Date: Fri, 21 Nov 2003 17:49:44 -0600
From: "Micheal Patterson" <micheal@tsgincorporated.com>
To: "Alex de Kruijff" <freebsd@akruijff.dds.nl>, "Chip" <chip@wiegand.org>
Cc: FreeBSD Questions List <questions@freebsd.org>
Subject: Re: firewall rules do not get read
Message-ID: <04ec01c3b08b$1ceaabb0$0201a8c0@dredster>
References: <3FBC535A.6020904@wiegand.org> <20031120140340.GA505@dds.nl> <3FBD59FD.2020604@wiegand.org> <20031121192449.GB2898@dds.nl>
----- Original Message -----
From: "Alex de Kruijff" <freebsd@akruijff.dds.nl>
To: "Chip" <chip@wiegand.org>
Cc: "FreeBSD Questions List" <questions@freebsd.org>
Sent: Friday, November 21, 2003 1:24 PM
Subject: Re: firewall rules do not get read

> On Thu, Nov 20, 2003 at 04:19:09PM -0800, Chip wrote:
> >
> > Alex de Kruijff wrote:
> >
> > > On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
> > >
> > > > I noticed my firewall rules are not being read. I have rc.conf set to
> > > > read the file rc.firewall. In rc.firewall the first line is add divert
> > > > natd etc etc. That is followed by pass all from any to any etc etc. Then
> > > > nothing after that is read, it is all ignored.
> > > > If I comment out the line pass all from any to any then nothing works to
> > > > access the internet.
> > > > I don't know what to do to make it read past those first two lines.
> > > > Any suggestions?
> > >
> > > Can you give me the output of 'ipfw s'? If that one doesn't work then
> > > try 'ipfw l'.
> >
> > No problem, below are the results of the two commands. Question - do I
> > have to use rc.firewall?
>
> No, you can create your own configuration file for ipfw. You need these
> two lines in rc.conf:
>
> firewall_enable="YES"
> firewall_type="/etc/firewall.conf"
>
> The configuration file looks something like:
>
> add divert natd ip from any to any via xl1
> add allow ip from any to any
>
> > Or is it just a generic ruleset that can be
> > replaced by a custom ruleset, as I have done (called firewall.rules
> > pasted in below)?
>
> It's possible to place your own ruleset in the default script, but I would
> advise *not* to do this, because when you update, this file can be
> overridden in the process.

It is also possible to simply create an ipfw.sh script in /usr/local/etc/rc.d and add all of your rules to that script.

ipfw.sh:

    #!/bin/sh
    # flush the current rule set (-f skips the confirmation prompt)
    ipfw -f flush
    # NATD rules here
    ipfw add 3 divert natd all from any to any via xl1
    etc..
I've used both rc.conf and this method but I prefer to number my rule sets so that I can easily tell which one is causing an issue should I inadvertently block traffic that needs to get through. To my knowledge, either method works well, it's just that what I do is generally not mentioned. :)

--
Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600
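The rc.d-script approach from Micheal's reply, carried a little further, as an added example that is not part of the original thread and not either poster's own script. It shows a numbered rule set of the kind Micheal describes, the divert-before-everything ordering Alex's two-line file uses, and a small lint that catches the exact mistake behind Chip's question: an allow/deny rule with a bare "ip from any to any" pattern stops every later rule from ever being evaluated, because ipfw is first-match. The outside interface xl1 comes from the thread; the inside interface xl0 and the later rules of the "broken" set are constructed for the example, and natd is assumed to already be listening on its default divert port.

```shell
#!/bin/sh
# ipfw.sh: a /usr/local/etc/rc.d-style loader for a numbered ipfw rule set.
# Added example for this thread, not a poster's own script.  Assumes the
# outside interface is xl1 (from the thread), the inside interface is xl0
# (constructed), and natd is already running on the default divert port.
#
#   sh ipfw.sh          print the rules that would be loaded
#   sh ipfw.sh check    report rules that can never match
#   sh ipfw.sh apply    flush and load the rules (root, on FreeBSD)

OIF=${OIF:-xl1}             # outside interface, as in the thread
IIF=${IIF:-xl0}             # inside interface (constructed for the example)
IPFW=${IPFW:-/sbin/ipfw}

# The rule set.  Numbers are spaced out so rules can be inserted later, and
# "ipfw show" then gives a packet count per number, which is how you find the
# rule that is eating traffic.  ipfw is first-match, so order is everything:
# the divert rule precedes any rule that looks at addresses so natd sees every
# packet crossing $OIF.  After the divert, an outbound packet from the inside
# network already carries the $OIF address as its source, so the outbound
# allow matches "me" rather than the inside network.
good_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 allow ip from any to any via $IIF
add 1000 divert natd ip from any to any via $OIF
add 2000 allow ip from me to any out via $OIF
add 3000 allow tcp from any to any established in via $OIF
add 3100 allow udp from any 53 to any in via $OIF
add 3200 allow tcp from any to me 22 in via $OIF setup
add 65000 deny log ip from any to any
EOF
}

# Chip's ordering as he described it, with constructed later rules: a
# catch-all pass right after the divert, so rules 300 and 65000 are dead.
broken_rules() {
    cat <<EOF
add 100 divert natd ip from any to any via $OIF
add 200 pass all from any to any
add 300 allow tcp from any to me 22 in via $OIF setup
add 65000 deny log ip from any to any
EOF
}

# Read "add ..." lines on stdin and print one line for every rule that comes
# after an allow/deny rule whose pattern is exactly "ip from any to any" or
# "all from any to any" (no interface, direction or port qualifier).  Prints
# nothing when the set is sound.  Unnumbered rules are reported as such.
shadowed_rules() {
    awk '
        $1 == "add" {
            if ($2 ~ /^[0-9]+$/) { num = $2; a = 3 } else { num = "unnumbered"; a = 2 }
            action = $a
            s = a + 1
            if ($s == "log") s++
            body = ""
            for (i = s; i <= NF; i++) body = body (i > s ? " " : "") $i
            if (catchall != "") {
                print "rule " num " (" action " " body ") is shadowed by rule " catchall
                next
            }
            if ((action == "allow" || action == "pass" || action == "accept" ||
                 action == "deny" || action == "drop" || action == "reject") &&
                (body == "ip from any to any" || body == "all from any to any"))
                catchall = num
        }
    '
}

# Refuse to load a set with dead rules, then flush and add the good set.
apply_rules() {
    if [ -n "$(good_rules | shadowed_rules)" ]; then
        echo "ipfw.sh: refusing to load, rule set has shadowed rules:" >&2
        good_rules | shadowed_rules >&2
        return 1
    fi
    $IPFW -q -f flush
    good_rules | while read -r rule; do
        # $rule is split on purpose: "add 100 allow ..." are separate arguments
        $IPFW -q $rule
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    check) good_rules | shadowed_rules ;;
    *)     good_rules ;;
esac
```

Two caveats on the good set: it is stateless, so rule 3100 accepts any UDP packet that merely claims source port 53, which is what rulesets of this era did and why keep-state later became the norm; and keep-state rules do not combine with a single leading divert this simply, because the dynamic rule would be created against the translated addresses, so that design needs the divert placed differently and is not what the thread discusses.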
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?04ec01c3b08b$1ceaabb0$0201a8c0>