From owner-freebsd-net Sun Aug 20 14:22:14 2000
Delivered-To: freebsd-net@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54])
	by hub.freebsd.org (Postfix) with ESMTP id 7236937B422
	for ; Sun, 20 Aug 2000 14:22:12 -0700 (PDT)
Received: from localhost (todd@localhost)
	by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id OAA31656;
	Sun, 20 Aug 2000 14:22:08 -0700 (PDT)
	(envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Sun, 20 Aug 2000 14:22:08 -0700 (PDT)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: Dan Debertin
Cc: freebsd-net@freebsd.org
Subject: Re: Routing firewall w/ipfw questions
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 20 Aug 2000, Dan Debertin wrote:

> On Sat, 19 Aug 2000, Todd Backman wrote:
>
> > established connection) but no access from the outside could be
> > established even after adding as the last rulesets:
> >
> > allow ip from any to any
>
> If you are inserting this rule onto the end of your ruleset, you're still
> going through all of your other rules before getting to this one.

Yes, that hit me when I was on my way into town on the bus today. Amazing
what state of mental clarity I obtain while having 15 diff conversations
going on around me... ;^) (and without having 10 people calling me asking
when the net is going to be back up after an outage notice had been
posted)

> Given that we're just trying to get the routing working, you're better
> off turning off firewalling completely with:
>
> sysctl -w net.inet.ip.fw.enable=0
>
> Once we get routing working from inside out, and from outside in, we can
> throw ipfw back into the mix.

Cool. Will do. Thanks for the guidance. And I must say that sysctl rocks!
>
> If that doesn't work, perhaps an ASCII drawing of your network, with the
> relevant addresses (converted into made-up ones, of course), etc., would
> be helpful.
>
>
> ~Dan D.
> --
>
> ++ Dan Debertin
> ++ Senior Systems Administrator
> ++ Bitstream Underground, LLC
> ++ airboss@bitstream.net
> ++ (612)321-9290
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
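
The rule-ordering point from the quoted reply, as an added example that is not part of the original thread: ipfw checks rules in ascending rule-number order and the first matching allow or deny ends the search, so a catch-all allow appended last never sees packets that an earlier rule already denied. The ruleset is constructed for illustration (documentation addresses), and `first_match` and `with_early_allow` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: which rule decides a packet under ipfw's first-match order.
# RULESET is constructed (documentation addresses), in `ipfw list` format;
# it is not the ruleset from the thread.
RULESET='01000 allow tcp from 192.0.2.0/24 to any
02000 deny ip from any to 192.0.2.0/24
02100 allow ip from any to any
65535 deny ip from any to any'

# first_match PROTO SRC DST  (hypothetical helper; ruleset on stdin)
# Prints "NUMBER ACTION" of the first rule matching the packet.
# Handles only "NUM ACTION PROTO from ADDR to ADDR"; no ports, interfaces or state.
first_match() {
    awk -v proto="$1" -v src="$2" -v dst="$3" '
    function ip2int(a,   o) {
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_net(addr, spec,   p, size) {
        if (spec == "any") return 1
        if (split(spec, p, "/") < 2) p[2] = 32      # bare host address
        size = 2 ^ (32 - p[2])
        return int(ip2int(addr) / size) == int(ip2int(p[1]) / size)
    }
    $4 == "from" && $6 == "to" && ($3 == "ip" || $3 == proto) &&
    in_net(src, $5) && in_net(dst, $7) { print $1, $2; exit }'
}

# with_early_allow: the same ruleset with the catch-all allow at a low number.
with_early_allow() {
    printf '00500 allow ip from any to any\n%s\n' "$RULESET"
}

echo "outside -> inside, allow appended last:  $(printf '%s\n' "$RULESET" | first_match tcp 198.51.100.7 192.0.2.10)"
echo "outside -> inside, allow numbered first: $(with_early_allow | first_match tcp 198.51.100.7 192.0.2.10)"
```

On a live host the same input would come from `ipfw list`; the helper ignores everything after the destination address, so it is only a first approximation for rules that carry ports or interface clauses.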