Date: Wed, 5 Mar 2003 17:26:03 -0500
From: Jeff Walters <jeff@walters.name>
To: "Brian Henning" <b1henning@hotmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: firewall revisited
Message-ID: <200303051726.03515.jeff@walters.name>
In-Reply-To: <OE40IkLeoOWGMhLPBLY0001f008@hotmail.com>
References: <OE14i67EKRuYDlrjbud000010a0@hotmail.com> <200303051114.25796.jeff@walters.name> <OE40IkLeoOWGMhLPBLY0001f008@hotmail.com>
On Wednesday 05 March 2003 02:48 pm, Brian Henning wrote:
> Jeff,
>
> you must have your firewall_type set to the default then in rc.conf or
> /etc/defaults/rc.conf. does your setup not run the standard rc.firewall file
> in /etc?
>
> does this rule allow any access to the outside network?
> ipfw add 00100 allow tcp from any to any via ed0 established
>
> thanks,
>
> brian

I don't set firewall_type in rc.conf (i.e. leaving it at the default), because it would be ignored. When you change firewall_script in /etc/rc.conf, /etc/rc.firewall will no longer run at boot automatically.

The ipfw rule above allows all packets for established connections to pass the firewall. This is determined only by the flags in each inbound packet, not because of any memory of the state of connections. You would also need rules dealing with the setup packets to allow the TCP connections to be created. It's in the ipfw man page and probably the FreeBSD Handbook also with better examples, but a quick additional rule to allow you to get out on ed0 with any possible TCP connection would be:

ipfw add 00200 allow tcp from any to any out xmit ed0 setup

Jeff

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
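Added example, not part of Jeff's message or of ipfw itself: a small Python model of how the two rules above match on TCP header flags alone. It assumes ipfw's documented semantics (`established` = RST or ACK set; `setup` = SYN set and ACK clear; `via ed0` = either direction on ed0; `out xmit ed0` = outbound on ed0) and an implicit deny for anything neither rule matches; the packets are constructed for the demonstration.

```python
# TCP header flag bits (RFC 793 layout of the flags byte).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def is_established(flags):
    """ipfw 'established': matches when RST or ACK is set."""
    return bool(flags & (RST | ACK))

def is_setup(flags):
    """ipfw 'setup': matches when SYN is set and ACK is clear."""
    return bool(flags & SYN) and not (flags & ACK)

def rule_00100(pkt):
    """allow tcp from any to any via ed0 established (either direction)."""
    return pkt["iface"] == "ed0" and is_established(pkt["flags"])

def rule_00200(pkt):
    """allow tcp from any to any out xmit ed0 setup (outbound only)."""
    return (pkt["iface"] == "ed0" and pkt["dir"] == "out"
            and is_setup(pkt["flags"]))

def evaluate(pkt):
    """Return the number of the first rule that passes the packet,
    or None if nothing matches (ipfw's implicit deny at the end)."""
    for number, rule in ((100, rule_00100), (200, rule_00200)):
        if rule(pkt):
            return number
    return None

# Constructed packets: a normal outbound handshake on ed0, followed by two
# unsolicited inbound segments that test the limits of a flag-only ruleset.
PACKETS = [
    {"name": "client SYN",         "dir": "out", "iface": "ed0", "flags": SYN},
    {"name": "server SYN/ACK",     "dir": "in",  "iface": "ed0", "flags": SYN | ACK},
    {"name": "client ACK",         "dir": "out", "iface": "ed0", "flags": ACK},
    {"name": "inbound SYN",        "dir": "in",  "iface": "ed0", "flags": SYN},
    {"name": "inbound ACK, no handshake", "dir": "in", "iface": "ed0", "flags": ACK},
]

def classify_all(packets=PACKETS):
    """Map each packet name to the rule that passed it (None = dropped)."""
    return {p["name"]: evaluate(p) for p in packets}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:30s} -> {'deny' if verdict is None else f'rule {verdict:05d}'}")
```

The last packet is the point of the message: an inbound segment with ACK set is passed by rule 00100 whether or not a handshake ever happened, because the rule only inspects flags. ipfw's `keep-state`/`check-state` rules, introduced later, remember connections and are what you would use today to close that gap.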