From: Jeff Walters
Reply-To: jeff@walters.name
To: "Brian Henning"
Cc: freebsd-questions@freebsd.org
Subject: Re: firewall revisited
Date: Wed, 5 Mar 2003 17:26:03 -0500
User-Agent: KMail/1.5
References: <200303051114.25796.jeff@walters.name>
Message-Id: <200303051726.03515.jeff@walters.name>

On Wednesday 05 March 2003 02:48 pm, Brian Henning wrote:
> Jeff,
>
> you must have your firewall_type set to the default then in rc.conf or
> /etc/defaults/rc.conf. does your setup not run the standard rc.firewall file
> in /etc?
>
> does this rule allow any access to the outside network?
> ipfw add 00100 allow tcp from any to any via ed0 established
>
> thanks,
>
> brian

I don't set firewall_type in rc.conf (i.e. leaving it at the default), because it would be ignored. When you change firewall_script in /etc/rc.conf, /etc/rc.firewall will no longer run at boot automatically. The ipfw rule above allows all packets for established connections to pass the firewall.
This is determined only by the flags in each inbound packet, not because of any memory of the state of connections. You would also need rules dealing with the setup packets to allow the TCP connections to be created. It's in the ipfw man page and probably the FreeBSD Handbook also with better examples, but a quick additional rule to allow you to get out on ed0 with any possible TCP connection would be:

ipfw add 00200 allow tcp from any to any out xmit ed0 setup

Jeff
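As an added illustration of the point made above (example code written for this archive page, not part of the original message or of ipfw itself), the following models how ipfw evaluates the two quoted rules against individual TCP packets: `established` matches a packet with ACK or RST set, `setup` matches SYN set with ACK clear, and neither consults any connection table. The trailing rule 65535 assumes the kernel's default-to-deny behaviour; the interface names and packets are constructed samples.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

@dataclass
class Packet:
    """Constructed sample packet: only the fields the two rules look at."""
    direction: str   # "in" or "out"
    iface: str       # interface the packet is received or transmitted on
    flags: Set[str]  # TCP flags present, e.g. {"SYN"} or {"ACK"}

def is_established(p: Packet) -> bool:
    # ipfw "established": TCP packet with RST or ACK set, no state lookup.
    return "ACK" in p.flags or "RST" in p.flags

def is_setup(p: Packet) -> bool:
    # ipfw "setup": SYN set and ACK clear, i.e. the first packet of a handshake.
    return "SYN" in p.flags and "ACK" not in p.flags

Rule = Tuple[int, str, Callable[[Packet], bool]]

RULES: List[Rule] = [
    # 00100 allow tcp from any to any via ed0 established  ("via" = either direction)
    (100, "allow", lambda p: p.iface == "ed0" and is_established(p)),
    # 00200 allow tcp from any to any out xmit ed0 setup   (outbound only)
    (200, "allow", lambda p: p.iface == "ed0" and p.direction == "out" and is_setup(p)),
    # assumed default rule: deny everything that reached the end of the list
    (65535, "deny", lambda p: True),
]

def evaluate(p: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first matching rule, as ipfw does."""
    for number, action, match in RULES:
        if match(p):
            return number, action
    raise RuntimeError("rule list must end with a catch-all")

def classify_samples() -> List[Tuple[str, Tuple[int, str]]]:
    """Constructed packets that show what the stateless rules do and do not check."""
    samples = [
        ("outbound SYN on ed0 (new connection)", Packet("out", "ed0", {"SYN"})),
        ("inbound SYN on ed0 (someone connecting in)", Packet("in", "ed0", {"SYN"})),
        ("inbound bare ACK on ed0 (no matching connection)", Packet("in", "ed0", {"ACK"})),
        ("inbound RST on ed0", Packet("in", "ed0", {"RST"})),
        ("outbound SYN on another interface", Packet("out", "xl0", {"SYN"})),
    ]
    return [(label, evaluate(p)) for label, p in samples]

if __name__ == "__main__":
    for label, (number, action) in classify_samples():
        print(f"{label:50s} -> rule {number:5d} {action}")
```

The third sample is the security-relevant one: an inbound packet with only ACK set matches rule 100 even though no connection exists, which is exactly what "determined only by the flags" means.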