From owner-freebsd-config@FreeBSD.ORG Tue Aug 5 11:03:21 2003
From: Mick Walker
To: freebsd-config@freebsd.org
Date: 05 Aug 2003 19:01:37 +0100
Subject: IPFW Help
Message-Id: <1060106496.1360.7.camel@materialised.hopto.org>
List-Id: Installation and Configuration

Hi everyone,

I'm a totally new user to FreeBSD and am currently running 5.1 release 2 on an Intel based machine. I have been a Linux user for many years and am quite familiar with ipchains/tables. However, migrating to FreeBSD is proving to be quite a challenge to me. Up until this point I have got everything working as it did on my Linux gateway: I have configured natd to masquerade connections for the internal network, and set X to start up at boot. However, one thing is evading me: I can't seem to add any firewall rules.
Here are the contents of my /etc/rc.firewall file, which is called by rc.local on boot:

bash-2.05b$ cat /etc/rc.firewall
/sbin/ipfw flush
/sbin/ipfw add divert natd all from any to any via sis0
/sbin/ipfw add pass all from any to any
/sbin/ipfw add 00322 deny log tcp from any to any 6000 in recv sis0
/sbin/ipfw add 00322 deny log tcp from any to any 0-1000 in recv sis0 setup
/sbin/ipfw add 00499 deny log udp from any to any in recv sis0
/sbin/ipfw add 00322 deny log tcp from any to any 3306 in recv sis0
/sbin/ipfw add 00322 deny log tcp from any to any 587 in recv sis0
/sbin/ipfw add 00322 deny log tcp from any to any 135-140 in recv sis0
/sbin/ipfw add 00310 allow tcp from 62.254.64.21 53 to any in recv sis0
/sbin/ipfw add 00322 allow log tcp from any to any 23 in recv sis0 setup
/sbin/ipfw add 00322 allow log tcp from any to any 22 in recv sis0 setup
/sbin/ipfw add 00322 allow log tcp from any to any 21 in recv sis0 setup
/sbin/ipfw add 00322 allow log tcp from any to any 80 in recv sis0 setup
/sbin/ipfw add 00322 allow log tcp from any to any 25 in recv sis0 setup
/sbin/ipfw add 00322 allow log tcp from any to any 110 in recv sis0 setup
/sbin/ipfw add 00400 allow udp from 62.254.64.21 53 to any in recv sis0
/sbin/ipfw add 00600 allow icmp from 62.254.64.21 to any in recv sis0
/sbin/ipfw add 00310 allow tcp from 62.254.64.21 53 to any in recv sis0

I have been told that I should rearrange these so the deny and allow rules come before the "pass all from any to any" rule; however, when I do this the whole system doesn't seem to have any internet access: I can't ping any system on the internet or connect to any services. Could someone please point out where I am going wrong?

Thanks in advance,
Mick
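An added example, not the rc.firewall from the post above: the same policy with every rule explicitly numbered. ipfw evaluates rules in number order, and an unnumbered "add" gets the highest existing number plus 100 (sysctl net.inet.ip.fw.autoinc_step), so in the original file the unnumbered "pass all" became rule 200 and the numbered 3xx-6xx rules were always evaluated after it no matter where they sat in the file, which is why they never appeared to take effect. The script assumes sis0 is the outside interface and 62.254.64.21 is the resolver, as in the post; setting IPFW=echo makes it a dry run that only prints the rules.

```sh
#!/bin/sh
# Added example, not the rc.firewall from the post. ipfw orders rules by
# number, and an unnumbered "add" gets (highest existing number + 100), so
# the original unnumbered "pass all" became rule 200 and the numbered
# 3xx-6xx rules always ran after it. Here every rule is numbered and the
# catch-all is last, so file order is evaluation order.
# Assumptions (from the post): sis0 is the outside interface and
# 62.254.64.21 is the resolver; change it if yours differs, or rule 510
# will block your DNS replies. IPFW=echo turns this into a dry run.
IPFW="${IPFW:-/sbin/ipfw}"

# Rule 600 keeps established TCP flowing if the catch-all 620 is later
# tightened to a deny; 620 is the original "pass all", now evaluated last.
rules() {
    cat <<'EOF'
100 divert natd ip from any to any via sis0
200 deny log tcp from any to any 6000 in recv sis0
210 deny log tcp from any to any 3306 in recv sis0
220 deny log tcp from any to any 587 in recv sis0
230 deny log tcp from any to any 135-140 in recv sis0
300 allow tcp from 62.254.64.21 53 to any in recv sis0
310 allow udp from 62.254.64.21 53 to any in recv sis0
320 allow icmp from 62.254.64.21 to any in recv sis0
400 allow log tcp from any to any 21,22,23,25,80,110 in recv sis0 setup
500 deny log tcp from any to any 0-1000 in recv sis0 setup
510 deny log udp from any to any in recv sis0
600 allow tcp from any to any established
620 allow ip from any to any
EOF
}

# Refuse a rule set whose numbers do not strictly increase: that is the
# exact mistake that left the original deny rules behind the catch-all.
check_order() {
    rules | awk '$1 + 0 <= prev { bad = 1 } { prev = $1 + 0 }
                 END { print (bad ? "unordered" : "ordered") }'
}

load() {
    [ "$(check_order)" = ordered ] || { echo "rule numbers out of order" >&2; return 1; }
    $IPFW -f flush
    rules | while read -r num rest; do
        $IPFW add "$num" $rest
    done
}

[ -x "$IPFW" ] || IPFW=echo   # no ipfw on this host: just print the rules
load
```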