Date:      Wed, 27 Nov 2002 20:41:18 +0200
From:      Dancho Penev <dpenev@mail.bg>
To:        Phierce <phierce@phierce.com>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: IPFW Help
Message-ID:  <20021127184118.GA240@earth.dpsca.bg>
In-Reply-To: <MBEJIFDOFDEFEJPKKKPKEEDDCDAA.phierce@phierce.com>
References:  <MBEJIFDOFDEFEJPKKKPKEEDDCDAA.phierce@phierce.com>

On Mon, Nov 25, 2002 at 08:57:15PM -0500, Phierce wrote:
>From: "Phierce" <phierce@phierce.com>
>To: <freebsd-questions@FreeBSD.ORG>
>Subject: IPFW Help
>Date: Mon, 25 Nov 2002 20:57:15 -0500
>
>Hello All,
>
>	New to the FreeBSD os, but learning...   having some trouble with IPFW.
>Below is what it looks like. I can sh rc.firewall with no errors, but yet my
>root account is still unable to ping out; I receive permission denied.
>Wondering if anyone could help me out.

How did you run the script? I suppose you forgot the parameter, and in rc.conf
firewall_type is not set.

# sh /etc/rc.firewall custom
or
in /etc/rc.conf
firewall_type="custom"

>
>#
># Suck in the configuration variables.
>if [ -z "${source_rc_confs_defined}" ]; then
>        if [ -r /etc/defaults/rc.conf ]; then
>                . /etc/defaults/rc.conf
>                source_rc_confs
>        elif [ -r /etc/rc.conf ]; then
>                . /etc/rc.conf
>        fi
>fi
>#
>
>if [ -n "${1}" ]; then
>        firewall_type="${1}"
>fi
># Set quiet mode if requested
>#
>case ${firewall_quiet} in
>[Yy][Ee][Ss])
>        fwcmd="/sbin/ipfw -q"
>        ;;
>*)
>        fwcmd="/sbin/ipfw"
>        ;;
>esac
>
>#######################################################
># Flush out the list before we begin.
>#
>${fwcmd} -f flush
>
>case ${firewall_type} in
>[Cc][Uu][Ss][Tt][Oo][Mm])
>        # set these to your network, netmask and ip
>        # (net and mask are not referenced by any rule below)
>        net="192.168.1.0"
>        mask="255.255.255.0"
>        ip="192.168.1.10"
>
># Deny all fragments as bogus packets
>${fwcmd} add 00100 deny log all from any to any frag
>
>#Allow loopback traffic, and drop anything else addressed to 127/8
>#(spoofed loopback arriving on a real interface).
>${fwcmd} add 00200 allow all from any to any via lo0
>${fwcmd} add 00300 deny log ip from any to 127.0.0.0/8
>
>#Allow TCP and UDP to any destination port in 32000-65535, in both
>#directions. Note this exposes every service listening on a high port
>#to the outside; rule 00600 already lets TCP replies back in.
>${fwcmd} add 00400 allow tcp from any to any 32000-65535
>${fwcmd} add 00500 allow udp from any to any 32000-65535
>
>#Allow TCP through if setup succeeded
>${fwcmd} add 00600 allow tcp from any to any established
>
>#Allow access to FTPD
>${fwcmd} add 00700 allow tcp from any to ${ip} 21
>${fwcmd} add 00800 allow tcp from any 20 to any 1024-49151 out
>
>#Allow access to OPENSSH
>${fwcmd} add 00900 allow tcp from any to ${ip} 22
>
>#Allow access to SENDMAIL
>${fwcmd} add 01000 allow tcp from any to any 25
>
>#Allow access to BIND
>${fwcmd} add 01100 allow udp from ${ip} to any
>${fwcmd} add 01200 allow udp from any to ${ip}
>
>
>#Allow access to FINGER
>${fwcmd} add 01300 allow tcp from any to any 79
>
>#Allow access to HTTP
>${fwcmd} add 01400 allow tcp from any to any 80
>
>#Allow access to POP3
>${fwcmd} add 01500 allow tcp from any to any 110
>
>#Allow access to IDENT
>${fwcmd} add 01600 allow tcp from any to any 113
>${fwcmd} add 01700 allow udp from any to any 113
>
>#Allow access to IMAP
>${fwcmd} add 01800 allow tcp from any to any 143
>
>#Allow access to HTTPS
>${fwcmd} add 01900 allow tcp from any to any 443
>
>#Allow biff/comsat (udp 512) and RIP (udp 520).
>#Mail submission is tcp 587, which these rules do not cover.
>${fwcmd} add 02000 allow udp from any to any 512
>${fwcmd} add 02100 allow udp from any to any 520
>
>#Allow access to IRC
>${fwcmd} add 02200 allow tcp from any to any 6667
>${fwcmd} add 02300 allow tcp from any to any 6668
>${fwcmd} add 02400 allow tcp from any to any 6669
>
>#Extended account access
>#Replace USERNAME with a real login name: ipfw resolves the name when the
>#rule is added and rejects an unknown one. Rule 02500 already matches all
>#traffic for that uid, so 02600-02800 never fire.
>${fwcmd} add 02500 allow all from any to any uid USERNAME
>${fwcmd} add 02600 allow icmp from any to any uid USERNAME
>${fwcmd} add 02700 allow tcp from any to any uid USERNAME
>${fwcmd} add 02800 allow icmp from any to any uid USERNAME
>
>#root access non-restrictive (03000 is likewise shadowed by 02900)
>${fwcmd} add 02900 allow all from any to any uid root
>${fwcmd} add 03000 allow icmp from any to any uid root
>
>#lastly we deny everything by default here as well as in the kernel.
>${fwcmd} add 03100 deny log all from any to any
>
>     ;;
>esac
>
>
>Thanks
>
>-Zack
>---
>Outgoing mail is certified Virus Free.
>Checked by AVG anti-virus system (http://www.grisoft.com).
>Version: 6.0.419 / Virus Database: 235 - Release Date: 11/13/2002
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message

-- 
Regards,
D. Penev

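A check for the failure mode Dancho describes, added here as an example and not part of the original thread: when rc.firewall runs with firewall_type unset, only the `ipfw -f flush` executes, so `ipfw list` shows nothing but the kernel's built-in rule 65535, and on a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT that rule denies everything, which is what turns root's ping into "Permission denied". The function below reads `ipfw list` output and tells "only the flush ran" apart from "the set loaded" and "the set loaded but is not closed by a deny". The three listings are constructed samples standing in for real ipfw output, and the name check_ruleset is my own.

```shell
#!/bin/sh
# Added example (not from the thread): classify `ipfw list` output so the
# "firewall_type not set" mistake is visible without reading the script.

# Constructed sample: `ipfw list` after rc.firewall ran with firewall_type
# unset on a kernel without IPFIREWALL_DEFAULT_TO_ACCEPT. Only the implicit
# rule 65535 is left, and it denies everything, including root's ping.
EMPTY_SET='65535 deny ip from any to any'

# Constructed sample: a shortened listing after `sh /etc/rc.firewall custom`.
LOADED_SET='00100 deny log ip from any to any frag
00200 allow ip from any to any via lo0
00300 deny log ip from any to 127.0.0.0/8
00600 allow tcp from any to any established
00900 allow tcp from any to 192.168.1.10 22
02900 allow ip from any to any uid root
03100 deny log ip from any to any
65535 deny ip from any to any'

# Constructed sample: rules loaded, but no explicit catch-all deny, on a
# kernel whose default rule is allow.
OPEN_SET='00200 allow ip from any to any via lo0
00900 allow tcp from any to 192.168.1.10 22
65535 allow ip from any to any'

# check_ruleset: read `ipfw list` output on stdin.
#   returns 0  explicit rules present and the last one is a catch-all deny
#   returns 1  only rule 65535 present: rc.firewall flushed and loaded
#              nothing, i.e. firewall_type was empty or matched no case
#   returns 2  explicit rules present but not closed by a deny, so whatever
#              falls through is decided by the kernel default rule
check_ruleset() {
    explicit=0
    last_explicit=''
    default_action=''
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        num=${line%% *}        # first field: rule number
        rest=${line#* }        # action and body
        action=${rest%% *}
        if [ "$num" = 65535 ]; then
            default_action=$action
        else
            explicit=$((explicit + 1))
            last_explicit=$rest
        fi
    done
    if [ "$default_action" = allow ]; then
        echo 'warning: rule 65535 is allow, unmatched packets pass' >&2
    fi
    if [ "$explicit" -eq 0 ]; then
        echo 'no rules loaded: set firewall_type in rc.conf or pass it to rc.firewall' >&2
        return 1
    fi
    case "$last_explicit" in
        deny*' from any to any') return 0 ;;
    esac
    echo "last rule is not a catch-all deny: $last_explicit" >&2
    return 2
}

# Demonstration on the constructed samples, not on live ipfw state.
for sample in "$EMPTY_SET" "$LOADED_SET" "$OPEN_SET"; do
    printf '%s\n' "$sample" | check_ruleset && echo 'ok' || echo "problem (exit $?)"
done
```

On a live host, paste the function into a root shell and run `/sbin/ipfw list | check_ruleset`; an exit status of 1 right after `sh /etc/rc.firewall` is the symptom of the missing `custom` argument.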
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021127184118.GA240>