From owner-freebsd-questions@FreeBSD.ORG Mon Feb 14 16:43:04 2005
From: "Michael C. Shultz"
To: freebsd-questions@freebsd.org
Date: Mon, 14 Feb 2005 08:38:45 -0800
Subject: Re: ppp_mode and ipfw
In-Reply-To: <1108389001.4210ac89766a6@mail.online.ie>
Message-Id: <200502140838.45451.reso3w83@verizon.net>

On Monday 14 February 2005 05:50 am, Hiram Abiff wrote:
> Hi!
>
> I've been trying to set up ipfw on my FreeBSD box
> which I use as a gateway to the Internet on my LAN.
>
> I compiled the kernel with options IPFIREWALL and IPDIVERT,
> edited rc.conf and some other files.
>
> Now I have 2 problems:
>
> 1.) Each time FreeBSD boots ppp automatically establishes
> a connection via ISDN. I do not want it to do that, I want
> the connection to be established when some of the other
> 2 boxes I have on my LAN run software that demands an
> internet connection.
>
> For example, if I run firefox on my linux box, I want
> the FreeBSD box to receive the linux box's request
> for a connection and dial my ISP via ISDN.
>
> In rc.conf I set ppp_mode="auto" because in ppp's man
> page it says that this is the correct mode for
> on-demand connection.
>
> 2.) Although I set up my firewall rules I cannot access
> anything on the outside net anymore, and my other
> 2 boxes can't access the Internet after setting up the
> firewall. Also I cannot access the squid proxy I set up
> on my FreeBSD box anymore. All of this was working
> before I set up the firewall. What am I doing wrong?
> Why can't I access the net outside my home LAN and
> why doesn't squid work anymore?
>
> Here's my firewall rule file:
>
> fwcmd="/sbin/ipfw"
>
> #Outside interface
> oif="tun0"
>
> #Inside interface
> iif="rl0"
>
> # Force a flushing of the current rules before reload
> $fwcmd -f flush
>
> #Check the state of all packets
> $fwcmd add check-state
>
> #Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via oif

You should only be NAT'ing inbound packets here; also, the "$" is
missing in oif:

$fwcmd add divert natd ip from any to any in via $oif

> # Allow all data from my network card and localhost
> $fwcmd add allow all from any to any via lo0
> $fwcmd add allow ip from any to any via $ii0

Is $ii0 a typo? You have iif="rl0" defined as your private NIC; did
you mean to have:

$fwcmd add allow ip from any to any via $iif ???

I see the same sort of errors in the rest, look it over carefully.

-Mike

> # Allow all connections that I initiate
> $fwcmd add allow tcp from any to any out xmit oif setup
>
> # Once connections are made, allow them to stay open
> $fwcmd add allow tcp from any to any via oif established
>
> # Everyone on the internet is allowed to connect
> $fwcmd add allow tcp from any to any 22 setup
> $fwcmd add allow tcp from any to any 21 setup
> $fwcmd add allow tcp from any to any 8080 setup
> $fwcmd add allow tcp from any to any 53 setup
> $fwcmd add allow tcp from any to any 4662 setup
> $fwcmd add allow udp from any to any 4672 setup
>
> # This sends a RESET to all ident packets
> $fwcmd add reset log tcp from any to any 113 in recv oif
>
> # Allow outgoing DNS queries ONLY to the specified servers
> $fwcmd add allow udp from any to 161.53.114.135 53 out xmit tun0
> $fwcmd add allow udp from any to 161.53.114.145 53 out xmit tun0
>
> # Allow them back in with the answers
> $fwcmd add allow udp from 161.53.114.135 53 to any in recv oif
> $fwcmd add allow udp from 161.53.114.145 53 to any in recv oif
>
> # Allow ICMP
> $fwcmd add 65435 allow icmp from any to any
>
> # Deny all the rest.
> #$fwcmd add 65435 deny log ip from any to any
>
> --
> "It was as though a veil had been rent. I saw on that ivory face
> the expression of sombre pride, of ruthless power,
> of craven terror -- of an intense and hopeless despair.
> Did he live his life again in every detail of desire,
> temptation, and surrender during that supreme moment
> of complete knowledge?"
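As an added example that is not part of the thread (the function names lint_ipfw_vars and lint_finding_count are my own, and the sample file is a constructed excerpt of the posted ruleset), a POSIX sh lint that catches exactly the two defects Mike points out: a $name that is never assigned, and a variable used after via/xmit/recv without its "$":

```shell
#!/bin/sh
# Lint for sh-style ipfw rule scripts (added example, not from the thread).
# It flags the two mistakes named in the reply:
#   1. "$name" expanded but never assigned, so ipfw gets an empty argument
#   2. via/xmit/recv followed by a bare word equal to an assigned variable,
#      i.e. a forgotten "$", so ipfw looks for an interface literally named so
# Usage: lint_ipfw_vars FILE  -> prints findings, returns 1 if any were found
lint_ipfw_vars() {
    script="$1"
    rc=0
    # names assigned at line start (e.g. oif="tun0"), space-separated
    defined=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$script" \
              | sort -u | tr '\n' ' ')
    # every $name reference, checked against the assigned names
    for ref in $(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$script" | tr -d '$' | sort -u); do
        case " $defined " in
            *" $ref "*) ;;
            *) echo "undefined variable: \$$ref"; rc=1 ;;
        esac
    done
    # bare names after an interface keyword; a space is appended to each line
    # so the name has to end as a whole word
    for name in $defined; do
        hits=$(sed 's/$/ /' "$script" \
               | grep -nE "(via|xmit|recv)[[:space:]]+$name[[:space:]]")
        if [ -n "$hits" ]; then
            echo "$hits" | sed 's/^/missing $ before '"$name"', line /'
            rc=1
        fi
    done
    return $rc
}

# Returns the number of findings so a caller can check rather than read output.
lint_finding_count() {
    lint_ipfw_vars "$1" | wc -l | tr -d ' '
}

# Constructed sample: the definitions and three rules from the posted script.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
fwcmd="/sbin/ipfw"
oif="tun0"
iif="rl0"
$fwcmd -f flush
$fwcmd add divert natd all from any to any via oif
$fwcmd add allow ip from any to any via $ii0
$fwcmd add allow tcp from any to any out xmit oif setup
EOF
lint_ipfw_vars "$SAMPLE_RULES" || echo "fix the ruleset before loading it"
```

Because a bare `oif` is a syntactically valid interface name, ipfw accepts the rule and it simply never matches, so a check like this is the only way to notice before the firewall is loaded.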