From owner-freebsd-questions Mon Feb 7 17:45:47 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from quark.pioneernet.net (pop3.pioneernet.net [208.240.196.25]) by builder.freebsd.org (Postfix) with ESMTP id E5D6A40D3 for ; Mon, 7 Feb 2000 17:45:28 -0800 (PST)
Received: from firewall.homenet (sb26.pioneernet.net [208.194.173.26]) by quark.pioneernet.net with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 1P0MNQ30; Mon, 7 Feb 2000 17:46:14 -0800
From: Chip
To: jan@caustic.org
Subject: RE: rc.firewall problem
Date: Sun, 6 Feb 2000 17:49:21 -0800
X-Mailer: KMail [version 1.0.21]
Content-Type: text/plain
Cc: questions@FreeBSD.ORG
MIME-Version: 1.0
Message-Id: <00020618000900.02763@firewall.homenet>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

The complete rc.firewall file is at the bottom of this message, and, as I mentioned, is almost word-for-word the same as the one in the book The Complete FreeBSD 3.3. I also copied the original message after the firewall file, for any other readers to consider.

Chip W.

>could you please send us your rc.firewall configuration?
>
>that will make this a bit easier to figure out.
>
>-- jan
>
>On Sat, 5 Feb 2000, Chip Wiegand wrote:
>
> > I set up ipfirewall exactly as specified in The
> > complete FreeBSD 3.3 book for the 'simple'
> > firewall profile. First problem was when I
> > I would like to use this to replace a linux
> > firewall and run apache (which is working, btw).
> > Chip W.

+-----/ f. johan beisser /------------------------------+
email: jan[at]caustic.org web: http://www.caustic.org/~jan
"knowledge is power. power corrupts. study hard, be evil."

+++++++++++++++++++++++++++++++++++++++++++++++++++++
=====================================================
rc.firewall -

if [ "${firewall}" = simple" ]; then
    # set these to your outside interface network and netmask and ip
    oif="mx0"
    onet="208.194.173.26"
    omask="255.255.255.128"
    oip="208.194.173.26"

    # set these to your inside interface network and netmask and ip
    iif="pn0"
    inet="192.168.0.6"
    imask="255.255.255.0"
    iip="192.168.0.6"

    /sbin/ipfw flush
    /sbin/ipfw add divert natd all from any to any via mx0

    # stop spoofing
    /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
    /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

    # stop rfc1918 nets on the outside interface
    /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

    # allow tcp through if setup succeeded
    /sbin/ipfw add pass tcp from any to any established

    # allow setup of incoming email
    /sbin/ipfw add pass tcp from any to ${oip} 25 setup

    # allow access to our www
    /sbin/ipfw add pass tcp from any to ${oip} 80 setup

    # reject & log all setup of incoming connections from the outside
    /sbin/ipfw add deny log tcp from any to any in via ${oif} setup

    # allow setup of any other tcp connection
    /sbin/ipfw add pass tcp from any to any setup

    # everything else is denied by default
fi

----------------------------------------------------------
Original Message:

I set up ipfirewall exactly as specified in The complete FreeBSD 3.3 book for the 'simple' firewall profile. First problem was when I rebooted I got a message about a line in the rc.firewall that wasn't recognized - it didn't like ' elif [..... etc]; then ' (page 504), and I got a prompt that the system couldn't find the path to the shell; I had to enter it or hit enter. I did.

Then I edited rc.firewall and removed the ' el ' from 'elif' - but that resulted in a message about the script being incomplete. And of course I got the same prompt again, then edited rc.firewall again and added ' fi ' to the end of it, thinking that might be what it needed to finish the script. But that resulted in a message about an unterminated string, and the shell prompt again.

Of course I can't access the internet or any PCs on my homenet, can't even ping localhost. I configured the kernel for firewall, did everything the book says to do, it just ain't workin'. I would like to use this to replace a linux firewall and run apache (which is working, btw).

Chip W.
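The three parse errors reported in this thread (an elif with no if, a block with no closing fi, and an unterminated string) can all be caught before a reboot by running the shell's parser over the file with sh -n. The script below is an added example, not part of the thread or of the book's rc.firewall; the four fragments it checks are constructed here, the first reproducing the missing opening quote in the posted file.

```shell
#!/bin/sh
# Added example, not from the thread: parse an rc.firewall fragment with
# `sh -n` before rebooting, so a typo is reported on the terminal rather
# than at boot, where the thread saw an "unterminated string" error and a
# prompt for the path to the shell. The fragments below are constructed
# here to reproduce the three errors the thread describes.

# Print "ok" if sh accepts the fragment's syntax, "syntax-error" otherwise.
# -n makes sh parse only, so the ipfw commands inside are never executed.
syntax_status() {
    if printf '%s\n' "$1" | sh -n 2>/dev/null; then
        echo ok
    else
        echo syntax-error
    fi
}

# As posted: `= simple"` lacks the opening quote, so the double quote
# starts a string that is never closed.
UNTERMINATED='if [ "${firewall}" = simple" ]; then
    /sbin/ipfw flush
fi'

# An elif copied without the if it belongs to (the page-504 line).
ORPHAN_ELIF='elif [ "${firewall}" = "simple" ]; then
    /sbin/ipfw flush
fi'

# Changing elif to if without a closing fi leaves the script incomplete.
MISSING_FI='if [ "${firewall}" = "simple" ]; then
    /sbin/ipfw flush'

# Corrected: quoted comparison and a matching if/fi pair.
CORRECTED='if [ "${firewall}" = "simple" ]; then
    /sbin/ipfw flush
fi'

printf 'unterminated quote: %s\n' "$(syntax_status "$UNTERMINATED")"
printf 'orphan elif:        %s\n' "$(syntax_status "$ORPHAN_ELIF")"
printf 'missing fi:         %s\n' "$(syntax_status "$MISSING_FI")"
printf 'corrected:          %s\n' "$(syntax_status "$CORRECTED")"
# On the firewall host itself the same check is: sh -n /etc/rc.firewall
```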