Date: Sat, 7 Sep 2002 06:21:26 +0900 From: "nuro_pro" <maillist@withdoc.net> To: <freebsd-questions@freebsd.org> Subject: problems using ipfw2 . Message-ID: <000801c255eb$5be931c0$0200a8c0@SUPPER>
next in thread | raw e-mail | index | archive | help
I want to use ipfw2 for my bsd box. I have set it up just like belows. Services listening on 143 995 80 993 465 110 22 21 ports are working fine except samba server. I can't connect to the bsd box from my windows machine using network drive connection which say " can't find network drive". But I actually used it fine before using ipfw2. Please give me some suggestions. Here are what I've done. uname -a FreeBSD localhost 4.6-STABLE FreeBSD 4.6-STABLE #3: Sat Sep 7 04:35:20 KST 2002 fans@localhost:/usr/obj/usr/src/sys/nute i386 netstat -an|more Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 20 192.168.0.4.22 192.168.0.2.1030 ESTABLISHED tcp4 0 0 *.465 *.* LISTEN tcp4 0 0 *.139 *.* LISTEN tcp4 0 0 *.3306 *.* LISTEN tcp4 0 0 *.25 *.* LISTEN tcp4 0 0 *.21 *.* LISTEN tcp4 0 0 192.168.0.4.110 *.* LISTEN tcp4 0 0 192.168.0.4.995 *.* LISTEN tcp4 0 0 192.168.0.4.143 *.* LISTEN tcp4 0 0 192.168.0.4.993 *.* LISTEN tcp4 0 0 192.168.0.4.80 *.* LISTEN tcp4 0 0 *.22 *.* LISTEN udp4 0 0 *.161 *.* udp4 0 0 192.168.0.4.138 *.* udp4 0 0 192.168.0.4.137 *.* udp4 0 0 *.138 *.* udp4 0 0 *.137 *.* udp4 0 0 192.168.0.4.53 *.* udp4 0 0 *.514 *.* # install ipfw2 cd /usr/src/sbin/ipfw make IPFW2=yes install # kernel options added options IPFIREWALL options IPDIVERT # some options concerned to ipfw2 in /etc/rc.conf firewall_enable="YES" firewall_script="/etc/rc.ipfw" firewall_type="open" firewall_quiet="NO" tcp_drop_synfin="YES" # my /etc/rc.ipfw if [ -r /etc/defaults/rc.conf ]; then . /etc/defaults/rc.conf source_rc_confs elif [ -r /etc/rc.conf ]; then . /etc/rc.conf fi if [ -n "${1}" ]; then firewall_type="${1}" fi fwcmd="/sbin/ipfw" outside_network_device="xl0" outside_network="192.168.0.0" outside_network_mask="255.255.255.0" outside_network_ip="192.168.0.4" ${fwcmd} add 100 pass all from any to any via lo0 ${fwcmd} add 200 deny all from any to 127.0.0.0/8 # ${fwcmd} add deny all from ${outside_network}:${outside_network_mask} to any in via ${inside_network_device} ${fwcmd} add deny all from any to 10.0.0.0/8 via ${outside_network_device} ${fwcmd} add deny all from any to 172.16.0.0/12 via ${outside_network_device} ${fwcmd} add deny all from any to 0.0.0.0/8 via ${outside_network_device} ${fwcmd} add deny all from any to 169.254.0.0/16 via ${outside_network_device} ${fwcmd} add deny all from any to 192.0.2.0/24 via ${outside_network_device} ${fwcmd} add deny all from any to 224.0.0.0/4 via ${outside_network_device} ${fwcmd} add deny all from any to 240.0.0.0/4 via ${outside_network_device} # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from 10.0.0.0/8 to any via ${outside_network_device} ${fwcmd} add deny all from 172.16.0.0/12 to any via ${outside_network_device} # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) # on the outside interface ${fwcmd} add deny all from 0.0.0.0/8 to any via ${outside_network_device} ${fwcmd} add deny all from 169.254.0.0/16 to any via ${outside_network_device} ${fwcmd} add deny all from 192.0.2.0/24 to any via ${outside_network_device} ${fwcmd} add deny all from 224.0.0.0/4 to any via ${outside_network_device} ${fwcmd} add deny all from 240.0.0.0/4 to any via ${outside_network_device} # Allow established connections with minimal overhead ${fwcmd} add pass tcp from any to any established # Allow IP fragments to pass through ${fwcmd} add pass all from any to any frag # HTTP - Allow access to our web server ${fwcmd} add pass tcp from any to any 80 setup # SMTP - Allow access to sendmail for incoming e-mail ${fwcmd} add pass tcp from any to any 25 setup # ssmtp ${fwcmd} add pass tcp from any to any 465 setup # pop ${fwcmd} add pass tcp from any to any 110 setup # imap ${fwcmd} add pass tcp from any to any 143 setup # pop3s ${fwcmd} add pass tcp from any to any 995 setup # imaps ${fwcmd} add pass tcp from any to any 993 setup # FTP - Allow incoming data channel for outgoing connections, # reject & log all incoming control connections ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup ${fwcmd} add pass tcp from any to any 21 in via ${outside_network_device} setup # SSH Login - Allow & Log all incoming ${fwcmd} add pass log tcp from any to any 22 in via ${outside_network_device} setup # IDENT - Reset incoming connections ${fwcmd} add reset tcp from any to any 113 in via ${outside_network_device} setup # Reject&Log all setup of incoming connections from the outside ${fwcmd} add deny log tcp from any to any in via ${outside_network_device} setup # Allow setup of any other TCP connection ${fwcmd} add pass tcp from any to any setup # DNS - Allow queries out in the world ${fwcmd} add pass udp from any to ${dns1} 53 ${fwcmd} add pass udp from any to ${dns2} 53 ${fwcmd} add pass udp from ${dns1} 53 to any ${fwcmd} add pass udp from ${dns2} 53 to any # SMB - Allow local traffic ${fwcmd} add pass udp from any to any 137 via ${outside_network_device} ${fwcmd} add pass udp from any to any 138 via ${outside_network_device} ${fwcmd} add pass udp from any to any 139 via ${outside_network_device} ${fwcmd} add pass tcp from any to any 137 via ${outside_network_device} ${fwcmd} add pass tcp from any to any 138 via ${outside_network_device} ${fwcmd} add pass tcp from any to any 139 via ${outside_network_device} # NTP - Allow queries out in the world ${fwcmd} add pass udp from any 123 to any 123 via ${outside_network_device} # TRACEROUTE - Allow outgoing ${fwcmd} add pass udp from any to any 33434-33523 out via ${outside_network_device} # Allow outgoing pings ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${outside_network_device} ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${outside_network_device} # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${outside_network_device} # Deny the rest of them ${fwcmd} add deny icmp from any to any To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000801c255eb$5be931c0$0200a8c0>