IPFW [Solved] Blocking Connections

D

Deleted member 62636

Guest
(Sorry for being a noob, It's my first time on the forums)
Hi, I am using a custom firewall rules script, It supposed to block all connections other than the ones specified here but well, it doesn't
here is my script:
Bash: 
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 15 allow all from any to any via lo1
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow log icmp from any to any


$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow log tcp from any to any 22 in
$IPF 140 allow log tcp from any to any 22 out

$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow log tcp from any to any 80 in
$IPF 210 allow log tcp from any to any 80 out
$IPF 215 allow tcp from any to any 445 in
$IPF 216 allow tcp from any to any 445 out
# Jails


# deny everything
$IPF 500 deny all from any to any
It blocks most of them like smb, ssh etc. But When I examine the log file, I view weird connections from ports like 123, 37 etc. It should block them too right?

Is this line responsible for it? because when I comment it out all connections are blocked:
Code: 
$IPF 60 allow tcp from any to any established

Thanks!

Edit: This script blocks from hosting http, but doesn't block for connecting to http. (I can do
Code: 
pkg update -f
without any problems)
 
fedqx said:
It blocks most of them like smb, ssh etc. But When I examine the log file, I view weird connections from ports like 123, 37 etc. It should block them too right?
Click to expand...
Not if they originated on the machine itself. Your rule 70 allows everything to go out, so you can expect some return traffic in response. That return traffic is allowed by rule 60. Port 123 is commonly used for NTP, 37 is less common but also time related.

Not only check your logs but also use tcpdump(1) to look at the actual traffic. Make sure you understand the direction of a connection.

fedqx said:
This script blocks from hosting http, but doesn't block for connecting to http.
Click to expand...
That's exactly what I mean with direction. Are the connections coming in or are they going out? That's a very important distinction when it comes to firewalling.
 
I solved it by removing rule 60 and 70 and adding setup keep-state at the end of the rules
 
Last edited by a moderator:
jb_fvwm2 said:
At rule 217 or 81?
Click to expand...
from rule 110 to 216 (both included) like
Code: 
$IPF X allow tcp from any to any Y in setup keep-state
but keep in mind you have to only add
Code: 
keep-state
to UDP connections
 
fedqx said:
(Sorry for being a noob, It's my first time on the forums)
Hi, I am using a custom firewall rules script, It supposed to block all connections other than the ones specified here but well, it doesn't
here is my script:
Bash: 
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 15 allow all from any to any via lo1
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow log icmp from any to any


$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow log tcp from any to any 22 in
$IPF 140 allow log tcp from any to any 22 out

$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow log tcp from any to any 80 in
$IPF 210 allow log tcp from any to any 80 out
$IPF 215 allow tcp from any to any 445 in
$IPF 216 allow tcp from any to any 445 out
# Jails


# deny everything
$IPF 500 deny all from any to any
It blocks most of them like smb, ssh etc. But When I examine the log file, I view weird connections from ports like 123, 37 etc. It should block them too right?

Is this line responsible for it? because when I comment it out all connections are blocked:
Code: 
$IPF 60 allow tcp from any to any established

Thanks!

Edit: This script blocks from hosting http, but doesn't block for connecting to http. (I can do
Code: 
pkg update -f
without any problems)
Click to expand...

Hi
I need to edit the ipfw which file
please tell me
Thank you
 
You must log in or register to reply here.
Back
Top