Date: Fri, 31 Jan 2003 12:21:18 -0500
From: Jason Morgan <jwm-freebsd@sentinelchicken.net>
To: Steve Bertrand <iaccounts@northnetworks.ca>, freebsd-questions@freebsd.org
Subject: Re: IPFW2 setup
Message-ID: <20030131172118.GA1046@sentinelchicken.net>
In-Reply-To: <3E3AAAA2.4010205@northnetworks.ca>
References: <20030131163752.GC354@sentinelchicken.net> <3E3AAAA2.4010205@northnetworks.ca>
Kernel firewall settings:

options IPFW2
options IPFIREWALL                      #Firewall
options IPFIREWALL_VERBOSE              #print info about dropped packets
options IPFIREWALL_VERBOSE_LIMIT="10"   #limit verbosity
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT="10"
options IPDIVERT                        #Divert sockets
options IPSTEALTH                       #support stealth forwarding
options ICMP_BANDLIM                    #Rate limit bad replies
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP

I can't reach the web from the inside, nor can I ssh to my server. Everything
seems to be getting hung up on rules 310 and 410. I, of course, want to do
away with 32000. In order to get through, I have temporarily added an
'allow all from any to any' at 210. I'll start logging the denys and see
what happens.

-jason

On Fri, Jan 31, 2003 at 11:56:02AM -0500, Steve Bertrand wrote:
> What part is not working? Can you nat through? Perhaps you could add
> some logging to see which packets are failing and why.
> Do you have the following in the kernel?
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPDIVERT
>
> Let us know.
>
> Steve
>
> Jason Morgan wrote:
>
> >OK, I've read the man page for IPFW a couple times and I am still having
> >difficulty setting up a working firewall. The firewall acts as a gateway
> >to my inside network as well as a web server and mail server. I also
> >need ssh connectivity from inside and out. Also, one odd thing is that I
> >have a Zyxel Prestige 643 acting as an additional router between me and
> >my DSL connection (I couldn't figure out how to get the router in pure
> >bridging mode). It comes in handy, though, as it has a 4-port switch
> >built in and can also act as a firewall and does the PPPoE easy enough.
> >
> >NICs:
> >xl0 as 192.168.1.101 (to Zyxel and outside)
> >dc0 as 10.0.0.1 (inside)
> >
> >Current IPFW config:
> >
> >---------------------------------------------------------
> >
> ># Basics
> >add 00010 pass all from any to any via lo0
> >add 00020 deny all from any to 127.0.0.0/8
> >add 00030 deny ip from 127.0.0.0/8 to any
> >add 00040 deny ip from any to any frag
> >
> ># Spoofing Check
> >add 00050 deny all from 10.0.0.0/8 to any in via xl0
> >add 00060 deny all from 172.16.0.0/12 to any in via xl0
> >
> >add 00080 allow all from 192.168.1.1 to any in via xl0
> >add 00085 deny all from 192.168.0.0/16 to any in via xl0
> >
> ># Divert
> >add 00100 divert natd all from any to any via xl0
> >
> ># Allowances
> >add 00200 allow all from any to any in via dc0
> >
> ># Check state of dynamic rules
> >add 00220 check-state
> >
> ># UDP
> >add 00300 allow udp from any to any out setup
> >add 00310 deny udp from any to any established
> >add 00320 allow udp from any to any 53 in via xl0 setup keep-state
> >
> ># TCP
> >add 00400 allow tcp from any to any out setup keep-state
> >add 00410 deny tcp from any to any established
> >add 00420 allow tcp from any to any 22,25,80 in setup keep-state
> >
> >
> >add 32000 allow all from any to any
> >
> >------------------------------------------------------------
> >
> >Could anyone offer some advice?
> >
> >Regards,
> >
> >Jason
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030131172118.GA1046>
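Added example, not part of the thread and not code from Jason or Steve: a small Python model of ipfw's first-match walk over the ruleset quoted above, written to show why a rule such as 410 ends up catching reply traffic. The semantics it relies on are those of ipfw(8): the first matching rule decides; "setup" matches TCP packets with SYN set and ACK clear; "established" matches TCP packets with ACK or RST set (RST is left out of the model); both are TCP tests, so rules 300, 310 and 320 can never match a UDP packet; "check-state" consults the dynamic rules that "keep-state" created. natd is deliberately not modelled, so the divert rule just passes packets through, and the two flows traced are ones where that does not matter: an inside host opening ssh to the gateway's own sshd (which never crosses natd), and a UDP DNS lookup, where every rule that can fire says 'any to any'. The addresses 10.0.0.5 and 198.51.100.53 are constructed test data, and the variant that adds keep-state to rule 200 is this example's own candidate fix, not advice given in the thread.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# A packet on one pass through the ruleset; direction is "in"/"out", iface dc0/xl0/lo0.
Pkt = namedtuple("Pkt", "proto src sport dst dport direction iface syn ack frag",
                 defaults=(False, False, False))

def _in_net(addr, net):             # "" stands for ipfw's 'any'
    return not net or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass
class Rule:
    num: int
    action: str                     # allow / deny / divert / check-state
    proto: str = "all"
    src: str = ""
    dst: str = ""
    direction: str = ""             # "" = in or out
    via: str = ""
    dports: tuple = ()
    frag: bool = False
    setup: bool = False             # ipfw(8): TCP with SYN set and ACK clear
    established: bool = False       # ipfw(8): TCP with ACK or RST set (RST not modelled)
    keep_state: bool = False

    def matches(self, p):
        tcp = p.proto == "tcp"
        return (self.proto in ("all", p.proto)
                and _in_net(p.src, self.src) and _in_net(p.dst, self.dst)
                and self.direction in ("", p.direction) and self.via in ("", p.iface)
                and (not self.dports or p.dport in self.dports)
                and (not self.frag or p.frag)
                # setup/established are TCP tests, so a UDP packet never satisfies them
                and (not self.setup or (tcp and p.syn and not p.ack))
                and (not self.established or (tcp and p.ack)))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.state = set()          # dynamic rules: (proto, {endpoint, endpoint})

    def walk(self, p):
        """First-match walk of one packet; returns (verdict, rule number)."""
        key = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
        for r in self.rules:
            if r.action == "check-state":
                if key in self.state:       # every keep-state rule in this set is an allow
                    return "allow", r.num
            elif r.matches(p):
                if r.action == "divert":    # natd not modelled: resume after the divert rule
                    continue
                if r.keep_state:
                    self.state.add(key)
                return r.action, r.num
        return "deny", 65535                # implicit default rule

RULES = [  # the ruleset exactly as posted, rule 32000 included
    Rule(10, "allow", via="lo0"),
    Rule(20, "deny", dst="127.0.0.0/8"),
    Rule(30, "deny", src="127.0.0.0/8"),
    Rule(40, "deny", frag=True),
    Rule(50, "deny", src="10.0.0.0/8", direction="in", via="xl0"),
    Rule(60, "deny", src="172.16.0.0/12", direction="in", via="xl0"),
    Rule(80, "allow", src="192.168.1.1/32", direction="in", via="xl0"),
    Rule(85, "deny", src="192.168.0.0/16", direction="in", via="xl0"),
    Rule(100, "divert", via="xl0"),
    Rule(200, "allow", direction="in", via="dc0"),
    Rule(220, "check-state"),
    Rule(300, "allow", proto="udp", direction="out", setup=True),
    Rule(310, "deny", proto="udp", established=True),
    Rule(320, "allow", proto="udp", dports=(53,), direction="in", via="xl0", setup=True, keep_state=True),
    Rule(400, "allow", proto="tcp", direction="out", setup=True, keep_state=True),
    Rule(410, "deny", proto="tcp", established=True),
    Rule(420, "allow", proto="tcp", dports=(22, 25, 80), direction="in", setup=True, keep_state=True),
    Rule(32000, "allow"),
]

# Constructed packets.  Flow A: an inside host opens ssh to the gateway itself (never crosses natd).
SSH = (Pkt("tcp", "10.0.0.5", 40000, "10.0.0.1", 22, "in", "dc0", syn=True),
       Pkt("tcp", "10.0.0.1", 22, "10.0.0.5", 40000, "out", "dc0", syn=True, ack=True))
# Flow B: an inside host queries an outside resolver.  natd's rewrite is ignored; every
# rule that can fire on these packets says 'any to any', so addresses do not decide it.
Q, A = ("udp", "10.0.0.5", 5353, "198.51.100.53", 53), ("udp", "198.51.100.53", 53, "10.0.0.5", 5353)
DNS = (Pkt(*Q, "in", "dc0"), Pkt(*Q, "out", "xl0"), Pkt(*A, "in", "xl0"), Pkt(*A, "out", "dc0"))

def trace(packets, rules=RULES):
    """Run one flow through a fresh firewall; returns (verdict, rule) for each packet."""
    fw = Firewall(rules)
    return tuple(fw.walk(p) for p in packets)

def with_keep_state_on_200():   # candidate fix, this example's assumption, not advice from the thread
    return [Rule(200, "allow", direction="in", via="dc0", keep_state=True) if r.num == 200 else r
            for r in RULES]

if __name__ == "__main__":
    print("ssh to gateway, as posted:", trace(SSH))              # SYN-ACK denied by rule 410
    print("ssh to gateway, keep-state on 200:", trace(SSH, with_keep_state_on_200()))
    print("dns, as posted:", trace(DNS))                        # every packet rides on rule 32000
```

Running it shows the mechanism behind the symptom: the inside host's SYN is allowed by rule 200 without creating state, so the gateway's SYN-ACK finds nothing at check-state, is not "setup" (it carries ACK), and is the first packet that "deny tcp from any to any established" at 410 can match. With keep-state on 200 the SYN-ACK is picked up at 220 instead. The UDP flow only ever reaches 32000, because none of 300, 310 or 320 can match a UDP packet; drop 32000 and the query is denied by the default rule. Flows that cross natd on xl0 need the same kind of tracing with the address rewrite included, which this model does not do.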