Date:      Fri, 11 Feb 2000 17:44:55 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        chip <chip@wiegand.org>
Cc:        questions@freebsd.org
Subject:   Re: rc.firewall problem - Take 4
Message-ID:  <20000211174455.B14230@hades.hell.gr>
In-Reply-To: <38A39BB1.17ED9740@wiegand.org>; from chip@wiegand.org on Thu, Feb 10, 2000 at 09:18:41PM -0800
References:  <20000208040302.B10648@hades.hell.gr> <00020800084901.02763@firewall.homenet> <20000210162740.A13143@hades.hell.gr> <38A39BB1.17ED9740@wiegand.org>

On Thu, Feb 10, 2000 at 09:18:41PM -0800, chip wrote:
>
> I hope these are readable. I thought it would be better to attach them
> than to copy the whole text into the message.  Chip W

I don't mind the way it's done.  As long as the attachments are plain
text, there is no problem at all :)

> chip# ipfw show
> 00100  0    0 allow ip from any to any via lo0
> 00200  0    0 deny ip from any to 127.0.0.0/8
> 00300  0    0 deny ip from 192.168.0.0/24 to any in recv mx0
> 00400  0    0 deny ip from 208.194.173.0/25 to any in recv pn0
> 00500 30 7265 deny ip from 192.168.0.0/16 to any via mx0
> 00600  0    0 deny ip from any to 192.168.0.0/16 via mx0
> 00700  0    0 deny ip from 172.16.0.0/12 to any via mx0
> 00800  0    0 deny ip from any to 172.16.0.0/12 via mx0
> 00900  0    0 deny ip from 10.0.0.0/8 to any via mx0
> 01000  0    0 deny ip from any to 10.0.0.0/8 via mx0
> 01100 23 7274 allow tcp from any to any established
> 01200  0    0 allow tcp from any to 208.194.173.26 25 setup
> 01300  0    0 allow tcp from any to 208.194.173.26 53 setup
> 01400  0    0 allow tcp from any to 208.194.173.26 80 setup
> 01500  0    0 deny log logamount 100 tcp from any to any in recv mx0 setup
> 01600  8  384 allow tcp from any to any setup
> 01700  0    0 allow udp from any 53 to 208.194.173.26
> 01800  0    0 allow udp from 208.194.173.26 to any 53
> 01900  0    0 allow udp from any 123 to 208.194.173.26
> 02000  0    0 allow udp from 208.194.173.26 to any 123
> 65535 36 2634 deny ip from any to any  

Now, from the rules below I can see that you're just denying *all* icmp
packets, which match the rule at the bottom of the list.  If you want to
be able to ping/traceroute, you will probably find it useful to add in
your rc.firewall a line that passes icmp packets through.

Just add the following as the last rule of your rc.firewall.

	add allow icmp from any to any

Some say that certain types of ICMP packets are evil, and on several
systems I've seen, the administrators have even restricted the
permissions of traceroute and ping, in order to stop the users from
using them.

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public PGP key: finger keramida@diogenis.ceid.upatras.gr
PGP fingerprint, phone and address in the headers of this message.
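
The following is an added example, not code from this message or from FreeBSD: a small Python model of ipfw's first-match rule evaluation that understands the keywords the posted rules use (plus `icmptypes`, which ipfw also supports). It loads an abridged copy of the posted `ipfw show` output (the 172.16/12, 10/8 and NTP rules follow the same pattern and are left out), shows that an inbound ICMP echo reply falls all the way through to the `65535 deny`, how the suggested `allow icmp from any to any` rule changes that, and a narrower variant that admits only the reply types ping and traceroute need to get back. The source address 198.51.100.7, the 192.168.1.5 spoof test and rule number 02100 are constructed for the example; the handling of `recv IF` is a simplification noted in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str = "mx0"             # interface the packet is seen on
    direction: str = "in"          # "in" or "out"
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: str = ""            # "syn" = bare SYN (setup), "ack" = ACK set (established)
    icmptype: Optional[int] = None

def parse_rule(line):
    """Parse 'NUM [pkts bytes] ACTION [log [logamount N]] PROTO from SRC [PORT] to DST
    [PORT] [in|out] [via IF|recv IF] [setup|established] [icmptypes T,T,...]'."""
    t = line.split()
    r = {"number": int(t.pop(0))}
    while t[0].isdigit():          # skip the packet/byte counters printed by 'ipfw show'
        t.pop(0)
    r["action"] = t.pop(0)
    if t[0] == "log":              # 'log [logamount N]' does not affect matching
        del t[:3 if t[1] == "logamount" else 1]
    r["proto"] = t.pop(0)
    assert t.pop(0) == "from"
    r["src"] = t.pop(0)
    r["sport"] = int(t.pop(0)) if t[0].isdigit() else None
    assert t.pop(0) == "to"
    r["dst"] = t.pop(0)
    r["dport"] = int(t.pop(0)) if t and t[0].isdigit() else None
    while t:                       # trailing match options
        k = t.pop(0)
        if k in ("in", "out"):
            r["direction"] = k
        elif k in ("via", "recv"):
            r[k] = t.pop(0)
        elif k in ("setup", "established"):
            r["tcp"] = k
        elif k == "icmptypes":
            r["icmptypes"] = {int(x) for x in t.pop(0).split(",")}
        else:
            raise ValueError(f"unsupported keyword {k!r} in rule {r['number']}")
    return r

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    if r["proto"] not in ("ip", p.proto) or not _addr_ok(r["src"], p.src) or not _addr_ok(r["dst"], p.dst):
        return False
    if r["sport"] not in (None, p.sport) or r["dport"] not in (None, p.dport):
        return False
    if r.get("direction", p.direction) != p.direction or r.get("via", p.iface) != p.iface:
        return False
    # 'recv IF' is modelled as "inbound and arriving on IF" (a simplification of ipfw)
    if "recv" in r and not (p.direction == "in" and r["recv"] == p.iface):
        return False
    want = {"setup": "syn", "established": "ack"}.get(r.get("tcp"))
    if want and not (p.proto == "tcp" and p.tcp_flags == want):
        return False
    return "icmptypes" not in r or p.icmptype in r["icmptypes"]

def evaluate(rules, pkt):
    """First match in rule-number order wins; the posted list ends in an explicit
    '65535 deny ip from any to any', so that is the fallback here as well."""
    for r in sorted(rules, key=lambda r: r["number"]):
        if matches(r, pkt):
            return r["number"], r["action"]
    return 65535, "deny"

# Constructed, abridged copy of the rule set from the posted 'ipfw show' output.
POSTED = [parse_rule(l) for l in """
00100  0    0 allow ip from any to any via lo0
00200  0    0 deny ip from any to 127.0.0.0/8
00300  0    0 deny ip from 192.168.0.0/24 to any in recv mx0
00400  0    0 deny ip from 208.194.173.0/25 to any in recv pn0
00500 30 7265 deny ip from 192.168.0.0/16 to any via mx0
00600  0    0 deny ip from any to 192.168.0.0/16 via mx0
01100 23 7274 allow tcp from any to any established
01200  0    0 allow tcp from any to 208.194.173.26 25 setup
01300  0    0 allow tcp from any to 208.194.173.26 53 setup
01400  0    0 allow tcp from any to 208.194.173.26 80 setup
01500  0    0 deny log logamount 100 tcp from any to any in recv mx0 setup
01600  8  384 allow tcp from any to any setup
01700  0    0 allow udp from any 53 to 208.194.173.26
01800  0    0 allow udp from 208.194.173.26 to any 53
65535 36 2634 deny ip from any to any
""".strip().splitlines()]

# Constructed packets, both seen inbound on mx0 (198.51.100.7 is a documentation address).
ECHO_REPLY = Packet("icmp", "198.51.100.7", "208.194.173.26", icmptype=0)
ECHO_REQUEST = Packet("icmp", "198.51.100.7", "208.194.173.26", icmptype=8)

# The fix from the message: a blanket allow placed just before the catch-all.
WITH_ICMP = POSTED + [parse_rule("02100 allow icmp from any to any")]
# Narrower variant (assumed; uses ipfw's icmptypes keyword): only echo reply, destination
# unreachable and time exceeded, the types ping and traceroute need to receive.
REPLIES_ONLY = POSTED + [parse_rule("02100 allow icmp from any to any icmptypes 0,3,11")]
```

With the posted list, `evaluate(POSTED, ECHO_REPLY)` returns `(65535, "deny")`; with the blanket rule both the reply and an inbound echo request are allowed at 2100; with the `icmptypes 0,3,11` variant the reply is allowed but the inbound echo request still hits 65535, so the host can ping and traceroute outward without answering pings from outside. The same evaluator confirms the anti-spoofing rule 500 catches a SYN arriving on mx0 with a 192.168.x source, and that rule 1500 is what denies (and logs) an inbound SYN to any port not opened by 1200 to 1400.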


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000211174455.B14230>