From: Dan Phiffer
Delivered-To: freebsd-questions@freebsd.org
Date: Wed, 2 Jul 2003 17:01:52 -0700 (PDT)
Subject: ipfw troubles

Hello,

I'm having some difficulty getting ipfw to work properly. I currently have it configured in "simple" mode. The box is running 4.8-STABLE and offers NAT, DHCP and backup DNS, and acts as a connector between the internal LAN and the Internet.

The main problem is my SSH connections are getting terminated regularly. Attempting to reconnect is met with a "host unreachable" error for a few seconds after being disconnected. I'm also having difficulties with a certain IMAP server, but I'm not sure if that's a firewall-related issue.

Further, I keep getting the following logged to /var/log/messages:

    Jul 2 16:30:21 firewall dhcpd: send_packet: Permission denied
    Jul 2 16:30:53 firewall last message repeated 14 times
    Jul 2 16:32:46 firewall last message repeated 14 times
    Jul 2 16:38:38 firewall last message repeated 83 times
    Jul 2 16:38:38 firewall dhcpd: icmp_echorequest 192.168.1.224: Permission denied
    Jul 2 16:38:48 firewall dhcpd: send_packet: Permission denied
    Jul 2 16:39:20 firewall last message repeated 8 times
    Jul 2 16:41:21 firewall last message repeated 38 times
    Jul 2 16:42:48 firewall last message repeated 11 times
    Jul 2 16:42:50 firewall dhcpd: icmp_echorequest 192.168.1.214: Permission denied

I guess this means I'm not serving DHCP - what kind of rule would fix that?

I read somewhere that simply using natd adds statefulness to an otherwise stateless ipfw configuration. Would an unstateful ipfw setup be less secure in this case?

Thanks,
-Dan