From owner-freebsd-questions Wed Jan 5 11:18:54 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail11.jump.net (mail11.jump.net [207.8.124.20]) by hub.freebsd.org (Postfix) with ESMTP id 9BF5B14CA5 for ; Wed, 5 Jan 2000 11:18:50 -0800 (PST) (envelope-from kweiss@jump.net)
Received: from enigma (ghost.animeniac.com [216.30.96.14]) by mail11.jump.net (8.9.0/) with SMTP id NAA00447; Wed, 5 Jan 2000 13:18:36 -0600 (CST)
Message-Id: <4.1.20000105131943.00927dc0@pop.jump.net>
X-Sender: kweiss@pop.jump.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 05 Jan 2000 13:20:09 -0600
To: -DAL-
From: Kevin Weiss
Subject: Re: ping and "simple" firewall conflict with internal IP's
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20000105082658.A3375@cbl-dylanal.hs.earthlink.net>
References: <4.1.20000104192010.00929100@pop.jump.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thanks, that did it.

At 08:26 AM 1/5/00 -0800, you wrote:
>On Tue, Jan 04, 2000 at 07:30:51PM -0600, Kevin Weiss wrote:
>> I just added the following ipfw command to my "simple" firewall:
>> $fwcmd add pass icmp from any to any
>>
>> I can't ping out until I comment out:
>> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>>
>> My internal hosts are using the 192.168.x.x addresses, but is there
>> a way to allow the ping command while denying any external hosts
>> with the 192.168.x.x addresses?
>>
>> Thanks in advance,
>>
>> Kevin Weiss
>> kweiss@jump.net
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message
>
>Kevin, when you added the:
>
>> $fwcmd add pass icmp from any to any
>
>command, did you add it before the deny commands? The code will go
>through the rule list until it finds the first match, so if the deny
>lines come before the icmp pass command, it will match the deny line
>first and never get to the icmp pass command. The solution: just ensure
>the icmp command comes first, so the icmp packets will match the icmp
>line and get passed through and never see the deny lines.
>
>It might help if you sent us the output of ipfw list.
>
> HTH -DAL-
>
>--
>-DAL-
>dylanal@NOSPAMearthlink.net
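To make the first-match point in DAL's reply concrete, here is an added example (mine, not from the thread or from FreeBSD's rc.firewall): a small Python simulator of ipfw's first-match evaluation, run over both rule orders discussed above, for just the subset of ipfw syntax the messages use. The outside interface name ed0, the sample addresses and the default-deny fallthrough for unmatched packets are assumptions; the page only calls the interface ${oif}.

```python
"""Simulate ipfw first-match evaluation for the rule subset used in the thread.

Added example, not the thread's or FreeBSD's code. Interface "ed0" and the
sample traffic below are assumptions; ${oif} on the page is whatever the
outside interface really is.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    proto: str   # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    iface: str   # interface the packet crosses; ipfw's "via" matches either direction


@dataclass
class Rule:
    action: str                   # "pass" or "deny"
    proto: str                    # "all", "ip", or a protocol name
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str]            # None means any interface


def parse_addr(tok: str) -> ipaddress.IPv4Network:
    """Accept 'any', CIDR, or the addr:mask form used on the page."""
    if tok == "any":
        return ANY
    if ":" in tok:
        addr, mask = tok.split(":", 1)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'add [num] pass|deny <proto> from <src> to <dst> [via <iface>]'."""
    toks = line.split()
    if toks and toks[0] == "add":
        toks = toks[1:]
    if toks and toks[0].isdigit():       # optional explicit rule number
        toks = toks[1:]
    if len(toks) < 6 or toks[2] != "from" or toks[4] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action, proto = toks[0], toks[1]
    if action not in ("pass", "allow", "accept", "deny", "drop"):
        raise ValueError(f"unsupported action: {action}")
    action = "pass" if action in ("pass", "allow", "accept") else "deny"
    via = None
    rest = toks[6:]
    if rest:
        if len(rest) != 2 or rest[0] != "via":
            raise ValueError(f"unsupported option: {' '.join(rest)}")
        via = rest[1]
    return Rule(action, proto, parse_addr(toks[3]), parse_addr(toks[5]), via)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("all", "ip") and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.via is None or rule.via == pkt.iface


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list in order; the first matching rule decides.

    Returns (action, index). With no match the packet falls through to the
    implicit last rule, which is deny on a default-deny kernel (assumed).
    """
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


OIF = "ed0"   # assumed outside interface; the page calls it ${oif}

ANTI_SPOOF = [
    f"add deny all from 192.168.0.0:255.255.0.0 to any via {OIF}",
    f"add deny all from any to 192.168.0.0:255.255.0.0 via {OIF}",
]
PASS_ICMP = ["add pass icmp from any to any"]

# Kevin's first attempt: the pass rule appended after the deny rules.
ORIGINAL = [parse_rule(r) for r in ANTI_SPOOF + PASS_ICMP]
# DAL's fix: the pass rule placed ahead of the deny rules.
REORDERED = [parse_rule(r) for r in PASS_ICMP + ANTI_SPOOF]

# Constructed sample traffic (addresses are made up for the example).
PING_OUT = Packet("icmp", "192.168.1.10", "10.0.0.1", OIF)      # inside host pinging out, private source still on ${oif}
SPOOFED_ICMP = Packet("icmp", "192.168.5.5", "10.0.0.2", OIF)   # ICMP from outside claiming a private source
SPOOFED_TCP = Packet("tcp", "192.168.5.5", "10.0.0.2", OIF)     # same spoof, non-ICMP
NO_MATCH = Packet("tcp", "10.1.1.1", "10.2.2.2", "ed1")          # matches nothing: implicit default applies

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        for label, pkt in (("ping out", PING_OUT), ("spoofed icmp", SPOOFED_ICMP),
                           ("spoofed tcp", SPOOFED_TCP), ("no match", NO_MATCH)):
            action, idx = evaluate(rules, pkt)
            print(f"{name:9} {label:12} -> {action} (rule {idx})")
```

Running it shows why the reorder fixes the ping: with the original order the outbound echo hits the first deny rule and never reaches the pass rule; with the pass rule first it matches immediately. It also shows the cost: because `pass icmp from any to any` now sits ahead of the anti-spoofing rules, ICMP arriving on the outside interface with a 192.168.x.x source passes too, and only non-ICMP traffic still reaches the deny rules. That is the trade-off Kevin's original question was asking about, and whether it is acceptable depends on what the anti-spoofing rules are meant to protect.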