From owner-freebsd-ipfw Sun Oct 8 23:36:59 2000
Message-ID: <39E166D8.8F9662AC@sentry.granch.ru>
Date: Mon, 09 Oct 2000 13:34:00 +0700
From: "Rashid N. Achilov"
Reply-To: achilov@granch.ru
To: Nick Rogness
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Where I was wrong?

Nick Rogness wrote:
>
> On Fri, 6 Oct 2000, Rashid N. Achilov wrote:
> >
> > ipfw add 100 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0
>
> Hmmm, take out the "out via rl0".

I have given a simplified network model. Really this box has 6 (six)
network interfaces, which bind parts of the internal network structure
and the Internet too. If I take out "via" and then go to the internal
network, I'll find myself at the external interface :-(

> > and the next rule to stop all others to the Internet
> >
> > ipfw add 200 deny log tcp from 10.0.2.0/24 to any 80
> >
> > And now I deny too! Why? Where am I wrong?
>
> What does the deny log entry look like?

Deny TCP 10.0.0.2:XXXX YYY.YYY.YYY.YYY:80 in via ed0
Deny TCP 10.0.0.2:XXXX YYY.YYY.YYY.YYY:80 out via rl0

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514
Granch Ltd. lead engineer, e-mail: achilov@granch.ru
tel/fax (383-2) 24-2363

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Oct 8 23:54:30 2000
Message-ID: <39E16AF8.C9856E4@sentry.granch.ru>
Date: Mon, 09 Oct 2000 13:51:36 +0700
From: "Rashid N. Achilov"
Reply-To: achilov@granch.ru
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Where I was wrong?
References: <39DDFB0B.22E04412@sentry.granch.ru> <20001006211946.O25121@149.211.6.64.reflexcom.com>

"Crist J . Clark" wrote:
>
> On Fri, Oct 06, 2000 at 11:17:15PM +0700, Rashid N. Achilov wrote:
> >
> > Default gateway to all is 10.0.1.2 (second ISP other side)
> >
> > I wish I could forward all traffic from 10.0.2.2 to the first ISP. I made
> > this rule:
> >
> > ipfw add 100 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0
>
> The 'fwd' command probably does not do what you think. Read ipfw(8)
> again.
>
> I don't understand what you want to do when you say you wish to
> 'forward all traffic to the first ISP.' Are we just talking about
> routing here?

I'll try to explain. We have 2 different ISPs. One is in 212.20.5.0 and
the other in 212.109.197.0. The router box has 6 (six) network
interfaces - 4 Ethernets to parts of the internal network, 1 Ethernet to
a PairGain to the first ISP, 1 SBNI card to the second ISP. 10.0.0.2 in
the example is a proxy server. For some time I thought "What can I do so
that the proxy will go to the Internet via the first ISP, and all others
via the second" and decided to do this through the "fwd" command. The
default gateway on the router box is to the second ISP and all boxes have
the second ISP's IPs. The proxy has first-and-second IPs and must go
through the first ISP. As I understand it, "fwd" forwards the packet to
a remote address, and then it is delivered as usual. Or am I wrong
somewhere?

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514
Granch Ltd. lead engineer, e-mail: achilov@granch.ru
tel/fax (383-2) 24-2363

From owner-freebsd-ipfw Mon Oct 9 0:44:31 2000
Message-ID: <20001009074427.19209.qmail@web1405.mail.yahoo.com>
Date: Mon, 9 Oct 2000 00:44:27 -0700 (PDT)
From: John Braun
Subject: Need for allow FTP via fw
To: freebsd-ipfw@FreeBSD.ORG

I need to allow connections from my local network
(192.168.168.0/255.255.255.240) to an external host (IP=123.123.123.123).
I have changed the rc.firewall rules. But with these changes it works very
slowly. Maybe my changes are not so correct?? Where is the problem?

///////////////////////////////////////////////////////
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add pass tcp from 123.123.123.123 to any
${fwcmd} add pass tcp from any to 123.123.123.123
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Allow anything to internal network
${fwcmd} add pass all from ${inet}:${imask} to ${inet}:${imask} via ${iif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow ICMP
${fwcmd} add pass icmp from any to any icmptypes 8,0,11,3

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# For FTP
${fwcmd} add pass tcp from any to ${oip} 21 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${oip}
${fwcmd} add pass udp from ${oip} to any 53

# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${oip}
${fwcmd} add pass udp from ${oip} to any 123
//////////////////////////////////////////////////////

From owner-freebsd-ipfw Mon Oct 9 4:10:24 2000
Message-ID: <39E1A709.CAC1A5B7@sentry.granch.ru>
Date: Mon, 09 Oct 2000 18:07:53 +0700
From: "Rashid N. Achilov"
Reply-To: achilov@granch.ru
To: freebsd-ipfw@freebsd.org
Subject: FWD rules

When the packet matches the "fwd" rule, does the search terminate, or do
the next rules apply to it? (I'm still on my problem...)

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514
Granch Ltd. lead engineer, e-mail: achilov@granch.ru
tel/fax (383-2) 24-2363

From owner-freebsd-ipfw Mon Oct 9 6:34:31 2000
Date: Mon, 9 Oct 2000 07:34:16 -0600 (MDT)
From: Nick Rogness
To: achilov@granch.ru
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Where I was wrong?
In-Reply-To: <39E166D8.8F9662AC@sentry.granch.ru>

On Mon, 9 Oct 2000, Rashid N. Achilov wrote:

> Nick Rogness wrote:
> >
> > On Fri, 6 Oct 2000, Rashid N. Achilov wrote:
> > >
> > > ipfw add 100 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0
> >
> > Hmmm, take out the "out via rl0".
>
> I have given a simplified network model. Really this box has 6 (six)
> network interfaces, which bind parts of the internal network structure
> and the Internet too. If I take out "via" and then go to the internal
> network, I'll find myself at the external interface :-(

# Allow internal net to other internal net
ipfw add 100 allow ip from 10.0.2.0/24 to INTERNAL#1
ipfw add 101 allow ip from 10.0.2.0/24 to INTERNAL#2
ipfw add 102 allow ip from 10.0.2.0/24 to INTERNAL#3

# Forward all other traffic from 10.0.2.2 out 10.0.0.2
ipfw add 105 fwd 10.0.0.2 ip from 10.0.2.2 to any

> > > and the next rule to stop all others to the Internet
> > >
> > > ipfw add 200 deny log tcp from 10.0.2.0/24 to any 80
> > >
> > > And now I deny too! Why? Where am I wrong?
> >
> > What does the deny log entry look like?
>
> Deny TCP 10.0.0.2:XXXX YYY.YYY.YYY.YYY:80 in via ed0
> Deny TCP 10.0.0.2:XXXX YYY.YYY.YYY.YYY:80 out via rl0

The reason it is getting denied is ipfw is not matching the "out via rl0"
(IMO) part of your fwd command above.

I have this exact (almost) thing running and would be glad to help
more...but I need more details on how your internal net is laid out
(Interfaces, IPs, etc).

Nick Rogness
 - Drive defensively.  Buy a tank.
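The two-pass behaviour behind the deny log lines quoted above, as an added example that is not part of the thread and not ipfw's own code: a small Python model of ipfw rule evaluation. It parses the rules quoted in this exchange and runs a constructed web request from 10.0.2.2 through an inbound pass on ed0 and an outbound pass on rl0, with the first matching rule deciding each pass and, as ipfw(8) states for a fwd to a non-local address, the fwd rule considered only on the way out. The interface names and the 10.0.0.2 next hop come from the simplified model in the thread; the destination 192.0.2.10 and the port numbers are constructed, and rule 150 is an assumed allow rule added to show the inbound pass getting past the deny. The Packet and Rule types, parse_rule, evaluate and trace are all mine.

```python
"""Toy model of ipfw(8) evaluation of a routed packet (added example, not code
from the thread): two passes, "in via" then "out via", first match decides."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

Packet = namedtuple("Packet", "proto src sport dst dport")   # constructed type


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "fwd"
    proto: str = "ip"                # "ip"/"all" match every protocol
    src: str = "any"                 # host, CIDR prefix or "any"
    dst: str = "any"
    dport: Optional[int] = None      # destination port, None = any
    direction: Optional[str] = None  # "in", "out" or None (both passes)
    iface: Optional[str] = None      # interface from via/xmit, None = any
    next_hop: Optional[str] = None   # fwd target


DEFAULT_DENY = Rule(65535, "deny")   # ipfw's implicit last rule


def parse_rule(text: str) -> Rule:
    """Parse '[ipfw] add N action [log [logamount K]] proto from A to B [port] [in|out] [via|xmit IF]'."""
    tok = text.split()
    while tok[0] in ("ipfw", "add"):
        tok.pop(0)
    number, action = int(tok.pop(0)), tok.pop(0)
    next_hop = tok.pop(0) if action == "fwd" else None
    while tok[0] in ("log", "logamount"):
        if tok.pop(0) == "logamount":
            tok.pop(0)               # skip the count
    proto, kw_from, src, kw_to, dst = tok[:5]
    if (kw_from, kw_to) != ("from", "to"):
        raise ValueError("bad rule: " + text)
    tok = tok[5:]
    dport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    direction = iface = None
    while tok:
        t = tok.pop(0)
        if t in ("in", "out"):
            direction = t
        elif t in ("via", "xmit"):
            iface = tok.pop(0)
            if t == "xmit":          # xmit names the outgoing interface only
                direction = "out"
        else:
            raise ValueError("unsupported option %r in: %s" % (t, text))
    return Rule(number, action, proto, src, dst, dport, direction, iface, next_hop)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(r: Rule, pkt: Packet, direction: str, iface: str) -> bool:
    return (r.proto in ("ip", "all", pkt.proto)
            and r.direction in (None, direction)
            and r.iface in (None, iface)
            and r.dport in (None, pkt.dport)
            and _addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst))


def evaluate(rules, pkt, direction, iface, local_addrs=()) -> Rule:
    """First rule that decides the packet on this pass (implicit deny at the end)."""
    for r in rules:
        # ipfw(8): a fwd to a non-local address only applies to packets leaving the system
        if r.action == "fwd" and direction == "in" and r.next_hop not in local_addrs:
            continue
        if rule_matches(r, pkt, direction, iface):
            return r
    return DEFAULT_DENY


def trace(rules, pkt, in_iface, out_iface, local_addrs=()) -> List[str]:
    """Run a routed packet through both passes and return ipfw-style log lines."""
    log = []
    for direction, iface in (("in", in_iface), ("out", out_iface)):
        r = evaluate(rules, pkt, direction, iface, local_addrs)
        verb = {"allow": "Accept", "deny": "Deny", "fwd": "Forward to %s" % r.next_hop}[r.action]
        log.append("ipfw: %d %s %s %s:%d %s:%d %s via %s" % (r.number, verb, pkt.proto.upper(),
                   pkt.src, pkt.sport, pkt.dst, pkt.dport, direction, iface))
        if r.action == "deny":
            break                    # a denied packet never reaches the out pass
    return log


# The thread's two rules: the fwd qualified "out xmit rl0" cannot match on the
# inbound pass, so that pass falls through to the deny.  FIXED adds an allow
# (assumed rule 150) for the inbound pass ahead of the deny.
BROKEN = [parse_rule(s) for s in (
    "ipfw add 100 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0",
    "ipfw add 200 deny log tcp from 10.0.2.0/24 to any 80")]
FIXED = [parse_rule(s) for s in (
    "ipfw add 100 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0",
    "ipfw add 150 allow ip from 10.0.2.2 to any in via ed0",
    "ipfw add 200 deny log tcp from 10.0.2.0/24 to any 80")]
WEB_REQUEST = Packet("tcp", "10.0.2.2", 3710, "192.0.2.10", 80)   # constructed sample

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, *trace(rules, WEB_REQUEST, "ed0", "rl0"), sep="\n  ")
```

Running it prints one log line per pass. With the two rules as posted, the inbound pass never reaches rule 100 (its "out xmit rl0" qualifier cannot match on the way in, and a fwd to a non-local address is not considered there anyway) and lands on the deny, which is the "in via ed0" line in the quoted log. With an allow for the inbound pass placed before the deny, the log shows the accept first and the forward second, the same order as the kernel log posted later in this thread.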
From owner-freebsd-ipfw Mon Oct 9 8:12:10 2000
Message-ID: <39E1DFAF.8FC8A80C@sentry.granch.ru>
Date: Mon, 09 Oct 2000 22:09:35 +0700
From: "Rashid N. Achilov"
Reply-To: achilov@granch.ru
To: Nick Rogness
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Where I was wrong?

Nick Rogness wrote:
>
> I have this exact (almost) thing running and would be glad to help
> more...but I need more details on how your internal net is laid
> out (Interfaces, IPs, etc).
>

A more general model (I repeat the previous description here and add some
to it):

--- was ---
I have a FreeBSD box, connected to two different ISPs and my own private
network. For example the first ISP is 10.0.0.0/24, the second 10.0.1.0/24
and my own network is 10.0.2.0/24, and the FreeBSD router has: 10.0.0.1
to the first ISP (10.0.0.2 other side, interface fxp0), 10.0.1.1 to the
second (10.0.1.2 other side, interface rl0) and 10.0.2.1 to the private
one (interface ed0). My box in the private network is 10.0.2.2 and there
are some other Windozes...
--- was ---

Now: 10.0.2.2 isn't my box, it is a proxy server. There are no more boxes
in its net. The router has 2 additional NICs - fxp1 (10.0.3.0/24, the
router here is 10.0.3.1) in our private network (my box here is
10.0.3.2), some more Windozes here also... and fxp2 (10.0.4.0/24, the
router here is 10.0.4.1) to our sub-division.

I'd like to deny ALL traffic without the proxy (excluding my own box :-)
and the proxy itself) and partially deny proxy access from 10.0.4.0,
partially allow all, except WWW (port 80).

So, I have written:

# Stop RFC1918 nets on the outside interface
$fwcmd add 105 deny log all from 192.168.0.0/16 to any via rl0
[skip some similar rules...]
# Our boss! :-)
$fwcmd add 1210 allow ip from 10.0.3.3 to any
$fwcmd add 1215 allow ip from 10.0.3.4 to any
$fwcmd add 1220 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0
$fwcmd add 1225 fwd 10.0.0.2 ip from 10.0.3.2 to any out xmit rl0
# Here I had to insert these damned rules
$fwcmd add 1226 allow ip from 10.0.2.2 to any
$fwcmd add 1227 allow ip from 10.0.3.2 to any
# Take control of the WWW traffic
$fwcmd add 1230 deny log tcp from 10.0.3.0/24 to any 80
# Some of our sub-division are allowed to the Internet
$fwcmd add 1305 allow all from 10.0.4.2 to any
# The rest are denied
$fwcmd add 1355 deny log tcp from 10.0.4.0/24 to any 3128-3130
# Deny all non-excluded sub-division external traffic (internal is allowed)
$fwcmd add 1450 deny log all from 10.0.4.0/24 to any out xmit rl0
# Allow all local traffic
# Here was "allow all local traffic". Now it is commented out, because I don't need it now.
# Non-exclusive forward from private - allow all, except WWW
$fwcmd add 1550 fwd 10.0.0.2 ip from 10.0.3.10 to any out xmit rl0

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514
Granch Ltd. lead engineer, e-mail: achilov@granch.ru
tel/fax (383-2) 24-2363

From owner-freebsd-ipfw Mon Oct 9 13:10:29 2000
Date: Mon, 9 Oct 2000 16:10:27 -0400
From: Bill Fumerola
To: achilov@granch.ru
Cc: freebsd-ipfw@freebsd.org
Subject: Re: FWD rules
Message-ID: <20001009161027.M38472@jade.chc-chimes.com>
References: <39E1A709.CAC1A5B7@sentry.granch.ru>
In-Reply-To: <39E1A709.CAC1A5B7@sentry.granch.ru>; from shelton@sentry.granch.ru on Mon, Oct 09, 2000 at 06:07:53PM +0700

On Mon, Oct 09, 2000 at 06:07:53PM +0700, Rashid N. Achilov wrote:
> When the packet matches the "fwd" rule, does the search terminate, or do
> the next rules apply to it? (I'm still on my problem...)

		case IP_FW_F_FWD:
			if (next_hop != NULL	/* Make sure, first... */
			    && (q == NULL || direction == MATCH_FORWARD)
			)
				*next_hop = &(f->fw_fwd_ip);
			return(0);	/* Allow the packet */

Packet is manipulated and then allowed. The result of the manipulation is
that it gets forwarded. So the answer is "the search terminates".

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
                billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-ipfw Tue Oct 10 3:22:31 2000
Message-ID: <39E2ED57.A51C7F0E@sentry.granch.ru>
Date: Tue, 10 Oct 2000 17:20:07 +0700
From: "Rashid N. Achilov"
Reply-To: achilov@granch.ru
To: freebsd-ipfw@freebsd.org
Subject: To be continued...

part of `ipfw list | less` output:

01225 fwd 212.109.195.137 log logamount 100 ip from 212.109.197.55 to any out xmit sbni1
01226 allow log logamount 100 tcp from 212.109.197.55 to any 80

part of kernel log:

rnel: ipfw: 1226 Accept TCP 212.109.197.55:3710 216.136.204.21:80 in via fxp0
rnel: ipfw: 1225 Forward to 212.109.195.137 TCP 212.109.197.55:3710 216.136.204.21:80 out via sbni1
rnel: ipfw: 1226 Accept TCP 212.109.197.55:3710 216.136.204.21:80 in via fxp0
rnel: ipfw: 1225 Forward to 212.109.195.137 TCP 212.109.197.55:3710 216.136.204.21:80 out via sbni1

Legend: 212.109.197.55 - my box, FreeBSD 4.1-RELEASE
        212.109.195.137 - first ISP leased line channel, other side (ours is 212.109.195.138)
        sbni1 - iface name of the second ISP leased line channel
                (assumed FreeBSD router box, 3.4-RELEASE)

Why is rule 1226 in the log BEFORE 1225? Does it mean that 1226 is scanned
before 1225? Or vice versa? And why, if 1225 is successful, is rule 1226
scanned? I'm totally lost :-(

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514
Granch Ltd. lead engineer, e-mail: achilov@granch.ru
tel/fax (383-2) 24-2363

From owner-freebsd-ipfw Tue Oct 10 19:50:25 2000
Date: Tue, 10 Oct 2000 19:50:12 -0700
From: "Crist J . Clark"
To: achilov@granch.ru
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: To be continued...
Message-ID: <20001010195012.F25121@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <39E2ED57.A51C7F0E@sentry.granch.ru>
In-Reply-To: <39E2ED57.A51C7F0E@sentry.granch.ru>; from shelton@sentry.granch.ru on Tue, Oct 10, 2000 at 05:20:07PM +0700

On Tue, Oct 10, 2000 at 05:20:07PM +0700, Rashid N. Achilov wrote:
> part of `ipfw list | less` output:
>
> 01225 fwd 212.109.195.137 log logamount 100 ip from 212.109.197.55 to
> any out xmit sbni1
> 01226 allow log logamount 100 tcp from 212.109.197.55 to any 80
>
> part of kernel log:
>
> rnel: ipfw: 1226 Accept TCP 212.109.197.55:3710 216.136.204.21:80 in via
> fxp0
> rnel: ipfw: 1225 Forward to 212.109.195.137 TCP 212.109.197.55:3710
> 216.136.204.21:80 out via sbni1
> rnel: ipfw: 1226 Accept TCP 212.109.197.55:3710 216.136.204.21:80 in via
> fxp0
> rnel: ipfw: 1225 Forward to 212.109.195.137 TCP 212.109.197.55:3710
> 216.136.204.21:80 out via sbni1
>
> Legend: 212.109.197.55 - my box, FreeBSD 4.1-RELEASE
> 212.109.195.137 - first ISP leased line channel, other side (ours is
> 212.109.195.138)
> sbni1 - iface name of the second ISP leased line channel
> (assumed FreeBSD router box, 3.4-RELEASE)
>
> Why is rule 1226 in the log BEFORE 1225? Does it mean that 1226 is scanned
> before 1225? Or vice versa? And why, if 1225 is successful, is rule 1226
> scanned? I'm totally lost :-(

man ipfw

     fwd ipaddr[,port]
             ...If the IP is not a local ad-
             dress then the port number (if specified) is ignored and the
             rule only applies to packets leaving the system.
        ^^^ ^^^^ ^^^^ ^^^^^^^ ^^ ^^^^^^^ ^^^^^^^ ^^^ ^^^^^^

The first time it hits the rule is when it is entering the system on the
inner interface. The fwd rule is skipped for the incoming packet, so it
passes the next rule which it happens to match. The packet is again
processed as it is leaving. At this point it hits the fwd rule and is
accepted.

--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Wed Oct 11 5:58:17 2000
From: Frank Bonnet
Message-Id: <200010110828.e9B8SMX20371@bart.esiee.fr>
Subject: recommended kernel options ?
To: freebsd-ipfw@FreeBSD.ORG
Date: Wed, 11 Oct 2000 10:28:22 MEST

Hi

I need advice from experienced ipfw admins:
which options would be useful to add/remove
from the kernel of an ipfw machine?

I've read the doc and the LINT example but some
options are a little bit obscure for me.

Someone to help?

thanks
--
Frank Bonnet

From owner-freebsd-ipfw Wed Oct 11 6:53:15 2000
Message-ID: <39E47060.E66B094@prokyon.com>
Date: Wed, 11 Oct 2000 09:51:28 -0400
From: Chris Browning
To: Frank Bonnet
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: recommended kernel options ?
References: <200010110828.e9B8SMX20371@bart.esiee.fr>

Frank Bonnet wrote:
>
> Hi
>
> I need advice from experienced ipfw admins:
> which options would be useful to add/remove
> from the kernel of an ipfw machine?
>
> I've read the doc and the LINT example but some
> options are a little bit obscure for me.
>
> Someone to help?
>
> thanks
> --
> Frank Bonnet

Have you compiled a kernel before?

--
------------------------
Chris Browning
brownicm@prokyon.com
------------------------

From owner-freebsd-ipfw Wed Oct 11 8: 9:30 2000
Date: Wed, 11 Oct 2000 18:07:42 +0300
From: Ruslan Ermilov
To: luigi@FreeBSD.org
Cc: ipfw@FreeBSD.org
Subject: CFR: patch for bin/18351: ipfw add with no rule number returns the wrong rule number
Message-ID: <20001011180742.A85291@sunbay.com>
References: <200010111440.HAA89914@freefall.freebsd.org>
In-Reply-To: <200010111440.HAA89914@freefall.freebsd.org>; from ru@FreeBSD.org on Wed, Oct 11, 2000 at 07:40:48AM -0700

On Wed, Oct 11, 2000 at 07:40:48AM -0700, ru@FreeBSD.org wrote:
> Synopsis: ipfw add with no rule number returns the wrong rule number
>
> Responsible-Changed-From-To: luigi->ru
> Responsible-Changed-By: ru
> Responsible-Changed-When: Wed Oct 11 07:40:11 PDT 2000
> Responsible-Changed-Why:
> I have a working patch.
>
This patch simply changes the IP_FW_ADD sockopt from SOPT_SET to SOPT_GET,
thus allowing IPFW to return the assigned rule number back to userland in
case it was not specified explicitly. Does this patch look OK to you?

Do I need to bump the __FreeBSD_version or not?

--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

Index: ipfw/ipfw.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.96
diff -u -p -r1.96 ipfw.c
--- ipfw/ipfw.c	2000/10/11 13:02:30	1.96
+++ ipfw/ipfw.c	2000/10/11 14:42:47
@@ -2131,11 +2131,11 @@ badviacombo: rule.fw_loghighest = rule.fw_logamount; } done: + i = sizeof(rule); + if (getsockopt(s, IPPROTO_IP, IP_FW_ADD, &rule, &i) == -1) + err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD"); if (!do_quiet) show_ipfw(&rule, 10, 10); - i = setsockopt(s, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule); - if (i) - err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_FW_ADD"); } static void Index: sys_netinet/ip_fw.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.144 diff -u -p -r1.144 ip_fw.c --- sys_netinet/ip_fw.c 2000/10/06 12:12:09 1.144 +++ sys_netinet/ip_fw.c 2000/10/11 14:42:50 @@ -1512,7 +1512,7 @@ add_entry(struct ip_fw_head *chainptr, s } if (nbr < IPFW_DEFAULT_RULE - 100) nbr += 100; - ftmp->fw_number = nbr; + ftmp->fw_number = frwl->fw_number = nbr; } /* Got a valid number; now insert it, keeping the list ordered */ @@ -1928,6 +1928,8 @@ ip_fw_ctl(struct sockopt *sopt) error = EINVAL; } else { error = add_entry(&ip_fw_chain, &frwl); + if (!error) + error = sooptcopyout(sopt, &frwl, sizeof frwl); } break; Index: sys_netinet/raw_ip.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/raw_ip.c,v retrieving revision 1.69 diff -u -p -r1.69 raw_ip.c --- sys_netinet/raw_ip.c 2000/09/14 14:42:03 1.69 +++ sys_netinet/raw_ip.c 2000/10/11 14:42:51 @@ -259,6 +259,7 @@ rip_ctloutput(so, sopt) error = sooptcopyout(sopt, &optval, sizeof optval); break; + case IP_FW_ADD: case IP_FW_GET: if (ip_fw_ctl_ptr == 0) error = ENOPROTOOPT; 
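Review bot: in the ipfw.c hunk (@@ -2131), the length that getsockopt() writes back into `i` is never checked before `show_ipfw(&rule, 10, 10)` prints the rule as if the whole structure had come back. Compare `i` with sizeof(rule) after the call and fail on a short copy, since the kernel side copies out at most the length the caller supplied and a size mismatch between the two would otherwise go unnoticed. getsockopt(2) also takes a `socklen_t *` as its last argument, so `i` (declared outside the hunk, where it previously held setsockopt()'s int return value) should now be a socklen_t.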
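Review bot: in the ip_fw.c hunk at @@ -1512, the double assignment `ftmp->fw_number = frwl->fw_number = nbr;` is the whole mechanism by which the auto-assigned number reaches userland, but nothing in the hunk says so. A one-line comment that frwl is the caller's copy, now returned by ip_fw_ctl(), would keep a later cleanup from "simplifying" it back to a single store. The store runs only on the auto-numbering path, which is fine: an explicitly supplied number is already in frwl.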
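Review bot: in the ip_fw.c hunk at @@ -1928, `if (!error) error = sooptcopyout(sopt, &frwl, sizeof frwl);` turns a copyout failure into an error return after add_entry() has already inserted the rule, so the caller is told the add failed when the rule is in fact installed; a script that retries on error will install it twice. Either keep the rule state consistent with the return value (remove the entry again on a copyout failure) or document that the rule may be present despite an error.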
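Review bot: in the raw_ip.c hunk at @@ -259, adding `case IP_FW_ADD:` above `case IP_FW_GET:` (and, in the hunk that follows, dropping it from the set-side list with IP_FW_DEL/FLUSH/ZERO) means an existing setsockopt(IP_FW_ADD) caller is no longer handled on the set path at all, even though the rule structure it passes is unchanged. Keeping `case IP_FW_ADD:` in both lists and having ip_fw_ctl() copy the rule out only when the request arrived via getsockopt() would preserve old binaries; the follow-up in this thread takes that approach.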
@@ -305,7 +306,6 @@ rip_ctloutput(so, sopt) inp->inp_flags &= ~INP_HDRINCL; break; - case IP_FW_ADD: case IP_FW_DEL: case IP_FW_FLUSH: case IP_FW_ZERO:

From owner-freebsd-ipfw Wed Oct 11 14: 4:28 2000
From: Archie Cobbs
Message-Id: <200010112104.e9BL4Oe54091@bubba.whistle.com>
Subject: Re: CFR: patch for bin/18351: ipfw add with no rule number returns the wrong rule number
In-Reply-To: <20001011180742.A85291@sunbay.com> "from Ruslan Ermilov at Oct 11, 2000 06:07:42 pm"
To: Ruslan Ermilov
Date: Wed, 11 Oct 2000 14:04:24 -0700 (PDT)
Cc: luigi@FreeBSD.ORG, ipfw@FreeBSD.ORG

Ruslan Ermilov writes:
> > Responsible-Changed-From-To: luigi->ru
> > Responsible-Changed-By: ru
> > Responsible-Changed-When: Wed Oct 11 07:40:11 PDT 2000
> > Responsible-Changed-Why:
> > I have a working patch.
> >
> This patch simply changes the IP_FW_ADD sockopt from SOPT_SET to SOPT_GET,
> thus allowing IPFW to return the assigned rule number back to userland in
> case it was not specified explicitly. Does this patch look OK to you?

Ugh.. 'get' is not exactly intuitive.. though I agree knowing
the rule number is nice...

I think instead of overloading 'get' (and breaking all user-land
programs that do 'set') a better approach would be to add a new
sockopt IP_FW_RULENUM that would retrieve the previously used
'automatic' rule number. This would be backward compatible and
also more intuitive.

> Do I need to bump the __FreeBSD_version or not?

In any case, YES.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com

From owner-freebsd-ipfw Thu Oct 12 0:50:42 2000
Date: Thu, 12 Oct 2000 10:50:26 +0300
From: Ruslan Ermilov
To: Archie Cobbs
Cc: luigi@FreeBSD.ORG, ipfw@FreeBSD.ORG
Subject: Re: CFR: patch for bin/18351: ipfw add with no rule number returns the wrong rule number
Message-ID: <20001012105026.A12636@sunbay.com>
References: <20001011180742.A85291@sunbay.com> <200010112104.e9BL4Oe54091@bubba.whistle.com>
In-Reply-To: <200010112104.e9BL4Oe54091@bubba.whistle.com>; from archie@whistle.com on Wed, Oct 11, 2000 at 02:04:24PM -0700

On Wed, Oct 11, 2000 at 02:04:24PM -0700, Archie Cobbs wrote:
> Ruslan Ermilov writes:
> > > Responsible-Changed-From-To: luigi->ru
> > > Responsible-Changed-By: ru
> > > Responsible-Changed-When: Wed Oct 11 07:40:11 PDT 2000
> > > Responsible-Changed-Why:
> > > I have a working patch.
> > >
> > This patch simply changes the IP_FW_ADD sockopt from SOPT_SET to SOPT_GET,
> > thus allowing IPFW to return the assigned rule number back to userland in
> > case it was not specified explicitly. Does this patch look OK to you?
>
> Ugh.. 'get' is not exactly intuitive.. though I agree knowing
> the rule number is nice...
>
> I think instead of overloading 'get' (and breaking all user-land
> programs that do 'set') a better approach would be to add a new
> sockopt IP_FW_RULENUM that would retrieve the previously used
> 'automatic' rule number. This would be backward compatible and
> also more intuitive.
>
I instead have decided to allow for IP_FW_ADD to be used in both
setsockopt(2) and getsockopt(2). In setsockopt() case we behave
like it was before. In getsockopt() case we additionally return
the rule back into userland, and it is backwards compatible.

> > Do I need to bump the __FreeBSD_version or not?
>
> In any case, YES.
>
Don't you think that 420000 would be appropriate in this case,
assuming I will MFC this before 4.2-RELEASE?

--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-ipfw Thu Oct 12 12: 8:24 2000
From: Archie Cobbs
Message-Id: <200010121908.e9CJ8HR84792@bubba.whistle.com>
Subject: Re: CFR: patch for bin/18351: ipfw add with no rule number returns the wrong rule number
In-Reply-To: <20001012105026.A12636@sunbay.com> "from Ruslan Ermilov at Oct 12, 2000 10:50:26 am"
To: Ruslan Ermilov
Date: Thu, 12 Oct 2000 12:08:17 -0700 (PDT)
Cc: luigi@FreeBSD.ORG, ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ruslan Ermilov writes:
> > I think instead of overloading 'get' (and breaking all user-land
> > programs that do 'set') a better approach would be to add a new
> > sockopt IP_FW_RULENUM that would retrieve the previously used
> > 'automatic' rule number. This would be backward compatible and
> > also more intuitive.
> >
> I instead have decided to allow for IP_FW_ADD to be used in both
> setsockopt(2) and getsockopt(2). In the setsockopt() case we behave
> as before. In the getsockopt() case we additionally return
> the rule back into userland, and it is backwards compatible.

OK, that sounds fine to me.

> > > Do I need to bump the __FreeBSD_version or not?
> >
> > In any case, YES.
>
> Don't you think that 420000 would be appropriate in this case,
> assuming I will MFC this before 4.2-RELEASE?

I don't think you can do that.. only Jordan should. You can only
increase the "minor number", e.g., update it from 500012 to 500013
or 411000 to 411001.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.
 * http://www.whistle.com

From owner-freebsd-ipfw Fri Oct 13 17:17:50 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from forrie.net (forrie.net [64.20.73.233]) by hub.freebsd.org (Postfix) with ESMTP id 47B0037B66D for ; Fri, 13 Oct 2000 17:17:47 -0700 (PDT)
Received: from boom.forrie.com (getbent@forrie.ne.mediaone.net [24.147.129.124]) by forrie.net with id e9E0HjF77999 for ; Fri, 13 Oct 2000 20:17:45 -0400 (EDT)
Message-Id: <5.0.0.25.2.20001013200816.022a81d0@64.20.73.233>
X-Sender: forrie@64.20.73.233
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Fri, 13 Oct 2000 20:14:28 -0400
To: freebsd-ipfw@freebsd.org
From: Forrest Aldrich
Subject: Problem with ftp
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I just installed a FreeBSD-4.1.1 system in co-lo, and am having a problem
getting FTP to work. I -thought- I had this worked out prior to launch...
I was able to get to and from the machine with no trouble. Now, I have to
add the line:

02000 allow tcp from any to 216.67.14.69 1024-65535 setup

to get it to work; however, I don't think this is as tight a firewall as I
could have -- minus, certainly, stateful inspection.

Currently, the router prevents external access to this IP, but we can get
to it from certain networks. I don't think the FTP problem is due to any
router ACL.

I wonder if someone might offer some pointers about how to fix this
problem, or further tighten this up. I looked for a bit of a how-to, but
most of them are very ipchains specific. I've not found a consultant who
can take on this task either, and I'm certainly open to that if necessary.

Thanks a lot,

Forrest

My rules are (00.00.00.00 is substituted for the real IP address,
symbolically here):

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from any to 10.0.0.0/8 via fxp0
00400 deny ip from any to 172.16.0.0/12 via fxp0
00500 deny ip from any to 192.168.0.0/16 via fxp0
00600 deny ip from any to 0.0.0.0/8 via fxp0
00700 deny ip from any to 169.254.0.0/16 via fxp0
00800 deny ip from any to 192.0.2.0/24 via fxp0
00900 deny ip from any to 224.0.0.0/4 via fxp0
01000 deny ip from any to 240.0.0.0/4 via fxp0
01100 deny ip from 10.0.0.0/8 to any via fxp0
01200 deny ip from 172.16.0.0/12 to any via fxp0
01300 deny ip from 192.168.0.0/16 to any via fxp0
01400 deny ip from 0.0.0.0/8 to any via fxp0
01500 deny ip from 169.254.0.0/16 to any via fxp0
01600 deny ip from 192.0.2.0/24 to any via fxp0
01700 deny ip from 224.0.0.0/4 to any via fxp0
01800 deny ip from 240.0.0.0/4 to any via fxp0
01900 allow tcp from any to any established
02000 allow tcp from any to 00.00.00.00 1024-65535 setup
02100 allow ip from any to any frag
02200 allow tcp from any to 00.00.00.00 25 setup
02300 allow tcp from 00.00.00.00 to any 25
02400 allow tcp from any to 00.00.00.00 143 setup
02500 allow tcp from 00.00.00.00 to any 143
02600 allow tcp from any to 00.00.00.00 110 setup
02700 allow tcp from 00.00.00.00 to any 110
02800 allow tcp from any to 00.00.00.00 53 setup
02900 allow tcp from 00.00.00.00 to any 53
03000 allow udp from 00.00.00.00 to any
03100 allow udp from any to 00.00.00.00 1024-65535
03200 allow tcp from any to 00.00.00.00 80 setup
03300 allow tcp from 00.00.00.00 to any 80
03400 allow tcp from any to 00.00.00.00 443 setup
03500 allow tcp from 00.00.00.00 to any 443
03600 allow tcp from 216.67.14.0/24 to 00.00.00.00 111 setup
03700 allow tcp from 00.00.00.00 to any 111
03800 allow icmp from 00.00.00.00 to any icmptype 0,8
03900 allow icmp from 216.67.14.0/24 to 00.00.00.00 icmptype 0,8
04000 allow tcp from any to 00.00.00.00 113 setup
04100 allow tcp from 00.00.00.00 to any 113
04200 allow tcp from any to 00.00.00.00 22 setup
04300 allow tcp from 00.00.00.00 to any 22
04400 allow tcp from any to 00.00.00.00 20 setup
04500 allow tcp from 00.00.00.00 to any 20
04600 allow tcp from any to 00.00.00.00 21 setup
04700 allow tcp from 00.00.00.00 to any
04800 allow udp from any 123 to 00.00.00.00
04900 allow udp from 00.00.00.00 to any 123
05000 deny tcp from any to any in recv fxp0 setup
05100 deny udp from any to any in recv fxp0
65535 deny ip from any to any
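Added worked example (an editor's addition, not part of Forrest's post and not ipfw code): a small first-match evaluator for the ipfw syntax subset his ruleset uses. It makes the FTP question concrete. In passive mode the client opens a fresh TCP connection to a server-chosen high port, so on a stateless ruleset that SYN has to be admitted by some rule before 05000 denies it; rule 02000 is that rule, and active mode (server connects out from port 20) is already covered by 04400/04500/04700, which is why only passive transfers broke. The same run shows what 02000 gives away: any TCP listener on 1024-65535 becomes reachable from anywhere. Assumptions: 198.51.100.10 stands in for the 00.00.00.00 placeholder (a documentation address that none of the bogon denies cover), only an excerpt of the ruleset is loaded, the box has a single external interface, `frag` and `icmptype` are not modelled, and the narrowed variant pins the passive data ports to 49152-65535, a range chosen for illustration rather than taken from the post.

```python
"""First-match evaluator for the ipfw(8) syntax subset used in the posted ruleset.
Single-interface host model: "via" matches either direction, "recv" only inbound."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass

# HOST stands in for the post's 00.00.00.00 placeholder (assumption: a documentation
# address that none of the bogon deny rules cover). RULESET is an excerpt of the post.
HOST = "198.51.100.10"
RULESET = """
00100 allow ip from any to any via lo0
00300 deny ip from any to 10.0.0.0/8 via fxp0
01900 allow tcp from any to any established
02000 allow tcp from any to 00.00.00.00 1024-65535 setup
03100 allow udp from any to 00.00.00.00 1024-65535
04600 allow tcp from any to 00.00.00.00 21 setup
04700 allow tcp from 00.00.00.00 to any
05000 deny tcp from any to any in recv fxp0 setup
65535 deny ip from any to any
""".replace("00.00.00.00", HOST)
# Rule 02000 narrowed to an assumed passive-data range (49152-65535 is illustrative).
NARROWED = RULESET.replace("1024-65535 setup", "49152-65535 setup")

Rule = namedtuple("Rule", "num action proto src sports dst dports opts")


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # subset of {"SYN", "ACK", "RST"}
    direction: str = "in"           # "in" or "out"
    iface: str = "fxp0"


def _endpoint(tok, i):
    """Parse '<addr|any> [port[,port|lo-hi]...]' at tok[i]; return (net, ranges, next)."""
    net = None if tok[i] == "any" else ipaddress.ip_network(tok[i], strict=False)
    ranges, i = [], i + 1
    if i < len(tok) and re.fullmatch(r"[\d,-]+", tok[i]):
        for part in tok[i].split(","):
            lo, _, hi = part.partition("-")
            ranges.append((int(lo), int(hi or lo)))
        i += 1
    return net, ranges, i


def parse_rule(line):
    tok = line.split()                       # tok[3] is "from"; tok[i] below is "to"
    src, sports, i = _endpoint(tok, 4)
    dst, dports, i = _endpoint(tok, i + 1)
    opts = {}
    while i < len(tok):
        if tok[i] in ("via", "recv", "xmit"):
            opts[tok[i]] = tok[i + 1]
            i += 2
        elif tok[i] in ("in", "out", "setup", "established"):
            opts[tok[i]] = True
            i += 1
        else:                                # frag, icmptype, ... are not modelled here
            raise ValueError(f"unsupported option {tok[i]!r} in rule {tok[0]}")
    return Rule(int(tok[0]), tok[1], tok[2], src, sports, dst, dports, opts)


def load_rules(text):
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()), key=lambda r: r.num)


def _port_ok(ranges, port):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def matches(r, p):
    o = r.opts
    return all([
        r.proto in ("ip", p.proto),
        r.src is None or ipaddress.ip_address(p.src) in r.src,
        r.dst is None or ipaddress.ip_address(p.dst) in r.dst,
        _port_ok(r.sports, p.sport) and _port_ok(r.dports, p.dport),
        "in" not in o or p.direction == "in",
        "out" not in o or p.direction == "out",
        "via" not in o or o["via"] == p.iface,
        "recv" not in o or (p.direction == "in" and o["recv"] == p.iface),
        "xmit" not in o or (p.direction == "out" and o["xmit"] == p.iface),
        "setup" not in o or ("SYN" in p.flags and "ACK" not in p.flags),   # SYN without ACK
        "established" not in o or bool(p.flags & {"ACK", "RST"}),
    ])


def first_match(rules, p):
    """(rule number, action) of the first rule matching p; rule 65535 catches the rest."""
    for r in rules:
        if matches(r, p):
            return r.num, r.action
    raise ValueError("ruleset has no catch-all rule")


def demo():
    """Constructed sample: an inbound SYN to port 3306 (not FTP) under both rulesets."""
    pkt = Packet("tcp", "203.0.113.5", HOST, 40001, 3306, frozenset({"SYN"}))
    return first_match(load_rules(RULESET), pkt), first_match(load_rules(NARROWED), pkt)


if __name__ == "__main__":
    print(demo())   # ((2000, 'allow'), (5000, 'deny'))
```

Feed `first_match()` an inbound SYN to port 50000 and one to port 3306: the original ruleset admits both at 02000, the narrowed one still admits the passive data port but lets 3306 fall through to the 05000 deny. Rule 03100 does the same for UDP (any inbound datagram to 1024-65535 is admitted), which is worth a second look for the same reason. Whatever range 02000 is narrowed to has to be the range the FTP daemon actually hands out in PASV replies (on FreeBSD that depends on ftpd(8) and the net.inet.ip.portrange sysctls on the box), otherwise passive transfers break again exactly as in the post.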