From owner-freebsd-questions@FreeBSD.ORG Fri Nov 21 11:24:53 2003
Date: Fri, 21 Nov 2003 20:24:49 +0100
From: Alex de Kruijff
To: Chip
cc: FreeBSD Questions List
Subject: Re: firewall rules do not get read
Message-id: <20031121192449.GB2898@dds.nl>
In-reply-to: <3FBD59FD.2020604@wiegand.org>
References: <3FBC535A.6020904@wiegand.org> <20031120140340.GA505@dds.nl> <3FBD59FD.2020604@wiegand.org>

On Thu, Nov 20, 2003 at 04:19:09PM -0800, Chip wrote:
> Alex de Kruijff wrote:
> >On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
> >>I noticed my firewall rules are not being read. I have rc.conf set to
> >>read the file rc.firewall. In rc.firewall the first line is add divert
> >>natd etc etc. that is followed by pass all from any to any etc etc. Then
> >>nothing after that is read, it is all ignored.
> >>If I comment out the line pass all from any to any then nothing works to
> >>access the internet.
> >>I don't know what to do to make it read past those first two lines.
> >>Any suggestions?
> >
> >Can you give me the output of 'ipfw s'. If that one doesn't work then
> >try 'ipfw l'?
>
> No problem, below are the results of the two commands. Question - do I
> have to use rc.firewall?

No, you can create your own configuration file for ipfw. You need these
two lines in rc.conf:

firewall_enable="YES"
firewall_type="/etc/firewall.conf"

The configuration file looks something like:

add divert natd ip from any to any via xl1
add allow ip from any to any

> Or is it just a generic ruleset that can be
> replaced by a custom ruleset, as I have done (called firewall.rules
> pasted in below)?

It's possible to place your own ruleset in the default script, but I
would advise *not* to do this, because when you update, this file can be
overridden in the process.

> here is ipfw s results -
>
> 00100 1571924 1218317046 divert 8668 ip from any to any via xl1
> 00200 3144909 2436915536 allow ip from any to any
> 00300 0 0 divert 8668 ip from any to any via xl1
> 00400 0 0 allow ip from any to any
> 00500 0 0 divert 8668 ip from any to any via xl1
> 65535 0 0 deny ip from any to any

The result of rc.firewall can be seen with ipfw l and ipfw s (show). The
latter gives the same information as ipfw l (list). The two values are
the number of packets and the number of bytes that applied to a rule.

A couple of comments:

1. Here you have three rules with divert natd. Normally you want a packet
   to pass natd only one time.
2. Rule 200 is to allow everything, so the others aren't looked at.
3. This firewall allows every packet to pass.

You may like to have a look at my home page. I have an article about how
to set up a firewall that may prove to be useful to you.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
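The two problems Alex points out (several divert-to-natd rules, and a catch-all "allow ip from any to any" that hides every later rule) can be checked mechanically from `ipfw show` output. The script below is an added example, not code from the thread or from FreeBSD; the `ipfw_lint` function and the `SAMPLE_RULES` text are constructed here, with the sample mirroring the ruleset quoted above.

```shell
#!/bin/sh
# Constructed sample in the shape of 'ipfw show' output:
#   <rule> <packets> <bytes> <action> <body...>
# It mirrors the ruleset quoted in the thread (counters are illustrative).
SAMPLE_RULES='00100 1571924 1218317046 divert 8668 ip from any to any via xl1
00200 3144909 2436915536 allow ip from any to any
00300 0 0 divert 8668 ip from any to any via xl1
00400 0 0 allow ip from any to any
00500 0 0 divert 8668 ip from any to any via xl1
65535 0 0 deny ip from any to any'

# ipfw_lint: read 'ipfw show' output on stdin, print one line per finding.
# Findings: more than one divert rule (a packet should normally hit natd
# once), and every rule after an unconditional "allow ip from any to any",
# which ipfw never evaluates because the catch-all matched first.
ipfw_lint() {
    awk '
    {
        rule = $1 + 0
        # rebuild the rule text without the packet/byte counters
        body = ""
        for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
        if (body ~ /^divert /) ndivert++
        # rule 65535 is the implicit default rule, not part of the config
        if (catchall != "" && rule != 65535)
            printf "unreachable: rule %s (%s) sits after catch-all rule %s\n", $1, body, catchall
        if (catchall == "" && body == "allow ip from any to any")
            catchall = $1
    }
    END {
        if (ndivert > 1)
            printf "divert: %d divert rules; packets normally pass natd once\n", ndivert
        if (catchall != "")
            printf "catchall: rule %s allows every packet, later rules are never consulted\n", catchall
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | ipfw_lint
```

On a live FreeBSD box the same check is `ipfw show | ipfw_lint`; an empty output means no catch-all and at most one divert rule.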