Date:      Sat, 10 Jun 2000 14:46:20 -0400 (EDT)
From:      Greg Hormann <ghormann@alumni.indiana.edu>
To:        John F Cuzzola <vdrifter@ocis.ocis.net>
Cc:        security@freebsd.org
Subject:   Re: Setting up simple firewall with ipfw
Message-ID:  <Pine.BSF.4.05.10006101434190.1793-100000@hormann.tzo.cc>
In-Reply-To: <Pine.LNX.4.21.0006101100070.19094-100000@ocis.ocis.net>


Thanks.  ssh/ftp now work correctly through the firewall.

Logging still doesn't work.  (It's not showing up in /var/log/* or the
console.  I've tried playing with net.inet.ip.fw.verbose_limit, but that
didn't help either.)

As for the first question, I think I may have figured it out.  Haven't
tried it yet, but I could have my firewall script figure out the current 
ip from ifconfig.  Then, I would just need to call my firewall script each
time a new IP address was assigned. (Should be easy using hooks from
dhclient)

Thanks again.

Greg.

On Sat, 10 Jun 2000, John F Cuzzola wrote:

> 
> *** by default firewall messages are logged in /var/log/messages (I
> think). I usually create a separate file for firewall logging
> (/var/log/firewall.log) then change /etc/syslogd.conf appropriately

> 
> *** you have rules with the same numbers (two rules 100 & 200). In my
> experience with FreeBSD 4 this sometimes causes problems. Renumber your
> rules so each one has its own unique rule number. Your ssh setup looks
> like it should work. SSH only uses tcp so the rule:
> > 00500   0     0 allow udp from any to any 22
> can be deleted.
> 
> as for ftp. When you are using true ftp (instead of passive) a connection
> is made FROM a computer port 20 TO you on some port. So the rules:
> 
> > 00700   0     0 allow tcp from any to any 20 via ed0
> > 00800   0     0 allow tcp from any to any 21 via ed0
> 
> are almost right. Rule 700 should read:
> ipfw add 700 allow tcp from any 20 to any via ed0
> (the port 20 comes from the host you are contacting; it doesn't connect
> back to you on port 20)
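
As an added example, not part of either poster's mail or script: a sh firewall script along the lines Greg describes. It reads the host's current address from ifconfig(8) output, gives every rule its own number, passes active-mode FTP data connections coming from the server's port 20 as John recommends, and ends with a logging deny. It also lets DHCP itself through, which a firewall on a dhclient host has to do or the next lease renewal is blocked. The interface name ed0, the rule numbers, the constructed ifconfig sample and the function names are assumptions; run it with `dry-run`, or set IPFW=echo, to print the ipfw commands instead of executing them.

```sh
#!/bin/sh
# Added example for the thread above (not the original poster's script).
# Assumptions: interface ed0, the rule numbers below, ipfw(8) at /sbin/ipfw,
# and that "apply" runs as root. Set IPFW=echo to print instead of load.
IF=${IF:-ed0}
IPFW=${IPFW:-/sbin/ipfw}

# Constructed ifconfig(8) output, used only by the "dry-run" mode.
SAMPLE_IFCONFIG='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01'

# Print the first IPv4 address in ifconfig output read from stdin.
# ifconfig prints "inet A.B.C.D netmask ..." per IPv4 address; inet6 lines are skipped.
current_ip() {
    awk '$1 == "inet" { print $2; exit }'
}

# Print the rule set for host address $1 on interface $2, one "add ..." per line.
# Every rule has a unique number (the thread notes duplicate numbers cause trouble).
#  300  replies to connections this host opened (stateless ipfw needs this)
#  400  inbound ssh; ssh is TCP only, so no UDP 22 rule
#  500  outbound FTP control; 600 active-mode data, the server connects FROM port 20
#  700/800 DNS; 900/1000 DHCP, addressed "any" because the host may have no lease yet
rules() {
    ip=$1 dev=$2
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 allow tcp from any to any established
add 400 allow tcp from any to $ip 22 in via $dev
add 500 allow tcp from $ip to any 21 out via $dev
add 600 allow tcp from any 20 to $ip in via $dev
add 700 allow udp from $ip to any 53 out via $dev
add 800 allow udp from any 53 to $ip in via $dev
add 900 allow udp from any 67 to any 68 in via $dev
add 1000 allow udp from any 68 to any 67 out via $dev
add 65000 deny log ip from any to any
EOF
}

# Flush the current rules and load the set for address $1 on interface $2.
load_rules() {
    $IPFW -f flush
    rules "$1" "$2" | while read -r rule; do
        # word splitting of $rule is intended: each line is one ipfw argument list
        $IPFW $rule
    done
}

# Turn on ipfw logging ("log" rules are silent unless the kernel has
# IPFIREWALL_VERBOSE or this sysctl is 1), then load rules for the live address.
apply_firewall() {
    addr=$(ifconfig "$IF" | current_ip)
    [ -n "$addr" ] || { echo "$IF has no IPv4 address" >&2; return 1; }
    sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
    load_rules "$addr" "$IF"
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) IPFW=echo
             load_rules "$(printf '%s\n' "$SAMPLE_IFCONFIG" | current_ip)" "$IF" ;;
esac
```

With logging enabled, ipfw's messages reach syslogd through the security facility, so a `security.* /var/log/security` (or /var/log/firewall.log) line in /etc/syslog.conf is what routes them to a file. To re-run the script on every lease, as Greg suggests, have /etc/dhclient-exit-hooks (which dhclient-script sources with $reason set) call it with `apply` when $reason is BOUND, RENEW, REBIND or REBOOT.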






