From: Francisco Reyes <lists@natserv.com>
Date: Tue, 10 Jul 2001 05:49:54 -0400 (EDT)
To: freebsd-security@freebsd.org
Subject: Can't ping/nslookup
In-Reply-To: <20010702082234.A3842@freebie.xs4all.nl>
Message-ID: <20010710005648.F21477-100000@zoraida.natserv.net>

Setup:

    client --> fxp0 (internal NIC, FreeBSD box) --> ed0 (external NIC)

I am trying to find out why an internal machine/client can't ping or do nslookups on my home network. I used sample rules I found in the archives to let ICMP/DNS through, but they failed to let the client ping or do DNS lookups.

I added the "log" option to all my deny statements, yet I don't see any entries in /var/log/security after I try to ping an external machine from the internal client and it fails.
    ipfw list | grep deny
    00200 deny log logamount 50 ip from any to 127.0.0.0/8
    00300 deny log logamount 50 ip from 127.0.0.0/8 to any
    02100 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
    02200 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
    02300 deny log logamount 50 ip from any to 10.0.0.0/8 via ed0
    02400 deny log logamount 50 ip from any to 172.16.0.0/12 via ed0
    02500 deny log logamount 50 ip from any to 0.0.0.0/8 via ed0
    02600 deny log logamount 50 ip from any to 169.254.0.0/16 via ed0
    02700 deny log logamount 50 ip from any to 192.0.2.0/24 via ed0
    02800 deny log logamount 50 ip from any to 224.0.0.0/4 via ed0
    02900 deny log logamount 50 ip from any to 240.0.0.0/4 via ed0
    03100 deny log logamount 50 ip from 10.0.0.0/8 to any via ed0
    03200 deny log logamount 50 ip from 172.16.0.0/12 to any via ed0
    03300 deny log logamount 50 ip from 0.0.0.0/8 to any via ed0
    03400 deny log logamount 50 ip from 169.254.0.0/16 to any via ed0
    03500 deny log logamount 50 ip from 192.0.2.0/24 to any via ed0
    03600 deny log logamount 50 ip from 224.0.0.0/4 to any via ed0
    03700 deny log logamount 50 ip from 240.0.0.0/4 to any via ed0
    05000 deny log logamount 50 tcp from any to any in recv ed0 setup
    05400 deny log logamount 50 ip from any to any
    65535 deny ip from any to any

Any ideas why failed connections are not logged even though all deny clauses have the log option?

Since I couldn't get the "log" parameter to help, I then tried to add rules to let everything through:

    00100 allow ip from any to any via lo0
    00150 allow icmp from any to any
    00160 allow ip from any to any

That still didn't help. If I set the firewall to "open" in rc.conf, then the client machine can ping and do DNS lookups.

Any thoughts?
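ipfw evaluates a rule set in ascending rule-number order and stops at the first allow or deny that matches, so the first thing to establish for a packet that is unexpectedly dropped or passed is which rule it hits. The following is an added example, not part of this message and not FreeBSD's own rc.firewall code: it parses the rules quoted in the post and replays constructed packets against them. The client address 192.168.10.5, the external host 66.114.65.1, the spoofed source 192.168.10.7 and the interface roles (fxp0 inside, ed0 outside) are assumptions taken from the poster's diagram, and only a subset of the quoted deny rules is carried into the script.

```python
# Added example, not part of the original message: a first-match simulation of
# the ipfw(8) rules quoted in the post. The packets, host addresses and
# interface roles below are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of the "ipfw list | grep deny" output in the post. The omitted rules
# (00300, 02400-03700, 05000) do not match any packet simulated below.
DENY_RULES_AS_POSTED = """
00200 deny log logamount 50 ip from any to 127.0.0.0/8
02100 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
02200 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
02300 deny log logamount 50 ip from any to 10.0.0.0/8 via ed0
05400 deny log logamount 50 ip from any to any
65535 deny ip from any to any
"""
# The three allow rules the poster says were added afterwards.
ALLOW_RULES_ADDED = """
00100 allow ip from any to any via lo0
00150 allow icmp from any to any
00160 allow ip from any to any
"""

@dataclass
class Rule:
    num: int
    action: str
    log: bool
    proto: str                            # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    direction: Optional[str] = None       # "in", "out" or None (either)
    recv: Optional[str] = None            # recv IF: interface the packet arrived on
    via: Optional[str] = None             # via IF: IF is the recv or the xmit interface

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    direction: str                        # "in" or "out"
    recv_if: Optional[str] = None         # interface the packet came in on
    xmit_if: Optional[str] = None         # interface it leaves on (out direction)

def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line: str) -> Rule:
    """Parse the subset of ipfw syntax used in the post (FreeBSD 4.x ipfw)."""
    t = line.split()
    num, action, i, log = int(t[0]), t[1], 2, False
    if t[i] == "log":                     # "log [logamount N]" precedes the protocol
        log, i = True, i + 1
        if t[i] == "logamount":
            i += 2
    rule = Rule(num, action, log, t[i], _net(t[i + 2]), _net(t[i + 4]))
    opts, j = t[i + 5:], 0                # everything after "from SRC to DST"
    while j < len(opts):
        if opts[j] in ("in", "out"):
            rule.direction = opts[j]
        elif opts[j] == "recv":
            rule.recv, j = opts[j + 1], j + 1
        elif opts[j] == "via":
            rule.via, j = opts[j + 1], j + 1
        j += 1
    return rule

def load_rules(*texts: str) -> List[Rule]:
    """ipfw walks rules in ascending number order, so merge the lists and sort."""
    rules = [parse_rule(ln) for text in texts for ln in text.strip().splitlines()]
    return sorted(rules, key=lambda r: r.num)

def matches(r: Rule, p: Packet) -> bool:
    """Every clause present in the rule must hold for the rule to match."""
    return (
        (r.proto == "ip" or r.proto == p.proto)
        and (r.src is None or ipaddress.ip_address(p.src) in r.src)
        and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
        and (r.direction is None or r.direction == p.direction)
        and (r.recv is None or r.recv == p.recv_if)
        and (r.via is None or r.via in (p.recv_if, p.xmit_if))
    )

def first_match(rules: List[Rule], p: Packet) -> Rule:
    """ipfw stops at the first matching allow/deny; 65535 is the default deny."""
    return next(r for r in rules if matches(r, p))

# Constructed packets: the client is assumed to be 192.168.10.5 behind fxp0 and
# 66.114.65.1 is only a stand-in for some external host.
CLIENT_PING = Packet("icmp", "192.168.10.5", "66.114.65.1", "in", recv_if="fxp0")
SPOOFED_UDP = Packet("udp", "192.168.10.7", "192.168.10.5", "in", recv_if="ed0")
DENY_ONLY = load_rules(DENY_RULES_AS_POSTED)
WITH_ALLOWS = load_rules(DENY_RULES_AS_POSTED, ALLOW_RULES_ADDED)

if __name__ == "__main__":
    for name, rules in (("deny rules only", DENY_ONLY), ("with allows", WITH_ALLOWS)):
        for label, pkt in (("client ping", CLIENT_PING), ("spoof in on ed0", SPOOFED_UDP)):
            r = first_match(rules, pkt)
            print(f"{name:15s} {label:15s} -> {r.num:05d} {r.action}{' log' if r.log else ''}")
```

Against the deny list as posted, the client's ping is dropped by the catch-all 05400, which carries the log keyword, so an empty /var/log/security points at logging itself rather than at rule order: on FreeBSD 4.x the log keyword only produces syslog lines when the kernel was built with options IPFW_VERBOSE (net.inet.ip.fw.verbose=1), and logamount is further capped by net.inet.ip.fw.verbose_limit. ipfw show prints per-rule packet counters without any logging, so it is the quickest way to see which rule a failing packet lands on. With the three allow rules merged in, 00150 and 00160 are reached before every deny that follows them, including the anti-spoofing rules 02100 and 02200, which become dead code; a packet that still fails at that point is being dropped somewhere other than the ipfw rule set.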