ipfw: firewall.sh doesn't work!

Chris racerx at makeworld.com
Fri Oct 7 06:04:46 PDT 2005


On Fri, 7 Oct 2005, Горсткин Илья wrote:

> Hi all!
> FreeBSD 5.4 p7.
>
> ipfw only works with firewall_type="open".
> When I try to use firewall_script="/etc/firewall.sh", the system
> blocks the traffic even if firewall.sh is configured as "allow all any to
> any".
>
> my kernel:
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_FORWARD
> options IPFIREWALL_FORWARD_EXTENDED
> options IPDIVERT
> options DUMMYNET
>
> rc.conf:
> gateway_enable="YES"
> ifconfig_bge0="inet 192.168.1.1"
> ifconfig_xl0="inet xxxx.xxxx.xxxx.xxxx"
> icmp_drop_redirect="YES"
> icmp_log_redirect="YES"
> icmp_bmcastecho="NO"
> firewall_enable="YES"
> #firewall_type="OPEN"
> firewall_script="/etc/firewall.sh"
> firewall_logging="YES"
> natd_enable="YES"
> natd_interface="xl0"
> natd_flags="-s"
>
> /etc/firewall.sh:
> #!/bin/sh
>
> ipfw='/sbin/ipfw -q'
> inet='xl0'
> lan='bge0'
>
> ${ipfw} -a flush
> ${ipfw} add 100 allow all from any to any via lo0
>
>
> ${ipfw} add 300 divert natd tcp from any to any via ${inet}
> ${ipfw} add 310 divert natd udp from any to any via ${inet}
>
> ${ipfw} add 400 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
> ${ipfw} add 410 deny icmp from any to any frag
> ${ipfw} add 420 allow icmp from any to any
> ${ipfw} add 500 deny tcp from any to 192.168.1.0/24 137-139 via ${inet}
> ${ipfw} add 510 deny udp from any to 192.168.1.0/24 137-139 via ${inet}
> ${ipfw} add 520 deny ip from 192.168.1.0/24 to any in via ${inet}
> ${ipfw} add 530 allow tcp from 192.168.1.1 to any 5999
> ${ipfw} add 540 allow udp from any 53 to any
> ${ipfw} add 550 allow udp from any to any 53
>
> ${ipfw} add 600 allow tcp from 192.168.1.0/24 to any 20,21,25,80,110,443,5190
> ${ipfw} add 610 allow tcp from any 20,21,25,80,110,443,5190 to 192.168.1.0/24
>
> Where is the problem?
> thanks!

Go back to the Handbook and read it again. You'll see that you are NOT 
making the proper references for LAN traffic and internet traffic.


Best regards,
Chris

A little ambiguity never hurt anyone.
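One way to restructure the ruleset along the lines Chris points to, as an added example that is not code from either message: traffic on the LAN interface gets its own explicit pass rule, the anti-spoofing checks sit before the NAT divert, the divert covers all protocols, and the final drop is explicit. Interface names and the LAN range come from the original post; the dry-run default for `IPFW`, the rule numbers and the choice of permitted inbound ICMP types are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a stateless ipfw ruleset with separate, explicit rules for
# LAN-side and Internet-side traffic. Not the thread's own script.
# Dry run by default (assumption): prints the ipfw commands instead of
# loading them. Set IPFW=/sbin/ipfw to apply them on a FreeBSD gateway.
IPFW=${IPFW:-"echo /sbin/ipfw -q"}
inet='xl0'                  # Internet-facing interface (from the original post)
lan='bge0'                  # LAN interface (from the original post)
lan_net='192.168.1.0/24'    # LAN network (from the original post)

build_rules() {
    ${IPFW} -f flush
    # Loopback, and never let 127/8 appear on any other interface.
    ${IPFW} add 100 allow ip from any to any via lo0
    ${IPFW} add 110 deny ip from any to 127.0.0.0/8
    ${IPFW} add 120 deny ip from 127.0.0.0/8 to any
    # The original script has no rule that mentions the LAN interface, so with
    # IPFIREWALL and no IPFIREWALL_DEFAULT_TO_ACCEPT the implicit final rule
    # 65535 (deny ip from any to any) drops everything arriving on bge0.
    ${IPFW} add 200 allow ip from any to any via ${lan}
    # Anti-spoofing on the outside interface, checked before natd rewrites
    # addresses: inbound packets must neither claim nor target the LAN range.
    ${IPFW} add 300 deny ip from ${lan_net} to any in via ${inet}
    ${IPFW} add 310 deny ip from any to ${lan_net} in via ${inet}
    # NAT in both directions for every protocol (the original diverted only
    # tcp and udp, so ICMP was never translated).
    ${IPFW} add 400 divert natd ip from any to any via ${inet}
    # Outbound on the Internet side: after the divert the source is already
    # the public address, so match on direction rather than on the LAN range.
    ${IPFW} add 500 allow tcp from any to any out via ${inet}
    ${IPFW} add 510 allow udp from any to any out via ${inet}
    ${IPFW} add 520 allow icmp from any to any out via ${inet}
    # Inbound on the Internet side: established TCP, DNS replies, and the
    # ICMP types needed for echo replies, unreachables and traceroute.
    ${IPFW} add 600 allow tcp from any to any in via ${inet} established
    ${IPFW} add 610 allow udp from any 53 to any in via ${inet}
    ${IPFW} add 620 allow icmp from any to any in via ${inet} icmptypes 0,3,11
    # Make the default drop explicit and logged (firewall_logging="YES").
    ${IPFW} add 65000 deny log ip from any to any
}

build_rules
```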

