> On 2004-08-04 20:31, Srot BULL <[EMAIL PROTECTED]> wrote:
>> On 2004-08-04 17:13, Srot BULL <[EMAIL PROTECTED]> wrote:
>>> Why are the above firewall logs telling me that it has denied my TCP packets and yet I am not experiencing any problems with my emails and access to the internet through port 80? [...]
>>
>> Giorgos Keramidas wrote: Show us the full ruleset. Otherwise we're just guessing...
>>
>> $CMD 00240 allow tcp from me to any out via $IFN setup keep-state uid root
>
> Hmm. I'm not sure if this is a good idea, but it's unrelated to the denied packets you're seeing :-/

I will RTFM about this... Thank you.

>> $CMD 00300 deny all from 192.168.0.0/16 to any in via $IFN
>> $CMD 00301 deny all from 172.16.0.0/12 to any in via $IFN
>> $CMD 00302 deny all from 10.0.0.0/8 to any in via $IFN
>
> You might want to also deny incoming packets from these addresses, or fall back to the default firewall rule -- whatever that rule is ("deny log all" in your case).

I think I can do this... I guess...

>> $CMD 00305 deny all from 169.254.0.0/16 to any in via $IFN
>
> Hmmm, what is this address block supposed to be here for?

I am sorry, I only copied this ruleset from the article... I really need to get back to RTFM and read the article again... maybe I missed something.

>> #reserved for doc's#
>
> And this one?
>
>> $CMD 00307 deny all from 204.152.64.0/23 to any in via $IFN

This one too...

> A better approach that will avoid forcing everyone to wait until their connections time out is to reply with an RST packet, which is the standard way TCP would reply if no auth/ident service was running at all.

I need some reading to understand what you just advised... Thank you.

> Fragments are not late-arriving packets ;-)
>
> This one is redundant, since it will only do the same as the one below:
>
>> #* Reject & Log all incoming connections from the outside *#
>> $CMD 00499 deny log all from any to any in via $IFN

OK...

>> # Everything else is denied by default
>> # DENY and LOG all packets that fell through to see what they are
>> $CMD 00999 deny log all from any to any
>>
>> My basis for my rulesets are taken from: http://freebsd.a1poweruser.com:6088/FBSD_firewall/
>
> AFAIK, the author of the page is a reader of the list too. I can't find
> anything wrong with the syntax of your rules. The only weird thing I noticed
> were the two hard-wired address blocks I mentioned above. Perhaps the author
> of the initial ruleset can help you more ;)

It was kind of the author to drop me an email...
and thank you for your advice too... I will base my rulesets on yours and other people's advice, and re-read that article for a better understanding... and maybe I can tune my rulesets more to better fit my system.

Have a nice day...

SrotBULL
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
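As an added example (this is not code from the thread, nor from the a1poweruser article it cites), here is a small sh script that turns the points raised in the reply into an ipfw ruleset: the private and link-local source blocks are dropped inbound, non-first fragments are dropped explicitly, auth/ident (tcp/113) gets a TCP RST via ipfw's "reset" action instead of a silent deny, and a single logged deny at the end replaces the redundant 00499/00999 pair. The interface name, the rule numbers and the dry-run default for $CMD are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the thread or the a1poweruser article): a dry-run
# ipfw ruleset builder. IFN and the rule numbers are assumptions; CMD
# defaults to "echo ..." so the rules can be reviewed without root, and is
# set to "ipfw -q add" when they are loaded for real.

IFN="${IFN:-xl0}"                  # assumed outside interface
CMD="${CMD:-echo ipfw -q add}"     # dry run by default

# rule NUMBER BODY...: hand one rule to $CMD
rule() {
    num="$1"; shift
    $CMD "$num" "$@"
}

build_rules() {
    # Private (RFC 1918), loopback and link-local (RFC 3927) sources have no
    # business arriving on the outside interface: drop them inbound.
    rule 00300 deny all from 192.168.0.0/16 to any in via "$IFN"
    rule 00301 deny all from 172.16.0.0/12 to any in via "$IFN"
    rule 00302 deny all from 10.0.0.0/8 to any in via "$IFN"
    rule 00303 deny all from 127.0.0.0/8 to any in via "$IFN"
    rule 00305 deny all from 169.254.0.0/16 to any in via "$IFN"

    # ipfw's "frag" option matches fragments other than the first one of a
    # datagram; they carry no TCP/UDP header, so drop them before any
    # port-based rule sees them.
    rule 00310 deny all from any to any frag in via "$IFN"

    # auth/ident probes from mail and IRC servers: "reset" answers with a
    # TCP RST, which is what a host without an ident daemon would send, so
    # the remote side gives up at once instead of waiting for a timeout.
    rule 00315 reset tcp from any to me 113 in via "$IFN"

    # Replies to our own stateful connections are matched here.
    rule 00320 check-state

    # Outbound from this host, creating dynamic rules for the replies.
    rule 00400 allow tcp from me to any out via "$IFN" setup keep-state
    rule 00401 allow udp from me to any out via "$IFN" keep-state

    # One logged catch-all; an extra "deny log all ... in via $IFN" placed
    # just before it would match nothing this rule does not.
    rule 00999 deny log all from any to any
}

build_rules
```

Run it as-is to print the rules for review; to load them, run it as root with CMD="ipfw -q add" in the environment (and an IFN matching the real outside interface). Remember that whatever packet does not match 00999 still falls to the kernel's own default rule 65535, which is why the script keeps an explicit logged deny of its own.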