From: Emmanuel Gravel
Reply-To: chemtechweb@psn.net
Organization: Orbit Communications
Date: Tue, 02 Feb 1999 04:48:54 -0700
To: freebsd-questions@FreeBSD.ORG
Subject: Firewall rules
Message-ID: <36B6E626.2C67786A@psn.net>

I've been trying to set up a firewall. I barely modified the simple ruleset (just changed the IP addresses and interfaces). I have a few computers connected on an internal LAN. The FreeBSD machine will serve as a gateway. I set up the oip to a bogus address since I don't know how to set it up to a dynamically allocated address (if someone could tell me how, I'd appreciate it :)

My problem, however, isn't the oif or oip (not for now at least). I've been trying to ping out to my LAN and get a permission denied. I try to ping in from the LAN and don't get a response. I try connecting to the named server from the LAN and don't get anything either. Only the FreeBSD machine has access to the web server, no others. They don't even really know the machine exists, except for the fact that I set it as the primary name server on the NIC.
I'd also like to get SAMBA to be useful (I've already set up the scripts; all I need is to open up the connection to the LAN while keeping it closed to the world). I'd also like to use Exceed on the LAN (Win98 machines), therefore I need to have X opened to the LAN and closed to the world. Here are my firewall rules:

    # Outside (Internet) interface and the inside (LAN) interface
    oif="tun0"
    onet="222.168.0.0"
    omask="255.255.255.0"
    oip="222.168.0.11"
    iif="ep0"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.11"

    # Anti-spoofing: inside addresses may not arrive on the outside and vice versa
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # RFC 1918 private space never crosses the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Established TCP, and the public services (SMTP, DNS, HTTP) on the outside address
    $fwcmd add pass tcp from any to any established
    $fwcmd add pass tcp from any to ${oip} 25 setup
    $fwcmd add pass tcp from any to ${oip} 53 setup
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Log and drop any other inbound connection attempt from the outside,
    # then allow connections opened from anywhere else
    $fwcmd add deny log tcp from any to any in via ${oif} setup
    $fwcmd add pass tcp from any to any setup

    # UDP for DNS and NTP, to and from the outside address only
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

I've tried to understand why my machine is still so closed, but nothing seems to work (mind you, it's also very late and my mind is mush, but I should have at least understood why it's not open to simple tasks with these rules). I'm sure I need to add more rules, I just don't know how to formulate them properly yet. BTW, this is FreeBSD R 2.2.7 straight off of CDs, and I do have Greg's book, and have looked through the pages on how to set up the firewall, but no more than that and the man pages for docs on ipfw.
Thanks,
Manu
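An added example, not part of Manu's message nor of FreeBSD's rc.firewall: the ruleset above, rebuilt as a dry-run script, plus the LAN-side rules it is missing. The point for a defender reading the post is that, with the default kernel configuration, anything no rule matches falls through to ipfw's final rule 65535 and is denied. The original set has no pass rule at all for ICMP or for UDP on ep0, which is exactly why ping fails in both directions and LAN clients cannot reach named (DNS queries are UDP, and the only UDP rules name the outside address). TCP is already fine: "pass tcp from any to any setup" lets the LAN open Samba's port 139 and lets X clients connect back to Exceed. The script assumes ipfw syntax as on FreeBSD 2.2.x, the same addresses and interfaces as the post, and a dry-run convention of the editor's own: with no FWCMD set it only echoes the rules, and FWCMD=/sbin/ipfw loads them for real. The loopback rules and the NetBIOS 137/138 rules are the editor's additions.

```shell
#!/bin/sh
# Added example (editor's, not from the original post): the posted rules plus
# the inside-interface rules the simple set lacks.
# Assumptions: ipfw syntax as on FreeBSD 2.2.x; by default only prints the
# rules ("echo ipfw"); set FWCMD=/sbin/ipfw to load them for real.

oif="tun0"; onet="222.168.0.0"; omask="255.255.255.0"; oip="222.168.0.11"
iif="ep0";  inet="192.168.0.0"; imask="255.255.255.0"; iip="192.168.0.11"
fwcmd="${FWCMD:-echo ipfw}"

build_rules() {
    # Loopback must be allowed, and nothing on the wire may claim 127/8.
    $fwcmd add pass all from any to any via lo0
    $fwcmd add deny all from any to 127.0.0.0:255.0.0.0

    # Anti-spoofing, as in the original set.
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # RFC 1918 space never crosses the outside interface (original set, looped).
    for net in 192.168.0.0:255.255.0.0 172.16.0.0:255.240.0.0 10.0.0.0:255.0.0.0; do
        $fwcmd add deny all from ${net} to any via ${oif}
        $fwcmd add deny all from any to ${net} via ${oif}
    done

    # What the original set is missing on the LAN side: ICMP (ping) and UDP
    # have no pass rule for ep0, so they hit the default deny. Open only what
    # the LAN needs rather than the whole interface.
    $fwcmd add pass icmp from any to any via ${iif}
    $fwcmd add pass udp from ${inet}:${imask} to ${iip} 53 in via ${iif}
    $fwcmd add pass udp from ${iip} 53 to ${inet}:${imask} out via ${iif}
    # NetBIOS name and datagram service for Samba (TCP 139 is covered by the
    # "setup" rule further down).
    $fwcmd add pass udp from ${inet}:${imask} to any 137 via ${iif}
    $fwcmd add pass udp from any 137 to ${inet}:${imask} via ${iif}
    $fwcmd add pass udp from ${inet}:${imask} to any 138 via ${iif}
    $fwcmd add pass udp from any 138 to ${inet}:${imask} via ${iif}

    # TCP: established flows, the public services on the outside address,
    # log-and-drop every other inbound setup from the outside, then let the
    # gateway and the LAN open connections (this already covers Samba's 139
    # and X11 sessions to Exceed).
    $fwcmd add pass tcp from any to any established
    for port in 25 53 80; do
        $fwcmd add pass tcp from any to ${oip} ${port} setup
    done
    $fwcmd add deny log tcp from any to any in via ${oif} setup
    $fwcmd add pass tcp from any to any setup

    # UDP the gateway itself needs on the outside: DNS and NTP.
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123
    # Everything else falls through to ipfw's default rule 65535 (deny).
}

# Number of rules the script emits.
rule_count() { build_rules | grep -c ' add '; }

# Returns 0 when the two LAN-side gaps (ICMP and UDP DNS on ep0) are covered.
check_lan_rules() {
    build_rules | grep -q "pass icmp from any to any via ${iif}" &&
    build_rules | grep -q "pass udp from ${inet}:${imask} to ${iip} 53"
}

build_rules
```

Running it with no FWCMD prints the 27 rules in order, which is a cheap way to review a ruleset before loading it on a box you are logged into over the network; rule order matters, since ipfw takes the first match.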