Site Navigation

Date:      Sat, 7 Sep 2002 06:21:26 +0900
From:      "nuro_pro" <maillist@withdoc.net>
To:        <freebsd-questions@freebsd.org>
Subject:   problems using ipfw2 .
Message-ID:  <000801c255eb$5be931c0$0200a8c0@SUPPER>

---

next in thread | raw e-mail | index | archive | help

---

I want to use ipfw2 for my bsd box. I have set it up just like belows.
Services listening on 143 995 80 993 465 110 22 21 ports are working fine
except  samba server.
I can't connect to the bsd box from my windows machine using network drive
connection which say " can't find network drive". But I actually used it
fine before using ipfw2.
Please give me some suggestions.

Here are what I've done.

uname -a
FreeBSD localhost 4.6-STABLE FreeBSD 4.6-STABLE #3: Sat Sep  7 04:35:20 KST
2002     fans@localhost:/usr/obj/usr/src/sys/nute  i386

netstat -an|more
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     20  192.168.0.4.22         192.168.0.2.1030
ESTABLISHED
tcp4       0      0  *.465                  *.*                    LISTEN
tcp4       0      0  *.139                  *.*                    LISTEN
tcp4       0      0  *.3306                 *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  192.168.0.4.110        *.*                    LISTEN
tcp4       0      0  192.168.0.4.995        *.*                    LISTEN
tcp4       0      0  192.168.0.4.143        *.*                    LISTEN
tcp4       0      0  192.168.0.4.993        *.*                    LISTEN
tcp4       0      0  192.168.0.4.80         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.161                  *.*
udp4       0      0  192.168.0.4.138        *.*
udp4       0      0  192.168.0.4.137        *.*
udp4       0      0  *.138                  *.*
udp4       0      0  *.137                  *.*
udp4       0      0  192.168.0.4.53         *.*
udp4       0      0  *.514                  *.*

# install ipfw2
cd /usr/src/sbin/ipfw
make IPFW2=yes install

# kernel options added
options     IPFIREWALL
options     IPDIVERT

# some options concerned to ipfw2 in /etc/rc.conf
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_type="open"
firewall_quiet="NO"
tcp_drop_synfin="YES"


# my /etc/rc.ipfw

if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi
fwcmd="/sbin/ipfw"
outside_network_device="xl0"
outside_network="192.168.0.0"
outside_network_mask="255.255.255.0"
outside_network_ip="192.168.0.4"

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# ${fwcmd} add deny all from ${outside_network}:${outside_network_mask} to
any in via ${inside_network_device}

${fwcmd} add deny all from any to 10.0.0.0/8 via ${outside_network_device}
${fwcmd} add deny all from any to 172.16.0.0/12 via
${outside_network_device}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${outside_network_device}
${fwcmd} add deny all from any to 169.254.0.0/16 via
${outside_network_device}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${outside_network_device}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${outside_network_device}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${outside_network_device}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${outside_network_device}
${fwcmd} add deny all from 172.16.0.0/12 to any via
${outside_network_device}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${outside_network_device}
${fwcmd} add deny all from 169.254.0.0/16 to any via
${outside_network_device}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${outside_network_device}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${outside_network_device}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${outside_network_device}

# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup

# ssmtp
${fwcmd} add pass tcp from any to any 465 setup
# pop
${fwcmd} add pass tcp from any to any 110 setup
# imap
${fwcmd} add pass tcp from any to any 143 setup
# pop3s
${fwcmd} add pass tcp from any to any 995 setup
# imaps
${fwcmd} add pass tcp from any to any 993 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add pass tcp from any to any 21 in via ${outside_network_device}
setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via
${outside_network_device} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${outside_network_device}
setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${outside_network_device}
setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137 via ${outside_network_device}
${fwcmd} add pass udp from any to any 138 via ${outside_network_device}
${fwcmd} add pass udp from any to any 139 via ${outside_network_device}

${fwcmd} add pass tcp from any to any 137 via ${outside_network_device}
${fwcmd} add pass tcp from any to any 138 via ${outside_network_device}
${fwcmd} add pass tcp from any to any 139 via ${outside_network_device}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${outside_network_device}

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via
${outside_network_device}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via
${outside_network_device}
${fwcmd} add pass icmp from any to any icmptypes 0 in via
${outside_network_device}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad
Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via
${outside_network_device}

# Deny the rest of them
${fwcmd} add deny icmp from any to any



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000801c255eb$5be931c0$0200a8c0>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact