From: Mikko Tyolajarvi
Date: Mon, 16 Oct 2000 15:49:32 -0700 (PDT)
Message-Id: <200010162249.e9GMnWK07783@explorer.rsa.com>
To: peter@sysadmin-inc.com
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw startup
Newsgroups: local.freebsd-security
References: <001601c037b6$189ea6c0$47010a0a@fire.sysadmininc.com>

(Cc: brutally changed to -questions)

In local.freebsd-security you write:

>I'm having difficulty getting ipfw to look at my ruleset on a 4.1-release
>box.
>I've compiled in the options needed to the kernel but when the box starts up
>I get
>IP packet filtering initialized...rule-based forwarding disabled, default to
>deny...
>and of course everything is denied except the loop back device.

>I've been unable to find any basic get-you-started type info. I'm new to
>ipfw and just want to use the default rc.firewall for now.

Put:

	firewall_enable="YES"
	firewall_type="open"	# Or maybe "simple"

in /etc/rc.conf, to let everything through, and give you a chance of
experimenting with ipfw.

When you think you have a good ruleset to load, put it in a file (say
/etc/ipfw.rules) and put

	firewall_type="/etc/ipfw.rules"

in rc.conf.

Or, if you feel like a real expert, roll your own firewall
initialization script and set firewall_script=/etc/yourscript,
replacing rc.firewall.

>I've read the entire security chapter as well as the article on dialup
>firewall configuration.
>Pointers to any helpful how to info or advice is greatly appreciated.

ipfw(8) and /etc/rc.firewall perhaps?

   $.02,
   /Mikko

P.S. Hmm... you mention dialup? ppp(8) has some filtering
capabilities as well. They may well be sufficient, and will handle
dynamic IP resulting from PPP negotiation.

-- 
 Mikko Työläjärvi_______________________________________mikko@rsasecurity.com
 RSA Security
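
Added example, not part of the original message: a small sh check that reports what the firewall_* settings in an rc.conf file will load, so a default-to-deny kernel does not boot with no usable rules. The function names, the verdict words, the assumed defaults (firewall_enable="NO", firewall_type="UNKNOWN") and the keyword list beyond "open" and "simple" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are made up.
# Reports what the firewall_* settings in an rc.conf file will load at boot,
# so a default-to-deny kernel does not come up with an empty ruleset.

# check_rules_file FILE: heuristic checks on a ruleset file for ipfw.
check_rules_file() {
    [ -r "$1" ] || { echo "missing-file"; return; }
    # Each line holds ipfw arguments ("add 100 allow ..."), not a full
    # "ipfw add ..." command line.
    if grep -Eq '^[[:space:]]*ipfw[[:space:]]' "$1"; then
        echo "bad-syntax"; return
    fi
    # With no allow/accept/pass/permit rule, everything is still denied.
    if grep -Eq '^[[:space:]]*add[[:space:]]+([0-9]+[[:space:]]+)?(allow|accept|pass|permit)[[:space:]]' "$1"; then
        echo "file:$1"
    else
        echo "no-allow-rule"
    fi
}

# classify_firewall RCCONF: print one verdict word for the given rc.conf.
# RCCONF must contain a slash (e.g. /etc/rc.conf) so "." does not search PATH.
classify_firewall() {
    (
        # Assumed defaults when rc.conf does not set the variables.
        firewall_enable="NO"; firewall_type="UNKNOWN"
        . "$1" || exit 1    # rc.conf is sh variable assignments
        case "$firewall_enable" in
            [Yy][Ee][Ss]) ;;
            # rc.firewall is not run; a default-to-deny kernel blocks everything
            *) echo "not-enabled"; exit 0 ;;
        esac
        case "$firewall_type" in
            open|client|simple|closed) echo "builtin:$firewall_type" ;;
            /*) check_rules_file "$firewall_type" ;;
            *) echo "no-rules-loaded" ;;  # only the kernel default applies
        esac
    )
}

# Run only when given an rc.conf path, e.g.: sh fwcheck.sh /etc/rc.conf
if [ "$#" -gt 0 ]; then
    classify_firewall "$1"
fi
```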