Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 20 Nov 2003 16:19:09 -0800
From:      Chip <chip@wiegand.org>
To:        Alex de Kruijff <freebsd@akruijff.dds.nl>
Cc:        FreeBSD Questions List <questions@freebsd.org>
Subject:   Re: firewall rules do not get read
Message-ID:  <3FBD59FD.2020604@wiegand.org>
In-Reply-To: <20031120140340.GA505@dds.nl>
References:  <3FBC535A.6020904@wiegand.org> <20031120140340.GA505@dds.nl>

next in thread | previous in thread | raw e-mail | index | archive | help


Alex de Kruijff wrote:

> On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
> 
>>I noticed my firewall rules are not being read. I have rc.conf set to 
>>read the file rc.firewall. In rc.firewall the first line is add divert 
>>natd etc etc. that is followed by pass all from any to any etc etc. Then 
>>nothing after that is read, it is all ignored.
>>If I comment out the line pass all from any to any then nothing works to 
>>access the internet.
>>I don't know what to do to make it read past those first two lines.
>>Any suggestions?
> 
> 
> Can you give me the output of 'ipfw s'. If that one doesn't work then
> try 'ipfw l'?

No problem, below are the results of the two commands. Question - do I 
have to use rc.firewall? Or is it just a generic ruleset that can be 
replaced by a custom ruleset, as I have done (called firewall.rules 
pasted in below)?
--
Chip

here is ipfw s results -

00100 1571924 1218317046 divert 8668 ip from any to any via xl1
00200 3144909 2436915536 allow ip from any to any
00300       0          0 divert 8668 ip from any to any via xl1
00400       0          0 allow ip from any to any
00500       0          0 divert 8668 ip from any to any via xl1
65535       0          0 deny ip from any to any

and here is ipfw l results -

00100 divert 8668 ip from any to any via xl1
00200 allow ip from any to any
00300 divert 8668 ip from any to any via xl1
00400 allow ip from any to any
00500 divert 8668 ip from any to any via xl1
65535 deny ip from any to any

And just as a refresher here is the ruleset firewall.rules for anyone 
else looking in on this thread -

#!/bin/sh
# Define your variables
fwcmd="/sbin/ipfw"	# leave as is if using ipfw
oif="xl1"		# set to outside interface name (for DSL pppoe0 in 10.0.x,
			# set following line to outside ip address
oip="66.114.152.128"
onwr="66.114.152.128/8"		#set to outside network range
iif="xl0"		#set to internal interface name
inwr="192.168.1.0/16"	#set to internal network range
iip="192.168.1.10"	#set to internal ip address

# Rules with descriptions
#       Basic rules: there is no need to modify anything in this first 
section.
#       This is the bare minimum to block simple spoofing.

#	Force a flush of the current firewall rules before we reload
	$fwcmd -f flush
#	Allow your loop back to work
	$fwcmd add allow all from any to any via lo0
#	Prevent spoofing of your loopback
	$fwcmd add deny log all from any to 127.0.0.0/8
#
#	Stop spoofing of your internal network range
	$fwcmd add deny log ip from $inwr to any in via $oif

#	Stop spoofing from inside your private ip range
	$fwcmd add deny log ip from not $inwr to any in via $iif

#	Stop private networks (RFC1918) from entering the outside interface.
	$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
	$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
	$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
	$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
	$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
	$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

# 	Stop draft-manning-dsua-01.txt nets on the outside interface
	$fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
	$fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
	$fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
	$fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
	$fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
	$fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
	$fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
	$fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
	$fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
	$fwcmd add deny log all from any to 240.0.0.0/4 in via $oif

# 	If you use NATD (for your 192.168.1.0 interface for instance)
# 	you must uncomment the following.  If you don't or if you don't know,
#       make sure next rule (divert) is commented.
#	Divert all packets through natd
	$fwcmd add divert natd all from any to any via $oif

#	Allow all established connections to persist (setup required
#	for new connections).
	$fwcmd add allow tcp from any to any established

#	Allow incoming requests to reach the various services.
#	To allow multiple services you may list them separated
#	by a coma, for example ...to $oip 22,25,110,80 setup
#	If you have an internal interface (e.g. if you do not run NATd)
#	uncomment the second line to enable AppleTalk on it.
	$fwcmd add allow tcp from any to $oip 
22,25,110,80,6881,6882,6883,6884,6885,6885,6886,6887,6889 setup

#	Allow icmp packets for diagnostic purposes (ping traceroute)
#	you may wish to leave commented out.
	$fwcmd add allow icmp from any to any

#	Allow required ICMP
	$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#	Politely and quickly rejects AUTH requests (e.g. email and ftp)
	$fwcmd add reset tcp from any to $oip 113

#	Checks packets against dynamic rule set below.
	$fwcmd add check-state

#	Allow any traffic from firewall ip to any going out the
#	external interface
	$fwcmd add allow ip from $oip to any keep-state out via $oif

#	Allow any traffic from local network to any passing through the
#	internal interface
	$fwcmd add allow ip from $inwr to any keep-state via $iif

#	Deny everything else
	$fwcmd add 65435 deny log ip from any to any




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3FBD59FD.2020604>