From owner-freebsd-security Wed May 9 13:49:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id C69C737B423 for ; Wed, 9 May 2001 13:49:19 -0700 (PDT) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id OAA08327; Wed, 9 May 2001 14:49:19 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id OAA17987; Wed, 9 May 2001 14:49:18 -0600 (MDT) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15097.44366.138725.618271@nomad.yogotech.com>
Date: Wed, 9 May 2001 14:49:18 -0600 (MDT)
To: Michael Sharp
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: ipfw
In-Reply-To: <20010509200335.7680.cpmta@c000.sfo.cp.net>
References: <20010509200335.7680.cpmta@c000.sfo.cp.net>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ Try to wrap your lines at 80 chars. please ]

> If I do ipfw -f flush I still have rule 65535 deny ip from any to any

This is the default rule, and can't be removed.

> which allows NOTHING in or OUT.  I can add DENY chains all day, but I
> cannot add any ALLOW chains unless I put in rule 65000 allow ip from
> any to any but this goes at the very top and is the first chain
> processed ( which allows ANYTHING in ) even if there are DENY chains
> below it.

Not true.  Rules are processed in order, and if you don't give a rule
number I don't know the order that a rule is inserted on the list.
'ipfw list' should show you the process order though.

(BTW, what is this talk about 'ALLOW' and 'DENY' chains?  I think you're
mixing up the FreeBSD implementation with the Linux 'chains'
implementation.  FreeBSD's implementation is all rule based...)

> In /etc/rc.conf, I have firewall_enable="YES" and firewall_type="open"
> and still I cannot get rid of that pesky 65535 DENY everything rule
> that won't let me do anything unless I add " ipfw add allow ip from any
> to any " which allows everything despite ANY DENY chains.

If the 'allow/deny' *RULE* is processed before the other rule, then it
will take precedence.  IPFW processes rules in order from start until it
finds a match, and then finishes.  If a rule doesn't match, then the next
rule will be processed.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
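The first-match semantics Nate describes (rules evaluated in ascending rule-number order, stop at the first match, rule 65535 as the permanent default deny) can be modelled in a few lines. The following is an added example, not code from the thread or from FreeBSD's ipfw; it is a deliberately simplified simulator that matches only on source and destination address (real ipfw also matches protocol, ports, interfaces and more), and the addresses used are constructed test values. It shows why a `65000 allow ip from any to any` rule does not override a lower-numbered deny, and why flushing still leaves the default rule in place.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int   # ipfw rule number; lower numbers are evaluated first
    action: str   # "allow" or "deny"
    src: str      # "any" or a CIDR prefix
    dst: str      # "any" or a CIDR prefix


# Rule 65535 is always present and cannot be flushed or deleted.
DEFAULT_RULE = Rule(65535, "deny", "any", "any")


def address_matches(pattern: str, addr: str) -> bool:
    """True when addr falls inside pattern ('any' matches everything)."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


class SimulatedIpfw:
    """Toy first-match packet filter mimicking ipfw rule ordering (assumption:
    only src/dst addresses are matched; this is not the real ipfw engine)."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []

    def flush(self) -> None:
        # 'ipfw -f flush' removes every user rule but never the default rule.
        self.rules = []

    def add(self, number: int, action: str, src: str = "any", dst: str = "any") -> None:
        self.rules.append(Rule(number, action, src, dst))
        # Keep the list in evaluation order; the sort is stable, so rules that
        # share a number keep their insertion order.
        self.rules.sort(key=lambda r: r.number)

    def list_rules(self) -> list[Rule]:
        """Evaluation order as 'ipfw list' would show it, default rule last."""
        return [*self.rules, DEFAULT_RULE]

    def check(self, src: str, dst: str) -> tuple[int, str]:
        """Return (rule number, action) of the first rule that matches."""
        for rule in self.list_rules():
            if address_matches(rule.src, src) and address_matches(rule.dst, dst):
                return rule.number, rule.action
        raise RuntimeError("unreachable: the default rule matches everything")


def demo() -> dict[str, tuple[int, str]]:
    fw = SimulatedIpfw()
    fw.flush()
    results = {}
    # After a flush only 65535 remains, so everything is denied.
    results["after_flush"] = fw.check("192.0.2.10", "198.51.100.1")

    # The poster's rule: 65000 allow ip from any to any.
    fw.add(65000, "allow")
    results["allow_only"] = fw.check("192.0.2.10", "198.51.100.1")

    # A lower-numbered deny is evaluated first and wins for its traffic,
    # while unrelated traffic still reaches the allow rule at 65000.
    fw.add(100, "deny", src="10.0.0.0/8")
    results["denied_net"] = fw.check("10.1.2.3", "198.51.100.1")
    results["other_net"] = fw.check("192.0.2.10", "198.51.100.1")
    return results


if __name__ == "__main__":
    for name, (num, action) in demo().items():
        print(f"{name:12s} -> rule {num:5d} {action}")
```

Running it prints the rule that terminated evaluation for each packet, which is the same information `ipfw list` plus a mental walk through the rules would give: the deny at 100 catches 10.0.0.0/8 before rule 65000 is ever consulted, and with no user rules at all the packet falls through to 65535.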