From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 12 08:35:11 2004
From: Martes Wigglesworth
To: David Roberts
cc: ipfw-mailings
Subject: Re: upgrading from 5.2.1 to 5.3 broke my ipfw
Date: Fri, 12 Nov 2004 11:35:05 +0300
Organization: Wiggtekmicro Corporation
Reply-To: martes.wigglesworth@earthlink.net
Message-Id: <1100248505.826.6.camel@Mobile1.276NET>
In-Reply-To: <20041112065715.4EEE743D49@mx1.FreeBSD.org>
List-Id: IPFW Technical Discussions

That is really a problem. I have seen more broken stuff with 5.3, than with 5.2.1, than I care to complain about. The way that the default-accept option is supposed to work, is that your default 65535 rule is allow ip from any to any.

Your experience is not normal. Your rules should apply to something. Have you tried doing a /etc/netstart? I used to get ignored functionality, when my routing table was quirky, due to dhcp or something else. The main issue is that your rule is saying one thing, and not doing the displayed functionality. That is something that you may want to put to the Current list.

I am not an expert, however, I have bumped into erroneous-user land many a time, with BSD, and I have experienced such functionality, with the exception of the fictitious default rule. (Please excuse spelling) You may want to fetch the newest CVSUP'd src and recompile the kernel, with a new version of the config file, and all. I have found that an unreliable source can cause this weirdness, as well.

-- 
Respectfully,
M.G.W.

System: Asus M6N
Intel Dothan 1.7
512MB RAM
40GB HD
10/100/1000 NIC
Wireless b/g (not working yet)
BSD-5.2.1
GCC-3.3.5/3.3.3 (until I replace indigenous gcc)
IFORT for linux (Intel Fortran)
gfortran
python-2.3
Perl-5.6.1/5.8.5
Java-sdk-1.4.2_5
KDE-3.1.4

----- Forwarded message - upgrading from 5.2.1 to 5.3 broke my ipfw -----

From: "David Roberts"
Date: Thu, 11 Nov 2004 22:57:12 -0800
Subject: upgrading from 5.2.1 to 5.3 broke my ipfw
Message-Id: <20041112065715.4EEE743D49@mx1.FreeBSD.org>
Sender: owner-freebsd-ipfw@freebsd.org

Hi,

I have been using ipfw for some time now and recently upgraded from 5.2.1 to 5.3. My firewall immediately started blocking me even from pinging localhost. I also noted an error around an ipfw log entry I had and commented it out. I checked online and saw an IPFIREWALL_DEFAULT_TO_ACCEPT and figured I'd give it a try since I was always frustrated that flushing my rules would bump me off. I rebuilt the kernel and now I have the opposite problem, everything is allowed no matter what my rules say.

My kernel opts are now

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10
    options IPFIREWALL_DEFAULT_TO_ACCEPT

After flushing ipfw I get

    # ipfw show
    65535 67836 20914281 deny ip from any to any

I even added another deny rule but everything is still allowed. Does that option just disable my firewall entirely?

My #ipfw show after running my firewall.rules is:

    00100 0 0 allow ip from 127.0.0.1 to any keep-state
    00200 0 0 allow ip from 192.168.1.0/28 to any keep-state
    00300 0 0 allow ip from to any keep-state
    00400 0 0 deny ip from 192.168.1.0/28 to any in via fxp0
    00500 0 0 deny ip from any to 172.16.0.0/12 via fxp0
    00600 0 0 deny ip from any to 192.168.0.0/16 via fxp0
    00700 0 0 deny ip from any to 0.0.0.0/8 via fxp0
    00800 0 0 deny ip from any to 169.254.0.0/16 via fxp0
    00900 0 0 deny ip from any to 192.0.2.0/24 via fxp0
    01000 0 0 deny ip from any to 224.0.0.0/4 via fxp0
    01100 0 0 deny ip from any to 240.0.0.0/4 via fxp0
    01200 0 0 deny ip from 172.16.0.0/12 to any via fxp0
    01300 0 0 deny ip from 192.168.0.0/16 to any via fxp0
    01400 0 0 deny ip from 0.0.0.0/8 to any via fxp0
    01500 0 0 deny ip from 169.254.0.0/16 to any via fxp0
    01600 0 0 deny ip from 192.0.2.0/24 to any via fxp0
    01700 0 0 deny ip from 224.0.0.0/4 to any via fxp0
    01800 0 0 deny ip from 240.0.0.0/4 to any via fxp0
    01900 0 0 allow tcp from any to dst-port 80 setup
    02000 0 0 allow tcp from any to dst-port 22 setup keep-state
    02100 0 0 allow tcp from 192.168.1.0/28 to any setup
    65535 70851 21336238 deny ip from any to any

Thanks
David

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
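The listing David posted has a tell-tale shape: every user rule shows 0 packets while rule 65535 carries all the counters, and the listed default action (deny) does not agree with the IPFIREWALL_DEFAULT_TO_ACCEPT kernel he says he built, which normally shows up as "65535 ... allow ip from any to any". The script below is an added example, not code from this thread or from FreeBSD: it reads an "ipfw show" listing and reports whether any user rule is matching traffic, whether only the default rule is, and whether the default rule's action matches the expected one. The sample listing is constructed here, modelled on the thread; the function name ipfw_audit and the verdict words are my own choices.

```shell
#!/bin/sh
# Added example (not from this thread or from FreeBSD): a small audit of an
# `ipfw show` listing. It answers the question a defender asks when a ruleset
# seems to be ignored: are any user rules accumulating packet counts, or is all
# traffic being accounted to the default rule 65535, and does that default
# rule's listed action match what the kernel was built with?
#
# The listing below is CONSTRUCTED sample input modelled on the thread; on a
# real host pipe in the live output of `ipfw show` instead.
SAMPLE_IPFW_SHOW='00100 0 0 allow ip from 127.0.0.1 to any keep-state
00200 0 0 allow ip from 192.168.1.0/28 to any keep-state
00400 0 0 deny ip from 192.168.1.0/28 to any in via fxp0
01900 0 0 allow tcp from any to any dst-port 80 setup
65535 70851 21336238 deny ip from any to any'

# ipfw_audit [expected-default-action]
#   Reads an `ipfw show` listing on stdin (fields: rule packets bytes action ...)
#   and prints one summary line that starts with a verdict:
#     ok            some user rule has matched traffic
#     default-only  the default rule has hits but no user rule does (the symptom above)
#     idle          nothing has matched anything yet
#     no-rules      only the default rule is loaded
#   If an expected default action is given ("allow" for a kernel built with
#   IPFIREWALL_DEFAULT_TO_ACCEPT, "deny" otherwise) and the listing disagrees,
#   "default-mismatch" is appended to the verdict.
ipfw_audit() {
    awk -v expect="$1" '
    /^[0-9]+ / {
        rule = $1 + 0; pkts = $2 + 0; action = $4
        if (rule == 65535) { def_pkts = pkts; def_action = action; next }
        user_rules++
        user_pkts += pkts
        if (pkts > 0) hit_rules++
    }
    END {
        verdict = "ok"
        if (user_rules == 0) verdict = "no-rules"
        else if (def_pkts > 0 && hit_rules == 0) verdict = "default-only"
        else if (def_pkts == 0 && user_pkts == 0) verdict = "idle"
        if (expect != "" && expect != def_action) verdict = verdict " default-mismatch"
        printf "%s user_rules=%d hit_rules=%d user_pkts=%d default=%s default_pkts=%d\n",
            verdict, user_rules + 0, hit_rules + 0, user_pkts + 0, def_action, def_pkts + 0
    }'
}

# Run against the constructed sample, expecting the default-to-accept rule the
# poster compiled in. Prints:
#   default-only default-mismatch user_rules=4 hit_rules=0 user_pkts=0 default=deny default_pkts=70851
printf '%s\n' "$SAMPLE_IPFW_SHOW" | ipfw_audit allow
```

On a live FreeBSD host the same function runs as "ipfw show | ipfw_audit allow" (or "deny" for a kernel without IPFIREWALL_DEFAULT_TO_ACCEPT). A "default-only" verdict means the rules are loaded but nothing is reaching them, and "default-mismatch" means the running kernel is not the one you think you built; together they point at the kernel and at "sysctl net.inet.ip.fw.enable" rather than at the ruleset, which is worth establishing before editing firewall.rules any further.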