From: Dan
To: freebsd-net@freebsd.org
Date: Sun, 19 Oct 2003 15:32:40 +0100
Subject: IPFW.
Message-Id: <200310191532.40136.dan@ntlbusiness.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi there.

I hope you can help. I've been trying and trying for days to try and get these rules sorted, as whenever they're used, my laptop (which is using my FreeBSD box as a gateway) cannot access the Internet.

If I use a "small" set of rules, such as:

    fwcmd="/sbin/ipfw"
    $fwcmd -f flush
    $fwcmd add divert natd all from any to any via sis0
    $fwcmd add allow all from any to any

it works fine.

sis0 is the Ethernet that has the business cable modem attached to it, and sis1 is the Ethernet that has the wireless access point (Netgear HE102) connected to it, which the laptop (using a Netgear HA501 card) connects to.

It's taken me so long just to get this far!

I looked through the standard /etc/rc.firewall and that's how I managed to get the priorities for the ones I've done.

But if you can tell me where I'm going wrong (as I'm going mind-boggled now with this!) it'd be absolutely gratefully appreciated.

Many thanks!

The rules:

    # Define the firewall command (as in /etc/rc.firewall) for easy
    # reference.  Helps to make it easier to read.
    fwcmd="/sbin/ipfw"

    # Force a flushing of the current rules before we reload.
    $fwcmd -f flush

    # Divert all packets through the tunnel interface.
    $fwcmd add 50 divert natd all from any to any via sis0

    # Allow all connections that have dynamic rules built for them,
    # but deny established connections that don't have a dynamic rule.
    # See ipfw(8) for details.
    $fwcmd add check-state
    $fwcmd add pass tcp from any to any established

    # Allow all localhost connections
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Allow all connections from my network card that I initiate
    $fwcmd add allow tcp from me to any out xmit any setup keep-state
    $fwcmd add deny tcp from me to any
    $fwcmd add allow ip from me to any out xmit any keep-state
    $fwcmd add allow all from 192.168.0.0/24 to any

    # Everyone on the Internet is allowed to connect to the following
    # services on the machine.  This example specifically allows connections
    # to sshd and a webserver.
    $fwcmd add allow tcp from any to any established
    $fwcmd add allow tcp from any to me 80 setup
    $fwcmd add allow tcp from any to me 22 setup

    # This sends a RESET to all ident packets.
    $fwcmd add reset log tcp from any to me 113 in recv any

    # Enable ICMP: remove type 8 if you don't want your host to be pingable
    $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

    # Deny all the rest.
    $fwcmd add deny log ip from any to any
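An added model of the posted ruleset (not code from the post or from FreeBSD) that walks a laptop's request and the server's reply through the rules the way ipfw and natd process them. The addresses are constructed, the numbers of the un-numbered rules are assumed, and ports are ignored. Under those assumptions it shows why a UDP reply such as a DNS answer dies at the final deny: the dynamic rule created at the "from me ... keep-state" rule is keyed on the translated public address, but rule 50 has already translated the reply back to the laptop's address before check-state sees it, whereas a TCP reply is rescued by the "established" rule.

```python
import ipaddress
# Constructed addresses: the gateway's public sis0 address (ipfw's "me"), the laptop behind sis1, a server.
ME, LAPTOP, SERVER = "198.51.100.7", "192.168.0.10", "203.0.113.53"
in_lan = lambda a: ipaddress.ip_address(a) in ipaddress.ip_network("192.168.0.0/24")
NAT_TABLE = {}  # natd's translation table, keyed on the remote address (ports ignored)
STATE = set()   # ipfw's dynamic rules; each matches both directions of the flow it was made for
key = lambda p: (p["proto"], frozenset((p["src"], p["dst"])))
# Posted rules that can match laptop traffic, in installed order (numbers of the un-numbered
# rules assumed as previous + 100; the verdicts do not depend on them). "established" is the ACK flag.
RULES = [
    (50,   "divert",           lambda p: p["iface"] == "sis0"),
    (150,  "allow",            lambda p: key(p) in STATE),               # check-state
    (250,  "allow",            lambda p: p["proto"] == "tcp" and "ACK" in p["flags"]),
    (400,  "allow keep-state", lambda p: p["proto"] == "tcp" and p["src"] == ME
                                         and p["dir"] == "out" and p["flags"] == {"SYN"}),
    (600,  "allow keep-state", lambda p: p["src"] == ME and p["dir"] == "out"),
    (700,  "allow",            lambda p: in_lan(p["src"])),
    (1300, "deny",             lambda p: True),
]
def natd(p):  # natd on sis0: rewrite the LAN source going out, undo it for the reply coming in
    q = dict(p)
    if p["dir"] == "out" and in_lan(p["src"]):
        NAT_TABLE[p["dst"]], q["src"] = p["src"], ME
    elif p["dir"] == "in" and p["dst"] == ME and p["src"] in NAT_TABLE:
        q["dst"] = NAT_TABLE[p["src"]]
    return q
def ipfw(p, start=0):
    """Walk the rules as ipfw does; divert re-injects the translated packet at the next rule."""
    for num, action, match in RULES:
        if num < start or not match(p):
            continue
        if action == "divert":
            return ipfw(natd(p), num + 1)
        if "keep-state" in action:
            STATE.add(key(p))
        return f"{action.split()[0]} by rule {num}"
    return "deny (default)"
def trace(proto, flags_out=(), flags_back=()):
    """Laptop -> server request and the server's reply, hop by hop; stops at the first deny."""
    STATE.clear()
    hops = [(LAPTOP, SERVER, "sis1", "in", flags_out), (LAPTOP, SERVER, "sis0", "out", flags_out),
            (SERVER, ME, "sis0", "in", flags_back), (SERVER, LAPTOP, "sis1", "out", flags_back)]
    verdicts = []
    for src, dst, iface, direction, flags in hops:
        p = {"proto": proto, "src": src, "dst": dst, "iface": iface, "dir": direction, "flags": set(flags)}
        verdicts.append(ipfw(p))
        if verdicts[-1].startswith("deny"):
            break
    return verdicts
```

On the real gateway, the final "deny log" rule would record exactly these reply packets (UDP from the resolver to the laptop's address, in via sis0) if firewall logging is enabled, which is the quickest way to confirm what the model predicts.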