From owner-freebsd-questions@FreeBSD.ORG Tue May 3 21:21:21 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 855C016A4CE for ; Tue, 3 May 2005 21:21:21 +0000 (GMT) Received: from mta13.adelphia.net (mta13.mail.adelphia.net [68.168.78.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id E874A43D6A for ; Tue, 3 May 2005 21:21:19 +0000 (GMT) (envelope-from bob@a1poweruser.com) Received: from barbish ([69.172.31.81]) by mta13.adelphia.net (InterMail vM.6.01.04.01 201-2131-118-101-20041129) with SMTP id <20050503212113.IROR4191.mta13.adelphia.net@barbish>; Tue, 3 May 2005 17:21:13 -0400 From: To: "Nicholas Henry" , Date: Tue, 3 May 2005 17:21:08 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) Importance: Normal In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Subject: RE: IPFW custom rules file not loading X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: bob@a1poweruser.com List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 May 2005 21:21:21 -0000 You did not follow handbook instruction close enough. Your rc.conf statements are not correct. Use the ones from the handbook just like they are printed. -----Original Message----- From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Nicholas Henry Sent: Tuesday, May 03, 2005 3:18 PM To: freebsd-questions@freebsd.org Subject: IPFW custom rules file not loading FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC 2004 I'm a new BSD user installing the OS for the first time. Everything is running well except the firewall. IPFW is not loading the custom rules set I have created at startup/boot (although it does say it has but when I ipfw list it only gives me the one default rule). I assume it is related to this area that I received on the console: May 3 14:25:22 babe kernel: firewall_enable: not found May 3 14:25:22 babe kernel: ipfw2 initialized, divert disabled, rule-based forwarding dis$ May 3 14:25:22 babe kernel: Flushed all rules. May 3 14:25:22 babe kernel: Line 3: May 3 14:25:22 babe kernel: bad command `ipfw' May 3 14:25:22 babe kernel: May 3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons: May 3 14:25:22 babe kernel: firewall_enable: not found May 3 14:25:22 babe kernel: . May 3 14:25:22 babe kernel: net.inet.ip.fw.enable: May 3 14:25:22 babe kernel: 1 May 3 14:25:22 babe kernel: -> May 3 14:25:22 babe kernel: 1 I'm refering to the "bad command 'ipfw'" line. I'm also concerned about the "firewall_enable" not found message. I have included the relevant rc.conf setting and the custom rules file (based on the ruleset from the handbook). I'm currently setting up a firewall for this machine that is connected to a D-Link router. My questions are: Why am I getting the bad command msg? Do I need to be concerned about the "firewall_enabled: not found" Any help would be much appreciated, thank you. ** start rc.conf snippet ** firewall_enable="YES" firewall_script="/etc/rc.firewall" firewall_type="/etc/ipfw.rules" firewall_quiet="NO" firewall_logging="NO" firewall_flags="" ** send rc.conf snippet ** ** start ipfw.rules ** #!/bin/sh # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" skip="skipto 801" pif="fxp0" #found by doing a ifconfig or netstat -nr # public interface name of NIC ################################################################# # No restrictions on Inside LAN Interface for private network # Change xl0 to your LAN NIC interface name ################################################################# # $cmd 005 allow all from any to any via xl0 # don't have a separate interface so won't worry about this ################################################################# # No restrictions on Loopback Interface ################################################################# $cmd 010 allow all from any to any via lo0 ################################################################# # check if packet is inbound and nat address if it is ################################################################# # $cmd 014 divert natd ip from any to any in via $pif ################################################################# # Allow the packet through if it has previous been added to the # the "dynamic" rules table by a allow keep-state statement. ################################################################# $cmd 015 check-state ################################################################# # Interface facing Public Internet (Outbound Section) # Interrogate session start requests originating from behind the # firewall on the private network or from this gateway server # destine for the public Internet. ################################################################# # Allow out access to my ISP's Domain name server. # x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 020 $skip tcp from any to 24.153.22.67 53 out via $pif setup keep-state $cmd 020 $skip tcp from any to 24.153.22.66 53 out via $pif setup keep-state # Allow out access to my ISP's DHCP server for cable/DSL configurations. # This is for the internal router $cmd 030 $skip udp from any to 198.168.1.1 67 out via $pif keep-state # Allow out non-secure standard www function $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state $cmd 040 $skip tcp from any to any 8989 out via $pif setup keep-state # Allow out secure www function https over TLS SSL $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state # Allow out send & get email function $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state # Allow out FreeBSD (make install & CVSUP) functions # Basically give user root "GOD" privileges. $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root # Allow out ping $cmd 080 $skip icmp from any to any out via $pif keep-state # Allow out Time $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state # Allow out nntp news (i.e. news groups) $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state # Allow out secure FTP, Telnet, and SCP # This function is using SSH (secure shell) $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state # Allow out whois $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state # Allow ntp time server $cmd 130 $skip udp from any to any 123 out via $pif keep-state ################################################################# # Interface facing Public Internet (Inbound Section) # Interrogate packets originating from the public Internet # destine for this gateway server or the private network. ################################################################# # Deny all inbound traffic from non-routable reserved address spaces #$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 #private IP #$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 #private IP #$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 #private IP #$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback #$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback #$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP #auto-config #$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for #docs #$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster #$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E #multicast # Deny ident $cmd 315 deny tcp from any to any 113 in via $pif # Deny all Netbios service. 137=name, 138=datagram, 139=session # Netbios is MS/Windows sharing services. # Block MS/Windows hosts2 name server requests 81 $cmd 320 deny tcp from any to any 137 in via $pif $cmd 321 deny tcp from any to any 138 in via $pif $cmd 322 deny tcp from any to any 139 in via $pif $cmd 323 deny tcp from any to any 81 in via $pif # Deny any late arriving packets $cmd 330 deny all from any to any frag in via $pif # Deny ACK packets that did not match the dynamic rule table $cmd 332 deny tcp from any to any established in via $pif # Allow traffic in from ISP's DHCP server. This rule must contain # the IP address of your ISP's DHCP server as it's the only # authorized source to send this packet type. # Only necessary for cable or DSL configurations. # This rule is not needed for 'user ppp' type connection to # the public Internet. This is the same IP address you captured # and used in the outbound section. $cmd 360 allow udp from 24.153.23.66 to any 68 in via $pif keep-state $cmd 360 allow udp from 24.153.23.67 to any 68 in via $pif keep-state # Allow in standard www function because I have Apache server $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2 $cmd 370 allow tcp from any to me 8989 in via $pif setup limit src-addr 2 # Allow in secure FTP, Telnet, and SCP from public Internet $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Allow in non-secure Telnet session from public Internet # labeled non-secure because ID & PW are passed over public # Internet as clear text. # Delete this sample group if you do not have telnet server enabled. $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2 # Reject & Log all unauthorized incoming connections from the public Internet $cmd 400 deny log all from any to any in via $pif # Reject & Log all unauthorized out going connections to the public Internet $cmd 450 deny log all from any to any out via $pif # This is skipto location for outbound stateful rules # $cmd 800 divert natd ip from any to any out via $pif $cmd 801 allow ip from any to any # Everything else is denied by default # deny and log all packets that fell through to see what they are $cmd 999 deny log all from any to any ** end ipfw.rules ** _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"