Date: Fri, 30 Mar 2001 13:58:15 +0930
From: Greg Lehey <grog@lemis.com>
To: Chip Wiegand <chip@wiegand.org>, nomad@netrail.net
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: IPFW rules problem
Message-ID: <20010330135815.M61395@wantadilla.lemis.com>
In-Reply-To: <20010329200130.1f844009.chip@wiegand.org>; from chip@wiegand.org on Thu, Mar 29, 2001 at 08:01:30PM -0800
References: <20010329200130.1f844009.chip@wiegand.org> <MPEGJCJPPBKNCNBGOHGDCEKECPAA.cschreiber@netrail.net> <20010329200130.1f844009.chip@wiegand.org>
On Thursday, 29 March 2001 at 20:01:30 -0800, Chip Wiegand wrote:
> I have used Greg Lehey's book, the chapter on firewalls, to set up my
> firewall. I basically copied his firewall rules to my machine, figured
> that'd be a good place to learn from. Anyway, now that I have done that
> I get the following error when doing ipfw show -
> -----------------------------------------------------
> Flushed all rules.
> 00000 divert 8668 ip from any to any via xl1
> 00000 allow ip from any to any
> [: missing ]
> [: missing ]
> [: missing ]
> -----------------------------------------------------
>
> I cannot for the life of me find where to put the missing :'s.
These aren't missing :'s, they're missing ]s. The name of the program
reporting them is [.
> I have included the rc.firewall file, maybe someone with sharper
> eyes than mine can tell me where the missing :'s belong -
> -----------------------------------------------------
>
> /sbin/ipfw -f flush
"Flushed all rules."
> /sbin/ipfw add divert natd all from any to any via xl1
"00000 divert 8668 ip from any to any via xl1"
> /sbin/ipfw add pass all from any to any
"00000 allow ip from any to any"
Must be coming soon...
> # Allow everything in and out, completely wide open
> if [ "${firewall}" = "open"]; then
> /sbin/ipfw add 65000 pass all from any to any
I don't see any ipfw output here. The missing ] must be above.
The real problem here is that you need a space before the ]. If you
look at the book, you'll see it there. But you don't need to type
this stuff in, it's already there in /etc/rc.firewall (slightly
changed since the book was printed).
On Thursday, 29 March 2001 at 23:05:38 -0500, Christian S. wrote:
>
> I dunno if it helps, but I always use my rules in the
> xxx.xxx.xxx.xxx/yy notation for network/netmask rather than
> xxx.xxx.xxx.xxx:yy.. no idea if it helps/hurts, but that's what I
> use.. Just an idea.. :/
The / convention specifies the number of bits in the mask, not the
mask itself. You can either write 223.147.37.0:255.255.255.0, or
223.147.37.0/24. I prefer the latter, but /etc/rc.firewall uses the :
construct. But as I said, that's not the issue here.
Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply.
For more information, see http://www.lemis.com/questions.html
Finger grog@lemis.com for PGP public key
See complete headers for address and phone numbers
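A small lint for the mistake diagnosed in this message, added here as an example (it is not part of the thread or of FreeBSD's rc.firewall). In sh, `[` is an ordinary command, so `]` has to be its own word; `"open"]` is one word, and test(1) then complains `[: missing ]`. The function names and the sample script fragment are constructed for this example.

```shell
#!/bin/sh
# Constructed fragment modelled on the rc.firewall excerpt quoted above.
# Line 5 carries the bug under discussion: no space before the closing ].
SAMPLE_SCRIPT='/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via xl1
/sbin/ipfw add pass all from any to any
# Allow everything in and out, completely wide open
if [ "${firewall}" = "open"]; then
    /sbin/ipfw add 65000 pass all from any to any
fi
if [ "${firewall}" = "closed" ]; then
    /sbin/ipfw add 65000 deny all from any to any
fi'

# Match a "[ ..." test whose closing ] is glued to the previous word.
# [[] and []] are bracket expressions for a literal [ and ], for ERE portability.
GLUED_RE='(^|[[:space:]])[[][[:space:]].*[^[:space:]][]]([[:space:]]|;|$)'

# Print "LINENO:text" for each offending line of the script text in $1.
# Exit status is grep's: 0 if something was found, 1 if the script is clean.
find_glued_brackets() {
    printf '%s\n' "$1" | grep -nE "$GLUED_RE"
}

# Print only the number of offending lines (0 when clean); always exits 0.
count_glued_brackets() {
    printf '%s\n' "$1" | grep -cE "$GLUED_RE" || :
}

# Stand-alone run: reports the buggy "if" line from the sample above.
find_glued_brackets "$SAMPLE_SCRIPT"
```

The regex only looks at lines that open a `[ ...` test, so glob character classes such as `[abc]` elsewhere on a line can still produce a false positive; treat a hit as something to look at, not as proof.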
