Re: firewall rules do not get read

2003-11-21 Thread Alex de Kruijff
On Thu, Nov 20, 2003 at 04:19:09PM -0800, Chip wrote:
 
 
 Alex de Kruijff wrote:
 
 On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
 
 I noticed my firewall rules are not being read. I have rc.conf set to 
 read the file rc.firewall. In rc.firewall the first line is add divert 
 natd etc etc. that is followed by pass all from any to any etc etc. Then 
 nothing after that is read, it is all ignored.
 If I comment out the line pass all from any to any then nothing works to 
 access the internet.
 I don't know what to do to make it read past those first two lines.
 Any suggestions?
 
 
 Can you give me the output of 'ipfw s'. If that one doesn't work then
 try 'ipfw l'?
 
 No problem, below are the results of the two commands. Question - do I 
 have to use rc.firewall? 

No, you can create your own configuration file for ipfw. You need these
two lines in rc.conf:

firewall_enable=YES
firewall_type=/etc/firewall.conf

The configuration file looks something like:
add divert natd ip from any to any via xl1
add allow ip from any to any

 Or is it just a generic ruleset that can be 
 replaced by a custom ruleset, as I have done (called firewall.rules 
 pasted in below)?

It's possible to place your own ruleset in the default script, but I would
advise *not* to do this, because when you update, this file can be
overridden in the process.

 here is ipfw s results -
 
 00100 1571924 1218317046 divert 8668 ip from any to any via xl1
 00200 3144909 2436915536 allow ip from any to any
 00300   0  0 divert 8668 ip from any to any via xl1
 00400   0  0 allow ip from any to any
 00500   0  0 divert 8668 ip from any to any via xl1
 65535   0  0 deny ip from any to any

The result of rc.firewall can be seen with ipfw l and ipfw s (show). The
latter gives the same information as ipfw l (list). The two values are the
number of packets and the number of bytes that applied to a rule.

A couple of comments:
1. Here you have three rules with divert natd. Normally you want a packet
to pass natd only one time.
2. Rule 200 is to allow everything, so the others aren't looked at.
3. This firewall allows every packet to pass.

You may like to have a look at my home page. I have an article about how
to set up a firewall that may prove to be useful to you.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: firewall rules do not get read

2003-11-21 Thread Micheal Patterson


- Original Message - 
From: Alex de Kruijff [EMAIL PROTECTED]
To: Chip [EMAIL PROTECTED]
Cc: FreeBSD Questions List [EMAIL PROTECTED]
Sent: Friday, November 21, 2003 1:24 PM
Subject: Re: firewall rules do not get read


 On Thu, Nov 20, 2003 at 04:19:09PM -0800, Chip wrote:
 
 
  Alex de Kruijff wrote:
 
  On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
  
  I noticed my firewall rules are not being read. I have rc.conf set to
  read the file rc.firewall. In rc.firewall the first line is add divert
  natd etc etc. that is followed by pass all from any to any etc etc. Then
  nothing after that is read, it is all ignored.
  If I comment out the line pass all from any to any then nothing works to
  access the internet.
  I don't know what to do to make it read past those first two lines.
  Any suggestions?
  
  
  Can you give me the output of 'ipfw s'. If that one doesn't work then
  try 'ipfw l'?
 
  No problem, below are the results of the two commands. Question - do I
  have to use rc.firewall?

 No, you can create your own configuration file for ipfw. You need these
 two lines in rc.conf:

 firewall_enable=YES
 firewall_type=/etc/firewall.conf

 The configuration file looks something like:
 add divert natd ip from any to any via xl1
 add allow ip from any to any

  Or is it just a generic ruleset that can be
  replaced by a custom ruleset, as I have done (called firewall.rules
  pasted in below)?

 It's possible to place your own ruleset in the default script, but I would
 advise *not* to do this, because when you update, this file can be
 overridden in the process.


It is also possible to simply create an ipfw.sh script in
/usr/local/etc/rc.d and add all of your rules to that script.

ipfw.sh
ipfw -f flush

#NATD Rules here
ipfw add 3 divert natd all from any to any via xl1
etc..

I've used both rc.conf and this method, but I prefer to number my rule sets
so that I can easily tell which one is causing an issue should I
inadvertently block traffic that needs to get through.  To my knowledge,
either method works well, it's just that what I do is generally not
mentioned. :)

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600







Re: firewall rules do not get read

2003-11-20 Thread Ruben de Groot
On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip typed:
 I noticed my firewall rules are not being read. I have rc.conf set to 
 read the file rc.firewall. In rc.firewall the first line is add divert 
 natd etc etc. that is followed by pass all from any to any etc etc. Then 
 nothing after that is read, it is all ignored.

My guess is you're using ipfw and confusing it with ipfilter.
In ipfw, processing stops at the first rule that matches. Your all
from any to any rule matches everything, so all subsequent rules 
are never reached. Try moving this rule to the end of your
firewall script.

Ruben

 If I comment out the line pass all from any to any then nothing works to 
 access the internet.
 I don't know what to do to make it read past those first two lines.
 Any suggestions?
 
 
 
 
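The first-match behaviour Ruben describes, together with the three-divert and catch-all observations in Alex's earlier reply, modelled in Python over the `ipfw show` output Chip posted. This is an added example, not code from the thread; the parser only understands the rule shapes that appear in the thread, and the treatment of divert (natd reinjects the packet and processing resumes at the next rule) and of the default rule 65535 are assumptions of the model, not a full ipfw implementation.

```python
# Constructed copy of the `ipfw show` output quoted in the thread (counters as posted).
IPFW_SHOW = """\
00100 1571924 1218317046 divert 8668 ip from any to any via xl1
00200 3144909 2436915536 allow ip from any to any
00300   0  0 divert 8668 ip from any to any via xl1
00400   0  0 allow ip from any to any
00500   0  0 divert 8668 ip from any to any via xl1
65535   0  0 deny ip from any to any
"""

def parse_rule(line):
    """(number, packets, action, via_iface) for one `ipfw show` / `ipfw list` line.
    Only the rule shapes that appear in the thread are understood (assumption)."""
    tok = line.split()
    pkts = None
    if tok[1].isdigit() and tok[2].isdigit():   # `ipfw show` adds two counter columns
        pkts, tok = int(tok[1]), tok[:1] + tok[3:]
    iface = tok[tok.index("via") + 1] if "via" in tok else None
    return int(tok[0]), pkts, tok[1], iface

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def evaluate(rules, iface):
    """First-match walk for a packet crossing `iface`: a divert match hands the packet
    to natd and processing resumes at the next rule, so only allow/deny ends the walk."""
    path = []
    for num, _pkts, action, rule_iface in rules:
        if rule_iface not in (None, iface):      # `via xl1` only matches on xl1
            continue
        path.append(num)
        if action != "divert":
            return action, path
    return "deny", path            # unreachable in practice: rule 65535 matches everything

def shadowed_rules(rules):
    """Rules that can never match because an earlier allow/deny without an
    interface restriction already terminates every packet (65535 excluded)."""
    out, terminal_seen = [], False
    for num, _pkts, action, rule_iface in rules:
        if terminal_seen and num != 65535:
            out.append(num)
        elif action in ("allow", "deny") and rule_iface is None:
            terminal_seen = True
    return out

if __name__ == "__main__":
    rules = parse_ruleset(IPFW_SHOW)
    print(evaluate(rules, "xl1"), evaluate(rules, "xl0"))   # ('allow', [100, 200]) ('allow', [200])
    print(shadowed_rules(rules))                           # [300, 400, 500]
```

The shadowed rules are exactly the ones whose packet counters in the posted output are zero, which is the quickest check to run on any `ipfw show` output when a ruleset appears to stop being read partway through.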


Re: firewall rules do not get read

2003-11-20 Thread Alex de Kruijff
On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
 I noticed my firewall rules are not being read. I have rc.conf set to 
 read the file rc.firewall. In rc.firewall the first line is add divert 
 natd etc etc. that is followed by pass all from any to any etc etc. Then 
 nothing after that is read, it is all ignored.
 If I comment out the line pass all from any to any then nothing works to 
 access the internet.
 I don't know what to do to make it read past those first two lines.
 Any suggestions?

Can you give me the output of 'ipfw s'. If that one doesn't work then
try 'ipfw l'?

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/


Re: firewall rules do not get read

2003-11-20 Thread Chip


Alex de Kruijff wrote:

On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:

I noticed my firewall rules are not being read. I have rc.conf set to 
read the file rc.firewall. In rc.firewall the first line is add divert 
natd etc etc. that is followed by pass all from any to any etc etc. Then 
nothing after that is read, it is all ignored.
If I comment out the line pass all from any to any then nothing works to 
access the internet.
I don't know what to do to make it read past those first two lines.
Any suggestions?


Can you give me the output of 'ipfw s'. If that one doesn't work then
try 'ipfw l'?
No problem, below are the results of the two commands. Question - do I 
have to use rc.firewall? Or is it just a generic ruleset that can be 
replaced by a custom ruleset, as I have done (called firewall.rules 
pasted in below)?
--
Chip

here is ipfw s results -

00100 1571924 1218317046 divert 8668 ip from any to any via xl1
00200 3144909 2436915536 allow ip from any to any
00300   0  0 divert 8668 ip from any to any via xl1
00400   0  0 allow ip from any to any
00500   0  0 divert 8668 ip from any to any via xl1
65535   0  0 deny ip from any to any
and here is ipfw l results -

00100 divert 8668 ip from any to any via xl1
00200 allow ip from any to any
00300 divert 8668 ip from any to any via xl1
00400 allow ip from any to any
00500 divert 8668 ip from any to any via xl1
65535 deny ip from any to any
And just as a refresher here is the ruleset firewall.rules for anyone 
else looking in on this thread -

#!/bin/sh
# Define your variables
fwcmd=/sbin/ipfw    # leave as is if using ipfw
oif=xl1 # set to outside interface name (for DSL pppoe0 in 10.0.x,
# set following line to outside ip address
oip=66.114.152.128
onwr=66.114.152.128/8   #set to outside network range
iif=xl0 #set to internal interface name
inwr=192.168.1.0/16 #set to internal network range
iip=192.168.1.10    #set to internal ip address
# Rules with descriptions
#   Basic rules: there is no need to modify anything in this first 
section.
#   This is the bare minimum to block simple spoofing.

#   Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#   Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#   Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
#   Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#   Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#   Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#   Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny log all from any to 240.0.0.0/4 in via $oif
#   If you use NATD (for your 192.168.1.0 interface for instance)
#   you must uncomment the following.  If you don't or if you don't know,
#   make sure next rule (divert) is commented.
#   Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#   Allow all established connections to persist (setup required
#   for new connections).
$fwcmd add allow tcp from any to any established
#	Allow incoming requests to reach the various services.
#	To allow multiple services you may list them separated
#	by a coma, for example ...to $oip 22,25,110,80 setup
#	If you have an internal interface (e.g. if you do not run NATd)
#	uncomment the second line to enable AppleTalk on it.
$fwcmd add allow tcp from any to $oip 22,25,110,80,6881,6882,6883,6884,6885,6885,6886,6887,6889 setup

#   Allow icmp packets for diagnostic purposes (ping traceroute)
#   you may wish to leave commented out.
$fwcmd add allow icmp from any to any
#   Allow 

firewall rules do not get read

2003-11-19 Thread Chip
I noticed my firewall rules are not being read. I have rc.conf set to 
read the file rc.firewall. In rc.firewall the first line is add divert 
natd etc etc. that is followed by pass all from any to any etc etc. Then 
nothing after that is read, it is all ignored.
If I comment out the line pass all from any to any then nothing works to 
access the internet.
I don't know what to do to make it read past those first two lines.
Any suggestions?


