (FreeBSD 8.1) and a client (Fedora 13 - 10.10.10.2)

my RC.CONF
Code:
keymap="us.iso"
hostname="ServerBSD.Casa.org"
defaultrouter="192.168.1.1"
sshd_enable="YES"
natd_enable="YES"
natd_flags=""
named_enable="YES"
natd_interface="rl0"
gateway_enable="YES"
firewall_enable="YES"
firewall_quiet="NO"
firewall_script="/etc/router2.firewall"
firewall_logging="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"

network_interfaces="auto"
ifconfig_rl0="inet 192.168.1.100 netmask 255.255.255.0"
ifconfig_fxp0="inet 10.10.10.254 netmask 255.255.255.0"

my RESOLV.CONF
Code:
nameserver 	212.216.112.112
nameserver	212.216.172.62

my ROUTER2.FIREWALL
Code:
################ Start of IPFW rules file ###############################
ipfw -q -f flush

# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"   

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

#################################################################
#Outbound Section
#################################################################
$cmd 00110 allow tcp from any to 212.212.112.112 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.112.112 53 out via $pif keep-state
$cmd 00110 allow tcp from any to 212.212.172.67 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.172.67 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

$cmd 00299 deny log all from any to any out via $pif

################################################################
#Inbound Section
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif     #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif           #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif         #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif             #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif         #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################

My client can ping the server.
My client can't ping the router 192.168.1.1 or get on the internet.
Can you help me?
 
What if you comment this out
Code:
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
 
nothing

this is the problem
Code:
$cmd 00299 deny log all from any to any out via $pif

but if I comment this out
Code:
#$cmd 00299 deny log all from any to any out via $pif
this is the new problem!!!
Code:
$cmd 00999 deny log all from any to any
 
You will have to add explicit rules to allow the intended traffic, e.g.

Code:
allow all from any to any out via $pif
allow icmp from any to any
 
Tomtor said:
You will have to add explicit rules to allow the intended traffic, e.g.

allow all from any to any out via $pif
allow icmp from any to any

Without more information about your local network and your connectivity to the internet
(e.g. does your router/modem have a firewall) it is hard to help you.

Your current rules are quite restrictive; do you, e.g., really want to limit outbound TCP traffic except for HTTP, mail and cvsup?

Most people want to use their firewall to limit incoming traffic, but trust sources on the internal network.

To get started I would enter at the start of the inbound section:

Code:
# Allow all icmp traffic for a start
$cmd 00300 allow log icmp from any to any
# allow all outbound traffic for a start
$cmd 00301 allow all from any to any out via $pif

and comment out the original rules 300 to 308.

I would have expected that rusty's suggestion would have allowed traffic.

To debug you should replace any plain 'deny' with 'deny log' and inspect or post
/var/log/security
 
This is my network


Code:
internet
|
router alice
192.168.1.1
|
192.168.1.100
ServerBSD.Casa.org
(FreeBSD 8.1)
10.10.10.254
|
10.10.10.2
PC-00
(Fedora 13)

Code:
################ Start of IPFW rules file ###############################
ipfw -q -f flush

# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"   

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

#################################################################
#Outbound Section
#################################################################
$cmd 00110 allow tcp from any to 212.212.112.112 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.112.112 53 out via $pif keep-state
$cmd 00110 allow tcp from any to 212.212.172.67 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.172.67 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

$cmd 00299 deny log all from any to any out via $pif

################################################################
#Inbound Section
#################################################################

# Allow all icmp traffic for a start
$cmd 00300 allow log icmp from any to any
# allow all outbound traffic for a start
$cmd 00301 allow all from any to any out via $pif

# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
#$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif     #RFC 1918 private IP
#$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif           #RFC 1918 private IP
#$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif         #loopback
#$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif             #loopback
#$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
#$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
#$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
#$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif         #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################

but nothing
 
I commented out 00299 and this is my /var/log/security

Code:
Dec 25 19:38:23 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:25525 in via rl0
Dec 25 19:38:26 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
Dec 25 19:38:28 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:36460 in via rl0
Dec 25 19:38:30 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:25525 in via rl0
Dec 25 19:38:40 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:36460 in via rl0
Dec 25 19:38:45 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:36106 in via rl0
Dec 25 19:38:50 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:17087 in via rl0
Dec 25 19:38:52 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:36106 in via rl0
Dec 25 19:39:02 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:17087 in via rl0
Dec 25 19:39:07 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:60039 in via rl0
Dec 25 19:39:12 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:53888 in via rl0
Dec 25 19:39:14 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:60039 in via rl0
Dec 25 19:39:24 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:53888 in via rl0
Dec 25 19:39:29 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:49646 in via rl0
Dec 25 19:39:34 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:27245 in via rl0
Dec 25 19:39:36 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:49646 in via rl0
Dec 25 19:39:46 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:27245 in via rl0
Dec 25 19:40:17 ServerBSD kernel: ipfw: 499 Deny UDP 192.168.1.1:138 192.168.1.255:138 in via rl0
Dec 25 19:40:17 ServerBSD kernel: ipfw: 499 Deny UDP 192.168.1.1:138 192.168.1.255:138 in via rl0
Dec 25 19:40:31 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0

and if I comment out 499

Code:
Dec 25 19:42:25 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:51271 in via rl0
Dec 25 19:42:30 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:52630 in via rl0
Dec 25 19:42:32 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:51271 in via rl0
Dec 25 19:42:36 ServerBSD kernel: ipfw: 999 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
Dec 25 19:42:42 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:52630 in via rl0
Dec 25 19:42:47 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:48546 in via rl0
Dec 25 19:42:52 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:43106 in via rl0
Dec 25 19:42:54 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:48546 in via rl0
Dec 25 19:43:04 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:43106 in via rl0
Dec 25 19:43:09 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:52427 in via rl0
Dec 25 19:43:14 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:29709 in via rl0
Dec 25 19:43:16 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:52427 in via rl0
Dec 25 19:43:26 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:29709 in via rl0
Dec 25 19:43:31 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:56734 in via rl0
Dec 25 19:43:36 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:48420 in via rl0
Dec 25 19:43:38 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.112.112:53 192.168.1.100:56734 in via rl0
Dec 25 19:43:48 ServerBSD kernel: ipfw: 999 Deny UDP 212.216.172.62:53 192.168.1.100:48420 in via rl0
Dec 25 19:44:41 ServerBSD kernel: ipfw: 999 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
 
Ok, almost there...

Add this line to allow DNS queries; place it after the commented-out 00299

Code:
# Allow DNS queries out in the world
$cmd 00299 add pass udp from me to any 53 keep-state
 
When I reboot:

ipfw: invalid action add

I wrote
Code:
$cmd 00110 allow tcp from any to 212.212.112.112 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.112.112 53 out via $pif keep-state
$cmd 00110 allow tcp from any to 212.212.172.67 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.172.67 53 out via $pif keep-state

Those are my DNS servers; they are in /resolv.conf too.
But my DNS server is 192.168.1.1
 
There is an extra ADD

Code:
# Allow DNS queries out in the world
$cmd 00299 pass udp from me to any 53 keep-state
I corrected it but nothing.

I haven't even said thanks for everything.
 
BlackWolf said:
There is an extra ADD

Code:
# Allow DNS queries out in the world
$cmd 00299 pass udp from me to any 53 keep-state

Replace "from me" by "from all" in that rule, that should fix DNS queries not originating from the server.

Basically the configuration you started with was ok, except that DNS rules were missing and you filtered out 10/24 and 192.168/16 traffic.

In your current setup the only thing not yet working is DNS, ping and browser traffic to IP-addresses should already work.
 
BlackWolf said:
When I reboot:

ipfw: invalid action add

I wrote
Code:
$cmd 00110 allow tcp from any to 212.212.112.112 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.112.112 53 out via $pif keep-state
$cmd 00110 allow tcp from any to 212.212.172.67 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 212.212.172.67 53 out via $pif keep-state

Those are my DNS servers; they are in /resolv.conf too.
But my DNS server is 192.168.1.1

I'm not sure those 4 rules help, and they will overrule later rules in the same configuration. Processing stops at the first matching rule, so you had better remove them.

You were getting e.g. blocked DNS replies from 212.216/16, and I'm not sure the keep-state works for replies from different addresses in rules with an explicit "to".

Better would be
Code:
$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state

which could replace my suggestion
Code:
$cmd 00299 pass udp from me to any 53 keep-state
because it is stricter and more secure.
 
These are the rules

Code:
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"     

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

#################################################################
# Outbound Section
#################################################################

$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

# Allow DNS queries out in the world
$cmd 00299 pass udp from all to any 53 keep-state

#################################################################
# Inbound Section
#################################################################

# Allow all icmp traffic for a start
$cmd 00300 allow log icmp from any to any

# Allow all outbound traffic for a start
$cmd 00301 allow all from any to any out via $pif

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif


$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################

security
Code:
Dec 26 10:01:12 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
 
So, is it working now?

No more dropped packets in the log (except that unimportant routing multicast), so browsing should work.

You should remove rules 299 (because it is replaced by rule 111), and 300 and 301 because they were only for debugging.
 
rules

Code:
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"     

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

#################################################################
# Outbound Section
#################################################################

$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

#################################################################
# Inbound Section
#################################################################

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif


$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################

security

Code:
Dec 27 07:17:25 ServerBSD kernel: ipfw: 999 Deny TCP 10.10.10.2:57541 66.220.151.80:80 out via rl0
Dec 27 07:17:40 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
Dec 27 07:17:47 ServerBSD kernel: ipfw: 999 Deny TCP 10.10.10.2:57541 66.220.151.80:80 out via rl0
Dec 27 07:18:33 ServerBSD kernel: ipfw: 999 Deny TCP 10.10.10.2:57541 66.220.151.80:80 out via rl0

nothing
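As an added example (not code from anyone in this thread), a small Python parser for the ipfw syslog lines posted above that groups the denies by rule and direction and flags the patterns that appear in these logs: DNS replies dropped inbound, NetBIOS over UDP slipping past tcp-only rules, IGMP noise, and a private source address leaving rl0 untranslated. The diagnostic heuristics and the `ext_iface` parameter are my own assumptions; the sample lines are copied from the posted logs.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Sample lines copied from the /var/log/security excerpts posted in this thread.
SAMPLE_LOG = """\
Dec 25 19:38:23 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.112.112:53 192.168.1.100:25525 in via rl0
Dec 25 19:38:26 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0
Dec 25 19:38:28 ServerBSD kernel: ipfw: 499 Deny UDP 212.216.172.62:53 192.168.1.100:36460 in via rl0
Dec 25 19:40:17 ServerBSD kernel: ipfw: 499 Deny UDP 192.168.1.1:138 192.168.1.255:138 in via rl0
Dec 27 07:17:25 ServerBSD kernel: ipfw: 999 Deny TCP 10.10.10.2:57541 66.220.151.80:80 out via rl0
"""

# ipfw logs "<rule> <Action> <PROTO> <src>[:<port>] <dst>[:<port>] <in|out> via <iface>".
# Protocols without ports appear as "P:<number>", e.g. "P:2" for IGMP, with bare addresses.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str


def _port(text: Optional[str]) -> Optional[int]:
    return int(text) if text is not None else None


def parse_line(line: str) -> Optional[IpfwEvent]:
    """Return an IpfwEvent for an ipfw syslog line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return IpfwEvent(int(m["rule"]), m["action"], m["proto"], m["src"], _port(m["sport"]),
                     m["dst"], _port(m["dport"]), m["direction"], m["iface"])


def parse_log(text: str) -> List[IpfwEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(events: List[IpfwEvent]) -> Counter:
    """Count denies per (rule, protocol, direction, interface) so the noisy rule stands out."""
    return Counter((e.rule, e.proto, e.direction, e.iface) for e in events if e.action == "Deny")


def diagnose(events: List[IpfwEvent], ext_iface: str = "rl0") -> List[str]:
    """My own heuristics mapping the deny patterns seen in this thread to a likely cause."""
    findings = []
    for e in events:
        if e.action != "Deny":
            continue
        if e.proto == "UDP" and e.sport == 53 and e.direction == "in":
            findings.append(f"rule {e.rule}: DNS reply from {e.src} dropped; the outbound query "
                            "created no dynamic rule, so nothing admits the answer")
        elif e.proto == "UDP" and e.dport in (137, 138, 139):
            findings.append(f"rule {e.rule}: NetBIOS over UDP from {e.src}; rules that deny "
                            "only tcp 137-139 never see it, so it falls to the catch-all")
        elif e.direction == "out" and e.iface == ext_iface and ip_address(e.src).is_private:
            findings.append(f"rule {e.rule}: private source {e.src} leaving {ext_iface} "
                            "untranslated; no NAT rule rewrote it before the outbound rules ran")
        elif e.proto == "P:2":
            findings.append(f"rule {e.rule}: IGMP from {e.src} to {e.dst}; multicast "
                            "membership query from the router, harmless to drop")
    return findings
```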
 
The setup keyword matches TCP packets that have the SYN bit but no ACK bit, according to
Code:
man ipfw

You might try temporarily adding a rule to allow out established packets on port 80. At least something to help you diagnose why some packets to port 80 are not allowed out. Once you know why they're denied you can then take action to allow them (or not).
 
Try this conf

Code:
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="/sbin/ipfw add"
pif="rl0"     

$cmd 00005 allow all from any to any via fxp0
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

# Allow TCP through if setup succeeded
$cmd 00110 allow tcp from any to any established

#################################################################
# Outbound Section
#################################################################

$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

#################################################################
# Inbound Section
#################################################################

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny log all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny log tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif


$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
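To illustrate the first-match evaluation and the setup/established distinction discussed above, here is an added Python model of a subset of this ruleset (my own code, not ipfw and not from anyone in the thread). It reproduces the posted "999 Deny TCP 10.10.10.2:57541 66.220.151.80:80 out via rl0" entry for an ACK packet that has no dynamic rule behind it, and shows the suggested `allow tcp from any to any established` rule admitting that packet. The model is simplified: `established` means ACK set, dynamic rules are keyed by a 5-tuple, and a dynamic-rule hit always allows; these are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: str
    syn: bool = False   # TCP flags; ignored for other protocols
    ack: bool = False

@dataclass
class Rule:
    num: int
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "all"
    dport: Optional[int] = None
    direction: Optional[str] = None
    iface: Optional[str] = None
    setup: bool = False         # matches TCP with SYN set and ACK clear
    established: bool = False   # matches TCP with ACK set (RST omitted in this model)
    keep_state: bool = False    # on match, record the flow so replies pass via check-state

FlowKey = Tuple[str, str, int, str, int]
def flow_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def matches(r: Rule, p: Packet) -> bool:
    """Static match of one rule against one packet (no dynamic state involved)."""
    return ((r.proto == "all" or r.proto == p.proto)
            and (r.dport is None or r.dport == p.dport)
            and (r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)
            and (not r.setup or (p.proto == "tcp" and p.syn and not p.ack))
            and (not r.established or (p.proto == "tcp" and p.ack)))

class Firewall:
    """First-match evaluation in rule-number order plus a dynamic rule table keyed by flow."""
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.num)  # stable sort: equal numbers keep order
        self.state: Dict[FlowKey, int] = {}              # flow -> number of the rule that created it

    def evaluate(self, p: Packet) -> Tuple[int, str]:
        """Return (rule number, action) for p; 65535 is ipfw's implicit final rule."""
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            # check-state, and every keep-state rule, first looks for an existing dynamic rule;
            # a hit yields the parent rule's number, which is what ipfw logs and counts
            if r.action == "check-state" or r.keep_state:
                parent = self.state.get(flow_key(p), self.state.get(reverse))
                if parent is not None:
                    return (parent, "allow")
            if r.action != "check-state" and matches(r, p):
                if r.keep_state:
                    self.state[flow_key(p)] = r.num
                return (r.num, r.action)
        return (65535, "deny")

# Subset of the thread's ruleset that decides the fate of a LAN client's HTTP connection.
def thread_rules(with_established: bool = False) -> List[Rule]:
    rules = [Rule(15, "check-state"),
             Rule(200, "allow", "tcp", 80, "out", "rl0", setup=True, keep_state=True),
             Rule(499, "deny", direction="in", iface="rl0"),
             Rule(999, "deny")]
    if with_established:   # the "allow tcp from any to any established" rule suggested above
        rules.append(Rule(110, "allow", "tcp", established=True))
    return rules
# Addresses and ports are those of the posted "999 Deny TCP 10.10.10.2:57541 66.220.151.80:80" line.
SYN = Packet("tcp", "10.10.10.2", 57541, "66.220.151.80", 80, "out", "rl0", syn=True)
SYN_ACK = Packet("tcp", "66.220.151.80", 80, "10.10.10.2", 57541, "in", "rl0", syn=True, ack=True)
ACK = Packet("tcp", "10.10.10.2", 57541, "66.220.151.80", 80, "out", "rl0", ack=True)

def handshake(with_established: bool = False) -> List[Tuple[int, str]]:
    """Full handshake seen by one Firewall: the SYN creates state, the rest ride on it."""
    fw = Firewall(thread_rules(with_established))
    return [fw.evaluate(p) for p in (SYN, SYN_ACK, ACK)]

def midstream(with_established: bool = False) -> Tuple[int, str]:
    """An ACK with no dynamic rule behind it (e.g. state flushed by an ipfw reload)."""
    return Firewall(thread_rules(with_established)).evaluate(ACK)
```

Without the `established` rule the mid-stream ACK fails the `setup` test of rule 200 and falls all the way to rule 999, which is exactly the log entry posted; with it, rule 110 admits the packet.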
 
Code:
Dec 30 09:26:40 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0

nothing
this is SECURITY
 
BlackWolf said:
Code:
Dec 30 09:26:40 ServerBSD kernel: ipfw: 499 Deny P:2 192.168.1.1 224.0.0.1 in via rl0

nothing
this is SECURITY

You have zero dropped packets and log all dropping rules, so there is no reason to blame your FreeBSD firewall anymore.

My guess is that your upstream router (alice 192.168.1.1) is now the problem
and is not doing NAT for your TCP streams originating from your 10/24 linux box.

Cannot help you with that...
 