From: "Kevin Kinsey, DaleCo, S.P."
To: "Kevin Kinsey, DaleCo, S.P.", "Jamie"
Date: Tue, 1 Jul 2003 20:45:13 -0500
Organization: DaleCo, S.P.---"the solutions people"
Subject: Re: setting up ipfw
List: freebsd-questions@freebsd.org (User questions)

CORRECTION: That last rule I quoted is actually:

00050 allow tcp from any to my.ip.ad.res 22 setup
                                         ^^

Makes it work much better for SSH...

----- Original Message -----
From: "Kevin Kinsey, DaleCo, S.P."
To: "Jamie"
Sent: Tuesday, July 01, 2003 8:29 PM
Subject: Re: setting up ipfw

> From: "Jamie"
> To:
> Sent: Tuesday, July 01, 2003 8:01 PM
> Subject: setting up ipfw
>
> > I am having a very difficult time setting up ipfw on a 4.8
> > installation. Was wondering if anyone might be able to shed some
> > light on this.
> >
> > I followed the directions in the handbook, and I compiled a new
> > kernel with these options, (I am going for a deny all by default,
> > open services as necessary philosophy):
> >
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=10
> >
> > Upon rebooting, I was unable to access the machine from anywhere,
> > which is fine, because I have console access.
> >
> > Output of ifconfig -a looks like this:
> >
> > ifconfig -a
> > fxp0: flags=8843 mtu 1500
> >         inet 200.88.54.93 netmask 0xffffff00 broadcast 200.88.54.255
> >         inet6 fe80::203:47ff:fe77:8169%fxp0 prefixlen 64 scopeid 0x1
> >         ether 00:03:47:77:81:69
> >         media: Ethernet autoselect (100baseTX )
> >         status: active
> > lp0: flags=8810 mtu 1500
> > lo0: flags=8049 mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> >         inet 127.0.0.1 netmask 0xff000000
> > ppp0: flags=8010 mtu 1500
> > sl0: flags=c010 mtu 552
> > faith0: flags=8002 mtu 1500
> >
> > the name of the machine is power.bar.com
> >
> > I want to ssh in from another machine: foo.bar.com with IP
> > address 200.88.34.12.
> >
> > This is the rule I am adding:
> >
> > ipfw add allow tcp from 200.88.34.12 to power.bar.com 22
> >
> > It tells me it can't resolve power.bar.com!
> >
> > So, I try:
> >
> > ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22
> >
> > It accepts the rule, but I still cannot connect from foo.bar.com.
> >
> > Anyone have any ideas?
>
> Are you allowing ip OUT from 200.88.54.93?
>
> Please post output of "ipfw show" (not that it's not implicit,
> I guess...) and describe your network topography.
>
> FWIW, here's my top few rules:
>
> 00010 allow ip from my.ip.ad.dres to any out
> 00020 deny log logamount 20 ip from any to any out
> 00030 allow tcp from any to any established
> 00040 allow ip from any to any frag
> 00050 allow tcp from any to my.ip.ad.res setup
>
> Kevin Kinsey
> DaleCo, S.P.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
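Kevin's question ("are you allowing ip OUT?") is the whole story: ipfw is a stateless, first-match filter, so a single rule that only matches the inbound SYN lets nothing come back, and the reply falls to the default deny that `options IPFIREWALL` installs as rule 65535. The simulation below is an added example, not code from the thread: it walks the three packets of an SSH handshake to power.bar.com through Jamie's one rule and through Kevin's corrected top five rules. The client port 40000 and the simplified `setup`/`established`/`frag` semantics are assumptions; the addresses are the ones Jamie posted.

```python
POWER, FOO = "200.88.54.93", "200.88.34.12"   # firewall host and SSH client from Jamie's mail

def rule(num, action, proto="ip", src="any", dst="any", dport=None, direction=None, opt=None):
    """One rule; opt is None, 'setup', 'established' or 'frag' (the keywords used in the thread)."""
    return dict(num=num, action=action, proto=proto, src=src, dst=dst,
                dport=dport, direction=direction, opt=opt)

def matches(r, p):
    return all([
        r["proto"] in ("ip", p["proto"]),
        r["src"] in ("any", p["src"]),
        r["dst"] in ("any", p["dst"]),
        r["dport"] in (None, p["dport"]),
        r["direction"] in (None, p["dir"]),                  # no in/out keyword: matches both ways
        r["opt"] != "setup" or (p["syn"] and not p["ack"]),  # setup: SYN set, ACK clear (new conn)
        r["opt"] != "established" or p["ack"],               # established: ACK set (not the SYN)
        r["opt"] != "frag" or p["frag"],
    ])

def first_match(rules, p):
    """(rule number, action) of the first match; 65535 deny is the default with options IPFIREWALL."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"

def tcp(src, dst, dport, direction, syn, ack):
    return dict(proto="tcp", src=src, dst=dst, dport=dport, dir=direction, syn=syn, ack=ack, frag=False)

# The SSH handshake as seen by power.bar.com (constructed packets; client port is illustrative).
HANDSHAKE = [
    tcp(FOO, POWER, 22, "in", syn=True, ack=False),      # client SYN to port 22
    tcp(POWER, FOO, 40000, "out", syn=True, ack=True),   # our SYN-ACK back to the client
    tcp(FOO, POWER, 22, "in", syn=False, ack=True),      # client ACK completes the handshake
]

# Jamie's single rule: the inbound SYN passes, but the outbound reply falls to the default deny.
JAMIE = [rule(100, "allow", "tcp", FOO, POWER, 22)]

# Kevin's top rules with his corrected rule 50 ('log logamount 20' on rule 20 is not modelled).
KEVIN = [
    rule(10, "allow", "ip", POWER, direction="out"),
    rule(20, "deny", "ip", direction="out"),
    rule(30, "allow", "tcp", opt="established"),
    rule(40, "allow", "ip", opt="frag"),
    rule(50, "allow", "tcp", "any", POWER, 22, opt="setup"),
]

def trace(rules):
    """Verdict for each handshake packet; SSH works only if all three are allowed."""
    return [first_match(rules, p) for p in HANDSHAKE]
```

With Jamie's rule the SYN-ACK from 200.88.54.93 is the packet that dies, which is why the connection hangs rather than being refused.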