strange problem with ipfw and rc.conf

fbsd_user fbsd_user at a1poweruser.com
Thu Jan 26 17:56:28 PST 2006


Your problem is you have rc.conf loading 2 different firewalls
at the same time:
IPFW, which is compiled into your kernel as the firewall, and
ipfilter, which you have rc.conf starting. You don't need to
compile either one of the firewalls into the kernel for it to work.

You need to read the firewall section of the handbook.
It contains a very complete usage description of the 3 firewalls
that come with FreeBSD.

I would recommend you use ipfilter as your firewall.
IPFW is for the experienced firewall user who has FW
requirements needing functions not provided by one of the
other FW's delivered with the base FreeBSD install.

And since it looks like you have 3 private circuits on your
LAN you will need NAT function and nat in ipfilter is so much
easier to set up than ipfw when using the keep state function
in your rules file.

The handbook ipfilter sample rule sets work as is.
Just copy and paste into your own rules file and you're pretty
much good to go after following the comments.


And another thing, it's not acceptable behavior to cross post
to 2 lists with the same question.
This question does not belong in freebsd-security at freebsd.org.


-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of gahn
Sent: Thursday, January 26, 2006 6:35 PM
To: freebsd security; freebsd general questions
Subject: strange problem with ipfw and rc.conf


Hi all:

I have a strange problem with rc.conf. I set up ipfw
(compiled into kernel) on freebsd-5.4 and it doesn't
seem to load ipfw rulesets (it uses default ruleset
65335 locking out everything). I have to do "sh
/etc/ipfw.rules" in order to load the rulesets; once I
did that, I can access the box from remote locations.

here is my rc.conf:

host# more /etc/rc.conf

network_interfaces="lo0 em0 dc0 rl0 plip0"
kern_securelevel="2"
kern_securelevel_enable="YES"
linux_enable="YES"
named_enable="YES"
nisdomainname="NO"
sshd_enable="YES"
usbd_enable="YES"
hostname="sis"
tcp_keepalive="YES"
tcp_extensions="YES"
ifconfig_em0="inet 192.168.128.222/24"
ifconfig_dc0="inet 192.168.1.4/24"
ifconfig_rl0="inet 10.10.75.126/24"
defaultrouter="192.168.128.1"
static_routes="net1 net2"
route_net1="-net 192.168.0.0/22 192.168.1.1"
route_net2="-net 10.10.0.0/16 10.10.128.1"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
mpd_enable="YES"

also my customized kernel (partial):

options         IPFIREWALL                      #firewall
options         IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=10     #limit verbosity
#options        IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPFIREWALL_FORWARD              #packet destination changes
options         IPFIREWALL_FORWARD_EXTENDED     #all packet dest changes
options         IPDIVERT                        #divert sockets

TIA


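Added example, not part of either mail: a small POSIX sh check that reads an rc.conf and reports the two things this thread turns on. First, ipfw knobs (firewall_script/firewall_type/firewall_enable) alongside ipfilter_enable="YES", i.e. two packet filters configured on one host; second, ipfw knobs present without firewall_enable="YES", which is the variable /etc/rc.d/ipfw is gated on and which the quoted rc.conf does not set, so the rules file is never run at boot. The two sample configurations are constructed here, modelled on the quoted rc.conf and on a corrected single-firewall version; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mails): audit rc.conf text for the
# firewall misconfigurations discussed in the thread.

# rc_get CONF VAR: print the value assigned to VAR in the rc.conf text CONF
# (quotes and trailing comments stripped, last assignment wins; values are
# single tokens, which is all the firewall knobs need). Empty if unset.
rc_get() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" \
      | tail -n 1
}

# rc_yes CONF VAR: succeed when VAR holds a value rc.subr's checkyesno()
# treats as true (yes/true/on/1, case-insensitive).
rc_yes() {
    case "$(rc_get "$1" "$2")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# rc_firewall_check CONF: print one finding per line, nothing when clean.
rc_firewall_check() {
    conf=$1
    ipfw_cfg=
    # Any of these means the admin intends ipfw to be the packet filter.
    if rc_yes "$conf" firewall_enable \
       || [ -n "$(rc_get "$conf" firewall_script)" ] \
       || [ -n "$(rc_get "$conf" firewall_type)" ]; then
        ipfw_cfg=1
    fi
    if [ -n "$ipfw_cfg" ] && rc_yes "$conf" ipfilter_enable; then
        echo "conflict: ipfw knobs and ipfilter_enable=YES in the same rc.conf (two packet filters)"
    fi
    if [ -n "$ipfw_cfg" ] && ! rc_yes "$conf" firewall_enable; then
        echo "ipfw: firewall_script/firewall_type set without firewall_enable=YES; /etc/rc.d/ipfw will not load the rules at boot"
    fi
}

# Constructed sample modelled on the rc.conf quoted in the thread.
BROKEN_RC='firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"'

# Constructed corrected version: one packet filter, enabled explicitly.
FIXED_RC='firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_quiet="YES"'

echo "== broken rc.conf =="
rc_firewall_check "$BROKEN_RC"
echo "== fixed rc.conf =="
rc_firewall_check "$FIXED_RC"
```

Run it against a real file with `rc_firewall_check "$(cat /etc/rc.conf)"`; it only reads the text and changes nothing. Keeping a check like this in a configuration-review step catches the silent case where a rules file exists and works when run by hand, but nothing in rc.conf ever runs it.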
