Date:      Mon, 6 Jul 1998 23:39:36 +1200
From:      "Dan Langille" <junkmale@xtra.co.nz>
To:        Julian Elischer <julian@whistle.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: using IPFW as a firewall
Message-ID:  <199807061139.XAA19019@cyclops.xtra.co.nz>
In-Reply-To: <Pine.BSF.3.95.980706021555.11949H-100000@current1.whistle.com>
References:  <199807060849.UAA17014@cyclops.xtra.co.nz>


On 6 Jul 98, at 2:27, Julian Elischer wrote:

> 
> 
> On Mon, 6 Jul 1998, Dan Langille wrote:
> 
> > three rules within /etc/rc.firewall must be commented out in order for
> > some stuff to work.  Can anyone educate me as to why these rules prevent
> > ping, news, mail, etc from running on machines on my home network? 
> > Those section of rc.firewall appear below.
> 
> What's your local topology?

Now that word I had to look up.  I hope this is what you wanted.

ISP
 |
 |
 |
202.55.202.87 via DHCP
 |
FreeBSD (ruth)
 |
192.168.0.20
 |
 |---192.168.0.1 NT Box (wocker)
 |
 |---192.168.0.5 NT Box (gus)

> 
> > 
> > ---
> > # Stop RFC1918 nets on the outside interface
> > $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> 
> oif is the outside interface.. 192.168 addresses should never be seen
> there.

That's what I thought.  But isn't that to prevent attacks?

> > # Allow TCP through if setup succeeded
> > $fwcmd add pass tcp from any to any established
> 
> Allow tcp packets going in any direction if they are not startup packets.

Funny how that stops everything though.

> > # Allow setup of any other TCP connection
> > $fwcmd add pass tcp from any to any setup
> 
> I see it's supposed to be after a rule that blocks incoming setup packets.
> 
> this rule accepts, I cant see how removing it helps anything..

Ditto

> > I'm also running natd.  Where's the best place to put the rules
> > pertaining to natd?  e.g.  add divert natd all from any to any via ed0 I
> > can't put them in rc.firewall as natd doesn't seem to be active at that
> > time.
> 
> doesn't matter.. if natd isn't running they effectively become 'drop'
> rules until it starts up.

OH.  Perhaps then the problem is dhcp.  Because if I add the divert to
rc.firewall, I get "natd: failed to write packet back (No route to host)".
That's right after the DHCPREQUEST on ed0 to 255.255.255.255 port 67.
Under such circumstances, other boxes on the net cannot get out through
the firewall.
--
Dan Langille
DVL Software Limited
http://www.dvl-software.com : for race timing solutions

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
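As an added example (not part of Dan's or Julian's messages, and not FreeBSD's own rc.firewall), the script below builds a rule list in rc.firewall style that applies the ordering Julian describes: the natd divert comes first, so outbound packets are translated before any pass rule can accept them and inbound replies are mapped back before the filter looks at them; the RFC1918 anti-spoofing deny on the outside interface follows; then incoming TCP setup packets are dropped before "established" and "setup" are passed. The interface name ed0 and the 192.168.0.0/16 inside net come from the thread; the rule numbers, the two UDP rules for the DHCP client on ed0, the use of plain echo as a dry run and the helper functions are assumptions made for this example.

```shell
#!/bin/sh
# Constructed rc.firewall-style rule list for the topology in the message:
# ruth is the gateway, ed0 the outside (DHCP) interface, 192.168.0.0/16 inside.
# fwcmd defaults to "echo ipfw" so the script only prints what it would load;
# run with FWCMD=/sbin/ipfw on a FreeBSD host to actually install the rules.

oif="${OIF:-ed0}"                      # outside interface (assumed: ed0, as in the thread)
inet="192.168.0.0:255.255.0.0"         # inside nets, in ipfw addr:mask form
fwcmd="${FWCMD:-echo ipfw}"            # dry run unless FWCMD is set

build_rules() {
    # 1. NAT first. ipfw matches in rule-number order and stops at the first
    #    match, so a pass rule placed before the divert would accept packets
    #    untranslated and natd would never see them. Translated packets
    #    re-enter ipfw at the rule after the divert.
    $fwcmd add 100 divert natd all from any to any via ${oif}

    # 2. Anti-spoofing: private source addresses must never appear on the
    #    outside interface. Outbound inside traffic was already rewritten to
    #    the public address by rule 100, so legitimate hosts do not match.
    $fwcmd add 200 deny all from ${inet} to any via ${oif}

    # 3. DHCP client on the outside interface (assumed rules): the lease
    #    exchange runs UDP 68 -> 67 to the broadcast address and back.
    $fwcmd add 300 pass udp from any 68 to any 67 out via ${oif}
    $fwcmd add 310 pass udp from any 67 to any 68 in via ${oif}

    # 4. Refuse new TCP connections arriving from the outside, then let
    #    existing connections and locally originated setups through.
    $fwcmd add 400 deny tcp from any to any in via ${oif} setup
    $fwcmd add 500 pass tcp from any to any established
    $fwcmd add 600 pass tcp from any to any setup

    # 5. Everything else is dropped.
    $fwcmd add 65000 deny ip from any to any
}

# Print the 1-based position of the first generated rule matching $1.
rule_position() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Ordering checks a practitioner can run before loading the rules:
# the divert must precede the pass rules, and the inbound setup deny
# must precede the pass setup rule.
rule_order_ok() {
    divert=$(rule_position "divert natd")
    est=$(rule_position "established")
    deny_setup=$(rule_position "deny tcp from any to any in via")
    pass_setup=$(rule_position "pass tcp from any to any setup")
    [ -n "$divert" ] && [ -n "$est" ] && [ "$divert" -lt "$est" ] &&
    [ -n "$deny_setup" ] && [ -n "$pass_setup" ] && [ "$deny_setup" -lt "$pass_setup" ]
}

build_rules
```

With FWCMD unset the script prints eight ipfw commands in the order they would be installed; rule_order_ok returns success only when the divert sits ahead of the established/setup pass rules and the inbound setup deny sits ahead of the pass setup rule, which is the ordering the thread says rc.firewall intends.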