From: "Francisco Reyes" <fran@reyes.somos.net>
To: "Ken Kyler"
Cc: "FreeBSD questions" <freebsd-questions@freebsd.org>
Date: Sun, 17 Oct 1999 16:16:28 -0400
Message-Id: <199910172015.QAA24290@sanson.reyes.somos.net>
Subject: RE: Firewalls for Morons

On Sun, 17 Oct 1999 15:54:10 -0400, Ken Kyler wrote:

>> Add to /etc/rc.firewall
>> #Allow pinging
>> ${fwcmd} add pass icmp from any to any
>>
>> After that try pinging

> Did that - didn't change anything.

After you change your rc.firewall, how are you re-initialising the firewall?
One way is to "cd /etc; sh rc.firewall".

> "IP packet filtering initialized, divert enabled, rule-based forwarding
> disabled, default to accept, unlimited logging"

That seems ok. Also, as far as I understand, the "default accept" means that you set up your firewall to accept any packet which was not trapped by a rule. This also implies that one of your rules must be screwing you up, or there is still something wrong with the way the setup for the variables is done.

> btw, pardon the stupid question - but which file holds the log?

/var/log/messages

>> Again simple is somewhat closed, but some services should work.
>> If nothing works I tend to think the
>> variables to your interfaces may not have been set properly.
>
> here's the guts of the rc.firewall file
>
> # set these to your outside interface network and netmask and ip
> oif="fxp0"
> onet="aaa.bbb.cc.0"
> omask="255.255.255.0"
> oip="aaa.bb.cc.dd"
>
> # set these to your inside interface network and netmask and ip
> iif="xl0"
> inet="192.168.0.0"
> imask="255.255.255.0"
> iip="192.168.0.1"

Are the cards up? Check with ifconfig -a.
Are you connected to the net through ethernet? fxp0 sounds familiar, but not xl0. What is xl0?

> # log everything
> $fwcmd add allow log ip from any to any

Good. That should allow all traffic through.

> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> #$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> #$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

Note that your internal network is 192.168, so you would want to comment those lines instead of the 10.0 ones from my example.

With that "allow from any to any" I would tend to think that your problem must be either that one of your cards is not up, or that you are copying something wrong when typing the addresses in the rc.firewall variable initialization.
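A worked example added here, not part of the thread and not FreeBSD's own code: a small POSIX sh simulation of how ipfw walks a rule list. ipfw checks rules in ascending number order and the first allow or deny that matches decides the packet's fate; a packet that matches no rule gets the kernel default, which on this box is "default to accept" according to the boot message quoted above. The script runs the posted rule set and then the same rules with the blanket allow moved to the end, against a few constructed packets. Interface names and the inside network come from the thread; the public range 203.0.113.0/24 and the addresses 198.51.100.7 and 203.0.113.10 are assumed stand-ins for the redacted aaa.bbb.cc.0 values. Only the fields these rules use (source, destination, direction, interface) are modelled; it is a simulation, not ipfw.

```shell
#!/bin/sh
# Added example, not from the original thread: a tiny first-match
# evaluator for ipfw-style rules, used to show why the ORDER of the
# rules in rc.firewall matters.  ipfw walks its rules in ascending
# number order and the first allow/deny that matches decides; a packet
# that matches nothing gets the kernel default ("default to accept"
# in the boot message quoted in the thread).
#
# Rule format understood here (one rule per line):
#     <allow|deny> <src|any> <dst|any> <in|out|any> <iface|any>
# where src/dst are net:mask as in the thread.  Only these fields are
# modelled; this is a simulation, not ipfw.

# Interface names are from the thread; the public range is ASSUMED
# (TEST-NET-3) in place of the redacted aaa.bbb.cc.0.
oif=fxp0;  onet=203.0.113.0;  omask=255.255.255.0;  oip=203.0.113.10
iif=xl0;   inet=192.168.0.0;  imask=255.255.255.0;  iip=192.168.0.1

# Rules in the order posted: blanket allow first, anti-spoofing after it.
posted_rules="allow any any any any
deny $inet:$imask any in $oif
deny $onet:$omask any in $iif
deny 192.168.0.0:255.255.0.0 any any $oif
deny any 192.168.0.0:255.255.0.0 any $oif"

# Same rules, denies first and the blanket allow last.
fixed_rules="deny $inet:$imask any in $oif
deny $onet:$omask any in $iif
deny 192.168.0.0:255.255.0.0 any any $oif
deny any 192.168.0.0:255.255.0.0 any $oif
allow any any any any"

# The denies alone, to show what "default to accept" does.
deny_only_rules=${fixed_rules%"allow any any any any"}

# Dotted quad -> 32-bit integer.
ip2int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is address $1 inside network $2 with netmask $3?
in_net() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq \
      $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Does address $1 satisfy rule spec $2 ("any" or net:mask)?
addr_match() {
    if [ "$2" = any ]; then return 0; fi
    in_net "$1" "${2%%:*}" "${2#*:}"
}

# first_match RULES SRC DST DIR IFACE: print the action of the first
# rule that matches, or "default-accept" when none does.
first_match() {
    hit=$(printf '%s\n' "$1" | while read -r action rsrc rdst rdir riface; do
        [ -n "$action" ] || continue
        if [ "$rdir" != any ] && [ "$rdir" != "$4" ]; then continue; fi
        if [ "$riface" != any ] && [ "$riface" != "$5" ]; then continue; fi
        addr_match "$2" "$rsrc" || continue
        addr_match "$3" "$rdst" || continue
        echo "$action"
        break
    done)
    echo "${hit:-default-accept}"
}

# Constructed packets.  A spoofed one: an RFC1918 source arriving on the
# OUTSIDE interface, which the "Stop spoofing" rule is meant to drop.
spoofed_as_posted() { first_match "$posted_rules" 192.168.0.5 "$oip" in "$oif"; }
spoofed_as_fixed()  { first_match "$fixed_rules"  192.168.0.5 "$oip" in "$oif"; }
# Ordinary inbound traffic from a public address.
public_as_fixed()   { first_match "$fixed_rules"  198.51.100.7 "$oip" in "$oif"; }
# An inside host going out via xl0 with no allow rule at all: nothing
# matches, so the kernel's default applies.
inside_out_no_allow() { first_match "$deny_only_rules" "$iip" 198.51.100.7 out "$iif"; }

printf 'spoofed packet, rules as posted: %s\n' "$(spoofed_as_posted)"
printf 'spoofed packet, denies first:    %s\n' "$(spoofed_as_fixed)"
printf 'public packet, denies first:     %s\n' "$(public_as_fixed)"
printf 'inside->out, denies only:        %s\n' "$(inside_out_no_allow)"
```

With the rules as posted, the spoofed packet is accepted by the first rule and the anti-spoofing denies below it are never consulted; with the denies first and the blanket allow last, the same packet is dropped while ordinary public traffic still passes. On the real machine, `ipfw show` lists the rules with their packet and byte counters, which is the quickest way to see which rule is actually catching traffic after `sh /etc/rc.firewall` has been re-run.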