Date:      Sun, 14 Sep 2003 08:52:27 +0000
From:      Nathan Kinkade <nkinkade@fastmail.fm>
To:        Robert Storey <y2kbug@ms25.hinet.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: firewall
Message-ID:  <20030914085227.GB20261@npkfbsd>
In-Reply-To: <20030914172715.20a91c69.y2kbug@ms25.hinet.net>
References:  <20030914172715.20a91c69.y2kbug@ms25.hinet.net>


On Sun, Sep 14, 2003 at 05:27:15PM +0800, Robert Storey wrote:
> Dear All,
> 
> I'm having a hard time configuring a firewall. I ALMOST understand it,
> but I've run into one problem. I think I don't actually have my
> /etc/rc.firewall set up properly. Maybe I don't really understand what
> the "ip" setting should be, and I've made it the same as my "net"
> setting. Anyway, what I can say is that with the configuration I have, I
> can access my internal (ethernet) network, but ppp is totally blocked,
> which of course I don't want.
> 
> Below are the configuration settings I've made, and the results I get. I
> hope that somebody can help.
> 
> best regards,
> Robert Storey
> 
> FROM /etc/rc.conf:
> 
>   firewall_enable="YES"
>   firewall_script="/etc/rc.firewall"
>   firewall_type="client"
> 
> FROM /etc/rc.firewall:
> 
> 	# set these to your network and netmask and ip
> 	net="192.168.0.2"
> 	mask="255.255.255.0"
> 	ip="192.168.0.2"
> 
> CONTENT OF /etc/hosts:
> #
> ::1			localhost localhost.utopia.com
> 127.0.0.1		localhost localhost.utopia.com
> #
> 192.168.0.3	ibm.utopia.com	ibm
> 192.168.0.2	sonic.utopia.com	sonic
> 192.168.0.1	pro.utopia.com	pro
> 
> 
> OUTPUT OF "ipfw -a list":
>=20
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 allow ip from 192.168.0.2 to 192.168.0.0/24
> 00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.2
> 00600 0 0 allow tcp from any to any established
> 00700 0 0 allow ip from any to any frag
> 00800 0 0 allow tcp from any to 192.168.0.2 dst-port 25 setup
> 00900 0 0 allow tcp from 192.168.0.2 to any setup
> 01000 0 0 deny tcp from any to any setup
> 01100 0 0 allow udp from 192.168.0.2 to any dst-port 53 keep-state
> 01200 0 0 allow udp from 192.168.0.2 to any dst-port 123 keep-state
> 65535 0 0 deny ip from any to any

It doesn't look like it's really made a difference, but your "net" setting
should be 192.168.0.0.  The rules you pasted would appear to allow your
local machine (192.168.0.2) out - the other interesting thing is that all
of the counters in your listing are 0.  If everything were totally broken I
would still expect to see the counters for rule 65535 with values.  Is
this box a gateway on your network or just another machine on the LAN?
What is the output of `ifconfig -a'?

Nathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE/ZCxLO0ZIEthSfkkRAvsSAKCfwe3+mHNCY/rVZonuy/AA5P6R1ACfe4Wu
sqRxx1j3+6cBwb2RNGwJs+I=
=lCkL
-----END PGP SIGNATURE-----




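The two points Nathan raises (the "net" value not really mattering, and every counter sitting at 0) are easy to see by walking the posted ruleset by hand. The following is an added illustration, not FreeBSD's ipfw code or anything from the thread: a first-match evaluator for the rule subset that appears in the `ipfw -a list` output above. It feeds three constructed packets through the rules and records which rule stops each one. The ppp-side address (10.0.0.5) and the ppp interface name (tun0) are assumptions; the original post shows neither, and stateful `keep-state` dynamic rules are not modelled.

```python
"""Added example: first-match evaluation of the ipfw(8) rules from the thread.
Not FreeBSD code; ppp address 10.0.0.5 and interface tun0 are assumptions."""
import ipaddress
import re

# Rules exactly as printed by `ipfw -a list` in the thread (counters dropped).
RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from 192.168.0.2 to 192.168.0.0/24
00500 allow ip from 192.168.0.0/24 to 192.168.0.2
00600 allow tcp from any to any established
00700 allow ip from any to any frag
00800 allow tcp from any to 192.168.0.2 dst-port 25 setup
00900 allow tcp from 192.168.0.2 to any setup
01000 deny tcp from any to any setup
01100 allow udp from 192.168.0.2 to any dst-port 53 keep-state
01200 allow udp from 192.168.0.2 to any dst-port 123 keep-state
65535 deny ip from any to any
"""

RULE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>\w+)\s+"
                     r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<opts>.*)$")


def normalize_net(net, mask):
    """What ipfw stores for net:mask. strict=False mirrors ipfw applying the
    mask, so net="192.168.0.2" with a /24 mask still becomes 192.168.0.0/24."""
    return str(ipaddress.ip_network(f"{net}/{mask}", strict=False))


def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_ruleset(text):
    """Parse the `ipfw list` subset used above into dicts, sorted by number."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        opts = m["opts"].split()
        rules.append({
            "num": int(m["num"]), "action": m["action"], "proto": m["proto"],
            "src": _net(m["src"]), "dst": _net(m["dst"]),
            "via": opts[opts.index("via") + 1] if "via" in opts else None,
            "dport": int(opts[opts.index("dst-port") + 1]) if "dst-port" in opts else None,
            "setup": "setup" in opts, "established": "established" in opts,
            "frag": "frag" in opts,
        })
    return sorted(rules, key=lambda r: r["num"])


def _matches(rule, pkt):
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["frag"] and not pkt.get("frag"):
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    # "setup" is a SYN without ACK (new connection); "established" is any
    # segment carrying ACK or RST.
    if rule["setup"] and not (pkt.get("syn") and not pkt.get("ack")):
        return False
    if rule["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True


def evaluate(rules, pkt, counters):
    """Return (rule number, action) of the first match and bump its counter,
    as `ipfw -a list` would show it."""
    for rule in rules:
        if _matches(rule, pkt):
            counters[rule["num"]] = counters.get(rule["num"], 0) + 1
            return rule["num"], rule["action"]
    raise RuntimeError("no match; a real ipfw ruleset always ends in 65535")


def demo():
    rules, counters = parse_ruleset(RULESET), {}
    # Constructed packets. The LAN SYN is sourced from 192.168.0.2 and is
    # allowed by rule 400. Packets leaving over ppp are sourced from the
    # ppp-side address (assumed 10.0.0.5 on assumed tun0), so rules 900, 1100
    # and 1200, which all require "from 192.168.0.2", never match them.
    packets = {
        "lan_ssh": {"proto": "tcp", "src": "192.168.0.2", "dst": "192.168.0.3",
                    "dport": 22, "syn": True, "ack": False, "iface": "fxp0"},
        "ppp_http": {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.10",
                     "dport": 80, "syn": True, "ack": False, "iface": "tun0"},
        "ppp_dns": {"proto": "udp", "src": "10.0.0.5", "dst": "198.51.100.53",
                    "dport": 53, "iface": "tun0"},
    }
    results = {name: evaluate(rules, p, counters) for name, p in packets.items()}
    return results, counters


if __name__ == "__main__":
    print(normalize_net("192.168.0.2", "255.255.255.0"))
    for k, v in demo()[0].items():
        print(k, v)
```

The point to take from running it: with this ruleset the LAN SYN stops at rule 400 (allow), the outbound ppp SYN falls through to rule 1000 (deny), and the ppp DNS query reaches 65535 (deny). Any of those would leave non-zero counters in `ipfw -a list`, which is why an all-zero listing suggests the ruleset being displayed is not the one traffic is actually passing through.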
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030914085227.GB20261>