From: Kris Kennaway
To: Simon Williams
Date: Thu, 16 Aug 2001 14:27:57 -0700
Subject: Re: LINT & IPFIREWALL options
Message-ID: <20010816142757.B79242@xor.obsecurity.org>
Sender: owner-freebsd-questions@FreeBSD.ORG

On Thu, Aug 16, 2001 at 09:55:14PM +0100, Simon Williams wrote:

> Now when I booted this kernel, it recognised the network card, but a
> ping returned "No route to host."

Because you haven't installed firewall rules, and the default
behaviour (with the options you included above) is to deny all
traffic. If you want to accept all traffic by default (less secure,
because packets will make it through your firewall at boot time before
the firewall rules are loaded), there's another kernel option to
enable that behaviour.

> From reading some past posts from this list, I saw that IPFilter is
> another (old?) firewall application. Does this mean those lines are for
> ipfilter instead of ipfw?

No, they're for ipfw. ipfilter isn't out of date -- it's just an
alternative packet filter package which has a slightly different
feature set.

> Now that I have a working kernel & firewall, I just wanted to know why
> LINT shows firewall options that aren't in GENERIC, yet firewalling
> still works?

Because LINT contains more options than GENERIC by definition.
GENERIC is a kernel which "should be okay for most people", but LINT
lists all possible options.

> Also, this box will be doing firewalling/bandwidth
> limiting/routeing (for an IP block) in about a week's time; is there
> anything I need to do to the kernel to support that or is it just ipfw
> commands from here?

Well, you'll need DUMMYNET for bandwidth limiting. It's all described
in the ipfw manpage.

Kris
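
A minimal ruleset for the default-deny kernel described in the reply above, as an added example that is not part of the original message. The kernel option names in the comments (IPFIREWALL_DEFAULT_TO_ACCEPT being the "other" option), the 192.0.2.0/24 block, the 512Kbit/s rate and the rule numbers are assumptions chosen for illustration; the script only prints the commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example (constructed), not from the original message.
# Assumed kernel config for a default-deny ipfw build:
#   options IPFIREWALL     # built-in last rule 65535: deny ip from any to any
#   options DUMMYNET       # required for "ipfw pipe" bandwidth limiting
# Weak alternative: options IPFIREWALL_DEFAULT_TO_ACCEPT makes rule 65535
# an allow, so traffic passes at boot until a ruleset is loaded.
LAN="${LAN:-192.0.2.0/24}"   # placeholder: the routed IP block
BW="${BW:-512Kbit/s}"        # placeholder: rate limit for that block

# Dry run unless APPLY=1: print each command instead of executing it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

load_rules() {
    # Keep evaluating rules after a packet leaves a pipe, so shaped
    # traffic still has to match an allow rule below.
    run sysctl -w net.inet.ip.fw.one_pass=0
    run ipfw -q flush
    run ipfw add 100 allow ip from any to any via lo0
    run ipfw pipe 1 config bw "$BW"
    run ipfw add 150 pipe 1 ip from "$LAN" to any out
    run ipfw add 200 check-state
    # Echo request/reply plus unreachable and time-exceeded, so ping works.
    run ipfw add 300 allow icmp from any to any icmptypes 0,3,8,11
    run ipfw add 400 allow tcp from "$LAN" to any setup keep-state
    run ipfw add 410 allow udp from "$LAN" to any keep-state
    # Everything else falls through to rule 65535 (deny).
}

load_rules
```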