Lost connection to server after enabling IPFW

Hi,
I have rented a dedicated server which has FreeBSD 8.1. I'm having some trouble configuring my IPFW rules.

Here is my actual ipfw rule script:
Code:
#!/bin/sh
IPF="ipfw -q add"
ipfw -q -f flush

# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow ip from any to any out keep-state
$IPF 70 allow all from any to me in limit src-addr 10

# Apache
$IPF 120 allow tcp from any to me 80

# PuTTY (SSH)
$IPF 100 allow tcp from any to me 22

I guess my machine is connected to their data center through some IP address like this: 10.0.0.1

Is there any way that I can see all the IP addresses connected to me?
 
Thank you both for your help.

Problem solved :)

EDIT:
Just one last thing.

Code:
$IPF 70 allow all from any to me in limit src-addr 10

I want to limit 10 connections per ip.

Is this rule right?
 
Hi Ricky! Please remember and note that on 31 July (it will be on Tuesday, if I'm not mistaken), the support for FreeBSD 8.1 will end - Estimated EoL (end-of-life). You should consider upgrading to one of the available versions, except 8.2-RELEASE, because its support will also end on July 31. So you have to choose e.g. 8.3-RELEASE (which is an Extended Release) or 9-RELEASE. More info: Supported FreeBSD Releases.

Best regards!

Oh, I noticed you have posted the question about the connection limit. According to the ipfw(8) man page it is possible with the setup limit options, which - in fact - are already in your rule:

Code:
ipfw add allow tcp from 192.168.0.0/24 to any 80 limit src-addr 10

e.g. a rule that allows establishing up to 10 TCP connections on port 80 from "our" network.

The src-addr determines outgoing connections made from our network. You can also define the inverse limit - connections to the 192.168.0.0/24 network address.

Code:
ipfw add allow tcp from any to me setup limit src-addr 4

In the above example a client does not use more than 4 simultaneous connections. Your rule appears to be correct, but notice that you have added "in" between "to me" and "limit". I do not know whether it makes a difference, because I have not used the ipfw firewall for a long time.
 
"in" means all incoming connections. This way I can have few incoming connections and still be able to send whatever my server wants to. No one can send more than 10 connections to my server. I guess this will protect me against some DoS attacks.

I would love to have FreeBSD 9.0-RELEASE in my rented dedicated server but they don't support it. Already tried it at home and it seems pretty nice ;)

Thank you for your help.
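As an added example, not from the thread or from the ipfw project: a POSIX sh script that summarises the dynamic state table that a "limit src-addr N" rule such as rule 70 maintains, which is what you would look at to see which addresses currently hold connections to the box and which of them have reached the cap. The state dump it parses is constructed to imitate the layout of ipfw -d list (rule, packets, bytes, ttl, STATE/LIMIT, protocol, src sport <-> dst dport), and the addresses are documentation ranges, not hosts from the thread.

```shell
#!/bin/sh
# Per-source summary of the dynamic states an ipfw "limit src-addr N" rule keeps.
# Feed it real data with:  ipfw -d list | count_states_per_src 70
# Everything below the two helpers is a CONSTRUCTED sample that only imitates
# the "ipfw -d list" layout; the addresses are documentation ranges, not real hosts.

LIMIT_PER_SRC=10   # must equal the N in "limit src-addr N" (rule 70 in the thread)

# count_states_per_src RULE : read a state dump on stdin, print "addr count"
# for every remote source address holding states on RULE, busiest first.
count_states_per_src() {
    awk -v rule="$1" '
        $1 + 0 == rule + 0 {                 # only entries created by this rule
            for (i = 1; i <= NF; i++)
                if ($i == "<->") src[$(i - 2)]++   # token before "<->" is sport, before that the addr
        }
        END { for (a in src) print a, src[a] }
    ' | sort -k2,2nr -k1,1
}

# sources_at_limit RULE LIMIT : print the addresses that have reached the cap,
# i.e. the ones whose next connection attempt rule RULE will refuse.
sources_at_limit() {
    count_states_per_src "$1" | awk -v lim="$2" '$2 >= lim { print $1 }'
}

# gen_states RULE ADDR N : emit N constructed LIMIT entries for ADDR (test data)
gen_states() {
    n=0
    while [ "$n" -lt "$3" ]; do
        printf '%05d %7d %9d (300s) LIMIT ip %s %d <-> 192.0.2.10 80\n' \
            "$1" 1 60 "$2" $((49152 + n))
        n=$((n + 1))
    done
}

# sample_states : a constructed dump with one source at the cap, one below it,
# and an unrelated outbound keep-state entry from rule 60 that must be ignored.
sample_states() {
    echo '## Dynamic rules (14):'
    gen_states 70 203.0.113.5 10
    gen_states 70 198.51.100.7 3
    printf '%05d %7d %9d (300s) STATE ip 192.0.2.10 51000 <-> 198.51.100.9 443\n' 60 1 60
}

# Demo on the constructed sample
sample_states | count_states_per_src 70
sample_states | sources_at_limit 70 "$LIMIT_PER_SRC"
```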
 