Date: Wed, 5 Jan 2000 08:26:58 -0800
From: -DAL- <dylanal@earthlink.net>
To: Kevin Weiss <kweiss@jump.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ping and "simple" firewall conflict with internal IP's
Message-ID: <20000105082658.A3375@cbl-dylanal.hs.earthlink.net>
In-Reply-To: <4.1.20000104192010.00929100@pop.jump.net>; from Kevin Weiss on Tue, Jan 04, 2000 at 07:30:51PM -0600
References: <4.1.20000104192010.00929100@pop.jump.net>
On Tue, Jan 04, 2000 at 07:30:51PM -0600, Kevin Weiss wrote:
> I just added the following ipfw command to my "simple" firewall:
> $fwcmd add pass icmp from any to any
>
> I can't ping out until I comment out:
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>
> My internal hosts are using the 192.168.x.x addresses, but is there
> a way to allow the ping command while denying any external hosts
> with the 192.168.x.x addresses?
>
> Thanks in advance,
>
> Kevin Weiss
> kweiss@jump.net
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

Kevin, when you added the:

> $fwcmd add pass icmp from any to any

command, did you add it before the deny commands? The code will go through
the rule list until it finds the first match, so if the deny lines come
before the icmp pass command, it will match the deny line first and never
get to the icmp pass command. The solution: just ensure the icmp command
comes first so the icmp packets will match the icmp line, get passed
through, and never see the deny lines.

It might help if you sent us the output of an ipfw list.

HTH
-DAL-
--
-DAL- dylanal@NOSPAMearthlink.net
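The first-match behaviour described in the reply, worked through in a small model. This is an added example, not code from the thread or from FreeBSD's rc.firewall: it is a deliberately simplified Python imitation of how ipfw walks its rule list and stops at the first match, supporting only the rule syntax that appears above (`deny`/`pass`, `all`/`icmp`, the old `net:mask` address form, optional `in`/`out`, and `via <iface>`). It assumes an outside interface named `ed0` standing in for `${oif}`, a default-to-deny kernel (rule 65535), and two constructed packets: an internal host's echo request leaving via the outside interface, and an echo request arriving on that interface with a spoofed 192.168.x.x source. Besides confirming that moving the ICMP pass rule ahead of the deny rules makes the outbound ping work, it shows the trade-off a practitioner should check with `ipfw list`: a blanket `pass icmp from any to any` placed first also exempts spoofed inbound ICMP from the RFC1918 deny rules. The third ordering (`NARROWED`, my own suggestion, not from the thread) keeps an `in via ${oif}` deny ahead of the ICMP pass so that the original poster's stated goal, ping working while private-sourced packets from outside are still dropped, is met.

```python
import ipaddress

# Constructed, simplified model of how ipfw walks its rule list: the first
# rule that matches decides the packet's fate.  This is NOT ipfw itself; it
# understands only the subset of the syntax used in the thread:
#   <action> <proto> from <addr> to <addr> [in|out] [via <iface>]
# where <addr> is "any" or the old ipfw "net:mask" form.

def _parse_addr(tok):
    """'any' matches everything; 'a.b.c.d:m.m.m.m' is ipfw's addr:mask form."""
    if tok == "any":
        return None
    net, mask = tok.split(":")
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)

def parse_rule(text):
    """Parse one rule body, e.g. 'deny all from 192.168.0.0:255.255.0.0 to any via ed0'."""
    tok = text.split()
    if len(tok) < 6 or tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rule = {"action": tok[0], "proto": tok[1],
            "src": _parse_addr(tok[3]), "dst": _parse_addr(tok[5]),
            "dir": None, "via": None}
    rest = tok[6:]
    if rest and rest[0] in ("in", "out"):
        rule["dir"] = rest.pop(0)
    if rest:
        if rest[0] != "via" or len(rest) != 2:
            raise ValueError(f"unsupported rule syntax: {text!r}")
        rule["via"] = rest[1]
    return rule

def _matches(rule, pkt):
    """True if every constraint in the rule holds for the packet."""
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dir"] is not None and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] is not None and rule["via"] != pkt["iface"]:
        return False
    return True

def evaluate(rules, pkt):
    """Return (action, text of the deciding rule).  Nothing matching falls
    through to a default deny, mirroring rule 65535 in a default-to-deny
    kernel (an assumption of this model)."""
    for text in rules:
        rule = parse_rule(text)
        if _matches(rule, pkt):
            return rule["action"], text
    return "deny", "default rule 65535"

OIF = "ed0"  # assumed name for the outside interface ${oif}

ANTI_SPOOF = [
    f"deny all from 192.168.0.0:255.255.0.0 to any via {OIF}",
    f"deny all from any to 192.168.0.0:255.255.0.0 via {OIF}",
]
PASS_ICMP = ["pass icmp from any to any"]

# Constructed packets: an internal host's echo request leaving via ${oif},
# and a spoofed echo request arriving on ${oif} with a private source address.
PING_OUT = {"proto": "icmp", "src": "192.168.1.10", "dst": "198.51.100.7",
            "dir": "out", "iface": OIF}
SPOOFED_IN = {"proto": "icmp", "src": "192.168.1.99", "dst": "203.0.113.2",
              "dir": "in", "iface": OIF}

def ordering_results(rules):
    """Fate of both packets under one ordering, as (ping_out, spoofed_in)."""
    return evaluate(rules, PING_OUT)[0], evaluate(rules, SPOOFED_IN)[0]

AS_POSTED = ANTI_SPOOF + PASS_ICMP    # deny rules first: outbound ping is denied
ICMP_FIRST = PASS_ICMP + ANTI_SPOOF   # pass first: ping works, but so does spoofed ICMP
NARROWED = [                          # drop spoofed *inbound* first, then pass ICMP
    f"deny all from 192.168.0.0:255.255.0.0 to any in via {OIF}",
    f"deny all from any to 192.168.0.0:255.255.0.0 in via {OIF}",
] + PASS_ICMP + ANTI_SPOOF

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("icmp first", ICMP_FIRST),
                        ("narrowed", NARROWED)):
        out, spoofed = ordering_results(rules)
        print(f"{name:11s} ping out -> {out:4s}  spoofed in -> {spoofed}")
```

The model stops at the first matching rule exactly as the reply describes, so reordering changes the outcome without changing any rule; that is also why `ipfw list` output, with rule numbers in evaluation order, is the right thing to ask for when debugging a ruleset.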
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000105082658.A3375>