Date: Sun, 17 Oct 1999 15:54:10 -0400
From: "Ken Kyler" <ken@kyler.com>
To: "Francisco Reyes" <fran@reyes.somos.net>
Cc: "FreeBSD questions" <questions@freebsd.org>
Subject: RE: Firewalls for Morons
Message-ID: <001501bf18d9$60f98b80$0200a8c0@cheat>
In-Reply-To: <199910171804.OAA24082@sanson.reyes.somos.net>
<snip>

> One thing at a time.
> Ping uses ICMP packets which the "simple" setup doesn't allow by default.
>
> Add to /etc/rc.firewall
> #Allow pinging
> ${fwcmd} add pass icmp from any to any
>
> After that try pinging again and check if you can ping from the
> FreeBSD box to the outside world and if you
> can ping from the internal network to the FreeBSD box.

Did that - didn't change anything. Don't know if this has anything to do
with anything, but the following line appears when I boot...

"IP packet filtering initialized, divert enabled, rule-based forwarding
disabled, default to accept, unlimited logging"

btw, pardon the stupid question - but which file holds the log?

> Again simple is somewhat closed, but some services should work.
> If nothing works I tend to think the
> variables to your interfaces may not have been set properly.

here's the guts of the rc.firewall file

# set these to your outside interface network and netmask and ip
oif="fxp0"
onet="aaa.bbb.cc.0"
omask="255.255.255.0"
oip="aaa.bb.cc.dd"

# set these to your inside interface network and netmask and ip
iif="xl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

# log everything
$fwcmd add allow log ip from any to any

# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
#$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
#$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established

# Allow Ping
$fwcmd add pass icmp from any to any

# Allow setup of incoming email
$fwcmd add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup

# Allow access to our WWW
$fwcmd add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
#$fwcmd add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup

# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53

# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123

# Everything else is denied as default.

> After you add the icmp line then try to get ping working from
> your internal network to your FreeBSD and
> from the FreeBSD to the outside world. Once that is working then
> you can try to get the rest of things to
> work.

still no joy... :(

Ken
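To see why rule order matters in the ruleset above, here is a small Python model of ipfw's first-match evaluation. It is an added example, not code from the thread or from FreeBSD; it encodes only a handful of the posted rules, ignores the "log" keyword, uses the constructed address 203.0.113.10 in place of aaa.bb.cc.dd, and shows that the leading "allow log ip from any to any" rule matches every packet, so the anti-spoofing deny rules below it can never fire, and that anything no rule matches falls through to the "default to accept" reported at boot.

```python
# Added example: minimal model of ipfw first-match rule evaluation,
# used to audit the rule order of the posted rc.firewall.
from ipaddress import ip_address, ip_network

OIF, IIF = "fxp0", "xl0"
OIP = "203.0.113.10"                        # constructed stand-in for aaa.bb.cc.dd
INET, ONET = "192.168.0.0/24", "203.0.113.0/24"

def in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)

def matches(rule, pkt):
    """Every attribute a rule specifies must agree with the packet."""
    if rule["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    if not in_net(pkt["src"], rule.get("src", "any")):
        return False
    if not in_net(pkt["dst"], rule.get("dst", "any")):
        return False
    for key in ("dport", "setup", "established", "via", "dir"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return True

def first_match(rules, pkt, default="accept"):
    """ipfw semantics: the first matching rule decides, else the kernel default."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return number, rule["action"]
    return None, default

# The posted order, reduced to the rules relevant to the spoofing check.
POSTED = [
    {"action": "allow", "proto": "ip"},                                    # "log everything"
    {"action": "deny", "proto": "all", "src": INET, "via": OIF, "dir": "in"},  # anti-spoof
    {"action": "deny", "proto": "all", "src": ONET, "via": IIF, "dir": "in"},
    {"action": "pass", "proto": "tcp", "established": True},
    {"action": "pass", "proto": "icmp"},
    {"action": "pass", "proto": "tcp", "dst": OIP, "dport": 25, "setup": True},
]

# Constructed packet: an internal source address arriving on the OUTSIDE interface.
SPOOFED = {"proto": "tcp", "src": "192.168.0.7", "dst": OIP, "dport": 25,
           "setup": True, "via": OIF, "dir": "in"}

def audit(rules):
    """(rule number, action) that the spoofed packet hits under the given order."""
    return first_match(rules, SPOOFED)

if __name__ == "__main__":
    print("as posted:         ", audit(POSTED))       # (1, 'allow')
    print("catch-all removed: ", audit(POSTED[1:]))   # (1, 'deny')
```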