From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 12 06:57:15 2004
From: "David Roberts" <dtrobert@pacbell.net>
To: freebsd-ipfw@freebsd.org
Date: Thu, 11 Nov 2004 22:57:12 -0800
Subject: upgrading from 5.2.1 to 5.3 broke my ipfw
Message-Id: <20041112065715.4EEE743D49@mx1.FreeBSD.org>
List-Id: IPFW Technical Discussions

Hi,

I have been using ipfw for some time now and recently upgraded from 5.2.1 to 5.3. My firewall immediately started blocking me, even from pinging localhost. I also noted an error around an ipfw log entry I had and commented it out. I checked online and saw an IPFIREWALL_DEFAULT_TO_ACCEPT option and figured I'd give it a try, since I was always frustrated that flushing my rules would bump me off. I rebuilt the kernel and now I have the opposite problem: everything is allowed no matter what my rules say.
My kernel opts are now:

  options IPFIREWALL
  options IPFIREWALL_VERBOSE
  options IPFIREWALL_VERBOSE_LIMIT=10
  options IPFIREWALL_DEFAULT_TO_ACCEPT

After flushing ipfw I get:

  # ipfw show
  65535 67836 20914281 deny ip from any to any

I even added another deny rule, but everything is still allowed. Does that option just disable my firewall entirely?

My "ipfw show" after running my firewall.rules is:

  00100 0 0 allow ip from 127.0.0.1 to any keep-state
  00200 0 0 allow ip from 192.168.1.0/28 to any keep-state
  00300 0 0 allow ip from to any keep-state
  00400 0 0 deny ip from 192.168.1.0/28 to any in via fxp0
  00500 0 0 deny ip from any to 172.16.0.0/12 via fxp0
  00600 0 0 deny ip from any to 192.168.0.0/16 via fxp0
  00700 0 0 deny ip from any to 0.0.0.0/8 via fxp0
  00800 0 0 deny ip from any to 169.254.0.0/16 via fxp0
  00900 0 0 deny ip from any to 192.0.2.0/24 via fxp0
  01000 0 0 deny ip from any to 224.0.0.0/4 via fxp0
  01100 0 0 deny ip from any to 240.0.0.0/4 via fxp0
  01200 0 0 deny ip from 172.16.0.0/12 to any via fxp0
  01300 0 0 deny ip from 192.168.0.0/16 to any via fxp0
  01400 0 0 deny ip from 0.0.0.0/8 to any via fxp0
  01500 0 0 deny ip from 169.254.0.0/16 to any via fxp0
  01600 0 0 deny ip from 192.0.2.0/24 to any via fxp0
  01700 0 0 deny ip from 224.0.0.0/4 to any via fxp0
  01800 0 0 deny ip from 240.0.0.0/4 to any via fxp0
  01900 0 0 allow tcp from any to dst-port 80 setup
  02000 0 0 allow tcp from any to dst-port 22 setup keep-state
  02100 0 0 allow tcp from 192.168.1.0/28 to any setup
  65535 70851 21336238 deny ip from any to any

Thanks,
David
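The one hard fact in the listing above is in the counters: every explicit rule shows 0 packets while rule 65535 has accumulated over 70000, so nothing in the ruleset is matching and all traffic is being decided by the default rule. The following added diagnostic (not part of the original message, and not FreeBSD's own tooling) parses "ipfw show" output in that format (rule number, packet count, byte count, action, body) and reports whether any explicit rule has matched; the sample listing embedded in it is constructed from the post, with the two rules whose hosts were lost from the page left out.

```shell
#!/bin/sh
# Added diagnostic for "ipfw show" counters (example code, not from the original post).
# Field layout of "ipfw show": <rule> <packets> <bytes> <action> <body...>

# Constructed sample: the counters from the listing above (two rules with
# elided hosts omitted). Replace with `ipfw show` on a live box.
SAMPLE_IPFW_SHOW='00100 0 0 allow ip from 127.0.0.1 to any keep-state
00200 0 0 allow ip from 192.168.1.0/28 to any keep-state
00400 0 0 deny ip from 192.168.1.0/28 to any in via fxp0
02100 0 0 allow tcp from 192.168.1.0/28 to any setup
65535 70851 21336238 deny ip from any to any'

# Read an "ipfw show" listing on stdin and print one line:
#   <packets matched by explicit rules> <packets hitting 65535> <action of 65535>
ipfw_counter_summary() {
    awk '
        $1 == "65535" { def_pkts = $2; def_action = $4; next }
        NF >= 4       { explicit_pkts += $2 }
        END { printf "%d %d %s\n", explicit_pkts + 0, def_pkts + 0, def_action }
    '
}

# Exit status 0 if at least one explicit rule has matched traffic,
# 1 if every counted packet fell through to the default rule.
ipfw_rules_are_matching() {
    set -- $(ipfw_counter_summary)
    [ "$1" -gt 0 ]
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_IPFW_SHOW" | ipfw_counter_summary
    if printf '%s\n' "$SAMPLE_IPFW_SHOW" | ipfw_rules_are_matching; then
        echo "explicit rules are matching"
    else
        echo "all traffic is falling through to rule 65535"
    fi
fi
```

Run it as `ipfw show | sh -c '. ./ipfw_counters.sh; ipfw_counter_summary'` (the file name is an assumption) or with `--demo` against the sample. Two things worth checking alongside it on a 5.3 box: `sysctl net.inet.ip.fw.enable` (the firewall does nothing when it is 0), and the fact that IPFIREWALL_DEFAULT_TO_ACCEPT makes the kernel's own rule 65535 an allow, so a closed policy built on that kernel must end with an explicit deny of its own, for example `ipfw add 65000 deny log ip from any to any`, rather than relying on the default rule.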