Date: Mon, 29 Mar 1999 00:54:13 +0930 (CST)
From: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To: Remy Nonnenmacher <remy@synx.com>
Cc: ru@ucb.crimea.ua, noor@netvision.net.il, freebsd-questions@freebsd.org
Subject: Re: ipfw behavior, is it normal?
Message-ID: <Pine.OSF.4.10.9903290046290.25034-100000@bragg>
In-Reply-To: <199903281409.QAA22122@rt2.synx.com>
On Sun, 28 Mar 1999, Remy Nonnenmacher wrote:

> >> 00100 allow ip from any to any via lo0
> >> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> >> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> >> 00400 allow ip from any to [server-ip] 80 in via xl0
> >> 00500 allow ip from any to [server-ip] 21 in via xl0
> >> 65000 allow ip from any to any
> >> 65535 deny ip from any to any

Except for rule 65000, you are allowing IP traffic in one direction only (outside -> server). This lets the packets in, but doesn't let the return packets out when you remove rule 65000.

To allow outbound packets part of an established (incoming) TCP connection, use the 'established' keyword:

00100 allow tcp from any to any out xmit xl0 established

Configure your kernel with options IPFIREWALL_VERBOSE and it will log the packets which are bounced by the firewall - great for tuning the configuration and seeing where things are going wrong.

This isn't really a -hackers question, follow-ups sent to -questions.

Kris

-----
The Feynman problem-solving algorithm:
1. Write down the problem
2. Think real hard
3. Write down the solution
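The behaviour Kris describes, as an added example that is not part of the original mail or of ipfw itself: a small simulator of ipfw's first-match rule walk, run over the poster's ruleset with 65000 removed, before and after adding the 'established' rule. The addresses and the ephemeral port are constructed placeholders for the bracketed values in the mail; the suggested rule is numbered 600 here rather than 00100 so that it sorts after the per-port rules; and 'established' is modelled the way ipfw(8) defines it, as a TCP segment with the ACK or RST bit set.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders standing in for the bracketed values in the mail.
SERVER = "192.0.2.10"       # [server-ip]
MACHINE_A = "192.0.2.20"    # [machine-a-ip]
CLIENT = "198.51.100.7"     # an arbitrary outside host


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int]
    direction: str              # "in" or "out", as seen by the firewall host
    iface: str
    tcp_flags: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    proto: str = "ip"           # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None   # None behaves like "via": either way
    iface: Optional[str] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        # 'established' is a stateless flag check: any TCP segment carrying
        # ACK or RST matches, i.e. everything except the opening SYN.
        if self.established and not (
            p.proto == "tcp" and p.tcp_flags & {"ACK", "RST"}
        ):
            return False
        return True


def evaluate(rules, p):
    """Walk the list in rule-number order; the first match decides."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"        # ipfw's implicit default


# The poster's ruleset with rule 65000 removed.
BASE_RULES = [
    Rule(100, "allow", iface="lo0"),
    Rule(200, "allow", src=MACHINE_A, dst=SERVER, iface="xl0"),
    Rule(400, "allow", dst=SERVER, dport=80, direction="in", iface="xl0"),
    Rule(500, "allow", dst=SERVER, dport=21, direction="in", iface="xl0"),
    Rule(65535, "deny"),
]

# Kris's fix; numbered 600 here (the mail uses 00100) so it sorts last.
ESTABLISHED = Rule(600, "allow", proto="tcp", direction="out",
                   iface="xl0", established=True)
FIXED_RULES = BASE_RULES + [ESTABLISHED]

# One HTTP connection from outside: the client's SYN, then the server's
# SYN/ACK reply heading back out. 40000 is a constructed ephemeral port.
SYN_IN = Packet("tcp", CLIENT, SERVER, 80, "in", "xl0", frozenset({"SYN"}))
SYNACK_OUT = Packet("tcp", SERVER, CLIENT, 40000, "out", "xl0",
                    frozenset({"SYN", "ACK"}))
# A connection the server itself tries to open: not 'established'.
NEW_OUT = Packet("tcp", SERVER, CLIENT, 25, "out", "xl0", frozenset({"SYN"}))
# A bare ACK arriving from outside: wrong direction for rule 600.
STRAY_ACK_IN = Packet("tcp", CLIENT, SERVER, 22, "in", "xl0",
                      frozenset({"ACK"}))


def demo():
    return {
        "syn_in_base": evaluate(BASE_RULES, SYN_IN),
        "synack_out_base": evaluate(BASE_RULES, SYNACK_OUT),
        "synack_out_fixed": evaluate(FIXED_RULES, SYNACK_OUT),
        "new_out_fixed": evaluate(FIXED_RULES, NEW_OUT),
        "stray_ack_in_fixed": evaluate(FIXED_RULES, STRAY_ACK_IN),
    }


if __name__ == "__main__":
    for name, (num, action) in demo().items():
        print(f"{name:20s} -> rule {num:5d} {action}")
```

Without rule 65000 the client's SYN is admitted by 400, but the server's SYN/ACK travels out with the client as destination, matches nothing, and hits 65535. The 'established' rule admits it while still dropping a SYN the server originates itself and an ACK arriving inbound. Because the keyword only inspects TCP flags, it trusts any segment that sets ACK; that is why later ipfw releases added the stateful keep-state/check-state rules, which track real connections instead.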