Date: Fri, 7 Oct 2005 08:04:40 -0500 (CDT)
From: Chris <racerx@makeworld.com>
To: Горсткин Илья <cadavo@mail.ru>
Cc: freebsd-stable@freebsd.org
Subject: Re: ipfw: firewall.sh don't work!
Message-ID: <20051007080347.N32724@makeworld.com>
In-Reply-To: <1128689902.653.28.camel@hp.tbnbykovo.ru>
References: <1128689902.653.28.camel@hp.tbnbykovo.ru>
On Fri, 7 Oct 2005, Горсткин Илья wrote:

> Hi all!
> FreeBSD 5.4 p7.
>
> ipfw works only in the firewall_type="open" mode.
> When I try to apply firewall_script="/etc/firewall.sh", the system
> forbids the traffic even if firewall.sh is configured as "allow all any to
> any".
>
> my kernel:
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_FORWARD
> options IPFIREWALL_FORWARD_EXTENDED
> options IPDIVERT
> options DUMMYNET
>
> rc.conf:
> gateway_enable="YES"
> ifconfig_bge0="inet 192.168.1.1"
> ifconfig_xl0="inet xxxx.xxxx.xxxx.xxxx"
> icmp_drop_redirect="YES"
> icmp_log_redirect="YES"
> icmp_bmcastecho="NO"
> firewall_enable="YES"
> #firewall_type="OPEN"
> firewall_script="/etc/firewall.sh"
> firewall_logging="YES"
> natd_enable="YES"
> natd_interface="xl0"
> natd_flags="-s"
>
> /etc/firewall.sh:
> #!/bin/sh
>
> ipfw='/sbin/ipfw -q'
> inet='xl0'
> lan='bge0'
>
> ${ipfw} -a flush
> ${ipfw} add 100 allow all from any to any via lo0
>
> ${ipfw} add 300 divert natd tcp from any to any via ${inet}
> ${ipfw} add 310 divert natd udp from any to any via ${inet}
>
> ${ipfw} add 400 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
> ${ipfw} add 410 deny icmp from any to any frag
> ${ipfw} add 420 allow icmp from any to any
> ${ipfw} add 500 deny tcp from any to 192.168.1.0/24 137-139 via ${inet}
> ${ipfw} add 510 deny udp from any to 192.168.1.0/24 137-139 via ${inet}
> ${ipfw} add 520 deny ip from 192.168.1.0/24 to any in via ${inet}
> ${ipfw} add 530 allow tcp from 192.168.1.1 to any 5999
> ${ipfw} add 540 allow udp from any 53 to any
> ${ipfw} add 550 allow udp from any to any 53
>
> ${ipfw} add 600 allow tcp from 192.168.1.0/24 to any 20,21,25,80,110,443,5190
> ${ipfw} add 610 allow tcp from any 20,21,25,80,110,443,5190 to 192.168.1.0/24
>
> Where is the problem?
> thanks!

Go back to the Handbook and read it again. You'll see that you are NOT
making the proper references for LAN traffic and internet traffic.

Best regards,
Chris

A little ambiguity never hurt anyone.
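What happens to a LAN host's web traffic under the quoted firewall.sh can be seen by stepping a packet through the rules in order. The following is an added illustration written for this archive page, not code from the thread or from FreeBSD; it models only the ipfw semantics these packets exercise, uses constructed addresses (203.0.113.10 standing in for the masked xl0 address in rc.conf, 192.168.1.5 for a LAN host, 198.51.100.7 for a web server), and assumes the implicit rule 65535 denies everything, since the quoted kernel config has no IPFIREWALL_DEFAULT_TO_ACCEPT.

```python
"""Trace packets through the firewall.sh ruleset quoted above.

Added illustration, not code from the thread.  It models only the ipfw semantics
these packets exercise: first match wins, 'via' matches either direction on an
interface, 'in via' only inbound, a matching 'divert natd' rewrites the address
and evaluation continues at the next rule, and the implicit rule 65535 denies
everything because the quoted kernel config lacks IPFIREWALL_DEFAULT_TO_ACCEPT.
ICMP rules 400-420 are omitted (only TCP/UDP is traced).  203.0.113.10 (stand-in
for the masked xl0 address), 192.168.1.5 and 198.51.100.7 are constructed.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

INET, LAN = "xl0", "bge0"
PUBLIC = "203.0.113.10"                 # placeholder for the real xl0 address
LAN_NET = "192.168.1.0/24"
WEB_PORTS = frozenset({20, 21, 25, 80, 110, 443, 5190})
NETBIOS = frozenset({137, 138, 139})

# direction is 'in' or 'out' relative to the gateway, iface the interface name
Packet = namedtuple("Packet", "proto src sport dst dport iface direction")


@dataclass
class Rule:
    num: int
    action: str                         # allow | deny | divert
    proto: str                          # ip | tcp | udp
    src: str = "any"                    # 'any', CIDR or host address
    sports: frozenset = frozenset()     # empty set means any port
    dst: str = "any"
    dports: frozenset = frozenset()
    direction: str = None               # 'in', 'out' or None for either
    via: str = None                     # interface name or None


def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.via is None or rule.via == pkt.iface)
            and addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
            and (not rule.sports or pkt.sport in rule.sports)
            and (not rule.dports or pkt.dport in rule.dports))


def natd(pkt):
    """natd on xl0: source NAT outbound, reverse-translate a known session inbound."""
    if pkt.direction == "out" and addr_match(LAN_NET, pkt.src):
        return pkt._replace(src=PUBLIC)
    if pkt.direction == "in" and pkt.dst == PUBLIC:
        return pkt._replace(dst="192.168.1.5")   # constructed session mapping
    return pkt


# The quoted firewall.sh, rule for rule (ICMP rules omitted, see above).
POSTED_RULES = [
    Rule(100, "allow", "ip", via="lo0"),
    Rule(300, "divert", "tcp", via=INET),
    Rule(310, "divert", "udp", via=INET),
    Rule(500, "deny", "tcp", dst=LAN_NET, dports=NETBIOS, via=INET),
    Rule(510, "deny", "udp", dst=LAN_NET, dports=NETBIOS, via=INET),
    Rule(520, "deny", "ip", src=LAN_NET, direction="in", via=INET),
    Rule(530, "allow", "tcp", src="192.168.1.1", dports=frozenset({5999})),
    Rule(540, "allow", "udp", sports=frozenset({53})),
    Rule(550, "allow", "udp", dports=frozenset({53})),
    Rule(600, "allow", "tcp", src=LAN_NET, dports=WEB_PORTS),
    Rule(610, "allow", "tcp", sports=WEB_PORTS, dst=LAN_NET),
]


def trace(rules, pkt):
    """Return (rule number, action) of the first terminal match; a matching
    divert rewrites the packet and evaluation resumes at the next rule."""
    for rule in sorted(rules, key=lambda r: r.num):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
            continue
        return rule.num, rule.action
    return 65535, "deny"                # implicit default rule of an IPFIREWALL kernel


def lan_web_request_hops():
    """A LAN host's TCP request to a web server passes the firewall twice:
    arriving on bge0, then leaving on xl0 after natd has rewritten its source."""
    arrive = Packet("tcp", "192.168.1.5", 49152, "198.51.100.7", 80, LAN, "in")
    leave = arrive._replace(iface=INET, direction="out")
    return trace(POSTED_RULES, arrive), trace(POSTED_RULES, leave)


def web_reply_hops():
    """The server's reply arrives on xl0 addressed to the public IP, is
    un-NATed by natd, then is forwarded out on bge0 to the LAN host."""
    arrive = Packet("tcp", "198.51.100.7", 80, PUBLIC, 49152, INET, "in")
    forward = Packet("tcp", "198.51.100.7", 80, "192.168.1.5", 49152, LAN, "out")
    return trace(POSTED_RULES, arrive), trace(POSTED_RULES, forward)


if __name__ == "__main__":
    print("request: in via bge0 %s, out via xl0 %s" % lan_web_request_hops())
    print("reply:   in via xl0 %s, out via bge0 %s" % web_reply_hops())
```

The request is accepted at rule 600 when it arrives on bge0, but on its second pass out via xl0 it has already been through rule 300's divert, now carries the public source address, matches neither 600 nor 610, and falls to the default deny; that is the "forbids the traffic" symptom. The reply direction works only because natd has already rewritten the destination back into 192.168.1.0/24 before rule 610 is reached. Matching the LAN side and the internet side separately, as Chris's reply hints, means writing the xl0 rules for what a packet looks like after natd rather than before it.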
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051007080347.N32724>