From owner-freebsd-questions@FreeBSD.ORG Fri May 23 10:51:13 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89DD137B401 for ; Fri, 23 May 2003 10:51:13 -0700 (PDT)
Received: from smtp02.mrf.mail.rcn.net (smtp02.mrf.mail.rcn.net [207.172.4.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id E175E43F3F for ; Fri, 23 May 2003 10:51:12 -0700 (PDT) (envelope-from rjhalljr@starpower.net)
Received: from 66-44-66-80.s80.tnt7.lnhva.md.dialup.rcn.com ([66.44.66.80] helo=sten.alder.net) by smtp02.mrf.mail.rcn.net with smtp (Exim 3.35 #4) id 19JGhB-0007cX-00 for freebsd-questions@freebsd.org; Fri, 23 May 2003 13:51:10 -0400
Received: by sten.alder.net (sSMTP sendmail emulation); Fri, 23 May 2003 13:48:36 -0400
Date: Fri, 23 May 2003 13:48:36 -0400
From: "Bob Hall"
To: freebsd-questions@freebsd.org
Message-ID: <20030523174836.GA700@sten.alder.net>
Mail-Followup-To: Bob Hall , freebsd-questions@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Subject: FBSD 4.8 & CLIENT firewall
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 23 May 2003 17:51:13 -0000

I've just completed an upgrade from FBSD 4.4 to 4.8. I've got a cable
connection to my ISP and therefore want a firewall that provides some
protection. Since I'm not providing any services on the Internet, I'm
using CLIENT (ipfw) instead of SIMPLE. However, if I choose anything
except OPEN, I can't even ping on the LAN. I haven't modified
rc.firewall except to enter info on the LAN, so the firewall script has
the default rules. I don't see anything in the rules that suggests a
problem to me. Can someone point me toward the cause of the problem?
Relevant config info:

uname -a
#############################################
FreeBSD sten.alder.net 4.8-STABLE FreeBSD 4.8-STABLE #0: Fri May 23 01:30:50 EDT 2003     root@sten.alder.net:/usr/src/sys/compile/STEN0  i386

config
#############################################
fxp0: flags=8843 mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::2a0:c9ff:fe72:e2df%fxp0 prefixlen 64 scopeid 0x1
        ether 00:a0:c9:72:e2:df
        media: Ethernet autoselect (100baseTX )
        status: active
rl0: flags=8843 mtu 1500
        inet6 fe80::240:5ff:fe80:444b%rl0 prefixlen 64 scopeid 0x2
        inet XX.XX.XX.XX netmask 0xfffff000 broadcast 68.100.111.255
        ether 00:40:05:80:44:4b
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000

ipfw
#############################################
00050 0 0 divert 8668 ip from any to any via rl0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow ip from 192.168.0.1 to 192.168.0.0/24
00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.1
00600 0 0 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 192.168.0.1 25 setup
00900 0 0 allow tcp from 192.168.0.1 to any setup
01000 0 0 deny tcp from any to any setup
01100 0 0 allow udp from 192.168.0.1 to any 53 keep-state
01200 0 0 allow udp from 192.168.0.1 to any 123 keep-state
65535 1 328 deny ip from any to any

rc.conf
#############################################
gateway_enable="YES"
hostname="sten.alder.net"
#------------------
# Network interfaces
defaultrouter="192.168.0.1"
network_interfaces="rl0 fxp0 lo0"
ifconfig_rl0="DHCP"
ifconfig_fxp0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_lo0="127.0.0.1"
#-------------------
# NAT
natd_enable="YES"
natd_interface="rl0"
natd_flags="-dynamic"
# Firewall
#------------------
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="CLIENT"
#-------------------
# Security
kern_securelevel_enable="NO"
#------------------
# DNS
named_enable="YES"
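The ruleset in the listing above can be checked mechanically. What follows is an added example, not part of Bob Hall's message and not FreeBSD's own rc.firewall code: a small Python first-match evaluator for the `ipfw show` output quoted above. It models only the ipfw keywords that occur in that listing (protocol, address, port, via, setup, established, frag) and simplifies the rest: `divert` is treated as "natd hands the packet back and processing resumes at the next rule" without modelling natd's address rewrite, and `keep-state` as a plain static match for the first packet. The sample traffic is constructed: 192.168.0.5 is assumed to be a LAN host, 198.51.100.7 an Internet host, and 203.0.113.10 a stand-in for the rl0 address masked as XX.XX.XX.XX in the message.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# The `ipfw show` listing from the message above, verbatim. Each line is the
# rule number, the packet counter, the byte counter, then the rule body.
IPFW_SHOW = """\
00050 0 0 divert 8668 ip from any to any via rl0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow ip from 192.168.0.1 to 192.168.0.0/24
00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.1
00600 0 0 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 192.168.0.1 25 setup
00900 0 0 allow tcp from 192.168.0.1 to any setup
01000 0 0 deny tcp from any to any setup
01100 0 0 allow udp from 192.168.0.1 to any 53 keep-state
01200 0 0 allow udp from 192.168.0.1 to any 123 keep-state
65535 1 328 deny ip from any to any
"""

Net = Optional[ipaddress.IPv4Network]   # None stands for "any"


@dataclass
class Packet:
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None
    iface: str = "fxp0"         # interface the packet is seen on ("via")
    syn: bool = False           # TCP flags, meaningful only for proto "tcp"
    ack: bool = False
    rst: bool = False
    frag: bool = False          # non-first IP fragment


@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny" or "divert"
    proto: str                  # "ip" matches every protocol
    src: Net
    dst: Net
    dport: Optional[int]
    opts: Dict[str, Union[bool, str]]   # e.g. {"setup": True} or {"via": "rl0"}


def parse_addr(tok: str) -> Net:
    # A bare host address becomes a /32 network; "any" becomes None.
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    toks = line.split()
    number = int(toks[0])
    body = toks[3:]                         # drop the two counters
    action = body.pop(0)
    if action == "divert":
        body.pop(0)                         # divert port; irrelevant to matching
    proto = body.pop(0)
    assert body.pop(0) == "from"
    src = parse_addr(body.pop(0))
    assert body.pop(0) == "to"
    dst = parse_addr(body.pop(0))
    dport = int(body.pop(0)) if body and body[0].isdigit() else None
    opts: Dict[str, Union[bool, str]] = {}  # keep-state is recorded but not acted on
    while body:
        tok = body.pop(0)
        opts[tok] = body.pop(0) if tok == "via" else True
    return Rule(number, action, proto, src, dst, dport, opts)


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if "via" in rule.opts and rule.opts["via"] != pkt.iface:
        return False
    # "setup": TCP with SYN set and ACK clear. "established": TCP with RST or ACK set.
    if "setup" in rule.opts and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if "established" in rule.opts and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    if "frag" in rule.opts and not pkt.frag:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first allow/deny rule the packet hits."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            # Simplification: natd returns the packet and ipfw resumes at the
            # next rule; the source-address rewrite natd performs is not modelled.
            continue
        return rule.number, rule.action
    raise AssertionError("an ipfw ruleset always ends in rule 65535")


RULES = parse_ruleset(IPFW_SHOW)

if __name__ == "__main__":
    # Constructed sample traffic (see the lead-in for what each address stands for).
    cases = {
        "echo request, 192.168.0.1 -> LAN host":          Packet("icmp", "192.168.0.1", "192.168.0.5"),
        "echo request, LAN host -> 192.168.0.1":          Packet("icmp", "192.168.0.5", "192.168.0.1"),
        "echo request, LAN host -> Internet (in, fxp0)":  Packet("icmp", "192.168.0.5", "198.51.100.7"),
        "TCP SYN, LAN host -> Internet port 80":          Packet("tcp", "192.168.0.5", "198.51.100.7", 80, syn=True),
        "DNS query, rl0 address -> Internet (out, rl0)":  Packet("udp", "203.0.113.10", "198.51.100.7", 53, iface="rl0"),
    }
    for label, pkt in cases.items():
        num, action = first_match(RULES, pkt)
        print(f"{label:48s} -> rule {num:5d} {action}")
```

Run as a script it prints which rule each sample packet stops at. Echo requests between 192.168.0.1 and a LAN host land on rules 400 and 500, but an echo request from a LAN host to the Internet, a LAN host's TCP connection attempt, and a DNS query whose source is the rl0 address all fall past the allow rules (which name only 192.168.0.1, or require established TCP or fragments) to rule 1000 or 65535. Whichever ping was tried, the CLIENT rules as filled in here cover traffic to and from the single address 192.168.0.1; they contain no rule for ICMP from anywhere else, nor for other LAN hosts' traffic passing through the gateway. Note that the real ipfw checks a forwarded packet on both the interface it enters and the one it leaves; the evaluator performs a single pass with the interface given in the Packet.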