Date: Fri, 23 May 2003 13:48:36 -0400
From: "Bob Hall" <rjhalljr@starpower.net>
To: freebsd-questions@freebsd.org
Subject: FBSD 4.8 & CLIENT firewall
Message-ID: <20030523174836.GA700@sten.alder.net>
I've just completed an upgrade from FBSD 4.4 to 4.8. I've got a cable connection to my ISP and therefore want a firewall that provides some protection. Since I'm not providing any services on the Internet, I'm using CLIENT (ipfw) instead of SIMPLE. However, if I choose anything except OPEN, I can't even ping on the LAN. I haven't modified rc.firewall except to enter info on the LAN, so the firewall script has the default rules. I don't see anything in the rules that suggests a problem to me. Can someone point me toward the cause of the problem?

Relevant config info:

uname -a
#############################################
FreeBSD sten.alder.net 4.8-STABLE FreeBSD 4.8-STABLE #0: Fri May 23 01:30:50 EDT 2003     root@sten.alder.net:/usr/src/sys/compile/STEN0  i386

config
#############################################
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::2a0:c9ff:fe72:e2df%fxp0 prefixlen 64 scopeid 0x1
        ether 00:a0:c9:72:e2:df
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::240:5ff:fe80:444b%rl0 prefixlen 64 scopeid 0x2
        inet XX.XX.XX.XX netmask 0xfffff000 broadcast 68.100.111.255
        ether 00:40:05:80:44:4b
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000

ipfw
#############################################
00050 0 0 divert 8668 ip from any to any via rl0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow ip from 192.168.0.1 to 192.168.0.0/24
00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.1
00600 0 0 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 192.168.0.1 25 setup
00900 0 0 allow tcp from 192.168.0.1 to any setup
01000 0 0 deny tcp from any to any setup
01100 0 0 allow udp from 192.168.0.1 to any 53 keep-state
01200 0 0 allow udp from 192.168.0.1 to any 123 keep-state
65535 1 328 deny ip from any to any

rc.conf
#############################################
gateway_enable="YES"
hostname="sten.alder.net"
#------------------
# Network interfaces
defaultrouter="192.168.0.1"
network_interfaces="rl0 fxp0 lo0"
ifconfig_rl0="DHCP"
ifconfig_fxp0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_lo0="127.0.0.1"
#-------------------
# NAT
natd_enable="YES"
natd_interface="rl0"
natd_flags="-dynamic"
# Firewall
#------------------
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="CLIENT"
#-------------------
# Security
kern_securelevel_enable="NO"
#------------------
# DNS
named_enable="YES"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030523174836.GA700>
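Added example, not part of Bob's post and not FreeBSD's own tooling: a small sh script that triages an ipfw ruleset from the packet counters `ipfw -a list` prints ("<rule> <packets> <bytes> <rule body>"). The working method on a live box is to zero the counters, reproduce the failure (a ping on the LAN), and list again: the rules whose counters moved are the ones that decided the packet's fate, and if only rule 65535 moved, no explicit rule claimed the packet at all. The sample text below is constructed from the listing quoted in the post; the function names and the probe address 192.168.0.2 are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post or from FreeBSD): find the
# ipfw rules that actually matched traffic, using the per-rule packet
# counters that `ipfw -a list` prints. On a live FreeBSD box, the sequence is
#
#     ipfw zero; ping -c 1 192.168.0.2; ipfw -a list | hit_rules
#
# Here it runs against constructed sample text so it works offline.

# hit_rules: read `ipfw -a list` output on stdin and print every rule whose
# packet counter is nonzero, as
#   "<number> matched <packets> packet(s), <bytes> byte(s): <rule body>".
hit_rules() {
    awk '$2 + 0 > 0 {
        printf "%s matched %s packet(s), %s byte(s): ", $1, $2, $3
        for (i = 4; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
    }'
}

# only_default_deny_hit: exit 0 when the only rule that saw traffic is the
# implicit final deny (rule 65535), i.e. nothing in the explicit ruleset
# allowed or denied the probe; exit 1 otherwise.
only_default_deny_hit() {
    awk 'BEGIN { hits = 0; catchall = 0 }
         $2 + 0 > 0 { hits++; if ($1 == "65535") catchall = 1 }
         END { if (hits == 1 && catchall == 1) exit 0; exit 1 }'
}

# Constructed sample: the `ipfw -a list` output quoted in the post, where one
# packet (328 bytes) landed on rule 65535 and no other rule matched.
SAMPLE_LIST='00050 0 0 divert 8668 ip from any to any via rl0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow ip from 192.168.0.1 to 192.168.0.0/24
00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.1
00600 0 0 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 192.168.0.1 25 setup
00900 0 0 allow tcp from 192.168.0.1 to any setup
01000 0 0 deny tcp from any to any setup
01100 0 0 allow udp from 192.168.0.1 to any 53 keep-state
01200 0 0 allow udp from 192.168.0.1 to any 123 keep-state
65535 1 328 deny ip from any to any'

printf '%s\n' "$SAMPLE_LIST" | hit_rules
if printf '%s\n' "$SAMPLE_LIST" | only_default_deny_hit; then
    echo "only the default deny matched: no explicit rule claimed the probe"
fi
```

The counters are the cheapest way to see which rule a packet fell through to; when a rule body looks right but its counter stays at zero while 65535 climbs, the packet never matched that rule's protocol, address or interface terms, and that is where to look next.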