Date:      Mon, 21 Oct 2002 20:46:31 -0500
From:      Redmond Militante <r-militante@northwestern.edu>
To:        Dan Pelleg <daniel+fbsdq@pelleg.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: need help with ipfw rules
Message-ID:  <20021022014631.GA477@darkpossum>
In-Reply-To: <15796.42740.862970.400286@gs166.sp.cs.cmu.edu>
References:  <15796.42740.862970.400286@gs166.sp.cs.cmu.edu>

hi
thanks for responding

On Mon, Oct 21, 2002 at 09:16:36PM -0400, Dan Pelleg expatiated with great perspicuity:
>
> > hi all
> >
> > my apologies, this could get long as i'm including the text of various
> > config files:
> >
> > i've been trying to learn ipfw. i've recompiled a kernel with the
> > following options
>
>
> > ipfw add allow ip from any to any
>

typo

> Do you really want to allow everything in, or is this just a typo?
> If this rule is really in effect, the rest of the rules are
> not doing anything.
>
> > ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
>
> I'm assuming "vua" is a typo - should be "via".
>

typo again

> > ipfw add allow udp from any to any 53
> > ipfw add check-state
>
> You're not letting DNS replies come back. You are allowing the queries
> to go *out*, but when the remote server's reply packets hit the firewall
> they have port 53 on the *source* address, not on the destination.
> So they don't match that rule anymore and are discarded.
>
> What you probably want instead is:
> ipfw add allow udp from any to any 53 keep-state
>
>

i changed this line.  boots up fine.  webserver, ssh, nfs, mail, etc. work.
there's only one problem i noticed right off the bat - it looks like ftp
users can authenticate fine, but when their ftp client tries to bring up a
list of files in their ftp directories, it hangs at 'getting file list...'

any ideas on how to fix?

thanks
redmond
> Another point: you're not using the "divert" rule for natd,
> and I see you have NAT enabled in your rc.conf. This is likely to
> be a problem later (well, you'll just not have NAT).
>
> A very good resource for this is /etc/rc.firewall. Just try
> to follow what the "CLIENT", "SIMPLE" and "OPEN" targets
> do, or even let them run, then output the generated ruleset
> and use it as the skeleton of your own ruleset.
>
> Another useful debugging tool is "ipfw show" - typed repeatedly to watch
> which counters increased and so to know which rules were hit.
> Once you get into stateful filtering, you'll want "ipfw -d show".
>
> Having said that, good ol' tcpdump is always handy to have around.
> Just fire up "tcpdump -ni XXX" with XXX for your external interface
> and see what's going out and what's coming in. Once you start
> firewalling for a network, a "tcpdump -ni III" with III being
> the internal interface becomes useful as well, either in itself
> or in addition to the external-watching tcpdump.
>
> --
>  Dan Pelleg
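Dan's "ipfw show typed repeatedly" suggestion, as an added example that is not part of this thread or of FreeBSD's own tooling: a small Python script that parses two snapshots of `ipfw show` output and lists the rules whose packet counters moved between them, so you can see which rule a packet actually hit. The two snapshots below are constructed, and the rule numbers and counts are assumptions.

```python
import re

# `ipfw show` prints: rule number, packet count, byte count, rule text.
IPFW_SHOW_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_ipfw_show(text):
    """Return {rule_number: (packets, bytes, rule_text)} for one snapshot."""
    rules = {}
    for line in text.splitlines():
        m = IPFW_SHOW_LINE.match(line)
        if not m:
            continue  # blank lines or anything that is not a counter line
        num, pkts, byts, body = m.groups()
        rules[int(num)] = (int(pkts), int(byts), body.strip())
    return rules


def counters_that_moved(before, after):
    """List (rule_number, packet_delta, rule_text) for every rule whose packet
    counter grew between the two snapshots, in rule order."""
    moved = []
    for num in sorted(after):
        pkts_after, _, body = after[num]
        pkts_before = before.get(num, (0, 0, body))[0]
        delta = pkts_after - pkts_before
        if delta > 0:
            moved.append((num, delta, body))
    return moved


# Constructed snapshots (not real output) taken before and after one DNS
# lookup through a ruleset that uses the keep-state rule suggested above.
BEFORE = """\
00100         12       960 allow ip from any to any via lo0
00200          0         0 check-state
00300          4       300 allow udp from any to any dst-port 53 keep-state
65535         37      2800 deny ip from any to any
"""
AFTER = """\
00100         12       960 allow ip from any to any via lo0
00200          0         0 check-state
00300          6       460 allow udp from any to any dst-port 53 keep-state
65535         37      2800 deny ip from any to any
"""

if __name__ == "__main__":
    # Query and reply both land on rule 300: the reply matched the dynamic
    # state created by keep-state, so the final deny counter did not move.
    for num, delta, body in counters_that_moved(
            parse_ipfw_show(BEFORE), parse_ipfw_show(AFTER)):
        print(f"{num:05d} +{delta} {body}")
```

Run it against real snapshots by feeding the output of two `ipfw show` invocations into `parse_ipfw_show`; a growing counter on the last deny rule, with nothing else moving, is the signature of a reply being dropped.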