From owner-freebsd-questions Thu Mar 29 20:28:23 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from wantadilla.lemis.com (wantadilla.lemis.com [192.109.197.80]) by hub.freebsd.org (Postfix) with ESMTP id 03E7437B71F for ; Thu, 29 Mar 2001 20:28:17 -0800 (PST) (envelope-from grog@lemis.com)
Received: by wantadilla.lemis.com (Postfix, from userid 1004) id 810ED6A918; Fri, 30 Mar 2001 13:58:15 +0930 (CST)
Date: Fri, 30 Mar 2001 13:58:15 +0930
From: Greg Lehey
To: Chip Wiegand , nomad@netrail.net
Cc: FreeBSD Questions
Subject: Re: IPFW rules problem
Message-ID: <20010330135815.M61395@wantadilla.lemis.com>
References: <20010329200130.1f844009.chip@wiegand.org> <20010329200130.1f844009.chip@wiegand.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010329200130.1f844009.chip@wiegand.org>; from chip@wiegand.org on Thu, Mar 29, 2001 at 08:01:30PM -0800
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-418-838-708
WWW-Home-Page: http://www.lemis.com/~grog
X-PGP-Fingerprint: 6B 7B C3 8C 61 CD 54 AF 13 24 52 F8 6D A4 95 EF
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thursday, 29 March 2001 at 20:01:30 -0800, Chip Wiegand wrote:
> I have used Greg Lehey's book, the chapter on firewalls, to set up my
> firewall. I basically copied his firewall rules to my machine, figured
> that'd be a good place to learn from. Anyway, now that I have done that
> I get the following error when doing ipfw show -
> -----------------------------------------------------
> Flushed all rules.
> 00000 divert 8668 ip from any to any via xl1
> 00000 allow ip from any to any
> [: missing ]
> [: missing ]
> [: missing ]
> -----------------------------------------------------
>
> I cannot for the life of me find where to put the missing :'s.

These aren't missing :'s, they're missing ]s. The name of the program
reporting them is [.

> I have included the rc.firewall file, maybe someone with sharper
> eyes than mine can tell me where the missing :'s belong -
> -----------------------------------------------------
>
> /sbin/ipfw -f flush

"Flushed all rules."

> /sbin/ipfw add divert natd all from any to any via xl1

"00000 divert 8668 ip from any to any via xl1"

> /sbin/ipfw add pass all from any to any

"00000 allow ip from any to any"

Must be coming soon...

> # Allow everything in and out, completely wide open
> if [ "${firewall}" = "open"]; then
> /sbin/ipfw add 65000 pass all from any to any

I don't see any ipfw output here. The missing ] must be above. The
real problem here is that you need a space before the ]. If you look
at the book, you'll see it there. But you don't need to type this
stuff in, it's already there in /etc/rc.firewall (slightly changed
since the book was printed).

On Thursday, 29 March 2001 at 23:05:38 -0500, Christian S. wrote:
>
> I dunno if it helps, but I always use my rules in the
> xxx.xxx.xxx.xxx/yy notation for network/netmask rather than
> xxx.xxx.xxx.xxx:yy.. no idea if it helps/hurts, but that's what I
> use.. Just an idea.. :/

The / convention specifies the number of bits in the mask, not the
mask itself. You can either write 223.147.37.0:255.255.255.0, or
223.147.37.0/24. I prefer the latter, but /etc/rc.firewall uses the :
construct. But as I said, that's not the issue here.

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply.
For more information, see http://www.lemis.com/questions.html
Finger grog@lemis.com for PGP public key
See complete headers for address and phone numbers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
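An added example, not part of the thread above nor of FreeBSD's /etc/rc.firewall: it reproduces the "[: missing ]" error from the unspaced `"open"]`, shows the corrected test, and converts between the two netmask notations Greg contrasts (`addr/bits` and the `addr:mask` form rc.firewall uses). The function names are my own.

```sh
#!/bin/sh
# Added example, not from the original thread or /etc/rc.firewall.
# Part 1: the "[: missing ]" error. [ needs ] as a separate final argument;
# "open"] is a single word, so [ never sees its closing bracket.

# Runs the broken line from the quoted rc.firewall in a subshell so the
# error does not abort this script; [ reports a usage error with status 2.
broken_test() {
    sh -c '[ "$1" = "open"]' sh "$1" 2>/dev/null
}

# The corrected line: a space before ], as in the book and the shipped file.
fixed_test() {
    [ "$1" = "open" ]
}

# Part 2: ipfw accepts addr/bits (prefix length) and addr:mask (dotted mask).
# prefix_to_mask converts a prefix length 0..32 to a dotted mask.
prefix_to_mask() {
    bits="$1"
    case "$bits" in
        ''|*[!0-9]*) echo "prefix_to_mask: bad prefix length: $bits" >&2; return 1 ;;
    esac
    [ "$bits" -le 32 ] || { echo "prefix_to_mask: prefix > 32: $bits" >&2; return 1; }
    mask=""
    for _octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            part=255; bits=$((bits - 8))
        else
            # Top $bits bits of this octet set; for bits=0 this yields 0.
            part=$(( (255 << (8 - bits)) & 255 )); bits=0
        fi
        mask="${mask}${mask:+.}${part}"
    done
    echo "$mask"
}

# cidr_to_ipfw_mask rewrites 223.147.37.0/24 as 223.147.37.0:255.255.255.0.
cidr_to_ipfw_mask() {
    case "$1" in
        */*) ;;
        *) echo "cidr_to_ipfw_mask: expected addr/bits, got: $1" >&2; return 1 ;;
    esac
    echo "${1%/*}:$(prefix_to_mask "${1#*/}")"
}

broken_test open || echo "broken test exit status: $?"
fixed_test open && echo "fixed test: firewall=open matched"
cidr_to_ipfw_mask 223.147.37.0/24
```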