From owner-freebsd-ipfw Mon Apr 24 20:31:20 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from smtp11.bellglobal.com (smtp11.bellglobal.com [204.101.251.53]) by hub.freebsd.org (Postfix) with ESMTP id 6B4AD37B513 for ; Mon, 24 Apr 2000 20:31:16 -0700 (PDT) (envelope-from cybernetik@sympatico.ca)
Received: from jordan (HSE-Toronto-ppp89908.sympatico.ca [216.209.36.143]) by smtp11.bellglobal.com (8.8.5/8.8.5) with SMTP id XAA21658 for ; Mon, 24 Apr 2000 23:37:08 -0400 (EDT)
From: "Jordan Blanchard"
Cc:
Subject: RE: Firewall and the general Network
Date: Mon, 24 Apr 2000 23:31:06 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
In-Reply-To: <20000424211721.A75100@cc942873-a.ewndsr1.nj.home.com>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> 00060 66545 35492707 allow ip from any to any
> 00100 0 0 divert 8668 ip from any to any via tun0
> 00100 0 0 allow ip from any to any via lo0
> 00100 0 0 divert 8668 ip from any to any via tun0
> 00100 0 0 divert 8668 ip from any to any via tun0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00210 0 0 deny icmp from any to any via ed0
> 65535 16 1000 deny ip from any to any

:As Mike pointed out, these rules make no sense. They are not the
:"simple" firewall rules either.

Below is the new firewall..
00100 divert 8668 ip from any to any via ed1
00100 allow ip from any to any via tun0
00130 allow tcp from any to any established
00140 allow ip from 10.10.10.0/24 to 1.1.1.1
00200 deny ip from 10.10.10.0/24 to any in recv ed1
00200 allow tcp from any to any 25
00300 deny ip from 1.1.1.0/24 to any in recv ed0
00315 allow udp from any 53 to any via tun0
00320 allow tcp from any to 1.1.1.1 110
00340 allow log logamount 10 udp from any to 10.10.10.1 123
00400 deny ip from 192.168.0.0/16 to any via ed1
00400 allow udp from any to 1.1.1.1 7070
00400 allow udp from any to 1.1.1.1 6770
00400 allow udp from any to 1.1.1.1 6070
00400 allow tcp from any to 1.1.1.1 554
00400 allow udp from any to 1.1.1.1 4000
00410 deny tcp from any to any 79
00420 deny ip from any to 127.0.0.0/8
00430 unreach host icmp from any to any via ed0
00440 deny log logamount 10 tcp from 10.10.10.12 to 1.1.1.1 20-23
00500 deny ip from any to 192.168.0.0/16 via ed1
00600 deny ip from 172.16.0.0/12 to any via ed1
00700 deny ip from any to 172.16.0.0/12 via ed1
00800 deny ip from 10.0.0.0/8 to any via ed1
00900 deny ip from any to 10.0.0.0/8 via ed1
01000 allow tcp from any to any established
01100 allow tcp from any to 1.1.1.1 25 setup
01200 allow tcp from any to 1.1.1.1 53 setup
01300 allow tcp from any to 1.1.1.1 80 setup
01400 deny log logamount 10 tcp from any to any in recv ed1 setup
01500 allow tcp from any to any setup
01600 allow udp from any 53 to any via ed1
01700 allow udp from any to any 53 via ed1
01800 allow udp from any 123 to any via ed1
01900 allow udp from 10.0.0.0/8 to any 123 via ed1
10155 deny log logamount 10 tcp from any to 10.10.10.1 2049
10160 deny log logamount 10 icmp from any to any via ed0
10160 deny log logamount 10 udp from any to 1.1.1.1
10200 allow ip from any to any
65535 deny ip from any to any

As you have now noticed, there have been quite a few changes... There's only one problem now.. the IP 10.10.10.12, I've stopped incoming telnets and ftps but can't telnet out???
Should I be using the pass command?

> # netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs     Use   Netif Expire
> default            216.209.34.1       UGSc       10    9642    tun0
> 1                  link#2             UC          0       0     ed1
> 10.10.10/24        link#1             UC          0       0     ed0
> 10.10.10.12        0:40:5:4d:3d:c8    UHLW        1    2260     ed0    144
> 10.10.10.120       0:80:c8:36:69:ed   UHLW        2    4970     ed0    715
> 127.0.0.1          127.0.0.1          UH          0       2     lo0
> 216.209.34.1       216.209.34.202     UH          9       0    tun0
> 216.209.34.202     127.0.0.1          UH          0       0     lo0

OK.

> # ifconfig -a
> ed0: flags=8843 mtu 1500
>         inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
>         ether 00:20:18:65:a0:9f
> ed1: flags=88c3 mtu 1500
>         inet 1.1.1.1 netmask 0xff000000 broadcast 1.255.255.255
>         ether 00:00:c0:df:fb:7f
> tun0: flags=8051 mtu 1492
>         inet 216.209.34.202 --> 216.209.34.1 netmask 0xffffff00
> ppp0: flags=8010 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000

:OK.

:And if you are running natd(8) or a routing daemon, the relevant
:info. Then we can probably help analyze your problem.
>
> I've got natd running, from rc.conf..
>
> 138 ?? Is 0:00.00 /sbin/natd -n tun0

:If you are doing NAT through PPP, you should probably use the '-nat'
:option in ppp(8) rather than the natd(8) daemon.

Well, I have put in the nat enable yes command into the ppp.conf and I don't see

ppp -auto -nat pppoe

I see

95 ?? Ss 0:01.50 ppp -auto -quiet pppoe

Could it be something in my ppp.conf?

--
Crist J. Clark cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
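An added example, not from this thread: a small Python simulator of ipfw's first-match evaluation over a constructed subset of the ruleset posted above (same rule numbers, kept in evaluation order), which shows that a TCP SYN from 10.10.10.12 to 1.1.1.1 port 23 arriving on ed0 is matched by rule 00140 before the logging deny at 00440 is ever reached. It assumes a simplified reading of the ipfw keywords it supports (via matches either interface, in means the inbound pass, recv is the arrival interface, setup is SYN without ACK) and reports a divert rule as a plain match without simulating natd reinjection.

```python
import ipaddress

RULES = """\
00100 divert 8668 ip from any to any via ed1
00100 allow ip from any to any via tun0
00140 allow ip from 10.10.10.0/24 to 1.1.1.1
00200 deny ip from 10.10.10.0/24 to any in recv ed1
00440 deny log logamount 10 tcp from 10.10.10.12 to 1.1.1.1 20-23
01400 deny log logamount 10 tcp from any to any in recv ed1 setup
01500 allow tcp from any to any setup
65535 deny ip from any to any""".splitlines()   # constructed subset, in evaluation order
SYN, ACK, OPTS = 0x02, 0x10, {"via", "recv", "in", "setup"}
_net = lambda t: None if t == "any" else ipaddress.ip_network(t, strict=False)
_ports = lambda t: range(int(t.split("-")[0]), int(t.split("-")[-1]) + 1)  # "25" or "20-23"
def parse_rule(line):
    """Parse one rule in the ipfw subset used above (no source ports, no 'out')."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "dport": None, "via": None, "recv": None, "opts": set()}
    i = 2
    while t[i] in ("log", "logamount") or t[i].isdigit():   # skip divert port and log arguments
        i += 1
    r["proto"], r["src"], r["dst"] = t[i], _net(t[i + 2]), _net(t[i + 4])   # "<proto> from X to Y"
    i += 5
    if i < len(t) and t[i] not in OPTS:                     # optional destination port or range
        r["dport"] = _ports(t[i]); i += 1
    while i < len(t):                                       # trailing options
        if t[i] in ("via", "recv"):
            r[t[i]], i = t[i + 1], i + 2
        else:
            r["opts"].add(t[i]); i += 1
    return r
def matches(r, p):
    """p: proto, src, dst, dport, flags, recv (arrival iface), xmit (send iface; None on the inbound pass)."""
    tcp, f = p["proto"] == "tcp", p["flags"]
    return all([
        r["proto"] in ("ip", p["proto"]),
        r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"],
        r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"],
        r["dport"] is None or p["dport"] in r["dport"],
        r["via"] is None or r["via"] in (p["recv"], p["xmit"]),   # via: either interface
        r["recv"] is None or r["recv"] == p["recv"],
        "in" not in r["opts"] or p["xmit"] is None,
        "setup" not in r["opts"] or (tcp and f & SYN and not f & ACK),
    ])
def first_match(p, rules=tuple(parse_rule(l) for l in RULES)):
    """Walk the list in order and return the first matching rule: ipfw's first-match semantics."""
    return next((r for r in rules if matches(r, p)), None)
def tcp_syn(src, dst, dport, recv, xmit=None):              # constructed TCP SYN packet
    return dict(proto="tcp", src=src, dst=dst, dport=dport, flags=SYN, recv=recv, xmit=xmit)
```

Passing an edited rule list as the second argument of first_match shows which rule a packet would hit after a change, which is a quick way to spot rules that an earlier, broader rule shadows.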