Re: Firewall enabling confusion.

2004-02-28 Thread Warren Block
On Fri, 27 Feb 2004, Shaun T. Erickson wrote:

 I looked at that. That's not what I mean. :) I mean, if I do not have to
 build a new kernel to enable firewalling, logging and divert,

I've always done this with a kernel build.  There may be a way to do the
latter two through loadable modules, but I don't know it.

-Warren Block * Rapid City, South Dakota USA
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Firewall enabling confusion.

2004-02-27 Thread Shaun T. Erickson
I put 'firewall_enable=YES' in /etc/rc.conf, in anticipation of 
rebuilding my kernel with the following options turned on:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
I rebooted, for unrelated reasons, and now see in the messages file that 
ipfw2 has been enabled and, indeed, since I have no rules in place, my 
system is cut off from the network.

I haven't yet rebuilt my kernel, so I don't understand why this kicked 
in. Did adding that line in rc.conf suck in a kernel module that 
obsoletes the need for those kernel options? How do I check (I'd do an 
lsmod, on Linux - don't know what the equivalent FreeBSD command is)?
If it is a module, how do I enable logging, as adding 
'firewall_logging=YES' to /etc/rc.conf didn't turn it on, according to 
the messages file. Likewise for divert (though I don't currently need it).

Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled, 
rule-based forwarding enabled, default to deny, logging disabled

	-ste



RE: Firewall enabling confusion.

2004-02-27 Thread Remko Lodder
kldstat is the program you are looking for (like lsmod)
It can indeed be that the module is loaded with its default
settings {block all}

Hope this solves your lsmod question, the rest i cannot help you
with since i don't understand ipfw :) {yet}

cheers

--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene

mrtg.grunn.org Dutch mirror of MRTG

-Original message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Shaun T. Erickson
Sent: Friday 27 February 2004 20:40
To: [EMAIL PROTECTED]
Subject: Firewall enabling confusion.


I put 'firewall_enable=YES' in /etc/rc.conf, in anticipation of
rebuilding my kernel with the following options turned on:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100

I rebooted, for unrelated reasons, and now see in the messages file that
ipfw2 has been enabled and, indeed, since I have no rules in place, my
system is cut off from the network.

I haven't yet rebuilt my kernel, so I don't understand why this kicked
in. Did adding that line in rc.conf suck in a kernel module that
obsoletes the need for those kernel options? How do I check (I'd do an
lsmod, on Linux - don't know what the equivalent FreeBSD command is)?
If it is a module, how do I enable logging, as adding
'firewall_logging=YES' to /etc/rc.conf didn't turn it on, according to
the messages file. Likewise for divert (though I don't currently need it).

Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled,
rule-based forwarding enabled, default to deny, logging disabled

-ste



Re: Firewall enabling confusion.

2004-02-27 Thread Shaun T. Erickson
Remko Lodder wrote:

kldstat is the program you are looking for (like lsmod)
It can indeed be that the module is loaded with its default
settings {block all}
Hope this solves your lsmod question, the rest i cannot help you
with since i don't understand ipfw :) {yet}
Thanks! Yes, the ipfw.ko module is getting loaded. So now I just need to 
know how to enable things like divert and logging.

	-ste



Re: Firewall enabling confusion.

2004-02-27 Thread Warren Block
On Fri, 27 Feb 2004, Shaun T. Erickson wrote:

 Thanks! Yes, the ipfw.ko module is getting loaded. So now I just need to
 know how to enable things like divert and logging.

/etc/rc.firewall has examples.

-Warren Block * Rapid City, South Dakota USA


Re: Firewall enabling confusion.

2004-02-27 Thread Shaun T. Erickson
Warren Block wrote:

On Fri, 27 Feb 2004, Shaun T. Erickson wrote:


Thanks! Yes, the ipfw.ko module is getting loaded. So now I just need to
know how to enable things like divert and logging.


/etc/rc.firewall has examples.
I looked at that. That's not what I mean. :) I mean, if I do not have to 
build a new kernel to enable firewalling, logging and divert, then how 
do I enable them, such that the following line from my messages file 
would show that they have been enabled?

Adding firewall_enable=YES to rc.conf caused the ipfw module to be 
loaded, enabling firewalling. Adding firewall_logging=YES did *not* 
enable logging in the message file line shown below. How do I do that? 
How would I get that line to show divert as being enabled? I may be 
wrong (correct me if I am, please), but doesn't that line have to show 
them as enabled, before I can successfully make use of them in ipfw 
commands like those you pointed me to in rc.firewall? What if I want 
that line to report that the default is open, instead of deny?

Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled, 
rule-based forwarding enabled, default to deny, logging disabled

	-ste



Re: Firewall enabling confusion.

2004-02-27 Thread Ion-Mihai Tetcu
On Fri, 27 Feb 2004 15:43:16 -0500
Shaun T. Erickson [EMAIL PROTECTED] wrote:

 Warren Block wrote:

  On Fri, 27 Feb 2004, Shaun T. Erickson wrote:

  Thanks! Yes, the ipfw.ko module is getting loaded. So now I just
  need to know how to enable things like divert and logging.

  /etc/rc.firewall has examples.

 I looked at that. That's not what I mean. :) I mean, if I do not have
 to build a new kernel to enable firewalling, logging and divert, then
 how do I enable them, such that the following line from my messages
 file would show that they have been enabled?


 Adding firewall_enable=YES to rc.conf caused the ipfw module to be 
 loaded, enabling firewalling. Adding firewall_logging=YES did *not* 
 enable logging in the message file line shown below. How do I do that?

hint:
sysctl -a | grep ip.fw
for logging do:
sysctl -w net.inet.ip.fw.verbose=1
sysctl -w net.inet.ip.fw.verbose_limit=5

see also man ipfw, it will answer your questions.
 
 How would I get that line to show divert as being enabled? I may be 
 wrong (correct me if I am, please), but doesn't that line have to show
 them as enabled, before I can successfully make use of them in ipfw 
 commands like those you pointed me to in rc.firewall? What if I want 
 that line to report that the default is open, instead of deny?

AFAIK recompile with IPFW_DEFAUL_TO_ACCEPT, but it would be a bad thing.

 
 Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled, 
 rule-based forwarding enabled, default to deny, logging disabled
 
   -ste
 


-- 
IOnut
Unregistered ;) FreeBSD user

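A check for the state this thread is asking about (is ipfw.ko loaded, and is logging on), as an added example that is not code from any of the posters: it parses kldstat and sysctl output, using constructed samples here in place of the real commands on a FreeBSD host, and the comments show the key=value form that sysctl(8) expects for the two logging knobs.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports the ipfw state the
# posters are discussing from "kldstat" and "sysctl net.inet.ip.fw" output.
# Both samples below are constructed; on a FreeBSD box feed the real
# output instead:  ipfw_status "$(sysctl net.inet.ip.fw)"

# Constructed kldstat output: firewall_enable=YES pulled in ipfw.ko.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    4 0xc0400000 5b0000   kernel
 2    1 0xc1a2e000 14000    ipfw.ko'

# Constructed sysctl output matching the OP's boot line: logging disabled.
SAMPLE_SYSCTL_OFF='net.inet.ip.fw.enable: 1
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0'

# Same host after "sysctl -w net.inet.ip.fw.verbose=1" and
# "sysctl -w net.inet.ip.fw.verbose_limit=5" (key=value, not a colon).
SAMPLE_SYSCTL_ON='net.inet.ip.fw.enable: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 5'

# kld_loaded MODULE KLDSTAT_OUTPUT -> true if MODULE appears in the Name column.
kld_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$NF == m { found = 1 } END { exit !found }'
}

# ipfw_knob KNOB SYSCTL_OUTPUT -> value of net.inet.ip.fw.KNOB, or "missing".
ipfw_knob() {
    v=$(printf '%s\n' "$2" | sed -n "s/^net\.inet\.ip\.fw\.$1: //p")
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'missing\n'
}

# ipfw_status SYSCTL_OUTPUT -> prints a summary; exit 0 = logging on,
# 1 = firewall not enabled, 2 = firewall on but logging off.
ipfw_status() {
    en=$(ipfw_knob enable "$1")
    vb=$(ipfw_knob verbose "$1")
    lim=$(ipfw_knob verbose_limit "$1")
    if [ "$en" != 1 ]; then printf 'ipfw: firewall disabled\n'; return 1; fi
    if [ "$vb" = 1 ]; then
        printf 'ipfw: logging enabled, verbose_limit=%s\n' "$lim"; return 0
    fi
    printf 'ipfw: logging disabled (set net.inet.ip.fw.verbose=1)\n'; return 2
}

if kld_loaded ipfw.ko "$SAMPLE_KLDSTAT"; then echo 'ipfw.ko loaded'; fi
ipfw_status "$SAMPLE_SYSCTL_OFF" || true   # exit status 2 for the OP's state
ipfw_status "$SAMPLE_SYSCTL_ON"
```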


Re: Firewall enabling confusion.

2004-02-27 Thread Shaun T. Erickson
Ion-Mihai Tetcu wrote:

hint:
sysctl -a | grep ip.fw
for logging do:
sysctl -w net.inet.ip.fw.verbose=1
sysctl -w net.inet.ip.fw.verbose_limit=5
Ah.

see also man ipfw, it will answer your questions.
I'm still wading through it - it's quite a long read. I'll finish before 
asking anything else. ;)

AFAIK recompile with IPFW_DEFAUL_TO_ACCEPT, but it would be a bad thing.
I don't disagree - I just wanted to know how. It helps me to understand 
the system better. ;)

	-ste



Re: Firewall enabling confusion.

2004-02-27 Thread Ion-Mihai Tetcu
On Fri, 27 Feb 2004 16:14:26 -0500
Shaun T. Erickson [EMAIL PROTECTED] wrote:

 Ion-Mihai Tetcu wrote:
 
  hint:
  sysctl -a | grep ip.fw
  for logging do:
  sysctl -w net.inet.ip.fw.verbose=1
  sysctl -w net.inet.ip.fw.verbose_limit=5
 
 Ah.
 
  see also man ipfw, it will answer your questions.
 
 I'm still wading through it - it's quite a long read. I'll finish before 
 asking anything else. ;)
 
  AFAIK recompile with IPFW_DEFAUL_TO_ACCEPT, but it would be a bad thing.
 
 I don't disagree - I just wanted to know how. It helps me to understand 
 the system better. ;)

;) on ipfw2 you can suspend the last automatic deny all rule, see the man page.


-- 
IOnut
Unregistered ;) FreeBSD user
