From owner-freebsd-questions@FreeBSD.ORG Thu Nov 20 16:22:08 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A4D716A4CE for ; Thu, 20 Nov 2003 16:22:08 -0800 (PST) Received: from pioneernet.net (mail.pioneernet.net [207.115.64.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC7AA43FF7 for ; Thu, 20 Nov 2003 16:22:04 -0800 (PST) (envelope-from chip@wiegand.org) Received: from wiegand.org [66.114.152.128] by pioneernet.net with ESMTP (SMTPD32-6.06) id AAC093500AC; Thu, 20 Nov 2003 16:22:24 -0800 Message-ID: <3FBD59FD.2020604@wiegand.org> Date: Thu, 20 Nov 2003 16:19:09 -0800 From: Chip User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Alex de Kruijff References: <3FBC535A.6020904@wiegand.org> <20031120140340.GA505@dds.nl> In-Reply-To: <20031120140340.GA505@dds.nl> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: FreeBSD Questions List Subject: Re: firewall rules do not get read X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Nov 2003 00:22:08 -0000 Alex de Kruijff wrote: > On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote: > >>I noticed my firewall rules are not being read. I have rc.conf set to >>read the file rc.firewall. In rc.firewall the first line is add divert >>natd etc etc. that is followed by pass all from any to any etc etc. Then >>nothing after that is read, it is all ignored. >>If I comment out the line pass all from any to any then nothing works to >>access the internet. >>I don't know what to do to make it read past those first two lines. >>Any suggestions? > > > Can you give me the output of 'ipfw s'. If that one doesn't work then > try 'ipfw l'? No problem, below are the results of the two commands. Question - do I have to use rc.firewall? Or is it just a generic ruleset that can be replaced by a custom ruleset, as I have done (called firewall.rules pasted in below)? -- Chip here is ipfw s results - 00100 1571924 1218317046 divert 8668 ip from any to any via xl1 00200 3144909 2436915536 allow ip from any to any 00300 0 0 divert 8668 ip from any to any via xl1 00400 0 0 allow ip from any to any 00500 0 0 divert 8668 ip from any to any via xl1 65535 0 0 deny ip from any to any and here is ipfw l results - 00100 divert 8668 ip from any to any via xl1 00200 allow ip from any to any 00300 divert 8668 ip from any to any via xl1 00400 allow ip from any to any 00500 divert 8668 ip from any to any via xl1 65535 deny ip from any to any And just as a refresher here is the ruleset firewall.rules for anyone else looking in on this thread - #!/bin/sh # Define your variables fwcmd="/sbin/ipfw" # leave as is if using ipfw oif="xl1" # set to outside interface name (for DSL pppoe0 in 10.0.x, # set following line to outside ip address oip="66.114.152.128" onwr="66.114.152.128/8" #set to outside network range iif="xl0" #set to internal interface name inwr="192.168.1.0/16" #set to internal network range iip="192.168.1.10" #set to internal ip address # Rules with descriptions # Basic rules: there is no need to modify anything in this first section. # This is the bare minimum to block simple spoofing. # Force a flush of the current firewall rules before we reload $fwcmd -f flush # Allow your loop back to work $fwcmd add allow all from any to any via lo0 # Prevent spoofing of your loopback $fwcmd add deny log all from any to 127.0.0.0/8 # # Stop spoofing of your internal network range $fwcmd add deny log ip from $inwr to any in via $oif # Stop spoofing from inside your private ip range $fwcmd add deny log ip from not $inwr to any in via $iif # Stop private networks (RFC1918) from entering the outside interface. $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif # Stop draft-manning-dsua-01.txt nets on the outside interface $fwcmd add deny log all from 0.0.0.0/8 to any in via $oif $fwcmd add deny log all from 169.254.0.0/16 to any in via $oif $fwcmd add deny log all from 192.0.2.0/24 to any in via $oif $fwcmd add deny log all from 224.0.0.0/4 to any in via $oif $fwcmd add deny log all from 240.0.0.0/4 to any in via $oif $fwcmd add deny log all from any to 0.0.0.0/8 in via $oif $fwcmd add deny log all from any to 169.254.0.0/16 in via $oif $fwcmd add deny log all from any to 192.0.2.0/24 in via $oif $fwcmd add deny log all from any to 224.0.0.0/4 in via $oif $fwcmd add deny log all from any to 240.0.0.0/4 in via $oif # If you use NATD (for your 192.168.1.0 interface for instance) # you must uncomment the following. If you don't or if you don't know, # make sure next rule (divert) is commented. # Divert all packets through natd $fwcmd add divert natd all from any to any via $oif # Allow all established connections to persist (setup required # for new connections). $fwcmd add allow tcp from any to any established # Allow incoming requests to reach the various services. # To allow multiple services you may list them separated # by a coma, for example ...to $oip 22,25,110,80 setup # If you have an internal interface (e.g. if you do not run NATd) # uncomment the second line to enable AppleTalk on it. $fwcmd add allow tcp from any to $oip 22,25,110,80,6881,6882,6883,6884,6885,6885,6886,6887,6889 setup # Allow icmp packets for diagnostic purposes (ping traceroute) # you may wish to leave commented out. $fwcmd add allow icmp from any to any # Allow required ICMP $fwcmd add allow icmp from any to any icmptypes 3,4,11,12 # Politely and quickly rejects AUTH requests (e.g. email and ftp) $fwcmd add reset tcp from any to $oip 113 # Checks packets against dynamic rule set below. $fwcmd add check-state # Allow any traffic from firewall ip to any going out the # external interface $fwcmd add allow ip from $oip to any keep-state out via $oif # Allow any traffic from local network to any passing through the # internal interface $fwcmd add allow ip from $inwr to any keep-state via $iif # Deny everything else $fwcmd add 65435 deny log ip from any to any