From owner-freebsd-stable Tue Aug 21 21:17:53 2001
Delivered-To: freebsd-stable@freebsd.org
From: "Martin Schweizer"
To: "Radoslav Vasilev"
Subject: Re: IPFirewall
Date: Wed, 22 Aug 2001 06:11:21 +0100
Organization: PC-Service M. Schweizer

Hello Radoslav

I'm testing... Thank you.

Regards,
Martin

-- 
PC-Service M. Schweizer
Gewerbehaus Schwarz
CH-8608 Bubikon
Tel: 055 243 30 00
Fax: 055 243 33 22
www.pc-service.ch

----- Original Message -----
From: "Radoslav Vasilev"
To: "Martin Schweizer"
Sent: Sunday, August 19, 2001 9:19 PM
Subject: Re: IPFirewall

> > - rc.conf: Do I need an entry for starting? If yes, which?
>
> From man rc.conf you have:
>
>     firewall_enable
>         (bool) Set to NO if you do not want to have firewall rules
>         loaded at startup, or YES if you do. If set to YES, and
>         the kernel was not built with IPFIREWALL, the ipfw kernel
>         module will be loaded. See also ipfilter_enable.
>
> Whether the kernel was compiled with the IPFIREWALL option or not, setting
> firewall_enable="YES" will do the work.
>
> > - After these steps I can't connect over my ppp dial-up to the Internet.
> > After I set "ipfw add allow all from any to any" it works. Why that?
>
> Well, so you have a default-to-deny firewall.
> Putting allow from any to any is senseless (at least ipfw is supposed to
> filter on some basis).
> Look in /etc/rc.firewall for some starter filter rules. Or you can just
> put (change it later!!!):
>
>     ipfw add XXX allow ip from YOU.IP.HE.RE to any via "ppp*" keep-state
>
> (well, too rude indeed)
>
> > - If I reboot, all my rules are blown away. How can I make them resistant?
>
> Again from the rc.conf manual:
>
>     firewall_script
>         (str) If you want to run a firewall script other than
>         /etc/rc.firewall, set this variable to the full path to
>         that script.
>
> Wondering about the format of the script file? Take a look at
> /etc/rc.firewall. So, you have
>
>     firewall_script="YES"    /* again in the /etc/rc.conf
>
> > - If I want to allow all from my FreeBSD box to outside and deny all from
> > outside to my FreeBSD box, which rule is correct? ("ipfw add allow all from
> > localhost to any" won't work. Why?)
>
> It depends on your network/subnetwork masks & address:
>
>     ipfw add XXX allow ip from mynet/mask to any   (all services for your LAN machines)
>     ipfw add YYY deny ip from not mynet/mask to mynet/mask
>
> After all, just check out man ipfw
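A worked version of the setup discussed in the thread above, added here as an example; it is not code from either poster's mail. It assumes a single FreeBSD host dialled in over a ppp* interface and that the script lives at /usr/local/etc/ipfw.rules (an assumed location); rc.conf(5), as quoted in the reply, says firewall_script takes the full path to such a script, so that path is what goes into /etc/rc.conf alongside firewall_enable="YES". The rules are built as text first so they can be inspected before anything is loaded into the kernel. With check-state/keep-state, replies to the host's own outbound connections are let back in and everything else arriving on the dial-up link is dropped and logged, which is what the original question asked for without the "allow all from any to any" hole.

```shell
#!/bin/sh
# Added example, not from the freebsd-stable thread: a small stateful ipfw
# ruleset for a single FreeBSD host on a ppp dial-up link.
#
# Wiring it into the boot sequence (assumed path for this file):
#   /etc/rc.conf:
#     firewall_enable="YES"
#     firewall_script="/usr/local/etc/ipfw.rules"
# rc.conf(5): firewall_script is the full path to the script that is run
# instead of /etc/rc.firewall.

# External interface. "ppp*" is ipfw's if* wildcard (ppp0, ppp1, ...) and
# must stay quoted so the shell never globs it. Assumption: change this if
# your link is tun0 or similar.
EXT_IF="${EXT_IF:-ppp*}"

# Emit the ruleset as text, one "add ..." command per line, so it can be
# reviewed (or tested) before it touches the kernel.
#   100-300  loopback traffic only on lo0, never on the wire
#   400      match packets against the dynamic (keep-state) table first
#   500      anything this host itself sends out the link opens a state
#   600      anything else coming in on the link is dropped and logged
#   65000    explicit catch-all so the policy does not depend on whether
#            the kernel's rule 65535 was built with IPFIREWALL_DEFAULT_TO_ACCEPT
# "log" only produces syslog output with IPFIREWALL_VERBOSE in the kernel
# or net.inet.ip.fw.verbose=1.
ipfw_rules() {
    ext="$1"
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 check-state
add 500 allow ip from me to any out via $ext keep-state
add 600 deny log ip from any to any in via $ext
add 65000 deny log ip from any to any
EOF
}

# Number of rules the ruleset would install (sanity check).
rule_count() {
    ipfw_rules "$1" | grep -c '^add '
}

# Flush the old rules and load the new ones. set -f disables filename
# globbing so "ppp*" reaches ipfw intact when $rule is word-split
# (-q implies -f, so flush does not ask for confirmation).
apply_rules() {
    ipfw -q flush
    ipfw_rules "$EXT_IF" | while read -r rule; do
        ( set -f; ipfw -q $rule )
    done
}

# Only touch the kernel when ipfw exists and we are root; otherwise just
# show what would be loaded, which is also what happens on a non-FreeBSD
# box used to review the rules.
if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    apply_rules
else
    ipfw_rules "$EXT_IF"
fi
```

The "me" keyword matches any address configured on the host, so the ruleset does not need to be edited each time the dial-up link gets a new address; the LAN case from the last answer (mynet/mask) would replace "me" with the subnet and add a rule allowing traffic between the inside interface and the box.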