Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 21 Jun 2005 16:46:40 -0600
From:      RYAN vAN GINNEKEN <luck@computerking.ca>
To:        freebsd-questions@freebsd.org
Subject:   Re: ipf not working correctly???
Message-ID:  <42B898D0.7090804@computerking.ca>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGEEFEHHAA.fbsd_user@a1poweruser.com>
References:  <MIEPLLIBMLEEABPDBIEGEEFEHHAA.fbsd_user@a1poweruser.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Ok thank you for your reply I have followed the newest handbook to the 
letter did you read my email?? which part is incorrect the ipf stuff is 
comment out of my kernel and also turned off in rc.conf.    I have had 
to re enable ipfw in the kernel to get  natd and my server to work 
properly again.  If i remove firewall and ipdivert options my server 
will no longer route packages to my LAN.  I will recompile my kernel one 
more time with no firewall option at all and comment out all the natd 
and ipfw lines from rc.conf just to humor you and because i am desperate 
for this to work.  Note i have already tried this but will try again.

also you  can have both enabled  however i do only want  ipf  for now. 

fbsd_user wrote:

>Your first problem is you have ipfw and ipf both turned on in kernel
>and rc.conf.
>You can only have one firewall on at a time.
>Remove all "firewall" and ipf statements from the kernel and
>recompile or just use the generic kernel. Then remove all "firewall"
>and "natd' statements from rc.conf.
>
>Then go back and read the FreeBSD handbook section on firewalls it's
>been updated to give detailed instructions on what to do. Follow
>then to the letter and you will be all set.
>
>
>-----Original Message-----
>From: owner-freebsd-questions@freebsd.org
>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of RYAN vAN
>GINNEKEN
>Sent: Tuesday, June 21, 2005 3:58 PM
>To: freebsd-questions@freebsd.org
>Subject: ipf not working correctly???
>
>
>Hello all i use FreeBSD stable 4.11 and wish to use built in ipf
>version
>3.x something.i have been using ipfw with type set to open however i
>have recently been attacked and need to beef up security.
>
>
>
>I have followed the basic setup that is in the freebsd handbook and
>read
>through the world famous ipf howto lots of times.
>
>
>
>Currently I have the below options compiled into my kernel the docs
>I
>have read say you do not need to compile ipfilter options into the
>kernel to use it.  I was going to uncomment the ipfilter stuff and
>comment out the ipfirewall options when I got ipfilter working.  Is
>it
>necessary to recompile the kernel without ipfirewall options to make
>ipfilter work.
>
>
>
>Kernel OPTIONS========================
>
>
>
>options         IPFIREWALL
>
>options         IPFIREWALL_VERBOSE
>
>options         IPFIREWALL_VERBOSE_LIMIT=100
>
>options         IPDIVERT
>
>
>
>#options                IPFILTER
>
>#options                IPFILTER_LOG
>
>#options                IPFILTER_DEFAULT_BLOCK
>
>
>
>IN MY /etc/rc.conf==========================
>
>#IPF & IPNAT
>
>ipfilter_enable="YES"             # Start ipf firewall
>
>#ipfilter_rules="/etc/ipf.rules"   # loads rules definition text
>file
>
>ipfilter_rules="/etc/ipfopen.rules"
>
>
>
>ipmon_enable="YES"                # Start IP monitor log
>
>ipmon_flags="-Ds"                 # D = start as daemon, s = log to
>syslog, v =
>
>
>
>ipnat_enable="YES"                # Start ipnat function
>
>ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat
>
>
>
>AS WELL AS THIS TO TURN OF IPFILTER AND NATD
>
>
>
>#IPFW & NATD
>
>firewall_enable="NO
>
>firewall_type="OPEN"
>
>firewall_quiet="NO"
>
>#firewall_scrYESt="/etc/rc.firewall"
>
>
>
>natd_enable="NO
>
>natd_interface="xl0"
>
>natd_flags="-f /etc/natd.conf"
>
>HERE IS
>/etc/ipnat.rules=============================================
>
># the rule that forwards everthing
>
>map xl0 192.168.0.0/16 -> 0/32
>
>#VNC HOSTS
>#HOST 1
>#java
>rdr xl0 0/32 port 5801 -> 192.168.0.1 port 5801
>#no java
>rdr xl0 0/32 port 5901 -> 192.168.0.1 port 5901
>
>#HOST 2
>#java
>rdr xl0 0/32 port 5802 -> 192.168.0.1 port 5802
>#no java
>rdr xl0 0/32 port 5902 -> 192.168.0.1 port 5902
>
>===============================================================
>
>PLEASE FIND MY ipf.rules ATTACHED TO this email I have even tried to
>use
>the following rules set to see if I could get ipf to work as an open
>firewall but it still seems to block to much.
>
>===============================================================
>
>pass out quick on lo0 all
>
>pass in quick on lo0 all
>
>
>
>pass out quick on xl1 all
>
>pass in quick on xl1 all
>
>
>
>pass out quick on xl0 all
>
>pass in quick on xl0 all
>
>
>when I ping google.ca I get errors about unknown hostname.  When I
>ping
>googles ipaddress I get permission denied over and over again.  When
>I
>try to use lynx I get alert destination host unreachable.  Seems
>like
>dns?? When I turn off ipf and use ipfw set to open everything works
>fine
>again.  Please someone help what is going wrong.  ipmon/ipfstat do
>not
>seem to help but mabey i need some guidance with these tools.
>
>
>
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>  
>




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42B898D0.7090804>