From owner-freebsd-questions Mon Jul 6 08:56:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA29458 for freebsd-questions-outgoing; Mon, 6 Jul 1998 08:56:46 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from cyclops.xtra.co.nz (cyclops.xtra.co.nz [202.27.184.96]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA29348 for ; Mon, 6 Jul 1998 08:56:21 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by cyclops.xtra.co.nz (8.8.8/8.8.8) with SMTP id XAA19019; Mon, 6 Jul 1998 23:39:36 +1200 (NZST)
Message-Id: <199807061139.XAA19019@cyclops.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: Julian Elischer
Date: Mon, 6 Jul 1998 23:39:36 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: using IPFW as a firewall
Reply-to: junkmale@xtra.co.nz
CC: freebsd-questions@FreeBSD.ORG
References: <199807060849.UAA17014@cyclops.xtra.co.nz>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 6 Jul 98, at 2:27, Julian Elischer wrote:

> On Mon, 6 Jul 1998, Dan Langille wrote:
>
> > three rules within /etc/rc.firewall must be commented out in order for
> > some stuff to work. Can anyone educate me as to why these rules prevent
> > ping, news, mail, etc from running on machines on my home network?
> > Those sections of rc.firewall appear below.
>
> What's your local topology?

Now that word I had to look up. I hope this is what you wanted.

ISP
 |
 |
 | 202.55.202.87 via DHCP
 |
FreeBSD (ruth)
 |
192.168.0.20
 |
 |---192.168.0.1 NT Box (wocker)
 |
 |---192.168.0.5 NT Box (gus)

> > ---
> > # Stop RFC1918 nets on the outside interface
> > $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>
> oif is the outside interface.. 192.168 addresses should never be seen
> there.

That's what I thought. But isn't that to prevent attacks?

> > # Allow TCP through if setup succeeded
> > $fwcmd add pass tcp from any to any established
>
> Allow tcp packets going in any direction if they are not startup packets.

Funny how that stops everything though.

> > # Allow setup of any other TCP connection
> > $fwcmd add pass tcp from any to any setup
> > I see it's supposed to be after a rule that blocks incoming setup packets.
>
> this rule accepts, I can't see how removing it helps anything..

Ditto

> > I'm also running natd. Where's the best place to put the rules
> > pertaining to natd? e.g. add divert natd all from any to any via ed0 I
> > can't put them in rc.firewall as natd doesn't seem to be active at that
> > time.
>
> doesn't matter.. if natd isn't running they effectively become 'drop'
> rules until it starts up.

OH. Perhaps then the problem is dhcp. Because if I add the divert to
rc.firewall, I get "natd: failed to write packet back (No route to host)".
That's right after the DHCPREQUEST on ed0 to 255.255.255.255 port 67.
Under such circumstances, other boxes on the net cannot get out through
the firewall.

--
Dan Langille
DVL Software Limited
http://www.dvl-software.com : for race timing solutions

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
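An added illustration for the thread above, not code from the message, from rc.firewall or from ipfw: a small Python model of how ipfw walks the three quoted rules, so the effect of where the "divert natd" rule sits becomes visible. It models ipfw and natd by assumption only: the first matching rule decides; a divert rule hands the packet to natd, which rewrites the source of an outbound LAN packet to the outside address and then lets evaluation continue at the next rule; when natd is not running the divert behaves like a drop, as Julian says; and the ruleset ends in a default deny. The addresses 202.55.202.87 and 192.168.0.1 are the ones from the thread, 203.0.113.10 is a constructed documentation address, and the reverse translation of replies is left out of the model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

OUTSIDE_IF = "ed0"                          # ${oif} / natd interface in the thread
OUTSIDE_ADDR = "202.55.202.87"              # ruth's DHCP-assigned outside address
RFC1918_LAN = ip_network("192.168.0.0/16")  # 192.168.0.0:255.255.0.0 in ipfw syntax


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    iface: str              # interface the packet crosses
    outbound: bool          # True when leaving ruth towards the ISP
    syn_only: bool = False  # TCP SYN without ACK, i.e. an ipfw "setup" packet


def rule_deny_rfc1918(pkt, natd_running):
    """$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}"""
    if pkt.iface == OUTSIDE_IF and ip_address(pkt.src) in RFC1918_LAN:
        return "deny", pkt
    return None, pkt


def rule_pass_established(pkt, natd_running):
    """$fwcmd add pass tcp from any to any established"""
    if pkt.proto == "tcp" and not pkt.syn_only:
        return "pass", pkt
    return None, pkt


def rule_pass_setup(pkt, natd_running):
    """$fwcmd add pass tcp from any to any setup"""
    if pkt.proto == "tcp" and pkt.syn_only:
        return "pass", pkt
    return None, pkt


def rule_divert_natd(pkt, natd_running):
    """add divert natd all from any to any via ed0 (outbound translation only)"""
    if pkt.iface != OUTSIDE_IF:
        return None, pkt
    if not natd_running:
        return "deny", pkt            # nobody reads the divert socket: packet is lost
    if pkt.outbound and ip_address(pkt.src) in RFC1918_LAN:
        pkt = replace(pkt, src=OUTSIDE_ADDR)  # natd masquerades the LAN source
    return None, pkt                  # evaluation continues at the next rule


def evaluate(rules, pkt, natd_running=True):
    """Return the verdict ("pass" or "deny") the modelled ipfw reaches for pkt."""
    for rule in rules:
        verdict, pkt = rule(pkt, natd_running)
        if verdict is not None:
            return verdict
    return "deny"                     # assumed closing "deny all from any to any"


# The three rules exactly as quoted, in their rc.firewall order.
AS_QUOTED = [rule_deny_rfc1918, rule_pass_established, rule_pass_setup]
# The same rules with the natd divert ahead of them, and with it behind them.
DIVERT_FIRST = [rule_divert_natd] + AS_QUOTED
DIVERT_LAST = AS_QUOTED + [rule_divert_natd]

# Constructed sample: wocker (192.168.0.1) opening a TCP connection to an
# outside host; 203.0.113.10 is a documentation address, not a real peer.
WOCKER_SYN = Packet(src="192.168.0.1", dst="203.0.113.10", proto="tcp",
                    iface=OUTSIDE_IF, outbound=True, syn_only=True)


def compare_orderings(pkt=WOCKER_SYN):
    """Verdict for one LAN packet under each ordering of the same rules."""
    return {
        "as quoted, no divert": evaluate(AS_QUOTED, pkt),
        "divert first, natd up": evaluate(DIVERT_FIRST, pkt),
        "divert first, natd down": evaluate(DIVERT_FIRST, pkt, natd_running=False),
        "divert last, natd up": evaluate(DIVERT_LAST, pkt),
    }


if __name__ == "__main__":
    for label, verdict in compare_orderings().items():
        print(f"{label:26s} -> {verdict}")
```

The model reproduces the symptom in the thread: with the quoted rules alone, every packet a LAN box sends still carries its 192.168.0.x source when it reaches ed0, so the RFC1918 deny rule drops it before the established/setup rules are ever consulted, which is why commenting those rules out "fixed" things. Placing the divert ahead of the deny rule lets natd rewrite the source first; the deny rule then only ever sees private addresses on the outside interface when something is spoofed or leaked, which is exactly the attack it is there to stop, so it can stay in place. Putting the divert after the deny rule changes nothing, and a divert with no natd listening drops the packet outright.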