Date: Wed, 10 Oct 2001 22:56:21 -0400
From: Louis LeBlanc <leblanc@smtp.ne.mediaone.net>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW, natd, and one big headache
Message-ID: <20011010225621.B1037@acadia.ne.mediaone.net>
In-Reply-To: <200110110210.f9B2Atw99386@grumpy.dyndns.org>
References: <leblanc%2Bfreebsd@smtp.ne.mediaone.net> <20011010212942.A1037@acadia.ne.mediaone.net> <200110110210.f9B2Atw99386@grumpy.dyndns.org>
On 10/10/01 09:10 PM, David Kelly sat at the `puter and typed:
> [. . .]
>
> What does the above script say about ports 67 and 68? Hint:
>
> # allow DHCP stuff
> ${fwcmd} add pass udp from 24.214.63.26 67 to any 68 in via ${nic}
> ${fwcmd} add pass udp from me 68 to 24.214.63.26 67 out via ${nic}

This is what I have:

ipfw add allow udp from ${dhcp_s} 67 to ${oip} 68 via ${oif} in
ipfw add allow udp from ${oip} 68 to ${dhcp_s} 67 via ${oif} out
ipfw add allow udp from ${dhcp_s} 67 to ${bcast_d} 68 via ${oif} in
ipfw add allow udp from ${bcast_s} 68 to ${dhcp_s} 67 via ${oif} out

Right now, dhcp_s is "any", and the bcast_* are the broadcast addresses for
the ping that is apparently still not getting out. I think I'll try your
lines. I wasn't real familiar with the 'me' key. I did read somewhere that
there was a security flaw of some kind - I don't remember the details of the
flaw, except that it was fixed sometime in the last couple months. But I
digress.

Thanks for those hints.

> [. . .]
>
> I suggest adding "-log_facility security" to natd so that both natd and
> ipfw report to the same place. Namely /var/log/security.

Ok, I'll do that.

> The best way to debug ipfw that I've found is to throw "log" modifiers
> at all suspected blocking rules. Is easy to insert a new copy of the
> rule with "log" added just before the current rule.
>
> Doesn't hurt anything to have two identical rules in a row. Later for
> cleanup you can simply delete the debugging log rules. I let my rules
> autonumber on insert. Steps by 100. So temporary debugging rules are
> often xx50 or xx90. Easy to spot and remove.

Ahh! Excellent. No more banging my head around blind. I'll try to get in
the habit of doing just that. Thanks!

> No need to reboot to debug your firewall and dhclient. Simply kill
> dhclient and start it again with "dhclient xl0"

How will this affect natd if it is running?

> Use "ipfw zero" just before you restart dhclient. Then if you didn't
> log the problems, "ipfw -a list" should indicate which rules got hits
> since the zero. Then you have an idea where the dhcp packets are
> being stopped.

Awesome. I knew there had to be a way to get an idea where you needed a
hole that wasn't there.

I appreciate the suggestions - REALLY. I'll probably spend a day or so
kicking them around.

Cheers.
Lou
--
Louis LeBlanc
leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net

furbling, v.:
  Having to wander through a maze of ropes at an airport or bank even when
  you are the only person in line.
    -- Rich Hall, "Sniglets"