Date:      Fri, 02 Nov 2007 15:01:25 -0500
From:      Jack Barnett <jackbarnett@gmail.com>
To:        jackbarnett@gmail.com
Cc:        Bob Hall <rjhjr@cox.net>, Freebsd questions <freebsd-questions@freebsd.org>
Subject:   Re: IPFW Rules and Games
Message-ID:  <472B8215.4090209@gmail.com>
In-Reply-To: <472B8005.9090602@gmail.com>
References:  <472AF4FF.9000803@gmail.com> <20071102191207.GA79177@kongemord.krig.net> <472B7DDB.7040606@gmail.com> <472B7E57.8050003@gmail.com> <472B8005.9090602@gmail.com>


   Bob Hall wrote:

      On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:

         I added this for a temporary fix:
            ${fwcmd} add pass all from any to any

         I don't think that is the right answer; that allows too much in?

      Yes.

         I've tried these per the docs:

            ${fwcmd} add allow all from any to any out via ${iip} setup
            ${fwcmd} add allow all from any to any out via ${iip} established
            ${fwcmd} add allow all from any to any in via ${iip} established

         and also a bunch of others; but none of them worked.

      Try oip instead of iip. iip is your internal IP address, so anything
      going out from iip is going to your LAN, and anything coming in to iip
      is coming from your LAN. You want to control packets communicating with
      the outside world, so you want to control them at oip.

Sorry, that didn't work.

I also tried this:

        # setup and established are TCP-flag tests; the two udp rules cannot match
        ${fwcmd} add allow tcp from any to any via ${oip} setup
        ${fwcmd} add allow udp from any to any via ${oip} setup
        ${fwcmd} add allow tcp from any to any via ${oip} established
        ${fwcmd} add allow udp from any to any via ${oip} established

That also blocks it. :(

Even tried this and it still doesn't work:

        ${fwcmd} add allow tcp from any to any via ${oip}
        ${fwcmd} add allow udp from any to any via ${oip}

Grrr, this doesn't work either:

        # stateful
        ${fwcmd} add check-state
        ${fwcmd} add allow tcp from any to any established
        ${fwcmd} add allow all from any to any out keep-state
        ${fwcmd} add allow icmp from any to any

This thread talks about the same problem:
[1] http://lists.freebsd.org/pipermail/freebsd-ipfw/2005-December/002258.html

    "You will most likely find that dynamic rules will allow this
    ingress traffic, without the need to explicitly allow it."

But unfortunately there is no follow-up reply in that archive.

References

   1. http://lists.freebsd.org/pipermail/freebsd-ipfw/2005-December/002258.html
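The rule set below is an added example, not code from this message, from Bob Hall, or from FreeBSD's rc.firewall. It shows the layout that makes keep-state work for UDP game traffic behind natd: translate inbound packets before check-state, create the dynamic rule on the outbound side while the packet still carries its private source address, and skipto the outbound NAT rule. The interface names (em0 outside, em1 inside), the LAN prefix 192.168.1.0/24 and the FWCMD/OIF/IIF/INET variables are assumptions for illustration. With FWCMD unset the script only prints the ipfw commands, so it can be run and inspected on any machine.

```sh
#!/bin/sh
# Added example (not from the thread or rc.firewall): stateful ipfw rules
# for a natd gateway whose LAN hosts play games that expect UDP replies.
# Assumed for illustration: em0 faces the Internet, em1 faces the LAN,
# LAN is 192.168.1.0/24, natd listens on the standard "natd" divert port.
# Default fwcmd only echoes; set FWCMD="/sbin/ipfw -q" on the gateway.

fwcmd="${FWCMD:-echo /sbin/ipfw -q}"
oif="${OIF:-em0}"             # external interface (assumed)
iif="${IIF:-em1}"             # internal interface (assumed)
inet="${INET:-192.168.1.0/24}"  # LAN prefix (assumed)

load_rules() {
    ${fwcmd} -f flush

    # Traffic that never crosses the NAT boundary needs no state.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 allow ip from any to any via ${iif}
    # Anti-spoofing: nothing arriving from outside may carry a LAN source.
    ${fwcmd} add 120 deny ip from ${inet} to any in via ${oif}

    # Inbound: un-NAT first, then consult the dynamic table, so a reply
    # reaches check-state with the same private address that the
    # keep-state rule recorded when the LAN host sent its first packet.
    ${fwcmd} add 200 divert natd ip from any to any in via ${oif}
    ${fwcmd} add 210 check-state

    # Outbound, still with private source addresses: record the flow and
    # jump past the filter to the outbound NAT rule. "setup" is a TCP-flag
    # test, so it belongs only on the TCP line; UDP has no handshake, and
    # keep-state alone is what lets the game server's replies back in.
    ${fwcmd} add 300 skipto 900 tcp from ${inet} to any out via ${oif} setup keep-state
    ${fwcmd} add 310 skipto 900 udp from ${inet} to any out via ${oif} keep-state
    ${fwcmd} add 320 skipto 900 icmp from ${inet} to any out via ${oif} keep-state

    # Anything that is neither a tracked flow nor a new LAN-originated one.
    ${fwcmd} add 800 deny log ip from any to any

    # Outbound NAT, then out. Rule 910 is required: when check-state matches,
    # ipfw applies the action of the rule that created the entry (skipto 900),
    # and an inbound reply does not match the "out via" divert at 900.
    ${fwcmd} add 900 divert natd ip from any to any out via ${oif}
    ${fwcmd} add 910 allow ip from any to any
}

load_rules
```

Two things to check once this is loaded: `ipfw -d list` should show a dynamic entry for the game's UDP flow while it is active, and `sysctl net.inet.ip.fw.dyn_udp_lifetime` (10 seconds by default) must be longer than the gap between packets, otherwise the entry expires and the next reply hits rule 800.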
