Re: Firewall + Cable Modem

2003-01-26 Thread Matthew Faircliff
A firewall set to accept by default has the last rule in the chain as an accept rule. 
The opposite goes for deny, whereby the last rule is a deny rule (this is the most 
common way to set up a firewall).

The firewall is not the problem. Leave the inetd running, just comment out all the 
services you don't need in inetd.conf.

Do you use ppp to connect to your ISP via a tunnel? Are you using an internal cable 
modem? Did you try commenting out the DHCP line in your rc.conf?

Matt.


On Sat, Jan 25, 2003 at 01:16:16PM -0500, Asenchi wrote:
From: Asenchi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Firewall + Cable Modem
Date: Sat, 25 Jan 2003 13:16:16 -0500
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)

Where do you see that my firewall is set to accept by default?

How do I disable my firewall without recompiling a kernel?  Will
firewall_enable=NO actually work?  Won't this just set the default deny
rule as the firewall?

Why would I run INETD, I am not sure?  Most of the errors with DHCLIENT said
make sure there are certain services turned off in INETD.  Also, there isn't
a service listed in INETD that I believe I need to run this machine?  Do I?
Maybe I am not clear on something...

Thank you for your help, I really appreciate it.

Curt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matthew
Faircliff
Sent: Saturday, January 25, 2003 2:39 PM
To: Asenchi
Cc: [EMAIL PROTECTED]
Subject: Re: Firewall + Cable Modem


Hello,

It seems to me as though you are running two class C networks for your
internal computers (xl0 and rl0) and have your cable modem running under
vr0.

The NATD stuff looks cool. Disable your firewall (even though it seems to be
set to accept by default) and then fix your cable modem.

Try commenting out the ifconfig_vr0=DHCP line in your rc.conf.

Why are you not running INETD?

Matt.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message





Firewall + Cable Modem

2003-01-25 Thread Asenchi
Hello All,

I have worked my butt off on this, reading everything I could find on the
subjects.  For some reason I can't get this to work.  I know it is probably
really simple, but could someone please help me?

I am configuring an IPFW firewall that will act as a gateway and run natd.
It will be on a Dynamic IP cable modem.  There will be 25 users behind it.
I cannot get my card to remain connected, it keeps dropping its addressing,
or so it appears in IFCONFIG.  I have included below outputs of various
processes for you all.  Thank you in advance for any help you are able to
offer.

Curt Micol

#uname -a
FreeBSD world.attbi.com 4.7-STABLE FreeBSD 4.7-STABLE #6: Fri Jan 24
22:05:56 EST 2003 asenchi@world:/usr/obj/usr/src/sys/ASENCHI  i386

#vi /etc/rc.conf
# -- sysinstall generated deltas -- # Thu Nov 14 10:01:53 2002
# Created: Thu Nov 14 10:01:53 2002
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#Network Stuff
hostname=world.attbi.com
ifconfig_vr0=DHCP
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable=YES

#Misc Options
inetd_enable=NO
kern_securelevel_enable=NO
nfs_reserved_port_only=YES
ntpdate_enable=YES
ntpdate_flags=clock.linuxshell.net
sshd_enable=YES
sshd_flags=-4
usbd_enable=NO
syslogd_enable=YES
syslogd_flags=-ss
clear_tmp_enable=YES
icmp_drop_redirect=YES
icmp_log_redirect=YES
icmp_bmcastecho=NO
fsck_y_enable=YES
linux_enable=NO
moused_enable=NO
portmap_enable=NO

#Firewall
firewall_enable=YES
#firewall_type=OPEN
firewall_type=/etc/rc.firewall
firewall_quiet=YES
firewall_logging=YES
log_in_vain=YES

#NATD
natd_enable=YES
natd_interface=vr0
natd_flags="-f /etc/natd.conf"

sendmail_enable=NONE

#qmail options
qmail_smtp_enable=YES
qmail_pop_enable=YES
qmail_enable=YES

#ps -acux
USER      PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED    TIME COMMAND
root     1033  0.0  0.1   420  248  v0  R+    3:20AM 0:00.00 ps
root        1  0.0  0.1   552  316  ??  ILs   9:43PM 0:00.01 init
root        2  0.0  0.0     0    0  ??  DL    9:43PM 0:00.00 pagedaemon
root        3  0.0  0.0     0    0  ??  DL    9:43PM 0:00.00 vmdaemon
root        4  0.0  0.0     0    0  ??  DL    9:43PM 0:00.02 bufdaemon
root        5  0.0  0.0     0    0  ??  DL    9:43PM 0:00.05 vnlru
root        6  0.0  0.0     0    0  ??  DL    9:43PM 0:00.47 syncer
root       25  0.0  0.0   212   96  ??  Is    9:43PM 0:00.00 adjkerntz
root       62  0.0  0.3   944  728  ??  Is    2:43AM 0:00.00 dhclient
root      130  0.0  0.3   972  656  ??  Ss    2:43AM 0:00.26 syslogd
root      138  0.0  0.3  1024  764  ??  Is    2:43AM 0:00.01 cron
root      140  0.0  0.7  2324 1744  ??  Is    2:43AM 0:00.00 sshd
qmaild    164  0.0  0.2   896  392 con- I     2:43AM 0:00.00 tcpserver
root      165  0.0  0.2   896  392 con- I     2:43AM 0:00.00 tcpserver
qmails    166  0.0  0.2   948  508 con- I     2:43AM 0:00.10 qmail-send
qmaill    171  0.0  0.2   896  504 con- I     2:43AM 0:00.02 splogger
root      172  0.0  0.2   896  476  ??  I     2:43AM 0:00.01 qmail-lspawn
qmailr    173  0.0  0.2   896  412  ??  I     2:43AM 0:00.00 qmail-rspawn
qmailq    174  0.0  0.2   884  440  ??  I     2:43AM 0:00.00 qmail-clean
root      175  0.0  0.4  1268  948  v0  Is    2:43AM 0:00.03 login
root      177  0.0  0.3   952  644  v2  Is+   2:43AM 0:00.00 getty
root      178  0.0  0.3   952  644  v3  Is+   2:43AM 0:00.00 getty
root      179  0.0  0.3   952  644  v4  Is+   2:43AM 0:00.00 getty
root      180  0.0  0.3   952  644  v5  Is+   2:43AM 0:00.00 getty
root      181  0.0  0.3   952  644  v6  Is+   2:43AM 0:00.00 getty
root      182  0.0  0.3   952  644  v7  Is+   2:43AM 0:00.00 getty
asenchi   198  0.0  0.2   636  440  v0  I     2:43AM 0:00.01 sh
root      212  0.0  0.4  1488 1116  v0  S     2:44AM 0:00.21 csh
root      300  0.0  0.4  1268  948  v1  Is    2:46AM 0:00.04 login
root      677  0.0  0.4  1492 1128  v1  I+    3:01AM 0:00.08 csh
root     1022  0.0  0.1   432  308  ??  Ss    3:19AM 0:00.00 natd
root        0  0.0  0.0     0    0  ??  DLs   9:43PM 0:00.00 swapper

#/etc/netstart
Doing stage one network startup:
Doing initial network setup:.
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::240:33ff:fe5a:748a%vr0 prefixlen 64 scopeid 0x1
inet 0.0.0.0 netmask 0xff00 broadcast 255.255.255.255
ether 00:40:33:5a:74:8a
media: Ethernet autoselect (100baseTX full-duplex)
status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=3<rxcsum,txcsum>
inet6 fe80::204:76ff:fec5:f4a2%xl0 prefixlen 64 scopeid 0x2
inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
ether 00:04:76:c5:f4:a2
media: Ethernet autoselect (none)
status: no carrier
rl0: 

Re: Firewall + Cable Modem

2003-01-25 Thread Dirk-Willem van Gulik


On Sat, 25 Jan 2003, Asenchi wrote:

 I cannot get my card to remain connected, it keeps dropping its addressing,
 or so it appears in IFCONFIG.  I have included below outputs of various
 processes for you all.  Thank you in advance for any help you are able to
 offer.

With DHCP you get a lease for a certain period of time. Some ISPs have
very short lease times; and your system may not be quick enough to get a
lease. Another option is that you get your first lease before the firewall
is fully set up; but that you cannot negotiate a lease after the firewall
is there due to it blocking the negotiation process. Temporarily disabling
the firewall (and nat) will tell you this.

 Jan 25 03:03:00 world dhclient: Listening on BPF/vr0/00:40:33:5a:74:8a
 Jan 25 03:03:00 world dhclient: Sending on   BPF/vr0/00:40:33:5a:74:8a
 Jan 25 03:03:00 world dhclient: Can't bind to dhcp address: Address already
 in use

This suggests that your dhclient can not bind to the port it needs. You may
want to check what is bound to that port. See 'lsof' and 'netstat'.

Dw


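The two points made in this thread, that the last rule in the chain sets the effective default policy (Matt's 2003-01-26 reply) and that a default-deny firewall can block DHCP lease renewal once it is up (Dirk-Willem's reply above), can be checked with a small first-match rule evaluator. This is an added example, not code from the thread or from FreeBSD; it assumes vr0 is the external interface (as in Curt's rc.conf), uses constructed rule numbers, and models packets without addresses.

```python
# Added example, not code from the thread: a tiny first-match evaluator for
# ipfw-style rules. It shows (1) why the last rule's action is the effective
# default policy and (2) why a default-deny ruleset needs explicit DHCP rules
# on the external interface (vr0, as in Curt's rc.conf) or dhclient cannot
# renew its lease once the firewall is up. Rule numbers and the address-less
# packet model are constructed for illustration.
from dataclasses import dataclass

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
EXT_IF = "vr0"  # cable-modem interface from the posted rc.conf

@dataclass(frozen=True)
class Packet:
    proto: str       # "udp", "tcp", ...
    sport: int
    dport: int
    iface: str       # interface the packet arrives on or leaves through
    direction: str   # "in" or "out"

def match(rule, pkt):
    """A rule is a dict of field -> required value; a missing field means 'any'."""
    return all(getattr(pkt, k) == v for k, v in rule.items())

def evaluate(ruleset, pkt):
    """First matching rule wins, as in ipfw; return (rule number, action).
    If nothing matches, the kernel's built-in rule 65535 applies, which is
    deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for num, action, rule in ruleset:
        if match(rule, pkt):
            return num, action
    return 65535, "deny"

def default_policy(ruleset):
    """Matt's rule of thumb: the last rule in the chain is the default policy."""
    return ruleset[-1][1]

def dhcp_allowed(ruleset):
    """Pre-deployment check: does the ruleset let lease renewal through on EXT_IF?"""
    offer = Packet("udp", DHCP_SERVER_PORT, DHCP_CLIENT_PORT, EXT_IF, "in")
    request = Packet("udp", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, EXT_IF, "out")
    return all(evaluate(ruleset, p)[1] == "allow" for p in (offer, request))

# Constructed rulesets (the divert-to-natd rule is left out for clarity).
DEFAULT_DENY_WITH_DHCP = [
    (100, "allow", {"proto": "udp", "sport": 67, "dport": 68, "iface": EXT_IF, "direction": "in"}),
    (110, "allow", {"proto": "udp", "sport": 68, "dport": 67, "iface": EXT_IF, "direction": "out"}),
    (65000, "deny", {}),                      # last rule: deny -> default-deny firewall
]
DEFAULT_DENY_NO_DHCP = [(65000, "deny", {})]  # renewals die here once the firewall is up
DEFAULT_ACCEPT = [(65000, "allow", {})]       # last rule: allow -> accept-by-default
INBOUND_TELNET = Packet("tcp", 40000, 23, EXT_IF, "in")  # constructed unsolicited inbound packet
```

Running `dhcp_allowed` against the ruleset before enabling it is the quick way to catch the lease-renewal failure without having to disable the firewall on the live gateway.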



Re: Firewall + Cable Modem

2003-01-25 Thread Matthew Faircliff
Hello,

It seems to me as though you are running two class C networks for your internal 
computers (xl0 and rl0) and have your cable modem running under vr0. 

The NATD stuff looks cool. Disable your firewall (even though it seems to be set to 
accept by default) and then fix your cable modem.

Try commenting out the ifconfig_vr0=DHCP line in your rc.conf. 

Why are you not running INETD?

Matt.




RE: Firewall + Cable Modem

2003-01-25 Thread Asenchi
Where do you see that my firewall is set to accept by default?

How do I disable my firewall without recompiling a kernel?  Will
firewall_enable=NO actually work?  Won't this just set the default deny
rule as the firewall?

Why would I run INETD, I am not sure?  Most of the errors with DHCLIENT said
make sure there are certain services turned off in INETD.  Also, there isn't
a service listed in INETD that I believe I need to run this machine?  Do I?
Maybe I am not clear on something...

Thank you for your help, I really appreciate it.

Curt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matthew
Faircliff
Sent: Saturday, January 25, 2003 2:39 PM
To: Asenchi
Cc: [EMAIL PROTECTED]
Subject: Re: Firewall + Cable Modem


Hello,

It seems to me as though you are running two class C networks for your
internal computers (xl0 and rl0) and have your cable modem running under
vr0.

The NATD stuff looks cool. Disable your firewall (even though it seems to be
set to accept by default) and then fix your cable modem.

Try commenting out the ifconfig_vr0=DHCP line in your rc.conf.

Why are you not running INETD?

Matt.
