From owner-freebsd-questions@FreeBSD.ORG Fri Nov 21 15:56:06 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A1C2A16A4CE
	for ; Fri, 21 Nov 2003 15:56:06 -0800 (PST)
Received: from lakemtao05.cox.net (lakemtao05.cox.net [68.1.17.116])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2A3CC43FEC
	for ; Fri, 21 Nov 2003 15:56:05 -0800 (PST)
	(envelope-from micheal@tsgincorporated.com)
Received: from dredster ([68.12.79.37])
	by lakemtao05.cox.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824)
	with SMTP id <20031121235605.YPST29834.lakemtao05.cox.net@dredster>;
	Fri, 21 Nov 2003 18:56:05 -0500
Message-ID: <04ec01c3b08b$1ceaabb0$0201a8c0@dredster>
From: "Micheal Patterson"
To: "Alex de Kruijff", "Chip"
References: <3FBC535A.6020904@wiegand.org> <20031120140340.GA505@dds.nl>
	<3FBD59FD.2020604@wiegand.org> <20031121192449.GB2898@dds.nl>
Date: Fri, 21 Nov 2003 17:49:44 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
cc: FreeBSD Questions List
Subject: Re: firewall rules do not get read
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 21 Nov 2003 23:56:06 -0000

----- Original Message -----
From: "Alex de Kruijff"
To: "Chip"
Cc: "FreeBSD Questions List"
Sent: Friday, November 21, 2003 1:24 PM
Subject: Re: firewall rules do not get read

> On Thu, Nov 20, 2003 at 04:19:09PM -0800, Chip wrote:
> >
> > Alex de Kruijff wrote:
> >
> > > On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
> > >
> > > > I noticed my firewall rules are not being read. I have rc.conf set to
> > > > read the file rc.firewall. In rc.firewall the first line is add divert
> > > > natd etc etc. that is followed by pass all from any to any etc etc. Then
> > > > nothing after that is read, it is all ignored.
> > > > If I comment out the line pass all from any to any then nothing works to
> > > > access the internet.
> > > > I don't know what to do to make it read past those first two lines.
> > > > Any suggestions?
> > >
> > > Can you give me the output of 'ipfw s'. If that one doesn't work then
> > > try 'ipfw l'?
> >
> > No problem, below are the results of the two commands. Question - do I
> > have to use rc.firewall?
>
> No, you can create your own configuration file for ipfw. You need these
> two lines in rc.conf:
>
> firewall_enable="YES"
> firewall_type="/etc/firewall.conf"
>
> The configuration file looks something like:
>
> add divert natd ip from any to any via xl1
> add allow ip from any to any
>
> > Or is it just a generic ruleset that can be
> > replaced by a custom ruleset, as I have done (called firewall.rules
> > pasted in below)?
>
> It's possible to place your own ruleset in the default script, but I would
> advise *not* to do this, because when you update, this file can be
> overridden in the process.

It is also possible to simply create an ipfw.sh script in
/usr/local/etc/rc.d and add all of your rules to that script.

ipfw.sh:

#!/bin/sh
ipfw -f flush                # -f: flush without asking for confirmation
# NATD rules here
ipfw add 3 divert natd all from any to any via xl1
# etc..

I've used both rc.conf and this method but I prefer to number my rule
sets so that I can easily tell which one is causing an issue should I
inadvertently block traffic that needs to get through. To my knowledge,
either method works well, it's just that what I do is generally not
mentioned. :)

--
Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600
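Added example, not code from the thread or from any of its posters: a self-contained ipfw.sh in the spirit of the /usr/local/etc/rc.d approach Micheal describes, with every rule numbered as he suggests, plus a small lint that catches the mistake that started the thread. ipfw is first-match: the first rule a packet matches decides its fate and no later rule is consulted, so Chip's "pass all from any to any" as rule 2 made everything after it unreachable (and commenting it out left only the divert rule and the default deny, hence no Internet access). The interface name xl1 comes from the thread; the LAN range, the rule numbers and the particular rules are my assumptions and should be adjusted to the host.

```sh
#!/bin/sh
# ipfw.sh (added example, not from the thread).  Numbered ipfw ruleset with a
# lint for the first-match pitfall.  EXT_IF comes from the thread; LAN_NET and
# the rules themselves are assumptions for illustration.

EXT_IF="xl1"               # assumption: external interface, as in the thread
LAN_NET="192.168.1.0/24"   # assumption: constructed private LAN range

# Emit the ruleset, one rule per line.  Numbers step by 100 so a rule can be
# inserted later without renumbering; `ipfw show` then reports per-rule packet
# counters, which is what makes a numbered set easy to debug when something
# is blocked unexpectedly.  No blanket allow: the final rule is a logged deny.
build_rules() {
    cat <<EOF
add 100 divert natd ip from any to any via ${EXT_IF}
add 200 check-state
add 300 allow ip from any to any via lo0
add 400 deny ip from any to 127.0.0.0/8
add 500 deny ip from 127.0.0.0/8 to any
add 600 allow tcp from ${LAN_NET} to any out via ${EXT_IF} setup keep-state
add 700 allow udp from ${LAN_NET} to any 53 out via ${EXT_IF} keep-state
add 800 allow icmp from any to any icmptypes 0,3,8,11
add 900 deny tcp from any to any in via ${EXT_IF} setup
add 65000 deny log ip from any to any
EOF
}

# Number of rules the generator emits.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Lint a ruleset read from stdin.  Rule numbers must strictly increase, and a
# blanket "allow|pass|accept ip|all from any to any" with no further qualifier
# may only be the last rule: first-match semantics make every rule after it
# dead, which is exactly the symptom reported at the top of the thread.
# Exit status 0 = clean, 1 = problems found (each one printed).
lint_rules() {
    awk '
        $1 != "add" { next }
        { n = $2 + 0 }
        n <= prev { print "rule " n " is not after rule " prev; bad = 1 }
        { prev = n }
        shadow    { print "rule " n " is unreachable: shadowed by blanket allow rule " shadow; bad = 1 }
        ($3 == "allow" || $3 == "pass" || $3 == "accept") &&
        ($4 == "ip" || $4 == "all") &&
        $5 == "from" && $6 == "any" && $7 == "to" && $8 == "any" && NF == 8 { shadow = n }
        END { exit bad + 0 }
    '
}

# Flush and load the ruleset with ipfw when it exists (FreeBSD); elsewhere
# just print what would be loaded so the script can be reviewed on any host.
apply_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -f flush                 # -f: do not ask for confirmation
        build_rules | while read -r rule; do
            # word splitting of $rule is intended: it becomes ipfw's arguments
            ipfw -q $rule
        done
    else
        echo "ipfw not found; ruleset that would be loaded:" >&2
        build_rules >&2
    fi
}

# Usage: sh ipfw.sh            -> print and lint the ruleset (default)
#        sh ipfw.sh start      -> flush and load it (rc.d style; needs ipfw)
case "${1:-lint}" in
    start|apply) apply_rules ;;
    *)           build_rules; build_rules | lint_rules ;;
esac
```

Run it with no arguments on any host to review and lint the set; install it as /usr/local/etc/rc.d/ipfw.sh on FreeBSD and the start argument loads it. Feeding Chip's original three-line ordering (divert, pass all from any to any, then more rules) through lint_rules reports every rule after the blanket pass as unreachable.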