From owner-freebsd-questions Sun Jan 13 12:19:28 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail1.toronto.istar.net (mail1.toronto.istar.net [209.89.75.17]) by hub.freebsd.org (Postfix) with ESMTP id C42FC37B41C for ; Sun, 13 Jan 2002 12:19:17 -0800 (PST)
Received: from d226-39-102.home.cgocable.net ([24.226.39.102] helo=x1-6-00-50-ba-de-36-33.kico1.on.home.com) by mail1.toronto.istar.net with esmtp (Exim 2.02 #1) id 16Pr6h-00046y-00; Sun, 13 Jan 2002 15:19:55 -0500
Received: from localhost (genisis@localhost) by x1-6-00-50-ba-de-36-33.kico1.on.home.com (8.11.6/8.11.6) with ESMTP id g0DKTIv97731; Sun, 13 Jan 2002 15:29:19 -0500 (EST) (envelope-from genisis@istar.ca)
X-Authentication-Warning: x1-6-00-50-ba-de-36-33.kico1.on.home.com: genisis owned process doing -bs
Date: Sun, 13 Jan 2002 15:29:18 -0500 (EST)
From: Dru
To: Steve Brown
Subject: Re: Dru's Onlamp article on IPFW rulesets
In-Reply-To: <3C41E6FF.7020108@prayforwind.com>
Message-ID: <20020113152814.D92561-100000@x1-6-00-50-ba-de-36-33.kico1.on.home.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 13 Jan 2002, Steve Brown wrote:

> Hi Dru, or anyone who can help me out please?
>
> I'm still completely blocked from the internet after applying the
> ruleset in the following article:
> http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
> I got through the previous article
> http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
> just fine.
>
> In order to get back on the internet at all I keep having to comment out my
> kernel & rc.conf firewall options and re-compile my kernel; it's
> getting frustrating. Can anyone tell me what I'm doing wrong?
>
> Here's my kernel options, rc.conf options, ipfw.rules. I'm using
> FreeBSD 4.4-RELEASE and I've not modified /etc/rc.firewall. I'm using
> DHCP from a BB router which is connected to DSL.
>
> ################# Kernel options #######################
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
> options IPSTEALTH # Hide from traceroute
> # To hide from nmap, don't use if running web server (I am doing so)
> # options TCP_DROP_SYNFIN
> # # To hide from portscans. Causes "config MYKERNEL"
> # # to display "unknown option" error on my system
> # # options TCP_RESTRICT_RST
>
> ################# rc.conf additions ###################
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="NO" #change to YES once happy with rules
> firewall_logging_enable="YES"
> log_in_vain="YES"
> tcp_drop_synfin="NO" #change to YES if no webserver
> # tcp_restrict_rst="YES"
> icmp_drop_redirect="YES"
>
> #################### ipfw.rules ######################
> # allow tcp/ip outgoing, and appropriate answerbacks
> add 00300 check-state
> add 00301 deny tcp from any to any in established
> add 00302 allow tcp from any to any out setup keep-state
>
> # allow DNS
> add 0400 allow udp from 209.226.175.223 53 to any in recv vr0
> add 0401 allow udp from 198.235.216.134 53 to any in recv vr0
> add 0402 allow udp from 207.236.176.9 53 to any in recv vr0
> add 0403 allow udp from 198.235.216.111 53 to any in recv vr0
> add 0404 allow udp from 207.236.176.10 53 to any in recv vr0
> add 0405 allow udp from 198.235.216.112 53 to any in recv vr0
> add 0406 allow udp from 209.197.128.2 53 to any in recv vr0
> add 0407 allow udp from 209.197.128.5 53 to any in recv vr0
>
> add 00409 allow udp from any to any out

Hi Steve,

What's the output of "ipfw show"?

Dru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
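Dru's request for "ipfw show" output is the right first diagnostic: ipfw keeps a packet and byte counter per rule, so the listing shows which rules the traffic is actually hitting. As an added example that is not part of the original thread, the shell functions below parse a constructed "ipfw show" listing in that format (rule number, packets, bytes, rule body) and report which rules have matched packets and which deny rules are dropping traffic. Hits on rule 65535, the implicit default deny, mean the packets matched none of the allow rules above it. The sample listing and its counters are made up for illustration.

```shell
#!/bin/sh
# Constructed sample of `ipfw show` output (not from the original thread).
# Columns: rule number, packet count, byte count, rule body.
SAMPLE_IPFW_SHOW='00300          0          0 check-state
00301          0          0 deny tcp from any to any in established
00302         12       1440 allow tcp from any to any out setup keep-state
00400          0          0 allow udp from 209.226.175.223 53 to any in recv vr0
00409          9        612 allow udp from any to any out
65535         37       3120 deny ip from any to any'

# Print "number packets body" for every rule that has matched at least one packet.
rules_with_hits() {
    printf '%s\n' "$1" | awk '$2 > 0 {
        n = $1; p = $2
        $1 = $2 = $3 = ""          # drop the counters, keep the rule body
        sub(/^ +/, "")
        print n, p, $0
    }'
}

# Print the rule numbers of deny rules that have matched packets.
# A hit on 65535 (the implicit default deny) means traffic fell through every allow rule.
deny_rules_with_hits() {
    printf '%s\n' "$1" | awk '$2 > 0 && $4 == "deny" { print $1 }'
}

# Packet count on the default deny rule, or 0 if it is absent from the listing.
default_deny_hits() {
    printf '%s\n' "$1" | awk '$1 == "65535" { print $2; found = 1 }
                              END { if (!found) print 0 }'
}

# Usage on a live FreeBSD box: replace the constructed sample with "$(ipfw show)".
rules_with_hits "$SAMPLE_IPFW_SHOW"
echo "deny rules with hits: $(deny_rules_with_hits "$SAMPLE_IPFW_SHOW" | tr '\n' ' ')"
echo "default deny hits:    $(default_deny_hits "$SAMPLE_IPFW_SHOW")"
```

Counters tell you that packets are being dropped, not which ones. Since the kernel above is built with IPFIREWALL_VERBOSE, adding a rule such as "add 65000 deny log ip from any to any" just ahead of the default rule makes ipfw syslog each dropped packet (source, destination, protocol and interface) to the security log; IPFIREWALL_VERBOSE_LIMIT=10 caps that at ten entries per rule, so run "ipfw resetlog" to start counting again.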