From owner-freebsd-questions Sat Mar 11 9:30:13 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id CA25637BCA9 for ; Sat, 11 Mar 2000 09:30:09 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id MAA23622; Sat, 11 Mar 2000 12:35:42 -0500 (EST) (envelope-from cjc)
Date: Sat, 11 Mar 2000 12:35:42 -0500
From: "Crist J. Clark"
To: Sam Carleton
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw is not working
Message-ID: <20000311123542.B23514@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <38C9D32F.E8F2254A@miltonstreet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <38C9D32F.E8F2254A@miltonstreet.com>; from scarleton@miltonstreet.com on Sat, Mar 11, 2000 at 12:02:36AM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Mar 11, 2000 at 12:02:36AM -0500, Sam Carleton wrote:
> I am working on building a firewall script. First off, I have an
> ipchains script that is working fine in Linux, is there some way to
> easily convert that over to ipfw?

As long as you have not built any custom chains, I think ipchains rules
can be converted to ipfw rules in a one-to-one manner (they are both
stateless packet filters) for a firewall that does not do NAT. I'm not
sure what happens when you start doing NAT (or as Linux calls it, IP
masquerading).

> Here is the ipfw script I have so far,
> real simple in my opinion:
> -----------------------------------------
> ############
> # Setup system for firewall service.
>
> if [ -f /etc/defaults/rc.conf ]; then
>         . /etc/defaults/rc.conf
> elif [ -f /etc/rc.conf ]; then
>         . /etc/rc.conf
> fi
>
> ############
> # Set quiet mode if requested
> if [ "x$firewall_quiet" = "xYES" ]; then
>         fwcmd="/sbin/ipfw -q"
> else
>         fwcmd="/sbin/ipfw"
> fi
>
> EXTERNAL_INTERFACE="ep0"        # whichever you use
> LOOPBACK_INTERFACE="lo0"
> LOCAL_INTERFACE_1="ex0"         # whichever you use

If that makes it more clear to you... but that's a lot of typing. ;)

> IPADDR="10.226.46.56/29"
> LOCALNET_1="192.168.0.0/24"     # whatever private range you use
>
> LOOPBACK="127.0.0.0/8"
>
> ############
> # Flush out the list before we begin.
> $fwcmd -f flush
>
> $fwcmd add 100 pass all from any to any via ${LOOPBACK_INTERFACE}
> $fwcmd add 200 deny all from any to ${LOOPBACK}
>
> $fwcmn add deny all from ${LOCALNET_1} to any in via ${EXTERNAL_INTERFACE}
      ^
> $fwcmn add deny all from ${IPADDR} to any in via ${LOCAL_INTERFACE_1}
      ^
>
> $fwcmd add 65000 pass all from any to any
> -----------------------------------------
> Here is the output:
> -----------------------------------------
> Flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> add: not found
> add: not found
> 65000 allow ip from any to any
> -----------------------------------------
>
> I cannot figure out what is wrong with the two deny lines that have the
> output "add: not found". What am I doing wrong?

You misspelled '$fwcmd' as '$fwcmn'. Since the variable does not exist,
it returns a null string and the shell tries to execute the line,

  add deny all ...

And like the error message says, there is no 'add' command.
--
Crist J. Clark                           cjclark@home.com
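The failure mode in this thread (an undefined variable expanding to an empty string, so the shell runs `add ...`, fails, and carries on with two deny rules missing while the catch-all pass rule still gets installed) is worth guarding against in any firewall script. The following is an added example, not code from the original thread or from FreeBSD's rc.firewall: it stands in a constructed shell function named `ipfw` for /sbin/ipfw so it runs anywhere, and shows the posted pattern beside a version run under `set -u`, where the same typo aborts the load instead of silently dropping rules.

```shell
#!/bin/sh
# Stub for /sbin/ipfw so this runs anywhere (constructed for the example):
# it counts each rule instead of installing it.
RULE_COUNT=0
ipfw() { RULE_COUNT=$((RULE_COUNT + 1)); }

# As posted: $fwcmn is undefined, so the line becomes "add deny ...",
# the shell reports that there is no 'add' command, and the script
# carries on with one rule fewer than intended. Nothing flags the gap.
load_rules_lenient() {
    RULE_COUNT=0
    fwcmd="ipfw"
    EXTERNAL_INTERFACE="ep0"
    LOCALNET_1="192.168.0.0/24"
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmn add deny all from ${LOCALNET_1} to any in via ${EXTERNAL_INTERFACE} || true
    $fwcmd add 65000 pass all from any to any
}

# Hardened: `set -u` makes a reference to an unset name fatal, so the
# same typo aborts the load before the catch-all rule 65000 is added.
# A subshell keeps the abort and the -u setting from leaking out.
load_rules_strict() {
    (
        set -u
        fwcmd="ipfw"
        EXTERNAL_INTERFACE="ep0"
        LOCALNET_1="192.168.0.0/24"
        $fwcmd add 100 pass all from any to any via lo0
        $fwcmn add deny all from ${LOCALNET_1} to any in via ${EXTERNAL_INTERFACE}
        $fwcmd add 65000 pass all from any to any
    )
}

# Independent check after loading: does the installed rule count match
# what the script intended? (On FreeBSD, derive the count from `ipfw list`.)
rules_complete() {
    [ "$RULE_COUNT" -eq "$1" ]
}
```

On a real host the equivalent of `load_rules_strict` is simply running the rule script with `sh -u`, and the equivalent of `rules_complete` is comparing `ipfw list` against the rule numbers the script was supposed to install.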