Date:      Sun, 17 Oct 1999 16:16:28 -0400
From:      "Francisco Reyes" <fran@reyes.somos.net>
To:        "Ken Kyler" <ken@kyler.com>
Cc:        "FreeBSD questions" <questions@freebsd.org>
Subject:   RE: Firewalls for Morons
Message-ID:  <199910172015.QAA24290@sanson.reyes.somos.net>

On Sun, 17 Oct 1999 15:54:10 -0400, Ken Kyler wrote:

>> Add to /etc/rc.firewall
>> #Allow pinging
>> ${fwcmd} add pass icmp from any to any
>>
>> After that try pinging 
>Did that - didn't change anything.

After you change your rc.firewall how are you re-initialising the firewall?
One way is to "cd /etc; sh rc.firewall"

>"IP packet filtering initialized, divert enabled, rule-based forwarding
>disabled, default to accept, unlimited logging"

That seems ok. Also as far as I understand the "default accept" means that you setup your firewall to 
accept any packet which was not trapped by a rule. This also implies that one of your rules must be 
screwing you up or there is still something wrong with the way the setup for the variables is done.


>btw, pardon the stupid question - but which file holds the log?

/var/log/messages

>> Again simple is somewhat closed, but some services should work.
>> If nothing works I tend to think the
>> variables to your interfaces may not have been set properly.
>
>here's the guts of the rc.firewall file
>
>    # set these to your outside interface network and netmask and ip
>    oif="fxp0"
>    onet="aaa.bbb.cc.0"
>    omask="255.255.255.0"
>    oip="aaa.bb.cc.dd"
>
>    # set these to your inside interface network and netmask and ip
>    iif="xl0"
>    inet="192.168.0.0"
>    imask="255.255.255.0"
>    iip="192.168.0.1"


Are the cards up? Check with ifconfig -a
Are you connected to the net through ethernet? fxp0 sounds familiar, but not xl0. What is xl0?

>    # log everything
>    $fwcmd add allow log ip from any to any

Good. That should allow all traffic through.

>    # Stop spoofing
>    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
>    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
>    # Stop RFC1918 nets on the outside interface
>    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
>    #$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
>    #$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

Note that your internal network is 192.168, so you would want to comment those lines instead of the 10.0 
from my example.

With that "allow from any to any" I would tend to think that your problem must be either one of your 
cards is not up or you are copying something wrong when typing the addresses in the rc.firewall 
variables initialization.
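The two diagnoses in this reply (a rule that shadows the others, and interface variables that were never set) can be checked without a FreeBSD box. The following Python is an added example, not code from the thread or from FreeBSD's rc.firewall: a small first-match simulator for only the rule forms quoted above. It assumes `fwcmd` expands to `ipfw`, substitutes the 203.0.113.0/24 documentation range for the `aaa.bbb.cc.dd` placeholders, and models the kernel's "default to accept" banner as a default allow. It shows that with `allow log ip from any to any` as the first rule, a packet claiming an inside source address on the outside interface is accepted at rule 1 and the anti-spoofing rule never runs, and that with `inet`/`imask` unset the anti-spoofing rule collapses to `from : to any`, which is not a valid address.

```python
# Added example (not from the mailing-list thread): a small first-match
# simulator for the subset of ipfw rule syntax quoted above. It shows why
# an "allow ip from any to any" placed first shadows every deny rule after
# it, and what the anti-spoofing rule degenerates into when the interface
# variables were never set.
import ipaddress
import re

# Constructed stand-ins for the quoted rc.firewall variables. The outside
# addresses use the 203.0.113.0/24 documentation range in place of the
# aaa.bbb.cc.dd placeholders in the original mail.
FW_VARS = {
    "fwcmd": "ipfw",
    "oif": "fxp0", "onet": "203.0.113.0", "omask": "255.255.255.0", "oip": "203.0.113.5",
    "iif": "xl0", "inet": "192.168.0.0", "imask": "255.255.255.0", "iip": "192.168.0.1",
}

# The rule lines as quoted in the thread, in their original order.
RC_FIREWALL_RULES = [
    "$fwcmd add allow log ip from any to any",
    "$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}",
    "$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}",
    "$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}",
    "$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}",
    "$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}",
    "$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}",
]

# Only the rule forms used above are modelled:
#   [cmd] add ACTION [log] PROTO from ADDR to ADDR [in|out] [via IFACE]
RULE_RE = re.compile(
    r"^(?:\S+\s+)?add\s+(?P<action>allow|pass|deny)(?:\s+log)?"
    r"\s+(?P<proto>ip|all|icmp|tcp|udp)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<via>\S+))?$"
)


def expand(line, variables):
    """Substitute $var / ${var} the way sh does: an unset variable becomes ""."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: variables.get(m.group(1), ""), line)


def parse_addr(spec):
    """'any' -> None; 'net:mask' or a bare host -> ip_network."""
    if spec == "any":
        return None
    if ":" in spec:
        net, mask = spec.split(":", 1)
        if not net or not mask:
            raise ValueError(f"empty address or mask in {spec!r}; was a variable left unset?")
        return ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ipaddress.ip_network(f"{spec}/32")


def parse_rule(line, variables=FW_VARS):
    """Expand shell variables, then parse the rule into a dict of match fields."""
    text = expand(line, variables).strip()
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule after expansion: {text!r}")
    rule = m.groupdict()
    rule["action"] = "allow" if rule["action"] == "pass" else rule["action"]
    rule["src"] = parse_addr(rule["src"])
    rule["dst"] = parse_addr(rule["dst"])
    return rule


def matches(rule, pkt):
    """True if every field the rule specifies agrees with the packet."""
    if rule["proto"] not in ("ip", "all") and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if rule[side] is not None and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
    if rule["dir"] is not None and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] is not None and rule["via"] != pkt["iface"]:
        return False
    return True


def evaluate(rule_lines, pkt, variables=FW_VARS, default="allow"):
    """First matching rule wins, as in ipfw; returns (action, rule number).
    `default` models the kernel's 'default to accept' banner from the thread."""
    for number, line in enumerate(rule_lines, start=1):
        rule = parse_rule(line, variables)
        if matches(rule, pkt):
            return rule["action"], number
    return default, None


# Constructed packet: claims an inside source address but arrives on the
# outside interface, exactly what the first anti-spoofing rule targets.
SPOOFED = {"proto": "tcp", "src": "192.168.0.7", "dst": "203.0.113.5",
           "dir": "in", "iface": "fxp0"}


def as_quoted():
    """Rule order as posted: the allow-everything rule answers first."""
    return evaluate(RC_FIREWALL_RULES, SPOOFED)


def allow_all_last():
    """Same rules with the allow-everything rule moved to the end."""
    reordered = RC_FIREWALL_RULES[1:] + RC_FIREWALL_RULES[:1]
    return evaluate(reordered, SPOOFED)


def unset_variable_error():
    """What the anti-spoofing rule turns into when inet/imask were never set."""
    partial = {k: v for k, v in FW_VARS.items() if k not in ("inet", "imask")}
    try:
        parse_rule(RC_FIREWALL_RULES[1], partial)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("as quoted:      ", as_quoted())
    print("allow-all last: ", allow_all_last())
    print("unset variables:", unset_variable_error())
```

The "allow everything" rule is fine as a temporary debugging step, which is how the reply uses it, but as long as it stays first the anti-spoofing and RFC 1918 deny rules below it are dead code; the simulator returns `('allow', 1)` for the spoofed packet in the posted order and `('deny', 1)` once that rule is moved last. The unset-variable case is the other diagnosis in the reply: `from ${inet}:${imask}` expands to `from :`, so the real ipfw would reject the line when rc.firewall is run.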



