Date:      Thu, 11 Nov 2004 22:57:12 -0800
From:      "David Roberts" <dtrobert@pacbell.net>
To:        <freebsd-ipfw@freebsd.org>
Subject:   upgrading from 5.2.1 to 5.3 broke my ipfw
Message-ID:  <20041112065715.4EEE743D49@mx1.FreeBSD.org>

Hi,
 I have been using ipfw for some time now and recently upgraded from 5.2.1
to 5.3. My firewall immediately started blocking me even from pinging
localhost.  

I also noted an error around an ipfw log entry I had and commented it out. 
I checked online and saw an IPFIREWALL_DEFAULT_TO_ACCEPT and figured I'd
give it a try since I was always frustrated that flushing my rules would
bump me off. I rebuilt the kernel and now I have the opposite problem:
everything is allowed no matter what my rules say.

My kernel opts are now 
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT

After flushing ipfw I get

# ipfw show
65535 67836 20914281 deny ip from any to any

I even added another deny rule but everything is still allowed. Does that
option just disable my firewall entirely?

My ipfw show output after running my firewall.rules is:

00100     0        0 allow ip from 127.0.0.1 to any keep-state
00200     0        0 allow ip from 192.168.1.0/28 to any keep-state
00300     0        0 allow ip from <myip> to any keep-state
00400     0        0 deny ip from 192.168.1.0/28 to any in via fxp0
00500     0        0 deny ip from any to 172.16.0.0/12 via fxp0
00600     0        0 deny ip from any to 192.168.0.0/16 via fxp0
00700     0        0 deny ip from any to 0.0.0.0/8 via fxp0
00800     0        0 deny ip from any to 169.254.0.0/16 via fxp0
00900     0        0 deny ip from any to 192.0.2.0/24 via fxp0
01000     0        0 deny ip from any to 224.0.0.0/4 via fxp0
01100     0        0 deny ip from any to 240.0.0.0/4 via fxp0
01200     0        0 deny ip from 172.16.0.0/12 to any via fxp0
01300     0        0 deny ip from 192.168.0.0/16 to any via fxp0
01400     0        0 deny ip from 0.0.0.0/8 to any via fxp0
01500     0        0 deny ip from 169.254.0.0/16 to any via fxp0
01600     0        0 deny ip from 192.0.2.0/24 to any via fxp0
01700     0        0 deny ip from 224.0.0.0/4 to any via fxp0
01800     0        0 deny ip from 240.0.0.0/4 to any via fxp0
01900     0        0 allow tcp from any to <myip> dst-port 80 setup
02000     0        0 allow tcp from any to <myip> dst-port 22 setup keep-state
02100     0        0 allow tcp from 192.168.1.0/28 to any setup
65535 70851 21336238 deny ip from any to any

Thanks

David
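An added check for the situation described in this post (example code, not part of the original message and not ipfw's own tooling): with IPFIREWALL_DEFAULT_TO_ACCEPT compiled in, whatever falls through to rule 65535 takes the accept action, so a deny-by-default policy only holds if the ruleset itself ends in an explicit catch-all deny. The script assumes the `ipfw show` column layout seen above (rule number, packets, bytes, action, body) and uses a constructed, abridged copy of the posted ruleset.

```shell
#!/bin/sh
# Audit an `ipfw show` listing for an explicit catch-all deny placed before
# the kernel default rule 65535, and report how much traffic reached 65535.

# has_explicit_catchall_deny: reads an `ipfw show` listing on stdin; exits 0
# if some rule numbered below 65535 is exactly "deny ip from any to any"
# (no interface, direction or other qualifier), 1 otherwise.
has_explicit_catchall_deny() {
    awk '
        $1 + 0 < 65535 && $4 == "deny" && NF == 9 &&
        $5 == "ip" && $6 == "from" && $7 == "any" && $8 == "to" && $9 == "any" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# default_rule_packets: prints the packet counter of rule 65535, i.e. the
# traffic that matched no explicit rule and took the compiled-in default action.
default_rule_packets() {
    awk '$1 == "65535" { print $2 }'
}

# Constructed sample, abridged from the posted ruleset: only targeted allows
# and denies, so ordinary traffic falls through to 65535.
RULESET_WEAK='00100 0 0 allow ip from 127.0.0.1 to any keep-state
00400 0 0 deny ip from 192.168.1.0/28 to any in via fxp0
01900 0 0 allow tcp from any to <myip> dst-port 80 setup
65535 70851 21336238 deny ip from any to any'

# Same ruleset with an explicit catch-all deny appended just below 65535, so
# the policy stays deny-by-default even though the kernel default is accept.
RULESET_FIXED="$(printf '%s\n' "$RULESET_WEAK" | sed '$d')
65000 0 0 deny ip from any to any
65535 70851 21336238 deny ip from any to any"

if printf '%s\n' "$RULESET_WEAK" | has_explicit_catchall_deny; then
    echo "weak: explicit catch-all deny present"
else
    echo "weak: no explicit catch-all deny; rule 65535 saw $(printf '%s\n' "$RULESET_WEAK" | default_rule_packets) packets"
fi
printf '%s\n' "$RULESET_FIXED" | has_explicit_catchall_deny && echo "fixed: explicit catch-all deny present"
```

On a live system, replace the constructed strings with `ipfw show | has_explicit_catchall_deny`; a rising counter on 65535 together with a failing check means traffic is being passed by the default action rather than by any rule you wrote.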
