Hi!

Anthony Landreneau ([EMAIL PROTECTED]):
> below. The problem, when I execute the script nothing comes in, nothing
> goes out, the perfect firewall. The bad news is I need some traffic to
> pass. The network behind the firewall is a subnet of a class B network with

Uhhm, it seems you mixed some source/destination ports. I'm not sure about
-b - I've removed it (by mistake??) I'd try the following modifications:

> # By Default DENY ALL services first
> ipfwadm -F -p deny
> #
> # Flush all Commands
> ipfwadm -F -f
> ipfwadm -I -f
> ipfwadm -O -f
> #
> # Allow email to NCTAMS01
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.13

ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 111.229.13.13 25

> # Allow email to NS1 Relay host
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.2

ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 111.229.13.2 25

> # Allow email to outside mail servers from NCTAMS01
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.13 25 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -P tcp -S 111.229.13.13 -D 0.0.0.0/0 25

> # Allow email to outside mail servers from NS1
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.2 25 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -P tcp -S 111.229.13.2 -D 0.0.0.0/0 25

> # Allow DNS traffic to NS1
> ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 111.229.13.2
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 53 -D 111.229.13.2
> ipfwadm -F -a accept -b -P tcp -S 111.229.232.0/24 82 -D 111.229.13.2

# what is port 82? I'm skipping this one
ipfwadm -F -a accept -P udp -S 0.0.0.0/0 -D 111.229.13.2 53
ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 111.229.13.2 53

> # Allow Web connections to outside Web Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 80 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 -D 0.0.0.0/0 80

> # Allow FTP connection to outside Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 20 -D 0.0.0.0/0 1024:65535
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 21 -D 0.0.0.0/0 1024:65535

# not touching FTP - trying to avoid emitting bogons.

> # Allow Telnet connections to outside Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 23 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -P tcp -S 111.229.13.0/24 -D 0.0.0.0/0 23

> # Allow NTP time to NS1
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.2 123 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 111.229.13.2 123

Ok, since my packet filter is less restrictive (and based on an allow-policy)
I'm definitely not sure if this is correct. At least the first packet to
initiate a connection should find its way :-) Don't know if the addressed
host is able to reply. Try re-adding -b's if it doesn't work.

I wonder why you're (only) using a forward rule. I'd set the Incoming
rules(, too).

Rainer
--
KeyID=58341901 fingerprint=A5 57 04 B3 69 88 A1 FB 78 1D B5 64 E0 BF 72 EB
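Added example, not part of the thread: a small Python model of how an ipfwadm forward rule matches a packet (first match wins, -b also tries the swapped direction, otherwise the -p deny policy applies), run over Anthony's original outbound-web rule and Rainer's corrected one. The inside host 111.229.13.50, the outside web server 198.51.100.10 and the ephemeral port 3000 are constructed values.

```python
import ipaddress

# Constructed input: the two web rules from the thread, plus an outbound SYN and its reply.
ORIGINAL_WEB = "ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 80 -D 0.0.0.0/0 1024:65535"
CORRECTED_WEB = "ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 -D 0.0.0.0/0 80"
SYN = ("tcp", "111.229.13.50", 3000, "198.51.100.10", 80)     # inside browser -> outside server
REPLY = ("tcp", "198.51.100.10", 80, "111.229.13.50", 3000)   # server's SYN/ACK back inside

def parse_rule(line):
    """Parse the subset of ipfwadm syntax used on the list: -a, -b, -P, -S/-D addr [port|lo:hi]."""
    toks, i = line.split(), 0
    rule = {"action": "accept", "bidir": False, "proto": "any",
            "src": ("0.0.0.0/0", None), "dst": ("0.0.0.0/0", None)}
    while i < len(toks):
        t = toks[i]
        if t == "-a":
            rule["action"] = toks[i + 1]; i += 2
        elif t == "-b":
            rule["bidir"] = True; i += 1
        elif t == "-P":
            rule["proto"] = toks[i + 1]; i += 2
        elif t in ("-S", "-D"):
            addr, ports, i = toks[i + 1], None, i + 2
            if i < len(toks) and not toks[i].startswith("-"):   # optional port or lo:hi range
                lo, _, hi = toks[i].partition(":")
                ports, i = (int(lo), int(hi or lo)), i + 1
            rule["src" if t == "-S" else "dst"] = (addr, ports)
        else:
            i += 1                                              # "ipfwadm", "-F", ...
    return rule

def _side_ok(side, ip, port):
    net, ports = side
    in_net = ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return in_net and (ports is None or ports[0] <= port <= ports[1])

def rule_matches(rule, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port); -b also accepts the swapped direction."""
    proto, sip, sp, dip, dp = pkt
    if rule["proto"] not in ("any", proto):
        return False
    forward = _side_ok(rule["src"], sip, sp) and _side_ok(rule["dst"], dip, dp)
    reverse = _side_ok(rule["src"], dip, dp) and _side_ok(rule["dst"], sip, sp)
    return forward or (rule["bidir"] and reverse)

def verdict(rule_lines, pkt, policy="deny"):
    for r in map(parse_rule, rule_lines):
        if rule_matches(r, pkt):
            return r["action"]
    return policy   # no rule matched: the chain policy (-p deny in the original script) decides
```

The original rule asks for source port 80 on the inside host, so neither the SYN nor the reply matches it and the deny policy drops both; the corrected rule accepts the SYN directly and the reply through the -b swap.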