From owner-freebsd-security Tue Jul 10 4:11:56 2001
Date: Tue, 10 Jul 2001 07:15:34 -0400 (EDT)
From: Dru
To: Francisco Reyes
Subject: Re: Cant ping/nslookup
In-Reply-To: <20010710005648.F21477-100000@zoraida.natserv.net>
Message-ID: <20010710071252.D345-100000@x1-6-00-50-ba-de-36-33.kico1.on.home.com>
Sender: owner-freebsd-security@FreeBSD.ORG

Hi Francisco,

I don't see any rules to allow UDP. There's a step-by-step article on what's
required here:

http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html?page=2

Cheers,
Dru

On Tue, 10 Jul 2001, Francisco Reyes wrote:

> setup:
> client --> fxp0 (internal NIC FBSD) --> ed0 (external NIC)
>
> I am trying to find why an internal machine/client can't ping or do
> nslookups on my home network.
>
> I used sample rules I found on the archives to let icmp/dns through, but
> they failed to let the client ping or do dns lookups.
>
> I added the "log" option to all my deny statements, yet I don't see any
> entries in /var/log/security after I try to ping an external machine from
> the internal client and it fails.
>
> ipfw list|grep deny
> 00200 deny log logamount 50 ip from any to 127.0.0.0/8
> 00300 deny log logamount 50 ip from 127.0.0.0/8 to any
> 02100 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
> 02200 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
> 02300 deny log logamount 50 ip from any to 10.0.0.0/8 via ed0
> 02400 deny log logamount 50 ip from any to 172.16.0.0/12 via ed0
> 02500 deny log logamount 50 ip from any to 0.0.0.0/8 via ed0
> 02600 deny log logamount 50 ip from any to 169.254.0.0/16 via ed0
> 02700 deny log logamount 50 ip from any to 192.0.2.0/24 via ed0
> 02800 deny log logamount 50 ip from any to 224.0.0.0/4 via ed0
> 02900 deny log logamount 50 ip from any to 240.0.0.0/4 via ed0
> 03100 deny log logamount 50 ip from 10.0.0.0/8 to any via ed0
> 03200 deny log logamount 50 ip from 172.16.0.0/12 to any via ed0
> 03300 deny log logamount 50 ip from 0.0.0.0/8 to any via ed0
> 03400 deny log logamount 50 ip from 169.254.0.0/16 to any via ed0
> 03500 deny log logamount 50 ip from 192.0.2.0/24 to any via ed0
> 03600 deny log logamount 50 ip from 224.0.0.0/4 to any via ed0
> 03700 deny log logamount 50 ip from 240.0.0.0/4 to any via ed0
> 05000 deny log logamount 50 tcp from any to any in recv ed0 setup
> 05400 deny log logamount 50 ip from any to any
> 65535 deny ip from any to any
>
> Any ideas why failed connections are not logged even though all deny
> clauses have the log option?
>
> Since I couldn't get the "log" parameter to help I then tried to add
> rules to let everything through:
> 00100 allow ip from any to any via lo0
> 00150 allow icmp from any to any
> 00160 allow ip from any to any
>
> That still didn't help.
>
> If I set the firewall to open in rc.conf then the client machine can ping
> and do dns lookups.
>
> Any thoughts?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message