From owner-freebsd-questions Mon Nov 25 17:57:19 2002
From: "Phierce" <phierce@phierce.com>
To: freebsd-questions@freebsd.org
Subject: IPFW Help
Date: Mon, 25 Nov 2002 20:57:15 -0500

Hello All,

New to the FreeBSD OS, but learning... having some trouble with IPFW. Below is what it looks like. I can sh rc.firewall with no errors, but yet my root account is still unable to ping out; I receive "permission denied". Wondering if anyone could help me out.

#
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi
#
if [ -n "${1}" ]; then
    firewall_type="${1}"
fi

# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
    fwcmd="/sbin/ipfw -q"
    ;;
*)
    fwcmd="/sbin/ipfw"
    ;;
esac

#######################################################
# Flush out the list before we begin.
#
${fwcmd} -f flush

case ${firewall_type} in
[Cc][Uu][Ss][Tt][Oo][Mm])
    # set these to your network netmask and ip
    net="192.168.1.1"
    mask="255.255.255.0"
    ip="192.168.1.10"

    # Deny all fragments as bogus packets
    ${fwcmd} add 00100 deny log all from any to any frag

    # Allow any TCP UDP traffic from my own net.
    ${fwcmd} add 00200 allow all from any to any via lo0
    ${fwcmd} add 00300 deny log ip from any to 127.0.0.1/8

    # We should allow in&out some TCP and udp ports.
    ${fwcmd} add 00400 allow tcp from any to any 32000-65535
    ${fwcmd} add 00500 allow udp from any to any 32000-65535

    # Allow TCP through if setup succeeded
    ${fwcmd} add 00600 allow tcp from any to any established

    # Allow access to FTPD
    ${fwcmd} add 00700 allow tcp from any to ${ip} 21
    ${fwcmd} add 00800 allow tcp from any 20 to any 1024-49151 out

    # Allow access to OPENSSH
    ${fwcmd} add 00900 allow tcp from any to ${ip} 22

    # Allow access to SENDMAIL
    ${fwcmd} add 01000 allow tcp from any to any 25

    # Allow access to BIND
    ${fwcmd} add 01100 allow udp from ${ip} to any
    ${fwcmd} add 01200 allow udp from any to ${ip}

    # Allow access to FINGER
    ${fwcmd} add 01300 allow tcp from any to any 79

    # Allow access to HTTP
    ${fwcmd} add 01400 allow tcp from any to any 80

    # Allow access to POP3
    ${fwcmd} add 01500 allow tcp from any to any 110

    # Allow access to IDENT
    ${fwcmd} add 01600 allow tcp from any to any 113
    ${fwcmd} add 01700 allow udp from any to any 113

    # Allow access to IMAP
    ${fwcmd} add 01800 allow tcp from any to any 143

    # Allow access to HTTPS
    ${fwcmd} add 01900 allow tcp from any to any 443

    # Allow access to SUBMISSION
    ${fwcmd} add 02000 allow udp from any to any 512
    ${fwcmd} add 02100 allow udp from any to any 520

    # Allow access to IRC
    ${fwcmd} add 02200 allow tcp from any to any 6667
    ${fwcmd} add 02300 allow tcp from any to any 6668
    ${fwcmd} add 02400 allow tcp from any to any 6669

    # Extended account access
    ${fwcmd} add 02500 allow all from any to any uid USERNAME
    ${fwcmd} add 02600 allow icmp from any to any uid USERNAME
    ${fwcmd} add 02700 allow tcp from any to any uid USERNAME
    ${fwcmd} add 02800 allow icmp from any to any uid USERNAME

    # root access non-restrictive
    ${fwcmd} add 02900 allow all from any to any uid root
    ${fwcmd} add 03000 allow icmp from any to any uid root

    # lastly we deny everything by default here as well as in the kernel.
    ${fwcmd} add 03100 deny log all from any to any
    ;;
esac

Thanks
-Zack
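An added example, not the poster's script and not FreeBSD's own rc.firewall: a tightened rewrite of the CUSTOM section above in the same stateless FreeBSD 4.x ipfw style. The only value taken from the post is the host address ${ip}; the service list, rule numbers and the fwcmd=echo dry-run mode are this example's own choices. The ICMP rule is the one that bears on the question asked: ipfw's "uid" option matches TCP and UDP sockets only, so "allow icmp from any to any uid root" never matches and an outgoing ping reaches the final deny, which is what "permission denied" on a local sendto looks like.

```sh
#!/bin/sh
# Added example, not the ruleset from the post: a tightened rewrite of its
# CUSTOM section for FreeBSD 4.x ipfw, in the same stateless style.
# $ip is the host address from the post; everything else is an assumption
# of this example. Set fwcmd=echo to print the rules instead of loading them.

ip="${ip:-192.168.1.10}"
fwcmd="${fwcmd:-/sbin/ipfw -q}"     # fwcmd=echo gives a dry run

load_rules() {
    ${fwcmd} -f flush

    # Loopback is fine; nothing on the wire may carry 127/8 addresses.
    ${fwcmd} add 00100 allow all from any to any via lo0
    ${fwcmd} add 00200 deny log ip from any to 127.0.0.0/8
    ${fwcmd} add 00300 deny log ip from 127.0.0.0/8 to any

    # ICMP. ipfw's "uid" option matches only TCP and UDP sockets, so the
    # post's "allow icmp ... uid root" never matches and ping falls
    # through to the final deny. Allow echo reply (0), unreachable (3),
    # echo request (8) and time exceeded (11) explicitly.
    ${fwcmd} add 00400 allow icmp from any to any icmptypes 0,3,8,11

    # Replies on TCP connections already set up. New connections are
    # decided per service with "setup" below instead of the post's
    # blanket "allow tcp/udp from any to any 32000-65535".
    ${fwcmd} add 00500 allow tcp from any to any established

    # Inbound services this host actually offers (the post's list,
    # trimmed to the ones it addresses to ${ip}).
    ${fwcmd} add 00600 allow tcp from any to ${ip} 21 setup in
    ${fwcmd} add 00700 allow tcp from any to ${ip} 22 setup in
    ${fwcmd} add 00800 allow tcp from any to ${ip} 25 setup in
    ${fwcmd} add 00900 allow tcp from any to ${ip} 80 setup in
    ${fwcmd} add 01000 allow tcp from any to ${ip} 443 setup in

    # DNS: resolver queries from this host and their replies, plus
    # queries to a local BIND, instead of the post's
    # "allow udp from any to ${ip}" which admits all UDP.
    ${fwcmd} add 01100 allow udp from ${ip} to any 53 out
    ${fwcmd} add 01200 allow udp from any 53 to ${ip} in
    ${fwcmd} add 01300 allow udp from any to ${ip} 53 in
    ${fwcmd} add 01400 allow udp from ${ip} 53 to any out

    # Outbound connections opened on this host (this also covers ftpd's
    # active-mode data connection from port 20). These are TCP/UDP
    # sockets, so "uid root" / "uid <user>" does work here if you want
    # to narrow them per account.
    ${fwcmd} add 01500 allow tcp from ${ip} to any setup out
    ${fwcmd} add 01600 allow udp from ${ip} to any out

    # Everything else is denied and logged, as in the post.
    ${fwcmd} add 03100 deny log all from any to any
}

# Usage: sh rc.firewall.local apply     (load into the kernel)
#        sh rc.firewall.local dry-run   (print the rules only)
case "${1-}" in
    apply)   load_rules ;;
    dry-run) fwcmd=echo; load_rules ;;
esac
```

Run the dry-run mode first and read the output as a list: the ICMP allow sits above the final deny, and no remaining rule opens a whole port range to "any". Two smaller points about the posted file that the rewrite also drops: the two rules under "Allow access to SUBMISSION" are UDP 512 and 520 (comsat/biff and RIP), not mail submission, which is TCP 587; and net="192.168.1.1" with a /24 mask names a host rather than a network, though nothing in the posted rules uses net or mask anyway.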