From: Hiram Abiff
To: freebsd-questions@freebsd.org
Date: Mon, 14 Feb 2005 14:50:01 +0100
Subject: ppp_mode and ipfw

Hi!

I've been trying to set up ipfw on my FreeBSD box which I use as a gateway to the Internet on my LAN. I compiled the kernel with options IPFIREWALL and IPDIVERT, edited rc.conf and some other files. Now I have 2 problems:

1.) Each time FreeBSD boots, ppp automatically establishes a connection via ISDN. I do not want it to do that; I want the connection to be established when one of the other 2 boxes I have on my LAN runs software that demands an internet connection. For example, if I run Firefox on my Linux box, I want the FreeBSD box to receive the Linux box's request for a connection and dial my ISP via ISDN. In rc.conf I set ppp_mode="auto" because ppp's man page says that this is the correct mode for an on-demand connection.

2.) Although I set up my firewall rules, I cannot access anything on the outside net anymore, and my other 2 boxes can't access the Internet after setting up the firewall. Also I cannot access the squid proxy I set up on my FreeBSD box anymore. All of this was working before I set up the firewall.

What am I doing wrong? Why can't I access the net outside my home LAN and why doesn't squid work anymore?

Here's my firewall rule file:

fwcmd="/sbin/ipfw"
# Outside interface
oif="tun0"
# Inside interface
iif="rl0"

# Force a flushing of the current rules before reload
$fwcmd -f flush

# Check the state of all packets
$fwcmd add check-state

# Divert all packets through the tunnel interface.
# (was "via oif": without the "$" ipfw looks for an interface literally named "oif")
$fwcmd add divert natd all from any to any via $oif

# Allow all data from my network card and localhost
$fwcmd add allow all from any to any via lo0
# (was "via $ii0", a variable that is never set; the inside interface is $iif)
$fwcmd add allow ip from any to any via $iif

# Allow all connections that I initiate
$fwcmd add allow tcp from any to any out xmit $oif setup

# Once connections are made, allow them to stay open
$fwcmd add allow tcp from any to any via $oif established

# Everyone on the internet is allowed to connect
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 8080 setup
$fwcmd add allow tcp from any to any 53 setup
$fwcmd add allow tcp from any to any 4662 setup
# ("setup" only matches the TCP SYN, so it is dropped from the udp rule)
$fwcmd add allow udp from any to any 4672

# This sends a RESET to all ident packets
$fwcmd add reset log tcp from any to any 113 in recv $oif

# Allow outgoing DNS queries ONLY to the specified servers
$fwcmd add allow udp from any to 161.53.114.135 53 out xmit tun0
$fwcmd add allow udp from any to 161.53.114.145 53 out xmit tun0

# Allow them back in with the answers
$fwcmd add allow udp from 161.53.114.135 53 to any in recv $oif
$fwcmd add allow udp from 161.53.114.145 53 to any in recv $oif

# Allow ICMP
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.
#$fwcmd add 65435 deny log ip from any to any

--
"It was as though a veil had been rent. I saw on that ivory face the expression of sombre pride, of ruthless power, of craven terror -- of an intense and hopeless despair. Did he live his life again in every detail of desire, temptation, and surrender during that supreme moment of complete knowledge?"
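A check a reader can run over a rule file like the one above before loading it with ipfw, added here as an example and not taken from the post or from FreeBSD: it flags a bare shell variable name after via/xmit/recv (where "$oif" was meant), a "$name" that is never assigned in the file, and "setup" on a udp rule. The lint, the function names and the sample rule lines are all constructed for this example.

```shell
#!/bin/sh
# Constructed lint for ipfw rule scripts: flags three slips that make a rule
# match nothing or fail to load. It only reads the file; nothing is loaded.
lint_ipfw_rules() {
    # $1: rule file. Prints one finding per line; returns 1 if there were any.
    awk '
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ {   # shell assignment: remember the name
        name = $0; sub(/^[[:space:]]*/, "", name); sub(/=.*/, "", name); defined[name] = 1
    }
    /^[[:space:]]*#/ { next }                  # skip comment lines
    {
        line = $0                              # 1) every $name used must be assigned
        while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
            ref = substr(line, RSTART + 1, RLENGTH - 1)
            if (!(ref in defined)) { printf("%d: undefined $%s\n", NR, ref); n++ }
            line = substr(line, RSTART + RLENGTH)
        }
        for (i = 1; i < NF; i++) {             # 2) "via oif" where "via $oif" was meant
            nxt = $(i + 1)
            if (($i == "via" || $i == "xmit" || $i == "recv") && (nxt in defined)) {
                printf("%d: \"%s %s\" should be \"%s $%s\"\n", NR, $i, nxt, $i, nxt); n++
            }
        }
        if ($0 ~ /[[:space:]]udp[[:space:]]/ && $0 ~ /[[:space:]]setup([[:space:]]|$)/) {
            printf("%d: setup only matches the TCP SYN, drop it from this udp rule\n", NR); n++
        }
    }
    END { exit (n > 0) }
    ' "$1"
}
# Constructed sample reproducing the slips in the rule file above.
sample_rules() {
    cat <<'EOF'
fwcmd="/sbin/ipfw"
oif="tun0"
iif="rl0"
$fwcmd add divert natd all from any to any via oif
$fwcmd add allow ip from any to any via $ii0
$fwcmd add allow udp from any to any 4672 setup
$fwcmd add allow tcp from any to any via $oif established
EOF
}
# Lint the file named on the command line, or the constructed sample when none is given.
if [ $# -gt 0 ]; then
    lint_ipfw_rules "$1"
else
    tmp=$(mktemp); sample_rules > "$tmp"
    lint_ipfw_rules "$tmp" || echo "(3 findings expected for the sample)"
    rm -f "$tmp"
fi
```

Line numbers in the findings refer to the rule file, so they can be checked against the file before it is loaded.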