Date: Thu, 8 Jun 2000 08:43:32 +0200
From: Marc Silver <marcs@draenor.org>
To: timothyr@timothyr.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Some Network Traffic Not Getting Through Firewall
Message-ID: <20000608084332.J81376@draenor.org>
In-Reply-To: <NBBBKMLFOGDDKEFBFEAFKEMMEPAA.tlrobertson@mindspring.com>; from tlrobertson@mindspring.com on Wed, Jun 07, 2000 at 09:35:03PM -0700
References: <NBBBKMLFOGDDKEFBFEAFKEMMEPAA.tlrobertson@mindspring.com>
Taken from LINT:

# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.

I'm not entirely sure that you can run ipfw correctly with this option in
the kernel.  The only options _you_ (in your specific case) would need
would be:

IPFIREWALL
IPFIREWALL_VERBOSE
IPDIVERT

Then, using your rule base, you should be able to get to those pages.
tcpdump might show you more info though.

Hope this helps...your problem is ...interesting... :)

Oh, and with regards to your terminal question, I think the general
consensus is either to use putty
(http://www.chiark.greenend.org.uk/~sgtatham/putty/) or SecureCRT.

Cheers,
Marc

On Wed, Jun 07, 2000 at 09:35:03PM -0700, Timothy L. Robertson wrote:
> Hello Everyone,
>
> I have just set up a FreeBSD 4.0-RELEASE machine to act as a router/firewall
> between my DSL modem and three Windoze boxes.  I have user ppp connecting to
> Mindspring via PPPoE, with nat doing the address translation to make my one
> dynamic IP address suffice for all four machines.
>
> Things mostly work; I can load most webpages and use most network services
> from the win boxes, but some things don't get through.  I compiled my kernel
> with the IPFIREWALL_DEFAULT_TO_ACCEPT option and my rc.firewall is just
>
> /sbin/ipfw -f flush
> #/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1
> /sbin/ipfw add divert natd all from any to any via tun0
> /sbin/ipfw add pass all from any to any
>
> so I don't expect it to be blocking any traffic.
> Yet when I try to load a page like http://us.f22.mail.yahoo.com I'm left
> with a gray screen that never loads any data, or if I go to
> http://www.citibank.com I get 4 "Transfer interrupted!" messages.  I've
> verified that I can ping to the addresses from behind the firewall, and
> that everything works fine, i.e. I can load the pages, from the firewall
> machine, and have no idea what makes these pages fail.
>
> A few other random bits of information which might clue in someone more
> knowledgeable:
> *The windows machines can pop3 mail over from a certain mail server, but
> cannot send mail out to it via SMTP.  Other mail servers work fine.
> *Many web pages hang the first time I try to access them.  The host is
> resolved, and then it keeps "waiting for reply."  The second time I try to
> access them they come right up.
> *I get the same behavior from WinNT and Win98.
>
> If any one knows what is going on or can suggest how to figure out where the
> problem is I would appreciate the help.  At this point I don't even know if
> it is a BSD or Microsoft issue.  I suspect I have to install a packet
> sniffer to figure out what is happening to the datagrams, but have never
> done this before.  A few files are attached below in case they might be
> helpful.
>
> Thanks,
> -Tim
> timothyr@timothyr.net
>
> P.S. Anyone know a decent telnet/terminal for WinNT?
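The reply above lists the kernel options a natd/ipfw router needs (IPFIREWALL, IPFIREWALL_VERBOSE, IPDIVERT) and quotes LINT's warning that IPFIREWALL_DEFAULT_TO_ACCEPT makes the box fail open. The script below is an added example, not code from either poster or from FreeBSD: it audits a kernel config file for those options, flags the fail-open one, and emits the same three-rule rc.firewall the question posts, with rule numbers added and the loopback rule scoped to lo0. The config path in the usage comment and the sample config in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a FreeBSD kernel config for the ipfw/natd options
# named in the reply, then generate the minimal rc.firewall from the thread.

# Options the reply says a user-ppp + natd router actually needs.
REQUIRED_OPTS="IPFIREWALL IPFIREWALL_VERBOSE IPDIVERT"

# check_kernel_config CONFIG
# Returns 0 if every required "options FOO" line is present, 1 otherwise
# (missing names are written to stderr). The trailing ([[:space:]]|$)
# keeps IPFIREWALL from matching IPFIREWALL_VERBOSE.
check_kernel_config() {
    cfg="$1"
    missing=""
    for opt in $REQUIRED_OPTS; do
        grep -Eq "^[[:space:]]*options[[:space:]]+${opt}([[:space:]]|$)" "$cfg" \
            || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "missing kernel options:$missing" >&2
        return 1
    fi
    return 0
}

# fails_open CONFIG
# Returns 0 if IPFIREWALL_DEFAULT_TO_ACCEPT is compiled in, i.e. the
# default rule passes everything whenever the rule set fails to load
# (the LINT caveat quoted in the reply).
fails_open() {
    grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT([[:space:]]|$)' "$1"
}

# gen_rc_firewall EXTIF
# Prints the rule set from the question with explicit rule numbers.
# EXTIF is the external (PPPoE) interface, tun0 for user ppp; divert has
# to sit before the final pass rule or natd never sees the packets.
gen_rc_firewall() {
    extif="$1"
    cat <<EOF
/sbin/ipfw -f flush
/sbin/ipfw add 100 pass all from 127.0.0.1 to 127.0.0.1 via lo0
/sbin/ipfw add 200 divert natd all from any to any via ${extif}
/sbin/ipfw add 65000 pass all from any to any
EOF
}

# Usage (paths are assumptions for illustration):
#   sh fwcheck.sh /usr/src/sys/i386/conf/MYKERNEL tun0 > /etc/rc.firewall
if [ "$#" -ge 2 ]; then
    check_kernel_config "$1" || exit 1
    if fails_open "$1"; then
        echo "warning: IPFIREWALL_DEFAULT_TO_ACCEPT set, firewall fails open" >&2
    fi
    gen_rc_firewall "$2"
fi
```

With the rule set loaded, the packet sniffer the question asks about is already on the box: `tcpdump -ni tun0 'tcp port 80'` on the firewall while a Windows client loads one of the failing pages shows whether the request leaves tun0 and what, if anything, comes back.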