From: Redmond Militante
Date: Mon, 21 Oct 2002 17:43:08 -0500 (CDT)
To: freebsd-questions@freebsd.org
Subject: need help with ipfw rules

hi all

my apologies, this could get long as I'm including the text of various config files:

I've been trying to learn ipfw. I've recompiled a kernel with the following options:

options ICMP_BANDLIM
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCP_DROP_SYNFIN
options IPFIREWALL_FORWARD
options IPSTEALTH
options DUMMYNET

my rc.conf:

# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="1.1.1.1"
gateway_enable="YES"
hostname="hostname.com"
ifconfig_xl0="inet 1.1.1.1 netmask 255.255.255.0"
inetd_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="open"
firewall_quiet="NO"
tcp_drop_synfin="NO"
firewall_logging_enable="YES"
icmp_drop_redirect="YES"
log_in_vain="YES"
sendmail_flags=-bd
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
moused_port="/dev/psm0"
moused_type="auto"
nfs_reserved_port_only="YES"
saver="logo"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
portmap_enable="YES"
nfs_server_enable="YES"
mountd_flags="-r"

I haven't edited rc.firewall. This machine is a combination desktop/web/ftp/nfs server.

my /etc/ipfw.rules looks like:

ipfw add allow ip from any to any
ipfw add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
ipfw add allow udp from any to any 53
ipfw add check-state
ipfw add allow tcp from any to any 80 setup keep-state
ipfw add allow tcp from any to any 53 setup keep-state
ipfw add allow tcp from any to any 21 setup keep-state
ipfw add allow tcp from any to any 22 setup keep-state
ipfw add allow tcp from any to any 25 setup keep-state
ipfw add allow tcp from any to any 110 setup keep-state
ipfw add allow tcp from any to any 587 setup keep-state
ipfw add allow tcp from any to any 3306 setup keep-state
ipfw add allow tcp from any to any 10000 setup keep-state
ipfw add reject tcp from any to any
ipfw add allow udp from any to any 53
ipfw add allow icmp from any to any icmptype 0,3,4,8,11
ipfw add deny log logamount 5000 ip from any to any

(I was following phoenix's and kirk's ipfw advice in another thread)

I've also added

!ipfw
*.* /var/log/firewall.log

to /etc/syslog.conf, touched /var/log/firewall.log, and restarted syslogd.

upon reboot, the machine hangs in 3 different places during the bootup process.
my bootup messages look like:

[snip]
additional network daemons:mountd
oct 21 15:27:47 hostname mountd[96]: get hostname failed for www3
oct 21 15:27:47 hostname mountd[96]: bad host www3, skipping
oct 21 15:27:47 hostname mountd[96]: bad exports list line /mnt/drive2/dailybackup www3
nfs on reserved port only=YES
nfsd rpc.statd
[snip]

here it hangs on mountd for a minute or two, then proceeds

[snip]
starting standard daemons: inetd cron sshd usbd sendmail sendmail-clientmqueue
[snip]

here it hangs on sendmail and sendmail-clientmqueue, then proceeds

it then hangs for hours at 'recovering vi sessions:'. it eventually boots all the way through after a few hours. this is not workable for me.

I've switched my /etc/ipfw.rules to

ipfw add allow ip from any to any
ipfw add allow udp from any to any 53

temporarily, so that I can use the machine, but would like to have a set of basic ipfw rules in place.

can anyone tell me where I'm going wrong? I think it's hanging on the bootup process because my ipfw.rules are messed up.

thanks
redmond

Redmond Militante
Northwestern University, Evanston, IL. USA
r-militante@northwestern.edu
847-467-7617
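As an added check that is not part of the original post: a small Python script, constructed here, that parses an ipfw rule list of the shape shown above and reports rules that can never match because an earlier terminating rule already matches everything they would. Applied to the posted ordering it flags every rule after the first, since `allow ip from any to any` at the top matches all traffic before any later rule is consulted; the simplified parser assumes the `ipfw add action proto from src to dst [port] [options]` form used in the post and treats `setup`, `via` and `icmptype` as narrowing qualifiers.

```python
# Constructed sample: a subset of the posted ruleset, in the posted order.
# Rule 1 is a catch-all, so ipfw never consults any rule after it.
POSTED = """\
ipfw add allow ip from any to any
ipfw add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
ipfw add allow udp from any to any 53
ipfw add check-state
ipfw add allow tcp from any to any 80 setup keep-state
ipfw add allow udp from any to any 53
ipfw add deny log logamount 5000 ip from any to any
"""
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "unreach"}

def parse_rule(line):
    """Parse 'ipfw add [num] action [log [logamount N]] proto from src to dst [port] [opts]'.
    Returns None for lines that are not terminating rules (e.g. check-state)."""
    t = line.split()
    if t[:2] != ["ipfw", "add"] or len(t) < 3:
        return None
    t = t[2:]
    if t[0].isdigit():                 # optional explicit rule number
        t.pop(0)
    action = t.pop(0)
    if action not in TERMINAL:
        return None
    if t and t[0] == "log":            # logging does not change what a rule matches
        t.pop(0)
        if t[0] == "logamount":
            del t[:2]
    (proto, _from, src, _to, dst), t = t[:5], t[5:]
    dports = set(t.pop(0).split(",")) if t and t[0][0].isdigit() else None
    quals = set(t) - {"keep-state"}    # setup, via, icmptype ... narrow the match
    return dict(proto=proto, src=src, dst=dst, dports=dports, quals=quals)

def covers(a, b):
    """True if every packet that rule b would match is already matched by earlier rule a."""
    return ((a["proto"] in ("ip", "all") or a["proto"] == b["proto"])
            and a["src"] in ("any", b["src"]) and a["dst"] in ("any", b["dst"])
            and (a["dports"] is None or (b["dports"] is not None and b["dports"] <= a["dports"]))
            and a["quals"] <= b["quals"])

def shadowed_rules(text):
    """Return [(line_no, earlier_line_no)] for rules that can never be reached."""
    rules = [(n, r) for n, ln in enumerate(text.splitlines(), 1) if (r := parse_rule(ln))]
    found = []
    for i, (n, r) in enumerate(rules):
        for m, earlier in rules[:i]:
            if covers(earlier, r):
                found.append((n, m))
                break
    return found
```

Moving the catch-all to the end of the same list makes the duplicate `udp ... 53` rule the only shadowed service rule, and the check is a quick thing to run on a ruleset before loading it at boot.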