Date: Fri, 23 Jun 2000 23:28:43 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Joel Eusebio <joel@tilapia.pang.pworld.net.ph>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw
Message-ID: <20000623232843.A215@dialin-client.earthlink.net>
In-Reply-To: <Pine.LNX.3.95.1000624044604.6469A-100000@tilapia.pang.pworld.net.ph>; from joel@tilapia.pang.pworld.net.ph on Sat, Jun 24, 2000 at 04:54:51AM +0000
References: <Pine.LNX.3.95.1000624044604.6469A-100000@tilapia.pang.pworld.net.ph>

On Sat, Jun 24, 2000 at 04:54:51AM +0000, Joel Eusebio wrote:
> I still can't make ipfw work on my 4-0 box. I tried to recompile my
> kernel but still I see errors when I run ipfw manually. I still get ipfw:
> setsockopt (IP_FW_ADD) protocol not available errors. Do I have to include
> additional lines in /conf/GENERIC before I recompile??? If so what lines
> do I have to add??? I really need help

In ipfw(4):

  Kernel Options
     Options in the kernel configuration file:

     options IPFIREWALL                 enable ipfirewall
     options IPFIREWALL_VERBOSE         enable firewall output
     options IPFIREWALL_VERBOSE_LIMIT   limit firewall output
     options IPDIVERT                   enable divert(4) sockets

In ipfw(8):

     fwd ipaddr[,port]
             Change the next-hop on matching packets to ipaddr, which
             can be an IP address in dotted quad or a host name.
     . . .
             The kernel must have been compiled with the
             IPFIREWALL_FORWARD option.

In /usr/src/sys/i386/conf/LINT,

# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything. Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines. However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you. Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl). This can be useful to hide firewalls
# from traceroute and similar tools.
#
# TCPDEBUG is undocumented.
#
options         TCP_COMPAT_42           #emulate 4.2BSD TCP bugs
options         MROUTING                # Multicast routing
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #print information about
                                        # dropped packets
options         IPFIREWALL_FORWARD      #enable transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPV6FIREWALL            #firewall for IPv6
options         IPV6FIREWALL_VERBOSE
options         IPV6FIREWALL_VERBOSE_LIMIT=100
options         IPV6FIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT                #divert sockets

-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
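
The kernel options quoted in the reply above can be checked against a kernel configuration file before recompiling. The script below is an added example, not part of the original message or of FreeBSD; the function names, finding strings and sample config are constructed for illustration, and it assumes one unquoted `options NAME` entry per line.

```shell
#!/bin/sh
# Added example: audit a kernel config file for the ipfw options quoted in the
# reply. Function names and finding strings are hypothetical, not FreeBSD's.

# has_option FILE NAME: true if FILE has an uncommented "options NAME[=value]".
# Assumes one unquoted option per line, as in the LINT excerpt.
has_option() {
    sed 's/#.*//' "$1" |
        grep -Eq "^[[:space:]]*options[[:space:]]+$2(=[^[:space:]]*)?[[:space:]]*\$"
}

# audit_ipfw_config FILE: print one finding per line.
audit_ipfw_config() {
    conf=$1
    if ! has_option "$conf" IPFIREWALL; then
        echo "MISSING IPFIREWALL: no 'options IPFIREWALL' line in this config"
        return 0
    fi
    echo "OK IPFIREWALL"
    if has_option "$conf" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "WARN IPFIREWALL_DEFAULT_TO_ACCEPT: default rule allows everything"
    else
        echo "NOTE default-deny: add rules at startup (firewall_type=open while testing) or be locked out"
    fi
    has_option "$conf" IPFIREWALL_VERBOSE ||
        echo "NOTE no IPFIREWALL_VERBOSE: logged packets do not reach the system logger"
    has_option "$conf" IPFIREWALL_FORWARD ||
        echo "NOTE no IPFIREWALL_FORWARD: 'fwd' rules need this option"
    has_option "$conf" IPDIVERT ||
        echo "NOTE no IPDIVERT: no divert sockets for 'ipfw divert'"
    return 0
}

# Constructed sample config (not from the thread): default-deny, no forwarding.
sample_config() {
    cat <<'EOF'
machine   i386
ident     DEMO
options   INET                          #InterNETworking
options   IPFIREWALL                    #firewall
options   IPFIREWALL_VERBOSE            #print information about dropped packets
options   IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
#options  IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
options   IPDIVERT                      #divert sockets
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_ipfw_config "$tmp"
rm -f "$tmp"
```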