From owner-freebsd-stable@FreeBSD.ORG Fri Oct 7 13:04:46 2005
Date: Fri, 7 Oct 2005 08:04:40 -0500 (CDT)
From: Chris
To: Горсткин Илья
Cc: freebsd-stable@freebsd.org
Subject: Re: ipfw: firewall.sh don't work!
In-Reply-To: <1128689902.653.28.camel@hp.tbnbykovo.ru>
Message-ID: <20051007080347.N32724@makeworld.com>
List-Id: Production branch of FreeBSD source code
On Fri, 7 Oct 2005, Горсткин Илья wrote:

> Hi all!
> FreeBSD 5.4 p7.
>
> ipfw works only in firewall_type="open" mode.
> When I try to apply firewall_script="/etc/firewall.sh", the system
> forbids the traffic even if firewall.sh is configured as "allow all any to
> any".
>
> my kernel:
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_FORWARD
> options IPFIREWALL_FORWARD_EXTENDED
> options IPDIVERT
> options DUMMYNET
>
> rc.conf:
> gateway_enable="YES"
> ifconfig_bge0="inet 192.168.1.1"
> ifconfig_xl0="inet xxxx.xxxx.xxxx.xxxx"
> icmp_drop_redirect="YES"
> icmp_log_redirect="YES"
> icmp_bmcastecho="NO"
> firewall_enable="YES"
> #firewall_type="OPEN"
> firewall_script="/etc/firewall.sh"
> firewall_logging="YES"
> natd_enable="YES"
> natd_interface="xl0"
> natd_flags="-s"
>
> /etc/firewall.sh:
> #!/bin/sh
>
> ipfw='/sbin/ipfw -q'
> inet='xl0'
> lan='bge0'
>
> ${ipfw} -a flush
> ${ipfw} add 100 allow all from any to any via lo0
>
> ${ipfw} add 300 divert natd tcp from any to any via ${inet}
> ${ipfw} add 310 divert natd udp from any to any via ${inet}
>
> ${ipfw} add 400 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
> ${ipfw} add 410 deny icmp from any to any frag
> ${ipfw} add 420 allow icmp from any to any
> ${ipfw} add 500 deny tcp from any to 192.168.1.0/24 137-139 via ${inet}
> ${ipfw} add 510 deny udp from any to 192.168.1.0/24 137-139 via ${inet}
> ${ipfw} add 520 deny ip from 192.168.1.0/24 to any in via ${inet}
> ${ipfw} add 530 allow tcp from 192.168.1.1 to any 5999
> ${ipfw} add 540 allow udp from any 53 to any
> ${ipfw} add 550 allow udp from any to any 53
>
> ${ipfw} add 600 allow tcp from 192.168.1.0/24 to any 20,21,25,80,110,443,5190
> ${ipfw} add 610 allow tcp from any 20,21,25,80,110,443,5190 to 192.168.1.0/24
>
> Where is the problem?
> thanks!

Go back to the Handbook and read it again. You'll see that you are NOT
making the proper references for LAN traffic and internet traffic.

Best regards,
Chris

A little ambiguity never hurt anyone.
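The following firewall.sh is an added example for the same xl0/bge0 NAT gateway, not the poster's script and not the Handbook's ruleset: it keeps the poster's interface names and LAN prefix and adds what the posted script has no rule for, an allow for traffic via the LAN interface, an established/setup pair placed after the divert so that packets re-entering the ruleset with NAT-translated addresses are matched, and a logged final deny ahead of the kernel's default-deny rule 65535. The IPFW_APPLY switch, the rule numbers and the ICMP type selection are this example's own choices.

```shell
#!/bin/sh
# Added example (not the original poster's /etc/firewall.sh): ipfw ruleset
# generator for a FreeBSD NAT gateway. xl0 (internet), bge0 (LAN) and
# 192.168.1.0/24 come from the thread; rule numbers and the IPFW_APPLY
# switch are assumptions of this example.

# build_rules INET_IF LAN_IF prints one "ipfw add ..." argument list per line.
build_rules() {
    inet="$1"; lan="$2"; lannet="192.168.1.0/24"
    # loopback first, and nothing to or from 127/8 on real interfaces
    echo "add 100 allow ip from any to any via lo0"
    echo "add 110 deny ip from any to 127.0.0.0/8"
    echo "add 120 deny ip from 127.0.0.0/8 to any"
    # the LAN side is trusted: the posted script has no rule covering ${lan}
    echo "add 200 allow ip from any to any via ${lan}"
    # anti-spoofing and NetBIOS filtering, evaluated before natd rewrites
    # addresses, so the match is on what the packet looked like on the wire
    echo "add 300 deny ip from ${lannet} to any in via ${inet}"
    echo "add 310 deny ip from any to ${lannet} in via ${inet}"
    echo "add 320 deny tcp from any to any 137-139 in via ${inet}"
    echo "add 330 deny udp from any to any 137-139 in via ${inet}"
    # NAT: a diverted packet re-enters the ruleset at the next rule with
    # translated addresses, so the allow rules below must follow this one
    echo "add 400 divert natd ip from any to any via ${inet}"
    # replies for connections already set up, then outbound connection setup
    echo "add 500 allow tcp from any to any established"
    echo "add 510 allow tcp from any to any out via ${inet} setup"
    # DNS, plus echo, unreachable, echo request and time exceeded
    echo "add 600 allow udp from any to any 53 out via ${inet}"
    echo "add 610 allow udp from any 53 to any in via ${inet}"
    echo "add 700 allow icmp from any to any icmptypes 0,3,8,11"
    # everything else is dropped and logged (the poster's kernel has
    # IPFIREWALL_VERBOSE, so "log" goes to syslog up to the verbose limit)
    echo "add 65000 deny log ip from any to any"
}

# install_rules INET_IF LAN_IF: print the rules, or load them with
# /sbin/ipfw when IPFW_APPLY=1 (flush is unconfirmed because of -f).
install_rules() {
    if [ "${IPFW_APPLY:-0}" = 1 ]; then
        /sbin/ipfw -q -f flush
        build_rules "$1" "$2" | while read -r rule; do
            # shellcheck disable=SC2086  # word splitting is intended here
            /sbin/ipfw -q $rule
        done
    else
        build_rules "$1" "$2"
    fi
}

install_rules xl0 bge0
```

Running the script without IPFW_APPLY=1 only prints the ruleset, which is the form to review before loading it on the gateway.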