Just a few more questions
Authored by: ppatoray on Sep 04, '03 05:55:43PM

Thanks, you guys are a wealth of information.

I had changed it from 'deny' to 'drop' a couple of hours ago, when I last posted. Since then, this is what my 'sudo ipfw show' shows me:

01000 8136 1130846 allow ip from any to any via lo*
01001 0 0 deny ip from 127.0.0.0/8 to any
01002 0 0 deny ip from any to 127.0.0.0/8
01003 0 0 deny ip from 224.0.0.0/3 to any
01004 0 0 deny tcp from any to 224.0.0.0/3
01005 0 0 check-state
01006 33 7920 allow tcp from any to any established
01007 0 0 allow ip from any to any frag
01090 0 0 allow icmp from any to any icmptype 3,4
01091 0 0 allow icmp from any to any in icmptype 11
01092 0 0 allow icmp from any to any out icmptype 8
01093 0 0 allow icmp from any to any in icmptype 0
02000 371 126658 allow udp from any 67-68 to any 67-68 via en0
02001 0 0 allow udp from any to 255.255.255.255 67-68 via en0
02002 0 0 unreach host log ip from any to any via en0 ipopt ssrr,lsrr
02003 0 0 allow udp from any 123 to any 1024-65535,123 via en0
02004 1 60 reset tcp from any to any 113
02006 100 15002 allow udp from any to any 53 keep-state out
02007 46 28840 allow tcp from any to any 80 keep-state in recv en0 setup
02008 9 552 allow tcp from any to any 20-21 keep-state in recv en0 setup
02008 0 0 allow tcp from any to any 25,110,143,993 keep-state in recv en0 setup
02020 0 0 deny udp from any 2222 to any
02021 70 8540 deny udp from any to any 2222
02022 210 19651 deny udp from any to any 137,138
52009 21909 11309907 allow ip from any to any keep-state out
52010 13 3444 deny log ip from any to any
65535 744 99863 allow ip from any to any

The way I read this, it looks like my 52010 rule, which is in my ipfw.rules as 'drop', is being rewritten as deny. Any ideas as to why?

Also, I don't understand exactly what rule 65535 is for. I don't have it in my rules, so I am assuming that it is some sort of default. I had done a search on Google for this rule at one point and came across some text referring to rebuilding the kernel on a Unix box to change this rule from allow to deny.

I would expect the count for rule 65535 to be zero, instead of showing logged traffic. Shouldn't rule 52010 deny this traffic before rule 65535 kicks in?



Just a few more questions
Authored by: yellow on Sep 04, '03 06:25:04PM

It is indeed a default rule built into ipfw. Don't worry about it.



Just a few more questions
Authored by: Anonymous on Sep 04, '03 06:35:36PM

Patrick,

Read my post from a few minutes ago about drop vs. deny: they're the same thing. Whichever one you write, it comes out as "deny"; the man page for ipfw says so, too.

Rule 65535 is compiled into the kernel by default. Think about it this way: if you don't configure your firewall, it's still enabled and running, so rule 65535 means that every packet will pass through unless you say otherwise.

Rule 65535 has a non-zero count because packets go through your system (especially on the loopback interface) before you load your firewall rules. If you want to zero it out, go to Terminal and type "ipfw zero 65535".

Hope that helps!

Best of luck,
Matt



Just a few more questions
Authored by: bluehz on Sep 06, '03 12:53:14AM

I tried this ruleset and it cut off access to the other Macs via AppleShare on my LAN. Watching the log, I could see it was the last two rules. I had to disable these two rules to get access again.

#################################################
## * * * Default Filter Policies * * *
#################################################
## Allow All Outgoing Services
#add 52009 allow all from any to any keep-state out

## Deny All Incoming Services
#add 52010 drop log all from any to any

Disabled those and my AppleShare worked again. That's not right, is it? Also followed the directions for setting up a StartupItem, but it never starts up.



Just a few more questions
Authored by: bluehz on Sep 06, '03 10:08:47AM

Few more questions:

* I like to use LittleSnitch to notify me of outgoing connections and create rules. Will using this IPFW method affect LittleSnitch?

* I would like to send the firewall log info to a separate firewall.log, so I followed the instructions listed here and added this to my syslog.conf:

authpriv,remoteauth,ftp.none;kern.debug /var/log/firewall.log

but it doesn't seem to be logging any info to firewall.log. How can I set this up to log to a separate firewall.log?

* How do I fix the AppleShare problem noted above?



Just a few more questions
Authored by: ppatoray on Sep 08, '03 08:31:06AM

Instead of removing the blanket rules, you should figure out what port your network needs to be allowed on and then add a rule allowing that port access. I don't use AppleShare, so my rules probably don't allow for the traffic.



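A worked illustration of the three points the thread circles around: ipfw walks the rules in ascending number order and stops at the first match, the built-in rule 65535 is what terminates that walk when nothing else matched (so it is the only rule that can fire when no rule file is loaded), a rule written as "drop" is stored and shown as "deny", and the blanket 52010 rule catches every unsolicited inbound packet, AppleShare included, until a narrower allow rule with a lower number precedes it. This is added example code, not ipfw and not anything posted in the thread: it models a subset of the rule syntax without dynamic (keep-state/check-state) state, the ruleset is an abbreviated copy of the posted 'ipfw show' output, and the AFP port (548 over TCP, which the thread never names), the LAN range 192.168.1.0/24 and the sample packets are constructed assumptions.

```python
# Added illustration, not ipfw: first-match evaluation of the thread's ipfw(8) syntax (no dynamic state).
import fnmatch
import ipaddress
import re

DEFAULT_RULE = "65535 allow ip from any to any"   # ipfw's built-in catch-all
PORTS = re.compile(r"^[\d,-]+$")

# Constructed from the thread's 'ipfw show' output (abbreviated, counters dropped);
# 52010 is written as in bluehz's rule file to show that drop is stored as deny.
POSTED_RULES = """
01000 allow ip from any to any via lo*
01001 deny ip from 127.0.0.0/8 to any
01005 check-state
01006 allow tcp from any to any established
02004 reset tcp from any to any 113
02007 allow tcp from any to any 80 keep-state in recv en0 setup
02008 allow tcp from any to any 20-21 keep-state in recv en0 setup
02022 deny udp from any to any 137,138
52009 allow all from any to any keep-state out
52010 drop log all from any to any
"""
# Assumed fix for the AppleShare complaint: AFP over TCP is port 548 (the thread
# never names the port) and the LAN is assumed to be 192.168.1.0/24.
AFP_FIX = "02009 allow tcp from 192.168.1.0/24 to any 548 in recv en0 setup"

def _ports(spec):
    """'20-21,80' -> [(20, 21), (80, 80)]."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def _port_ok(ranges, port):
    return ranges is None or (port is not None and any(lo <= port <= hi for lo, hi in ranges))

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    """Parse 'NNNNN action [log] proto from src [ports] to dst [ports] options...'."""
    t = line.split()
    r = {"num": int(t[0]), "action": "deny" if t[1] == "drop" else t[1],  # drop == deny
         "proto": "ip", "src": "any", "dst": "any", "sports": None, "dports": None, "opts": {}}
    if r["action"] == "check-state":
        return r
    i = 3 if t[2] == "log" else 2              # optional 'log' precedes the protocol
    r["proto"] = "ip" if t[i] == "all" else t[i]
    r["src"], i = t[i + 2], i + 3              # skip 'from'
    if PORTS.match(t[i]):
        r["sports"], i = _ports(t[i]), i + 1
    r["dst"], i = t[i + 1], i + 2              # skip 'to'
    if i < len(t) and PORTS.match(t[i]):
        r["dports"], i = _ports(t[i]), i + 1
    while i < len(t):                          # trailing option keywords
        key, i = t[i], i + 1
        if key in ("via", "recv", "xmit"):     # these take an interface argument
            r["opts"][key], i = t[i], i + 1
        else:                                  # in, out, setup, established, keep-state
            r["opts"][key] = True
    return r

def matches(r, p):
    o, flags = r["opts"], p.get("flags", set())
    if r["action"] == "check-state" or r["proto"] not in ("ip", p["proto"]):
        return False
    if not (_addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])):
        return False
    if not (_port_ok(r["sports"], p.get("sport")) and _port_ok(r["dports"], p.get("dport"))):
        return False
    if ("in" in o or "recv" in o) and p["dir"] != "in":
        return False
    if ("out" in o or "xmit" in o) and p["dir"] != "out":
        return False
    if any(k in o and not fnmatch.fnmatch(p["iface"], o[k]) for k in ("via", "recv", "xmit")):
        return False
    if "setup" in o and not ("syn" in flags and "ack" not in flags):   # SYN without ACK
        return False
    return not ("established" in o and not (flags & {"ack", "rst"}))

def evaluate(rules, packet):
    """(rule number, action) of the first matching rule; 65535 ends every walk."""
    for r in sorted(rules + [parse_rule(DEFAULT_RULE)], key=lambda x: x["num"]):
        if matches(r, packet):
            return r["num"], r["action"]

RULES = [parse_rule(line) for line in POSTED_RULES.strip().splitlines()]
# Constructed traffic on en0: this host is 192.168.1.10, another LAN Mac is 192.168.1.20.
AFP_SYN = {"proto": "tcp", "src": "192.168.1.20", "sport": 49152, "dst": "192.168.1.10",
           "dport": 548, "dir": "in", "iface": "en0", "flags": {"syn"}}
HTTP_SYN = dict(AFP_SYN, dport=80)
NETBIOS = dict(AFP_SYN, proto="udp", sport=137, dst="192.168.1.255", dport=137, flags=set())
OUT_HTTPS = dict(AFP_SYN, src="192.168.1.10", dst="203.0.113.5", dport=443, dir="out")

if __name__ == "__main__":
    for name, pkt in [("AFP in", AFP_SYN), ("HTTP in", HTTP_SYN), ("NetBIOS in", NETBIOS),
                      ("HTTPS out", OUT_HTTPS)]:
        print(f"{name:10} -> {evaluate(RULES, pkt)}")
    print("no rules   ->", evaluate([], AFP_SYN))                 # only 65535 exists
    print("with fix   ->", evaluate(RULES + [parse_rule(AFP_FIX)], AFP_SYN))
```

Run as-is, the inbound AFP SYN walks past every rule and lands on 52010 (stored as deny, whatever the file said), an inbound HTTP SYN stops at 02007, and with an empty ruleset the only thing left to match is 65535, which is why that rule's counter is never zero on a live box. Adding the assumed 02009 allow rule in front of 52010 lets the AppleShare connection through while the two blanket rules stay in place, which is the approach ppatoray recommends over commenting them out.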