From owner-freebsd-questions Thu Jan 25 10:51:47 2001
Date: Thu, 25 Jan 2001 21:50:43 +0300
From: Odhiambo Washington
To: freebsd-questions@freebsd.org
Cc: wizard@sybaweb.co.za
Subject: Re: IPFW blocking users
Message-ID: <20010125215043.A70366@poeza.iconnect.co.ke>
References: <010901c086f8$ba60eea0$0200a8c0@ait.co.za>
In-Reply-To: <010901c086f8$ba60eea0$0200a8c0@ait.co.za>; from "Peter Salvage" on Thu, Jan 25, 2001 at 08:00:40PM +0200
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD poeza.iconnect.co.ke 4.2-STABLE FreeBSD 4.2-STABLE
X-Location: Mombasa, KE, East Africa

* Peter Salvage [20010125 21:01]: writing on the subject 'IPFW blocking users'
Peter> Hi all
Peter>
Peter> If this is an inappropriate forum, please point me (gently) in the correct
Peter> direction.
Peter>
Peter>
Peter> Setup:
Peter> 2 x /24 networks, both variably subnetted
Peter> PortMaster PM2E30 for dialup
Peter> FreeBSD running IPFW rules
Peter>
Peter> Problem:
Peter> None of our dialup users can get past our home page. They can log onto our
Peter> authentication server and receive/send mail fine though.
The gurus will want to see your ipfw rules, but I can guess that you are not
allowing them any access outside your network, right?

I'm just in the process of reading about this very interesting tool called
IPFW. My advice to you would be a novice one, but I see in the man page of
ipfw:

    A first and efficient way to limit access (not using dynamic rules) is
    the use of the following rules:

        ipfw add allow tcp from any to any established
        ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup
        ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup
        ...
        ipfw add deny tcp from any to any

    The first rule will be a quick match for normal TCP packets, but it will
    not match the initial SYN packet, which will be matched by the setup
    rules only for selected source/destination pairs. All other SYN packets
    will be rejected by the final deny rule.

###

Some of your rules might be conflicting: show the rules to the gurus....

-Wash

-- 
Odhiambo Washington                  Inter-Connect Ltd.,
wash@iconnect.co.ke                  5th Flr Furaha Plaza
Tel: 254 11 222604                   Nkrumah Rd.,
Fax: 254 11 222636                   PO Box 83613
                                     MOMBASA, KE.

If all else fails, immortality can always be assured by spectacular error.
    -John Kenneth Galbraith (contributed by Chris Johnston)
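Added example, not part of Wash's reply or of the ipfw man page: a small Python model of ipfw's first-match evaluation for the established / setup / deny idiom quoted above. All addresses, ports and rule sets are constructed for the illustration; it shows why a setup rule that only covers the home page leaves dialup users unable to open any other connection, and what widening that rule changes.

```python
import ipaddress

# Added illustration, not ipfw itself: a minimal model of first-match rule
# evaluation for the established / setup / deny idiom. Every address and
# port below is constructed for the example.
DIALUP_NET = ipaddress.ip_network("192.0.2.0/24")     # assumed dialup pool
HOMEPAGE = ipaddress.ip_network("198.51.100.10/32")   # assumed web server

def tcp(src, sport, dst, dport, syn=False, ack=False, rst=False):
    return dict(src=src, sport=sport, dst=dst, dport=dport,
                syn=syn, ack=ack, rst=rst)

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in net

def matches(rule, pkt):
    """rule = (action, src_net, dst_net, dst_ports, flag)."""
    action, src, dst, dports, flag = rule
    if not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
        return False
    if dports != "any" and pkt["dport"] not in dports:
        return False
    if flag == "established":          # ipfw: ACK or RST bit set
        return pkt["ack"] or pkt["rst"]
    if flag == "setup":                # ipfw: SYN set, ACK clear
        return pkt["syn"] and not pkt["ack"]
    return True

def verdict(rules, pkt):
    """First matching rule decides; fall through to deny, as ipfw does."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

# Only SYNs to the home page are permitted: the symptom described in the thread.
NARROW = [
    ("allow", "any", "any", "any", "established"),
    ("allow", DIALUP_NET, HOMEPAGE, {80}, "setup"),
    ("deny", "any", "any", "any", None),
]
# Setup rule widened to any destination: dialup users can open connections out.
WIDE = [NARROW[0], ("allow", DIALUP_NET, "any", "any", "setup"), NARROW[2]]

def dialup_can_reach(rules, dst, dport=80):
    """Can a dialup host open a new TCP connection to dst:dport under rules?"""
    syn = tcp("192.0.2.7", 40000, dst, dport, syn=True)
    return verdict(rules, syn) == "allow"
```

The established rule still passes reply traffic in either rule set; it is the missing setup rule for destinations other than the home page that drops every other outbound SYN.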