Date:      Thu, 18 Sep 2003 14:40:12 -0400
From:      "Bob Hall" <rjhjr@cox.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: firewall
Message-ID:  <20030918184011.GA17330@kongemord.krig.net>
In-Reply-To: <20030918085430.7bdbefa7.y2kbug@ms25.hinet.net>
References:  <20030917172325.5e2f64a9.y2kbug@ms25.hinet.net> <20030917182921.GA12360@kongemord.krig.net> <20030918085430.7bdbefa7.y2kbug@ms25.hinet.net>

On Thu, Sep 18, 2003 at 08:54:30AM +0800, Robert Storey wrote:
> On Wed, 17 Sep 2003 14:29:22 -0400
> "Bob Hall" <rjhjr@cox.net> wrote:
> 
> Apologies humbly offered. Apparently, I'm getting confused by reading

My fault. I'm too impatient.

> the tons of documentation I've been looking at. For now, option No. 1
> will do - I just want to get kernel ppp working with a firewall enabled.
> So far, I've gotten ppp working, but only with the firewall disabled.

Good. Use that as a starting point. Revert back to the configuration 
that worked, and we'll add a firewall.

With option 1, your box is not a gateway. However, if you use the box 
as a gateway later, you will need NAT. If you are using pppd, you'll 
need to implement NAT in the firewall. In that case, you'll need the 
IPFIREWALL and IPDIVERT options. If you have already recompiled with 
them, don't change that. They won't hurt you now and you'll need them 
later. 
 
> > You also need 
> > 	options         IPFIREWALL
> > for any of the three options.
> 
> Now that's interesting. I did indeed read that in "FreeBSD Unleashed",
> but "The Complete FreeBSD" says "If you wish you can build a kernel with
> firewall support...but you don't need to build a new kernel. You can
> load the KLD /boot/kernel/ipfw.ko instead: #kldload ipfw"
> So I tried that, and it told me it was already loaded.

What did "kldstat" return?

Lehey can do lots of things with FBSD that I don't know how to do.
I've never tried loading IPFW as a dynamic module. I've seen posts 
from people who've tried it and had problems. Your mileage will vary. 
My belief is that you connect to the internet often enough that you 
don't gain anything by using a dynamic module. You might as well load 
IPFW at bootup.
 
> OK, that part I knew, but what setting should I use? Just leave it
> blank? When I try "ifconfig -a" it always gives me an address in the
> format 168.95.xx.xx where x can be any number. 

Start with the "OPEN" firewall. If there are no firewall rules, the 
rules can't cause problems. Once you know that the firewall is working, 
you can switch to client or simple. If you have a problem at that point, 
you've isolated the problem to your ruleset.

Before using an open firewall, make sure that /etc/hosts.allow is 
configured to allow only localhost and machines on your LAN to 
establish connections. Anything external to your LAN should be 
blocked, at least until your firewall is no longer "OPEN".
	ALL : localhost 127.0.0.1 : allow
	ALL : box1.lan.net 192.168.0.1 : allow
	... 
	portmap : 192.168.0.0/255.255.255.250 : allow
	ALL : ALL : deny
or something similar.

> Again, thank you for your help. Sorry for my stupidity, but I am

As a beginner, you have no right to claim stupidity. You are only 
entitled to vague feelings of incompetence. It will take a couple 
of years of having the computer constantly make you look like a fool 
to develop and sharpen those feelings into true stupidity. 

Until then, use the force.

> probably the only FreeBSD user within 100 miles of where I live - no one
> around here who I can ask.

I don't personally know any FBSD users, other than myself. My geek 
friends are into Linux. 

Bob Hall
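The hosts.allow ruleset in the mail relies on the matching semantics of hosts_access(5): rules are tried top to bottom, the first one whose daemon list and client list both match decides, and if nothing matches access is granted, so the trailing `ALL : ALL : deny` is what makes the file a default-deny stopgap. Below is an added example, not from the mail and not FreeBSD's own code, that models those semantics in Python so the ruleset can be checked against candidate connections offline. It handles the explicit allow/deny form used in the mail, the `n.n.n.n/m.m.m.m` net/mask form (matched with a bitwise AND, as the manual page describes, so the mask is taken exactly as written), and hostname patterns via a small constructed reverse-lookup table standing in for DNS. The hostnames `box2.lan.net` and the addresses `192.168.0.2`, `192.168.0.4` and `168.95.1.2` are constructed test inputs; `box1.lan.net` is the name from the mail. Keep in mind that tcp wrappers only govern services that consult them (inetd-started services and daemons linked with libwrap), which is why the mail treats hosts.allow as a precaution until the packet filter is no longer OPEN.

```python
"""Evaluate hosts_access(5)-style rules (the /etc/hosts.allow format).

Added example, not from the original mail. It models the subset of the
syntax used there: 'daemon_list : client_list : allow|deny', first match
decides. Reverse DNS is simulated with a constructed table so it runs
offline.
"""
import ipaddress

# Constructed ruleset following the shape of the rules in the mail.
HOSTS_ALLOW = """\
# comments and blank lines are ignored, as in hosts_access(5)
ALL : localhost 127.0.0.1 : allow
ALL : box1.lan.net 192.168.0.1 : allow
portmap : 192.168.0.0/255.255.255.250 : allow
ALL : ALL : deny
"""

# Simulated reverse lookup (constructed): connecting address -> hostname.
REVERSE_DNS = {
    "127.0.0.1": "localhost",
    "192.168.0.1": "box1.lan.net",
    "192.168.0.2": "box2.lan.net",
}


def ip_to_int(addr):
    """Dotted-quad IPv4 string to integer, so masks can be applied bitwise."""
    return int(ipaddress.IPv4Address(addr))


def client_matches(pattern, addr):
    """Return True if one client pattern matches the connecting address."""
    host = REVERSE_DNS.get(addr, "")
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # LOCAL matches any host whose name contains no dot
        return host != "" and "." not in host
    if "/" in pattern:
        # net/mask form: (addr & mask) == net, a plain bitwise AND
        net, mask = pattern.split("/", 1)
        return ip_to_int(addr) & ip_to_int(mask) == ip_to_int(net)
    if pattern.startswith("."):
        # leading dot: hostname suffix match
        return host.endswith(pattern)
    if pattern.endswith("."):
        # trailing dot: address prefix match
        return addr.startswith(pattern)
    return pattern == addr or pattern == host


def daemon_matches(pattern, daemon):
    """Daemon list entries are either ALL or an exact process name."""
    return pattern == "ALL" or pattern == daemon


def parse_rules(text):
    """Parse hosts.allow text into (daemons, clients, action) triples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError(f"unsupported or malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, fields[2].lower()))
    return rules


def decide(rules, daemon, addr):
    """Return 'allow' or 'deny' for a connection to daemon from addr.

    The first rule whose daemon list and client list both match decides.
    If no rule matches, hosts_access(5) grants access, which is why the
    trailing 'ALL : ALL : deny' in the ruleset is essential.
    """
    for daemons, clients, action in rules:
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, addr) for c in clients):
            return action
    return "allow"


RULES = parse_rules(HOSTS_ALLOW)

if __name__ == "__main__":
    # constructed connections: LAN hosts, portmap clients, one external address
    for daemon, addr in [("sshd", "127.0.0.1"), ("sshd", "192.168.0.1"),
                         ("portmap", "192.168.0.4"), ("portmap", "192.168.0.2"),
                         ("sshd", "168.95.1.2")]:
        print(f"{daemon:8s} from {addr:12s} -> {decide(RULES, daemon, addr)}")
```

Running it shows the properties worth knowing before relying on the file: localhost and the named LAN box are allowed for every daemon, the portmap rule only matches addresses whose bitwise AND with the written mask equals 192.168.0.0, anything else (including an address in the 168.95.x.x range the mail mentions) falls through to the final deny, and a ruleset without that final line lets unmatched connections through.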
