Date: Mon, 21 Oct 2002 21:16:36 -0400 From: Dan Pelleg <daniel+fbsqd@pelleg.org> To: freebsd-questions@freebsd.org, Redmond Militante <mre037@merle.acns.nwu.edu> Subject: RE: need help with ipfw rules Message-ID: <15796.42740.862970.400286@gs166.sp.cs.cmu.edu>
> hi all
>
> my apologies, this could get long as i'm including the text of various
> config files:
>
> i've been trying to learn ipfw. i've recompiled a kernel with the
> following options

> ipfw add allow ip from any to any

Do you really want to allow everything in, or is this just a typo? If this
rule is really in effect, the rest of the rules are not doing anything.

> ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0

I'm assuming "vua" is a typo - should be "via".

> ipfw add allow udp from any to any 53
> ipfw add check-state

You're not letting DNS replies come back. You are allowing the queries to
go *out*, but when the remote server's reply packets hit the firewall they
have port 53 on the *source* address, not on the destination. So they don't
match that rule anymore and are discarded. What you probably want instead is:

  ipfw add allow udp from any to any 53 keep-state

Another point: you're not using the "divert" rule for natd, and I see you
have NAT enabled in your rc.conf. This is likely to be a problem later
(well, you'll just not have NAT).

A very good resource for this is /etc/rc.firewall. Just try to follow what
the "CLIENT", "SIMPLE" and "OPEN" targets do, or even let them run, then
output the generated ruleset and use it as the skeleton of your own ruleset.

Another useful debugging tool is "ipfw show" - typed repeatedly to watch
which counters increased and so to know which rules were hit. Once you get
into stateful filtering, you'll want "ipfw -d show".

Having said that, good ol' tcpdump is always handy to have around. Just fire
up "tcpdump -ni XXX" with XXX for your external interface and see what's
going out and what's coming in. Once you start firewalling for a network, a
"tcpdump -ni III" with III being the internal interface becomes useful as
well, either in itself or in addition to the external-watching tcpdump.

-- 
Dan Pelleg
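The reply-port problem Dan describes, modelled as a small simulation of ipfw's first-match evaluation with check-state/keep-state. This is an added example, not code from the thread or from ipfw itself; the Packet/Rule/Firewall names, the addresses and the port numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Toy model of ipfw rule matching. Only the features the thread touches are
# modelled: allow/deny, protocol and destination-port matching, check-state
# and keep-state. Real ipfw has far more (interfaces, "via", netmasks, ...).

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    action: str                  # "allow", "deny" or "check-state"
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # destination port; None matches any
    keep_state: bool = False     # record the flow so its reply is allowed

@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)  # 5-tuples recorded by keep-state

    def _state_matches(self, p: Packet) -> bool:
        # A dynamic entry matches the recorded direction and its mirror image,
        # so the reply (src/dst and ports swapped) is recognised.
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def filter(self, p: Packet) -> str:
        for r in self.rules:
            if r.action == "check-state":
                if self._state_matches(p):
                    return "allow"
                continue
            if r.proto != "ip" and r.proto != p.proto:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue              # "53" is the *destination* port only
            if r.keep_state:
                self.dynamic.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return r.action
        return "deny"                 # implicit default rule: nothing matched

def dns_exchange(stateful: bool) -> tuple:
    # Ruleset from the thread: the allow rule, then check-state, optionally
    # with keep-state added to the allow rule as Dan suggests.
    fw = Firewall([Rule("allow", "udp", dport=53, keep_state=stateful),
                   Rule("check-state")])
    query = Packet("udp", "192.0.2.10", 40000, "198.51.100.1", 53)  # constructed
    reply = Packet("udp", "198.51.100.1", 53, "192.0.2.10", 40000)  # constructed
    return fw.filter(query), fw.filter(reply)
```

Without keep-state the reply carries 53 as its source port, matches no rule and falls through to the implicit deny; with keep-state the check-state rule recognises it as the mirror of the recorded query.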