From owner-freebsd-questions@FreeBSD.ORG Wed Jul 2 09:24:07 2003
Date: Wed, 2 Jul 2003 11:35:42 -0500 (CDT)
From: Jamie
To: "Kevin Kinsey, DaleCo, S.P."
cc: freebsd-questions@freebsd.org
Subject: Re: setting up ipfw
In-Reply-To: <03e401c3403b$959b58e0$1b41d5cc@nitanjared>
Message-ID: <20030702113331.W7723-100000@floyd.gnulife.org>

On Tue, 1 Jul 2003, Kevin Kinsey, DaleCo, S.P. wrote:

> CORRECTION:
>
> That last rule I quoted is actually:
>
> 00050 allow tcp from any to my.ip.ad.res 22 setup
>                                          ^^
> Makes it work much better for SSH...
>

Well, I finally met with success this morning. The box is up to the point
where I can start playing around with rulesets. I was able to get things
rolling with the config Kevin sent, but I had to add a couple of udp entries
for port 53 like David suggested, as ssh has to resolve the IP before it
allows connections to port 22.

Thanks for the help.

- Jamie

> ----- Original Message -----
> From: "Kevin Kinsey, DaleCo, S.P."
> To: "Jamie" ;
> Sent: Tuesday, July 01, 2003 8:29 PM
> Subject: Re: setting up ipfw
>
>
> > From: "Jamie"
> > To:
> > Sent: Tuesday, July 01, 2003 8:01 PM
> > Subject: setting up ipfw
> >
> >
> > > I am having a very difficult time setting up ipfw on a 4.8
> > > installation. Was wondering if anyone might be able to shed some
> > > light on this.
> > >
> > > I followed the directions in the handbook, and I compiled a new
> > > kernel with these options, ( am going for a deny all by default, open
> > > services as necessary philosophy):
> > >
> > > options IPFIREWALL
> > > options IPFIREWALL_VERBOSE
> > > options IPFIREWALL_VERBOSE_LIMIT=10
> > >
> > > Upon rebooting, I was unable to access the machine from anywhere,
> > > which is fine, because I have console access.
> > >
> > > Output of ifconfig -a looks like this:
> > >
> > > ifconfig -a
> > > fxp0: flags=8843 mtu 1500
> > >         inet 200.88.54.93 netmask 0xffffff00 broadcast 200.88.54.255
> > >         inet6 fe80::203:47ff:fe77:8169%fxp0 prefixlen 64 scopeid 0x1
> > >         ether 00:03:47:77:81:69
> > >         media: Ethernet autoselect (100baseTX )
> > >         status: active
> > > lp0: flags=8810 mtu 1500
> > > lo0: flags=8049 mtu 16384
> > >         inet6 ::1 prefixlen 128
> > >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> > >         inet 127.0.0.1 netmask 0xff000000
> > > ppp0: flags=8010 mtu 1500
> > > sl0: flags=c010 mtu 552
> > > faith0: flags=8002 mtu 1500
> > >
> > > the name of the machine is power.bar.com
> > >
> > >
> > > I want to ssh in from another machine: foo.bar.com with IP address
> > > 200.88.34.12.
> > >
> > >
> > > This is the rule I am adding:
> > >
> > >
> > > ipfw add allow tcp from 200.88.34.12 to power.bar.com 22
> > >
> > >
> > > It tells me it can't resolve power.bar.com!
> > >
> > > So, I try:
> > >
> > > ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22
> > >
> > > It accepts the rule, but I still cannot connect from foo.bar.com.
> > >
> > > Anyone have any ideas?
> >
> > Are you allowing ip OUT from 200.88.54.93?
> >
> > Please post output of "ipfw show" (not that it's
> > not implicit, I guess...) and describe your network
> > topography.
> >
> > FWIW, here's my top few rules:
> >
> > 00010 allow ip from my.ip.ad.dres to any out
> > 00020 deny log logamount 20 ip from any to any out
> > 00030 allow tcp from any to any established
> > 00040 allow ip from any to any frag
> > 00050 allow tcp from any to my.ip.ad.res setup
> >
> > Kevin Kinsey
> > DaleCo, S.P.
> >
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
>
>
> "A friend is someone who lets you have total freedom to be yourself."
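Added example, not part of the thread and not FreeBSD's own ipfw code: a first-match evaluator for the small subset of ipfw rule syntax Kevin posted, run over the packets a deny-by-default host sees when foo.bar.com opens an SSH session and sshd looks up the client address first. It shows why Kevin's five rules alone let the SSH SYN in (rule 50) and the DNS query out (rule 10) but drop the DNS reply at the implicit default rule, and why Jamie's extra UDP port 53 entries fix that. The resolver address, the ephemeral ports and the exact text of the two UDP rules are constructed for the example; `my.ip.ad.res` is filled in with 200.88.54.93 from Jamie's ifconfig output.

```python
"""First-match evaluator for a subset of ipfw(8) rule syntax (illustrative only)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MY_IP = "200.88.54.93"        # power.bar.com, the firewall host in the thread
CLIENT_IP = "200.88.34.12"    # foo.bar.com, the SSH client in the thread
RESOLVER_IP = "203.0.113.53"  # constructed: the host's DNS resolver (documentation range)
DEFAULT_RULE = 65535          # kernel default without IPFIREWALL_DEFAULT_TO_ACCEPT: deny


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out", relative to the firewall host
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag
    frag: bool = False  # non-first IP fragment


@dataclass
class Rule:
    num: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    opts: frozenset

# number action [log [logamount N]] proto from src [port] to dst [port] [options]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)(?:\s+log(?:\s+logamount\s+\d+)?)?\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?(?P<opts>(?:\s+\S+)*)\s*$")
KNOWN_OPTS = {"in", "out", "setup", "established", "frag"}


def parse_rules(lines: List[str]) -> List[Rule]:
    """Parse 'ipfw show'-style lines and sort by number, the kernel's evaluation order."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        opts = frozenset(m.group("opts").split())
        if opts - KNOWN_OPTS:
            raise ValueError(f"unsupported option(s) {sorted(opts - KNOWN_OPTS)} in {line!r}")
        rules.append(Rule(int(m.group("num")), m.group("action"), m.group("proto"),
                          m.group("src"), int(m.group("sport")) if m.group("sport") else None,
                          m.group("dst"), int(m.group("dport")) if m.group("dport") else None,
                          opts))
    return sorted(rules, key=lambda r: r.num)


def _match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if ("in" in rule.opts and pkt.direction != "in") or ("out" in rule.opts and pkt.direction != "out"):
        return False
    if "frag" in rule.opts and not pkt.frag:
        return False
    # ipfw: 'setup' is a TCP packet with SYN and no ACK; 'established' has ACK (or RST) set
    if "setup" in rule.opts and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if "established" in rule.opts and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first match, else the implicit default rule."""
    for rule in rules:
        if _match(rule, pkt):
            return rule.num, rule.action
    return DEFAULT_RULE, "deny"

# Kevin's rules from the thread, with my.ip.ad.res filled in
KEVIN_RULES = [
    "00010 allow ip from 200.88.54.93 to any out",
    "00020 deny log logamount 20 ip from any to any out",
    "00030 allow tcp from any to any established",
    "00040 allow ip from any to any frag",
    "00050 allow tcp from any to 200.88.54.93 22 setup",
]
# Constructed stand-ins for the "couple of udp entries for port 53" Jamie added
DNS_RULES = [
    "00045 allow udp from 200.88.54.93 to any 53 out",
    "00046 allow udp from any 53 to 200.88.54.93 in",
]


def ssh_login_packets() -> dict:
    """Packets seen when foo.bar.com connects and sshd looks up the client first (ports constructed)."""
    return {
        "ssh_syn": Packet("tcp", CLIENT_IP, 40123, MY_IP, 22, "in", syn=True),
        "dns_query": Packet("udp", MY_IP, 51234, RESOLVER_IP, 53, "out"),
        "dns_reply": Packet("udp", RESOLVER_IP, 53, MY_IP, 51234, "in"),
        "ssh_synack": Packet("tcp", MY_IP, 22, CLIENT_IP, 40123, "out", syn=True, ack=True),
        "ssh_data": Packet("tcp", CLIENT_IP, 40123, MY_IP, 22, "in", ack=True),
    }


def verdicts(rule_lines: List[str]) -> dict:
    """Map each packet name to the (rule, action) that decides it under the given rule set."""
    rules = parse_rules(rule_lines)
    return {name: evaluate(rules, pkt) for name, pkt in ssh_login_packets().items()}


if __name__ == "__main__":
    for label, lines in (("Kevin's rules", KEVIN_RULES), ("with UDP/53 rules", KEVIN_RULES + DNS_RULES)):
        print(label)
        for name, (num, action) in verdicts(lines).items():
            print(f"  {name:<11} -> rule {num:5d} {action}")
```

Run stand-alone, the first table shows `dns_reply` landing on rule 65535 deny while everything else is allowed, which is exactly the symptom in the thread: the TCP handshake is permitted, but sshd waits on a lookup whose answer never arrives. The second table shows the reply accepted by the constructed rule 46. Rule 45 is redundant here because Kevin's rule 10 already passes all outbound traffic from the host; the inbound reply rule is the one that matters on a deny-by-default kernel.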