Date: Thu, 8 Jan 2004 11:04:41 -0000
From: Philip Payne <philip.payne@uk.mci.com>
To: "'W. Ryan Merrick'" <sandshrimp@comcast.net>, Ben Quick <general@benquick.f9.co.uk>
Cc: freebsd-questions@freebsd.org
Subject: RE: IPFW confusion
Message-ID: <A0A204EE2E51BC41BCDE3C1DD86D35ED2FC4A2@gblon1exch06.uk.mcilink.com>
Hi,

> > However, I can't get the config to work. I've commented out all the deny
> > rules. In this instance, I can browse the web via SQUID that's installed
> > on the IPFW box. I can't browse the web directly, though. That is the
> > only external access I get. I can't ping any sites, DNS lookups fail
> > (I've set the DNS servers on the client workstation to be my ISP's.
> > I also tried setting it to look at the IPFW box first, with no luck.)
> >
> > Can anyone offer help on this one? I'm getting stuck in a muddle of
> > misunderstanding.

At work, so I don't have time to debug a whole policy or anything, but....

Firstly, I agree with the comments about logging a deny all at the end of your policy. If you start logging too much rubbish, insert specific deny rules that do NOT log just above the deny all to filter out things you don't want to see. To be honest, it's good practice to keep this approach permanently.

Secondly, a handy tool is at fwbuilder.org. This provides a GUI interface for generating your policy. It's not perfect, and there's the whole thing of sacrificing all the command line options for a GUI interface, but I've found it more than useful on my own gateway device. Unfortunately, the NAT part is not working, so you need to script how the rules are installed once compiled to ensure you get a NAT rule in place. I have posted a script to do this in previous emails, but feel free to drop me a reply in future if you need to.

Thanks,
Phil.
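The logging layout Phil recommends (quiet deny rules for expected noise placed just above a single logged deny-all), as an added example that is not part of the original thread. Rule numbers, the 192.168.1.0/24 internal network and the FWCMD dry-run variable are constructed for this illustration; the ipfw keywords are standard.

```shell
#!/bin/sh
# Constructed ipfw rule set: specific, non-logging denies sit directly above
# the final "deny log", so the log shows only traffic nobody expected.
# Set FWCMD=echo to print the commands instead of loading them into the kernel.
FWCMD="${FWCMD:-ipfw}"
LAN="192.168.1.0/24"   # constructed internal network

# Emit the rules in order; explicit numbers make the ordering visible.
rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from $LAN to any setup keep-state
add 310 allow udp from $LAN to any 53 keep-state
# Quiet denies: noise we expect on a LAN and do not want in the log.
add 60000 deny udp from any to any 137-139
add 60010 deny ip from any to 224.0.0.0/4
add 60020 deny ip from any to 255.255.255.255
# Everything else is dropped AND logged; this is the rule to watch.
add 65000 deny log ip from any to any
EOF
}

# Load the rule set, one "ipfw -q add ..." per rule (or print it when FWCMD=echo).
load_rules() {
    rules | grep -v '^#' | while read -r line; do
        # shellcheck disable=SC2086  # intentional word splitting of the rule
        $FWCMD -q $line
    done
}

# Sanity check before loading: exactly one logging rule, and it is the last one.
check_rules() {
    [ "$(rules | grep -c ' deny log ')" -eq 1 ] || return 1
    rules | grep -v '^#' | tail -n 1 | grep -q ' deny log '
}

# Example usage: verify the layout, then load it.
check_rules && load_rules
```

Run with FWCMD=echo first to review the generated commands; once logging is too chatty, add another numbered quiet deny in the 60000 range rather than removing the logged deny-all.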