Date: Mon, 21 Oct 2002 20:46:31 -0500 From: Redmond Militante <r-militante@northwestern.edu> To: Dan Pelleg <daniel+fbsdq@pelleg.org> Cc: freebsd-questions@freebsd.org Subject: Re: need help with ipfw rules Message-ID: <20021022014631.GA477@darkpossum> In-Reply-To: <15796.42740.862970.400286@gs166.sp.cs.cmu.edu>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi thanks for responding On Mon, Oct 21, 2002 at 09:16:36PM -0400, Dan Pelleg expatiated with great perspicuity: > > > hi all > > > > my apologies, this could get long as i'm including the text of various > > config files: > > > > i've been trying to learn ipfw. i've recompiled a kernel with the > > following options > > > > ipfw add allow ip from any to any > typo > Do you really want to allow everything in, or is this just a typo? > If this rule is really in effect, the rest of the rules are > not doing anything. > > > ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0 > > I'm assuming "vua" is a typo - should be "via". > typo again > > ipfw add allow udp from any to any 53 > > ipfw add check-state > > You're not letting DNS replies to come back. You are allowing the queries > to go *out*, but when the remote server's reply packets hit the firewall > they have port 53 on the *source* address, not on the destination. > So they don't match that rule anymore and are discarded. > > What you probably want instead is: > ipfw add allow udp from any to any 53 keep-state > > i changed this line. boots up fine. webserver, ssh, nfs, mail, etc. work. there's only one problem i noticed right off the bat - it looks like ftp users can authenticate fine, but when their ftp client tries to bring up a list of files in their ftp directories, it hangs at 'getting file list...' any ideas on how to fix? thanks redmond > Another point: you're not using the "divert" rule for natd, > and I see you have NAT enabled in your rc.conf. This is likely to > be a problem later (well, you'll just not have NAT). > > A very good resource for this is /etc/rc.firewall. Just try > to follow what the "CLIENT", "SIMPLE" and "OPEN" targets > do, or even let them run, then output the generated ruleset > and use it as the skeleton of your own ruleset. > > Another useful debugging tool is "ipfw show" - typed repeatedly to watch > which counters increased and so to know which rules were hit. > Once you get into stateful filtering, you'll want "ipfw -d show". > > Having said that, good ol' tcpdump is always handy to have around. > Just fire up "tcpdump -ni XXX" with XXX for your external interface > and see what's going out and what's coming in. Once you start > firewalling for a network, a "tcpdump -ni III" with III being > the internal interface becomes useful as well, either in itself > or in addition to the external-watching tcpdump. > > -- > Dan Pelleg > > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9tK3rFNjun16SvHYRAnSNAJ9RPPcFelXQwS3R7ELFN+A8UdEWDwCgsJWS 3TUBFhcGrtRa9eCIrhrnv0w= =07L+ -----END PGP SIGNATURE----- [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9tK32FNjun16SvHYRArjaAJ4qvmPoLiNQh7iyNleDt5odagLZsQCcDPV5 33PDawW50BMxVnyM+oukyLY= =MoxY -----END PGP SIGNATURE-----home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021022014631.GA477>