Date:      Tue, 10 Jul 2001 05:49:54 -0400 (EDT)
From:      Francisco Reyes <lists@natserv.com>
To:        <freebsd-security@FreeBSD.ORG>
Subject:   Cant ping/nslookup
Message-ID:  <20010710005648.F21477-100000@zoraida.natserv.net>
In-Reply-To: <20010702082234.A3842@freebie.xs4all.nl>

setup:
client --> fxp0 (internal NIC FBSD) --> ed0 (external NIC)

I am trying to find why an internal machine/client can't ping or do
nslookups on my home network.

I used sample rules I found in the archives to let icmp/dns through, but
they failed to let the client ping or do dns lookups.

I added the "log" option to all my deny statements, yet I don't see any
entries in /var/log/security after I try to ping an external machine from
the internal client and it fails.

ipfw list|grep deny
00200 deny log logamount 50 ip from any to 127.0.0.0/8
00300 deny log logamount 50 ip from 127.0.0.0/8 to any
02100 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
02200 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
02300 deny log logamount 50 ip from any to 10.0.0.0/8 via ed0
02400 deny log logamount 50 ip from any to 172.16.0.0/12 via ed0
02500 deny log logamount 50 ip from any to 0.0.0.0/8 via ed0
02600 deny log logamount 50 ip from any to 169.254.0.0/16 via ed0
02700 deny log logamount 50 ip from any to 192.0.2.0/24 via ed0
02800 deny log logamount 50 ip from any to 224.0.0.0/4 via ed0
02900 deny log logamount 50 ip from any to 240.0.0.0/4 via ed0
03100 deny log logamount 50 ip from 10.0.0.0/8 to any via ed0
03200 deny log logamount 50 ip from 172.16.0.0/12 to any via ed0
03300 deny log logamount 50 ip from 0.0.0.0/8 to any via ed0
03400 deny log logamount 50 ip from 169.254.0.0/16 to any via ed0
03500 deny log logamount 50 ip from 192.0.2.0/24 to any via ed0
03600 deny log logamount 50 ip from 224.0.0.0/4 to any via ed0
03700 deny log logamount 50 ip from 240.0.0.0/4 to any via ed0
05000 deny log logamount 50 tcp from any to any in recv ed0 setup
05400 deny log logamount 50 ip from any to any
65535 deny ip from any to any

Any ideas why failed connections are not logged even though all deny
clauses have the log option?

Since I couldn't get the "log" parameter to help I then tried to add
rules to let everything through:
00100 allow ip from any to any via lo0
00150 allow icmp from any to any
00160 allow ip from any to any

That still didn't help.

If I set the firewall to open in rc.conf then the client machine can ping
and do dns lookups.

Any thoughts?
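As an added illustration, not part of the original post: a small Python tracer that walks a packet through the ipfw rules quoted above in first-match order, so you can see which rule the client's ICMP echo request actually hits on its way in through fxp0, and whether that rule carries the `log` flag. The client address 192.168.10.5 and the external destination 198.51.100.53 are constructed, and the parser covers only the rule syntax that appears in this message.

```python
import ipaddress

def parse_rule(line):
    """Parse one `ipfw list` line of the subset used in this thread."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "log": t[2] == "log",
         "dir": None, "recv": None, "via": None, "setup": False}
    i = 5 if t[3] == "logamount" else 3 if r["log"] else 2  # skip "log [logamount N]"
    r["proto"], r["src"], r["dst"] = t[i], t[i + 2], t[i + 4]  # PROTO from SRC to DST
    opts = iter(t[i + 5:])
    for o in opts:
        if o in ("in", "out"):
            r["dir"] = o
        elif o in ("recv", "via"):
            r[o] = next(opts)
        elif o == "setup":
            r["setup"] = True
    return r

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, p):
    # "via IF" is the interface the packet travels through: the receive
    # interface when inbound, the transmit interface when outbound.
    iface = p["recv_if"] if p["dir"] == "in" else p["xmit_if"]
    return (r["proto"] in ("ip", p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r["dir"] in (None, p["dir"]) and r["recv"] in (None, p["recv_if"])
            and r["via"] in (None, iface) and (not r["setup"] or p.get("setup", False)))

def first_match(rules, packet):
    """First-match walk of the numbered ruleset: (number, action, logged)."""
    for r in sorted(map(parse_rule, rules), key=lambda r: r["num"]):
        if matches(r, packet):
            return r["num"], r["action"], r["log"]
    return 65535, "deny", False

# Rules quoted from the post (abbreviated) and the allow rules it then tried.
DENY_RULES = ["00200 deny log logamount 50 ip from any to 127.0.0.0/8",
              "02100 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0",
              "05000 deny log logamount 50 tcp from any to any in recv ed0 setup",
              "05400 deny log logamount 50 ip from any to any",
              "65535 deny ip from any to any"]
ALLOW_RULES = ["00100 allow ip from any to any via lo0", "00150 allow icmp from any to any"]
# Constructed packet: an echo request from a LAN client arriving on fxp0.
PING_IN = {"proto": "icmp", "src": "192.168.10.5", "dst": "198.51.100.53",
           "dir": "in", "recv_if": "fxp0", "xmit_if": None}
print(first_match(DENY_RULES, PING_IN), first_match(DENY_RULES + ALLOW_RULES, PING_IN))
```

The tracer only reports whether the matching rule carries the `log` flag; ipfw itself writes a syslog entry for such a match only while the net.inet.ip.fw.verbose sysctl is set to 1.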

