On Sun, Sep 14, 2003 at 05:27:15PM +0800, Robert Storey wrote:
> Dear All,
>
> I'm having a hard time configuring a firewall. I ALMOST understand it,
> but I've run into one problem. I think I don't actually have my
> /etc/rc.firewall set up properly. Maybe I don't really understand what
> the "ip" setting should be, and I've made it the same as my "net"
> setting. Anyway, what I can say is that with the configuration I have, I
> can access my internal (ethernet) network, but ppp is totally blocked,
> which of course I don't want.
>
> Below are the configuration settings I've made, and the results I get. I
> hope that somebody can help.
>
> best regards,
> Robert Storey
>
> FROM /etc/rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="client"
>
> FROM /etc/rc.firewall:
>
> # set these to your network and netmask and ip
> net="192.168.0.2"
> mask="255.255.255.0"
> ip="192.168.0.2"
>
> CONTENT OF /etc/hosts:
> #
> ::1 localhost localhost.utopia.com
> 127.0.0.1 localhost localhost.utopia.com
> #
> 192.168.0.3 ibm.utopia.com ibm
> 192.168.0.2 sonic.utopia.com sonic
> 192.168.0.1 pro.utopia.com pro
>
> OUTPUT OF "ipfw -a list":
>
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 allow ip from 192.168.0.2 to 192.168.0.0/24
> 00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.2
> 00600 0 0 allow tcp from any to any established
> 00700 0 0 allow ip from any to any frag
> 00800 0 0 allow tcp from any to 192.168.0.2 dst-port 25 setup
> 00900 0 0 allow tcp from 192.168.0.2 to any setup
> 01000 0 0 deny tcp from any to any setup
> 01100 0 0 allow udp from 192.168.0.2 to any dst-port 53 keep-state
> 01200 0 0 allow udp from 192.168.0.2 to any dst-port 123 keep-state
> 65535 0 0 deny ip from any to any
It doesn't look like it's really made a diff, but your "net" setting should be 192.168.0.0. The rules you pasted would appear to allow your local machine (192.168.0.2) out - the other interesting thing is that all of the counters in your listing are 0. If everything was totally broken I would still expect to see the counters for rule 65535 with values.

Is this box a gateway on your network or just another machine on the LAN? What is the output of `ifconfig -a`?

Nathan
--
gpg --keyserver pgp.mit.edu --recv-keys D8527E49
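As an added illustration of the point in the reply above (not part of the original thread), the script below shows how a "client" rc.firewall's net/mask/ip variables become the two LAN rules seen as 00400 and 00500, and why net="192.168.0.2" and net="192.168.0.0" list back identically once the host bits are masked off. The rule template is my reconstruction of the client section of FreeBSD's rc.firewall, not copied from it (assumption), and the sample values are Robert's.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the client section of
# rc.firewall adds "allow ip from ${ip} to ${net}:${mask}" and its reverse.

# Print the network prefix (e.g. 192.168.0.0/24) for an address and netmask,
# i.e. what ipfw lists back after masking the host bits off.
network_of() {
    addr=$1 mask=$2
    oldifs=$IFS; IFS=.
    set -- $addr; a1=$1 a2=$2 a3=$3 a4=$4
    set -- $mask; m1=$1 m2=$2 m3=$3 m4=$4
    IFS=$oldifs
    # Prefix length = number of 1-bits in the mask.
    len=0
    for m in $m1 $m2 $m3 $m4; do
        while [ "$m" -gt 0 ]; do
            len=$((len + (m & 1))); m=$((m >> 1))
        done
    done
    printf '%d.%d.%d.%d/%d\n' \
        $((a1 & m1)) $((a2 & m2)) $((a3 & m3)) $((a4 & m4)) "$len"
}

# Emit the two LAN rules (00400/00500 in the listing) for a given ip/net/mask,
# already normalised the way "ipfw -a list" shows them.
client_lan_rules() {
    ip=$1 net=$2 mask=$3
    prefix=$(network_of "$net" "$mask")
    printf 'allow ip from %s to %s\n' "$ip" "$prefix"
    printf 'allow ip from %s to %s\n' "$prefix" "$ip"
}

# Constructed sample: Robert's net="192.168.0.2" versus the corrected
# net="192.168.0.0"; both print the same two rules.
client_lan_rules 192.168.0.2 192.168.0.2 255.255.255.0
client_lan_rules 192.168.0.2 192.168.0.0 255.255.255.0
```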