From: Dan
To: Barney Wolff
Cc: freebsd-net@freebsd.org
Date: Sun, 19 Oct 2003 17:21:06 +0100
Subject: Re: IPFW.
Message-Id: <200310191721.06509.dan@ntlbusiness.com>
In-Reply-To: <20031019161948.GB46989@pit.databus.com>
References: <200310191532.40136.dan@ntlbusiness.com> <200310191704.42446.dan@ntlbusiness.com> <20031019161948.GB46989@pit.databus.com>
List-Id: Networking and TCP/IP with FreeBSD

On Sunday 19 October 2003 5:19 pm, you wrote:
> First, as somebody else suggested, either use numbers on every rule
> or none at all. Second, you want to keep-state only on setup, not
> on every tcp packet going in either direction, as that will be wide
> open. Third, you don't seem to have any rule allowing udp, so dns
> lookups are not likely to work. Fourth, did you actually put the
> rules into effect? If so, you should see entries in the logs when
> packets are denied. Fifth, the rule with 192.168 in it will never
> fire, as the address will have been translated by natd before it
> gets there.
>
> Doing ipfw list will show you the rules that exist, and ipfw -atde list
> will show you which rules have matched and when.

Hmm .. Ok, thanks again for your reply. I probably understood 5% of that though ;)

I will go and search on google for some of the pointers you've given me, but I am finding this really hard. It took me absolutely ages just to get that far.

Once again, thanks for your help!
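As an added illustration, and not the original poster's ruleset (which is not in this message) nor Barney's own code: a small shell script that assembles an ipfw ruleset following the five points quoted above. Every rule is numbered, keep-state is applied only to TCP setup packets, UDP to port 53 is allowed explicitly so DNS works, rules that must match the LAN's private addresses sit before the outbound natd divert, and the ruleset ends in a logging deny so that blocked packets show up in the logs. The interface names, LAN prefix and rule numbers are constructed placeholders; the skipto/divert layout is the common stateful ipfw+natd arrangement, where outbound packets are matched (and their state recorded) before natd rewrites the source address. Setting IPFW=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: an ipfw ruleset in the shape Barney's five points describe.
# Not the original poster's rules. Interface names, the LAN prefix and the
# rule numbers are constructed placeholders. Set IPFW=echo to preview.

IPFW=${IPFW:-ipfw}

ipfw_rules() {
    [ $# -ge 2 ] || { echo "usage: ipfw_rules EXT_IF INT_IF [LAN_PREFIX]" >&2; return 1; }
    ext_if=$1                 # outside interface (placeholder, e.g. xl0)
    int_if=$2                 # LAN interface (placeholder, e.g. rl0)
    lan=${3:-192.168.1.0/24}  # constructed LAN prefix

    "$IPFW" -f flush

    # Loopback and the LAN side are trusted in this example.
    "$IPFW" add 100 allow ip from any to any via lo0
    "$IPFW" add 150 allow ip from any to any via "$int_if"

    # Inbound: un-NAT first so that replies carry the private address again,
    # then let existing dynamic state (created by the setup rules below) pass.
    "$IPFW" add 200 divert natd ip from any to any in via "$ext_if"
    "$IPFW" add 300 check-state

    # Point five: this rule sees the 192.168 source only because it runs
    # BEFORE the outbound divert at 1000; placed after it, the source would
    # already be the public address and the rule would never fire. The
    # counter is visible with "ipfw -a list".
    "$IPFW" add 350 count ip from "$lan" to any out via "$ext_if"

    # Point two: keep-state only on TCP setup, not on every TCP packet.
    # State is recorded with the pre-NAT addresses; the packet then skips
    # to the outbound divert.
    "$IPFW" add 400 skipto 1000 tcp from any to any out via "$ext_if" setup keep-state

    # Point three: an explicit UDP rule, otherwise DNS lookups never leave.
    "$IPFW" add 500 skipto 1000 udp from any to any 53 out via "$ext_if" keep-state

    # Point four: a logging deny, so refused packets appear in the logs
    # (needs sysctl net.inet.ip.fw.verbose=1 and a verbose-capable kernel).
    "$IPFW" add 900 deny log ip from any to any

    # Outbound NAT for packets that were accepted above; the packet re-enters
    # the ruleset after the divert and is passed by rule 1100.
    "$IPFW" add 1000 divert natd ip from any to any out via "$ext_if"
    "$IPFW" add 1100 allow ip from any to any
}

# The two inspection commands from the reply: static rules, then the
# per-rule counters, timestamps and dynamic (including expired) state.
show_rules() {
    "$IPFW" list
    "$IPFW" -atde list
}
```

Run it as `sh rules.sh` after editing the interface names, or preview with `IPFW=echo sh -c '. ./rules.sh; ipfw_rules xl0 rl0'`. The final `deny log` is what makes point four checkable: if nothing ever appears in the logs, the rules most likely were never loaded.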