From owner-freebsd-questions Mon Oct 21 18:53:40 2002
From: "Grant Cooper"
To: "Dan Pelleg" , , "Redmond Militante"
Subject: Re: need help with ipfw rules
Date: Mon, 21 Oct 2002 19:57:42 -0700

Check out this site; once you get a handle on the setup, read this HOWTO.
I've looked at lots of resources, but this is the best as far as I'm
concerned.

http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

If someone has one better, I would love to see it.

Grant Cooper

----- Original Message -----
From: "Dan Pelleg"
To: ; "Redmond Militante"
Sent: Monday, October 21, 2002 6:16 PM
Subject: RE: need help with ipfw rules

> > hi all
> >
> > my apologies, this could get long as I'm including the text of various
> > config files:
> >
> > I've been trying to learn ipfw. I've recompiled a kernel with the
> > following options
> >
> > ipfw add allow ip from any to any
>
> Do you really want to allow everything in, or is this just a typo?
> If this rule is really in effect, the rest of the rules are
> not doing anything.
>
> > ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
>
> I'm assuming "vua" is a typo - should be "via".
>
> > ipfw add allow udp from any to any 53
> > ipfw add check-state
>
> You're not letting DNS replies come back. You are allowing the queries
> to go *out*, but when the remote server's reply packets hit the firewall
> they have port 53 on the *source* address, not on the destination.
> So they don't match that rule anymore and are discarded.
>
> What you probably want instead is:
> ipfw add allow udp from any to any 53 keep-state
>
> Another point: you're not using the "divert" rule for natd,
> and I see you have NAT enabled in your rc.conf. This is likely to
> be a problem later (well, you'll just not have NAT).
>
> A very good resource for this is /etc/rc.firewall. Just try
> to follow what the "CLIENT", "SIMPLE" and "OPEN" targets
> do, or even let them run, then output the generated ruleset
> and use it as the skeleton of your own ruleset.
>
> Another useful debugging tool is "ipfw show" - typed repeatedly to watch
> which counters increased and so to know which rules were hit.
> Once you get into stateful filtering, you'll want "ipfw -d show".
>
> Having said that, good ol' tcpdump is always handy to have around.
> Just fire up "tcpdump -ni XXX" with XXX for your external interface
> and see what's going out and what's coming in. Once you start
> firewalling for a network, a "tcpdump -ni III" with III being
> the internal interface becomes useful as well, either in itself
> or in addition to the external-watching tcpdump.
>
> --
> Dan Pelleg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
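The following ruleset is an added example, not part of the thread above and not a copy of /etc/rc.firewall. It puts Dan's points into one loadable script: no catch-all allow at the top, loopback confined to lo0, DNS with keep-state, and divert rules so natd actually sees the traffic. It also handles one interaction the reply does not spell out: with natd in the picture, inbound packets must be un-NATed before check-state, and outbound keep-state rules must use skipto (not allow) to reach the outbound divert, otherwise the dynamic rule never matches the reply or natd never translates the packet. The interface names (xl0, xl1), the LAN prefix and the list of allowed services are assumptions; change them for your box.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ipfw ruleset for a FreeBSD
# NAT gateway. Interface names and the LAN prefix below are assumptions.

oif="${OIF:-xl0}"               # external interface (assumed name)
iif="${IIF:-xl1}"               # internal interface (assumed name)
inet="${INET:-192.168.1.0/24}"  # internal network (assumed prefix)

load_ruleset() {
    # FWCMD=echo prints the rules instead of loading them.
    fwcmd="${FWCMD:-/sbin/ipfw}"

    $fwcmd -q -f flush

    # Inbound packets from the outside are un-NATed first; otherwise the
    # dynamic rule created on the way out (keyed on the private address)
    # would never match the reply that comes back.
    $fwcmd add 100 divert natd ip from any to any in via "$oif"
    $fwcmd add 110 check-state

    # Loopback traffic stays on lo0; 127/8 never belongs on a real interface.
    $fwcmd add 200 allow ip from any to any via lo0
    $fwcmd add 210 deny ip from any to 127.0.0.0/8
    $fwcmd add 220 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: our own LAN prefix must not arrive from the outside.
    $fwcmd add 300 deny ip from "$inet" to any in via "$oif"

    # The LAN may talk to the gateway and through it.
    $fwcmd add 400 allow ip from "$inet" to any in via "$iif"

    # Outbound sessions. keep-state records the state before NAT happens,
    # and skipto (rather than allow) hands the packet on to the outbound
    # divert; an allow here would end rule processing before natd saw it.
    $fwcmd add 500 skipto 800 udp from any to any 53 out via "$oif" keep-state
    $fwcmd add 510 skipto 800 tcp from any to any 22,80,443 out via "$oif" setup keep-state
    $fwcmd add 520 skipto 800 icmp from any to any out via "$oif" keep-state

    # Everything else is logged and dropped. "ipfw show" (and "ipfw -d show"
    # for the dynamic rules) plus tcpdump -ni on each interface tell you
    # what lands here while you tune the list above.
    $fwcmd add 700 deny log ip from any to any

    # Outbound NAT, reachable only through the skipto rules above.
    $fwcmd add 800 divert natd ip from any to any out via "$oif"
    $fwcmd add 810 allow ip from any to any
}

case "${1:-}" in
    preview) FWCMD=echo; load_ruleset ;;
    apply)   load_ruleset ;;
esac
```

Run `sh ipfw.sh preview` to print the rules, `sh ipfw.sh apply` as root to load them, then watch `ipfw -d show` while a LAN host resolves a name: the 500 rule's counter increments once and a dynamic entry appears whose reverse direction carries the reply through rule 110.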