From: Nathan Kinkade <nkinkade@fastmail.fm>
To: Robert Storey
Cc: freebsd-questions@freebsd.org
Date: Sun, 14 Sep 2003 08:52:27 +0000
Subject: Re: firewall
Message-ID: <20030914085227.GB20261@npkfbsd>
In-Reply-To: <20030914172715.20a91c69.y2kbug@ms25.hinet.net>
List: freebsd-questions (User questions)
On Sun, Sep 14, 2003 at 05:27:15PM +0800, Robert Storey wrote:
> Dear All,
>
> I'm having a hard time configuring a firewall. I ALMOST understand it,
> but I've run into one problem. I think I don't actually have my
> /etc/rc.firewall set up properly. Maybe I don't really understand what
> the "ip" setting should be, and I've made it the same as my "net"
> setting. Anyway, what I can say is that with the configuration I have, I
> can access my internal (ethernet) network, but ppp is totally blocked,
> which of course I don't want.
>
> Below are the configuration settings I've made, and the results I get. I
> hope that somebody can help.
>
> best regards,
> Robert Storey
>
> FROM /etc/rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="client"
>
> FROM /etc/rc.firewall:
>
> # set these to your network and netmask and ip
> net="192.168.0.2"
> mask="255.255.255.0"
> ip="192.168.0.2"
>
> CONTENT OF /etc/hosts:
> #
> ::1 localhost localhost.utopia.com
> 127.0.0.1 localhost localhost.utopia.com
> #
> 192.168.0.3 ibm.utopia.com ibm
> 192.168.0.2 sonic.utopia.com sonic
> 192.168.0.1 pro.utopia.com pro
>
>
> OUTPUT OF "ipfw -a list":
>
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 allow ip from 192.168.0.2 to 192.168.0.0/24
> 00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.2
> 00600 0 0 allow tcp from any to any established
> 00700 0 0 allow ip from any to any frag
> 00800 0 0 allow tcp from any to 192.168.0.2 dst-port 25 setup
> 00900 0 0 allow tcp from 192.168.0.2 to any setup
> 01000 0 0 deny tcp from any to any setup
> 01100 0 0 allow udp from 192.168.0.2 to any dst-port 53 keep-state
> 01200 0 0 allow udp from 192.168.0.2 to any dst-port 123 keep-state
> 65535 0 0 deny ip from any to any

It doesn't look like it's really made a diff, but your "net" setting
should be 192.168.0.0. The rules you pasted would appear to allow your
local machine (192.168.0.2) out - the other interesting thing is that all
of the counters in your listing are 0. If everything was totally broken I
would still expect to see the counters for rule 65535 with values.

Is this box a gateway on your network or just another machine on the LAN?
What is the output of `ifconfig -a'?

Nathan
--
gpg --keyserver pgp.mit.edu --recv-keys D8527E49
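The two checks Nathan makes by eye (is "net" really the network address for the given ip/mask, and are the rule counters plausible) can be scripted. The following is an added example, not code from the thread or from FreeBSD's rc.firewall; it embeds the posted values and the posted `ipfw -a list` output as constructed sample input, and the second "live" listing is made up to show what a ruleset that is actually seeing traffic looks like. Function names (`network_of`, `net_matches`, `rules_with_traffic`, `deny_rules_hit`) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for an rc.firewall
# "client" setup. The values and ruleset below are the ones posted in the
# question, embedded here as constructed sample input.

# "net" should be the network address, i.e. ip AND mask, octet by octet.
# network_of 192.168.0.2 255.255.255.0 prints 192.168.0.0
network_of() {
    _ip=$1 _mask=$2
    _oldifs=$IFS
    IFS=.
    set -- $_ip
    i1=$1 i2=$2 i3=$3 i4=$4
    set -- $_mask
    m1=$1 m2=$2 m3=$3 m4=$4
    IFS=$_oldifs
    printf '%d.%d.%d.%d\n' $((i1 & m1)) $((i2 & m2)) $((i3 & m3)) $((i4 & m4))
}

# Succeeds when "net" is the network address for ip/mask. ipfw itself
# normalises 192.168.0.2/24 to 192.168.0.0/24 (which is why the posted rules
# 400 and 500 still came out right), but the setting is wrong all the same.
net_matches() {
    [ "$1" = "$(network_of "$2" "$3")" ]
}

# Constructed sample: the listing from the question, as "ipfw -a list"
# prints it (rule number, packet count, byte count, rule body).
POSTED_LISTING='00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow ip from 192.168.0.2 to 192.168.0.0/24
00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.2
00600 0 0 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 192.168.0.2 dst-port 25 setup
00900 0 0 allow tcp from 192.168.0.2 to any setup
01000 0 0 deny tcp from any to any setup
01100 0 0 allow udp from 192.168.0.2 to any dst-port 53 keep-state
01200 0 0 allow udp from 192.168.0.2 to any dst-port 123 keep-state
65535 0 0 deny ip from any to any'

# Constructed listing for a firewall that is actually evaluating traffic:
# the loopback rule, the established rule and the default deny have counted.
LIVE_LISTING='00100 42 3360 allow ip from any to any via lo0
00600 17 2210 allow tcp from any to any established
65535 5 400 deny ip from any to any'

# Print the number of rules whose packet counter is non-zero. A host that has
# passed any traffic at all shows counts on at least one rule (if nothing
# else, the default deny 65535); all-zero counters mean the listed ruleset
# is not being evaluated against the traffic the user is describing.
rules_with_traffic() {
    printf '%s\n' "$1" | awk '$2 > 0 { n++ } END { print n + 0 }'
}

# Print the numbers of deny rules that have dropped packets, one per line,
# so a "blocked" report can be matched to the rule responsible.
deny_rules_hit() {
    printf '%s\n' "$1" | awk '$2 > 0 && $4 == "deny" { print $1 }'
}

# Walk through the posted values.
ip=192.168.0.2 mask=255.255.255.0 net=192.168.0.2
if net_matches "$net" "$ip" "$mask"; then
    echo "net=$net is the network address for $ip/$mask"
else
    echo "net=$net should be $(network_of "$ip" "$mask")"
fi
echo "rules with traffic in posted listing: $(rules_with_traffic "$POSTED_LISTING")"
echo "rules with traffic in live listing:   $(rules_with_traffic "$LIVE_LISTING")"
echo "deny rules hit in live listing:       $(deny_rules_hit "$LIVE_LISTING")"
```

Run it as-is to see the posted configuration diagnosed; to check a real box, replace `POSTED_LISTING` with the output of `ipfw -a list` and the three variables with the values from `/etc/rc.firewall`. The counter check is the more telling one: a ruleset in which even rule 65535 has never matched is not what is blocking ppp, so the next step is the question Nathan asks, whether this host is the gateway and what `ifconfig -a` shows.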