From owner-freebsd-questions@FreeBSD.ORG Thu Apr 24 15:47:56 2003
Message-Id: <200304242247.h3OMlsPu044224@server1.shellworld.net>
From: "Tommy Forrest - KE4PYM"
To: "freebsd-questions@freebsd.org"
Date: Thu, 24 Apr 2003 18:48:08 -0400
X-Mailer: PMMail98 with Bandit Tagger98
Content-Type: text/plain; charset="iso-8859-1"
Subject: 4.8 Firewall timing out
List-Id: User questions

Hi all. Still having some issues with IPFW in 4.8. My main problem right now is the firewall times out ALL activity within 1-3 minutes of establishing a connection. I'm pretty happy with the rule base. I've got the connectivity I need. I just need that connectivity to stay alive. All stay-alive problems disappear with an ipfw add allow all from any to any. So I know it's not the network that's the problem.
IPDIVERT, IPFIREWALL, IPFIREWALL_VERBOSE, and IPFIREWALL_VERBOSE_LIMIT=100 are built into the kernel with default to deny. I'd been working with someone off the list who'd helped me quite a lot with these rules. But I guess they got too busy before they could finish helping me (which I can appreciate).

Rulebase follows.

#!/bin/sh

fw="/sbin/ipfw"
ifout='xl0'
ifin='xl1'

$fw -q -f flush

$fw add divert natd all from any to any via "${ifout}"

# loopback traffic
$fw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
$fw add deny all from any to 127.0.0.0/8
$fw add deny ip from 127.0.0.0/8 to any

# pass icmp or evil things can happen
$fw add allow icmp from any to any

# stateful rules follow
$fw add check-state

# inside interface isn't limited in any way
$fw add allow all from any to any via "${ifin}" keep-state

#------------------#
# outbound section #
#------------------#

# You might want to allow *any* sort of dns/ntp traffic, but the following
# seems to work fine if you increase net.inet.ip.fw.dyn_udp_lifetime a
# bit. Its default is too short for some slow links (like my dialup).
$fw add allow udp from any to any 53,123 keep-state

# Allow outgoing connections: ftp, ssh, telnet, mail, web, ntp and msn-chat.
$fw add allow tcp from any to any 21,22,23,25,80,110,123,443,1863,6667 out xmit "${ifout}" setup keep-state

# irc
$fw add allow tcp from any to any 6667,6668,7325,10000 out xmit "${ifout}" setup keep-state limit src-addr 4

#-----------------#
# inbound section #
#-----------------#

$fw add allow tcp from any to any 21,22,25 in recv "${ifout}" setup keep-state limit src-addr 4
$fw add allow tcp from any 20 to any 1024-49151 in recv "${ifout}" setup keep-state limit src-addr 4

# kazaa & msn file transfers
$fw add allow tcp from any to any 1214 in recv "${ifout}" setup keep-state
$fw add allow tcp from any to any 6891-6900 in recv "${ifout}" setup keep-state

# irc
$fw add allow tcp from any to any 6667,6668,7325,10000 in recv "${ifout}" setup keep-state limit src-addr 4

# fast reset of all auth/ident requests.
$fw add unreach port tcp from any to any 113 in recv "${ifout}" setup

Tommy Forrest - KE4PYM - tforrest@shellworld.net

My two cents: They call it "PMS" because "Mad Cow Disease" was already taken
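Every keep-state rule in the script above creates a dynamic rule that expires after one of the net.inet.ip.fw.dyn_*_lifetime timers, so when stateful connections die early the first thing to inspect is how those timers are set. The following is an added example, not code from the poster or from FreeBSD: a small sh script that reads `sysctl net.inet.ip.fw` output and reports each lifetime knob beside its compiled-in ipfw default, flagging values that were raised or lowered. The sample output embedded at the bottom is constructed so the script runs offline; on the firewall itself, pipe the real sysctl output into dyn_lifetime_report instead.

```shell
#!/bin/sh
# Added example (not part of the original post): compare the ipfw dynamic-rule
# lifetime sysctls with their compiled-in defaults so that an unusually short
# or long timer stands out. On a FreeBSD 4.x box run:
#     sysctl net.inet.ip.fw | dyn_lifetime_report

# ipfw defaults (seconds) for the net.inet.ip.fw.dyn_*_lifetime knobs.
default_for() {
    case "$1" in
        dyn_ack_lifetime)   echo 300 ;;  # established TCP; refreshed by each matching packet
        dyn_syn_lifetime)   echo 20  ;;  # TCP handshake not yet completed
        dyn_fin_lifetime)   echo 1   ;;  # after a FIN has been seen
        dyn_rst_lifetime)   echo 1   ;;  # after a RST has been seen
        dyn_udp_lifetime)   echo 10  ;;  # UDP (the knob the post mentions for DNS/NTP)
        dyn_short_lifetime) echo 5   ;;  # everything else
        *)                  echo ""  ;;
    esac
}

# Reads "net.inet.ip.fw.NAME: VALUE" lines on stdin and prints one line per
# lifetime knob in the form "NAME VALUE DEFAULT STATUS", where STATUS is
# "default", "raised" or "lowered". Lines that are not lifetime knobs are skipped.
dyn_lifetime_report() {
    while IFS=': ' read -r key value; do
        name=${key##net.inet.ip.fw.}
        case "$name" in
            dyn_*_lifetime) ;;
            *) continue ;;
        esac
        def=$(default_for "$name")
        [ -n "$def" ] || continue
        if [ "$value" -eq "$def" ]; then
            status=default
        elif [ "$value" -gt "$def" ]; then
            status=raised
        else
            status=lowered
        fi
        printf '%s %s %s %s\n' "$name" "$value" "$def" "$status"
    done
}

# Constructed sample in the shape `sysctl net.inet.ip.fw` prints; these are
# not values from the poster's machine.
SAMPLE_SYSCTL='net.inet.ip.fw.enable: 1
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 60
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1'

printf '%s\n' "$SAMPLE_SYSCTL" | dyn_lifetime_report
```

The report only tells you how long an idle dynamic rule survives; a rule that is still seeing traffic is refreshed on every matching packet, so an established TCP session should not expire at the ack lifetime unless the packets stop matching the state that was created for them. Reading the live dynamic rules with `ipfw -d show` while a connection is alive, and again just after it stalls, shows whether the state is still present and which rule created it, which is the evidence needed before changing any of these timers.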