LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > *BSD
User Name
Password
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.

Notices

Reply
 
Search this Thread
Old 10-15-2003, 09:07 AM   #1
Reme
LQ Newbie
 
Registered: Sep 2003
Posts: 9

Rep: Reputation: 0
simple ipfw default rc.firewall


Running a default rc.firewall config. When i use an open type firewall everything works. However, when i use a simple type firewall i get an error like this when running the ping command.

ping: sendto: Permission denied

Since i cannot get a connection to my isp dns servers, none of the clients can pull up webpages. I have read that many people had this problem, but no answers were posted for replies. Could someone help me solve this very simple problem with ipfw's?

Thanks in advance.
 
Old 10-15-2003, 12:34 PM   #2
bbeers
Member
 
Registered: Jul 2002
Location: Florida
Distribution: Centos, Slackware
Posts: 260

Rep: Reputation: 30
No help unless you can post your "default rc.firewall" and "simple type firewall"
so we can tell what you are doing.

What distribution are you using?
 
Old 10-15-2003, 01:14 PM   #3
whistles
Member
 
Registered: Aug 2003
Distribution: bsd
Posts: 41

Rep: Reputation: 15
why don't you set your own rules? Instead of "open"(no firewall) or "client"... put the path to your rules and write a ruleset. It is very simple and will be suited to exactly what you need. there is a 3 or 4 part article that is very easy to understand and starts here--> http://www.onlamp.com/pub/a/bsd/2001...SD_Basics.html (onlamp has quite a few good articles ,although some are a little dated)
 
Old 10-15-2003, 10:02 PM   #4
Reme
LQ Newbie
 
Registered: Sep 2003
Posts: 9

Original Poster
Rep: Reputation: 0
FreeBSD 5.0-RELEASE (MY2KERNEL) #0: Wed Oct 8 10:16:31 KST 2003

firewall_type="simple" # in rc.conf

Here is rc.firewall the tabs are a little screwed, sorry....



setup_loopback () {
############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

if [ -n "${1}" ]; then
firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
fwcmd="/sbin/ipfw -q"
;;
*)
fwcmd="/sbin/ipfw"
;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush


############
# This is a prototype setup for a simple firewall. Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.
############

# setting this to use DHCP to connect to the internet
oif="fxp0"
lease="/var/db/dhclient.leases"
oip=`grep fixed-address ${lease}|cut -d\; -f1|awk '{print $2}'|tail -1`
omask=`grep subnet-mask ${lease}|cut -d\; -f1|awk '{print $3}'|tail -1`
shortonet=`echo "$oip"|cut -d. -f1,2,3`
onet="$shortonet.0"
echo "DHCP onet = $onet"
echo "DHCP omask = $omask"
echo "DHCP oip = $oip"
sleep 4


# set these to your inside interface network and netmask and ip
iif="rl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

setup_loopback

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_
fi
;;
esac

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state

# Allow NTP queries out in the world
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;
 
Old 10-15-2003, 10:04 PM   #5
Reme
LQ Newbie
 
Registered: Sep 2003
Posts: 9

Original Poster
Rep: Reputation: 0
Sorry but that is the section that is being loaded at start up, i also suck up the variables in rc.conf.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
sendmail on solaris with no hostname & ipfw (or other firewall) tutorials Maidros Solaris / OpenSolaris 1 07-10-2005 02:34 PM
simple firewall jeempc *BSD 16 10-10-2004 11:17 PM
someone help with ipfw for freebsd (should be simple) servnov *BSD 3 10-06-2004 12:49 AM
IPFW gateway firewall Reme *BSD 1 10-30-2003 09:29 PM
IPFW Firewall pppd based ROTWEiLER *BSD 2 07-01-2003 03:44 AM


All times are GMT -5. The time now is 10:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration