Date: Thu, 29 Apr 1999 13:22:18 +1000
From: Andrew Johns <A_Johns@TurnAround.com.au>
To: Christoff Snijders <hjcs@home.com>
Cc: Guy Helmer <ghelmer@scl.ameslab.gov>, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules
Message-ID: <3727D06A.23DECCAA@TurnAround.com.au>
References: <Pine.SGI.4.10.9904281932230.4039-100000@demios.scl.ameslab.gov> <3727B56C.2D8D0ED1@home.com>
Christoff Snijders wrote:
>
> Guy Helmer wrote:
> >
> > On Wed, 28 Apr 1999, Christoff Snijders wrote:
> > [snip]
> > > ...
> > > # divert traffic to natd (I added this)
> > > /sbin/ipfw add divert natd all from any to any via ed2
> >
> > Hmm, isn't there a divert rule at the beginning of /etc/rc.firewall?
>
> It doesn't look like it in 2.2.5-RELEASE.
>
> > > ...
> > > # Stop RFC1918 nets on the outside interface
> > > $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> > > $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> > > $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> >
> > I've replaced those three rules with these six rules on my 2.2.8 firewall:
> >
> > # Stop RFC1918 nets on the outside interface
> > $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
> > $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
> > $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
> > $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
> > $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
> > $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}
> >
> > Hope this helps,
>
> Thanks for the info. I actually tried this (but I tried it now again,
> to be sure) when I found one of your postings to this mailing list in
> the archives. It seems that if I remove the rule
>
> ipfw 65000 allow ip from any to any
>
> my internal network can't see the Internet (even with the changes you
> suggest). I would ideally like to be able to remove rule 65000, and have
> explicit rules to allow traffic in, but then again, I don't really know
> what I'm doing here, and maybe what I've got is okay, given the deny
> rules that appear higher up in the list. :-)
>

What you could try is to enable logging - when I was unsure of what was
happening, I retained the existing rules that I was using and added a rule
such as:

ipfw add 65530 deny log all from any to any

so that it was the last rule before the default 'deny all from any to any' -
this _logs_ the denied packets to the console so that you can see _exactly_
what is being denied. It's hard indeed to debug rulesets when you can't 'see'
what is being denied.

You will probably also want to limit the number of log lines by setting
options IPFIREWALL_VERBOSE_LIMIT=number in your kernel config file and
rebuilding your kernel - you'll need to add options IPFIREWALL_VERBOSE as well
to enable the logging to the console.

HTH

-- 
Regards                          |   _/\_/\
Andrew Johns BSc (Comp Sci)      |  /      \
TurnAround Solutions Pty Ltd     |  \_...__/
http://www.turnaround.com.au/    |     \/
"The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
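An added example, not part of the thread: a small Python script that digests the console lines a logging deny rule like the one above produces, so you can see which rule denied what, which explicit allow rules are still missing before rule 65000 can go, and whether the RFC1918 anti-spoof rules are catching anything on the outside interface. The log line format is assumed from the IPFIREWALL_VERBOSE output of that era, and the sample lines, the external address 203.0.113.50 on ed2 and anti-spoof rule number 200 are all constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed console line format for ipfw with IPFIREWALL_VERBOSE (FreeBSD 2.x/3.x):
#   ipfw: <rule> <Action> <PROTO> <src>[:<sport>] <dst>[:<dport>] <in|out> via <if>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# The three RFC1918 ranges that the thread's anti-spoof rules cover.
RFC1918 = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# Constructed sample log, not a real capture: outside interface ed2 with the
# hypothetical address 203.0.113.50; rule 200 is a hypothetical anti-spoof deny.
# Outbound lines carry the post-natd source, since the divert rule runs first.
SAMPLE_LOG = """\
ipfw: 65530 Deny TCP 203.0.113.50:1034 203.0.113.9:80 out via ed2
ipfw: 65530 Deny TCP 203.0.113.50:1035 203.0.113.9:80 out via ed2
ipfw: 65530 Deny UDP 203.0.113.50:1036 203.0.113.1:53 out via ed2
ipfw: 65530 Deny ICMP:8.0 198.51.100.7 203.0.113.50 in via ed2
ipfw: 200 Deny TCP 10.9.9.9:31337 203.0.113.50:23 in via ed2
"""

def parse_line(line):
    """Return a dict of fields for one ipfw log line, or None if it doesn't match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count denied packets per rule and per (proto, direction, dport), and
    list inbound sources on the outside interface that fall in RFC1918 space."""
    per_rule, per_service, private_inbound = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        per_rule[rec["rule"]] += 1
        per_service[(rec["proto"], rec["dir"], rec["dport"])] += 1
        if rec["dir"] == "in" and any(ip_address(rec["src"]) in n for n in RFC1918):
            private_inbound.append(rec["src"])
    return per_rule, per_service, private_inbound

if __name__ == "__main__":
    rules, services, private = summarize(SAMPLE_LOG.splitlines())
    for (proto, direction, port), n in services.most_common():
        print(f"{n:4d} x {proto} {direction} dport={port}")  # candidates for explicit allow rules
    print("private-source packets denied on the outside interface:", private)
```

Feed it the real console log with `python3 script.py < /var/log/messages`-style redirection once you replace SAMPLE_LOG with `sys.stdin`; the per-service counts are the traffic you still need explicit rules for.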