RE: Any IPFW clues???
Perhaps you could post your rules?

- Sean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary D Kline
Sent: Sunday, December 22, 2002 4:06 PM
To: FreeBSD Mailing List
Subject: Any IPFW clues???

People,

I'm trying to switch from ipfilter to ipfw. With the former, things work. When I comment out the ipf* lines in /etc/rc.conf and enable the ipfw lines (and reboot) not even ping works. I've tried pinging ns1.thought.org and get the "No route to host" error. (!)

Anybody ever have this happen and understand what I'm breaking? And how to fix it?

thanks,
gary

--
Gary Kline [EMAIL PROTECTED] www.thought.org Public service Unix

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
Re: Any IPFW clues???
On 12/22/2002 at 3:05 PM Gary D Kline wrote:

| I'm trying to switch from ipfilter to ipfw. With the former,
| things work. When I comment out the ipf* lines in /etc/rc.conf
| and enable the ipfw lines (and reboot) not even ping works.
| I've tried pinging ns1.thought.org and get the No route to host
| error. (!)
|
| Anybody ever have this happen and understand what I'm breaking?
| And how to fix it?

What does your rules file look like? By default, ipfw blocks everything, unless you've enabled the DEFAULT_TO_ACCEPT option in the kernel config.
Re: Any IPFW clues???
On Sun, Dec 22, 2002 at 04:14:31PM -0700, Sean J. Countryman wrote:
> Perhaps you could post your rules?
>
> - Sean

Sure:

ipfw -f 10 flush
ipfw add 100 check-state
ipfw add 150 allow tcp from any to any in via dc0 keep-state
ipfw add 200 allow udp from any to any in via dc0 keep-state
ipfw add 300 allow icmp from any to any in recv dc0 keep-state
ipfw add 500 reset tcp from any to any in via dc0

# Allow in SSH on port 22 [[ this block should be okay ]]
ipfw add 1000 allow tcp from any to 10.0.0.249 22 in via dc1 keep-state
ipfw add 1050 allow tcp from 10.0.0.249 to any 22 out via dc1 keep-state
ipfw add 1100 allow tcp from any to 10.0.0.247 22 in via dc1 keep-state
ipfw add 1150 allow tcp from 10.0.0.247 to any 22 in via dc1 keep-state
ipfw add 1200 allow tcp from any to 216.231.43.140 22 in via dc0 keep-state
ipfw add 1250 allow tcp from 216.231.43.140 to any 22 in via dc0 keep-state

# Allow FTP data connections
ipfw add 1300 allow tcp from any to 216.231.43.140 21 7499-8501 in via dc0

# Allow in DNS on port 53
ipfw add 1400 allow tcp from any to 216.231.43.140 53 in via dc0
ipfw add 1500 allow udp from any to 216.231.43.140 53 in via dc0

# Allow in private printer and printer on ports 35 AND 515
ipfw add 1600 allow tcp from any to 216.231.43.140 35,515 in via dc0
ipfw add 1700 allow udp from any to 216.231.43.140 35,515 in via dc0

# Allow in HTTP on port 80
ipfw add 1800 allow tcp from any to 216.231.43.140 80 in via dc0
ipfw add 1900 allow udp from any to 216.231.43.140 80 in via dc0

# Allow in SMTP on port 25
ipfw add 2200 allow tcp from any to 216.231.43.140 25 in via dc0
ipfw add 2300 allow udp from any to 216.231.43.140 25 in via dc0

# Allow in named/BIND on port 42
ipfw add 2400 allow tcp from any to 216.231.43.140 42 in via dc0
ipfw add 2500 allow udp from any to 216.231.43.140 42 in via dc0

# deny unreachable pings; (type = 3).
ipfw add 2600 deny icmp from any to any in icmptypes 3

# Inside Interface
ipfw add 2900 allow udp from any to any out xmit dc0 keep-state
ipfw add 3200 allow tcp from any to any via dc0 keep-state
ipfw add 3300 allow udp from any to any in recv dc0 keep-state
ipfw add 3400 allow icmp from any to any via dc0 keep-state
ipfw add 3500 deny ip from any to any recv dc0

# Loopback Interface
ipfw add 3600 allow ip from 127.0.0.1 to 127.0.0.1 in recv lo0
ipfw add 3700 allow ip from 127.0.0.1 to 127.0.0.1 out xmit lo0

ipfw add 3800 allow from any to any

Anything here glaringly wrong?

gary

--
Gary Kline [EMAIL PROTECTED] www.thought.org Public service Unix
Re: Any IPFW clues???
On Sun, Dec 22, 2002 at 06:19:12PM -0500, MikeM wrote:
> On 12/22/2002 at 3:05 PM Gary D Kline wrote:
>
> | I'm trying to switch from ipfilter to ipfw. With the former,
> | things work. When I comment out the ipf* lines in /etc/rc.conf
> | and enable the ipfw lines (and reboot) not even ping works.
> | I've tried pinging ns1.thought.org and get the No route to host
> | error. (!)
> |
> | Anybody ever have this happen and understand what I'm breaking?
> | And how to fix it?
>
> What does your rules file look like? By default, ipfw blocks everything, unless you've enabled the DEFAULT_TO_ACCEPT option in the kernel config.

Yeah, I saw that DEFAULT; mine is to ACCEPT...

gary

PS: rules just posted.

--
Gary Kline [EMAIL PROTECTED] www.thought.org Public service Unix
Re: Any IPFW clues???
On Sun, Dec 22, 2002 at 03:21:13PM -0800, Sarah Woolley wrote:
> I had this happen to me once. ipfw may be set to deny everything. You'll probably need to make rules allowing whatever traffic you want in and out. Try the man pages. They are useful. :)

Thanks; I'm reading the HOWTO, which is equally helpful. One thing was that even tho I thought I had the kernel rebuilt earlier, evidently *not*. Cut-paste:

messages:154:Dec 22 13:20:36 sage /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled
messages:258:Dec 22 13:28:26 sage /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled
messages:362:Dec 22 13:38:43 sage /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled

About an hour ago everything was OPEN and DEFAULT_TO_ACCEPT.

gary

--
Gary Kline [EMAIL PROTECTED] www.thought.org Public service Unix
Re: Any IPFW clues???
Do "ipfw show" to see what's actually in ipfw. Also, I don't think the 10 after -f on the first line should be there; perhaps it's preventing ipfw from actually flushing things.

Hope this helps.
Re: Any IPFW clues???
On Sun, Dec 22, 2002 at 03:30:04PM -0800, Sarah Woolley wrote:
> Do "ipfw show" to see what's actually in ipfw. Also, I don't think the 10 after -f on the first line should be there; perhaps it's preventing ipfw from actually flushing things.
>
> Hope this helps.

Hm! Let me try that... I think you're right about the numbering for flush.

Ah. There is an err on the last line:

ipfw add 3800 allow from any to any

should read:

ipfw add 3800 allow all from any to any

gary

--
Gary Kline [EMAIL PROTECTED] www.thought.org Public service Unix
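The two slips the thread ends on (a rule number after "-f" before "flush", and "allow from any to any" with no protocol keyword) are the kind of thing that silently fails to load and, on a default-to-deny kernel, leaves the box with no reachable rules. The following is an added example, not code from anyone in this thread: a small sh+awk lint that catches those shapes, plus out-of-order rule numbers, on a copy of the rule file before it is loaded. It assumes the "ipfw add NUMBER ACTION [log] PROTO from ... to ..." layout used above and knows only the protocol names that appear in the posted rules.

```shell
#!/bin/sh
# Static lint for an ipfw(8) rule script. Pure sh+awk, so it runs anywhere;
# it checks only the command shapes used in this thread, not the full grammar.
lint_ipfw_rules() {
    awk '
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }   # drop comments and blank lines
    # "ipfw -f 10 flush": -f takes no argument, so "10" is read as the command.
    $1 == "ipfw" && $2 == "-f" && $3 ~ /^[0-9]+$/ {
        printf "line %d: \"-f %s\" takes no rule number; write \"ipfw -f flush\"\n", NR, $3
        next
    }
    $1 == "ipfw" && $2 == "add" && $3 ~ /^[0-9]+$/ {
        num = $3 + 0
        if (num < last)
            printf "line %d: rule %d is out of order (previous rule was %d)\n", NR, num, last
        last = num
        if ($4 == "check-state") next         # check-state carries no body
        p = 5; if ($p == "log") p++           # optional "log" precedes the protocol
        proto = $p
        # After the action ipfw expects a protocol; "allow from any to any"
        # has none, is rejected, and so the intended catch-all never exists.
        if (proto != "ip" && proto != "all" && proto != "tcp" &&
            proto != "udp" && proto != "icmp")
            printf "line %d: \"%s %s\" has no protocol (ip, all, tcp, udp or icmp)\n", NR, $4, proto
    }'
}

# Constructed sample (not the poster's full list): it repeats the two
# slips found in the thread, on its first and last lines.
SAMPLE_RULES='ipfw -f 10 flush
ipfw add 100 check-state
ipfw add 150 allow tcp from any to any in via dc0 keep-state
ipfw add 2600 deny icmp from any to any in icmptypes 3
ipfw add 3800 allow from any to any'

lint_sample() { printf "%s\n" "$SAMPLE_RULES" | lint_ipfw_rules; }
count_sample_findings() { lint_sample | wc -l | tr -d " "; }

lint_sample
```

On the FreeBSD box itself, "ipfw -n" checks a command against the real parser without passing it to the kernel, which is the authoritative check; this lint is for the copy on your desk.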