Date:      Tue, 21 Jun 2005 17:19:54 -0400
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "RYAN vAN GINNEKEN" <luck@computerking.ca>, <freebsd-questions@freebsd.org>
Subject:   RE: ipf not working correctly???
Message-ID:  <MIEPLLIBMLEEABPDBIEGEEFEHHAA.fbsd_user@a1poweruser.com>
In-Reply-To: <42B87130.6050203@computerking.ca>

Your first problem is you have ipfw and ipf both turned on in the kernel
and rc.conf.
You can only have one firewall on at a time.
Remove all "firewall" and ipf statements from the kernel and
recompile, or just use the generic kernel. Then remove all "firewall"
and "natd" statements from rc.conf.

Then go back and read the FreeBSD handbook section on firewalls; it's
been updated to give detailed instructions on what to do. Follow
them to the letter and you will be all set.


-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of RYAN vAN GINNEKEN
Sent: Tuesday, June 21, 2005 3:58 PM
To: freebsd-questions@freebsd.org
Subject: ipf not working correctly???


Hello all, I use FreeBSD stable 4.11 and wish to use the built-in ipf
version 3.x something. I have been using ipfw with type set to open;
however, I have recently been attacked and need to beef up security.

I have followed the basic setup that is in the FreeBSD handbook and
read through the world famous ipf howto lots of times.

Currently I have the below options compiled into my kernel. The docs I
have read say you do not need to compile ipfilter options into the
kernel to use it. I was going to uncomment the ipfilter stuff and
comment out the ipfirewall options when I got ipfilter working. Is it
necessary to recompile the kernel without ipfirewall options to make
ipfilter work?

Kernel OPTIONS========================

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPDIVERT

#options                IPFILTER
#options                IPFILTER_LOG
#options                IPFILTER_DEFAULT_BLOCK

IN MY /etc/rc.conf==========================

#IPF & IPNAT
ipfilter_enable="YES"             # Start ipf firewall
#ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file
ipfilter_rules="/etc/ipfopen.rules"

ipmon_enable="YES"                # Start IP monitor log
ipmon_flags="-Ds"                 # D = start as daemon, s = log to syslog, v =

ipnat_enable="YES"                # Start ipnat function
ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat

AS WELL AS THIS TO TURN OFF IPFILTER AND NATD

#IPFW & NATD
firewall_enable="NO"
firewall_type="OPEN"
firewall_quiet="NO"
#firewall_script="/etc/rc.firewall"

natd_enable="NO"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

HERE IS /etc/ipnat.rules=============================================

# the rule that forwards everything

map xl0 192.168.0.0/16 -> 0/32

#VNC HOSTS
#HOST 1
#java
rdr xl0 0/32 port 5801 -> 192.168.0.1 port 5801
#no java
rdr xl0 0/32 port 5901 -> 192.168.0.1 port 5901

#HOST 2
#java
rdr xl0 0/32 port 5802 -> 192.168.0.1 port 5802
#no java
rdr xl0 0/32 port 5902 -> 192.168.0.1 port 5902

===============================================================

PLEASE FIND MY ipf.rules ATTACHED TO this email. I have even tried to
use the following rule set to see if I could get ipf to work as an open
firewall, but it still seems to block too much.

===============================================================

pass out quick on lo0 all
pass in quick on lo0 all

pass out quick on xl1 all
pass in quick on xl1 all

pass out quick on xl0 all
pass in quick on xl0 all

When I ping google.ca I get errors about unknown hostname. When I ping
Google's IP address I get permission denied over and over again. When I
try to use lynx I get alert destination host unreachable. Seems like
DNS?? When I turn off ipf and use ipfw set to open everything works fine
again. Please, someone help; what is going wrong? ipmon/ipfstat do not
seem to help, but maybe I need some guidance with these tools.
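As an added example, not part of either message in this thread: the conflict fbsd_user points out (ipfw and ipf both switched on in rc.conf) is easy to miss by eye in a long rc.conf, so this POSIX sh script reads firewall_enable and ipfilter_enable the way sh would see them (last assignment wins, trailing comment and quotes dropped) and fails when more than one packet filter is on. As a generalization it also checks pf_enable, a knob from later FreeBSD releases that has the same one-at-a-time rule. The sample rc.conf it reads is constructed, with firewall_enable flipped to YES to show the failing case.

```shell
#!/bin/sh
# Added example, not taken from either message in this thread: check an
# rc.conf for the condition fbsd_user describes, i.e. more than one packet
# filter switched on. FreeBSD's rc scripts treat firewall_enable (ipfw) and
# ipfilter_enable (ipf) as independent knobs, so nothing stops both being
# "YES". The sample rc.conf at the bottom is constructed for this demo.

# rc_value FILE KNOB: print the last uncommented value assigned to KNOB,
# trailing comment and surrounding quotes removed. rc.conf is sourced by
# sh, so the last assignment wins. (A '#' inside a quoted value would be
# mis-read as a comment; the knobs in this thread have none.)
rc_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# is_yes VALUE: the spellings rc.subr's checkyesno accepts as "on".
is_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# firewall_conflict FILE: print which packet filters are enabled; return 0
# when at most one is, 1 when two or more are (the situation in the thread).
# pf_enable is included because the same one-at-a-time rule applies on
# FreeBSD releases that ship pf (5.3 and later; not the poster's 4.11).
firewall_conflict() {
    enabled=""
    for knob in firewall_enable ipfilter_enable pf_enable; do
        if is_yes "$(rc_value "$1" "$knob")"; then
            enabled="$enabled ${knob%_enable}"
        fi
    done
    printf 'enabled packet filters:%s\n' "${enabled:- none}"
    set -- $enabled
    [ "$#" -le 1 ]
}

# Constructed sample: the thread's rc.conf with firewall_enable flipped
# to "YES", which is the conflict the reply describes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#IPF & IPNAT
ipfilter_enable="YES"             # Start ipf firewall
ipfilter_rules="/etc/ipfopen.rules"
ipnat_enable="YES"                # Start ipnat function
#IPFW & NATD
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="NO"
EOF
if firewall_conflict "$SAMPLE"; then
    echo "ok: at most one packet filter enabled"
else
    echo "conflict: disable all but one of them before going further"
fi
rm -f "$SAMPLE"
```

Run it against a real /etc/rc.conf by calling firewall_conflict /etc/rc.conf; a non-zero exit means rc.conf will start more than one packet filter at boot, which is the state the reply says to undo before debugging rules.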





