On Thu, Apr 22, 2004 at 07:00:48PM -0400, Peter Tokanel wrote:
>
>
> Alex de Kruijff wrote:
>
> >On Wed, Apr 21, 2004 at 07:33:51PM -0400, Peter Tokanel wrote:
> >
> >
> >>Hi,
> >>
> >>I am new to unix but I have managed to setup a home network using
> >>Free BSD. The
> >>FreeBSD box is a gateway/firewall/router for my Windows XP box and a
> >>wireless access
> >>point. The XP box can access the web just great using the shared
> >>connection.
> >>My problem is when email is used on the WindowsXP box , no messages can be
> >>sent out. I can receive email from my ISP's pop-server just fine. I am
> >>not sure if I need
> >>to start some kind of mail daemon or what Is it my firewall
> >>configuration
> >>I have included some of my setup files, hopefully someone can tell me
> >>
> >>
> >
> >XP 192.168.1.0/24 <-> 192.168.1.0/24 gateway <-> internet
> >
> >It could be your firewall but it could also be you XP configuration.
> >If you give me the output of 'ipfw sh' then i'll check if I can find
> >anything that blocks sending mail.
> >
> >
> >
>
> --
> Hi,
> Here is the output of 'ipfw sh'..I don't pretend to understand
> what all these mean. The
> ipfw rules for the 'simple' case in rc.firewall were a starting point,
> but then I added a few
> additional rules from various spots on the net attempting to fix various
> problems. Any advice
> would be appreciated.
I couldn't find exacly what the problem is. It looks oke for me. If you
like to go on with this one you could try doing:
1. ipfw z
2. Try sending your mail
3. ipfw sh (and look where the packed gets blocked)
4. If you sloved the problem skip to the end
5. Add log to the rule and do 1-3. Then check /etc/security and look for
the rigth packets and see what happens.
What I like to do is offer you an alternative framework. I'll be in a
better position to help you this way.
For this first put these lines in your /etc/rc.conf. This will load the
firewall rules from that file.
firewall_enable="YES"
firewall_type="/etc/firewall.conf"
Then put these rules in your /etc/firewall.conf:
# Select NIC (1 = internal 2 = external)
add 00010 skipto 1 ip from any to any via rl0
add 00020 skipto 2 ip from any to any via vl0
add 00030 allow ip from any to any via lo0
add 0 deny ip from any to any
> A packet send from the XP box to the internet passes these rule twice
> because it goes through two NICs.
# Internal NIC
19997 allow ip from 192.168.1.0/24 to any
19997 allow ip from any to 192.168.1.0/24
19998 reject log ip from any to any in
1 deny log ip from any to any out
> reject = deny + it tells the sender that no such service exist. That
> is smart for _you own_ computer.
## External NIC - Anti spoofing
#add 20200 skipto 20300 ip from 192.168.1.0/24 to any in
#add 20210 rejectip from any to 10.0.0.0/8 out
#add 20220 rejectip from any to 172.0.0.0/12 out
#add 20230 rejectip from any to 192.168.0.0/16 out
#add 20240 deny ip from 10.0.0.0/8 to any in
#add 20250 deny ip from 172.0.0.0/12 to any in
#add 20260 deny ip from 192.168.0.0/16 to any in
> Afther everything works you can place your anti spoofing rules here
> and keep those packets from going into natd. Rules 200,240-260 can
> block you out and are optional.
# External NIC - Natd
20520 skipto 20600 ip from me to any
20530 divert 8668 ip from any to any
20540 allow ip from me to any
20550 allow ip from any to 192.168.31.0/24
> This acts like a stateful firewall (like below) for the lan.
# External NIC - Stateful firewall
29800 allow tcp from me to any keep-state setup
29810 allow udp from me to any keep-state
29820 allow ip from me to any keep-state
> This allows packets out and responce back in.
# External NIC - deny or reject everyting else
29998 deny log ip from any to any in
2 reject log ip from any to any out
--
Alex
Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
