From: "JJB" (Reply-To: Barbish3@adelphia.net)
To: "Chris Nowlin", freebsd-questions@freebsd.org
Date: Fri, 6 Feb 2004 22:24:39 -0500
Subject: RE: firewall rule(s) for ports and packages

The cvsup process uses port 5999; add this rule to

    # Allow out FBSD (make install & CVSUP) functions
    # Basically give user root "GOD" privileges.
    allow tcp from me to any out via $pif setup keep-state uid root

$pif = interface facing the public internet

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Chris Nowlin
Sent: Friday, February 06, 2004 11:58 AM
To: freebsd-questions@freebsd.org
Subject: firewall rule(s) for ports and packages

I'm trying out 5.1 and 5.2, and with each, I utilize IPFW2 for the firewall.

My rules allow passive FTP from the server, but often this does not seem to cover me when adding ports. To temporarily solve this (each time with the intention to find the correct solution) I just add a rule at the top to allow tcp from any to any via any. When the port install is done, I delete that rule. This is certainly the way I've had to do it when adding ports inside a jail; even things that worked from the main server don't get past the firewall from inside the jail.

I use "to me" and "from me" to identify the server, which only has one network interface. It's listening on two IPs (after creating the jail, I had to ifconfig an alias for the interface), but I thought that "me" would imply any IP address the interface was listening to.

Surely there is a better way. For the "me" part I can always have two rules, one allowing the appropriate traffic for each IP address (instead of just using "me"), but what about a solution for the quick-fix when adding ports?

Thanks,
Chris
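An added example, not from either message in the thread, placing the reply's outbound rule inside a minimal stateful ipfw rule set so the quick-fix "allow tcp from any to any via any" is not needed. Assumed: the public interface is fxp0, ipfw lives at /sbin/ipfw, and the emit_rules function, the FWCMD dry-run variable and the script name rc.firewall.cvsup are mine.

```sh
#!/bin/sh
# Minimal stateful ipfw rule set around "allow tcp from me to any out via $pif
# setup keep-state uid root". Rules are emitted through a command so the set
# can be dry-run with FWCMD="echo ipfw" on a host without ipfw (assumption).

emit_rules() {
    cmd="$1"   # e.g. "/sbin/ipfw", or "echo ipfw" for a dry run
    pif="$2"   # interface facing the public internet

    $cmd -q -f flush

    # Loopback is always fine; 127/8 seen on the wire is spoofed.
    $cmd -q add 100 allow ip from any to any via lo0
    $cmd -q add 110 deny ip from any to 127.0.0.0/8
    $cmd -q add 120 deny ip from 127.0.0.0/8 to any

    # Pass packets belonging to flows already in the dynamic table.
    $cmd -q add 200 check-state

    # Replaces the quick fix "allow tcp from any to any via any": only sockets
    # owned by root may open outbound TCP on $pif (cvsup on 5999, fetch during
    # make install). keep-state records the flow so replies match rule 200.
    # "me" matches every address configured on the host, aliases included.
    $cmd -q add 300 allow tcp from me to any out via "$pif" setup keep-state uid root

    # Outbound DNS so the same processes can resolve mirror names.
    $cmd -q add 310 allow udp from me to any 53 out via "$pif" keep-state

    # Everything else is dropped and logged, so a blocked fetch shows up in
    # the security log instead of silently hanging.
    $cmd -q add 65000 deny log ip from any to any
}

# Load the rules only when run as the script itself (assumed name); FWCMD and
# pif may be overridden from the environment.
if [ "${0##*/}" = "rc.firewall.cvsup" ]; then
    emit_rules "${FWCMD:-/sbin/ipfw}" "${pif:-fxp0}"
fi
```

Run with FWCMD="echo ipfw" first to review the generated rules before loading them on the console, since the default deny at 65000 will cut a remote session that no earlier rule covers.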