From: Duane Winner
Date: Fri, 04 Feb 2005 15:02:04 -0500
To: Roberto Nunnari
cc: freebsd-security@freebsd.org
Subject: Re: need ipfw clarification

Thanks Roberto,

Just to make sure I understand though, I only need to be concerned with
"forwarding" and "forward rules" if I'm setting up a multi-homed host
(i.e., router), is this correct?

If I'm just using ipfw for single-host based firewall protection, then
forwarding doesn't apply, right?

Thanks again,
Duane

Roberto Nunnari wrote:
> Hi Duane.
>
> I had the same problem.. With 5.2.1 I had working forward rules
> and that were broken with 5.3
>
> after some fiddling I managed to have that work again.. just
> add them to your kernel:
>
> options IPFIREWALL
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_FORWARD
>
> if you don't add them to your kernel, forwarding in ipfw will
> be disabled.
>
> Ciao.
>
>
> Duane Winner wrote:
>
>> Hello,
>>
>> I noticed that after enabling firewall in my kernel (5.3-release), my
>> dmesg now gives me this:
>>
>> ipfw2 initialized, divert disabled, rule-based forwarding disabled,
>> default to accept, logging limited to 5 packets/entry by default
>>
>>
>> On 5.2.1, I used to get this:
>>
>> ipfw2 initialized, divert disabled, rule-based forwarding enabled,
>> default to accept, logging disabled
>>
>> In both cases, I am adding this to my KERNEL config:
>>
>> options IPFIREWALL
>> options IPFIREWALL_DEFAULT_TO_ACCEPT
>>
>>
>> It seems that the major difference between 5.2.1 and 5.3 is that now
>> rule-based forwarding is disabled.
>>
>> Is this correct? And what exactly is rule-based forwarding? I'm
>> guessing that it doesn't really apply to my situation, as in these
>> cases, I am using IPFW to create a deny all inbound to my laptop when
>> I'm on the road. But I just want to make sure.
>>
>> Thanks,
>> DW