Date: Fri, 19 Jul 2002 00:05:50 -0500
From: "David Merriman" <merriman@1s.net>
To: <freebsd-questions@freebsd.org>
Subject: RE: ppp Firewall - can't telnet/ftp from intranet
Message-ID: <000001c22ee1$f5353760$0190a8c0@alpha>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGMENGCFAA.barbish@a1poweruser.com>
> -----Original Message-----
> From: Joe & Fhe Barbish [mailto:barbish@a1poweruser.com]
> Sent: Thursday, July 18, 2002 8:00 PM
> To: David Merriman
> Subject: RE: ppp Firewall - can't telnet/ftp from intranet
>
>
> Your rc.conf shows you are using both natd and ppp nat. You
> can only use one of those to do the nat function. You do not have
> ipfw natd enabled in your kernel, so make the following changes.
>
> Remove these statements from the ipfw rule set.
> $fwcmd add divert natd all from any to any via tun0
> $fwcmd add allow ip from any to any via tun0

Did this.

> change
> $fwcmd add allow tcp from any to any 80 setup
> $fwcmd add allow tcp from any to any 22 setup
> to
> $fwcmd add allow tcp from any to any 80 in via tun0 setup
> $fwcmd add allow tcp from any to any 22 in via tun0 setup

and this.

> In the following rule dc0 must be your Nic card to your lan.
> If not, change to the correct Nic device name.
> $fwcmd add allow ip from any to any via dc0

It was already there :-)

> Remove all rc.conf natd options,
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-dynamic"

Did this, too. Looking at dmesg.today, I'm seeing the notation:

Firewall rules loaded, starting divert daemons: natd

FWIW, I have gateway_enabled="ON", as well as inetd_enabled="ON".

> Change ppp_profile="fwrules" to ppp_profile=

Tried this, as well.

> fwrules:
> # Firewall rules
> # Written by Marc Silver (marcs@draenor.org)
> # http://draenor.org/ipfw
> # Freely distributable
>
>
> # Define the firewall command (as in /etc/rc.firewall) for easy
> # reference. Helps to make it easier to read.
> fwcmd="/sbin/ipfw"
>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via tun0
>
> # Allow all data from my network card and localhost. Make sure you
> # change your network card (mine was fxp0) before you reboot. :)
> $fwcmd add allow ip from any to any via tun0
> $fwcmd add allow ip from any to any via dc0
>
> # Allow all connections that I initiate.
> $fwcmd add allow tcp from any to any out xmit tun0 setup
>
> # Once connections are made, allow them to stay open.
> $fwcmd add allow tcp from any to any via tun0 established
>
> # Everyone on the internet is allowed to connect to the following
> # services on the machine. This example specifically allows connections
> # to ssh and apache.
> $fwcmd add allow tcp from any to any 80 setup
> $fwcmd add allow tcp from any to any 22 setup
>
> # This sends a RESET to all ident packets.
> $fwcmd add reset log tcp from any to any 113 in recv tun0
>
> # Allow outgoing DNS queries ONLY to the specified servers.
> $fwcmd add allow udp from any to 206.104.144.4 53 out xmit tun0
> $fwcmd add allow udp from any to 206.104.144.3 53 out xmit tun0
>
> # Allow them back in with the answers... :)
> $fwcmd add allow udp from 206.104.144.4 53 to any in recv tun0
> $fwcmd add allow udp from 206.104.144.3 53 to any in recv tun0
>
> # Allow ICMP (for ping and traceroute to work). You may wish to
> # disallow this, but I feel it suits my needs to keep them in.
> $fwcmd add allow icmp from any to any
>
> # Deny all the rest.
> $fwcmd add deny log ip from any to any
>
> I've also compiled the following into the kernel
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100

I've taken out the IPFIREWALL stuff from the kernel while trying to troubleshoot the problem.

> My system is dialing out on demand, I can FTP and all that from my BSD
> box (daemon). Since getting ppp working with the above, I've lost the
> ability to telnet or ftp into the BSD box from my intranet.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
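A small lint, added here as an example and not part of the thread, that checks an rc.conf and fwrules pair for the three conflicts Joe's reply points out: natd and ppp nat both enabled, a divert natd rule left in while natd is disabled, and service rules not scoped to the external interface with "in via tun0". The sample files are constructed, and the ppp_nat variable name is an assumption.

```python
import re

# Constructed sample inputs modelled on the thread; not the poster's actual files.
RC_CONF = """\
gateway_enable="YES"
ppp_enable="YES"
ppp_nat="YES"
natd_enable="YES"
natd_interface="tun0"
"""

FWRULES = """\
fwcmd="/sbin/ipfw"
$fwcmd -f flush
$fwcmd add divert natd all from any to any via tun0
$fwcmd add allow ip from any to any via tun0
$fwcmd add allow ip from any to any via dc0
$fwcmd add allow tcp from any to any out xmit tun0 setup
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 in via tun0 setup
$fwcmd add deny log ip from any to any
"""

def rc_vars(text):
    """Parse KEY="VALUE" lines of an rc.conf into a dict; comments and blanks are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"#]*)"?', line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def lint(rc_conf, fwrules):
    """Return a list of findings (strings) for the conflicts discussed in the thread."""
    rc = rc_vars(rc_conf)
    rules = re.findall(r"^\$fwcmd add (.+)$", fwrules, re.M)
    natd = rc.get("natd_enable", "").upper() == "YES"
    ppp_nat = rc.get("ppp_nat", "").upper() == "YES"  # ppp_nat is an assumed rc.conf knob
    findings = []
    if natd and ppp_nat:
        findings.append("both natd and ppp nat are enabled; only one may do NAT")
    for r in rules:
        if r.startswith("divert natd") and not natd:
            findings.append("divert natd rule without natd_enable=YES: " + r)
        # "allow tcp from any to any <port> setup" with no interface clause is open on
        # every interface, LAN side included; the reply scopes it with "in via tun0"
        if re.fullmatch(r"allow tcp from any to any \d+ setup", r):
            findings.append("service rule not scoped to the external interface: " + r)
    return findings

if __name__ == "__main__":
    for f in lint(RC_CONF, FWRULES):
        print(f)
```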