Date: Sun, 21 Jan 2001 01:47:34 -0600 From: Jason Hunt <jhunt@blaz.homeip.net> To: freebsd-questions@freebsd.org Subject: problems with clients behind firewall accessing icq. Message-ID: <3A6A9416.F0F97D5B@blaz.niinet.net>
next in thread | raw e-mail | index | archive | help
greetings,
I have the following in my rules:
# Allow ICQ Server Packets
add allow tcp from any 5190 to any via xl0
# Allow ICQ Client-to-Client communications
add allow tcp from any 1024-65535 to any 1024-65535 in recv xl0
my firewall has xl0 connected to cable modem, and xl1 is connected
to locallan. Machines behind the firewall can not access icq
though, or some other services. How can I basically allow
everything that can get to the firewall through to my lan?
here are the rest of my TCP RULES:
# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup
# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup
${fwcmd} add pass tcp from any to any 110 setup
# FTP - Allow incoming data channel for outgoing connections,# reject &
log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup
# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
### UDP RULES
# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any
# SMB - Allow local traffic# ${fwcmd} add pass udp from any to any
137-139 via ${iif}
# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif}
# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}
# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
-- strange thing is machines on my lan can not do a traceroute,
just from firewall.. here are my ICMP rules:
### ICMP RULES
# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}
# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad
Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
# Deny the rest of them
${fwcmd} add deny icmp from any to any
### MISCELLANEOUS REJECT RULES
# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}
# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in kernel
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A6A9416.F0F97D5B>