From owner-freebsd-questions Sun Jan 13 13:11: 2 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp.hccnet.nl (smtp.hccnet.nl [62.251.0.13]) by hub.freebsd.org (Postfix) with ESMTP id 793E337B404 for ; Sun, 13 Jan 2002 13:10:47 -0800 (PST)
Received: from there by smtp.hccnet.nl via fia168-94.dsl.hccnet.nl [62.251.94.168] with SMTP id WAA02031 (8.8.8/1.13); Sun, 13 Jan 2002 22:10:42 +0100 (MET)
Message-Id: <200201132110.WAA02031@smtp.hccnet.nl>
Content-Type: text/plain; charset="iso-8859-1"
From: Simon Siemonsma
To: Steve Brown
Subject: Re: Dru's Onlamp article on IPFW rulesets
Date: Sun, 13 Jan 2002 22:15:56 +0000
X-Mailer: KMail [version 1.3.2]
References: <3C41E6FF.7020108@prayforwind.com>
In-Reply-To: <3C41E6FF.7020108@prayforwind.com>
Cc: freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sunday 13 January 2002 19:58, you wrote:
> Hi Dru, or anyone who can help me out please?
>
> I'm still completely blocked from the internet after applying the
> ruleset in the following article:
> http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
> I got through the previous article
> http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
> just fine.
>
> In order to get back on the internet at all I keep having to comment out my
> kernel & rc.conf firewall options and re-compile my kernel; it's
> getting frustrating. Can anyone tell me what I'm doing wrong?
>
> Here are my kernel options, rc.conf options and ipfw.rules. I'm using
> FreeBSD 4.4-RELEASE and I've not modified /etc/rc.firewall. I'm using
> DHCP from a BB router which is connected to DSL.
>
> ################# Kernel options #######################
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
> options IPSTEALTH # Hide from traceroute
> # To hide from nmap, don't use if running web server (I am doing so)
> # options TCP_DROP_SYNFIN
> # # To hide from portscans. causes "config MYKERNEL"
> # # to display "unknown option" error on my system
> # # options TCP_RESTRICT_RST

This is right. For FreeBSD 4.3 it worked exactly as described in the
article. In the release notes of 4.4 it states that this option is not
supported anymore because equal functionality can be achieved with the
sysctl blackhole option. So during my upgrade to 4.4, before recompiling
my kernel, I removed this option and added the following lines to my
/etc/rc.local:

sysctl -w net.inet.tcp.blackhole=2
sysctl -w net.inet.udp.blackhole=1

> ################# rc.conf additions ###################
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="NO" #change to YES once happy with rules
> firewall_logging_enable="YES"
> log_in_vain="YES"
> tcp_drop_synfin="NO" #change to YES if no webserver
> # tcp_restrict_rst="YES"
> icmp_drop_redirect="YES"
>
> #################### ipfw.rules ######################
> # allow tcp/ip outgoing, and appropriate answerbacks
> add 00300 check-state
> add 00301 deny tcp from any to any in established
> add 00302 allow tcp from any to any out setup keep-state
>
> # allow DNS
> add 0400 allow udp from 209.226.175.223 53 to any in recv vr0
> add 0401 allow udp from 198.235.216.134 53 to any in recv vr0
> add 0402 allow udp from 207.236.176.9 53 to any in recv vr0
> add 0403 allow udp from 198.235.216.111 53 to any in recv vr0
> add 0404 allow udp from 207.236.176.10 53 to any in recv vr0
> add 0405 allow udp from 198.235.216.112 53 to any in recv vr0
> add 0406 allow udp from 209.197.128.2 53 to any in recv vr0
> add 0407 allow udp from 209.197.128.5 53 to any in recv vr0
>
> add 00409 allow udp from any to any out
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
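An added example, written for this archive page and not code from either mail in the thread: a small Python model of the quoted ipfw ruleset that applies first-match order, keep-state/check-state and the kernel's own final rule 65535 (deny ip from any to any when IPFIREWALL_DEFAULT_TO_ACCEPT is not configured) to constructed packets, so a reader can see which traffic a listed rule accepts and which falls through to the default deny. The host, router and web-server addresses are made up; the DNS server 209.226.175.223 is one from the quoted rules, and "recv vr0" is parsed but not evaluated.

```python
import re

RULESET = """
add 00300 check-state
add 00301 deny tcp from any to any in established
add 00302 allow tcp from any to any out setup keep-state
add 0400 allow udp from 209.226.175.223 53 to any in recv vr0
add 00409 allow udp from any to any out
"""
RULE_RE = re.compile(r"add (\d+) (\S+)(?: (\S+) from (\S+)(?: (\d+))? to (\S+)(?: (\d+))?(.*))?$")
FIELDS = ("proto", "src", "sport", "dst", "dport", "dir")

def parse(text):
    # 'add NUM action [proto from SRC [port] to DST [port] opts...]' -> list of dicts
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        num, action, proto, src, sport, dst, dport, rest = m.groups()
        opts = set((rest or "").split())        # in/out/established/setup/keep-state/recv IF
        rules.append({"num": int(num), "action": action, "opts": opts,
                      "proto": proto or "any", "src": src or "any", "sport": sport or "any",
                      "dst": dst or "any", "dport": dport or "any",
                      "dir": "in" if "in" in opts else "out" if "out" in opts else "any"})
    return rules

def matches(r, p):
    return (all(r[f] in ("any", p[f]) for f in FIELDS)
            and ("established" not in r["opts"] or p["established"])
            and ("setup" not in r["opts"] or not p["established"]))

def evaluate(rules, packets):
    # returns (rule number, action) per packet; first matching rule wins
    state, verdicts = set(), []
    for p in packets:
        key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        verdict = (65535, "deny")   # kernel's final rule without IPFIREWALL_DEFAULT_TO_ACCEPT
        for r in rules:
            if r["action"] == "check-state":
                if key in state:
                    verdict = (r["num"], "allow"); break
            elif matches(r, p):
                if "keep-state" in r["opts"]:   # remember both directions of the flow
                    state.update({key, (key[0], key[3], key[4], key[1], key[2])})
                verdict = (r["num"], r["action"]); break
        verdicts.append(verdict)
    return verdicts

def packet(*v, established=False): return dict(zip(FIELDS, v), established=established)
# Constructed traffic: web fetch and reply, DNS reply from an unlisted router, DNS reply from a listed server
SAMPLE = [packet("tcp", "10.0.0.5", "40001", "203.0.113.80", "80", "out"),
          packet("tcp", "203.0.113.80", "80", "10.0.0.5", "40001", "in", established=True),
          packet("udp", "192.168.1.1", "53", "10.0.0.5", "51000", "in"),
          packet("udp", "209.226.175.223", "53", "10.0.0.5", "51000", "in")]
```

Running `evaluate(parse(RULESET), SAMPLE)` shows the SYN/ACK accepted by check-state before rule 301 can deny it, and the reply from the unlisted resolver address reaching rule 65535.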