From: Горсткин Илья <cadavo@mail.ru>
To: freebsd-stable@freebsd.org
Date: Fri, 07 Oct 2005 16:58:22 +0400
Message-Id: <1128689902.653.28.camel@hp.tbnbykovo.ru>
Subject: ipfw: firewall.sh doesn't work!

Hi all!

FreeBSD 5.4 p7. ipfw works only with firewall_type="open".
When I try to apply firewall_script="/etc/firewall.sh", the system blocks
the traffic even if firewall.sh is configured as "allow all any to any".

my kernel:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPFIREWALL_FORWARD
    options IPFIREWALL_FORWARD_EXTENDED
    options IPDIVERT
    options DUMMYNET

rc.conf:

    gateway_enable="YES"
    ifconfig_bge0="inet 192.168.1.1"
    ifconfig_xl0="inet xxxx.xxxx.xxxx.xxxx"
    icmp_drop_redirect="YES"
    icmp_log_redirect="YES"
    icmp_bmcastecho="NO"
    firewall_enable="YES"
    #firewall_type="OPEN"
    firewall_script="/etc/firewall.sh"
    firewall_logging="YES"
    natd_enable="YES"
    natd_interface="xl0"
    natd_flags="-s"

/etc/firewall.sh:

    #!/bin/sh
    ipfw='/sbin/ipfw -q'
    inet='xl0'
    lan='bge0'
    ${ipfw} -a flush
    ${ipfw} add 100 allow all from any to any via lo0
    ${ipfw} add 300 divert natd tcp from any to any via ${inet}
    ${ipfw} add 310 divert natd udp from any to any via ${inet}
    ${ipfw} add 400 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
    ${ipfw} add 410 deny icmp from any to any frag
    ${ipfw} add 420 allow icmp from any to any
    ${ipfw} add 500 deny tcp from any to 192.168.1.0/24 137-139 via ${inet}
    ${ipfw} add 510 deny udp from any to 192.168.1.0/24 137-139 via ${inet}
    ${ipfw} add 520 deny ip from 192.168.1.0/24 to any in via ${inet}
    ${ipfw} add 530 allow tcp from 192.168.1.1 to any 5999
    ${ipfw} add 540 allow udp from any 53 to any
    ${ipfw} add 550 allow udp from any to any 53
    ${ipfw} add 600 allow tcp from 192.168.1.0/24 to any 20,21,25,80,110,443,5190
    ${ipfw} add 610 allow tcp from any 20,21,25,80,110,443,5190 to 192.168.1.0/24

Where is the problem? Thanks!
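Editor's note with an added check (this is an example written for this archive page, not code from the post or from FreeBSD). The fact worth keeping in mind when reading the script above: an ipfw rule set always ends with the built-in rule 65535, and on FreeBSD 5.x that rule is "deny ip from any to any" unless the kernel was built with "options IPFIREWALL_DEFAULT_TO_ACCEPT". The kernel options quoted in the post do not include it, and the posted script's highest rule is 610 with no catch-all after it, so any packet that matches none of rules 100-610 is dropped silently by the default rule. The POSIX shell script below extracts the "add N ..." lines from such a script, reports whether its highest-numbered rule is an explicit catch-all, and states what the built-in rule will do given a kernel config. The sample files are constructed inline from the post's contents; the function names, the temporary paths and the added rule 65000 are this example's own.

```shell
#!/bin/sh
# Added example (not from the post or from FreeBSD): statically check an ipfw
# rc script for an explicit terminal rule, and report what ipfw's built-in
# rule 65535 does to unmatched traffic given the kernel options.
# Function and file names below are this example's own.

# Print "<number> <rule body>" for every "... add <number> ..." line that is
# not commented out.  Works on the "${ipfw} add ..." form used in the post.
extract_rules() {
    sed -n 's/^[^#]*[[:space:]]add[[:space:]][[:space:]]*\([0-9][0-9]*\)[[:space:]][[:space:]]*\(.*\)$/\1 \2/p' "$1"
}

# Number of explicit rules (awk so the result carries no stray whitespace).
rule_count() {
    extract_rules "$1" | awk 'END { print NR }'
}

# Exit 0 when the highest-numbered rule is an unconditional catch-all:
# allow or deny, optionally "log", on ip|all from any to any, nothing else.
has_terminal_rule() {
    last=$(extract_rules "$1" | sort -n | tail -n 1)
    body=$(printf '%s\n' "$last" \
        | sed 's/^[0-9]* *//; s/[[:space:]][[:space:]]*/ /g; s/ *$//; s/ log / /')
    case "$body" in
        "allow ip from any to any"|"allow all from any to any"|\
        "deny ip from any to any"|"deny all from any to any") return 0 ;;
    esac
    return 1
}

# "accept" if the kernel config carries IPFIREWALL_DEFAULT_TO_ACCEPT,
# otherwise "deny": that is what built-in rule 65535 does on FreeBSD 5.x.
implicit_default() {
    if grep -q '^[[:space:]]*options[[:space:]]*IPFIREWALL_DEFAULT_TO_ACCEPT' "$1"; then
        echo accept
    else
        echo deny
    fi
}

# --- constructed samples, built inline so the example runs offline ---
TMPD=$(mktemp -d)
POSTED_SCRIPT="$TMPD/firewall.sh"            # rules exactly as posted
FIXED_SCRIPT="$TMPD/firewall-terminal.sh"    # same, plus an explicit logged deny
KERNEL_CONF="$TMPD/KERNEL"                   # options exactly as posted

cat > "$POSTED_SCRIPT" <<'EOF'
#!/bin/sh
ipfw='/sbin/ipfw -q'
inet='xl0'
lan='bge0'
${ipfw} -a flush
${ipfw} add 100 allow all from any to any via lo0
${ipfw} add 300 divert natd tcp from any to any via ${inet}
${ipfw} add 310 divert natd udp from any to any via ${inet}
${ipfw} add 400 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${ipfw} add 410 deny icmp from any to any frag
${ipfw} add 420 allow icmp from any to any
${ipfw} add 500 deny tcp from any to 192.168.1.0/24 137-139 via ${inet}
${ipfw} add 510 deny udp from any to 192.168.1.0/24 137-139 via ${inet}
${ipfw} add 520 deny ip from 192.168.1.0/24 to any in via ${inet}
${ipfw} add 530 allow tcp from 192.168.1.1 to any 5999
${ipfw} add 540 allow udp from any 53 to any
${ipfw} add 550 allow udp from any to any 53
${ipfw} add 600 allow tcp from 192.168.1.0/24 to any 20,21,25,80,110,443,5190
${ipfw} add 610 allow tcp from any 20,21,25,80,110,443,5190 to 192.168.1.0/24
EOF

# Rule number 65000 is this example's choice: any number below 65535 works.
{ cat "$POSTED_SCRIPT"; echo '${ipfw} add 65000 deny log ip from any to any'; } > "$FIXED_SCRIPT"

cat > "$KERNEL_CONF" <<'EOF'
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED
options IPDIVERT
options DUMMYNET
EOF

# One-line verdict per script, as you would give when reviewing it.
report() {
    script=$1; kconf=$2
    if has_terminal_rule "$script"; then
        echo "$script: $(rule_count "$script") rules, explicit terminal rule present"
    else
        echo "$script: $(rule_count "$script") rules, no terminal rule;" \
             "unmatched traffic hits built-in 65535 = $(implicit_default "$kconf")"
    fi
}

report "$POSTED_SCRIPT" "$KERNEL_CONF"
report "$FIXED_SCRIPT" "$KERNEL_CONF"
```

Making the last rule explicit and logged, rather than relying on rule 65535, turns a silent drop into a line in the ipfw log; with IPFIREWALL_VERBOSE already in the kernel and firewall_logging="YES" in rc.conf, that is the quickest way to see which packets a set like the one above is actually rejecting.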