Date: Thu, 29 Mar 2001 22:42:05 -0800
From: Chip Wiegand <chip@wiegand.org>
To: Greg Lehey <grog@lemis.com>
Cc: nomad@netrail.net, freebsd-questions@freebsd.org, ahl@austclear.com.au
Subject: Re: IPFW rules problem
Message-ID: <20010329224205.7991d041.chip@wiegand.org>
In-Reply-To: <20010330135815.M61395@wantadilla.lemis.com>
References: <20010329200130.1f844009.chip@wiegand.org> <MPEGJCJPPBKNCNBGOHGDCEKECPAA.cschreiber@netrail.net> <20010329200130.1f844009.chip@wiegand.org> <20010330135815.M61395@wantadilla.lemis.com>
Thank you, I inserted the missing spaces and it works fine now. One more related question - I run nmap -sS against my firewall and it shows all ports are closed except 111-sunrpc. Why is that? Shouldn't it be closed by the default deny rule? How much faith do you all have in the port scan done online from www.grc.com? I used that also, and it shows a very different story. Including port 80 open, others closed and others stealth. I just want all ports closed to incoming requests, except of course the natd takes care of its job, which it does quite well.

--
Chip

On Fri, 30 Mar 2001 13:58:15 +0930
Greg Lehey <grog@lemis.com> surely must have written something like:

> On Thursday, 29 March 2001 at 20:01:30 -0800, Chip Wiegand wrote:
> > I have used Greg Lehey's book, the chapter on firewalls, to set up my
> > firewall. I basically copied his firewall rules to my machine, figured
> > that'd be a good place to learn from. Anyway, now that I have done that
> > I get the following error when doing ipfw show -
> > -----------------------------------------------------
> > Flushed all rules.
> > 00000 divert 8668 ip from any to any via xl1
> > 00000 allow ip from any to any
> > [: missing ]
> > [: missing ]
> > [: missing ]
> > -----------------------------------------------------
> >
> > I cannot for the life of me find where to put the missing :'s.
>
> These aren't missing :'s, they're missing ]s. The name of the program
> reporting them is [.
>
> > I have included the rc.firewall file, maybe someone with sharper
> > eyes than mine can tell me where the missing :'s belong -
> > -----------------------------------------------------
> >
> > /sbin/ipfw -f flush
>
> "Flushed all rules."
>
> > /sbin/ipfw add divert natd all from any to any via xl1
>
> "00000 divert 8668 ip from any to any via xl1"
>
> > /sbin/ipfw add pass all from any to any
>
> "00000 allow ip from any to any"
>
> Must be coming soon...
>
> > # Allow everything in and out, completely wide open
> > if [ "${firewall}" = "open"]; then
> > /sbin/ipfw add 65000 pass all from any to any
>
> I don't see any ipfw output here. The missing ] must be above.
>
> The real problem here is that you need a space before the ]. If you
> look at the book, you'll see it there. But you don't need to type
> this stuff in, it's already there in /etc/rc.firewall (slightly
> changed since the book was printed).
>
> On Thursday, 29 March 2001 at 23:05:38 -0500, Christian S. wrote:
> >
> > I dunno if it helps, but I always use my rules in the
> > xxx.xxx.xxx.xxx/yy notation for network/netmask rather than
> > xxx.xxx.xxx.xxx:yy.. no idea if it helps/hurts, but that's what I
> > use.. Just an idea.. :/
>
> The / convention specifies the number of bits in the mask, not the
> mask itself. You can either write 223.147.37.0:255.255.255.0, or
> 223.147.37.0/24. I prefer the latter, but /etc/rc.firewall uses the :
> construct. But as I said, that's not the issue here.
>
> Greg

--
Chip Wiegand
Alternative Operating Systems
www.wiegand.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
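Added example, not part of the thread above or of FreeBSD's /etc/rc.firewall: a small sh script that shows the two points Greg raised, the `[` test written with its required space before `]`, and a prefix-length-to-netmask conversion that makes the `/24` and `:255.255.255.0` spellings interchangeable. It assumes the hypothetical `IPFW` variable defaults to `echo`, so the rules are printed rather than loaded; the 223.147.37.0/24 network and rule numbers are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or /etc/rc.firewall).
# IPFW defaults to echoing the rules; set IPFW=/sbin/ipfw on a real
# firewall host to load them.
IPFW=${IPFW:-"echo /sbin/ipfw"}

# Convert a prefix length (0-32) to a dotted-quad mask: 24 -> 255.255.255.0.
# This is the mask the :mask form of rc.firewall expects.
prefix_to_mask() {
    bits=$1
    mask=""
    for octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            part=255
            bits=$((bits - 8))
        else
            part=$((256 - (1 << (8 - bits))))
            bits=0
        fi
        mask="${mask}${mask:+.}${part}"
    done
    echo "$mask"
}

# Emit the rule set for the given mode ("open" or anything else).
# Note the space before ]: without it the shell hands [ the single
# word "open"] and [ reports "missing ]", as in Chip's output.
load_rules() {
    firewall=$1
    $IPFW -f flush
    $IPFW add divert natd all from any to any via xl1
    if [ "${firewall}" = "open" ]; then
        # Allow everything in and out, completely wide open
        $IPFW add 65000 pass all from any to any
    else
        # Same network written both ways; only the local net may pass,
        # everything else hits the explicit default-deny rule.
        $IPFW add 1000 pass all from 223.147.37.0/24 to any via xl1
        $IPFW add 1001 pass all from any to 223.147.37.0:"$(prefix_to_mask 24)" via xl1
        $IPFW add 65534 deny all from any to any
    fi
}
```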