From owner-freebsd-questions Sun Jan 13 13:47:34 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail1.toronto.istar.net (mail1.toronto.istar.net [209.89.75.17]) by hub.freebsd.org (Postfix) with ESMTP id 014A437B417 for ; Sun, 13 Jan 2002 13:47:32 -0800 (PST)
Received: from d226-39-102.home.cgocable.net ([24.226.39.102] helo=x1-6-00-50-ba-de-36-33.kico1.on.home.com) by mail1.toronto.istar.net with esmtp (Exim 2.02 #1) id 16PsU5-00031G-00; Sun, 13 Jan 2002 16:48:09 -0500
Received: from localhost (genisis@localhost) by x1-6-00-50-ba-de-36-33.kico1.on.home.com (8.11.6/8.11.6) with ESMTP id g0DLrR900714; Sun, 13 Jan 2002 16:53:32 -0500 (EST) (envelope-from genisis@istar.ca)
X-Authentication-Warning: x1-6-00-50-ba-de-36-33.kico1.on.home.com: genisis owned process doing -bs
Date: Sun, 13 Jan 2002 16:53:26 -0500 (EST)
From: Dru
To: Steve Brown
Cc: freebsd-questions
Subject: Re: Dru's Onlamp article on IPFW rulesets
In-Reply-To: <3C41FE47.8010407@prayforwind.com>
Message-ID: <20020113165059.I347-100000@x1-6-00-50-ba-de-36-33.kico1.on.home.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 13 Jan 2002, Steve Brown wrote:

> Hey thanks Dru, looks like I lucked out.
>
> Here's what I get. I suspect the 1st 3 lines are causing trouble; they're
> in rc.firewall. But what do I do about it?
>
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00300 0 0 check-state
> 00301 0 0 deny tcp from any to any in established
> 00302 0 0 allow tcp from any to any keep-state out setup
> 00400 0 0 allow udp from 209.226.175.223 53 to any in recv vr0
> 00401 0 0 allow udp from 198.235.216.134 53 to any in recv vr0
> 00402 0 0 allow udp from 207.236.176.9 53 to any in recv vr0
> 00403 0 0 allow udp from 198.235.216.111 53 to any in recv vr0
> 00404 0 0 allow udp from 207.236.176.10 53 to any in recv vr0
> 00405 0 0 allow udp from 198.235.216.112 53 to any in recv vr0
> 00406 0 0 allow udp from 209.197.128.2 53 to any in recv vr0
> 00407 0 0 allow udp from 209.197.128.5 53 to any in recv vr0
> 00409 20 1260 allow udp from any to any out
> 65535 21 4059 deny ip from any to any

Hi Steve,

Nope, the 1st three lines are a good thing. I suspect rule 00409 is what solved your problem.

How many DNS servers do you have? 8 rules seems to be a bit much :)

Dru
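The diagnosis in the reply rests on the two counter columns of `ipfw -a list`: rule 00409 is the only allow rule with a non-zero packet count, so it is the one passing the traffic, and everything else that was tried fell through to the default deny at 65535. The script below is an added example, not code from the thread or from rc.firewall: it reads the exact listing Steve posted (embedded here as constructed input so it runs offline), reports which rules have actually matched packets, counts the per-resolver inbound rules on a given interface, and generates that style of rule from `nameserver` lines so the list follows resolv.conf instead of being typed by hand. The function names, the starting rule number and the 192.0.2.x addresses in the usage are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread or rc.firewall).
# Input format is that of "ipfw -a list": rule number, packet count,
# byte count, then the rule body. The listing is the one quoted above,
# embedded as a constructed sample; on a live box use:  ipfw -a list
LISTING='00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00300 0 0 check-state
00301 0 0 deny tcp from any to any in established
00302 0 0 allow tcp from any to any keep-state out setup
00400 0 0 allow udp from 209.226.175.223 53 to any in recv vr0
00401 0 0 allow udp from 198.235.216.134 53 to any in recv vr0
00402 0 0 allow udp from 207.236.176.9 53 to any in recv vr0
00403 0 0 allow udp from 198.235.216.111 53 to any in recv vr0
00404 0 0 allow udp from 207.236.176.10 53 to any in recv vr0
00405 0 0 allow udp from 198.235.216.112 53 to any in recv vr0
00406 0 0 allow udp from 209.197.128.2 53 to any in recv vr0
00407 0 0 allow udp from 209.197.128.5 53 to any in recv vr0
00409 20 1260 allow udp from any to any out
65535 21 4059 deny ip from any to any'

# Print "number packets body" for every rule whose packet counter is
# non-zero. On the sample this yields 00409 (the allow that did the work)
# and 65535 (everything that was still being dropped).
hit_rules() {
    printf '%s\n' "$LISTING" |
        awk '$2 > 0 { n = $1; p = $2; $1 = $2 = $3 = ""; sub(/^ +/, ""); print n, p, $0 }'
}

# Count the per-resolver "allow udp from <server> 53 ... in recv <iface>"
# rules for the interface given as $1 (the eight the reply calls a bit much).
dns_reply_rules() {
    printf '%s\n' "$LISTING" |
        grep -c ' allow udp from [0-9.]* 53 to any in recv '"$1"
}

# Emit one "ipfw add" command per "nameserver A.B.C.D" line read on stdin,
# numbering from $1 on interface $2. Output only; pipe to sh to install.
# Hypothetical helper: the numbering scheme is an assumption, not ipfw's.
gen_dns_rules() {
    awk -v n="$1" -v iface="$2" \
        '$1 == "nameserver" { printf "ipfw add %d allow udp from %s 53 to any in recv %s\n", n++, $2, iface }'
}

# Usage (constructed resolver list; 192.0.2.0/24 is documentation space):
#   hit_rules
#   dns_reply_rules vr0
#   printf 'nameserver 192.0.2.1\nnameserver 192.0.2.2\n' | gen_dns_rules 400 vr0
```

Reading counters this way is the general check for "which rule is actually doing the work" in any ipfw set: zero the counters with `ipfw zero`, reproduce the traffic, and list again. Note that ipfw can also track UDP with `keep-state` on the outbound rule, which would make the per-resolver inbound rules unnecessary; the generator above only makes the existing style less error-prone.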