From: "S. Roberts"
Reply-To: sroberts@dsl.pipex.com
To: freebsd-questions@freebsd.org
Subject: Firewall config and logs
Date: 01 May 2002 18:43:52 +0100
Message-Id: <1020275032.292.16.camel@Demon.Strobe.org>

Hello,

I have a question about my firewall configs. I've progressed from connecting over user ppp via 56k dial-up external modem with a firewall rule-set (and Portsentry as per the mention in Unleashed) that I thought worked well enough.

I've since moved on to connecting via DSL (dynamic IP) - PPPoE with a new ISP. What I've done is simply *added* relevant entries to my firewall rules so as to cater for new IP addresses provided by my new ISP. I still have the dial-up account with the first ISP, I just don't use it as often.

Here's what I figured: Seeing that I now connect via my nic, I might be able to remove entries for tun0 in my rules and replace them with that for my nic card that's connected to my router. What I found is that I could no longer ping my router, the nic, nor anything over the Internet. I'm somewhat confused by this.
If I'm using my nic, why should removing entries for tun0 (previously set up for my serial modem) cause the firewall to prevent connection? I'd appreciate someone clearing this up for me, please.

Further to this, I would also be grateful for assistance in setting up logging for my firewall operations (record entries of denied packets / connection attempts).

I've included a sanitized copy of my rules here for clarity. Should you require more info, please let me know.

Uname:

$ uname -a
FreeBSD 4.5-STABLE FreeBSD 4.5-STABLE #0: Sun Apr 28 12:24:07 BST 2002 :/usr/src/sys/compile/IRON i386
$

Firewall options in rc.conf:

firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"

Thanks for the time,
Stacey

--
Stacey Roberts B.Sc. (HONS) Computer Science
Network Systems Engineer

Attachment: rules.abw (application/x-abiword)