Date: Fri, 16 Apr 2004 18:15:14 +0200
From: "RazorOnFreeBSD" <yann.luppo@attglobal.net>
To: "Mark" <boxend@redtick.homeunix.com>, <freebsd-questions@freebsd.org>
Subject: Re: firewall rules error
Message-ID: <00d301c423ce$005a4e90$0f01a8c0@razor>
References: <005401c4238f$f4d9dab0$0f01a8c0@razor> <20040416161243.GA8785@redtick.homeunix.com>
Whatever the rules I'm using, I get this message when booting and starting ipfw:

ipfw: bad arguments, for usage summary "ipfw"

except if I use the /etc/rc.firewall file, but that's another "I don't know why?": it doesn't work with the "SIMPLE" argument in /etc/rc.conf and modified with the right values.
Do you think this message comes from the fwcmd="/sbin/ipfw" line? I also verified, because I was curious, that the ipfw executable file of course exists in my /sbin directory....

> read man ipfw and look at this
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/rules.html
> for a basic pattern to follow.
> Until you get the basics down keep it simple.
>
>
> ### basic rules, ipfw
> ## fxp0 lan helps you remember later what you are working with
> ## dc0 wan
> ## lo0 loop
> ############### first match rule applies #############
>
> # Define the firewall command (as in /etc/rc.firewall) for easy
> # reference. Helps to make it easier to read.
> fwcmd="/sbin/ipfw"
>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via dc0
>
> # Allow all data from my network card and localhost.
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via fxp0
>
> # Allow all connections that I initiate.
> $fwcmd add allow tcp from any to any out xmit dc0 setup
>
> # Once connections are made, allow them to stay open.
> $fwcmd add allow tcp from any to any via dc0 established
>
> # RESET ident packets.
> #$fwcmd add reset log tcp from any to any 113 in recv dc0
>
> # Allow outgoing DNS queries ONLY to the specified servers.
> $fwcmd add allow udp from any to x.x.x.x 53 out xmit dc0
>
> # Allow them back in with the answer
> $fwcmd add allow udp from x.x.x.x 53 to any in recv dc0
>
> # Allow ICMP (for ping and traceroute to work). You may wish to
> # disallow this, but I feel it suits my needs to keep them in.
> $fwcmd add allow icmp from any to any
>
> # Deny all the rest.
> $fwcmd add deny log ip from any to any
> ######################################## end of rules
>
>
> On Fri, Apr 16, 2004 at 10:51:05AM +0200, RazorOnFreeBSD wrote:
> > Hi everyone,
> >
> > I'm trying to write my own rules for ipfw under 4.9 STABLE.
> > But every time I try to use the file with my rules .... my network is totally blocked and the "ipfw show" command returns:
> >
> > 65535 38 2311 deny ip from any to any
> >
> > I think there's a problem in my rules file and the system replaces my rules with this one, but I can't figure out what the problem is; my rules file is really short compared to what I sometimes saw on the Internet:
> >
> > ----------------------------------------------------------------------------
> > fwcmd="/sbin/ipfw"
> > oif="dc0"
> > iif="dc1"
> >
> > ${fwcmd} -f flush
> > ${fwcmd} add check-state
> >
> > ${fwcmd} add deny ip from any to any in via $oif verrevpath
> >
> > add 050 divert natd all from any to any via $oif
> > add 100 pass all from any to any via lo0
> > add 200 deny all from any to 127.0.0.0/8
> > add 300 deny ip from 127.0.0.0/8 to any
> >
> > ${fwcmd} add allow ip from me to any via $oif keep-state
> >
> > ${fwcmd} add allow icmp from any to any via $oif icmptypes 0,3,11,12
> >
> > ${fwcmd} add allow tcp from any to me dst-port 22 in via $iif setup keep-state
> >
> > ${fwcmd} add deny log ip from any to any
> > ----------------------------------------------------------------------------
> >
> > Can anybody tell me what's wrong?
> >
> > Thanks.
> >
> > razor.
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
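An added example, written for this archive page and not taken from either poster's mail or from FreeBSD itself. An ipfw rules file can be fed to ipfw in one of two ways: handed to ipfw(8) directly, in which case ipfw reads it one command per line with no leading `ipfw` word, or executed by the shell, in which case every rule line must be a real command, i.e. prefixed with `${fwcmd}`. A file that mixes the two styles is valid in neither mode (the shell has no `add` command, and ipfw cannot parse `fwcmd="/sbin/ipfw"`), so the POSIX sh checker below classifies each line as SHELL, BARE, ASSIGN, SKIP or OTHER and reports whether a file is consistent before it is ever loaded at boot. The sample file is a constructed copy of the rules quoted above; the variable name `fwcmd` and the treatment of `-f flush` as a rule line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): detect an ipfw rules file that mixes
# shell-style lines ("${fwcmd} add ...") with bare ipfw-style lines ("add ...").
# Assumption: the firewall command variable is called fwcmd, as in the mails.

# Classify one line. Prints SKIP (blank/comment), SHELL (prefixed with the
# fwcmd variable), ASSIGN (shell variable assignment), BARE (an unprefixed
# ipfw command, only valid in a file ipfw reads itself) or OTHER.
classify_line() {
    # Strip leading whitespace so indented lines classify the same way.
    line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    case "$line" in
        ''|'#'*)                                      echo SKIP ;;
        '${fwcmd}'*|'$fwcmd'*)                        echo SHELL ;;
        [A-Za-z_]*=*)                                 echo ASSIGN ;;
        'add '*|'delete '*|'-f '*|'flush'*|'zero'*)   echo BARE ;;
        *)                                            echo OTHER ;;
    esac
}

# Report the overall format of a rules file: shell, ipfw, mixed or empty.
rules_file_format() {
    nshell=0; nbare=0
    while IFS= read -r l || [ -n "$l" ]; do
        case "$(classify_line "$l")" in
            SHELL) nshell=$((nshell + 1)) ;;
            BARE)  nbare=$((nbare + 1)) ;;
        esac
    done < "$1"
    if [ "$nshell" -gt 0 ] && [ "$nbare" -gt 0 ]; then echo mixed
    elif [ "$nshell" -gt 0 ]; then echo shell
    elif [ "$nbare" -gt 0 ]; then echo ipfw
    else echo empty
    fi
}

# Print every bare (unprefixed) rule line with its line number, so the
# offending lines can be fixed one way or the other.
list_bare_lines() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        [ "$(classify_line "$l")" = BARE ] && printf '%d: %s\n' "$n" "$l"
    done < "$1"
    return 0
}

# Constructed sample: a copy of the rules file quoted in the thread.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
fwcmd="/sbin/ipfw"
oif="dc0"
iif="dc1"

${fwcmd} -f flush
${fwcmd} add check-state

${fwcmd} add deny ip from any to any in via $oif verrevpath

add 050 divert natd all from any to any via $oif
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any

${fwcmd} add allow ip from me to any via $oif keep-state

${fwcmd} add allow icmp from any to any via $oif icmptypes 0,3,11,12

${fwcmd} add allow tcp from any to me dst-port 22 in via $iif setup keep-state

${fwcmd} add deny log ip from any to any
EOF

echo "format: $(rules_file_format "$SAMPLE_RULES")"   # mixed
list_bare_lines "$SAMPLE_RULES"
```

Run it against the real file instead of the constructed sample by replacing `$SAMPLE_RULES` with the path named in rc.conf; a result of `shell` means the file is only usable as a script the shell executes, `ipfw` means it is only usable as a file handed to ipfw directly, and `mixed` means it will fail either way until the listed lines are made consistent with the rest.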