Date:      Thu, 29 Mar 2001 22:42:05 -0800
From:      Chip Wiegand <chip@wiegand.org>
To:        Greg Lehey <grog@lemis.com>
Cc:        nomad@netrail.net, freebsd-questions@freebsd.org, ahl@austclear.com.au, 
Subject:   Re: IPFW rules problem
Message-ID:  <20010329224205.7991d041.chip@wiegand.org>
In-Reply-To: <20010330135815.M61395@wantadilla.lemis.com>
References:  <20010329200130.1f844009.chip@wiegand.org> <MPEGJCJPPBKNCNBGOHGDCEKECPAA.cschreiber@netrail.net> <20010329200130.1f844009.chip@wiegand.org> <20010330135815.M61395@wantadilla.lemis.com>

Thank you, I inserted the missing spaces and it works fine now. One more
related question - I run nmap -sS against my firewall and it shows all
ports are closed except 111-sunrpc. Why is that? Shouldn't it be closed
by the default deny rule?
How much faith do you all have in the port scan done online from
www.grc.com? I used that also, and it shows a very different story.
Including port 80 open, others closed and others stealth. I just want
all ports closed to incoming requests, except of course the natd takes
care of its job, which it does quite well.
--
Chip


On Fri, 30 Mar 2001 13:58:15 +0930
Greg Lehey <grog@lemis.com> surely must have written something like:

> On Thursday, 29 March 2001 at 20:01:30 -0800, Chip Wiegand wrote:
> > I have used Greg Lehey's book, the chapter on firewalls, to set up my
> > firewall. I basically copied his firewall rules to my machine, figured
> > that'd be a good place to learn from. Anyway, now that I have done that
> > I get the following error when doing ipfw show -
> > -----------------------------------------------------
> > Flushed all rules.
> > 00000 divert 8668 ip from any to any via xl1
> > 00000 allow ip from any to any
> > [: missing ]
> > [: missing ]
> > [: missing ]
> > -----------------------------------------------------
> >
> > I cannot for the life of me find where to put the missing :'s.
> 
> These aren't missing :'s, they're missing ]s.  The name of the program
> reporting them is [.
> 
> > I have included the rc.firewall file, maybe someone with sharper
> > eyes than mine can tell me where the missing :'s belong -
> > -----------------------------------------------------
> >
> > /sbin/ipfw -f flush
> 
> "Flushed all rules."
> 
> > /sbin/ipfw add divert natd all from any to any via xl1
> 
> "00000 divert 8668 ip from any to any via xl1"
> 
> > /sbin/ipfw add pass all from any to any
> 
> "00000 allow ip from any to any"
> 
> Must be coming soon...
> 
> > # Allow everything in and out, completely wide open
> > if [ "${firewall}" = "open"]; then
> > 	/sbin/ipfw add 65000 pass all from any to any
> 
> I don't see any ipfw output here.  The missing ] must be above.
> 
> The real problem here is that you need a space before the ].  If you
> look at the book, you'll see it there.  But you don't need to type
> this stuff in, it's already there in /etc/rc.firewall (slightly
> changed since the book was printed).
> 
> On Thursday, 29 March 2001 at 23:05:38 -0500, Christian S. wrote:
> >
> > I dunno if it helps, but I always use my rules in the
> > xxx.xxx.xxx.xxx/yy notation for network/netmask rather than
> > xxx.xxx.xxx.xxx:yy.. no idea if it helps/hurts, but that's what I
> > use.. Just an idea.. :/
> 
> The / convention specifies the number of bits in the mask, not the
> mask itself.  You can either write 223.147.37.0:255.255.255.0, or
> 223.147.37.0/24.  I prefer the latter, but /etc/rc.firewall uses the :
> construct.  But as I said, that's not the issue here.
> 
> Greg
> --


-- 
Chip Wiegand
Alternative Operating Systems
www.wiegand.org
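The two points in Greg's reply, the `[: missing ]` error caused by the missing space before `]` and the difference between the `/bits` and `:mask` network notations, as an added shell example. This is not code from the thread or from FreeBSD's /etc/rc.firewall; the function names (firewall_is_open, broken_test_message, prefix_to_mask, mask_to_prefix, to_cidr) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's /etc/rc.firewall.
# The function names below are this example's own.

# The corrected test from the thread: a space before the closing ] so that
# the [ utility receives "]" as its own argument.
firewall_is_open() {
    firewall="$1"
    if [ "${firewall}" = "open" ]; then
        return 0
    fi
    return 1
}

# The broken form, kept as it was typed: "open"] is one word, so [ never
# sees its closing bracket. It runs in a subshell so the usage error does
# not abort the caller; only the diagnostic from stderr is returned.
broken_test_message() {
    mode="$1"
    ( [ "${mode}" = "open"] ) 2>&1 >/dev/null || true
}

# /24 -> 255.255.255.0: the / form counts mask bits, the : form spells the mask.
prefix_to_mask() {
    bits="$1"
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255
            bits=$((bits - 8))
        else
            octet=$(( (255 << (8 - bits)) & 255 ))
            bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# 255.255.255.0 -> 24: count the set bits in each octet.
mask_to_prefix() {
    bits=0
    oldifs="$IFS"
    IFS=.
    set -- $1
    IFS="$oldifs"
    for octet in "$@"; do
        n="$octet"
        while [ "$n" -gt 0 ]; do
            bits=$((bits + (n & 1)))
            n=$((n >> 1))
        done
    done
    printf '%s\n' "$bits"
}

# "addr:mask" (the rc.firewall style) -> "addr/bits". A non-contiguous mask
# cannot be written in / notation at all, so it is rejected.
to_cidr() {
    addr="${1%%:*}"
    mask="${1#*:}"
    bits=$(mask_to_prefix "$mask")
    [ "$(prefix_to_mask "$bits")" = "$mask" ] || return 1
    printf '%s/%s\n' "$addr" "$bits"
}

# Demonstration when run directly.
echo "firewall=open -> $(firewall_is_open open && echo open || echo 'not open')"
echo "broken test says: $(broken_test_message open)"
echo "/24 -> $(prefix_to_mask 24)"
echo "223.147.37.0:255.255.255.0 -> $(to_cidr 223.147.37.0:255.255.255.0)"
```

The wording of the diagnostic differs between shells (FreeBSD's sh prints `[: missing ]`, bash adds its own quoting), which is why a check on it should only look for the word "missing".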


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message