From owner-freebsd-questions Sun Oct 17 12:54:24 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from dbasecentral.com (prod1.dbasecentral.com [205.243.161.30]) by hub.freebsd.org (Postfix) with ESMTP id A740014A2D for ; Sun, 17 Oct 1999 12:54:20 -0700 (PDT) (envelope-from ken@kyler.com)
Received: from cheat (adsl-151-200-15-77.bellatlantic.net [151.200.15.77]) by dbasecentral.com (8.9.3/8.9.3) with SMTP id OAA32505; Sun, 17 Oct 1999 14:51:21 -0500
From: "Ken Kyler"
To: "Francisco Reyes"
Cc: "FreeBSD questions"
Subject: RE: Firewalls for Morons
Date: Sun, 17 Oct 1999 15:54:10 -0400
Message-ID: <001501bf18d9$60f98b80$0200a8c0@cheat>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
In-Reply-To: <199910171804.OAA24082@sanson.reyes.somos.net>
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> One thing at a time.
> Ping uses ICMP packets which the "simple" setup doesn't allow by default.
>
> Add to /etc/rc.firewall
> #Allow pinging
> ${fwcmd} add pass icmp from any to any
>
> After that try pinging again and check if you can ping from the
> FreeBSD box the outside world and if you
> can ping from the internal network to the FreeBSD box.

Did that - didn't change anything.

Don't know if this has anything to do with anything, but the following line
appears when I boot...

"IP packet filtering initialized, divert enabled, rule-based forwarding
disabled, default to accept, unlimited logging"

btw, pardon the stupid question - but which file holds the log?

> Again simple is somewhat closed, but some services should work.
> If nothing works I tend to think the
> variables to your interfaces may not have been set properly.

Here's the guts of the rc.firewall file:

    # set these to your outside interface network and netmask and ip
    oif="fxp0"
    onet="aaa.bbb.cc.0"
    omask="255.255.255.0"
    oip="aaa.bb.cc.dd"

    # set these to your inside interface network and netmask and ip
    iif="xl0"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"

    # log everything
    $fwcmd add allow log ip from any to any

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    #$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    #$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow Ping
    $fwcmd add pass icmp from any to any

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    #$fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.

> After you add the icmp line then try to get ping working from
> your internal network to your FreeBSD and
> from the FreeBSD to the outside world. Once that is working then
> you can try to get the rest of thing to
> work.

still no joy... :(

Ken

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
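An added illustration of how ipfw evaluates a rule set like the one posted above; this is example code written for this page, not part of the original message and not FreeBSD's own ipfw implementation. ipfw is first-match: the first rule a packet matches decides its fate, so an early rule such as "allow log ip from any to any" with no restrictions at all is taken for every packet, and the anti-spoofing and RFC1918 deny rules listed after it can never fire. The script below models a small subset of the ipfw syntax used in the posted rules (the TCP "setup"/"established" options are reduced to a single constructed flag on the packet), substitutes constructed documentation-prefix addresses for the aaa.bbb.cc.* values that are not on the page, and runs a few constructed packets through the rule list both as posted and with the catch-all first rule removed.

```python
import ipaddress
import re

# Constructed stand-ins for the shell variables in the posted rc.firewall.
# The real outside addresses (aaa.bbb.cc.*) are not on the page.
VARS = {
    "oif": "fxp0", "onet": "203.0.113.0", "omask": "255.255.255.0", "oip": "203.0.113.10",
    "iif": "xl0", "inet": "192.168.0.0", "imask": "255.255.255.0", "iip": "192.168.0.1",
}

# The active rule lines from the posted file, in the posted order
# (comment lines and the two commented-out rules omitted).
RULES_TEXT = """
$fwcmd add allow log ip from any to any
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add pass tcp from any to any established
$fwcmd add pass icmp from any to any
$fwcmd add pass tcp from any to ${oip} 25 setup
$fwcmd add pass tcp from any to ${oip} 53 setup
$fwcmd add pass tcp from any to ${oip} 80 setup
$fwcmd add pass tcp from any to any setup
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123
"""

def expand(line):
    """Substitute ${var} / $var with the constructed VARS; unknown names stay as-is."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: VARS.get(m.group(1), m.group(0)), line)

def parse_addr(tok):
    """'any' -> None (matches everything); 'a.b.c.d' or 'a.b.c.d:mask' -> network."""
    if tok == "any":
        return None
    if ":" in tok:
        net, mask = tok.split(":")
        return ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ipaddress.ip_network(f"{tok}/32")

def parse_rule(line):
    """Parse the subset '$fwcmd add ACTION [log] PROTO from SRC [port] to DST [port] [in|out] [via IF] [setup|established]'."""
    toks = expand(line).split()
    assert toks[:2] == ["$fwcmd", "add"], line
    toks = toks[2:]
    rule = {"action": toks.pop(0), "log": False, "sport": None, "dport": None,
            "dir": None, "via": None, "flags": None}
    if toks[0] == "log":
        rule["log"] = True
        toks.pop(0)
    rule["proto"] = toks.pop(0)
    assert toks.pop(0) == "from"
    rule["src"] = parse_addr(toks.pop(0))
    if toks and toks[0].isdigit():
        rule["sport"] = int(toks.pop(0))
    assert toks.pop(0) == "to"
    rule["dst"] = parse_addr(toks.pop(0))
    if toks and toks[0].isdigit():
        rule["dport"] = int(toks.pop(0))
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "via":
            rule["via"] = toks.pop(0)
        elif t in ("setup", "established"):
            rule["flags"] = t
        else:
            raise ValueError(f"unsupported option {t!r} in: {line}")
    return rule

def matches(rule, pkt):
    """Simplified match: 'setup' = packet flagged tcp='syn', 'established' = tcp='ack'."""
    if rule["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    for side, port in (("src", "sport"), ("dst", "dport")):
        if rule[side] is not None and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
        if rule[port] is not None and pkt.get(port) != rule[port]:
            return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    if rule["flags"] == "setup" and pkt.get("tcp") != "syn":
        return False
    if rule["flags"] == "established" and pkt.get("tcp") != "ack":
        return False
    return True

def decide(rules, pkt):
    """First-match evaluation: (1-based index, action) of the deciding rule, or (None, 'default')."""
    for i, r in enumerate(rules, 1):
        if matches(r, pkt):
            return i, r["action"]
    return None, "default"   # no rule hit: the kernel default ("default to accept" here) applies

def shadowed_by_catch_all(rules):
    """1-based indices of rules that can never be reached because an earlier rule has no restrictions."""
    keys = ("src", "sport", "dst", "dport", "dir", "via", "flags")
    for i, r in enumerate(rules, 1):
        if r["proto"] in ("ip", "all") and all(r[k] is None for k in keys):
            return list(range(i + 1, len(rules) + 1))
    return []

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

# Constructed packets: an inside-address packet arriving on the outside interface,
# an ICMP echo from outside, and an unsolicited SYN to port 22 from outside.
SPOOFED = {"proto": "tcp", "src": "192.168.0.5", "dst": "203.0.113.10", "dport": 80,
           "dir": "in", "iface": "fxp0", "tcp": "syn"}
PING_IN = {"proto": "icmp", "src": "198.51.100.7", "dst": "203.0.113.10", "dir": "in", "iface": "fxp0"}
SSH_SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22,
           "dir": "in", "iface": "fxp0", "tcp": "syn"}

if __name__ == "__main__":
    print("shadowed rules:", shadowed_by_catch_all(RULES))
    for name, pkt in (("spoofed", SPOOFED), ("ping", PING_IN), ("ssh syn", SSH_SYN)):
        print(f"{name:8s} as posted -> {decide(RULES, pkt)}   without rule 1 -> {decide(RULES[1:], pkt)}")
```

With the rule list as posted, every packet stops at rule 1 (allow). Dropping that first line lets the anti-spoofing rule deny the inside-address packet on the outside interface and lets the ICMP rule pass the ping; the unsolicited SYN to port 22 is then passed by "pass tcp from any to any setup", because the "Reject&Log all setup of incoming connections" line that would have caught it first is commented out in the posted file.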