Check out this site; once you get a handle on the setup, read this HOWTO.
I've looked at lots of resources, but this is the best as far as I'm
concerned.

http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

If someone has one better, I would love to see it.

Grant Cooper

----- Original Message -----
From: "Dan Pelleg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Redmond Militante"
<[EMAIL PROTECTED]>
Sent: Monday, October 21, 2002 6:16 PM
Subject: RE: need help with ipfw rules


>
> > hi all
> >
> > my apologies, this could get long as i'm including the text of various
> > config files:
> >
> > i've been trying to learn ipfw. i've recompiled a kernel with the
> > following options
>
>
> > ipfw add allow ip from any to any
>
> Do you really want to allow everything in, or is this just a typo?
> If this rule is really in effect, the rest of the rules are
> not doing anything.
>
> > ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
>
> I'm assuming "vua" is a typo - should be "via".
>
> > ipfw add allow udp from any to any 53
> > ipfw add check-state
>
> You're not letting DNS replies come back. You are allowing the queries
> to go *out*, but when the remote server's reply packets hit the firewall
> they have port 53 on the *source* address, not on the destination.
> So they don't match that rule anymore and are discarded.
>
> What you probably want instead is:
> ipfw add allow udp from any to any 53 keep-state
>
>
> Another point: you're not using the "divert" rule for natd,
> and I see you have NAT enabled in your rc.conf. This is likely to
> be a problem later (well, you'll just not have NAT).
>
> A very good resource for this is /etc/rc.firewall. Just try
> to follow what the "CLIENT", "SIMPLE" and "OPEN" targets
> do, or even let them run, then output the generated ruleset
> and use it as the skeleton of your own ruleset.
>
> Another useful debugging tool is "ipfw show" - typed repeatedly to watch
> which counters increased and so to know which rules were hit.
> Once you get into stateful filtering, you'll want "ipfw -d show".
>
> Having said that, good ol' tcpdump is always handy to have around.
> Just fire up "tcpdump -ni XXX" with XXX for your external interface
> and see what's going out and what's coming in. Once you start
> firewalling for a network, a "tcpdump -ni III" with III being
> the internal interface becomes useful as well, either in itself
> or in addition to the external-watching tcpdump.
>
> --
>  Dan Pelleg
>
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message


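The two points Dan makes above, that a stateless `allow udp from any to any 53` never matches the reply and that a leading `allow ip from any to any` makes every later rule dead, as an added example that is not part of this thread and not ipfw's own code. It is a small Python model of ipfw's first-match evaluation with keep-state/check-state dynamic entries. The rule numbers, the RFC 5737 test addresses and the client port are constructed; interfaces (`via lo0`), natd/divert and most of ipfw's syntax are deliberately left out.

```python
"""Toy model of ipfw rule evaluation (added example; not ipfw's own code).

It models only what the thread discusses: first-match rule order, a
stateless port match, keep-state/check-state dynamic entries, and the
catch-all 'allow ip from any to any' shadowing everything after it.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp", "tcp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str                  # "allow", "deny" or "check-state"
    proto: str = "ip"            # "ip" matches every protocol
    src: str = "any"
    sport: Optional[int] = None  # None means any port
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))

    def is_catch_all_allow(self) -> bool:
        return (self.action == "allow" and self.proto == "ip"
                and self.src == "any" and self.dst == "any"
                and self.sport is None and self.dport is None)

    def render(self) -> str:
        """The ipfw(8) command line that would add this rule."""
        if self.action == "check-state":
            return f"ipfw add {self.number} check-state"
        src = self.src if self.sport is None else f"{self.src} {self.sport}"
        dst = self.dst if self.dport is None else f"{self.dst} {self.dport}"
        line = f"ipfw add {self.number} {self.action} {self.proto} from {src} to {dst}"
        return line + " keep-state" if self.keep_state else line


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic: Set[tuple] = set()   # flows admitted by a keep-state rule

    def _flow_known(self, pkt: Packet) -> bool:
        # A dynamic entry matches the flow in either direction; that is what
        # lets a DNS reply (source port 53) back through the firewall.
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def evaluate(self, pkt: Packet) -> Tuple[str, int]:
        """Return (verdict, rule number); 65535 is the implicit final deny."""
        for rule in self.rules:
            # check-state, and any keep-state rule, consult the dynamic table first
            if (rule.action == "check-state" or rule.keep_state) and self._flow_known(pkt):
                return ("allow", rule.number)
            if rule.action == "check-state" or not rule.matches(pkt):
                continue
            if rule.keep_state:
                self.dynamic.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return (rule.action, rule.number)
        return ("deny", 65535)


def dead_rules(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never match because an earlier rule allows everything."""
    ordered = sorted(rules, key=lambda r: r.number)
    for i, rule in enumerate(ordered):
        if rule.is_catch_all_allow():
            return [r.number for r in ordered[i + 1:]]
    return []


def stateless_ruleset() -> List[Rule]:
    """The original poster's order: stateless port-53 match, check-state after it."""
    return [Rule(100, "allow", "udp", dport=53), Rule(200, "check-state"), Rule(65000, "deny")]


def stateful_ruleset() -> List[Rule]:
    """Dan's suggestion: keep-state on the DNS rule, with check-state placed first."""
    return [Rule(100, "check-state"),
            Rule(200, "allow", "udp", dport=53, keep_state=True),
            Rule(65000, "deny")]


def dns_exchange(fw: Firewall) -> Tuple[str, str]:
    """Verdicts for a constructed DNS query and its reply (RFC 5737 test addresses)."""
    query = Packet("udp", "192.0.2.10", 1025, "198.51.100.53", 53)
    reply = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 1025)
    return (fw.evaluate(query)[0], fw.evaluate(reply)[0])


if __name__ == "__main__":
    for name, rules in (("stateless", stateless_ruleset()), ("stateful", stateful_ruleset())):
        print(name, dns_exchange(Firewall(rules)))
    print("dead rules:", dead_rules([Rule(50, "allow")] + stateful_ruleset()))
    for r in stateful_ruleset():
        print(r.render())
```

Running it shows the stateless set returning `('allow', 'deny')` for the query/reply pair and the stateful set `('allow', 'allow')`, and that putting a plain `allow` at rule 50 leaves rules 100, 200 and 65000 unreachable. The same thing can be observed on a real box with `ipfw show`, as Dan suggests: the counters on the shadowed rules never move.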