On Thu, Apr 22, 2004 at 07:00:48PM -0400, Peter Tokanel wrote:
> 
> 
> Alex de Kruijff wrote:
> 
> >On Wed, Apr 21, 2004 at 07:33:51PM -0400, Peter Tokanel wrote:
> > 
> >
> >>Hi,
> >>
> >>I am new to unix but I have managed to setup a home network using  
> >>Free BSD. The
> >>FreeBSD box is a gateway/firewall/router for my Windows XP box and a 
> >>wireless access
> >>point. The XP box can access the web just great using the shared 
> >>connection.
> >>My problem is when email is used on the WindowsXP box , no messages can be
> >>sent out. I can receive email from my ISP's pop-server just fine. I am 
> >>not sure if I need
> >>to start some kind of mail daemon or what???? Is it my firewall 
> >>configuration????
> >>I have included some of my setup files, hopefully someone can tell me 
> >>   
> >>
> >
> >XP 192.168.1.0/24 <-> 192.168.1.0/24 gateway <public_ip> <-> internet
> >
> >It could be your firewall but it could also be you XP configuration.
> >If you give me the output of 'ipfw sh' then i'll check if I can find
> >anything that blocks sending mail.
> >
> > 
> >
> 
> -- 
> Hi,
>  Here is the output of 'ipfw sh'......I don't pretend to understand 
> what all these mean. The
> ipfw rules for the 'simple' case in rc.firewall were a starting point, 
> but then I added a few
> additional rules from various spots on the net attempting to fix various 
> problems. Any advice
> would be appreciated.

I couldn't find exacly what the problem is. It looks oke for me. If you
like to go on with this one you could try doing:
1. ipfw z
2. Try sending your mail
3. ipfw sh (and look where the packed gets blocked)
4. If you sloved the problem skip to the end
5. Add log to the rule and do 1-3. Then check /etc/security and look for
the rigth packets and see what happens.

What I like to do is offer you an alternative framework. I'll be in a
better position to help you this way.

For this first put these lines in your /etc/rc.conf. This will load the
firewall rules from that file.
firewall_enable="YES"
firewall_type="/etc/firewall.conf"

Then put these rules in your /etc/firewall.conf:
# Select NIC (10000 = internal 20000 = external)
add 00010 skipto 10000  ip from any to any via rl0
add 00020 skipto 20000  ip from any to any via vl0
add 00030 allow         ip from any to any via lo0
add 09999 deny          ip from any to any

> A packet send from the XP box to the internet passes these rule twice
> because it goes through two NICs.

# Internal NIC
19997 allow ip from 192.168.1.0/24 to any
19997 allow ip from any to 192.168.1.0/24
19998 reject log ip from any to any in
19999 deny log ip from any to any out

> reject = deny + it tells the sender that no such service exist. That
> is smart for _you own_ computer.

## External NIC - Anti spoofing
#add 20200 skipto 20300  ip from 192.168.1.0/24 to any in
#add 20210 reject        ip from any to 10.0.0.0/8     out
#add 20220 reject        ip from any to 172.0.0.0/12   out
#add 20230 reject        ip from any to 192.168.0.0/16 out
#add 20240 deny          ip from 10.0.0.0/8     to any in
#add 20250 deny          ip from 172.0.0.0/12   to any in
#add 20260 deny          ip from 192.168.0.0/16 to any in

> Afther everything works you can place your anti spoofing rules here
> and keep those packets from going into natd. Rules 200,240-260 can
> block you out and are optional.

# External NIC - Natd
20520 skipto 20600 ip from me to any
20530 divert 8668 ip from any to any
20540 allow ip from me to any
20550 allow ip from any to 192.168.31.0/24

> This acts like a stateful firewall (like below) for the lan.

# External NIC - Stateful firewall
29800 allow tcp from me to any keep-state setup
29810 allow udp from me to any keep-state
29820 allow ip  from me to any keep-state

> This allows packets out and responce back in.

# External NIC - deny or reject everyting else
29998 deny log ip from any to any in
29999 reject log ip from any to any out

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to