From owner-freebsd-questions Wed Jan 25 01:53:41 1995
Return-Path: questions-owner
Received: (from root@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id BAA06968 for questions-outgoing; Wed, 25 Jan 1995 01:53:41 -0800
Received: from NS.netvision.net.il (root@ns.NetVision.net.il [192.114.201.5]) by freefall.cdrom.com (8.6.9/8.6.6) with ESMTP id BAA06958 for ; Wed, 25 Jan 1995 01:53:35 -0800
Received: from ugen.NetManage.co.il (ugen.netmanage.co.il [192.114.78.165]) by NS.netvision.net.il (8.6.9/8.6.9) with SMTP id LAA26949; Wed, 25 Jan 1995 11:53:07 +0200
Date: Wed, 25 Jan 95 11:47:28 IST
From: "Ugen J.S.Antsilevich"
Subject: RE: firewalls on freebsd
To: danny@TFS.COM
Cc: freebsd-questions@freefall.cdrom.com
X-Mailer: Chameleon 4.00-Arm-25, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: questions-owner@FreeBSD.org
Precedence: bulk

>
>Ugen,
>
>I am using a PC 386-33, with two SMC network cards running
>FreeBSD 2.0. I'm getting "ipfw: setsocket failed." when doing an "ipfw flush".
>ipfw seems to take my "addb" commands, but when I try to do a "list" I get
>no output. This makes me think none of my filters have been taken.

Already have seen this... Actually the main problem can be that the IP_FW_ADD defines are not synched between the kernel file netinet/raw_ip.c and the ipfw.c utility code. Check this... the simplest way is to add printf's to the utility and to raw_ip.c and see what happens...

>
>I am using the generic "IPFIREWALL" kernel that comes in the "/usr/src/sys/i386/conf" directory. I have also asked Poul-Henning Kamp, and Julian Elischer (two
>of the contributors to FreeBSD) for help and as of yet neither can find the
>problem.
>
>My goal is to block everything but telnet and ftp across this connection.
So that kernel should work. After my last changes there are no addb commands; there is only one firewall chain and one accounting chain. All command syntax is left intact, except that instead of addb[locking] or addf[orwarding] you now have addf[irewall] and delf[irewall]. If your utility still accepts addb, this is a sure sign that it needs a recompile.

To block everything but ftp and telnet from outside you can use, in the simplest case:

addf deny all from 0 to
addf accept tcp from 0 telnet,ftp to

You can make it a bit more sophisticated by adding via to the end of the last command, like:

addf accept tcp from 0 telnet,ftp to via

This takes care of the last CERT security advisory about the possibility of using a local inside IP from outside...

>
>Any help or suggestion would be very very much appreciated.
>
>Danny E. Reid            email: danny@tfs.com
>TRW Financial Systems    Phone: (510) 645-3406
>300 Lakeside Drive       Fax:   (510) 465-4943
>Oakland, CA 94612-3540
>
>
>
>----- End Included Message -----
>
>

--
-=Ugen J.S.Antsilevich=-
NetVision - Israeli Commercial Internet | Learning
E-mail: ugen@NetVision.net.il           | To Fly. [c]
Phone : +972-4-550330                   |
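The policy in Ugen's reply (drop everything inbound except TCP to telnet and ftp, and use the interface qualifier so that packets claiming an inside source address are refused when they arrive from outside) is easier to reason about when you can run it against sample packets. The following is an added example, not code from the post or from the 1995 ipfw utility: a small first-match, default-deny rule evaluator in Python. The inside network 192.0.2.0/24, the outside interface name "ext0", the sample addresses (RFC 5737 documentation ranges) and the first-match ordering are all assumptions; the post does not state how its chain is evaluated, so here the anti-spoofing deny is listed first, as it would be in later numbered-rule ipfw.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional

# Assumed values, not taken from the post: RFC 5737 documentation ranges
# stand in for the site's real inside network, and "ext0" for the interface
# that faces the Internet.
INSIDE_NET: IPv4Network = ip_network("192.0.2.0/24")
OUTSIDE_IF = "ext0"
FTP, TELNET = 21, 23


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port (0 for protocols without ports)
    via: str     # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    proto: str = "all"                       # "all" matches any protocol
    src: Optional[IPv4Network] = None        # None = any source
    dst: Optional[IPv4Network] = None        # None = any destination
    dports: Optional[FrozenSet[int]] = None  # None = any destination port
    via: Optional[str] = None                # None = any interface

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "all" or self.proto == p.proto)
            and (self.src is None or ip_address(p.src) in self.src)
            and (self.dst is None or ip_address(p.dst) in self.dst)
            and (self.dports is None or p.dport in self.dports)
            and (self.via is None or self.via == p.via)
        )


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first rule that matches; unmatched packets
    are denied (default deny), so a forgotten rule fails closed."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# 1. Anti-spoofing: a packet carrying an inside source address can never
#    legitimately arrive on the outside interface. This is the check the
#    "via <interface>" qualifier adds, and it must come before any allow.
ANTI_SPOOF = Rule("deny", src=INSIDE_NET, via=OUTSIDE_IF)
# 2. The only inbound traffic permitted: TCP to the inside hosts' telnet and
#    ftp control ports, arriving on the outside interface.
ALLOW_TELNET_FTP = Rule("allow", proto="tcp", dst=INSIDE_NET,
                        dports=frozenset({TELNET, FTP}), via=OUTSIDE_IF)
# 3. Everything else is dropped.
DENY_ALL = Rule("deny")

RULES = [ANTI_SPOOF, ALLOW_TELNET_FTP, DENY_ALL]
# The same policy without the interface check, to show what spoofing buys.
RULES_NO_ANTISPOOF = [ALLOW_TELNET_FTP, DENY_ALL]


if __name__ == "__main__":
    # Constructed sample packets (203.0.113.0/24 is another RFC 5737 range).
    samples = {
        "telnet from outside": Packet("tcp", "203.0.113.5", "192.0.2.10", TELNET, OUTSIDE_IF),
        "ftp from outside":    Packet("tcp", "203.0.113.5", "192.0.2.10", FTP, OUTSIDE_IF),
        "ssh from outside":    Packet("tcp", "203.0.113.5", "192.0.2.10", 22, OUTSIDE_IF),
        "udp/23 from outside": Packet("udp", "203.0.113.5", "192.0.2.10", TELNET, OUTSIDE_IF),
        "spoofed inside src":  Packet("tcp", "192.0.2.7", "192.0.2.10", TELNET, OUTSIDE_IF),
    }
    for name, pkt in samples.items():
        print(f"{name:20s} with anti-spoof: {evaluate(RULES, pkt):5s} "
              f"without: {evaluate(RULES_NO_ANTISPOOF, pkt)}")
```

The spoofed packet is the interesting case: without the interface-qualified deny it is accepted, because "from any to inside port 23" is satisfied by a forged inside source just as well as by a real outside one. Two caveats a practitioner would want: a stateless filter like this only covers the ftp control connection on port 21, so passive-mode data connections, which land on high ports, are denied here; and the rules as written say nothing about the return half of connections the inside hosts initiate, which a real ruleset must also handle.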