From owner-freebsd-questions Wed Nov 27 10:42:43 2002
Date: Wed, 27 Nov 2002 20:41:18 +0200
From: Dancho Penev
To: Phierce
Cc: freebsd-questions@FreeBSD.org
Subject: Re: IPFW Help
Message-ID: <20021127184118.GA240@earth.dpsca.bg>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-questions@FreeBSD.ORG

On Mon, Nov 25, 2002 at 08:57:15PM -0500, Phierce wrote:
>From: "Phierce"
>Subject: IPFW Help
>Date: Mon, 25 Nov 2002 20:57:15 -0500
>
>Hello All,
>
> New to the FreeBSD OS, but learning... having some trouble with IPFW.
>Below is what it looks like. I can sh rc.firewall with no errors, but yet my
>root account is still unable to ping out; I receive "permission denied".
>Wondering if anyone could help me out.

How did you run the script? I suppose you forgot the parameter, and in
rc.conf firewall_type is not set.

# sh /etc/rc.firewall custom

or in /etc/rc.conf

firewall_type="custom"

>
>#
># Suck in the configuration variables.
>if [ -z "${source_rc_confs_defined}" ]; then
>    if [ -r /etc/defaults/rc.conf ]; then
>        . /etc/defaults/rc.conf
>        source_rc_confs
>    elif [ -r /etc/rc.conf ]; then
>        . /etc/rc.conf
>    fi
>fi
>#
>
>if [ -n "${1}" ]; then
>    firewall_type="${1}"
>fi
># Set quiet mode if requested
>#
>case ${firewall_quiet} in
>[Yy][Ee][Ss])
>    fwcmd="/sbin/ipfw -q"
>    ;;
>*)
>    fwcmd="/sbin/ipfw"
>    ;;
>esac
>
>#######################################################
># Flush out the list before we begin.
>#
>${fwcmd} -f flush
>
>case ${firewall_type} in
>[Cc][Uu][Ss][Tt][Oo][Mm])
>    # set these to your network netmask and ip
>    net="192.168.1.1"
>    mask="255.255.255.0"
>    ip="192.168.1.10"
>
># Deny all fragments as bogus packets
>${fwcmd} add 00100 deny log all from any to any frag
>
>#Allow any TCP UDP traffic from my own net.
>${fwcmd} add 00200 allow all from any to any via lo0
>${fwcmd} add 00300 deny log ip from any to 127.0.0.1/8
>
>#We should allow in&out some TCP and udp ports.
>${fwcmd} add 00400 allow tcp from any to any 32000-65535
>${fwcmd} add 00500 allow udp from any to any 32000-65535
>
>#Allow TCP through if setup succeeded
>${fwcmd} add 00600 allow tcp from any to any established
>
>#Allow access to FTPD
>${fwcmd} add 00700 allow tcp from any to ${ip} 21
>${fwcmd} add 00800 allow tcp from any 20 to any 1024-49151 out
>
>#Allow access to OPENSSH
>${fwcmd} add 00900 allow tcp from any to ${ip} 22
>
>#Allow access to SENDMAIL
>${fwcmd} add 01000 allow tcp from any to any 25
>
>#Allow access to BIND
>${fwcmd} add 01100 allow udp from ${ip} to any
>${fwcmd} add 01200 allow udp from any to ${ip}
>
>#Allow access to FINGER
>${fwcmd} add 01300 allow tcp from any to any 79
>
>#Allow access to HTTP
>${fwcmd} add 01400 allow tcp from any to any 80
>
>#Allow access to POP3
>${fwcmd} add 01500 allow tcp from any to any 110
>
>#Allow access to IDENT
>${fwcmd} add 01600 allow tcp from any to any 113
>${fwcmd} add 01700 allow udp from any to any 113
>
>#Allow access to IMAP
>${fwcmd} add 01800 allow tcp from any to any 143
>
>#Allow access to HTTPS
>${fwcmd} add 01900 allow tcp from any to any 443
>
>#Allow access to SUBMISSION
>${fwcmd} add 02000 allow udp from any to any 512
>${fwcmd} add 02100 allow udp from any to any 520
>
>#Allow access to IRC
>${fwcmd} add 02200 allow tcp from any to any 6667
>${fwcmd} add 02300 allow tcp from any to any 6668
>${fwcmd} add 02400 allow tcp from any to any 6669
>
>#Extended account access
>${fwcmd} add 02500 allow all from any to any uid USERNAME
>${fwcmd} add 02600 allow icmp from any to any uid USERNAME
>${fwcmd} add 02700 allow tcp from any to any uid USERNAME
>${fwcmd} add 02800 allow icmp from any to any uid USERNAME
>
>#root access non-restrictive
>${fwcmd} add 02900 allow all from any to any uid root
>${fwcmd} add 03000 allow icmp from any to any uid root
>
>#lastly we deny everything by default here as well as in the kernel.
>${fwcmd} add 03100 deny log all from any to any
>
>    ;;
>esac
>
>
>Thanks
>
>-Zack
>---
>Outgoing mail is certified Virus Free.
>Checked by AVG anti-virus system (http://www.grisoft.com).
>Version: 6.0.419 / Virus Database: 235 - Release Date: 11/13/2002

-- 
Regards,
D. Penev

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
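As an added illustration of the dispatch Dancho points at (not code from either poster or from FreeBSD's rc.firewall itself): a POSIX sh dry run of the script's type selection, with /sbin/ipfw replaced by a shell function that only counts rules. The rc.conf stand-in (second argument) and the four-rule subset of the quoted ruleset are constructed for the demonstration.

```shell
# Dry run of the rc.firewall dispatch quoted above: /sbin/ipfw is replaced
# by a shell function that counts "add" commands instead of loading them,
# so this runs on any POSIX sh without root or ipfw.

NRULES=0

ipfw() {
    # Stand-in for /sbin/ipfw: "-f flush" empties the list, "add" records a rule.
    case "$1" in
        -f)  NRULES=0 ;;
        add) NRULES=$((NRULES + 1)) ;;
    esac
}

# $1 is the argument given to "sh /etc/rc.firewall"; $2 stands in for the
# firewall_type value from rc.conf (empty when the line is absent). Only the
# CUSTOM branch is reproduced, with a constructed four-rule subset.
load_rules() {
    firewall_type="$2"
    if [ -n "$1" ]; then
        firewall_type="$1"
    fi
    fwcmd=ipfw
    ${fwcmd} -f flush
    case ${firewall_type} in
    [Cc][Uu][Ss][Tt][Oo][Mm])
        ${fwcmd} add 00100 deny log all from any to any frag
        ${fwcmd} add 00200 allow all from any to any via lo0
        ${fwcmd} add 02900 allow all from any to any uid root
        ${fwcmd} add 03100 deny log all from any to any
        ;;
    esac
    # No matching branch: nothing after the flush runs, the list stays empty
    # and the kernel's compiled-in default policy alone decides every packet.
}

# Number of rules a given invocation leaves loaded.
rule_count() {
    load_rules "$1" "$2"
    echo "$NRULES"
}

# "no rules" when the script fell through, "ruleset loaded" otherwise.
outcome() {
    if [ "$(rule_count "$1" "$2")" -eq 0 ]; then echo "no rules"; else echo "ruleset loaded"; fi
}

outcome ""       ""          # sh /etc/rc.firewall, firewall_type unset
outcome "custom" ""          # sh /etc/rc.firewall custom
outcome ""       "CUSTOM"    # firewall_type="CUSTOM" in rc.conf
```

With neither the argument nor the rc.conf setting present, the first call ends with an empty list, which on a kernel built with a default-deny policy (the quoted script's own closing comment) blocks root's ping exactly as reported.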