Date: Sat, 11 Mar 2000 12:35:42 -0500
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Sam Carleton <scarleton@miltonstreet.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw is not working
Message-ID: <20000311123542.B23514@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <38C9D32F.E8F2254A@miltonstreet.com>; from scarleton@miltonstreet.com on Sat, Mar 11, 2000 at 12:02:36AM -0500
References: <38C9D32F.E8F2254A@miltonstreet.com>
On Sat, Mar 11, 2000 at 12:02:36AM -0500, Sam Carleton wrote:
> I am working on building a firewall script. First off, I have a
> ipchains script that is working fine in Linux, is there some way to
> easily convert that over to ipfw?

As long as you have not built any custom chains, I think ipchains rules can be converted to ipfw rules in a one-to-one manner (they are both stateless packet filters) for a firewall that does not do NAT. I'm not sure what happens when you start doing NAT (or as Linux calls it, IP masquerading).

> Here is the ipfw script I have so far,
> real simple in my option:
> -----------------------------------------
> ############
> # Setup system for firewall service.
>
> if [ -f /etc/defaults/rc.conf ]; then
>         . /etc/defaults/rc.conf
> elif [ -f /etc/rc.conf ]; then
>         . /etc/rc.conf
> fi
>
> ############
> # Set quiet mode if requested
> if [ "x$firewall_quiet" = "xYES" ]; then
>         fwcmd="/sbin/ipfw -q"
> else
>         fwcmd="/sbin/ipfw"
> fi
>
> EXTERNAL_INTERFACE="ep0"   # whichever you use
> LOOPBACK_INTERFACE="lo0"
> LOCAL_INTERFACE_1="ex0"    # whichever you use

If that makes it more clear to you... but that's a lot of typing. ;)

> IPADDR="10.226.46.56/29"
> LOCALNET_1="192.168.0.0/24"   # whatever private range you use
>
> LOOPBACK="127.0.0.0/8"
>
> ############
> # Flush out the list before we begin.
> $fwcmd -f flush
>
> $fwcmd add 100 pass all from any to any via ${LOOPBACK_INTERFACE}
> $fwcmd add 200 deny all from any to ${LOOPBACK}
>
> $fwcmn add deny all from ${LOCALNET_1} to any in via ${EXTERNAL_INTERFACE}
       ^
> $fwcmn add deny all from ${IPADDR} to any in via ${LOCAL_INTERFACE_1}
       ^
>
> $fwcmd add 65000 pass all from any to any
> -----------------------------------------
> Here is the output:
> -----------------------------------------
> Flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> add: not found
> add: not found
> 65000 allow ip from any to any
> -----------------------------------------
>
> I cannot figure out what is wrong the two deny lines that have the
> output "add: not found". What am I doing wrong?

You misspelled '$fwcmd' as '$fwcmn'. Since the variable does not exist, it returns a null string and the shell tries to execute the line,

  add deny all ...

And like the error message says, there is no 'add' command.

--
Crist J. Clark                           cjclark@home.com
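To make the failure mode in this answer concrete, here is an added example, not from the original thread, that replays the `$fwcmn` typo against a stand-in for ipfw and shows how `set -u` turns a silently skipped deny rule into a hard stop. `fake_ipfw`, `run_rules` and `count_rules` are names constructed for this demo.

```sh
#!/bin/sh
# Added example (not from the original thread): reproduce the '$fwcmn' typo
# and show how 'set -u' makes the script stop instead of silently skipping
# the deny rule. A stand-in function records what ipfw would have been
# asked to do; nothing here touches the real firewall.

# Stand-in for /sbin/ipfw: prints the rule it was given (constructed for this demo).
fake_ipfw() { echo "ipfw $*"; }

# Run the rule script in a subshell. $1 is "lax" (plain sh behaviour, as in
# the original post) or "strict" (set -u: expanding an unset variable aborts).
# Exit status is that of the script; recorded rules appear on stdout.
run_rules() {
    (
        set +e                          # keep going after failed commands, like the original
        [ "$1" = strict ] && set -u     # strict mode: an unset variable is fatal
        fwcmd="fake_ipfw"
        EXTERNAL_INTERFACE="ep0"
        LOCALNET_1="192.168.0.0/24"

        $fwcmd add 100 pass all from any to any via lo0
        # Typo from the post: $fwcmn is unset, so in lax mode this becomes
        # 'add deny all ...' -> "add: not found", and the deny is never installed.
        $fwcmn add deny all from ${LOCALNET_1} to any in via ${EXTERNAL_INTERFACE}
        $fwcmd add 65000 pass all from any to any
    )
}

# Number of rules that actually reached (the stand-in) ipfw.
count_rules() {
    run_rules "$1" 2>/dev/null | grep -c '^ipfw '
}

# Lax mode records two rules and the deny is silently lost (the firewall fails open);
# strict mode stops at the typo, so only the first rule is recorded and the script exits nonzero.
echo "lax:    $(count_rules lax) rule(s) reached ipfw"
echo "strict: $(count_rules strict) rule(s) reached ipfw before the script aborted"
```

The same protection can be applied per variable with `${fwcmd:?}`, which aborts with a message if `fwcmd` is unset or empty.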