Date:      Sun, 17 Oct 1999 15:54:10 -0400
From:      "Ken Kyler" <ken@kyler.com>
To:        "Francisco Reyes" <fran@reyes.somos.net>
Cc:        "FreeBSD questions" <questions@freebsd.org>
Subject:   RE: Firewalls for Morons
Message-ID:  <001501bf18d9$60f98b80$0200a8c0@cheat>
In-Reply-To: <199910171804.OAA24082@sanson.reyes.somos.net>

<snip>

> One thing at a time.
> Ping uses ICMP packets which the "simple" setup doesn't allow by default.
>
> Add to /etc/rc.firewall
> #Allow pinging
> ${fwcmd} add pass icmp from any to any
>
> After that try pinging again and check if you can ping from the
> FreeBSD box the outside world and if you
> can ping from the internal network to the FreeBSD box.

Did that - didn't change anything.

Don't know if this has anything to do with anything, but the following line
appears when I boot...

"IP packet filtering initialized, divert enabled, rule-based forwarding
disabled, default to accept, unlimited logging"

btw, pardon the stupid question - but which file holds the log?

> Again simple is somewhat closed, but some services should work.
> If nothing works I tend to think the
> variables to your interfaces may not have been set properly.

Here's the guts of the rc.firewall file:

    # set these to your outside interface network and netmask and ip
    oif="fxp0"
    onet="aaa.bbb.cc.0"
    omask="255.255.255.0"
    oip="aaa.bb.cc.dd"

    # set these to your inside interface network and netmask and ip
    iif="xl0"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"

    # log everything
    $fwcmd add allow log ip from any to any

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    #$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    #$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow Ping
    $fwcmd add pass icmp from any to any

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    #$fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.


> After you add the icmp line then try to get ping working from
> your internal network to your FreeBSD and
> from the FreeBSD to the outside world. Once that is working then
> you can try to get the rest of thing to
> work.

still no joy... :(

Ken
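An added example, not part of Ken's or Francisco's messages: a small first-match evaluator for the subset of ipfw(8) rule syntax used in the posted rc.firewall, with the posted rules loaded in order. Two things fall out of running it. First, the "log everything" rule at the top is an `allow` rule, and ipfw stops at the first match, so every rule after it (including the anti-spoofing denies) is dead; a packet claiming an inside source address but arriving on the outside interface is accepted at rule 100 instead of being dropped at rule 200. Second, ICMP from the inside network reaches an `allow` rule whether or not that first rule is present, so the rule set itself is not what stops ping. The boot banner quoted above says "default to accept", which means the kernel's implicit last rule accepts rather than denies, contrary to the trailing "Everything else is denied" comment; the evaluator takes that default as a parameter. The outside addresses (203.0.113.0/24), the packets, and the rule numbers are constructed for illustration.

```python
"""Added example (not from the original e-mail): first-match evaluation of a
subset of ipfw(8) rule syntax, to show rule 100 shadowing the rules below it.
Outside addresses and sample packets are constructed for illustration."""
import ipaddress

# Variables from the posted rc.firewall; outside values are placeholders.
VARS = {"oif": "fxp0", "onet": "203.0.113.0", "omask": "255.255.255.0",
        "oip": "203.0.113.10", "iif": "xl0", "inet": "192.168.0.0",
        "imask": "255.255.255.0", "iip": "192.168.0.1"}

def expand(line):
    for k, v in VARS.items():
        line = line.replace("${%s}" % k, v)
    return line

def parse_addr(tok):
    """'any' -> None; 'a.b.c.d' or 'a.b.c.d:mask' -> ip_network."""
    if tok == "any":
        return None
    if ":" in tok:
        ip, mask = tok.split(":")
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return ipaddress.ip_network(tok)

def parse_rule(num, text):
    """Parse 'add <action> [log] <proto> from A [port] to B [port] [opts]'."""
    toks = expand(text).split()
    assert toks[0] == "add"
    i, action, log = 1, toks[1], False
    i += 1
    if toks[i] == "log":
        log, i = True, i + 1
    proto, i = toks[i], i + 1
    assert toks[i] == "from"
    src, i = parse_addr(toks[i + 1]), i + 2
    sport = None
    if toks[i] != "to":
        sport, i = int(toks[i]), i + 1
    assert toks[i] == "to"
    dst, i = parse_addr(toks[i + 1]), i + 2
    dport = None
    opts = {"dir": None, "via": None, "setup": False, "established": False}
    while i < len(toks):
        t = toks[i]
        if t.isdigit() and dport is None:
            dport = int(t)
        elif t in ("in", "out"):
            opts["dir"] = t
        elif t == "via":
            i += 1
            opts["via"] = toks[i]
        elif t in ("setup", "established"):
            opts[t] = True
        else:
            raise ValueError(f"unsupported token {t!r} in rule {num}")
        i += 1
    return {"num": num, "action": "deny" if action == "deny" else "allow",
            "log": log, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, **opts}

def matches(rule, pkt):
    if rule["proto"] not in ("ip", "all") and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["sport"] is not None and pkt.get("sport") != rule["sport"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    # setup = SYN without ACK; established = ACK or RST set (ipfw semantics)
    if rule["setup"] and not (pkt.get("syn") and not pkt.get("ack")):
        return False
    if rule["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True

def evaluate(rules, pkt, default="allow"):
    """First matching rule decides; the implicit rule 65535 applies otherwise.
    The poster's kernel banner says 'default to accept', hence default='allow'."""
    for r in rules:
        if matches(r, pkt):
            return r["num"], r["action"], r["log"]
    return 65535, default, False

# The posted rule set, in posted order, numbered 100, 200, ... as ipfw would.
POSTED = [
    "add allow log ip from any to any",  # the 'log everything' rule
    "add deny all from ${inet}:${imask} to any in via ${oif}",
    "add deny all from ${onet}:${omask} to any in via ${iif}",
    "add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}",
    "add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}",
    "add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}",
    "add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}",
    "add pass tcp from any to any established",
    "add pass icmp from any to any",
    "add pass tcp from any to ${oip} 25 setup",
    "add pass tcp from any to ${oip} 53 setup",
    "add pass tcp from any to ${oip} 80 setup",
    "add pass tcp from any to any setup",
    "add pass udp from any 53 to ${oip}",
    "add pass udp from ${oip} to any 53",
    "add pass udp from any 123 to ${oip}",
    "add pass udp from ${oip} to any 123",
]
RULES = [parse_rule(100 * (n + 1), t) for n, t in enumerate(POSTED)]

def spoofed_packet():
    # constructed: inside source address arriving on the OUTSIDE interface
    return {"proto": "tcp", "src": "192.168.0.5", "dst": "203.0.113.10",
            "dport": 25, "dir": "in", "iface": "fxp0", "syn": True}

def decide_posted():
    return evaluate(RULES, spoofed_packet())       # (100, 'allow', True)

def decide_without_log_rule():
    return evaluate(RULES[1:], spoofed_packet())   # (200, 'deny', False)

def ping_from_inside():
    # constructed: echo request from the LAN to the inside interface address
    pkt = {"proto": "icmp", "src": "192.168.0.5", "dst": "192.168.0.1",
           "dir": "in", "iface": "xl0"}
    return evaluate(RULES, pkt), evaluate(RULES[1:], pkt)

if __name__ == "__main__":
    print("spoof, posted order:   ", decide_posted())
    print("spoof, rule 100 removed:", decide_without_log_rule())
    print("ping from inside:      ", ping_from_inside())
```

The design point for a defender is that ipfw logging is a flag on a rule, not a separate rule: `allow log ip from any to any` both logs and accepts, so a logging rule meant to observe traffic must either be a `count` rule or sit at the end. Once the accept-all is out of the way, the same evaluator shows the anti-spoofing denies doing their job.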
