IPFW rules being weird?

Q q_dolan at yahoo.com.au
Thu Oct 23 20:35:05 PDT 2003


The easiest way I have found to quickly resolve these kinds of problems
is to put a "permit all" rule at the bottom and start it up from there a
rule at a time until it works. When you work out which rule is causing
the problem, check out what it's blocking that you need and replace the
"permit all" with an appropriate rule. This method lets you get to the
heart of the problem quickly without a lot of head scratching.

Seeya...Q

On Fri, 2003-10-24 at 11:10, Dan wrote:

> Hello there.
> Odd query for you.
> 
> My setup is that sis0 is the ethernet which has the business cable modem 
> attached to it - which serves as a gateway. sis1 is the Ethernet which my 
> laptop connects to (wirelessly through a HE501 wireless pc card, and HE102 
> access point (both by Netgear)).
> 
> The problem that is occurring, is that if I have the IPFW rules below, 
> everything works GREAT!
> 
> fwcmd="/sbin/ipfw"
> $fwcmd -f flush
> $fwcmd add divert natd all from any to any via sis0
> $fwcmd add allow all from any to any 
> $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
> 
> 
> However, the above is not "secure" as you might say.
> The script below stops the laptop from being able to access the net and I have 
> NO idea why!
> 
> # Define the firewall command (as in /etc/rc.firewall) for easy
> # reference.  Helps to make it easier to read.
> fwcmd="/sbin/ipfw"
> 
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
> 
> # Divert all packets through the tunnel interface.
> $fwcmd add 50 divert natd all from any to any via sis0
> 
> # Allow all connections that have dynamic rules built for them,
> # but deny established connections that don't have a dynamic rule.
> # See ipfw(8) for details.
> $fwcmd add check-state
> $fwcmd add pass tcp from any to any established
> 
> # Allow all localhost connections
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> 
> # Allow all connections from my network card that I initiate
> $fwcmd add allow tcp from me to any out xmit any setup keep-state
> $fwcmd add deny  tcp from me to any
> $fwcmd add allow ip from me to any out xmit any keep-state
> $fwcmd add allow all from 192.168.0.0/24 to any
> 
> # Everyone on the Internet is allowed to connect to the following
> # services on the machine.  This example specifically allows connections
> # to sshd and a webserver.
> $fwcmd add allow tcp from any to any established
> $fwcmd add allow tcp from any to me 80 setup
> $fwcmd add allow tcp from any to me 21 setup
> $fwcmd add allow tcp from any to me 22 setup
> 
> # This sends a RESET to all ident packets.
> $fwcmd add reset log tcp from any to me 113 in recv any
> 
> # Enable ICMP: remove type 8 if you don't want your host to be pingable
> $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
> 
> # Deny all the rest.
> $fwcmd add deny log ip from any to any
> 
> 
> If you can help with this it'd be much appreciated.
> Thanks!!!
> 
> Running FreeBSD 4.8-RELEASE.
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
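A small helper for the method Q describes (walk a permit-all rule up from the bottom of the script one rule at a time), added here as an example and not part of the thread. It reads a file of ipfw commands written the way Dan's script is and prints candidate rulesets for review; it never runs ipfw itself, and the rule number 65000 for the catch-all is the one /etc/rc.firewall uses for its "open" ruleset.

```sh
#!/bin/sh
# Added example: generate candidate rulesets for the "permit all at the
# bottom, move it up a rule at a time" method. Input is a script of
# $fwcmd / ${fwcmd} add lines; output is flush + first N rules + permit-all.
# Nothing here executes ipfw; load a candidate from the console, not over
# the network, so a bad candidate cannot lock you out.

# count_rules FILE: number of lines that add a rule (comments skipped).
count_rules() {
    grep -c 'fwcmd}* add ' "$1"
}

# bisect_ruleset FILE N: flush, the first N add lines in file order, then
# the catch-all at 65000 so it sorts after every numbered rule.
bisect_ruleset() {
    printf 'fwcmd="/sbin/ipfw"\n$fwcmd -f flush\n'
    grep 'fwcmd}* add ' "$1" | head -n "$2"
    printf '$fwcmd add 65000 allow all from any to any\n'
}

# write_sample FILE: a constructed excerpt of the posted script, so the
# helper can be tried offline; the real input is the script being debugged.
write_sample() {
    cat >"$1" <<'EOF'
fwcmd="/sbin/ipfw"
$fwcmd -f flush
# Divert all packets through the tunnel interface.
$fwcmd add 50 divert natd all from any to any via sis0
$fwcmd add check-state
$fwcmd add pass tcp from any to any established
${fwcmd} add 100 pass all from any to any via lo0
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add allow all from 192.168.0.0/24 to any
$fwcmd add deny log ip from any to any
EOF
}

# walk_up FILE: print every candidate, starting with N = total (which
# still ends in the script's own deny, so it reproduces the failure) and
# removing one rule per step; the first N that works brackets the culprit.
walk_up() {
    n=$(count_rules "$1")
    while [ "$n" -gt 0 ]; do
        echo "### candidate with $n rule(s) before permit-all"
        bisect_ruleset "$1" "$n"
        n=$((n - 1))
    done
}
```

Once the failing step is found, compare the traffic that breaks against the rule just removed; reading the posted rules that way, TCP replies to the laptop are covered by the `established` rules, but nothing passes UDP replies (DNS, for example) to 192.168.0.0/24 after natd translates them back, so they fall through to the final deny.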

