From: Robert Storey
To: freebsd-questions@freebsd.org
Date: Sun, 14 Sep 2003 17:27:15 +0800
Subject: firewall
Message-Id: <20030914172715.20a91c69.y2kbug@ms25.hinet.net>
X-Mailer: Sylpheed version 0.8.11 (GTK+ 1.2.10; i386-debian-linux-gnu)

Dear All,

I'm having a hard time configuring a firewall. I ALMOST understand it, but I've run into one problem. I think I don't actually have my /etc/rc.firewall set up properly. Maybe I don't really understand what the "ip" setting should be, and I've made it the same as my "net" setting.

Anyway, what I can say is that with the configuration I have, I can access my internal (ethernet) network, but ppp is totally blocked, which of course I don't want.

Below are the configuration settings I've made, and the results I get. I hope that somebody can help.
best regards,
Robert Storey

FROM /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="client"

FROM /etc/rc.firewall:

# set these to your network and netmask and ip
net="192.168.0.2"
mask="255.255.255.0"
ip="192.168.0.2"

CONTENT OF /etc/hosts:

# ::1 localhost localhost.utopia.com
127.0.0.1 localhost localhost.utopia.com
#
192.168.0.3 ibm.utopia.com ibm
192.168.0.2 sonic.utopia.com sonic
192.168.0.1 pro.utopia.com pro

OUTPUT OF "ipfw -a list":

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow ip from 192.168.0.2 to 192.168.0.0/24
00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.2
00600 0 0 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 192.168.0.2 dst-port 25 setup
00900 0 0 allow tcp from 192.168.0.2 to any setup
01000 0 0 deny tcp from any to any setup
01100 0 0 allow udp from 192.168.0.2 to any dst-port 53 keep-state
01200 0 0 allow udp from 192.168.0.2 to any dst-port 123 keep-state
65535 0 0 deny ip from any to any
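The following is an added illustration, not part of Robert's mail: a small first-match evaluator that takes the "ipfw -a list" output quoted above and traces which rule a given packet hits. It implements only the keywords present in that listing (allow/deny, ip/tcp/udp, from/to, via, dst-port, setup, established, frag, keep-state) and treats keep-state as a static match, ignoring the dynamic rule it would create in real ipfw. The interface names (rl0, tun0) and the addresses 203.0.113.5, 198.51.100.7 and 198.51.100.9 are constructed sample values; in particular it assumes, as is usual for a dial-up ppp link, that the ppp interface carries an address other than 192.168.0.2.

```python
import ipaddress

# The ruleset exactly as listed in the mail: number, packet count, byte count, body.
RULES_TEXT = """
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow ip from 192.168.0.2 to 192.168.0.0/24
00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.2
00600 0 0 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 192.168.0.2 dst-port 25 setup
00900 0 0 allow tcp from 192.168.0.2 to any setup
01000 0 0 deny tcp from any to any setup
01100 0 0 allow udp from 192.168.0.2 to any dst-port 53 keep-state
01200 0 0 allow udp from 192.168.0.2 to any dst-port 123 keep-state
65535 0 0 deny ip from any to any
"""


def parse_rule(line):
    """Parse one 'ipfw -a list' line into a dict (only the keywords used above)."""
    tokens = line.split()
    rule = {"num": int(tokens[0]), "action": tokens[3], "proto": tokens[4],
            "src": "any", "dst": "any", "via": None, "dst_port": None,
            "setup": False, "established": False, "frag": False}
    body = tokens[5:]  # skip number and the two counter columns, then action/proto
    i = 0
    while i < len(body):
        word = body[i]
        if word in ("from", "to", "via", "dst-port"):
            key = {"from": "src", "to": "dst", "via": "via", "dst-port": "dst_port"}[word]
            rule[key] = int(body[i + 1]) if word == "dst-port" else body[i + 1]
            i += 2
        elif word in ("setup", "established", "frag"):
            rule[word] = True
            i += 1
        elif word == "keep-state":
            i += 1  # dynamic state not modelled; the rule still matches statically
        else:
            raise ValueError(f"unsupported keyword {word!r} in rule {rule['num']}")
    return rule


def parse_ruleset(text):
    return sorted((parse_rule(l) for l in text.strip().splitlines()), key=lambda r: r["num"])


def addr_matches(spec, address):
    # "any" matches everything; a bare host like 192.168.0.2 becomes a /32 network.
    return spec == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["via"] is not None and rule["via"] != pkt["iface"]:
        return False
    if not addr_matches(rule["src"], pkt["src"]) or not addr_matches(rule["dst"], pkt["dst"]):
        return False
    if rule["dst_port"] is not None and rule["dst_port"] != pkt.get("dport"):
        return False
    # ipfw semantics: 'setup' is SYN without ACK (a new connection),
    # 'established' is ACK or RST set, 'frag' is a non-first fragment.
    if rule["setup"] and not (pkt.get("syn") and not pkt.get("ack")):
        return False
    if rule["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False
    if rule["frag"] and not pkt.get("frag"):
        return False
    return True


def evaluate(rules, pkt):
    """Return (rule number, action) of the first rule that matches the packet."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("no rule matched; a real ruleset always ends with 65535")


RULES = parse_ruleset(RULES_TEXT)

if __name__ == "__main__":
    # Constructed sample packets: LAN traffic on rl0, ppp traffic on tun0 with a
    # hypothetical link address 203.0.113.5 (documentation range, not from the mail).
    scenarios = {
        "LAN ssh from this host":        {"proto": "tcp", "src": "192.168.0.2", "dst": "192.168.0.3", "dport": 22, "iface": "rl0", "syn": True, "ack": False},
        "ppp http out":                  {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.7", "dport": 80, "iface": "tun0", "syn": True, "ack": False},
        "ppp DNS query out":             {"proto": "udp", "src": "203.0.113.5", "dst": "198.51.100.9", "dport": 53, "iface": "tun0"},
        "inbound SMTP to 192.168.0.2":   {"proto": "tcp", "src": "198.51.100.9", "dst": "192.168.0.2", "dport": 25, "iface": "tun0", "syn": True, "ack": False},
    }
    for name, pkt in scenarios.items():
        print(f"{name:32s} -> rule {evaluate(RULES, pkt)}")
```

Running the trace shows the shape of the symptom in the mail: rules 400, 900, 1100 and 1200 only permit traffic whose source is 192.168.0.2, so a SYN or DNS query leaving through the ppp link with that link's own address falls through to 1000 or 65535 and is denied, while LAN traffic and inbound SMTP are allowed. The simulator is deliberately static; real ipfw also consults the dynamic rules created by keep-state, which this toy ignores.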