Date:      Sat, 9 Aug 2003 00:53:24 +0000
From:      Daniela <dgw@liwest.at>
To:        Mick Walker <mick@materialised.hopto.org>, freebsd-config@freebsd.org
Subject:   Re: IPFW Help
Message-ID:  <200308090053.24606.dgw@liwest.at>
In-Reply-To: <1060106496.1360.7.camel@materialised.hopto.org>
References:  <1060106496.1360.7.camel@materialised.hopto.org>

On Tuesday 05 August 2003 18:01, Mick Walker wrote:
> Hi everyone,
> I'm a totally new user to FreeBSD and am currently running 5.1 release 2
> on an Intel based machine.
> I have been a Linux user for many years and am quite familiar with
> ipchains/tables. However, migrating to FreeBSD is proving to be quite a
> challenge to me.
> Up until this point I have got everything working as it did on my Linux
> gateway, I have configured natd to masquerade connections for the
> internal network, and set X to start up at boot.
>
> However, one thing is evading me, I can't seem to add any firewall rules.
> Here are the contents of my /etc/rc.firewall file, which is called by
> rc.local on boot,

...

>
> I have been told that I should rearrange these things so the deny and
> allow rules are before the pass all from any to any rule, however when I
> do this the whole system doesn't seem to have any internet access, I can't
> ping any system over the internet or connect to any services.
>
> Could someone please point out where I am going wrong?


Look into your firewall logfile. I suspect you are denying outgoing DNS 
packets. Look for packets denied by rule 00499.
If this doesn't lead to a solution, try posting your question to 
ipfw@freebsd.org.


My personal recommendations (not necessary to solve your problem):

Put the following line into your rc.conf:
firewall_type="/etc/ipfw.rules"
Put your firewall rules into the /etc/ipfw.rules file, instead of messing with 
rc.firewall (without the /sbin/ipfw in front of them). 

Be careful, it is insecure to allow everything not explicitly denied. Don't do 
it unless you absolutely need to.
Instead, add "keep-state" to the end of all your TCP allow rules.
Put the rule "add check-state" right after the divert rule.
If you have something to protect, or don't want unnecessary downtime caused by 
attacks, follow the advice. It can possibly save you lots of headaches.

Regards,
Daniela
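One way to lay out the /etc/ipfw.rules file the reply above recommends, written as an added example for this archive page; it is not part of the original thread and not the poster's rc.firewall. It assumes an external PPP interface tun0, an internal interface rl0 carrying the LAN 192.168.1.0/24, and natd on its default divert port; none of those names are in the thread. Because keep-state records the packet as ipfw sees it at that rule, the example splits NAT into an inbound divert (with check-state directly after it, as the reply says) and an outbound divert that the keep-state rules reach with skipto, so the recorded state carries the LAN addresses rather than the translated ones; that split is this example's own choice. Outgoing DNS is allowed explicitly, and the final rule logs and denies instead of passing everything.

```conf
# /etc/ipfw.rules -- added example, not from the original message.
# Assumed (not in the thread): external interface tun0, internal
# interface rl0 with the LAN 192.168.1.0/24, natd on its default port.
# Lines are ipfw commands without the /sbin/ipfw prefix: with
# firewall_type="/etc/ipfw.rules" in rc.conf, rc.firewall hands this
# whole file to ipfw.

# Loopback, and nothing pretending to be loopback on a real interface.
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any

# Traffic on the internal interface is trusted in both directions.
add 400 allow ip from any to any via rl0

# Inbound NAT first, so replies carry LAN addresses again, then
# check-state right after the divert rule. A matching dynamic rule runs
# the action of the rule that created it (allow or skipto below).
add 500 divert natd ip from any to any in via tun0
add 510 check-state

# Outbound: record state on the untranslated packet, then skipto the
# outbound divert (rule 5000) so natd still sees the packet.
add 1000 skipto 5000 udp from any to any 53 out via tun0 keep-state
add 1010 skipto 5000 tcp from any to any out via tun0 setup keep-state
add 1020 skipto 5000 icmp from any to any out via tun0 icmptypes 8

# Inbound: only what is deliberately exposed (SSH to the gateway here,
# delete if unwanted) plus the ICMP needed for replies and path MTU.
add 2000 allow tcp from any to me 22 in via tun0 setup keep-state
add 2010 allow icmp from any to any in via tun0 icmptypes 0,3,11

# Log and drop everything else; there is no "pass all" catch-all.
add 4000 deny log ip from any to any

# Outbound NAT and final accept for packets sent here by skipto.
add 5000 divert natd ip from any to any out via tun0
add 5010 allow ip from any to any
```

With firewall_enable="YES" and firewall_type="/etc/ipfw.rules" in rc.conf, and net.inet.ip.fw.verbose set to 1, packets dropped by rule 4000 are logged by the kernel (on a stock FreeBSD syslog.conf they end up in /var/log/security), which is the file to read when a rearranged ruleset suddenly loses "all internet access": a denied outgoing UDP packet to port 53 there points straight at DNS.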




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200308090053.24606.dgw>