From owner-freebsd-questions@FreeBSD.ORG Tue Feb 15 12:18:11 2005
Message-ID: <1108469888.4211e880197ca@mail.online.ie>
Date: Tue, 15 Feb 2005 13:18:08 +0100
From: Hiram Abiff
To: freebsd-questions@freebsd.org
Subject: Operation: "ipfw on a gateway box"
List-Id: User questions

I followed your advice and rewrote my firewall rules. Although, even now, there are some major difficulties. I still can't access the net from my 2 other computers via my FreeBSD firewalled gateway.
Although I set it up to allow traffic on ports 21, 22, 53, 8080, I can only telnet to port 21; all the others report a "connection refused" error. I can ping the FreeBSD box, but I cannot ping any outside IP addresses from the FreeBSD box or the other boxes on my home LAN. Also, when FreeBSD is booting I caught some error messages that said unknown command "setup" for some of my firewall rules. I'm getting desperate; please assist me in any way possible.

Here's my fwrules file:

> fwcmd="/sbin/ipfw"
>
> #Outside interface
> oif="tun0"
>
> #Inside interface
> iif="rl0"
>
> # Force a flushing of the current rules before reload
> $fwcmd -f flush
>
> #Check the state of all packets
> $fwcmd add check-state
>
> #Divert all packets through the tunnel interface.
> $fwcmd add divert natd ip from any to any via $oif
>
> # Allow all data from my network card and localhost
> $fwcmd add allow all from any to any via lo0
> $fwcmd add allow ip from any to any via $iif
>
> # Allow all connections that I initiate
> $fwcmd add allow tcp from any to any out xmit $oif setup
>
> # Once connections are made, allow them to stay open
> $fwcmd add allow tcp from any to any via $oif established
>
> # Everyone on the internet is allowed to connect
> $fwcmd add allow tcp from any to any 22 setup
> $fwcmd add allow tcp from any to any 21 setup
> $fwcmd add allow tcp from any to any 8080 setup
> $fwcmd add allow tcp from any to any 53 setup
> $fwcmd add allow tcp from any to any 4662 setup
> $fwcmd add allow udp from any to any 4672 setup
>
> # This sends a RESET to all ident packets
> $fwcmd add reset log tcp from any to any 113 in recv $oif
>
> # Allow outgoing DNS queries ONLY to the specified servers
> $fwcmd add allow udp from any to 161.53.114.135 53 out xmit tun0
> $fwcmd add allow udp from any to 161.53.114.145 53 out xmit tun0
>
> # Allow them back in with the answers
> $fwcmd add allow udp from 161.53.114.135 53 to any in recv $oif
> $fwcmd add allow udp from 161.53.114.145 53 to any in recv $oif
>
> # Allow ICMP
> $fwcmd add 65435 allow icmp from any to any
>
> # Deny all the rest.
> #$fwcmd add 65435 deny log ip from any to any

--
"It was as though a veil had been rent. I saw on that ivory face the expression of sombre pride, of ruthless power, of craven terror -- of an intense and hopeless despair. Did he live his life again in every detail of desire, temptation, and surrender during that supreme moment of complete knowledge?"
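As an added example (not the poster's fwrules file), here is the same gateway ruleset with the two defects visible in the quoted rules addressed: `setup` is a TCP-only ipfw option, so the `udp ... 4672 setup` line is the rule that carries it on a non-TCP protocol and matches the "unknown command setup" boot message, and the final deny-all rule is enabled rather than commented out. The interface names, ports and DNS server addresses are taken from the post; `check_rules` dry-runs the set by substituting `echo` for `ipfw`, which is an assumption of this example rather than an ipfw feature.

```shell
#!/bin/sh
# Stateful ipfw gateway rules (added example; interfaces and ports as in the post).
# load_rules takes the ipfw command as its optional argument so the set can be
# dry-run with "load_rules echo" instead of loaded into the kernel.
oif="tun0"   # outside (PPP) interface
iif="rl0"    # inside (LAN) interface

load_rules() {
    fwcmd="${1:-/sbin/ipfw}"
    $fwcmd -f flush
    $fwcmd add check-state
    # NAT for everything crossing the outside interface (natd must be running)
    $fwcmd add divert natd ip from any to any via $oif
    $fwcmd add allow ip from any to any via lo0
    $fwcmd add allow ip from any to any via $iif
    # TCP I initiate: SYN-only ("setup") outbound, then anything established
    $fwcmd add allow tcp from any to any out xmit $oif setup
    $fwcmd add allow tcp from any to any via $oif established
    # Inbound services: "setup" is valid here because these are tcp rules
    for port in 21 22 53 8080 4662; do
        $fwcmd add allow tcp from any to any $port setup
    done
    # UDP has no handshake, so no "setup" (this was the boot-time error)
    $fwcmd add allow udp from any to any 4672
    $fwcmd add reset log tcp from any to any 113 in recv $oif
    # DNS only to/from the two configured resolvers
    for ns in 161.53.114.135 161.53.114.145; do
        $fwcmd add allow udp from any to $ns 53 out xmit $oif
        $fwcmd add allow udp from $ns 53 to any in recv $oif
    done
    $fwcmd add allow icmp from any to any
    # Default deny, now active; unnumbered rules are evaluated in script order
    $fwcmd add deny log ip from any to any
}

# Dry-run check: no non-tcp rule may carry "setup", and the last rule must be
# the logging deny. Returns 0 when both hold.
check_rules() {
    rules=$(load_rules echo)
    if printf '%s\n' "$rules" | grep setup | grep -v 'add allow tcp' | grep -q .; then
        return 1
    fi
    last=$(printf '%s\n' "$rules" | tail -n 1)
    [ "$last" = "add deny log ip from any to any" ]
}
```

Run `load_rules echo` to see the exact rule lines before loading them with `load_rules`.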