From owner-freebsd-questions Thu Jan 25 12:20:33 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from exodus.ait.co.za (exodus.ait.co.za [66.8.26.2]) by hub.freebsd.org (Postfix) with SMTP id 32C4137B698 for ; Thu, 25 Jan 2001 12:19:47 -0800 (PST)
Received: from pm3ctn [66.8.26.4] by exodus.ait.co.za (SMTPD32-4.06) id A6FDEE0140; Thu, 25 Jan 2001 22:19:41 +0200
Message-ID: <01a501c0870c$2d6c3f40$0200a8c0@ait.co.za>
Reply-To: "Peter Salvage"
From: "Peter Salvage"
To:
Cc:
References: <010901c086f8$ba60eea0$0200a8c0@ait.co.za> <20010125215043.A70366@poeza.iconnect.co.ke>
Subject: Re: IPFW blocking users
Date: Thu, 25 Jan 2001 22:19:53 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi all

I'm a little hesitant about posting my ipfw rules here, but I'm getting rather desperate. Our FreeBSD guru has left on holiday for Switzerland today (of all days) and I've been lumped with this issue. Needless to say, fending off dialup users is _not_ my idea of fun :-(

Would some kind soul be prepared to assist?

Basically I have our Cisco router's eth0 hardwired to the rl1 interface on our FreeBSD box, with the rl0 interface connected to our switch. I'm really worried that a dynamic route was typed in at the command line, which is why it was lost when the box was rebooted.

I'm more than happy to share the contents of the ipfw.conf and (if it would help) the rc.conf files off-list.

Any assistance would be greatly appreciated.
TIA
/wiZZ

----- Original Message -----
From: "Odhiambo Washington"
To:
Cc:
Sent: 25 January 2001 20:50
Subject: Re: IPFW blocking users

> * Peter Salvage [20010125 21:01]: writing on the subject 'IPFW blocking users'
> Peter> Hi all
> Peter>
> Peter> If this is an inappropriate forum, please point me (gently) in the correct
> Peter> direction.
> Peter>
> Peter>
> Peter> Setup:
> Peter> 2 x /24 networks, both variably subnetted
> Peter> PortMaster PM2E30 for dialup
> Peter> FreeBSD running IPFW rules
> Peter>
> Peter> Problem:
> Peter> None of our dialup users can get past our home page. They can log onto our
> Peter> authentication server and receive/send mail fine though.
>
> The gurus will want to see your ipfw rules, but I can guess that you are
> not allowing them any access outside your network, right?
>
> I'm just in the process of reading about this very interesting tool called
> IPFW. My advice to you would be a novice one, but I see in the man page of
> ipfw:
>
> A first and efficient way to limit access (not using dynamic rules) is
> the use of the following rules:
>
>     ipfw add allow tcp from any to any established
>     ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup
>     ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup
>     ...
>     ipfw add deny tcp from any to any
>
> The first rule will be a quick match for normal TCP packets, but it will
> not match the initial SYN packet, which will be matched by the setup
> rules only for selected source/destination pairs. All other SYN packets
> will be rejected by the final deny rule.
> ###
>
> Some of your rules might be conflicting: show the rules to the gurus....
>
> -Wash
>
> --
> Odhiambo Washington          Inter-Connect Ltd.,
> wash@iconnect.co.ke          5th Flr Furaha Plaza
> Tel: 254 11 222604           Nkrumah Rd.,
> Fax: 254 11 222636           PO Box 83613 MOMBASA, KE.
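The established/setup/deny pattern quoted from the ipfw man page is evaluated first-match, so a source network that appears in no `setup` rule can answer existing connections but never open a new one past the final deny. The following is an added example, not code from this thread, from ipfw or from the FreeBSD project: a small Python simulator of that first-match logic for TCP rules, with a constructed rule set in the shape the man page recommends. The addresses are documentation ranges chosen for the example (192.0.2.0/24 standing for the dialup pool, 198.51.100.10 for the home page, 198.51.100.20 for mail, 203.0.113.7 for an outside site); the simulator models only nets, optional port lists and the `established`/`setup` flags, not the rest of ipfw's syntax. It shows the symptom Wash guesses at: a dialup client reaches the home page and mail, but its first SYN to anything outside falls through to the deny rule, and one extra `setup` rule for the pool changes that.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR network or "any"
    sports: frozenset | None    # allowed source ports, None = any port
    dst: str
    dports: frozenset | None
    flag: str | None            # "established", "setup" or None


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset            # subset of {"SYN", "ACK", "RST"}


def _ports(tok):
    return frozenset(int(p) for p in tok.split(","))


def parse_rule(text):
    """Parse one 'allow|deny tcp from A [ports] to B [ports] [flag]' line (ipfw rule body)."""
    tok = text.split()
    if tok[1] != "tcp" or tok[2] != "from":
        raise ValueError("only 'tcp from ... to ...' rules are modelled: " + text)
    action, i = tok[0], 3
    src, i = tok[i], i + 1
    sports = None
    if tok[i] != "to":
        sports, i = _ports(tok[i]), i + 1
    if tok[i] != "to":
        raise ValueError("expected 'to' in: " + text)
    i += 1
    dst, i = tok[i], i + 1
    dports = None
    if i < len(tok) and tok[i] not in ("established", "setup"):
        dports, i = _ports(tok[i]), i + 1
    flag = tok[i] if i < len(tok) else None
    return Rule(action, src, sports, dst, dports, flag)


def in_net(addr, net):
    return net == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule, pkt):
    if not (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)):
        return False
    if rule.sports is not None and pkt.sport not in rule.sports:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    if rule.flag == "established":          # ipfw: ACK or RST bit set
        return bool(pkt.flags & {"ACK", "RST"})
    if rule.flag == "setup":                # ipfw: SYN set and ACK clear
        return "SYN" in pkt.flags and "ACK" not in pkt.flags
    return True


def evaluate(rules, pkt):
    """Return (rule number, action) of the first matching rule; 65535 is the implicit default deny."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return number, rule.action
    return 65535, "deny"


# Constructed rule set: the man page's pattern with the dialup pool allowed
# to open connections only to the home page and the mail server.
RULES = [parse_rule(r) for r in (
    "allow tcp from any to any established",
    "allow tcp from 192.0.2.0/24 to 198.51.100.10 80 setup",
    "allow tcp from 192.0.2.0/24 to 198.51.100.20 25,110 setup",
    "deny tcp from any to any",
)]

# Same set with one more setup rule, placed before the deny, for the pool.
RULES_FIXED = RULES[:3] + [parse_rule("allow tcp from 192.0.2.0/24 to any setup")] + RULES[3:]

SYN = frozenset({"SYN"})
ACK = frozenset({"ACK"})


def dialup_can_reach(rules, dst, dport):
    """Does a dialup client's first SYN to dst:dport pass the rule set?"""
    return evaluate(rules, Packet("192.0.2.5", 40000, dst, dport, SYN))[1] == "allow"


if __name__ == "__main__":
    for name, rules in (("as posted", RULES), ("with extra setup rule", RULES_FIXED)):
        print(name, "- home page:", dialup_can_reach(rules, "198.51.100.10", 80),
              "- outside web:", dialup_can_reach(rules, "203.0.113.7", 80))
```

Reply traffic for a connection that already exists is accepted by the first rule regardless of who opened it, which is why mail and the home page keep working for the dialup users while every new outbound connection dies at the last rule; the simulator's rule number tells you which line a given packet stopped at, which is the same question `ipfw show` counters answer on a real box.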