From owner-freebsd-questions Sun Mar 28 6:24:36 1999
Date: Mon, 29 Mar 1999 00:54:13 +0930 (CST)
From: Kris Kennaway
To: Remy Nonnenmacher
Cc: ru@ucb.crimea.ua, noor@netvision.net.il, freebsd-questions@freebsd.org
Subject: Re: ipfw behavior, is it normal?
In-Reply-To: <199903281409.QAA22122@rt2.synx.com>

On Sun, 28 Mar 1999, Remy Nonnenmacher wrote:

> >> 00100 allow ip from any to any via lo0
> >> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> >> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> >> 00400 allow ip from any to [server-ip] 80 in via xl0
> >> 00500 allow ip from any to [server-ip] 21 in via xl0
> >> 65000 allow ip from any to any
> >> 65535 deny ip from any to any

Except for rule 65000, you are allowing IP traffic in one direction only (outside -> server). This lets the packets in, but doesn't let the return packets out when you remove rule 65000.

To allow outbound packets part of an established (incoming) TCP connection, use the 'established' keyword:

    00100 allow tcp from any to any out xmit xl0 established

Configure your kernel with options IPFIREWALL_VERBOSE and it will log the packets which are bounced by the firewall - great for tuning the configuration and seeing where things are going wrong.
This isn't really a -hackers question, follow-ups sent to -questions.

Kris

-----
The Feynman problem-solving algorithm:
  1. Write down the problem
  2. Think real hard
  3. Write down the solution
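To see why the quoted ruleset fails once 65000 is removed, and what the 'established' rule fixes, here is an added Python model of ipfw's first-match evaluation over those rules (example code, not from the thread or from ipfw itself). The host addresses are constructed placeholders for [server-ip] and [machine-a-ip], and rules 200/300 are left out because they have the same shape as 400.

```python
from collections import namedtuple

# Constructed placeholder addresses standing in for the post's [server-ip] / [machine-a-ip].
SERVER, CLIENT = "192.0.2.10", "198.51.100.7"

# flags: TCP flag names, e.g. {"SYN"} for a new connection, {"ACK"} for its replies.
Packet = namedtuple("Packet", "proto src dst dport direction iface flags")
# Defaults mirror ipfw wildcards: proto "ip" matches everything, "any" matches any host,
# None means the rule does not test that field ("via" = either direction).
Rule = namedtuple("Rule", "num action proto src dst dport direction iface established",
                  defaults=("ip", "any", "any", None, None, None, False))

def matches(r, p):
    """One ipfw rule against one packet, for the subset of syntax used in the post.
    'established' matches only TCP packets carrying ACK or RST, i.e. not a bare SYN."""
    return (r.proto in ("ip", p.proto)
            and r.src in ("any", p.src) and r.dst in ("any", p.dst)
            and r.dport in (None, p.dport) and r.direction in (None, p.direction)
            and r.iface in (None, p.iface)
            and (not r.established or (p.proto == "tcp" and bool(p.flags & {"ACK", "RST"}))))

def evaluate(rules, p):
    """First matching rule wins; 65535 deny is the implicit default rule."""
    for r in sorted(rules, key=lambda r: r.num):
        if matches(r, p):
            return r.num, r.action
    return 65535, "deny"

# The poster's ruleset with 65000 removed (200/300 left out: same shape as 400).
BASE = [Rule(100, "allow", iface="lo0"),
        Rule(400, "allow", dst=SERVER, dport=80, direction="in", iface="xl0"),
        Rule(500, "allow", dst=SERVER, dport=21, direction="in", iface="xl0")]
# Kris's suggested rule: allow tcp from any to any out xmit xl0 established
FIXED = BASE + [Rule(600, "allow", proto="tcp", direction="out", iface="xl0", established=True)]

SYN_IN = Packet("tcp", CLIENT, SERVER, 80, "in", "xl0", frozenset({"SYN"}))       # client opens
REPLY_OUT = Packet("tcp", SERVER, CLIENT, 40000, "out", "xl0", frozenset({"SYN", "ACK"}))  # server answers
NEW_OUT = Packet("tcp", SERVER, CLIENT, 25, "out", "xl0", frozenset({"SYN"}))     # server-initiated

if __name__ == "__main__":
    for name, rs in (("without 65000", BASE), ("with established", FIXED)):
        print(name, [evaluate(rs, p) for p in (SYN_IN, REPLY_OUT, NEW_OUT)])
```

Without 65000 the inbound SYN is accepted by rule 400 but the server's SYN/ACK hits the default deny; the 'established' rule lets that reply out while still dropping a bare outbound SYN, which is why a stateless ruleset needs it per direction.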