Re: Firewall enabling confusion.
On Fri, 27 Feb 2004, Shaun T. Erickson wrote:

> I looked at that. That's not what I mean. :) I mean, if I do not have to
> build a new kernel to enable firewalling, logging and divert,

I've always done this with a kernel build. There may be a way to do the
latter two through loadable modules, but I don't know it.

-Warren Block * Rapid City, South Dakota USA
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Firewall enabling confusion.
On Fri, 27 Feb 2004 16:14:26 -0500 "Shaun T. Erickson" <[EMAIL PROTECTED]> wrote:

> Ion-Mihai Tetcu wrote:
>
> > hint:
> > sysctl -a | grep ip.fw
> > for logging do:
> > sysctl -w net.inet.ip.fw.verbose=1
> > sysctl -w net.inet.ip.fw.verbose_limit=5
>
> Ah.
>
> > see also man ipfw, it will answer your questions.
>
> I'm still wading through it - it's quite a long read. I'll finish before
> asking anything else. ;)
>
> > AFAIK recompile with IPFW_DEFAULT_TO_ACCEPT, but it would be a bad thing.
>
> I don't disagree - I just wanted to know how. It helps me to understand
> the system better. ;)

;) on ipfw2 you can suspend the last automatic deny all rule, see the man page.

--
IOnut
Unregistered ;) FreeBSD user
Re: Firewall enabling confusion.
Ion-Mihai Tetcu wrote:

> hint:
> sysctl -a | grep ip.fw
> for logging do:
> sysctl -w net.inet.ip.fw.verbose=1
> sysctl -w net.inet.ip.fw.verbose_limit=5

Ah.

> see also man ipfw, it will answer your questions.

I'm still wading through it - it's quite a long read. I'll finish before
asking anything else. ;)

> AFAIK recompile with IPFW_DEFAULT_TO_ACCEPT, but it would be a bad thing.

I don't disagree - I just wanted to know how. It helps me to understand
the system better. ;)

-ste
Re: Firewall enabling confusion.
On Fri, 27 Feb 2004 15:43:16 -0500 "Shaun T. Erickson" <[EMAIL PROTECTED]> wrote:

> Warren Block wrote:
>
> > On Fri, 27 Feb 2004, Shaun T. Erickson wrote:
> >
> > > Thanks! Yes, the ipfw.ko module is getting loaded. So now I just
> > > need to know how to enable things like divert and logging.
> >
> > /etc/rc.firewall has examples.
>
> I looked at that. That's not what I mean. :) I mean, if I do not have
> to build a new kernel to enable firewalling, logging and divert, then
> how do I enable them, such that the following line from my messages
> file would show that they have been enabled?
>
> Adding firewall_enable="YES" to rc.conf caused the ipfw module to be
> loaded, enabling firewalling. Adding firewall_logging="YES" did *not*
> enable logging in the message file line shown below. How do I do that?

hint:
sysctl -a | grep ip.fw
for logging do:
sysctl -w net.inet.ip.fw.verbose=1
sysctl -w net.inet.ip.fw.verbose_limit=5

see also man ipfw, it will answer your questions.

> How would I get that line to show divert as being enabled? I may be
> wrong (correct me if I am, please), but doesn't that line have to show
> them as enabled, before I can successfully make use of them in ipfw
> commands like those you pointed me to in rc.firewall? What if I want
> that line to report that the default is open, instead of deny?

AFAIK recompile with IPFW_DEFAULT_TO_ACCEPT, but it would be a bad thing.

> Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled,
> rule-based forwarding enabled, default to deny, logging disabled
>
> -ste

--
IOnut
Unregistered ;) FreeBSD user
Re: Firewall enabling confusion.
Warren Block wrote:

> On Fri, 27 Feb 2004, Shaun T. Erickson wrote:
>
> > Thanks! Yes, the ipfw.ko module is getting loaded. So now I just need
> > to know how to enable things like divert and logging.
>
> /etc/rc.firewall has examples.

I looked at that. That's not what I mean. :) I mean, if I do not have to
build a new kernel to enable firewalling, logging and divert, then how do
I enable them, such that the following line from my messages file would
show that they have been enabled?

Adding firewall_enable="YES" to rc.conf caused the ipfw module to be
loaded, enabling firewalling. Adding firewall_logging="YES" did *not*
enable logging in the message file line shown below. How do I do that?

How would I get that line to show divert as being enabled? I may be wrong
(correct me if I am, please), but doesn't that line have to show them as
enabled, before I can successfully make use of them in ipfw commands like
those you pointed me to in rc.firewall? What if I want that line to report
that the default is open, instead of deny?

Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled,
rule-based forwarding enabled, default to deny, logging disabled

-ste
Re: Firewall enabling confusion.
On Fri, 27 Feb 2004, Shaun T. Erickson wrote:

> Thanks! Yes, the ipfw.ko module is getting loaded. So now I just need to
> know how to enable things like divert and logging.

/etc/rc.firewall has examples.

-Warren Block * Rapid City, South Dakota USA
Re: Firewall enabling confusion.
Remko Lodder wrote:

> kldstat is the program you are looking for (like lsmod)
> It can indeed be that the module is loaded with its default settings
> {block all}
> Hope this solves your lsmod question, the rest I cannot help you with
> since I don't understand ipfw :) {yet}

Thanks! Yes, the ipfw.ko module is getting loaded. So now I just need to
know how to enable things like divert and logging.

-ste
RE: Firewall enabling confusion.
kldstat is the program you are looking for (like lsmod)
It can indeed be that the module is loaded with its default settings
{block all}
Hope this solves your lsmod question, the rest I cannot help you with
since I don't understand ipfw :) {yet}

cheers

--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl    Dutch community for helping newcomers on the hackerscene
mrtg.grunn.org            Dutch mirror of MRTG

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Shaun T. Erickson
Sent: Friday, 27 February 2004 20:40
To: [EMAIL PROTECTED]
Subject: Firewall enabling confusion.

I put 'firewall_enable="YES"' in /etc/rc.conf, in anticipation of
rebuilding my kernel with the following options turned on:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100

I rebooted, for unrelated reasons, and now see in the messages file that
ipfw2 has been enabled and, indeed, since I have no rules in place, my
system is cut off from the network. I haven't yet rebuilt my kernel, so I
don't understand why this kicked in. Did adding that line in rc.conf suck
in a kernel module that obsoletes the need for those kernel options? How
do I check (I'd do an lsmod, on Linux - don't know what the equivalent
FreeBSD command is)? If it is a module, how do I enable logging, as adding
'firewall_logging="YES"' to /etc/rc.conf didn't turn it on, according to
the messages file. Likewise for divert (though I don't currently need it).

Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled,
rule-based forwarding enabled, default to deny, logging disabled

-ste
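Added example, not from the thread or from FreeBSD's own rc scripts: a POSIX sh audit that reads the firewall_* settings from rc.conf text and compares them with the state the kernel reported in the "ipfw2 initialized" line quoted above. The rc.conf lines and the kernel line are constructed from the thread and embedded inline, so it runs offline; on a real host you would feed it /etc/rc.conf and the matching dmesg line.

```shell
# Added example: compare what rc.conf asks of ipfw with what the kernel
# reported when the module initialised. Sample input is constructed from
# the thread; on FreeBSD use /etc/rc.conf and `dmesg | grep 'ipfw2 initialized'`.
RC_CONF='firewall_enable="YES"
firewall_logging="YES"'
KMSG='Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled'

# rc_value NAME TEXT: value of NAME="..." (last assignment wins, as when sh
# sources the file); prints nothing if NAME is unset.
rc_value() {
    printf '%s\n' "$2" | awk -F= -v k="$1" \
        '/^[ \t]*#/ { next } $1 == k { v = $2 } END { gsub(/"/, "", v); print v }'
}
# kmsg_feature NAME LINE: enabled|disabled|unknown for "NAME enabled|disabled"
kmsg_feature() {
    case "$2" in
        *"$1 enabled"*)  echo enabled ;;
        *"$1 disabled"*) echo disabled ;;
        *)               echo unknown ;;
    esac
}
# kmsg_default LINE: default policy reported at init (deny|accept|unknown)
kmsg_default() {
    case "$1" in
        *"default to deny"*)   echo deny ;;
        *"default to accept"*) echo accept ;;
        *)                     echo unknown ;;
    esac
}
# audit_ipfw RC_TEXT LINE: print findings; exit 1 if intent and state disagree
audit_ipfw() {
    conf="$1" line="$2" status=0
    if [ "$(rc_value firewall_enable "$conf")" = YES ]; then
        case "$line" in
            *"ipfw2 initialized"*) echo "ok: firewall_enable=YES, ipfw module initialised" ;;
            *) echo "MISMATCH: firewall_enable=YES but no ipfw init line"; status=1 ;;
        esac
    fi
    if [ "$(rc_value firewall_logging "$conf")" = YES ] &&
       [ "$(kmsg_feature logging "$line")" = disabled ]; then
        echo "MISMATCH: firewall_logging=YES but init line says logging disabled;"
        echo "  the line is printed at module load, so check sysctl net.inet.ip.fw.verbose"
        status=1
    fi
    echo "default policy reported at init: $(kmsg_default "$line")"
    return $status
}

audit_ipfw "$RC_CONF" "$KMSG" || echo "audit found mismatches"
```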