From owner-freebsd-questions Sat Jan 11 15:36:45 2003
Subject: Re: Problems w NIC
From: Stacey Roberts
Reply-To: stacey@vickiandstacey.com
To: Nikolaj Farrell
Cc: FreeBSD Questions
In-Reply-To: <003701c2b9c4$db6e6950$0100a8c0@athlon>
Message-Id: <1042328202.51041.268.camel@localhost>
Date: 11 Jan 2003 23:36:42 +0000
X-Mailer: Ximian Evolution 1.2.0

Hi,

On Sat, 2003-01-11 at 22:57, Nikolaj Farrell wrote:
>
> Thanks for clarifying things.
>
> > I think I understand now. Here's what I (and others as well) believe is
> > the root of the problem - it's ipfw.
> >
> > By default it's got a rule that reads DENY EVERYTHING. If you run "ipfw
> > show" then it'll be right at the bottom. Unless you expressly allow
> > traffic with ipfw statements, then you'll get packets not being
> > forwarded onto respective destinations. Also if you've not actually
> > configured the rule-set (E.G. for logging) then that explains why
> > nothing appears in the logs.
> >
> > You mentioned that you've not configured any rules for the internal
> > network, so you've answered your own questions here. Post the output from
> > the above ipfw cmd, and I'm sure there'll be lots of assistance for you.
> >
> > Regards,
> >
> > Stacey
> >
>
> Actually... I have compiled ipfw _default to accept_...... and besides, no
> other computers on my LAN would work otherwise either. Just for the sake of
> it though, here is my ruleset
>
> su-2.05b# ipfw list
> 00190 divert 8668 ip from any to any via xl0
> 00301 deny log logamount 100 tcp from any to any 515 in recv xl0
> 00310 allow tcp from 212.181.54.2 53 to any in recv xl0
> 00311 allow tcp from 212.181.54.3 53 to any in recv xl0
> 00320 allow log logamount 100 tcp from any to any 22 in recv xl0
> 00321 allow log logamount 100 tcp from any to any 21 in recv xl0
> 00322 allow log logamount 100 tcp from any to any 113 in recv xl0 setup
> 00323 allow log logamount 100 tcp from any to any 80 in recv xl0
> 00324 allow tcp from any to any 25 via xl0
> 00325 allow tcp from any to any 995 via xl0
> 00395 deny log logamount 100 tcp from any to any 0-1024 in recv xl0 setup
> 00396 deny log logamount 100 tcp from any to any 2049 in recv xl0
> 00400 allow udp from 212.181.54.2 53 to any in recv xl0
> 00401 allow udp from 212.181.54.3 53 to any in recv xl0
> 00410 allow udp from any to any 123 in recv xl0
> 00499 deny log logamount 100 udp from any to any in recv xl0
> 00610 allow icmp from 212.181.54.2 to any in recv xl0
> 00611 allow icmp from 212.181.54.3 to any in recv xl0
> 00620 allow log logamount 100 icmp from any to any in recv xl0 icmptype 3
> 00621 allow log logamount 100 icmp from any to any in recv xl0 icmptype 8
> 65535 allow ip from any to any

So, you're saying that with this configuration, you:

1] Cannot ping any hosts on the internal network
2] No internal hosts can ping the internal IP address of the g'way.

Do this for me:-

1] tail /var/log/security
2] Back-up your current ipfw ruleset - and disconnect (physically) from the internet
3] create a new rule set that reads ipfw add allow log ip any to any
4] reload the new ruleset into place
5] Try connecting to and from other internal hosts
6] Post logs here.

Regards,

Stacey

>
> regards
> /Nikolaj
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
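The two claims in this exchange (Stacey: ipfw's last rule is a catch-all deny, so unlisted traffic is dropped; Nikolaj: this kernel was built default-to-accept, so rule 65535 is an allow) can be checked mechanically by walking the posted ruleset the way ipfw does: top to bottom, first terminating match wins. The following is an added example written for this page, not code from the thread or from FreeBSD. It parses Nikolaj's `ipfw list` output as pasted above and evaluates a few constructed packets against it. The internal NIC name `rl0`, the LAN range 192.168.0.0/24 and the gateway address 203.0.113.5 are assumptions; the toy evaluator only understands the options that appear in this ruleset, and it treats `divert` as "natd hands the packet back, continue at the next rule".

```python
# Added example (not from the thread): a toy first-match evaluator for the ipfw1
# `ipfw list` output Nikolaj posted. It understands only the options that ruleset uses.
import ipaddress

RULESET = """\
00190 divert 8668 ip from any to any via xl0
00301 deny log logamount 100 tcp from any to any 515 in recv xl0
00310 allow tcp from 212.181.54.2 53 to any in recv xl0
00311 allow tcp from 212.181.54.3 53 to any in recv xl0
00320 allow log logamount 100 tcp from any to any 22 in recv xl0
00321 allow log logamount 100 tcp from any to any 21 in recv xl0
00322 allow log logamount 100 tcp from any to any 113 in recv xl0 setup
00323 allow log logamount 100 tcp from any to any 80 in recv xl0
00324 allow tcp from any to any 25 via xl0
00325 allow tcp from any to any 995 via xl0
00395 deny log logamount 100 tcp from any to any 0-1024 in recv xl0 setup
00396 deny log logamount 100 tcp from any to any 2049 in recv xl0
00400 allow udp from 212.181.54.2 53 to any in recv xl0
00401 allow udp from 212.181.54.3 53 to any in recv xl0
00410 allow udp from any to any 123 in recv xl0
00499 deny log logamount 100 udp from any to any in recv xl0
00610 allow icmp from 212.181.54.2 to any in recv xl0
00611 allow icmp from 212.181.54.3 to any in recv xl0
00620 allow log logamount 100 icmp from any to any in recv xl0 icmptype 3
00621 allow log logamount 100 icmp from any to any in recv xl0 icmptype 8
65535 allow ip from any to any
"""
OPTIONS = {"in", "out", "recv", "xmit", "via", "setup", "icmptype"}

def parse_ports(tok):
    """'53' -> [(53, 53)]; '0-1024,2049' -> [(0, 1024), (2049, 2049)]."""
    return [(int(lo), int(hi or lo)) for lo, _, hi in (p.partition("-") for p in tok.split(","))]

def parse_rule(line):
    """One `ipfw list` line -> dict. 'log [logamount N]' only affects logging, so it is skipped."""
    t = line.split()
    r = {"number": int(t[0]), "action": t[1], "sports": [], "dports": [],
         "dir": None, "iface": None, "setup": False, "icmptypes": set()}
    i = 3 if t[1] == "divert" else 2                 # skip number, action[, divert port]
    if t[i] == "log":
        i += 3 if t[i + 1] == "logamount" else 1
    r["proto"], i = t[i], i + 1
    r["src"], i = t[i + 1], i + 2                    # t[i] is "from"
    if t[i] != "to":
        r["sports"], i = parse_ports(t[i]), i + 1
    r["dst"], i = t[i + 1], i + 2                    # t[i] is "to"
    if i < len(t) and t[i] not in OPTIONS:
        r["dports"], i = parse_ports(t[i]), i + 1
    while i < len(t):
        kw, i = t[i], i + 1
        if kw in ("in", "out"):
            r["dir"] = kw
        elif kw in ("recv", "xmit", "via"):
            r["iface"], i = (kw, t[i]), i + 1
        elif kw == "setup":                          # TCP segments with SYN set and ACK clear
            r["setup"] = True
        elif kw == "icmptype":
            r["icmptypes"], i = {int(x) for x in t[i].split(",")}, i + 1
        else:
            raise ValueError(f"rule {t[0]}: unsupported option {kw!r}")
    return r

def matches(r, p):
    """Does rule r apply to packet p? p keys: proto, src, dst, dir, recv, xmit, sport, dport, syn_only, icmptype."""
    addr = lambda spec, ip: spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    port = lambda rng, v: not rng or (v is not None and any(lo <= v <= hi for lo, hi in rng))
    if r["proto"] not in ("ip", p["proto"]) or not (addr(r["src"], p["src"]) and addr(r["dst"], p["dst"])):
        return False
    if not (port(r["sports"], p.get("sport")) and port(r["dports"], p.get("dport"))):
        return False
    if r["dir"] and r["dir"] != p["dir"]:
        return False
    if r["iface"]:
        kind, name = r["iface"]
        seen = {"recv": [p.get("recv")], "xmit": [p.get("xmit")]}.get(kind, [p.get("recv"), p.get("xmit")])
        if name not in seen:
            return False
    if r["setup"] and not p.get("syn_only"):
        return False
    return not r["icmptypes"] or p.get("icmptype") in r["icmptypes"]

def evaluate(rules, p):
    """First matching terminating rule wins, as in ipfw. Returns (rule number, action)."""
    for r in rules:
        if matches(r, p):
            if r["action"] == "divert":              # natd hands the packet back; continue below
                continue
            return r["number"], r["action"]
    raise RuntimeError("nothing matched; real ipfw always ends with a terminating rule 65535")

RULES = [parse_rule(line) for line in RULESET.splitlines()]

# Constructed packets; rl0 / 192.168.0.0/24 (internal NIC and LAN) and 203.0.113.5 (gateway) are assumed.
LAN_PING = {"proto": "icmp", "src": "192.168.0.10", "dst": "192.168.0.1", "dir": "in", "recv": "rl0", "icmptype": 8}
LPD_PROBE = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5", "dir": "in", "recv": "xl0",
             "sport": 40000, "dport": 515, "syn_only": True}
LOWPORT_SYN = {**LPD_PROBE, "dport": 1000}                  # SYN to a low port with no explicit allow
LOWPORT_ACK = {**LOWPORT_SYN, "syn_only": False}            # same port, ACK-only segment
RANDOM_UDP = {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.5", "dir": "in", "recv": "xl0",
              "sport": 5000, "dport": 5000}
```

Running `evaluate(RULES, LAN_PING)` lands on `(65535, "allow")`: every rule above the default is bound to `xl0`, so traffic on the internal interface falls through to rule 65535, which in this kernel is an allow. On that reading the ruleset does not explain why internal hosts cannot reach the gateway, which is what Nikolaj argues. The other constructed packets show the first-match behaviour Stacey describes: the LPD probe stops at 00301 (deny), a SYN to port 1000 stops at 00395 (deny), random inbound UDP stops at 00499 (deny). One caveat the evaluator surfaces is that 00395 has `setup`, so an ACK-only segment to the same port (`LOWPORT_ACK`) matches nothing and is allowed by 65535; that is expected for a stateless ruleset but worth knowing when reading the logs. Note also that ipfw rule syntax requires the `from` keyword, so the catch-all in step 3 is typed as `ipfw add allow log ip from any to any`.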