From: Michael Sharp <msharp@medmail.com>
To: FreeBSD-security@FreeBSD.org
Date: 9 May 2001 13:03:35 -0700
Message-ID: <20010509200335.7680.cpmta@c000.sfo.cp.net>
Subject: ipfw

Expanding on what Noel Fitzpatrick said...

If I do

    ipfw -f flush

I still have rule

    65535 deny ip from any to any

which allows NOTHING in or OUT. I can add DENY chains all day, but I cannot add any ALLOW chains unless I put in rule

    65000 allow ip from any to any

but this goes at the very top and is the first chain processed (which allows ANYTHING in) even if there are DENY chains below it.

SO, from /etc/rc.firewall I added IPFIREWALL_DEFAULT_TO_ACCEPT to my kernel and recompiled. In /etc/rc.conf, I have firewall_enable="YES" and firewall_type="open", and still I cannot get rid of that pesky 65535 DENY everything rule that won't let me do anything unless I add "ipfw add allow ip from any to any", which allows everything despite ANY DENY chains.
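An added illustration, not part of the message above: a small Python model of how ipfw evaluates a ruleset. Rules are walked in ascending number order and the first match decides; a packet that matches nothing falls through to rule 65535, which denies unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT. The reduced rule syntax, the sample addresses and the step-of-100 auto-numbering used for "ipfw add" without an explicit number are assumptions of this model.

```python
# Added example: a reduced model of ipfw first-match evaluation (not the
# poster's or FreeBSD's code). Rule = (number, action, proto, src, dst, dport).
import ipaddress

DEFAULT_RULE = 65535  # the compiled-in default rule ipfw always keeps


def _addr_matches(spec, addr):
    """spec is 'any', a single address, or a CIDR network."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    _num, _action, proto, src, dst, dport = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if dport is not None and dport != pkt.get("dport"):
        return False
    return _addr_matches(src, pkt["src"]) and _addr_matches(dst, pkt["dst"])


def evaluate(rules, pkt, default_to_accept=False):
    """First matching rule in ascending number order wins; otherwise rule
    65535 applies: deny, or allow under IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, pkt):
            return rule[1], rule[0]
    return ("allow" if default_to_accept else "deny"), DEFAULT_RULE


def add_rule(rules, action, proto, src, dst, dport=None, number=None):
    """'ipfw add [number] ...': with no number, the rule lands after the highest
    existing rule (modelled as the next multiple of 100; an assumption here)."""
    if number is None:
        highest = max((r[0] for r in rules), default=0)
        number = min((highest // 100 + 1) * 100, DEFAULT_RULE - 1)
    rules.append((number, action, proto, src, dst, dport))
    return number


def demo():
    # Constructed sample packets: telnet and ssh to the same host.
    telnet = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.1", "dport": 23}
    ssh = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.1", "dport": 22}
    rules = []
    add_rule(rules, "deny", "tcp", "any", "any", dport=23)   # becomes rule 100
    allow_no = add_rule(rules, "allow", "ip", "any", "any")  # becomes rule 200
    shadowed = rules + [(50, "allow", "ip", "any", "any", None)]  # allow numbered below the deny
    return {"allow_number": allow_no,
            "telnet": evaluate(rules, telnet),            # deny at 100 still wins
            "ssh": evaluate(rules, ssh),                  # allowed by 200
            "telnet_shadowed": evaluate(shadowed, telnet),  # a lower-numbered allow hides the deny
            "ssh_no_allow": evaluate(rules[:1], ssh),     # falls to 65535: deny
            "ssh_default_accept": evaluate(rules[:1], ssh, default_to_accept=True)}
```

The model shows that an allow rule only masks a deny when its number is lower than the deny's; an allow added without a number, or at 65000, is evaluated after lower-numbered deny rules.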