From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "gahn", "freebsd general questions" <freebsd-questions@freebsd.org>
Date: Thu, 26 Jan 2006 20:24:33 -0500
Subject: RE: strange problem with ipfw and rc.conf

Your problem is you have rc.conf loading 2 different firewalls at the same time: IPFW, which is compiled into your kernel as firewall, and ipfilter, which you have rc.conf starting. You don't need to compile either one of the firewalls into the kernel to work. You need to read the firewall section of the handbook. It contains a very complete usage description of the 3 firewalls that come with FreeBSD.
I would recommend you use ipfilter as your firewall. IPFW is for the experienced firewall user who has FW requirements needing functions not provided by one of the other FWs delivered with the base FreeBSD install. And since it looks like you have 3 private circuits on your LAN, you will need the NAT function, and nat in ipfilter is so much easier to set up than ipfw when using the keep state function in your rules file. The handbook ipfilter sample rule sets work as is. Just copy and paste into your own rules file and you're pretty much good to go after following the comments.

And another thing, it's not acceptable behavior to cross post to 2 lists with the same question. This question does not belong in freebsd-security@freebsd.org.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of gahn
Sent: Thursday, January 26, 2006 6:35 PM
To: freebsd security; freebsd general questions
Subject: strange problem with ipfw and rc.conf

Hi all:

I have a strange problem with rc.conf. I set up ipfw (compiled into kernel) on freebsd-5.4 and it doesn't seem to load ipfw rulesets (it uses default ruleset 65335 locking out everything).
I have to do "sh /etc/ipfw.rules" in order to load the rulesets; once I did that, I can access the box from remote locations. Here is my rc.conf:

host# more /etc/rc.conf
network_interfaces="lo0 em0 dc0 rl0 plip0"
kern_securelevel="2"
kern_securelevel_enable="YES"
linux_enable="YES"
named_enable="YES"
nisdomainname="NO"
sshd_enable="YES"
usbd_enable="YES"
hostname="sis"
tcp_keepalive="YES"
tcp_extensions="YES"
ifconfig_em0="inet 192.168.128.222/24"
ifconfig_dc0="inet 192.168.1.4/24"
ifconfig_rl0="inet 10.10.75.126/24"
defaultrouter="192.168.128.1"
static_routes="net1 net2"
route_net1="-net 192.168.0.0/22 192.168.1.1"
route_net2="-net 10.10.0.0/16 10.10.128.1"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
mpd_enable="YES"

Also my customized kernel (partial):

options IPFIREWALL                  #firewall
options IPFIREWALL_VERBOSE          #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=10 #limit verbosity
#options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_FORWARD          #packet destination changes
options IPFIREWALL_FORWARD_EXTENDED #all packet dest changes
options IPDIVERT                    #divert sockets

TIA
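As an added example (not part of the thread), a small POSIX shell lint that reads an rc.conf like the one quoted above and reports the two things a reviewer would check: ipfilter and ipfw settings both present (the reply's diagnosis), and a firewall_script set without firewall_enable="YES", which rc.d/ipfw requires before it will run the script at all. The sample rc.conf fragment is constructed from the lines quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: lint an rc.conf for firewall settings
# that conflict or are incomplete. Variable names are the ones read by
# FreeBSD's rc.d/ipfw and rc.d/ipfilter; function names are my own.

# rc_get FILE VAR: print the value of VAR="..." (last assignment wins, as in sh).
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_firewall_conf FILE: print one finding per line; return 0 if clean, 1 otherwise.
check_firewall_conf() {
    f=$1
    bad=0
    fw_enable=$(rc_get "$f" firewall_enable)
    fw_script=$(rc_get "$f" firewall_script)
    ipf_enable=$(rc_get "$f" ipfilter_enable)

    # Two packet filters configured at once: the situation the reply describes.
    if [ "$ipf_enable" = "YES" ] && { [ "$fw_enable" = "YES" ] || [ -n "$fw_script" ]; }; then
        echo "CONFLICT: ipfilter_enable=YES alongside ipfw settings (firewall_enable/firewall_script)"
        bad=1
    fi
    # ipfw configured but never enabled: rc.d/ipfw only runs firewall_script when
    # firewall_enable="YES", so the kernel's default deny rule stays in place.
    if [ -n "$fw_script" ] && [ "$fw_enable" != "YES" ]; then
        echo "INCOMPLETE: firewall_script=$fw_script set but firewall_enable is not YES"
        bad=1
    fi
    return $bad
}

# write_sample FILE: constructed rc.conf fragment modelled on the one quoted above.
write_sample() {
    cat > "$1" <<'EOF'
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
EOF
}

# Usage: sh this_script.sh /etc/rc.conf
if [ $# -gt 0 ]; then
    check_firewall_conf "$1"
fi
```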