From: Steve Bertrand
Date: Fri, 31 Jan 2003 11:56:02 -0500
To: Jason Morgan
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW2 setup

What part is not working? Can you NAT through? Perhaps you could add some
logging to see which packets are failing and why.

Do you have the following in the kernel?

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT

Let us know.

Steve

Jason Morgan wrote:
> OK, I've read the man page for IPFW a couple times and I am still having
> difficulty setting up a working firewall. The firewall acts as a gateway
> to my inside network as well as a web server and mail server. I also
> need ssh connectivity from inside and out.
> Also, one odd thing is that I have a Zyxel Prestige 643 acting as an
> additional router between me and my DSL connection (I couldn't figure
> out how to get the router in pure bridging mode). It comes in handy,
> though, as it has a 4-port switch built in and can also act as a
> firewall and does the PPPoE easy enough.
>
> NICs:
> xl0 as 192.168.1.101 (to Zyxel and outside)
> dc0 as 10.0.0.1 (inside)
>
> Current IPFW config:
>
> ---------------------------------------------------------
>
> # Basics
> add 00010 pass all from any to any via lo0
> add 00020 deny all from any to 127.0.0.0/8
> add 00030 deny ip from 127.0.0.0/8 to any
> add 00040 deny ip from any to any frag
>
> # Spoofing Check
> add 00050 deny all from 10.0.0.0/8 to any in via xl0
> add 00060 deny all from 172.16.0.0/12 to any in via xl0
>
> add 00080 allow all from 192.168.1.1 to any in via xl0
> add 00085 deny all from 192.168.0.0/16 to any in via xl0
>
> # Divert
> add 00100 divert natd all from any to any via xl0
>
> # Allowances
> add 00200 allow all from any to any in via dc0
>
> # Check state of dynamic rules
> add 00220 check-state
>
> # UDP
> add 00300 allow udp from any to any out setup
> add 00310 deny udp from any to any established
> add 00320 allow udp from any to any 53 in via xl0 setup keep-state
>
> # TCP
> add 00400 allow tcp from any to any out setup keep-state
> add 00410 deny tcp from any to any established
> add 00420 allow tcp from any to any 22,25,80 in setup keep-state
>
>
> add 32000 allow all from any to any
>
> ------------------------------------------------------------
>
> Could anyone offer some advice?
>
> Regards,
>
> Jason

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
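As an added example (not part of the thread), a small POSIX shell helper that applies Steve's logging suggestion to a constructed excerpt of the ruleset Jason quoted: it adds `log` to every deny rule so dropped packets are recorded (with IPFIREWALL_VERBOSE in the kernel), and it flags udp rules that carry `setup` or `established`, which ipfw(8) defines as TCP-only matches and so never fire for udp.

```shell
#!/bin/sh
# Constructed excerpt of the ruleset quoted in the thread (not the full list).
RULES='add 00040 deny ip from any to any frag
add 00050 deny all from 10.0.0.0/8 to any in via xl0
add 00300 allow udp from any to any out setup
add 00310 deny udp from any to any established
add 00320 allow udp from any to any 53 in via xl0 setup keep-state
add 00400 allow tcp from any to any out setup keep-state
add 00420 allow tcp from any to any 22,25,80 in setup keep-state
add 32000 allow all from any to any'

# add_logging: print the ruleset with "log" inserted after every "deny"
# action that lacks it. Each drop then appears in /var/log/security, which
# shows which packets are failing and at which rule.
add_logging() {
    printf '%s\n' "$1" | awk '
        $3 == "deny" && $4 != "log" { $3 = "deny log" }
        { print }'
}

# lint_rules: report udp rules that use setup or established. In ipfw(8)
# both keywords test TCP flags, so a udp rule carrying them matches nothing
# and the traffic falls through to later rules (here, 32000 allow all).
lint_rules() {
    printf '%s\n' "$1" | awk '
        $4 == "udp" {
            for (i = 5; i <= NF; i++)
                if ($i == "setup" || $i == "established")
                    print "rule " $2 ": " $i " is TCP-only, never matches udp"
        }'
}

add_logging "$RULES"
lint_rules "$RULES"
```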