From owner-freebsd-questions Thu Mar 29 19:57:25 2001 Delivered-To: freebsd-questions@freebsd.org Received: from pioneernet.net (mail.pioneernet.net [208.240.196.25]) by hub.freebsd.org (Postfix) with ESMTP id 5589D37B719 for ; Thu, 29 Mar 2001 19:57:17 -0800 (PST) (envelope-from chip@wiegand.org) Received: from chip.wiegand.org [208.194.173.26] by pioneernet.net (SMTPD32-6.05) id A59E4C900EC; Thu, 29 Mar 2001 20:03:42 -0800 Date: Thu, 29 Mar 2001 20:01:30 -0800 From: Chip Wiegand To: FreeBSD Questions Subject: IPFW rules problem Message-Id: <20010329200130.1f844009.chip@wiegand.org> X-Mailer: Sylpheed version 0.4.61 (GTK+ 1.2.8; FreeBSD 4.2-RELEASE; i386) Organization: wiegand.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG I have used Greg Lehey's book, the chapter on firewalls, to set up my firewall. I basically copied his firewall rules to my machine, figured that'd be a good place to learn from. Anyway, now that I have done that I get the following error when doing ipfw show - ----------------------------------------------------- Flushed all rules. 00000 divert 8668 ip from any to any via xl1 00000 allow ip from any to any [: missing ] [: missing ] [: missing ] ----------------------------------------------------- I cannot for the life of me find where to put the missing :'s. I have included the rc.firewall file, maybe someone with sharper eyes than mine can tell me where the missing :'s belong - ----------------------------------------------------- /sbin/ipfw -f flush /sbin/ipfw add divert natd all from any to any via xl1 /sbin/ipfw add pass all from any to any # Allow everything in and out, completely wide open if [ "${firewall}" = "open"]; then /sbin/ipfw add 65000 pass all from any to any # A reasonably secure firewall # services to the net elif [ "${firewall}" = "client"]; then net = "192.168.1.0" mask = "255.255.255.0" ip = "192.168.1.10" # Allow any traffic to or from my own network. /sbin/ipfw add pass all from ${ip} to ${net}:${mask} /sbin/ipfw add pass all from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded /sbin/ipfw add pass tcp from any to any established # Allow setup of incoming mail /sbin/ipfw add pass tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only /sbin/ipfw add pass tcp from ${ip} to any setup # Do not allow setup of any other TCP connections /sbin/ipfw add deny tcp from any to any setup # Allow DNS queries out on the net /sbin/ipfw add pass udp from any 53 to ${ip} /sbin/ipfw add pass udp from ${ip} to any 53 # Allow NTP (Network Time Protocol) queries out on the net /sbin/ipfw add pass udp from any 123 to ${ip} /sbin/ipfw add pass udp form ${ip} to any 123 # Everything else is denied by default elif [ "${firewall}" = "simple" ]; then oif = "xl1" onet = "208.194.173.0" omask = "255.255.255.128" oip = "208.194.173.26" iif = "xl0" inet = "192.168.1.0" imask = "255.255.255.0" iip = "192.168.1.10" # Stop spoofing /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif} /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface # RFC1918 networks are the private, unroutable nets /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} # Allow TCP through if it is established /sbin/ipfw add pass tcp from any to any established # Allow setup of incoming email /sbin/ipfw add pass tcp from any to ${oip} 25 setup # Reject and Log all setup of incoming connections from the outside /sbin/ipfw add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection /sbin/ipfw add pass tcp from any to any setup # Allow DNS queries out in the world /sbin/ipfw add pass udp from any 53 to ${oip} /sbin/ipfw add pass udp from ${oip} to any 53 # Allow NTP queries out in the world /sbin/ipfw add pass udp from any 123 to ${oip} /sbin/ipfw add pass udp from ${oip} to any 123 # Everything else is denied by default elif [ "${firewall}" != "none" -a -r "${firewall}"]; then /sbin/ipfw ${firewall} fi --------------------------------------------------------- -- Chip Wiegand Alternative Operating Systems www.wiegand.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message