IPFW confusion

[Philip Payne]

Hi,


> > However, I can't get the config to work. I've commented out 
> all the deny 
> > rules. In this instance, I can browse the web via SQUID 
> that's installed 
> > on the IPFW box. I can't browse the web directly, though. 
> That is the 
> > only external access I get. I can't ping any sites, DNS 
> lookups fail 
> > (I've set the DNS servers on the client workstation to be 
> that my ISP's. 
> > I also tried setting it to look at the IPFW box first, with no luck)
> > 
> > Can anyone offer help on this one? I'm getting stuck in a muddle of 
> > mis-understanding
> > 

At work so I don't have time to debug a whole policy or anything but....

Firstly, I agree with the comments about logging a deny all at the end of
your policy.

If you start logging too much rubbish insert specific deny rules that do NOT
log just above the deny all to filter out things you don't want to see. To
be honest, it's good practice to keep this approach permantently.

Secondly, a handy tool is at fwbuilder.org . This provides a GUI interface
for generating your policy. It's not perfect and theres the whole thing of
sacrificing all the command line options for a GUI interface but I've found
it more than useful on my own gateway device. 

Unfortunately, the NAT part is not working so you need to script how the
rules are installed once compiled to ensure you get a NAT rule in place. I
have posted a script to do this in previous emails but feel free to drop me
a reply in future if you need to.

Thanks,
Phil.