Date: Wed, 5 Jul 2000 15:57:22 -0500 (CDT)
From: Chris Dillon <cdillon@wolves.k12.mo.us>
To: openzero@bsdmail.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewalls and the endless story!
Message-ID: <Pine.BSF.4.21.0007051544320.16422-100000@mail.wolves.k12.mo.us>
In-Reply-To: <20000705202937.64113.qmail@bsdmail.com>
On Wed, 5 Jul 2000 openzero@bsdmail.com wrote:

> Hm!
> After posting, for some help with my sucky fireball,
> I upgraded from FreeBSD-2.2.8-RELEASE to FreeBSD-3.4-RELEASE
> + SecureBSD1.0, in the hope it will work now.
>
> But nothing happens! The firewall doesn't work
> and FreeBSD-3.4 (and 4.0) is a boring unstable
> system!

Hardly. I have no problems using FreeBSD 3.x or 4.x in any of the many
systems I use them in, including a large firewall.

> So, I downloaded via cvsup the FreeBSD-2.2.8-STABLE!
> It really rulez!
>
> But the firewall problem still exists, and with this
> configuration I can't surf the web too! ;)
>
> Hm! Please I need help! It's very important!
>
> For you who want to help me, here is some information
> on what the firewall has to do:
>
> 1. I'm running an anonymous FTP server
> 2. I need to browse the web
> 3. Sendmail could be enabled (not needed!)
>
> Here is my actual configuration, which still suckz!
> At the moment, I can only browse via:
> # ipfw -f flush!
>
> --- CUT HERE ---
> fwcmd="/sbin/ipfw"
>
> $fwcmd -f flush
>
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add deny log ip from any to 127.0.0.1/8
> $fwcmd add allow ip from any to any via rl0
>
> $fwcmd add divert 8668 all from any to any via tun0
>
> $fwcmd add allow tcp from any to any out xmit tun0 setup
> $fwcmd add allow tcp from any to any via tun0 established
>
> $fwcmd add allow log tcp from any to any 21 setup
> $fwcmd add allow log tcp from any 20 to any setup # really needed ?????
>
> $fwcmd add reset log tcp from any to any 113 in recv tun0
>
> $fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
> $fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0
>
> $fwcmd add deny log icmp from any to any
>
> $fwcmd add deny log ip from any to any

You have a lot of rules here that are redundant or won't work at all.
You would be better off using the canned "open" ruleset and not trying
to make up your own until you're entirely sure about what you are doing.
For one thing, all packets need to be diverted to natd, not just the ones
from tun0. But that doesn't matter, since you need to remove natd from
the picture anyway.

> rc.conf:
> natd_enable="YES"
> natd_device="tun0"
> natd_flags="-dynamic"

You do not need to do this to get NAT to work when using the userland
ppp program. Use ppp -alias instead. This, together with the incorrect
ruleset regarding NAT, is one reason why you can't do anything with your
current setup.

--
Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
FreeBSD: The fastest and most stable server OS on the planet.
For Intel x86 and Alpha architectures. ( http://www.freebsd.org )

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
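The following is an added example, not part of the thread and not Chris Dillon's or the poster's script. It shows what the poster's ruleset looks like once the advice above is applied: NAT is done inside user ppp (ppp -alias), so the divert rule and natd go away, and the three requirements (anonymous FTP in, web browsing out, optional sendmail) are each covered by one explicit rule. The syntax is the FreeBSD 3.x ipfw dialect used in the posted rules (setup/established, no keep-state). Assumptions: tun0 is the ppp link and rl0 the LAN (both from the posted rules), 194.25.2.129 is the DNS server (from the posted rules), and PASV_RANGE is the passive-FTP data port range, which is a hypothetical value that would have to be matched to whatever ftpd actually uses on that box. The script prints the rules by default so it can be reviewed offline, and only talks to /sbin/ipfw when run with the argument "apply".

```shell
#!/bin/sh
# Added example (not from the original thread): ipfw ruleset for an anonymous
# FTP server that also needs to browse the web, with NAT done by "ppp -alias"
# so there is no divert rule and no natd. FreeBSD 3.x ipfw syntax.

FWCMD="/sbin/ipfw"
EXT_IF="tun0"             # user ppp link (from the posted rules)
INT_IF="rl0"              # LAN interface (from the posted rules)
DNS_SERVER="194.25.2.129" # resolver (from the posted rules)
PASV_RANGE="49152-65535"  # assumption: passive FTP data ports used by ftpd
ALLOW_SMTP="no"           # set to "yes" if sendmail should be reachable

# Emit one "add ..." line; keeping the rules as data lets us review them
# without touching the kernel.
rule() { echo "add $*"; }

build_rules() {
    echo "-f flush"

    # Loopback traffic, and nothing claiming a loopback address from outside.
    rule allow ip from any to any via lo0
    rule deny log ip from any to 127.0.0.0/8

    # The LAN side is trusted entirely, as in the posted rules.
    rule allow ip from any to any via "${INT_IF}"

    # No divert rule: with "ppp -alias" the aliasing happens inside ppp,
    # so packets on tun0 already carry the translated addresses.

    # Anything this host starts (web browsing, and the active-mode FTP data
    # connection ftpd opens from port 20) plus the return half of every TCP
    # connection. This makes the posted "from any 20 to any setup" rule
    # redundant, so it is not repeated here.
    rule allow tcp from any to any out xmit "${EXT_IF}" setup
    rule allow tcp from any to any via "${EXT_IF}" established

    # Anonymous FTP: control channel in, passive-mode data ports in.
    rule allow log tcp from any to any 21 in recv "${EXT_IF}" setup
    rule allow tcp from any to any "${PASV_RANGE}" in recv "${EXT_IF}" setup

    # Optional sendmail (requirement 3 in the original post).
    if [ "${ALLOW_SMTP}" = "yes" ]; then
        rule allow tcp from any to any 25 in recv "${EXT_IF}" setup
    fi

    # Answer ident probes with a RST so remote FTP/SMTP servers don't hang.
    rule reset log tcp from any to any 113 in recv "${EXT_IF}"

    # DNS to and from the one resolver we use.
    rule allow udp from any to "${DNS_SERVER}" 53 out xmit "${EXT_IF}"
    rule allow udp from "${DNS_SERVER}" 53 to any in recv "${EXT_IF}"

    # Dropping all ICMP (as the posted rules do) breaks path-MTU discovery;
    # allow echo, unreachable and time-exceeded only.
    rule allow icmp from any to any icmptypes 0,3,8,11

    # Everything else is logged and dropped.
    rule deny log ip from any to any
}

# Feed each generated line to ipfw. Word splitting of ${line} is intended.
apply_rules() {
    build_rules | while IFS= read -r line; do
        ${FWCMD} ${line}
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

Running the script with no argument prints the rule list for review; `sh firewall.sh apply` loads it. The first line flushes, so re-running it replaces the ruleset rather than appending to it.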