firewall rules error
RazorOnFreeBSD
yann.luppo at attglobal.net
Fri Apr 16 15:14:37 PDT 2004
Whatever the rules I'm using I get this message when booting and starting
ipfw :
ipfw: bad arguments, for usage summary "ipfw"
except if I use the /etc/rc.firewall file but that's another "I don't know
why?" it doesn't work with the "SIMPLE" argument in /etc/rc.conf and
modified with the right values.
Do you think this message come from the fwcmd="/sbin/ipfw" line ?
I also verified because I was curious, the ipfw executable file of course
exists in my /sbin directory....
> read man ipfw and look at this
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/rules.html
> for a basic pattern to follow.
> Untill you get the basics down keep it simple.
>
>
> ### basic rules, ipfw
> ## fxp0 lan helps you remember later what you are working with
> ## dc0 wan
> ## lo0 loop
> ############### first match rule applies #############
>
> # Define the firewall command (as in /etc/rc.firewall) for easy
> # reference. Helps to make it easier to read.
> fwcmd="/sbin/ipfw"
>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
>
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via dc0
>
> # Allow all data from my network card and localhost.
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via fxp0
>
> # Allow all connections that I initiate.
> $fwcmd add allow tcp from any to any out xmit dc0 setup
>
> # Once connections are made, allow them to stay open.
> $fwcmd add allow tcp from any to any via dc0 established
>
> # RESET ident packets.
> #$fwcmd add reset log tcp from any to any 113 in recv dc0
>
> # Allow outgoing DNS queries ONLY to the specified servers.
> $fwcmd add allow udp from any to x.x.x.x 53 out xmit dc0
>
> # Allow them back in with the answer
> $fwcmd add allow udp from x.x.x.x 53 to any in recv dc0
>
> # Allow ICMP (for ping and traceroute to work). You may wish to
> # disallow this, but I feel it suits my needs to keep them in.
> $fwcmd add allow icmp from any to any
>
> # Deny all the rest.
> $fwcmd add deny log ip from any to any
> ######################################## end of rules
>
>
> On Fri, Apr 16, 2004 at 10:51:05AM +0200, RazorOnFreeBSD wrote:
> > Hi everyone,
> >
> > I'm trying to write my own rules for ipfw under 4.9 STABLE.
> > But everytime I try to use the file with my rules .... my network is
totally blocked and the "ipfw show" command returns :
> >
> > 65535 38 2311 deny ip from any to any
> >
> > I think there's a problem in my rules file and the system replaces my
rules by this one, but I can't figure out what is the problem, my rules file
is really short compared to what I saw sometimes on Internet :
> >
>
> --------------------------------------------------------------------------
--------------------------------------------
> > fwcmd="/sbin/ipfw"
> > oif="dc0"
> > iif="dc1"
> >
> > ${fwcmd} -f flush
> > ${fwcmd} add check-state
> >
> > ${fwcmd} add deny ip from any to any in via $oif verrevpath
> >
> > add 050 divert natd all from any to any via $oif
> > add 100 pass all from any to any via lo0
> > add 200 deny all from any to 127.0.0.0/8
> > add 300 deny ip from 127.0.0.0/8 to any
> >
> > ${fwcmd} add allow ip from me to any via $oif keep-state
> >
> > ${fwcmd} add allow icmp from any to any via $oif icmptypes 0,3,11,12
> >
> > ${fwcmd} add allow tcp from any to me dst-port 22 in via $iif setup
keep-state
> >
> > ${fwcmd} add deny log ip from any to any
>
> --------------------------------------------------------------------------
--------------------------------------------
> >
> > Can anybody tell me what's wrong ?
> >
> > Thanks.
> >
> > razor.
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"
>
More information about the freebsd-questions
mailing list