From owner-freebsd-questions Fri Feb 5 19:50:56 1999
Date: Fri, 5 Feb 1999 21:50:43 -0600
From: john@dexter.starfire.mn.org (John Lind)
To: dan@dpcsys.com (Dan Busarow)
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Fwd: Re: ipfw question
X-Mailer: Mutt 0.53
In-Reply-To: ; from Dan Busarow on Feb 2, 1999 15:51:19 -0800

Please reply directly, as I do not currently subscribe to this list.

Dan Busarow writes:

[ lots of historical stuff deleted ]

> > Help???
>
> Try this. Reboot the system to clear any ipfw counters.
> Try making the outbound connection and then run
>
> # ipfw show
>
> That should show you which rule is causing the problem.
>
> Send the output of ipfw show and netstat -rn

Wow, I am REALLY convinced that something is REALLY broken. Having tried what Dan suggested and not learning much (everything looked like it SHOULD have worked), I've gone to a TRIVIAL ruleset, and even THAT doesn't work!

Since the rc.firewall code does an ipfw -f flush each time it is run, I haven't had to reboot to clear the counters. All the counters except for the permanent rule (65536 deny ip from any to any) get cleared -- this may be a "feature", since that rule is never flushed.

The new ruleset should simply allow unrestricted access to the gateway machine itself on the external interface.

What actually happens is that the telnet session that I have open to enable the firewall continues to work (and this accounts for the counter activity on the "established" rule), but a new telnet session never gives me the banner and prompt, even though the "setup" rule counter gets incremented.

Right now, I only see three possibilities:

1) The operation of the firewall code has changed in some subtle way that I am unable to infer or discern from examining the example code.

2) I am missing something so obvious that I am staring right at it.

3) FreeBSD 2.2.7 ipfw and/or kernel code is BROKEN.

Following is the information requested:

# ipfw show
01000     6    363 allow tcp from any to any established
01250     1     68 allow tcp from any to 137.192.130.29 setup
01251     0      0 allow tcp from 137.192.130.29 to any
01420     0      0 allow tcp from any to any 53 setup
01421     3    216 allow udp from any to any 53
01430     0      0 allow icmp from any to any
65535     4    813 deny ip from any to any

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            137.192.130.30     UGSc         3     387     ed0
127.0.0.1          127.0.0.1          UH           0       0     lo0
137.192.130.16/29  link#2             UC           0       0
137.192.130.20     0:a0:c9:32:2:df    UHLW         1     466     ed1    842
137.192.130.24/29  link#1             UC           0       0
137.192.130.30     0:e0:d0:0:d8:60    UHLW         4       0     ed0    798

Please reply directly, as I do not currently subscribe to this list.

John Lind, Starfire Consulting Services
E-mail: john@starfire.MN.ORG
USnail: PO Box 17247, Mpls MN 55417
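The counter-based diagnostic Dan suggests above (snapshot `ipfw show`, attempt the connection, see which counters moved) can be automated. The following is an added example, not code from the thread or from FreeBSD: it parses two `ipfw show` snapshots, lists the rules whose packet counters rose, and flags hits on deny rules. The "before" snapshot is constructed; the "after" snapshot is the one from John's post.

```python
import re

# One line of `ipfw show`: rule number, packet count, byte count, rule text.
IPFW_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

def parse_ipfw_show(text):
    """Map rule number -> (packets, bytes, rule text) for one snapshot."""
    rules = {}
    for line in text.splitlines():
        m = IPFW_LINE.match(line)
        if m:
            rules[int(m.group(1))] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return rules

def diff_counters(before, after):
    """Rules whose packet counter rose between snapshots; a rule missing from 'before' counts from zero."""
    hits = []
    for num, (pkts, nbytes, rule) in sorted(after.items()):
        b_pkts, b_bytes, _ = before.get(num, (0, 0, rule))
        if pkts > b_pkts:
            hits.append({"rule": num, "packets": pkts - b_pkts,
                         "bytes": nbytes - b_bytes, "text": rule,
                         "deny": rule.split()[0] == "deny"})
    return hits

# Constructed sample: a snapshot before the test telnet, and the one John posted after it.
BEFORE = """\
01000 5 311 allow tcp from any to any established
01250 0 0 allow tcp from any to 137.192.130.29 setup
01251 0 0 allow tcp from 137.192.130.29 to any
01420 0 0 allow tcp from any to any 53 setup
01421 3 216 allow udp from any to any 53
01430 0 0 allow icmp from any to any
65535 1 200 deny ip from any to any
"""
AFTER = """\
01000 6 363 allow tcp from any to any established
01250 1 68 allow tcp from any to 137.192.130.29 setup
01251 0 0 allow tcp from 137.192.130.29 to any
01420 0 0 allow tcp from any to any 53 setup
01421 3 216 allow udp from any to any 53
01430 0 0 allow icmp from any to any
65535 4 813 deny ip from any to any
"""

if __name__ == "__main__":
    for h in diff_counters(parse_ipfw_show(BEFORE), parse_ipfw_show(AFTER)):
        flag = "   <-- packets dropped here" if h["deny"] else ""
        print(f"rule {h['rule']:05d}: +{h['packets']} pkts  {h['text']}{flag}")
```

In practice the two snapshots come from `ipfw show` run right before and right after the failing connection attempt, on a ruleset that has not been flushed in between.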