From owner-freebsd-questions  Fri Feb  2 14:30:15 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from gdmckee.local (gdm.demon.co.uk [193.237.88.62])
	by hub.freebsd.org (Postfix) with ESMTP id 5905137B401
	for ; Fri, 2 Feb 2001 14:29:54 -0800 (PST)
Received: from [192.168.0.5] (helo=p300)
	by gdmckee.local with smtp (Exim 3.16 #1)
	id 14OoiB-0000MZ-00; Fri, 02 Feb 2001 22:29:47 +0000
Message-ID: <001001c08d67$9d394d20$0500a8c0@gdmckee.local>
From: "G D McKee"
To: "Lowell Gilbert"
Cc: "freebsd-questions"
References: <018101c08d5b$be140fa0$0500a8c0@gdmckee.local> <44k878aib2.fsf@lowellg.ne.mediaone.net>
Subject: Re: [freebsd-questions] Permissions Problem
Date: Fri, 2 Feb 2001 22:29:32 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi

This is what my Firewall config file looks like.  I don't think there is
anything wrong.  I want it to enable anything going out but only incoming
for the ports listed below and stuff sent out by one of the machines.  I
need to add ntp as well.

# Firewall rules

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost.  Make sure you
# change your network card (mine was fxp0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via ep1

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.  This example shows that people may connect
# to ssh and apache.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow tcp from any to any 25 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 194.72.6.57 53 out xmit tun0

# Allow them back in with the answers... :)
$fwcmd add allow udp from 194.72.6.57 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any

Gordon

----- Original Message -----
From: "Lowell Gilbert"
To: "G D McKee"
Sent: Friday, February 02, 2001 9:25 PM
Subject: Re: [freebsd-questions] Permissions Problem

> freebsd@gdmckee.com (G D McKee) writes:
>
> > How can I get rid of this message.
> >
> > Feb 2 20:58:05 kursk natd[146]: failed to write packet back (Permission
> > denied)
>
> Fix your firewall rules.  A packet is being denied after being
> rewritten, which is virtually never what you want.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
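As an added illustration (not part of this thread and not a FreeBSD tool), the Python below models the ruleset Gordon posted: it parses the subset of ipfw syntax he uses, walks a packet through the rules in order, and records whether the packet went through the natd divert before reaching its verdict, which is the rewritten-then-denied case Lowell is pointing at. In this model an outbound UDP packet that is not a DNS query to 194.72.6.57 (NTP, say) is diverted and then caught by the final deny rule. Assumptions: matching is simplified (exact address matches only, no masks; `recv` is treated as matching inbound packets only), and every address other than Gordon's 192.168.0.5 and his DNS server is made up.

```python
RULES = [  # the ruleset from the message, in the order the script adds it (constructed copy, comments dropped)
    "divert natd all from any to any via tun0",
    "allow ip from any to any via lo0", "allow ip from any to any via ep1",
    "allow tcp from any to any out xmit tun0 setup",
    "allow tcp from any to any via tun0 established",
    "allow tcp from any to any 80 setup", "allow tcp from any to any 22 setup",
    "allow tcp from any to any 25 setup", "reset log tcp from any to any 113 in recv tun0",
    "allow udp from any to 194.72.6.57 53 out xmit tun0",
    "allow udp from 194.72.6.57 53 to any in recv tun0",
    "65435 allow icmp from any to any", "65435 deny log ip from any to any",
]

def parse(line):  # -> (action, proto, src, sport, dst, dport, opts) for the ipfw subset above
    t = [w for w in line.split() if w != "log"]   # 'log' only affects logging, not matching
    if t[0].isdigit(): t.pop(0)                   # explicit rule number; list order already matches
    action = t.pop(0)
    if action == "divert": t.pop(0)               # drop the divert port name (natd)
    proto = t.pop(0)
    ends, opts = [], {}
    for _kw in ("from", "to"):                    # keyword, address, then an optional port number
        t.pop(0)
        ends += [t.pop(0), int(t.pop(0)) if t and t[0].isdigit() else None]
    while t:
        k = t.pop(0); opts[k] = t.pop(0) if k in ("via", "xmit", "recv") else True
    return (action, proto, *ends, opts)

def matches(r, p):  # simplified ipfw matching; p is a packet dict from pkt()
    _, proto, src, sport, dst, dport, o = r
    return all([
        proto in ("ip", "all", p["proto"]), src in ("any", p["src"]), dst in ("any", p["dst"]),
        sport in (None, p["sport"]), dport in (None, p["dport"]),
        "in" not in o or p["dir"] == "in", "out" not in o or p["dir"] == "out",
        o.get("via") in (None, p["iface"]),
        "xmit" not in o or (p["dir"] == "out" and o["xmit"] == p["iface"]),
        "recv" not in o or (p["dir"] == "in" and o["recv"] == p["iface"]),
        "setup" not in o or (p["syn"] and not p["ack"]),  # SYN without ACK
        "established" not in o or p["ack"],               # any ACK-bearing segment
    ])

def pkt(proto, dst, dport, direction, iface, src="192.168.0.5", sport=40000, syn=False, ack=False):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, dir=direction, iface=iface, syn=syn, ack=ack)

def trace(p):  # walk p through RULES -> (verdict, matching rule, natd_reinjected)
    diverted = False
    for text in RULES:
        r = parse(text)
        if not matches(r, p): continue
        if r[0] != "divert": return r[0], text, diverted
        diverted = True   # natd rewrites the packet and writes it back; ipfw resumes at the next rule
    return "deny", "65535 default deny", diverted   # reinjected + denied = "failed to write packet back"
```

A result of `("deny", ..., True)` is a packet natd already rewrote, so natd's write-back fails with EPERM; the DNS rule pair shows the shape of the allow rules such traffic needs.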