Re: Operation: ipfw on a gateway box
Quoting Lowell Gilbert [EMAIL PROTECTED]:

> Hiram Abiff [EMAIL PROTECTED] writes:
>
> > I followed your advice and rewrote my firewall rules. Although, even now,
> > there are some major difficulties.
>
> Please remember that you sent this message to a mailing list with a very
> large number of people. I, for one, do not remember the earlier messages,
> and may not have read them.

I apologize for the inconvenience. I will try to be clearer.

> > I still can't access the net from my 2 other computers via my FreeBSD
> > firewalled gateway. Although I set it up to allow traffic on ports 21, 22,
> > 53, 8080, I can only telnet to port 21; all the others report a connection
> > refused error.
>
> Where did you do this from?

I tried accessing the FreeBSD box from the 2 other computers I have. Also I tried telnetting from the FreeBSD box to itself.

> > I can ping the FreeBSD box, but I cannot ping any outside IP addresses from
> > the FreeBSD box or the other boxes on my home LAN.
>
> In other words, not only can't you access the net from the other computers,
> but you can't from the FreeBSD box either?

Unfortunately, yes. I tried pinging outside computers by IP address but I can't anymore.

> Does anything work *without* the firewall?

Yes, before I started messing with the firewall I had squid set up, I set up FreeBSD as a gateway and also as a DNS server. I could access the WWW, ftp, telnet and all the other services at will, inside and outside my home LAN.

> > Also when FreeBSD is booting I caught some error messages that said
> > "unknown command setup" for some of my firewall rules.
>
> Kind of need more details here. I can't see what that could be...

I was thinking maybe I misplaced the setup keyword in my firewall rule file. Did you happen to see it? I posted it in my last mail. I don't understand how ftp works and my proxy server doesn't if I used the very same and exact syntax to define the rules.

--
It was as though a veil had been rent. I saw on that ivory face the expression of sombre pride, of ruthless power, of craven terror -- of an intense and hopeless despair. Did he live his life again in every detail of desire, temptation, and surrender during that supreme moment of complete knowledge?

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Operation: ipfw on a gateway box
I followed your advice and rewrote my firewall rules. Although, even now, there are some major difficulties. I still can't access the net from my 2 other computers via my FreeBSD firewalled gateway. Although I set it up to allow traffic on ports 21, 22, 53, 8080, I can only telnet to port 21; all the others report a connection refused error. I can ping the FreeBSD box, but I cannot ping any outside IP addresses from the FreeBSD box or the other boxes on my home LAN. Also when FreeBSD is booting I caught some error messages that said "unknown command setup" for some of my firewall rules. I'm getting desperate, please assist me in any way possible.

Here's my fwrules file:

fwcmd=/sbin/ipfw
#Outside interface
oif=tun0
#Inside interface
iif=rl0
# Force a flushing of the current rules before reload
$fwcmd -f flush
#Check the state of all packets
$fwcmd add check-state
#Divert all packets through the tunnel interface.
$fwcmd add divert natd ip from any to any via $oif
# Allow all data from my network card and localhost
$fwcmd add allow all from any to any via lo0
$fwcmd add allow ip from any to any via $iif
# Allow all connections that I initiate
$fwcmd add allow tcp from any to any out xmit $oif setup
# Once connections are made, allow them to stay open
$fwcmd add allow tcp from any to any via $oif established
# Everyone on the internet is allowed to connect
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 8080 setup
$fwcmd add allow tcp from any to any 53 setup
$fwcmd add allow tcp from any to any 4662 setup
$fwcmd add allow udp from any to any 4672 setup
# This sends a RESET to all ident packets
$fwcmd add reset log tcp from any to any 113 in recv $oif
# Allow outgoing DNS queries ONLY to the specified servers
$fwcmd add allow udp from any to 161.53.114.135 53 out xmit tun0
$fwcmd add allow udp from any to 161.53.114.145 53 out xmit tun0
# Allow them back in with the answers
$fwcmd add allow udp from 161.53.114.135 53 to any in recv $oif
$fwcmd add allow udp from 161.53.114.145 53 to any in recv $oif
# Allow ICMP
$fwcmd add 65435 allow icmp from any to any
# Deny all the rest.
#$fwcmd add 65435 deny log ip from any to any
ppp_mode and ipfw
Hi! I've been trying to set up ipfw on my FreeBSD box which I use as a gateway to the Internet on my LAN. I compiled the kernel with options IPFIREWALL and IPDIVERT, edited rc.conf and some other files. Now I have 2 problems:

1.) Each time FreeBSD boots, ppp automatically establishes a connection via ISDN. I do not want it to do that; I want the connection to be established when one of the other 2 boxes I have on my LAN runs software that demands an internet connection. For example, if I run firefox on my linux box, I want the FreeBSD box to receive the linux box's request for a connection and dial my ISP via ISDN. In rc.conf I set ppp_mode=auto because in ppp's man page it says that this is the correct mode for on-demand connection.

2.) Although I set up my firewall rules I cannot access anything on the outside net anymore, and my other 2 boxes can't access the Internet after setting up the firewall. Also I cannot access the squid proxy I set up on my FreeBSD box anymore. All of this was working before I set up the firewall.

What am I doing wrong? Why can't I access the net outside my home LAN and why doesn't squid work anymore?

Here's my firewall rule file:

fwcmd=/sbin/ipfw
#Outside interface
oif=tun0
#Inside interface
iif=rl0
# Force a flushing of the current rules before reload
$fwcmd -f flush
#Check the state of all packets
$fwcmd add check-state
#Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via oif
# Allow all data from my network card and localhost
$fwcmd add allow all from any to any via lo0
$fwcmd add allow ip from any to any via $ii0
# Allow all connections that I initiate
$fwcmd add allow tcp from any to any out xmit oif setup
# Once connections are made, allow them to stay open
$fwcmd add allow tcp from any to any via oif established
# Everyone on the internet is allowed to connect
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 8080 setup
$fwcmd add allow tcp from any to any 53 setup
$fwcmd add allow tcp from any to any 4662 setup
$fwcmd add allow udp from any to any 4672 setup
# This sends a RESET to all ident packets
$fwcmd add reset log tcp from any to any 113 in recv oif
# Allow outgoing DNS queries ONLY to the specified servers
$fwcmd add allow udp from any to 161.53.114.135 53 out xmit tun0
$fwcmd add allow udp from any to 161.53.114.145 53 out xmit tun0
# Allow them back in with the answers
$fwcmd add allow udp from 161.53.114.135 53 to any in recv oif
$fwcmd add allow udp from 161.53.114.145 53 to any in recv oif
# Allow ICMP
$fwcmd add 65435 allow icmp from any to any
# Deny all the rest.
#$fwcmd add 65435 deny log ip from any to any
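Both rule files in this thread and the follow-up above carry the kind of mistake that is hard to see in a flat rule script and only shows up as an error while the rules load at boot: a "setup" option on a udp rule (ipfw defines "setup" for TCP only, which matches the "unknown command setup" messages the poster reports), an interface token written as "via oif" instead of "via $oif", and a reference to a variable that nothing assigns ($ii0 where iif was defined). The script below is an added example, not code from the thread and not a FreeBSD tool; it is a POSIX shell lint that reads a rule script of this shape and reports those three patterns before the rules are handed to ipfw. The rule lines it checks are a constructed sample that mirrors the posted files; the function and variable names (lint_ipfw_rules, write_sample_rules) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's own tooling): a lint pass
# over an ipfw rule script. It reports three mistakes a flattened rule file
# can hide:
#   1. "setup" on a rule whose protocol is not tcp (ipfw defines setup for
#      TCP only; a udp rule carrying it is rejected when the rules load);
#   2. a $name reference that no line of the file assigns (e.g. $ii0);
#   3. a bare word after via/xmit/recv that is neither a $variable nor an
#      interface name with a unit number (e.g. "via oif" missing its "$").
# The rule file produced by write_sample_rules is constructed for the demo.

# lint_ipfw_rules FILE: print one finding per line, nothing when clean.
lint_ipfw_rules() {
    awk '
    # A shell assignment such as oif=tun0 defines a variable for later rules.
    /^[A-Za-z_][A-Za-z0-9_]*=/ { name = $0; sub(/=.*/, "", name); defined[name] = 1; next }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "add") {
                j = i + 1
                if ($j ~ /^[0-9]+$/) j++      # optional rule number
                k = j + 1                     # token after the action
                if ($j == "divert") k++       # divert takes a port name first
                if ($k == "log") k++          # "log" precedes the protocol
                proto = $k
            }
            tok = $i
            if (tok == "setup" && proto != "tcp")
                printf "line %d: setup used with proto %s (ipfw accepts setup only for tcp)\n", FNR, proto
            if (substr(tok, 1, 1) == "$") {
                vname = substr(tok, 2)
                if (!(vname in defined))
                    printf "line %d: %s is not assigned anywhere in the file\n", FNR, tok
            }
            if ((tok == "via" || tok == "xmit" || tok == "recv") && i < NF) {
                nxt = $(i + 1)
                if (substr(nxt, 1, 1) != "$" && nxt !~ /[0-9]/)
                    printf "line %d: %s %s names neither a variable nor an interface (missing $?)\n", FNR, tok, nxt
            }
        }
    }' "$1"
}

# write_sample_rules: create a constructed rule file mirroring the posted
# patterns (including the three mistakes) and print its path.
write_sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
fwcmd=/sbin/ipfw
oif=tun0
iif=rl0
$fwcmd -f flush
$fwcmd add check-state
$fwcmd add divert natd all from any to any via oif
$fwcmd add allow all from any to any via lo0
$fwcmd add allow ip from any to any via $ii0
$fwcmd add allow tcp from any to any out xmit $oif setup
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow udp from any to any 4672 setup
$fwcmd add reset log tcp from any to any 113 in recv $oif
EOF
    printf '%s\n' "$f"
}

# Usage: lint the constructed sample; it reports lines 6, 8 and 11.
sample=$(write_sample_rules)
lint_ipfw_rules "$sample"
rm -f "$sample"
```

Run it against the real rule script (lint_ipfw_rules /etc/fwrules, or whatever path rc.conf points firewall_script at) before rebooting; an empty result means none of the three patterns is present, not that the ruleset does what you want, so the flush-and-reload still needs checking with ipfw list afterwards.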
ISDN and userland PPP
Greetings and salutations, my everyday idyll has recently been interrupted while I was trying to set up my FreeBSD box as a gateway. It has an ISDN card for connecting to the Internet and an ethernet card for connection to the rest of my network. First, I had to recompile the kernel to enable support for my ISDN card (W9662 chip) as iwic0. Then came the tweaking of several configuration files. Finally, I tried establishing the connection as follows:

wier# ppp
Working in interactive mode
Using interface: tun0
ppp ON wier> dial papchap
ppp ON wier>

After the "dial papchap" command I just get the ppp prompt back. Shouldn't it be informing me about the status of the dialing? The command "ifconfig tun0" says:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        Opened by PID 54

What am I doing wrong, am I using the correct procedure to establish a connection? I want to establish only one 64k link. I am using FreeBSD Release 4.7. Here are my configuration files:

/etc/ppp/options
/dev/cuaa0
115200
crtscts
modem
passive
noipdefault
defaultroute

/etc/ppp/ppp.conf
default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 set device /dev/i4brbch0
 set speed sync
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180    # 3 minute idle timer (the default)
 enable dns         # request DNS info (for resolv.conf)

papchap:
 set phone ISP_NUMBER
 set authname MY_USERNAME
 set authkey MY_PASSWORD
 enable lqr
 set reconnect 3 5
 set redial 3 10
 set lqrperiod 45
 disable pred1 deflate mppe
 deny pred1 deflate mppe
 set dial
 set login
 set logout
 set hangup
 set ifaddr 0 0
 add default HISADDR

/etc/isdn/isdnd.rc
system
acctall = on
acctfile = /var/log/isdnd.acct
useacctfile = yes
isdntime = on
monitor-allowed = off

entry
name = WBDU0
usrdevicename = rbch
usrdeviceunit = 0
isdncontroller = 0
isdnchannel = -1
local-phone-incoming = MY_NUMBER
remote-phone-incoming = *
local-phone-dialout = MY_NUMBER
remote-phone-dialout = ISP_NUMBER
remdial-handling = first
dialin-reaction = ignore
dialout-type = normal
b1protocol = hdlc
idletime-incoming = 900
idletime-outgoing = 900
unitlength = 0
unitlengthsrc = conf
dialretries = 1
dialrandincr = off
recoverytime = 1
direction = out

/etc/resolv.conf
nameserver MY_ISP'S_NAMESERVER
nameserver MY_ISP'S_NAMESERVER2

/etc/rc.conf
hostname="wier"
network_interfaces="lo tun0"
ifconfig_tun0=""
ifconfig_rl0="inet 10.10.10.1"
gateway_enable="YES"
kern_securelevel_enable="NO"
moused_enable="YES"
moused_port="/dev/cuaa1"
moused_type="logitech"
nfs_reserved_port_only="YES"
sendmail_enable="NO"
router_enable="NO"
sshd_enable="YES"
ppp_enable="YES"

I spent 7 hours trying to configure this box as a gateway with an ISDN connection. Could someone provide me with some clue or hints as to where I am erring?

--
I get high on a buzz
Then a rush when I'm plugged in you
I connect when I'm flush
You get love when told what to do
Wonderful electric
Cover me in you