IPFW2 setup

2003-01-31 Thread Jason Morgan
OK, I've read the man page for IPFW a couple times and I am still having
difficulty setting up a working firewall. The firewall acts as a gateway
to my inside network as well as a web server and mail server. I also
need ssh connectivity from inside and out. Also, one odd thing is that I
have a Zyxel Prestige 643 acting as an additional router between me and
my DSL connection (I couldn't figure out how to get the router in pure
bridging mode). It comes in handy, though, as it has a 4-port switch
built in and can also act as a firewall and does the PPPoE easily enough.

NICs:
xl0 as 192.168.1.101 (to Zyxel and outside)
dc0 as 10.0.0.1 (inside)

Current IPFW config:

-

# Basics
add 00010 pass all from any to any via lo0
add 00020 deny all from any to 127.0.0.0/8
add 00030 deny ip from 127.0.0.0/8 to any
add 00040 deny ip from any to any frag

# Spoofing Check
add 00050 deny all from 10.0.0.0/8 to any in via xl0
add 00060 deny all from 172.16.0.0/12 to any in via xl0

add 00080 allow all from 192.168.1.1 to any in via xl0
add 00085 deny all from 192.168.0.0/16 to any in via xl0

# Divert
add 00100 divert natd all from any to any via xl0

# Allowances
add 00200 allow all from any to any in via dc0

# Check state of dynamic rules
add 00220 check-state

# UDP
add 00300 allow udp from any to any out setup
add 00310 deny udp from any to any established
add 00320 allow udp from any to any 53 in via xl0 setup keep-state

# TCP
add 00400 allow tcp from any to any out setup keep-state
add 00410 deny tcp from any to any established
add 00420 allow tcp from any to any 22,25,80 in setup keep-state


add 32000 allow all from any to any



Could anyone offer some advice?

Regards,

Jason

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: IPFW2 setup

2003-01-31 Thread Jason Morgan
Kernel firewall settings:

options IPFW2
options IPFIREWALL  #Firewall
options IPFIREWALL_VERBOSE  #print info about dropped packets
options IPFIREWALL_VERBOSE_LIMIT=10  #limit verbosity
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=10
options IPDIVERT    #Divert sockets
options IPSTEALTH   #support stealth forwarding
options ICMP_BANDLIM    #Rate limit bad replies
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP


I can't reach the web from the inside, nor can I ssh to my server.
Everything seems to be getting hung up on rules 310 and 410. I, of
course, want to do away with 32000. In order to get through, I have
temporarily added an 'allow all from any to any' at 210. I'll start
logging the denys and see what happens.

-jason


On Fri, Jan 31, 2003 at 11:56:02AM -0500, Steve Bertrand wrote:
 What part is not working? Can you nat through? Perhaps you could add 
 some logging to see which packets are failing and why.
 Do you have the following in the kernel?
 
 options IPFIREWALL
 options IPFIREWALL_VERBOSE
 options IPDIVERT
 
 Let us know.
 
 Steve
 
 Jason Morgan wrote:
 
 OK, I've read the man page for IPFW a couple times and I am still having
 difficulty setting up a working firewall. The firewall acts as a gateway
 to my inside network as well as a web server and mail server. I also
 need ssh connectivity from inside and out. Also, one odd thing is that I
 have a Zyxel Prestige 643 acting as an additional router between me and
 my DSL connection (I couldn't figure out how to get the router in pure
 bridging mode). It comes in handy, though, as it has a 4-port switch
 built in and can also act as a firewall and does the PPPoE easily enough.
 
 NICs:
 xl0 as 192.168.1.101 (to Zyxel and outside)
 dc0 as 10.0.0.1 (inside)
 
 Current IPFW config:
 
 -
 
 # Basics
 add 00010 pass all from any to any via lo0
 add 00020 deny all from any to 127.0.0.0/8
 add 00030 deny ip from 127.0.0.0/8 to any
 add 00040 deny ip from any to any frag
 
 # Spoofing Check
 add 00050 deny all from 10.0.0.0/8 to any in via xl0
 add 00060 deny all from 172.16.0.0/12 to any in via xl0
 
 add 00080 allow all from 192.168.1.1 to any in via xl0
 add 00085 deny all from 192.168.0.0/16 to any in via xl0
 
 # Divert
 add 00100 divert natd all from any to any via xl0
 
 # Allowances
 add 00200 allow all from any to any in via dc0
 
 # Check state of dynamic rules
 add 00220 check-state
 
 # UDP
 add 00300 allow udp from any to any out setup
 add 00310 deny udp from any to any established
 add 00320 allow udp from any to any 53 in via xl0 setup keep-state
 
 # TCP
 add 00400 allow tcp from any to any out setup keep-state
 add 00410 deny tcp from any to any established
 add 00420 allow tcp from any to any 22,25,80 in setup keep-state
 
 
 add 32000 allow all from any to any
 
 
 
 Could anyone offer some advice?
 
 Regards,
 
 Jason
 

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
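The ruleset from the first post, reorganised into the stateful-NAT layout the FreeBSD Handbook uses, as an added example (it is not the poster's configuration and nobody in the thread posted it). It takes the interface names, addresses and the Zyxel's 192.168.1.1 from the post, and assumes the LAN behind dc0 is 10.0.0.0/24 and that natd is started with -n xl0 (so "natd" resolves to its divert port via /etc/services). The changes that matter for the symptom in the follow-up: inbound traffic is un-NATted before check-state and outbound traffic is NATted after the stateful rules, so a reply carries the same address the dynamic rule was recorded with and no longer falls through to a "deny ... established" rule; setup and established are TCP-flag tests and never match UDP, so the UDP rules use keep-state alone; and the trailing "allow all" is replaced by logged denies in each direction. The script only prints the rules unless FWCMD points at ipfw.

```shell
#!/bin/sh
# Stateful ipfw2 + natd ruleset for the topology described in the thread:
#   xl0 = 192.168.1.101, toward the Zyxel (192.168.1.1) and the Internet
#   dc0 = 10.0.0.1, toward the LAN
# The firewall itself serves ssh (22), smtp (25) and http (80).
# Added example, not the poster's ruleset. It prints the rules by default;
# run it as root with FWCMD="/sbin/ipfw -q" to load them for real.

oif=xl0                  # outside interface (names taken from the post)
iif=dc0                  # inside interface
lan=10.0.0.0/24          # assumption: the LAN behind dc0 is a /24
router=192.168.1.1       # the Zyxel's LAN-side address
inbound_tcp=22,25,80     # services the firewall offers to the outside
dns=53

fwcmd="${FWCMD:-echo}"   # dry-run unless FWCMD points at ipfw

# add N RULE ...: hand one rule to ipfw (or print it in dry-run mode)
add() { $fwcmd add "$@"; }

load_firewall() {
    $fwcmd -f flush

    # Loopback, and never let 127/8 cross a real interface.
    add 00010 allow ip from any to any via lo0
    add 00020 deny ip from any to 127.0.0.0/8
    add 00030 deny ip from 127.0.0.0/8 to any

    # The LAN side is trusted in both directions.
    add 00040 allow ip from any to any via $iif

    # Anti-spoofing on the outside interface. The Zyxel lives on
    # 192.168.1.0/24, so it is exempted before the 192.168/16 drop.
    add 00050 deny ip from $lan to any in via $oif
    add 00060 deny ip from 172.16.0.0/12 to any in via $oif
    add 00070 allow ip from $router to any in via $oif
    add 00080 deny ip from 192.168.0.0/16 to any in via $oif

    # Inbound packets are un-NATted BEFORE check-state, so a reply carries
    # the same LAN address the dynamic rule was recorded with. A single
    # "divert natd ... via xl0" ahead of check-state records outbound
    # state with the translated address, and replies then miss it.
    add 00100 divert natd ip from any to any in via $oif
    add 00110 check-state

    # Outbound flows: record state with the un-NATted source, then jump to
    # rule 500 where NAT happens. "setup"/"established" are TCP-flag tests,
    # so UDP gets keep-state alone.
    add 00200 skipto 500 tcp from any to any out via $oif setup keep-state
    add 00210 skipto 500 udp from any to any $dns out via $oif keep-state
    add 00220 skipto 500 icmp from any to any out via $oif
    add 00299 deny log ip from any to any out via $oif

    # Services offered by the firewall itself ("me" = any local address).
    # Their replies match check-state, whose parent action is "allow", so
    # they bypass natd; that is fine because they already carry xl0's address.
    add 00300 allow tcp from any to me $inbound_tcp in via $oif setup keep-state
    add 00310 allow icmp from any to any in via $oif icmptypes 0,3,11
    add 00399 deny log ip from any to any in via $oif

    # Only approved outbound flows reach 500: translate them and pass.
    add 00500 divert natd ip from any to any out via $oif
    add 00510 allow ip from any to any
}

load_firewall
```

After loading, `ipfw -d show` lists the dynamic rules alongside the static ones, so you can watch a LAN host's connection appear with its 10.0.0.x source rather than 192.168.1.101. The blanket "deny ip from any to any frag" from the post is deliberately left out: it also drops legitimate fragments such as large UDP replies, and the stateful rules plus the logged denies already catch anything unsolicited. With IPFIREWALL_VERBOSE_LIMIT=10 each "log" rule stops logging after ten hits until `ipfw resetlog`, so raise the limit or reset it while debugging. Inbound echo requests to the firewall are not allowed here; add type 8 to rule 310 if you want it to answer pings.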