From owner-freebsd-questions Wed Oct 10 19:56:49 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from chmls05.mediaone.net (chmls05.mediaone.net [24.147.1.143]) by hub.freebsd.org (Postfix) with ESMTP id 550F237B40F for ; Wed, 10 Oct 2001 19:56:42 -0700 (PDT)
Received: from acadia.ne.mediaone.net (acadia.ne.mediaone.net [65.96.185.189]) by chmls05.mediaone.net (8.11.1/8.11.1) with ESMTP id f9B2uTr06249 for ; Wed, 10 Oct 2001 22:56:30 -0400 (EDT)
Received: (from leblanc@localhost) by acadia.ne.mediaone.net (8.11.6/8.11.6) id f9B2uLw06864 for freebsd-questions@FreeBSD.ORG; Wed, 10 Oct 2001 22:56:21 -0400 (EDT) (envelope-from leblanc)
Date: Wed, 10 Oct 2001 22:56:21 -0400
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW, natd, and one big headache
Message-ID: <20011010225621.B1037@acadia.ne.mediaone.net>
Reply-To: Louis LeBlanc
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <20011010212942.A1037@acadia.ne.mediaone.net> <200110110210.f9B2Atw99386@grumpy.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <200110110210.f9B2Atw99386@grumpy.dyndns.org>
User-Agent: Mutt/1.3.22.1i
X-bright-idea: Lets abolish HTML mail!
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 10/10/01 09:10 PM, David Kelly sat at the `puter and typed:
> [. . .]
>
> What does the above script say about ports 67 and 68? Hint:
>
> # allow DHCP stuff
> ${fwcmd} add pass udp from 24.214.63.26 67 to any 68 in via ${nic}
> ${fwcmd} add pass udp from me 68 to 24.214.63.26 67 out via ${nic}

This is what I have:

ipfw add allow udp from ${dhcp_s} 67 to ${oip} 68 via ${oif} in
ipfw add allow udp from ${oip} 68 to ${dhcp_s} 67 via ${oif} out
ipfw add allow udp from ${dhcp_s} 67 to ${bcast_d} 68 via ${oif} in
ipfw add allow udp from ${bcast_s} 68 to ${dhcp_s} 67 via ${oif} out

Right now, dhcp_s is "any", and the bcast_* are the broadcast addresses
for the ping that is apparently still not getting out. I think I'll try
your lines. I wasn't really familiar with the 'me' key. I did read
somewhere that there was a security flaw of some kind - I don't remember
the details of the flaw, except that it was fixed sometime in the last
couple of months. But I digress. Thanks for those hints.

> [. . .]
>
> I suggest adding "-log_facility security" to natd so that both natd and
> ipfw report to the same place. Namely /var/log/security.

Ok, I'll do that.

> The best way to debug ipfw that I've found is to throw "log" modifiers
> at all suspected blocking rules. It's easy to insert a new copy of the
> rule with "log" added just before the current rule.
>
> Doesn't hurt anything to have two identical rules in a row. Later for
> cleanup you can simply delete the debugging log rules. I let my rules
> autonumber on insert. Steps by 100. So temporary debugging rules are
> often xx50 or xx90. Easy to spot and remove.

Ahh! Excellent. No more banging my head around blind. I'll try to get
in the habit of doing just that. Thanks!

> No need to reboot to debug your firewall and dhclient. Simply kill
> dhclient and start it again with "dhclient xl0"

How will this affect natd if it is running?

> Use "ipfw zero" just before you restart dhclient. Then if you didn't
> log the problems, "ipfw -a list" should indicate which rules got hits
> since the zero. Then you have an idea where the dhcp packets are
> being stopped.

Awesome. I knew there had to be a way to get an idea where you needed a
hole that wasn't there. I appreciate the suggestions - REALLY. I'll
probably spend a day or so kicking them around.

Cheers.
Lou

--
Louis LeBlanc leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

furbling, v.:
Having to wander through a maze of ropes at an airport or bank even
when you are the only person in line.
-- Rich Hall, "Sniglets"
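Added example, not code from Lou's or David's messages, putting the two debugging suggestions in the quoted text into a small POSIX shell script: it generates the DHCP pass rules from the quoted hint with a "log" twin numbered xx50 placed just in front of each, and it filters "ipfw -a list" counters down to the rules that got hits since the last "ipfw zero". The interface xl0 and the server address 24.214.63.26 come from the thread; the rule numbers 300/400 and the "ipfw -a list" sample are assumed and constructed here, and the script only echoes the ipfw commands unless FWCMD=ipfw is set (as root, on a FreeBSD box).

```shell
#!/bin/sh
# Added example, not code from the thread above. It illustrates two of the
# techniques discussed: putting a logging copy of a suspect rule just in front
# of it (numbered xx50 so it is easy to spot and remove later), and reading
# `ipfw -a list` counters after an `ipfw zero` to see which rules got hits.
# Interface name, DHCP server address and rule numbers are assumed placeholders.

# emit_rule NUM ACTION RULE...: print the temporary logging copy at NUM-50
# followed by the real rule at NUM. Because the copy comes first and also
# passes the packet, the original rule shows 0 hits while the copy is in place.
emit_rule() {
    num=$1; action=$2; shift 2
    printf '%05d %s log %s\n' "$((num - 50))" "$action" "$*"
    printf '%05d %s %s\n' "$num" "$action" "$*"
}

# dhcp_rules NIC SERVER: the two DHCP pass rules from the quoted hint, each
# with its logging twin. "me" matches any address configured on this host,
# so the outbound rule does not need the leased address written into it.
dhcp_rules() {
    nic=$1; server=$2
    emit_rule 300 allow udp from "$server" 67 to any 68 in via "$nic"
    emit_rule 400 allow udp from me 68 to "$server" 67 out via "$nic"
}

# hit_rules: filter `ipfw -a list` output (rule number, packets, bytes, rule)
# down to "NUM PACKETS rule" for every rule whose packet counter is nonzero.
hit_rules() {
    awk '$2 > 0 { n = $1; p = $2; $1 = $2 = $3 = ""; sub(/^ +/, ""); print n, p, $0 }'
}

# Constructed sample of what `ipfw -a list` might print after `ipfw zero`
# and a dhclient restart: the logging copy saw the offers come in, the
# original behind it saw nothing, and something outbound hit the default deny.
SAMPLE_LIST='00100    0      0 allow ip from any to any via lo0
00250   14   4928 allow log udp from 24.214.63.26 67 to any 68 in via xl0
00300    0      0 allow udp from 24.214.63.26 67 to any 68 in via xl0
00400    0      0 allow udp from me 68 to 24.214.63.26 67 out via xl0
65535  219  31044 deny ip from any to any'

# Dry run by default; FWCMD=ipfw (as root, on FreeBSD) would load the rules.
main() {
    fwcmd=${FWCMD:-"echo ipfw"}
    dhcp_rules xl0 24.214.63.26 | while read -r rule; do
        $fwcmd add $rule
    done
    echo "--- rules with hits since the last ipfw zero ---"
    printf '%s\n' "$SAMPLE_LIST" | hit_rules
}

case "${1:-}" in
    --run) main ;;
esac
```

Run it as "sh debug-dhcp-rules.sh --run" to see the rule set and the filtered counters; once the logging copies have told you where the packets stop, "ipfw delete 250" and "ipfw delete 400" take the xx50 rules out again.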