From: "RazorOnFreeBSD" <yann.luppo@attglobal.net>
To: "Mark"
Date: Fri, 16 Apr 2004 18:15:14 +0200
Subject: Re: firewall rules error

Whatever the rules I'm using, I get this message when booting and starting ipfw:

    ipfw: bad arguments, for usage summary "ipfw"

except if I use the /etc/rc.firewall file, but that's another "I don't know why?": it doesn't work with the "SIMPLE" argument in /etc/rc.conf and modified with the right values. Do you think this message comes from the fwcmd="/sbin/ipfw" line? I also verified, because I was curious: the ipfw executable file of course exists in my /sbin directory....
> Read man ipfw and look at this:
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/rules.html
> for a basic pattern to follow.
> Until you get the basics down, keep it simple.
>
> ### basic rules, ipfw
> ## fxp0 lan helps you remember later what you are working with
> ## dc0 wan
> ## lo0 loop
> ############### first match rule applies #############
>
> # Define the firewall command (as in /etc/rc.firewall) for easy
> # reference. Helps to make it easier to read.
> fwcmd="/sbin/ipfw"
>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via dc0
>
> # Allow all data from my network card and localhost.
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via fxp0
>
> # Allow all connections that I initiate.
> $fwcmd add allow tcp from any to any out xmit dc0 setup
>
> # Once connections are made, allow them to stay open.
> $fwcmd add allow tcp from any to any via dc0 established
>
> # RESET ident packets.
> #$fwcmd add reset log tcp from any to any 113 in recv dc0
>
> # Allow outgoing DNS queries ONLY to the specified servers.
> $fwcmd add allow udp from any to x.x.x.x 53 out xmit dc0
>
> # Allow them back in with the answer
> $fwcmd add allow udp from x.x.x.x 53 to any in recv dc0
>
> # Allow ICMP (for ping and traceroute to work). You may wish to
> # disallow this, but I feel it suits my needs to keep them in.
> $fwcmd add allow icmp from any to any
>
> # Deny all the rest.
> $fwcmd add deny log ip from any to any
> ######################################## end of rules
>
> On Fri, Apr 16, 2004 at 10:51:05AM +0200, RazorOnFreeBSD wrote:
> > Hi everyone,
> >
> > I'm trying to write my own rules for ipfw under 4.9 STABLE.
> > But every time I try to use the file with my rules .... my network is totally blocked and the "ipfw show" command returns:
> >
> > 65535 38 2311 deny ip from any to any
> >
> > I think there's a problem in my rules file and the system replaces my rules with this one, but I can't figure out what the problem is; my rules file is really short compared to what I saw sometimes on the Internet:
> >
> > --------------------------------------------------------------------------
> > fwcmd="/sbin/ipfw"
> > oif="dc0"
> > iif="dc1"
> >
> > ${fwcmd} -f flush
> > ${fwcmd} add check-state
> >
> > ${fwcmd} add deny ip from any to any in via $oif verrevpath
> >
> > add 050 divert natd all from any to any via $oif
> > add 100 pass all from any to any via lo0
> > add 200 deny all from any to 127.0.0.0/8
> > add 300 deny ip from 127.0.0.0/8 to any
> >
> > ${fwcmd} add allow ip from me to any via $oif keep-state
> >
> > ${fwcmd} add allow icmp from any to any via $oif icmptypes 0,3,11,12
> >
> > ${fwcmd} add allow tcp from any to me dst-port 22 in via $iif setup keep-state
> >
> > ${fwcmd} add deny log ip from any to any
> > --------------------------------------------------------------------------
> >
> > Can anybody tell me what's wrong?
> >
> > Thanks.
> >
> > razor.
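Added example, not code from the thread or from FreeBSD: a small POSIX sh linter for a rules script of the kind both listings above use. It flags rule lines that begin with a bare `add` instead of `${fwcmd} add` (the shape several lines in the second listing have), and the sample file it checks is constructed here to mirror that listing; `lint_ipfw_rules` and `make_sample` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Lints an ipfw rules script of the
# kind shown above: the script runs "${fwcmd} -f flush" first, so any rule line
# that fails afterwards leaves only the default rule 65535 (deny ip from any
# to any), which is exactly what "ipfw show" printed for the original poster.

# lint_ipfw_rules FILE
# Prints the number of offending lines on stdout, details on stderr, and
# returns 1 if any rule line starts with a bare "add" (no ${fwcmd} in front).
lint_ipfw_rules() {
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed=${line#"${line%%[! ]*}"}        # strip leading blanks
        case "$trimmed" in
            add|add\ *)
                # sh would try to run a command named "add" and fail
                echo "line $n: missing \${fwcmd} prefix: $trimmed" >&2
                bad=$((bad + 1)) ;;
        esac
    done < "$1"
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Constructed sample with the same mix of prefixed and bare lines as the
# original poster's file (abbreviated).
make_sample() {
    cat > "$1" <<'EOF'
fwcmd="/sbin/ipfw"
oif="dc0"
${fwcmd} -f flush
${fwcmd} add check-state
add 050 divert natd all from any to any via $oif
add 100 pass all from any to any via lo0
${fwcmd} add allow ip from me to any via $oif keep-state
${fwcmd} add deny log ip from any to any
EOF
}

# Stand-alone run: lint the sample before anything is loaded into the kernel.
tmp=$(mktemp)
make_sample "$tmp"
if bad=$(lint_ipfw_rules "$tmp"); then
    echo "ok: every rule is prefixed"
else
    echo "$bad rule line(s) lack \${fwcmd}; fix them before loading"
fi
rm -f "$tmp"
```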