From owner-freebsd-questions Thu Mar 29 22:38:01 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from pioneernet.net (mail.pioneernet.net [208.240.196.25]) by hub.freebsd.org (Postfix) with ESMTP id 8B2CD37B719 for ; Thu, 29 Mar 2001 22:37:56 -0800 (PST) (envelope-from chip@wiegand.org)
Received: from chip.wiegand.org [208.194.173.26] by pioneernet.net (SMTPD32-6.05) id AB3E4CA0092; Thu, 29 Mar 2001 22:44:14 -0800
Date: Thu, 29 Mar 2001 22:42:05 -0800
From: Chip Wiegand
To: Greg Lehey
Cc: nomad@netrail.net, freebsd-questions@freebsd.org, ahl@austclear.com.au,
Subject: Re: IPFW rules problem
Message-Id: <20010329224205.7991d041.chip@wiegand.org>
In-Reply-To: <20010330135815.M61395@wantadilla.lemis.com>
References: <20010329200130.1f844009.chip@wiegand.org> <20010330135815.M61395@wantadilla.lemis.com>
X-Mailer: Sylpheed version 0.4.61 (GTK+ 1.2.8; FreeBSD 4.2-RELEASE; i386)
Organization: wiegand.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thank you, I inserted the missing spaces and it works fine now.

One more related question - I run nmap -sS against my firewall and it shows all ports are closed except 111-sunrpc. Why is that? Shouldn't it be closed by the default deny rule?

How much faith do you all have in the port scan done online from www.grc.com? I used that also, and it shows a very different story, including port 80 open, others closed and others stealth. I just want all ports closed to incoming requests, except of course the natd takes care of its job, which it does quite well.

--
Chip

On Fri, 30 Mar 2001 13:58:15 +0930
Greg Lehey surely must have written something like:

> On Thursday, 29 March 2001 at 20:01:30 -0800, Chip Wiegand wrote:
> > I have used Greg Lehey's book, the chapter on firewalls, to set up my
> > firewall. I basically copied his firewall rules to my machine, figured
> > that'd be a good place to learn from. Anyway, now that I have done that
> > I get the following error when doing ipfw show -
> > -----------------------------------------------------
> > Flushed all rules.
> > 00000 divert 8668 ip from any to any via xl1
> > 00000 allow ip from any to any
> > [: missing ]
> > [: missing ]
> > [: missing ]
> > -----------------------------------------------------
> >
> > I cannot for the life of me find where to put the missing :'s.
>
> These aren't missing :'s, they're missing ]s. The name of the program
> reporting them is [.
>
> > I have included the rc.firewall file, maybe someone with sharper
> > eyes than mine can tell me where the missing :'s belong -
> > -----------------------------------------------------
> >
> > /sbin/ipfw -f flush
>
> "Flushed all rules."
>
> > /sbin/ipfw add divert natd all from any to any via xl1
>
> "00000 divert 8668 ip from any to any via xl1"
>
> > /sbin/ipfw add pass all from any to any
>
> "00000 allow ip from any to any"
>
> Must be coming soon...
>
> > # Allow everything in and out, completely wide open
> > if [ "${firewall}" = "open"]; then
> > /sbin/ipfw add 65000 pass all from any to any
>
> I don't see any ipfw output here. The missing ] must be above.
>
> The real problem here is that you need a space before the ]. If you
> look at the book, you'll see it there. But you don't need to type
> this stuff in, it's already there in /etc/rc.firewall (slightly
> changed since the book was printed).
>
> On Thursday, 29 March 2001 at 23:05:38 -0500, Christian S. wrote:
> >
> > I dunno if it helps, but I always use my rules in the
> > xxx.xxx.xxx.xxx/yy notation for network/netmask rather than
> > xxx.xxx.xxx.xxx:yy.. no idea if it helps/hurts, but that's what I
> > use.. Just an idea.. :/
>
> The / convention specifies the number of bits in the mask, not the
> mask itself. You can either write 223.147.37.0:255.255.255.0, or
> 223.147.37.0/24. I prefer the latter, but /etc/rc.firewall uses the :
> construct. But as I said, that's not the issue here.
>
> Greg

--
-- Chip Wiegand
Alternative Operating Systems
www.wiegand.org
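The following sh script is an added illustration of the two points Greg's reply makes; it is not part of this thread, of /etc/rc.firewall, or of Greg Lehey's book. It shows the `[ ... ]` test written with the space that was missing in the quoted rc.firewall fragment, and a small function that turns a dotted-quad netmask (the `223.147.37.0:255.255.255.0` form) into the prefix length of the `223.147.37.0/24` form, which as the reply says name the same network. Assumptions not taken from the thread: the variable `IPFW` defaults to `echo ipfw`, so the script is a dry run that prints the rules rather than loading them (set `IPFW=/sbin/ipfw` on a FreeBSD box to apply them); the interface `xl1` and the network `223.147.37.0` with mask `255.255.255.0` are taken from the messages above; the rule numbers and the `established` and `deny log` rules are my choices, not the book's.

```shell
#!/bin/sh
# Added example, not code from this thread, from /etc/rc.firewall or from
# Greg Lehey's book. It shows the two points made in the reply above: the
# test command "[" needs whitespace before "]", and the a.b.c.d:mask and
# a.b.c.d/bits forms of a network are interchangeable.
# Assumptions (not from the thread): IPFW defaults to "echo ipfw", so the
# script is a dry run that prints the rules instead of loading them; set
# IPFW=/sbin/ipfw on a FreeBSD box to apply them. xl1 and 223.147.37.0
# with mask 255.255.255.0 are taken from the thread; rule numbers are mine.

IPFW="${IPFW:-echo ipfw}"
firewall="${firewall:-client}"    # "open" = wide open, anything else = default deny
oif="${oif:-xl1}"                 # outside interface that natd diverts on
inet="${inet:-223.147.37.0}"      # inside network
imask="${imask:-255.255.255.0}"   # inside netmask, dotted-quad form

# Print the prefix length for a dotted-quad netmask: 255.255.255.0 -> 24.
# Non-contiguous masks such as 255.0.255.0 are rejected with status 1.
mask_to_prefix() {
    _bits=0
    _partial=0
    _old_ifs="$IFS"
    IFS=.
    set -- $1
    IFS="$_old_ifs"
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in
            255) _n=8 ;; 254) _n=7 ;; 252) _n=6 ;; 248) _n=5 ;;
            240) _n=4 ;; 224) _n=3 ;; 192) _n=2 ;; 128) _n=1 ;;
            0)   _n=0 ;;
            *)   return 1 ;;
        esac
        # after the first octet that is not 255, only zero octets may follow
        if [ "$_partial" -eq 1 ] && [ "$_n" -ne 0 ]; then
            return 1
        fi
        [ "$_n" -eq 8 ] || _partial=1
        _bits=$((_bits + _n))
    done
    echo "$_bits"
}

# Emit (or load) the rule set. Rule numbers are explicit so the order is
# visible in "ipfw show" instead of the 00000 seen in the original output.
load_rules() {
    $IPFW -f flush
    # Everything crossing the outside interface goes through natd first.
    $IPFW add 100 divert natd all from any to any via "$oif"
    $IPFW add 200 pass all from any to any via lo0
    # Note the space before "]": "[" is an ordinary command, and "]" has to
    # be a separate word or it reports "[: missing ]".
    if [ "${firewall}" = "open" ]; then
        $IPFW add 65000 pass all from any to any
        return 0
    fi
    _prefix=$(mask_to_prefix "$imask") || { echo "bad netmask: $imask" >&2; return 1; }
    # "${inet}:${imask}" and "${inet}/${_prefix}" name the same network.
    $IPFW add 300 pass all from "${inet}/${_prefix}" to any
    # Let replies to connections started from inside back in.
    $IPFW add 400 pass tcp from any to any established
    # Default deny: nothing else gets in or out, and it is logged.
    $IPFW add 65000 deny log all from any to any
}

load_rules
```

Run it as-is to see the rule list it would load; `firewall=open sh script.sh` prints the wide-open variant. If the bracket spacing in `load_rules` is removed, the shell reports the same `[: missing ]` seen in the original post and the rules after the `if` are never reached.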