firewall

Nathan Kinkade nkinkade at fastmail.fm
Sun Sep 14 07:52:48 PDT 2003


On Sun, Sep 14, 2003 at 05:27:15PM +0800, Robert Storey wrote:
> Dear All,
> 
> I'm having a hard time configuring a firewall. I ALMOST understand it,
> but I've run into one problem. I think I don't actually have my
> /etc/rc.firewall set up properly. Maybe I don't really understand what
> the "ip" setting should be, and I've made it the same as my "net"
> setting. Anyway, what I can say is that with the configuration I have, I
> can access my internal (ethernet) network, but ppp is totally blocked,
> which of course I don't want.
> 
> Below are the configuration settings I've made, and the results I get. I
> hope that somebody can help.
> 
> best regards,
> Robert Storey
> 
> FROM /etc/rc.conf:
> 
>   firewall_enable="YES"
>   firewall_script="/etc/rc.firewall"
>   firewall_type="client"
> 
> FROM /etc/rc.firewall:
> 
> 	# set these to your network and netmask and ip
> 	net="192.168.0.2"
> 	mask="255.255.255.0"
> 	ip="192.168.0.2"
> 
> CONTENT OF /etc/hosts:
> #
> ::1			localhost localhost.utopia.com
> 127.0.0.1		localhost localhost.utopia.com
> #
> 192.168.0.3	ibm.utopia.com	ibm
> 192.168.0.2	sonic.utopia.com	sonic
> 192.168.0.1	pro.utopia.com	pro
> 
> 
> OUTPUT OF "ipfw -a list":
> 
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 allow ip from 192.168.0.2 to 192.168.0.0/24
> 00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.2
> 00600 0 0 allow tcp from any to any established
> 00700 0 0 allow ip from any to any frag
> 00800 0 0 allow tcp from any to 192.168.0.2 dst-port 25 setup
> 00900 0 0 allow tcp from 192.168.0.2 to any setup
> 01000 0 0 deny tcp from any to any setup
> 01100 0 0 allow udp from 192.168.0.2 to any dst-port 53 keep-state
> 01200 0 0 allow udp from 192.168.0.2 to any dst-port 123 keep-state
> 65535 0 0 deny ip from any to any

It doesn't look like it's really made a difference, but your "net" setting
should be 192.168.0.0.  The rules you pasted would appear to allow your
local machine (192.168.0.2) out.  The other interesting thing is that all
of the counters in your listing are 0.  If everything was totally broken I
would still expect to see the counters for rule 65535 with values.  Is
this box a gateway on your network or just another machine on the LAN?
What is the output of `ifconfig -a`?

Nathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49
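The following is an added example, not code from either poster or from FreeBSD. It rebuilds the "client" ruleset from the same net/mask/ip variables the way the posted `ipfw -a list` output shows it, then walks constructed packets through it with ipfw's first-match semantics and keeps per-rule hit counters like `ipfw -a list` would. The ppp address 10.1.2.3, the remote addresses 203.0.113.x and the interface names fxp0/tun0 are assumptions, since the post does not show them; the walk is stateless (keep-state only matters for reply packets). It shows what the listed rules do to traffic carrying an address other than ${ip}, and why setting "net" to 192.168.0.2 or 192.168.0.0 with a /24 mask produces the same network.

```python
"""Walk the rc.firewall "client" ruleset with ipfw first-match semantics.

Added example, not from the original thread. The ppp address (10.1.2.3),
the remote hosts (203.0.113.x) and the interface names are assumptions.
"""
import ipaddress
from collections import Counter


def client_rules(net, mask, ip):
    """Rebuild the 'client' ruleset from its three variables.

    ipfw reads "${net}:${mask}" as a network, so net=192.168.0.2 with a /24
    mask still yields 192.168.0.0/24, matching rules 400/500 in the listing.
    Each rule is (number, action, proto, src, dst, options).
    """
    lan = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    me = ipaddress.ip_network(ip)
    lo = ipaddress.ip_network("127.0.0.0/8")
    return [
        (100, "allow", "ip", None, None, {"via": "lo0"}),
        (200, "deny", "ip", None, lo, {}),
        (300, "deny", "ip", lo, None, {}),
        (400, "allow", "ip", me, lan, {}),
        (500, "allow", "ip", lan, me, {}),
        (600, "allow", "tcp", None, None, {"established": True}),
        (700, "allow", "ip", None, None, {"frag": True}),
        (800, "allow", "tcp", None, me, {"dst_port": 25, "setup": True}),
        (900, "allow", "tcp", me, None, {"setup": True}),
        (1000, "deny", "tcp", None, None, {"setup": True}),
        # keep-state adds a dynamic rule for the reply; the first packet is
        # still judged statelessly, which is all this walk models.
        (1100, "allow", "udp", me, None, {"dst_port": 53}),
        (1200, "allow", "udp", me, None, {"dst_port": 123}),
        (65535, "deny", "ip", None, None, {}),
    ]


def packet(proto, src, dst, iface, dport=None, flags=(), frag=False):
    """A constructed packet; flags are TCP flag names such as 'syn', 'ack'."""
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "iface": iface,
            "dport": dport, "flags": frozenset(flags), "frag": frag}


def matches(rule, pkt):
    """True if the packet satisfies every field and option of the rule."""
    _, _, proto, src, dst, opts = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if src is not None and pkt["src"] not in src:
        return False
    if dst is not None and pkt["dst"] not in dst:
        return False
    if "via" in opts and pkt["iface"] != opts["via"]:
        return False
    if "dst_port" in opts and pkt["dport"] != opts["dst_port"]:
        return False
    # ipfw: "setup" = SYN without ACK; "established" = ACK or RST set
    if opts.get("setup") and not ("syn" in pkt["flags"] and "ack" not in pkt["flags"]):
        return False
    if opts.get("established") and not pkt["flags"] & {"ack", "rst"}:
        return False
    if opts.get("frag") and not pkt["frag"]:
        return False
    return True


def lookup(rules, pkt, counters=None):
    """Return (rule number, action) of the first matching rule and bump its
    packet counter, the figure `ipfw -a list` prints next to the rule."""
    for rule in rules:
        if matches(rule, pkt):
            if counters is not None:
                counters[rule[0]] += 1
            return rule[0], rule[1]
    raise AssertionError("rule 65535 matches everything")


# Constructed traffic: LAN ssh on the Ethernet side, and three flows over
# the ppp link (tun0), whose address is an assumption.
LAN_SSH = packet("tcp", "192.168.0.2", "192.168.0.3", "fxp0", 22, {"syn"})
PPP_HTTP = packet("tcp", "10.1.2.3", "203.0.113.10", "tun0", 80, {"syn"})
PPP_DNS = packet("udp", "10.1.2.3", "203.0.113.53", "tun0", 53)
PPP_INBOUND = packet("tcp", "203.0.113.77", "10.1.2.3", "tun0", 22, {"syn"})


def walk(ip):
    """Run the four constructed packets through the ruleset built for `ip`."""
    rules = client_rules("192.168.0.2", "255.255.255.0", ip)
    hits = Counter()
    flows = [("lan_ssh", LAN_SSH), ("ppp_http", PPP_HTTP),
             ("ppp_dns", PPP_DNS), ("ppp_inbound", PPP_INBOUND)]
    verdicts = {name: lookup(rules, pkt, hits) for name, pkt in flows}
    return verdicts, hits


if __name__ == "__main__":
    for ip in ("192.168.0.2", "10.1.2.3"):
        verdicts, hits = walk(ip)
        print(f'ip="{ip}"')
        for name, (num, action) in verdicts.items():
            print(f"  {name:12s} -> {num:05d} {action}")
        print("  non-zero counters:", dict(hits))
```

With ip="192.168.0.2" the LAN packet is accepted by rule 400 while every packet carrying the ppp address falls through to the deny at rule 1000 or 65535; with ip set to the ppp address the ppp flows pass (900, 1100) but the LAN packet is now the one denied, because every rule in this template keys on a single ${ip}. The counters also illustrate Nathan's point: any traffic at all leaves a non-zero count on some rule, and a ruleset that is genuinely blocking ppp would show hits on 1000 or 65535.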