Re: strange problem with ipfw and rc.conf

2006-01-26 Thread Arne Woerner
--- gahn [EMAIL PROTECTED] wrote:
 65335 locking out everything). I have to do sh
 /etc/ipfw.rules in order to load the rulesets, once I
 did that, I can access the box from remote locations
 
Hmm...

It helped me to look at /etc/rc.firewall... There are some
comments there that might give you the right hints...

Maybe firewall_enable should be YES?

E.g. my /etc/rc.firewall.bartely file cannot be executed with
sh... But maybe I still did not understand ipfw...

My /etc/rc.firewall.bartely contains rules like:
add pass log all from any to 47.11.42.42
add deny log all from any to any

And in rc.conf my firewall_type=/etc/rc.firewall.bartleby

And I use default firewall_script=/etc/rc.firewall

-Arne


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: strange problem with ipfw and rc.conf

2006-01-26 Thread Logan
On 1/26/06, gahn [EMAIL PROTECTED] wrote:


 I have a strange problem with rc.conf. I set up ipfw
 (compiled into kernel) on freebsd-5.4 and it doesn't
 seem to load ipfw rulesets (it uses default ruleset
 65335 locking out everything). I have to do sh
 /etc/ipfw.rules in order to load the rulesets, once I
 did that, I can access the box from remote locations
 ...
 firewall_script=/etc/ipfw.rules
 firewall_type=simple


firewall_enable=YES
firewall_type=/etc/ipfw.rules

Delete firewall_script=/etc/ipfw.rules; the default rc.conf already has the
correct value for what you're trying to do.


Re: strange problem with ipfw and rc.conf

2006-01-26 Thread gahn
Thanks.

I don't think it was a problem with the ipfw rulesets. In
fact, once I did sh /etc/ipfw.rules, things were
fine. I just can't figure out why rc.conf won't
load the rulesets.

Besides, I recompiled the customized kernel and there
is no need for firewall_enable=YES statement in
rc.conf. 



--- Arne Woerner [EMAIL PROTECTED] wrote:

 --- gahn [EMAIL PROTECTED] wrote:
  65335 locking out everything). I have to do sh
  /etc/ipfw.rules in order to load the rulesets, once I
  did that, I can access the box from remote locations
  
 Hmm...
 
 It helped me to look at /etc/rc.firewall... There are some
 comments there that might give you the right hints...
 
 Maybe firewall_enable should be YES?
 
 E.g. my /etc/rc.firewall.bartely file cannot be executed with
 sh... But maybe I still did not understand ipfw...
 
 My /etc/rc.firewall.bartely contains rules like:
 add pass log all from any to 47.11.42.42
 add deny log all from any to any
 
 And in rc.conf my firewall_type=/etc/rc.firewall.bartleby
 
 And I use default firewall_script=/etc/rc.firewall
 
 -Arne
 




Re: strange problem with ipfw and rc.conf

2006-01-26 Thread gahn
Thanks for the comments.

My real problem is that rc.conf just won't load the
rulesets when the system reboots. I have to do this
every time the system reboots: sh /etc/ipfw.rules


--- Oxygenshell [EMAIL PROTECTED] wrote:

 ipfw rules automatically default to deny.
 You have to explicitly tell it to allow by default
 (kernel setting).
 
 
 - Original Message - 
 From: Arne Woerner [EMAIL PROTECTED]
 To: gahn [EMAIL PROTECTED]; freebsd security freebsd-security@freebsd.org;
 freebsd general questions freebsd-questions@freebsd.org
 Sent: Thursday, January 26, 2006 7:03 PM
 Subject: Re: strange problem with ipfw and rc.conf
 
 
  --- gahn [EMAIL PROTECTED] wrote:
  65335 locking out everything). I have to do sh
  /etc/ipfw.rules in order to load the rulesets, once I
  did that, I can access the box from remote locations
 
  Hmm...
 
  It helped me to look at /etc/rc.firewall... There are some
  comments there that might give you the right hints...
 
  Maybe firewall_enable should be YES?
 
  E.g. my /etc/rc.firewall.bartely file cannot be executed with
  sh... But maybe I still did not understand ipfw...
 
  My /etc/rc.firewall.bartely contains rules like:
  add pass log all from any to 47.11.42.42
  add deny log all from any to any
 
  And in rc.conf my firewall_type=/etc/rc.firewall.bartleby
 
  And I use default firewall_script=/etc/rc.firewall
 
  -Arne
 




Re: strange problem with ipfw and rc.conf

2006-01-26 Thread Dan O'Connor

Besides, I recompiled the customized kernel and there
is no need for firewall_enable=YES statement in
rc.conf.


Yes, there is.

Just because it's compiled in, doesn't mean it's turned on. And since 
/etc/defaults/rc.conf has 'firewall_enable=NO' in it, it specifically 
is turned off.


~Dan

--
FreeBSD Cheat Sheets
  http://www.mostgraveconcern.com/freebsd/ 





Re: strange problem with ipfw and rc.conf

2006-01-26 Thread Arne Woerner
--- gahn [EMAIL PROTECTED] wrote:
 Thanks for the comments.
 
 My real problem is thta the rc.conf just won load the
 rulesets when the system reboots. I have to do this
 every time the system reboots: sh /etc/ipfw.rules
 
Could you just try
  firewall_enable=YES
in your
  /etc/rc.conf
please?

Remember: The kernel options do not change /etc/default/rc.conf...

-Arne


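An added example, not code from the thread and not FreeBSD's own rc scripts: a POSIX sh checker that re-implements the decision the FreeBSD 5.x rc scripts make at boot, as summarised from /etc/rc.d/ipfw and /etc/rc.firewall (assumption: rules load only when firewall_enable=YES; with the default firewall_script, rc.firewall treats firewall_type as either one of its built-in keywords or the path of a file of bare ipfw(8) sub-command lines, which it feeds to ipfw). It also tells the two rules-file formats apart, which is the difference between Arne's file (loaded via firewall_type) and gahn's (run via sh). The temporary file names, addresses and rule contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emulate how FreeBSD 5.x decides at boot
# whether ipfw rules are loaded, and classify a rules file by its syntax.
set -e
set -f   # no globbing: rule lines are split into words below

# Classify a rules file.  rc.firewall feeds firewall_type=<path> straight to
# ipfw(8), which reads bare sub-command lines ("add deny ..."); a
# firewall_script=<path> must instead be a shell script that calls ipfw itself.
# Prints: preprocessed | script | empty
rules_file_kind() {
    file="$1"
    n=0; other=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # drop comments
        # shellcheck disable=SC2086
        set -- $line                         # split into words
        if [ $# -eq 0 ]; then continue; fi   # blank line
        n=$((n + 1))
        case $1 in
            add|delete|flush|zero|resetlog|pipe|queue|table|set|enable|disable) ;;
            *) other=$((other + 1)) ;;
        esac
    done < "$file"
    if [ "$n" -eq 0 ]; then echo empty
    elif [ "$other" -eq 0 ]; then echo preprocessed
    else echo script
    fi
}

# Emulate the boot-time decision for one rc.conf.  Defaults are those of
# /etc/defaults/rc.conf (firewall_enable=NO, firewall_script=/etc/rc.firewall,
# firewall_type=UNKNOWN).  The file is sourced in a subshell, as rc does, so
# only point this at files you trust.  Prints one of:
#   disabled        firewall_enable is not YES; nothing loads, rule 65535 stays
#   keyword:<type>  one of rc.firewall's built-in rulesets
#   file:<path>     rc.firewall runs ipfw on <path>
#   script:<path>   a custom firewall_script replaces rc.firewall entirely
#   missing:<path>  firewall_type names a file that is not readable
ipfw_boot_plan() {
    rcconf="$1"
    (
        firewall_enable=NO
        firewall_script=/etc/rc.firewall
        firewall_type=UNKNOWN
        . "$rcconf"
        case $firewall_enable in
            [Yy][Ee][Ss]) ;;
            *) echo disabled; exit 0 ;;
        esac
        if [ "$firewall_script" != /etc/rc.firewall ]; then
            echo "script:$firewall_script"; exit 0
        fi
        case $firewall_type in
            [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|[Cc][Ll][Oo][Ss][Ee][Dd]|UNKNOWN)
                echo "keyword:$firewall_type" ;;
            *)
                if [ -r "$firewall_type" ]; then echo "file:$firewall_type"
                else echo "missing:$firewall_type"; fi ;;
        esac
    )
}

# --- constructed sample inputs (placeholders, not the poster's real files) ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Default-deny policy in the syntax ipfw(8) reads from a file (rc.firewall
# flushes the old rules itself before loading this).
cat > "$workdir/ipfw.rules" <<'EOF'
# constructed sample
add 100 pass all from any to any via lo0
add 200 pass tcp from 192.168.128.0/24 to me 22 in setup keep-state
add 300 pass all from me to any out keep-state
add 65000 deny log all from any to any
EOF

# The same idea as a shell script, which is what firewall_script expects.
cat > "$workdir/ipfw.sh" <<'EOF'
#!/bin/sh
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add 65000 deny log all from any to any
EOF

# rc.conf as posted: firewall_enable never set, so the default NO wins.
cat > "$workdir/rc.conf.before" <<EOF
firewall_script="$workdir/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
EOF

# rc.conf as the replies suggest.
cat > "$workdir/rc.conf.after" <<EOF
firewall_enable="YES"
firewall_type="$workdir/ipfw.rules"
firewall_quiet="YES"
EOF

echo "ipfw.rules is: $(rules_file_kind "$workdir/ipfw.rules")"
echo "ipfw.sh is:    $(rules_file_kind "$workdir/ipfw.sh")"
echo "before: $(ipfw_boot_plan "$workdir/rc.conf.before")"
echo "after:  $(ipfw_boot_plan "$workdir/rc.conf.after")"
```

Run it on a copy of the real rc.conf with `ipfw_boot_plan /path/to/rc.conf` to see which branch the boot scripts would take; "disabled" is exactly the state described in the thread, where the compiled-in firewall leaves only its default rule in place until someone loads rules by hand.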


RE: strange problem with ipfw and rc.conf

2006-01-26 Thread fbsd_user
Your problem is that you have rc.conf loading 2 different firewalls
at the same time:
IPFW, which is compiled into your kernel as firewall, and
ipfilter, which you have rc.conf starting. You don't need to
compile either one of the firewalls into the kernel for them to work.

You need to read the firewall section of the handbook.
It contains a very complete usage description of the 3 firewalls
that come with FreeBSD.

I would recommend you use ipfilter as your firewall.
IPFW is for the experienced firewall user who has FW
requirements needing functions not provided by one of the
other FWs delivered with the base FreeBSD install.

And since it looks like you have 3 private circuits on your
LAN, you will need the NAT function, and NAT in ipfilter is so much
easier to set up than in ipfw when using the keep-state function
in your rules file.

The handbook ipfilter sample rule sets work as is.
Just copy and paste into your own rules file and you're pretty
much good to go after following the comments.


And another thing: it's not acceptable behavior to cross-post
the same question to 2 lists.
This question does not belong in [EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of gahn
Sent: Thursday, January 26, 2006 6:35 PM
To: freebsd security; freebsd general questions
Subject: strange problem with ipfw and rc.conf


Hi all:

I have a strange problem with rc.conf. I set up ipfw
(compiled into kernel) on freebsd-5.4 and it doesn't
seem to load ipfw rulesets (it uses default ruleset
65335 locking out everything). I have to do sh
/etc/ipfw.rules in order to load the rulesets, once I
did that, I can access the box from remote locations

here is my rc.conf:

host# more /etc/rc.conf

network_interfaces="lo0 em0 dc0 rl0 plip0"
kern_securelevel="2"
kern_securelevel_enable="YES"
linux_enable="YES"
named_enable="YES"
nisdomainname="NO"
sshd_enable="YES"
usbd_enable="YES"
hostname="sis"
tcp_keepalive="YES"
tcp_extensions="YES"
ifconfig_em0="inet 192.168.128.222/24"
ifconfig_dc0="inet 192.168.1.4/24"
ifconfig_rl0="inet 10.10.75.126/24"
defaultrouter="192.168.128.1"
static_routes="net1 net2"
route_net1="-net 192.168.0.0/22 192.168.1.1"
route_net2="-net 10.10.0.0/16 10.10.128.1"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
mpd_enable="YES"

also my customized kernel (partial):

options IPFIREWALL                      #firewall
options IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=10     #limit verbosity
#options IPFIREWALL_DEFAULT_TO_ACCEPT   #allow everything by default
options IPFIREWALL_FORWARD              #packet destination changes
options IPFIREWALL_FORWARD_EXTENDED     #all packet dest changes
options IPDIVERT                        #divert sockets

TIA




Re: strange problem with ipfw and rc.conf

2006-01-26 Thread gahn
arne:

Thanks. I did and it worked. You are right; the kernel
options don't change the fact that the firewall_enable
statement must be in rc.conf.

Best 

--- Arne Woerner [EMAIL PROTECTED] wrote:

 --- gahn [EMAIL PROTECTED] wrote:
  Thanks for the comments.
  
  My real problem is that rc.conf just won't load the
  rulesets when the system reboots. I have to do this
  every time the system reboots: sh /etc/ipfw.rules
  
 Could you just try
   firewall_enable=YES
 in your
   /etc/rc.conf
 please?
 
 Remember: The kernel options do not change
 /etc/default/rc.conf...
 
 -Arne
 




Re: strange problem with ipfw and rc.conf

2006-01-26 Thread Mikhail Goriachev
gahn wrote:
 Hi all:
 
 I have a strange problem with rc.conf. I set up ipfw
 (compiled into kernel) on freebsd-5.4 and it doesn't
 seem to load ipfw rulesets (it uses default ruleset
 65335 locking out everything). I have to do sh
 /etc/ipfw.rules in order to load the rulesets, once I
 did that, I can access the box from remote locations
 
 [...]


 ipfilter_rules=/etc/ipf.rules   

Hi,

Your rc.conf looks for ipf.rules instead of the ipfw.rules file. Adding the
missing w may solve your problem.

Mikhail.

-- 
Mikhail Goriachev
Systems Administrator
Naval Radio

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: http://www.navalradio.cl

PGP Key ID: 0x4E148A3B
PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B


