Re: where am I supposed to put my rc.firewall?
On Friday 30 January 2004 11:02 pm, JJB wrote:
> How can it cause connections problems, you have never used it yet, so
> how can you say that.

I HAVE used it, and it is causing, primarily, DNS request problems. DNS queries don't seem to have the ability to forward to other servers.

> Yes the rule set you posted is wide open. You could remove rules 200 and
> 300, pretty meaningless in a wide open config.

The wide-open config is a start. I want to start with a working connection, and move to adding deny rules from there.

Thanks for the reply!

--
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
Re: where am I supposed to put my rc.firewall?
On Fri, 30 Jan 2004 19:47:47 -0600
Eric F Crist [EMAIL PROTECTED] wrote:

> On Friday 30 January 2004 06:54 pm, Chuck Swiger wrote:
> > Eric F Crist wrote:
> > > I'm trying to add IPFW support. Where do I put my rc.firewall so
> > > that it gets read at boot time? I've tried /usr/local/etc/rc.d and
> > > /etc but neither seems to get read.
> >
> > Specify the location of your firewall script in /etc/rc.conf like so:
> >
> >   firewall_enable='YES'
> >   firewall_type='/etc/ERICS_firewall'
> >   firewall_flags='-p /usr/bin/cpp'
> >
> > [ You might choose to use some other preprocessor... ]
>
> Well, here's what I have now. I have a file in /etc called
> grog.firewall. Its contents are:
>
>   grog# more grog.firewall
>   ipfw -f flush
>   ipfw add 100 pass all from any to any via lo0
>   ipfw add 200 deny all from any to 127.0.0.0/8
>   ipfw add 300 deny ip from 127.0.0.0/8 to any
>   ipfw add 600 allow all from any to any
>
> In my /etc/rc.conf file, I have the following two entries pertaining
> to the firewall:
>
>   firewall_enable=YES
>   firewall_type=/etc/grog.firewall

Add this to your rc.conf (instead of firewall_type=...):

  firewall_script=/etc/grog.firewall

See /etc/defaults/rc.conf !

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: where am I supposed to put my rc.firewall?
Peder Blom wrote:
[ ... ]
> Add this to your rc.conf (instead of firewall_type=...):
>
>   firewall_script=/etc/grog.firewall
>
> See /etc/defaults/rc.conf !

While I won't speak against looking at /etc/defaults/rc.conf, setting firewall_type works fine; see the end of /etc/rc.firewall:

  *)
      if [ -r ${firewall_type} ]; then
          ${fwcmd} ${firewall_flags} ${firewall_type}
      fi
      ;;

--
-Chuck
Re: where am I supposed to put my rc.firewall?
On Sat, 31 Jan 2004 10:50:19 -0500
Chuck Swiger [EMAIL PROTECTED] wrote:

> Peder Blom wrote:
> [ ... ]
> > Add this to your rc.conf (instead of firewall_type=...):
> >
> >   firewall_script=/etc/grog.firewall
> >
> > See /etc/defaults/rc.conf !
>
> While I won't speak against looking at /etc/defaults/rc.conf, setting
> firewall_type works fine; see the end of /etc/rc.firewall:
>
>   *)
>       if [ -r ${firewall_type} ]; then
>           ${fwcmd} ${firewall_flags} ${firewall_type}
>       fi
>       ;;
>
> --
> -Chuck

Yes, that's the other way of doing it. The mentioning of scripts and the fact that his file was in the form of a script made me assume that he wanted to write his own script for setting up his firewall. On second thought I realize that he might just as well want to do it your way and define a set of rules to be read in by rc.firewall. (This might even be the best solution.)

I've never done it this way, but in this case I assume that you just define the rules in '/etc/ERICS_firewall', thus:

--
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 600 allow all from any to any
--

Using your suggestions for rc.conf, of course. Is this correct?
Re: where am I supposed to put my rc.firewall?
Peder Blom wrote:
> I've never done it this way, but in this case I assume that you just
> define the rules in '/etc/ERICS_firewall', thus:
>
> --
> add 100 pass all from any to any via lo0
> add 200 deny all from any to 127.0.0.0/8
> add 300 deny ip from 127.0.0.0/8 to any
> add 600 allow all from any to any
> --
>
> Using your suggestions for rc.conf, of course. Is this correct?

Exactly. And then you add a preprocessor like cpp, and you can define:

  # set these to your inside interface network and netmask and ip
  #define IIF fxp0
  #define INET 10.1.1.0/24
  #define IIP 10.1.1.1

  [ ...OIF info snipped... ]

  # port number ranges
  #define LOPORTS 1-1023
  #define HIPORTS 1024-65535

  # basic stuff
  add 100 pass all from any to any via lo0
  add deny all from any to 127.0.0.0/8
  add deny ip from 127.0.0.0/8 to any
  add deny all from INET to any in via OIF
  add deny all from ONET to any in via IIF

...and go from there.

--
-Chuck
Re: where am I supposed to put my rc.firewall?
Jack L. Stone wrote:
> At 02:04 PM 1.31.2004 -0500, Chuck Swiger wrote:
> > # set these to your inside interface network and netmask and ip
> > #define IIF fxp0
> > #define INET 10.1.1.0/24
> > #define IIP 10.1.1.1
> >
> > [ ...OIF info snipped... ]
> >
> > # port number ranges
> > #define LOPORTS 1-1023
> > #define HIPORTS 1024-65535

A simple example would be:

  # dynamic rules
  add check-state

  # permit some services inbound...
  add pass tcp from any HIPORTS to INET 22,80,143,443,993,3128 setup keep-state

  # ...but block most other services (ie, ones with root privs)
  add deny tcp from any to INET LOPORTS

For a more complicated example, where PI is a mailserver which performs virus scanning and spamfiltering, PONG is an internal reader box:

  INET --- [FW1] --DMZ + Mailserver PI-- [FW2] --Internal subnet + PONG

  # on FW1:
  add pass tcp from PI HIPORTS to any 25
  add pass tcp from any 25 to PI HIPORTS established
  add pass tcp from any HIPORTS to PI 25
  add pass tcp from PI 25 to OIP HIPORTS established
  add unreach filter-prohib log tcp from any to INET 25

  # on FW2:
  # permit SMTP exchange between pi and pong/fw
  add pass tcp from PI HIPORTS to PONG 25
  add pass tcp from PONG 25 to PI HIPORTS established
  add pass tcp from PONG HIPORTS to PI 25
  add pass tcp from PI 25 to PONG HIPORTS established
  [ ... ]
  # track SMTP from inside to outside and block SMTP from outside
  add pass log logamount 20 tcp from INET HIPORTS to any 25 setup
  add pass tcp from INET HIPORTS to any 25 established
  add pass tcp from any 25 to INET HIPORTS established

--
-Chuck
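The two rule-set posts above (Chuck's cpp #define scaffolding and his check-state/keep-state example) are rule files meant to be fed to ipfw via firewall_type. The script below is an added example, not code from this thread or from FreeBSD's own /etc/rc.firewall: it puts the same ideas into firewall_script form (a shell script that runs ipfw itself, which is what Eric's grog.firewall was), with sh variables standing in for the cpp #defines. It assumes the inside interface fxp0 and network 10.1.1.0/24 from the thread, an outside interface named fxp1 (the OIF section was snipped in the thread, so that name is an assumption), and a kernel whose rule 65535 is deny. Unlike Eric's wide-open set it is default-deny, so it must explicitly pass DNS from the inside, the traffic that first breaks when only the default deny is left. When run as non-root, or anywhere /sbin/ipfw is absent, FWCMD falls back to echo and the script prints the ipfw commands instead of loading them, which lets you review the rule set before putting it on the box.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw rule set in firewall_script
# form, enabled from rc.conf with
#   firewall_enable="YES"
#   firewall_script="/etc/grog.firewall"
# The sh variables below play the role of the cpp #defines in the thread.
# Assumptions: inside interface fxp0 (from the thread), outside interface
# fxp1 (assumed name, the thread snipped it), default-deny rule 65535.

IIF="fxp0"            # inside interface
INET="10.1.1.0/24"    # inside network
OIF="fxp1"            # outside interface (assumed name)
LOPORTS="1-1023"
HIPORTS="1024-65535"

# Not root, or no ipfw on this host: print the commands instead of
# running them, so the rule set can be reviewed offline.
if [ -z "$FWCMD" ]; then
    if [ "$(id -u)" = "0" ] && [ -x /sbin/ipfw ]; then
        FWCMD="/sbin/ipfw"
    else
        FWCMD="echo"
    fi
fi

# Every rule goes through one wrapper; -q keeps ipfw quiet at boot.
fw() { "$FWCMD" -q "$@"; }

build_rules() {
    fw -f flush

    # loopback: allow on lo0, refuse 127/8 on any other interface
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any

    # anti-spoofing: inside addresses never arrive on the outside interface
    fw add 400 deny ip from "$INET" to any in via "$OIF"

    # dynamic rules first, so replies to keep-state sessions match early
    fw add 500 check-state

    # DNS from the inside; UDP is the normal case, TCP carries large answers
    fw add 600 allow udp from "$INET" to any 53 keep-state
    fw add 610 allow tcp from "$INET" to any 53 setup keep-state

    # inbound services, only from unprivileged client ports
    fw add 700 allow tcp from any "$HIPORTS" to "$INET" 22,80,443 setup keep-state

    # whatever the inside opens toward the outside is tracked as a session
    fw add 800 allow tcp from "$INET" to any setup keep-state
    fw add 810 allow udp from "$INET" to any keep-state

    # log probes of privileged ports, then deny everything else explicitly
    fw add 900 deny log tcp from any to "$INET" "$LOPORTS"
    fw add 65000 deny log ip from any to any
}

build_rules
```

Setting FWCMD to a shell function that records its arguments is also the cheapest way to regression-test a rule file: the output is the exact argument list ipfw would receive, in order, and rule numbering mistakes (a deny landing before the check-state, for instance) show up as a simple diff.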
Re: where am I supposed to put my rc.firewall?
Eric F Crist wrote:
> I'm trying to add IPFW support. Where do I put my rc.firewall so that
> it gets read at boot time? I've tried /usr/local/etc/rc.d and /etc but
> neither seems to get read.

Specify the location of your firewall script in /etc/rc.conf like so:

  firewall_enable='YES'
  firewall_type='/etc/ERICS_firewall'
  firewall_flags='-p /usr/bin/cpp'

[ You might choose to use some other preprocessor... ]

--
-Chuck
Re: where am I supposed to put my rc.firewall?
On Friday 30 January 2004 06:54 pm, Chuck Swiger wrote:
> Eric F Crist wrote:
> > I'm trying to add IPFW support. Where do I put my rc.firewall so that
> > it gets read at boot time? I've tried /usr/local/etc/rc.d and /etc but
> > neither seems to get read.
>
> Specify the location of your firewall script in /etc/rc.conf like so:
>
>   firewall_enable='YES'
>   firewall_type='/etc/ERICS_firewall'
>   firewall_flags='-p /usr/bin/cpp'
>
> [ You might choose to use some other preprocessor... ]

Well, here's what I have now. I have a file in /etc called grog.firewall. Its contents are:

  grog# more grog.firewall
  ipfw -f flush
  ipfw add 100 pass all from any to any via lo0
  ipfw add 200 deny all from any to 127.0.0.0/8
  ipfw add 300 deny ip from 127.0.0.0/8 to any
  ipfw add 600 allow all from any to any

In my /etc/rc.conf file, I have the following two entries pertaining to the firewall:

  firewall_enable=YES
  firewall_type=/etc/grog.firewall

Now, this is a headless system, so I access it through the serial port. I don't see any errors anywhere, but my ipfw show command, immediately after boot, shows:

  65535 481 38684 deny ip from any to any

What have I done wrong?

--
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
Re: where am I supposed to put my rc.firewall?
On Friday 30 January 2004 09:34 pm, JJB wrote:
> firewall_type=/etc/grog.firewall is wrong, replace it with
>
>   firewall_script='/etc/grog.firewall'
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric F Crist
> Sent: Friday, January 30, 2004 8:48 PM
> To: Chuck Swiger
> Cc: [EMAIL PROTECTED]
> Subject: Re: where am I supposed to put my rc.firewall?
>
> On Friday 30 January 2004 06:54 pm, Chuck Swiger wrote:
> > Eric F Crist wrote:
> > > I'm trying to add IPFW support. Where do I put my rc.firewall so
> > > that it gets read at boot time? I've tried /usr/local/etc/rc.d and
> > > /etc but neither seems to get read.
> >
> > Specify the location of your firewall script in /etc/rc.conf like so:
> >
> >   firewall_enable='YES'
> >   firewall_type='/etc/ERICS_firewall'
> >   firewall_flags='-p /usr/bin/cpp'
> >
> > [ You might choose to use some other preprocessor... ]
>
> Well, here's what I have now. I have a file in /etc called
> grog.firewall. Its contents are:
>
>   grog# more grog.firewall
>   ipfw -f flush
>   ipfw add 100 pass all from any to any via lo0
>   ipfw add 200 deny all from any to 127.0.0.0/8
>   ipfw add 300 deny ip from 127.0.0.0/8 to any
>   ipfw add 600 allow all from any to any
>
> In my /etc/rc.conf file, I have the following two entries pertaining
> to the firewall:
>
>   firewall_enable=YES
>   firewall_type=/etc/grog.firewall
>
> Now, this is a headless system, so I access it through the serial port.
> I don't see any errors anywhere, but my ipfw show command, immediately
> after boot, shows:
>
>   65535 481 38684 deny ip from any to any
>
> What have I done wrong?
>
> --
> Eric F Crist
> AdTech Integrated Systems, Inc
> (612) 998-3588

Ok, I'll change that. This script still seems to cause connection problems. Which rules do I need to change? This should be a wide-open firewall script, right?

TIA

--
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588