Re: Installing Apache 2 with custom options
Thank you for your reply. I guess I was under the assumption that the Apache port would come pre-configured with some options. So I didn't want to do a configure and overwrite what is there. So can you confirm that it isn't pre-configured anyway? Do any of the ports have configurations set?

Cheers,
Nicholas

On 6/20/05, Alex Zbyslaw [EMAIL PROTECTED] wrote:
> Nicholas Henry wrote:
> > FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004
> >
> > I have apache2 running which I installed from ports. All is running well. I would like to install the proxy module. As I'm relatively new to FreeBSD and Unix I'm not sure which is the best way to go. Is there a way to change the config options before doing a make? How do I do this so I add to the existing config options without overwriting them. Can you do this with ports?
>
> I'm not quite sure what you are asking. If you are asking how do I get make to remember the configuration options I used last time then the easiest answer is to use sysutils/portupgrade and put your options into /usr/local/etc/pkgtools.conf (which is pretty self documenting when you edit it). Some ports now put the options you used in /var/db/ports/{portname}/options, but apache2 doesn't seem to be one of them yet. So if you didn't make a note of what you picked, you'll have to work them out all over again :-(
>
> If you are asking how to re-install apache2 without overwriting changes you made to httpd.conf, then the safest way is to make backup copies before deleting the package and reinstalling. (Easy with portupgrade -f option). Actually, I think the port is clever about this and won't remove the config file if you have changed it, but I'd make backups anyway.
>
> Personally, when installing a complex port like apache2, I always try to be generous about what modules etc I compile, and try to include stuff I *might* need even if I have no use for it yet. Only experimental stuff gets left out. Saves a lot of grief when you suddenly find a use for proxying :-) Disk space is nearly always cheaper than time.
>
> --Alex

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Installing Apache 2 with custom options
Thanks for your help, Alex. I found what I was looking for here:

http://lists.freebsd.org/pipermail/freebsd-questions/2004-January/031160.html

It was the:

# make WITH_EXTRA_MODULES

Cheers,
Nicholas

On 6/30/05, Alex Zbyslaw [EMAIL PROTECTED] wrote:
> Nicholas Henry wrote:
> > Thank you for your reply. I guess I was under the assumption that the Apache port would come pre-configured with some options. So I didn't want to do a configure and overwrite what is there. So can you confirm that it isn't pre-configured anyway? Do any of the ports have configurations set?
>
> I'm still not clear what you mean by pre-configured. Do you mean comes with a standard configuration file for when it runs? Then yes, it does, though you will have to edit it to suit your needs. Since you have the port installed, you must have done this.
>
> If you mean does it pick some standard options at compile time, then yes, it probably does, but obviously it did not include the proxy module you wanted, so you will have to do something when you make apache2 to get it added. If I remember correctly, if you just type make show-options it will tell you what to do.
>
> Many ports do have pre-defined, standard, compile-time options which they use. Other ports will stop and ask you which of the many options you want to choose. In both cases, *something* is picked as the default, but it may not be what you want.
>
> Since your original question was about installing the proxy module, my suggestion was not just to add that, but also to look at the other modules *now* and add any you reasonably think you *might* need just to save installing all over again. Apache is about the most complicated port, with respect to the compile-time options, that you may ever install. There are so many bells, whistles, alternatives and other hoopla, that it makes sense to see what there is and try and take some informed guesstimates at which of those you want. Get it right once and you can forget about it.
>
> See my previous message for how to make sure that portupgrade will use the same options, if you ever need to remake the port.
>
> Hope that helps,
>
> --Alex
Installing Apache 2 with custom options
FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004

I have apache2 running which I installed from ports. All is running well. I would like to install the proxy module. As I'm relatively new to FreeBSD and Unix I'm not sure which is the best way to go. Is there a way to change the config options before doing a make? How do I do this so I add to the existing config options without overwriting them. Can you do this with ports?

Any help would be much appreciated.

Cheers,
Nicholas
Sendmail (Deferred: Operation timed out...)
FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004

Hello folks:

I'm trying to use sendmail to run a mailing list (a legitimate one!) from a home computer behind a Linksys router using a cable modem. When sending messages out they are left in the mqueue directory. Examining the contents of the files I find this error:

Deferred: Operation timed out with mx3.megamailservers.com.

I am a newbie to FreeBSD/Unix, so if there is some more information I can provide to help me please ask.

Any help would be much appreciated.

Cheers,
Nicholas
Re: IPFW/Samba does not work with WinXP (but with MacOS 10.3)
Yes - that's my understanding too. I'm trying to let all local traffic (i.e. on the same network) through with this:

# Allow any traffic to or from my own net.
${fwdcmd} 400 pass all from me to ${net}:${mask}
${fwdcmd} 500 pass all from ${net}:${mask} to me

Anyone with any other thoughts?

On 5/11/05, Juha Saarinen [EMAIL PROTECTED] wrote:
> On 5/11/05, Nicholas Henry [EMAIL PROTECTED] wrote:
> > FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004
> >
> > Hello folks:
> >
> > Trying to set rules to let a local network only connection to a Samba server running on my FreeBSD machine. I'm a FreeBSD newbie. Below is the rules file. The strange thing is this works fine when logging into the Samba server from OS X, but no go with WinXP. I can connect to the Samba server from WinXP if the IPFW is not loaded. Any ideas?
>
> Don't know anything about ipfw, but you need to pass TCP and UDP 135-139 for NetBIOS to work, or change network settings in Windows to make it use TCP/UDP port 445 instead.
>
> --
> Juha
firewall_enable: not found
FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004

I have IPFW set up and get this message at boot time, and mailed to root when this script is run (/usr/libexec/save-entropy):

firewall_enable: not found

Anybody have any ideas why I get this message and how I can stop it?

Thank you.
Re: firewall_enable: not found
: * If there is a firewall between you and nameservers you want
/etc/rc.conf:firewall_enable =YES
/etc/rc.conf:firewall_script=/etc/ipfw.rules
/etc/rc.conf:firewall_logging=YES
/etc/rc.firewall.bak:# $FreeBSD: src/etc/rc.firewall,v 1.47 2003/11/02 07:31:44 ru Exp $
/etc/rc.firewall.bak:# Setup system for firewall service.
/etc/rc.firewall.bak:# Define the firewall type in /etc/rc.conf. Valid values are:
/etc/rc.firewall.bak:# UNKNOWN - disables the loading of firewall rules.
/etc/rc.firewall.bak: firewall_type=${1}
/etc/rc.firewall.bak:case ${firewall_quiet} in
/etc/rc.firewall.bak:# before they encounter your remaining rules. The firewall rules
/etc/rc.firewall.bak:# For ``simple'' firewall type the divert rule should be put to a
/etc/rc.firewall.bak:case ${firewall_type} in
/etc/rc.firewall.bak:# do this as your only action by setting the firewall_type to ``open''.
/etc/rc.firewall.bak:case ${firewall_type} in
/etc/rc.firewall.bak: # This is a prototype setup for a simple firewall. Configure this
/etc/rc.firewall.bak: if [ -r ${firewall_type} ]; then
/etc/rc.firewall.bak: ${fwcmd} ${firewall_flags} ${firewall_type}
/etc/ipfw.rules.bak:# firewall on the private network or from this gateway server
/etc/#ipfw.rules#:# firewall on the private network or from this gateway server

On 5/11/05, Giorgos Keramidas [EMAIL PROTECTED] wrote:
> On 2005-05-11 08:15, Nicholas Henry [EMAIL PROTECTED] wrote:
> > FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004
> >
> > I have IPFW set up and get this message at boot time, and mailed to root when this script is run (/usr/libexec/save-entropy):
> >
> > firewall_enable: not found
> >
> > Anybody have any ideas why I get this message and how I can stop it?
>
> Show us the following:
>
> # grep -r firewall /etc
Re: firewall_enable: not found
ipfw.rules is a shell script - and they do appear to be working correctly.

Cheers,
Nicholas

On 5/11/05, Alex Zbyslaw [EMAIL PROTECTED] wrote:
> Nicholas Henry wrote:
> > /etc/rc.conf:firewall_enable =YES
> > /etc/rc.conf:firewall_script=/etc/ipfw.rules
> > /etc/rc.conf:firewall_logging=YES
>
> I don't have 5.X, but I believe that firewall_script is supposed to be a shell script (like /etc/rc.firewall) whereas /etc/ipfw.rules is just a set of firewall rules. You are trying to execute those rules, when they are not meant to be. There should be a separate config variable (maybe firewall_rules, but I can't confirm that) which you should be setting.
>
> --Alex
>
> PS If this works, then please let the list know
Re: IPFW/Samba does not work with WinXP (but with MacOS 10.3)
OK - problem solved. Not sure if this was an obvious one or not (ok probably was) - I added the freebsd machine name and ip to the WinXP hosts file and it works now.

Cheers,
Nicholas

On 5/11/05, Nicholas Henry [EMAIL PROTECTED] wrote:
> Yes - that's my understanding too. I'm trying to let all local traffic (i.e. on the same network) through with this:
>
> # Allow any traffic to or from my own net.
> ${fwdcmd} 400 pass all from me to ${net}:${mask}
> ${fwdcmd} 500 pass all from ${net}:${mask} to me
>
> Anyone with any other thoughts?
>
> On 5/11/05, Juha Saarinen [EMAIL PROTECTED] wrote:
> > On 5/11/05, Nicholas Henry [EMAIL PROTECTED] wrote:
> > > FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004
> > >
> > > Hello folks:
> > >
> > > Trying to set rules to let a local network only connection to a Samba server running on my FreeBSD machine. I'm a FreeBSD newbie. Below is the rules file. The strange thing is this works fine when logging into the Samba server from OS X, but no go with WinXP. I can connect to the Samba server from WinXP if the IPFW is not loaded. Any ideas?
> >
> > Don't know anything about ipfw, but you need to pass TCP and UDP 135-139 for NetBIOS to work, or change network settings in Windows to make it use TCP/UDP port 445 instead.
> >
> > --
> > Juha
Re: firewall_enable: not found
Brilliant - thanks so much.

On 5/11/05, Giorgos Keramidas [EMAIL PROTECTED] wrote:
> On 2005-05-11 09:17, Nicholas Henry [EMAIL PROTECTED] wrote:
> > As requested - thank you.
> > [...]
> > /etc/rc.conf:firewall_enable =YES
>
> As I suspected, you have a space where none should be! Delete the space before the '=' character and all should be fine.
firewall_enabled: not found mail message (was IPFW custom rules file not loading)
Thank you for your help - I misunderstood the firewall_script and firewall_type. Everything works well now. Just one annoying problem. I continually get a mail msg regarding firewall_enabled not found:

From [EMAIL PROTECTED] Sat May 7 12:44:00 2005
Date: Sat, 7 May 2005 12:44:00 -0400 (EDT)
From: [EMAIL PROTECTED] (Cron Daemon)
To: [EMAIL PROTECTED]
Subject: Cron [EMAIL PROTECTED] /usr/libexec/save-entropy

firewall_enable: not found

Can anyone tell me how to resolve this issue?

Thanks again,
Nicholas

On 5/3/05, Giorgos Keramidas [EMAIL PROTECTED] wrote:
> On 2005-05-03 15:18, Nicholas Henry [EMAIL PROTECTED] wrote:
> > May 3 14:25:22 babe kernel: firewall_enable: not found
> > May 3 14:25:22 babe kernel: ipfw2 initialized, divert disabled, rule-based forwarding dis$
> > May 3 14:25:22 babe kernel: Flushed all rules.
> > May 3 14:25:22 babe kernel: Line 3:
> > May 3 14:25:22 babe kernel: bad command `ipfw'
> > May 3 14:25:22 babe kernel:
> > May 3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons:
> > May 3 14:25:22 babe kernel: firewall_enable: not found
> > May 3 14:25:22 babe kernel: .
> > May 3 14:25:22 babe kernel: net.inet.ip.fw.enable:
> > May 3 14:25:22 babe kernel: 1
> > May 3 14:25:22 babe kernel: -
> > May 3 14:25:22 babe kernel: 1
> >
> > I'm referring to the bad command 'ipfw' line. I'm also concerned about the firewall_enable not found message.
>
> It's normal. You're using firewall_type and yet you have written a firewall _script_ in /etc/ipfw.rules.
>
> > ** start rc.conf snippet **
> > firewall_enable=YES
> > firewall_script=/etc/rc.firewall
> > firewall_type=/etc/ipfw.rules
> > firewall_quiet=NO
> > firewall_logging=NO
> > firewall_flags=
> > ** end rc.conf snippet **
>
> Your firewall_type points to a pathname, so the file should contain rules in the form:
>
> check-state
> add allow tcp from any to any 80 keep-state
> add block ip from any to any
>
> > ** start ipfw.rules **
> > #!/bin/sh
> > # Flush out the list before we begin.
> > ipfw -q -f flush
> > # Set rules command prefix
> > cmd="ipfw -q add"
> > skip="skipto 801"
> > pif="fxp0"   # found by doing a ifconfig or netstat -nr
> >              # public interface name of NIC
>
> Your ipfw.rules file is written in the form of a firewall_script. The difference between the two is small but important. A firewall_type file contains just a set of rules that ipfw(8) will parse, without intervention by a shell. A firewall_script is executed by the /bin/sh shell, as a normal shell script. One example of what can be used as a firewall_script is /etc/rc.firewall (in pre-5.X versions) or /etc/rc.d/ipfw (in FreeBSD 5.X or later).
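A checker for the two rc.conf mistakes this thread turns up, added here as example code for this page rather than anything from FreeBSD: whitespace around "=" makes /bin/sh run firewall_enable as a command (the source of the "firewall_enable: not found" mail), and a firewall_type that names a shell script leaves the intended rule set unloaded. The function names and the sample rc.conf and ipfw.rules contents are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not FreeBSD's own code: lint the firewall_*
# settings of an rc.conf-style file for the two mistakes discussed above.
#
#  1. Whitespace around '=' (e.g. "firewall_enable =YES"). rc.conf is sourced
#     by /bin/sh, so that line is a command rather than an assignment: sh
#     prints "firewall_enable: not found" and the variable stays unset.
#  2. firewall_type naming a file that starts with "#!". That file is a shell
#     script and belongs in firewall_script; ipfw(8) cannot parse it as rules,
#     so the intended rule set never loads.
#
# check_rc_firewall FILE  prints one line per finding and returns 0 when the
# file is clean, 1 otherwise.
check_rc_firewall() {
    conf=$1
    problems=0
    ftype=""
    while IFS= read -r line; do
        case "$line" in
            firewall_*) ;;               # only the firewall_* settings matter
            *) continue ;;
        esac
        name=${line%%=*}                 # text before the first '='
        value=${line#*=}                 # text after it
        case "$name" in
            *[[:space:]]*)
                echo "space before '=' (sh would run '$name' as a command): $line"
                problems=1
                continue ;;
        esac
        case "$value" in
            [[:space:]]*)
                echo "space after '=' (the value would run as a command): $line"
                problems=1
                continue ;;
        esac
        if [ "$name" = firewall_type ]; then
            value=${value%%#*}           # drop a trailing comment
            value=${value#\"}            # strip the opening quote, if any
            value=${value%%\"*}          # keep only what was inside the quotes
            ftype=${value%%[[:space:]]*} # or, unquoted, up to the first blank
        fi
    done < "$conf"
    if [ -n "$ftype" ] && [ -f "$ftype" ] && head -n 1 "$ftype" | grep -q '^#!'; then
        echo "firewall_type=$ftype starts with #!: it is a script, use firewall_script=$ftype"
        problems=1
    fi
    return $problems
}

# Constructed sample files, written into DIR, mirroring this thread: rc.bad
# has the space before '=' and a shell script in firewall_type; rc.good is the
# corrected version; ipfw.rules stands in for the user's script.
write_samples() {
    dir=$1
    printf '%s\n' '#!/bin/sh' 'ipfw -q -f flush' > "$dir/ipfw.rules"
    printf '%s\n' 'firewall_enable =YES' \
                  'firewall_script=/etc/rc.firewall' \
                  "firewall_type=\"$dir/ipfw.rules\"  # meant as a rule file" \
                  'firewall_logging=YES' > "$dir/rc.bad"
    printf '%s\n' 'firewall_enable="YES"' \
                  "firewall_script=\"$dir/ipfw.rules\"" \
                  'firewall_logging="YES"' > "$dir/rc.good"
}

# Stand-alone run: two findings for rc.bad, none for rc.good.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== rc.bad =="
check_rc_firewall "$demo_dir/rc.bad" || echo "(rc.bad needs fixing)"
echo "== rc.good =="
check_rc_firewall "$demo_dir/rc.good" && echo "(rc.good is clean)"
rm -r "$demo_dir"
```

Running it against a real /etc/rc.conf only needs `check_rc_firewall /etc/rc.conf`; the exit status makes it usable from a periodic job.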
IPFW/Samba does not work with WinXP (but with MacOS 10.3)
FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004

Hello folks:

Trying to set rules to let a local network only connection to a Samba server running on my FreeBSD machine. I'm a FreeBSD newbie. Below is the rules file. The strange thing is this works fine when logging into the Samba server from OS X, but no go with WinXP. I can connect to the Samba server from WinXP if the IPFW is not loaded. Any ideas?

#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
fwdcmd="ipfw -q add"

# loopback
${fwdcmd} 100 pass all from any to any via lo0
${fwdcmd} 200 deny all from any to 127.0.0.0/8
${fwdcmd} 300 deny ip from 127.0.0.0/8 to any

net=192.168.1.0
mask=255.255.255.0

# Allow the packet through if it has previously been added to the
# dynamic rules table by an allow keep-state statement.
${fwdcmd} 350 check-state

# Allow any traffic to or from my own net.
${fwdcmd} 400 pass all from me to ${net}:${mask}
${fwdcmd} 500 pass all from ${net}:${mask} to me

# Allow TCP through if setup succeeded
${fwdcmd} 600 pass tcp from any to any established

# Allow IP fragments to pass through
${fwdcmd} 700 pass all from any to any frag

# Allow setup of incoming email
${fwdcmd} 800 pass tcp from any to me 25 setup

# Allow setup of outgoing TCP connections only
${fwdcmd} 900 pass tcp from me to any setup

# Disallow setup of all other TCP connections
${fwdcmd} 1000 deny tcp from any to any setup

# Allow DNS queries out in the world
${fwdcmd} 1100 pass udp from me to any 53 keep-state

# Allow NTP queries out in the world
${fwdcmd} 1200 pass udp from me to any 123 keep-state

# Allow access to our WWW
${fwdcmd} 1300 pass tcp from any to me 80 setup

# Telnet
${fwdcmd} 1400 allow tcp from any to me 23 setup limit src-addr 2

# Everything else is denied by default
IPFW custom rules file not loading
FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC 2004

I'm a new BSD user installing the OS for the first time. Everything is running well except the firewall. IPFW is not loading the custom rule set I have created at startup/boot (although it does say it has, but when I ipfw list it only gives me the one default rule). I assume it is related to this area that I received on the console:

May 3 14:25:22 babe kernel: firewall_enable: not found
May 3 14:25:22 babe kernel: ipfw2 initialized, divert disabled, rule-based forwarding dis$
May 3 14:25:22 babe kernel: Flushed all rules.
May 3 14:25:22 babe kernel: Line 3:
May 3 14:25:22 babe kernel: bad command `ipfw'
May 3 14:25:22 babe kernel:
May 3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons:
May 3 14:25:22 babe kernel: firewall_enable: not found
May 3 14:25:22 babe kernel: .
May 3 14:25:22 babe kernel: net.inet.ip.fw.enable:
May 3 14:25:22 babe kernel: 1
May 3 14:25:22 babe kernel: -
May 3 14:25:22 babe kernel: 1

I'm referring to the bad command 'ipfw' line. I'm also concerned about the firewall_enable not found message. I have included the relevant rc.conf setting and the custom rules file (based on the ruleset from the handbook). I'm currently setting up a firewall for this machine that is connected to a D-Link router.

My questions are:

Why am I getting the bad command msg?
Do I need to be concerned about the firewall_enabled: not found

Any help would be much appreciated, thank you.

** start rc.conf snippet **
firewall_enable=YES
firewall_script=/etc/rc.firewall
firewall_type=/etc/ipfw.rules
firewall_quiet=NO
firewall_logging=NO
firewall_flags=
** end rc.conf snippet **

** start ipfw.rules **
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 801"
pif="fxp0"   # found by doing a ifconfig or netstat -nr
             # public interface name of NIC
#
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#
# $cmd 005 allow all from any to any via xl0
# don't have a separate interface so won't worry about this
#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0
#
# check if packet is inbound and nat address if it is
#
# $cmd 014 divert natd ip from any to any in via $pif
#
# Allow the packet through if it has previously been added to the
# dynamic rules table by an allow keep-state statement.
#
$cmd 015 check-state
#
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 24.153.22.67 53 out via $pif setup keep-state
$cmd 020 $skip tcp from any to 24.153.22.66 53 out via $pif setup keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
# This is for the internal router
$cmd 030 $skip udp from any to 198.168.1.1 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 040 $skip tcp from any to any 8989 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
# Allow out FreeBSD (make install CVSUP) functions
# Basically give user root GOD privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22