From owner-freebsd-questions Fri Oct 18 10:52:22 2002
Delivered-To: freebsd-questions@freebsd.org
Date: Fri, 18 Oct 2002 11:31:35 -0500
From: mh
Subject: Mac can't connect to Internet
To: freebsd-questions@FreeBSD.org
Message-id: <1034958695.580.28.camel@hammarlund.radio.org>
X-Mailer: Ximian Evolution 1.0.8

I have FreeBSD 4.7-STABLE running as a gateway box, with a Debian box also on the network. The gateway is connected to a Comcast cable modem and is running ipfw as a firewall. Both boxes can see/connect to each other and the Internet.

I added a Powerbook (OS X) to the local network and configured /etc/hosts and /etc/resolv.conf. The PB can ping the other boxes ok, but can't see the Internet. The other boxes can ping the PB ok. Looks like a firewall problem. If I connect the PB to the cable modem directly, the PB connects ok.

It appears that the PB is trying to send UDP packets out on port 67, so I tried to open up the firewall for UDP traffic (not a good idea?) but still can't see outside the local network. Attached is my rc.firewall.
In /etc/rc.conf I have firewall_type="open" and added some rules to the "open" section in rc.firewall. What am I doing wrong?

Thanks.
Michael Heyes

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac
    ;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
#${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
    # Rules added to the stock "open" type, which by itself is only rule 65000.
    # ipfw evaluates first match; a packet is checked once inbound and once
    # outbound, and natd re-injects it at the rule after the divert.
    ${fwcmd} add 300 check-state                                   # match dynamic rules created by keep-state
    ${fwcmd} add 350 allow all from 192.168.0.0/16 to any          # anything sourced from the LAN
    ${fwcmd} add 352 allow ip from any to 192.168.0.0/16           # anything addressed to the LAN (incl. natd'd replies)
    ${fwcmd} add 400 allow tcp from any to any in established      # inbound TCP with ACK or RST set
    ${fwcmd} add 410 pass tcp from any to any keep-state out setup # outbound SYN; creates a dynamic rule
    ${fwcmd} add 420 pass udp from any to any 53 in recv dc0       # UDP to destination port 53 arriving on dc0
    ${fwcmd} add 430 pass udp from any to any out                  # any outbound UDP; no state kept
    ${fwcmd} add 440 pass icmp from any to any icmptypes 3         # destination unreachable
    ${fwcmd} add 450 pass icmp from any to any icmptypes 4         # source quench
    ${fwcmd} add 460 pass icmp from any to any icmptypes 8         # echo request
    ${fwcmd} add 470 pass icmp from any to any in icmptypes 0      # inbound echo reply
    ${fwcmd} add 480 deny ip from any to any                       # everything not matched above is dropped here
    ${fwcmd} add 65000 pass all from any to any                    # never reached: rule 480 matches first
    ;;
esac
# (rest of the file not included in the post)
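The ruleset above is evaluated first match, with natd re-injecting each packet at the rule after the divert. As an added example that is not part of the original post, the script below models that evaluation for the posted "open" rules and traces a few packets through them: a PowerBook TCP connection on its inbound pass, its natd'd outbound pass and the server's reply; the PowerBook's DHCP discover (the UDP-to-port-67 traffic mentioned in the post); and a UDP DNS answer addressed to the gateway itself. The interface names fxp0 and dc0, the public address 198.51.100.7 and the PowerBook address 192.168.1.10 are assumptions, natd is reduced to a source-port table, and only the ipfw options the posted rules use are modelled.

```python
"""Trace the posted ipfw "open" ruleset first-match, natd divert included (added example).
Assumed, not from the post: inside interface fxp0, outside dc0 at 198.51.100.7, the
PowerBook at 192.168.1.10, natd reduced to a source-port table. Only the ipfw options
the posted rules use are modelled, and "recv" is checked on inbound packets only."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "198.51.100.7"                   # constructed address of dc0
INSIDE = ip_network("192.168.0.0/16")
_nat_table = {}                              # (proto, public sport) -> inside host, as natd remembers it

@dataclass(frozen=True)
class Packet:
    proto: str                               # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    direction: str                           # "in" or "out" as ipfw sees it on the gateway
    iface: str                               # interface it enters (in) or leaves (out)
    sport: int = 0
    dport: int = 0
    syn: bool = False                        # SYN without ACK is ipfw's "setup"
    ack: bool = False                        # ACK set is ipfw's "established"
    icmptype: int = -1

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                              # allow | deny | check-state | divert
    proto: str = "all"
    src: str = "any"
    dst: str = "any"
    dport: int = 0                           # 0 means any port
    direction: str = ""
    recv: str = ""                           # recv <iface>
    via: str = ""                            # via <iface>: either direction on <iface>
    established: bool = False
    setup: bool = False
    keep_state: bool = False
    icmptypes: tuple = ()

def _in_net(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def matches(rule, pkt):
    """Static options of one rule against one packet; check-state is handled in trace()."""
    return (rule.proto in ("all", "ip", pkt.proto)
            and _in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)
            and rule.dport in (0, pkt.dport)
            and rule.direction in ("", pkt.direction)
            and (not rule.recv or (pkt.direction == "in" and pkt.iface == rule.recv))
            and (not rule.via or pkt.iface == rule.via)
            and (not rule.established or pkt.ack)
            and (not rule.setup or (pkt.syn and not pkt.ack))
            and (not rule.icmptypes or pkt.icmptype in rule.icmptypes))

def _key(p):  return (p.proto, p.src, p.sport, p.dst, p.dport)
def _rkey(p): return (p.proto, p.dst, p.dport, p.src, p.sport)

def _natd(pkt):
    """What natd does behind the divert rule: rewrite src going out, dst coming back in."""
    if pkt.direction == "out" and ip_address(pkt.src) in INSIDE:
        _nat_table[(pkt.proto, pkt.sport)] = pkt.src
        return replace(pkt, src=PUBLIC_IP)
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP and (pkt.proto, pkt.dport) in _nat_table:
        return replace(pkt, dst=_nat_table[(pkt.proto, pkt.dport)])
    return pkt

def trace(rules, pkt, state):
    """Return (rule number that decided the packet, action, packet as last seen)."""
    for rule in rules:
        if rule.action == "check-state":
            if _key(pkt) in state or _rkey(pkt) in state:
                return rule.num, "allow", pkt
            continue
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":          # natd re-injects at the next rule
            pkt = _natd(pkt)
            continue
        if rule.keep_state:
            state.add(_key(pkt))
        return rule.num, rule.action, pkt
    return 65535, "deny", pkt                # kernel default without IPFIREWALL_DEFAULT_TO_ACCEPT

RULES = [                                    # the "open" section of the posted rc.firewall
    Rule(50, "divert", via="dc0"), Rule(100, "allow", via="lo0"), Rule(200, "deny", dst="127.0.0.0/8"),
    Rule(300, "check-state"), Rule(350, "allow", src="192.168.0.0/16"), Rule(352, "allow", "ip", dst="192.168.0.0/16"),
    Rule(400, "allow", "tcp", direction="in", established=True),
    Rule(410, "allow", "tcp", direction="out", setup=True, keep_state=True),
    Rule(420, "allow", "udp", dport=53, direction="in", recv="dc0"), Rule(430, "allow", "udp", direction="out"),
    Rule(440, "allow", "icmp", icmptypes=(3,)), Rule(450, "allow", "icmp", icmptypes=(4,)),
    Rule(460, "allow", "icmp", icmptypes=(8,)), Rule(470, "allow", "icmp", direction="in", icmptypes=(0,)),
    Rule(480, "deny", "ip"), Rule(65000, "allow"),
]

def pb_web_session():
    """PowerBook SYN arriving on fxp0, its natd'd copy leaving dc0, and the server's SYN/ACK."""
    state = set()
    syn = Packet("tcp", "192.168.1.10", "203.0.113.5", "in", "fxp0", 40000, 80, syn=True)
    hit_in = trace(RULES, syn, state)[0]
    hit_out = trace(RULES, replace(syn, direction="out", iface="dc0"), state)[0]
    synack = Packet("tcp", "203.0.113.5", PUBLIC_IP, "in", "dc0", 80, 40000, syn=True, ack=True)
    hit_reply, _, seen = trace(RULES, synack, state)
    return hit_in, hit_out, hit_reply, seen.dst   # (350, 410, 352, "192.168.1.10")

def denied_at_480():
    """The PowerBook's DHCP discover (UDP to port 67) and a DNS answer to the gateway itself."""
    dhcp = Packet("udp", "0.0.0.0", "255.255.255.255", "in", "fxp0", 68, 67)
    dns = Packet("udp", "203.0.113.53", PUBLIC_IP, "in", "dc0", 53, 51000)
    return trace(RULES, dhcp, set())[0], trace(RULES, dns, set())[0]   # (480, 480)
```

Two things the trace makes visible. First, the dynamic rule created at 410 is keyed on the post-natd public source address, while the reply is translated back at rule 50 before check-state at 300 runs, so in this model replies to NATed hosts are accepted by rule 352 rather than by state. Second, everything that reaches rule 480 is dropped: the UDP broadcast to port 67 arriving on the inside interface, a UDP reply to a query the gateway sent itself (rule 430 keeps no state and 420 only matches destination port 53), and rule 65000 are all behind it.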