Hello, I installed FBSD 4.7 a couple of days ago on an old P100 to replace my Linksys cable router. I've rebuilt the kernel and have done everything else to enable the machine to act as router/firewall. The only problem I am having is setting up the ipfw rules. I've spent the last 2 days trying to set them up and can't get anything to work (unless of course I set the firewall type to open). I'm to the point where I almost have no hair left from pulling it out over the last 48hrs :) In pseudocode, this is what I'd like to do:
allow icmp traffic in and out (certain ones that are necessary for apps that depend on them)
allow email in and out
allow smb in via internal nic
allow limewire/gnutella in and out
allow ssh in via internal nic
allow aim in and out
allow port 80 in via internal and external nic
allow irc in and out
allow ntp in and out
default to deny

With the following rules, I haven't tested whether gnutella or smb works, but ssh works, and aim will not work. I even verified that the aim client is running on the proper port, but it doesn't matter. Also, with ssh: why is it that if the firewall type is open I can connect to the FreeBSD box instantly, but if I specify all the rules, it takes 10+ seconds for me to get a password prompt? Any ideas?

And here is my modified version of the simple fw in /etc/rc.firewall. Can anyone see anything wrong with the following?

# NOTE: the network addresses in several deny rules below did not survive
# the archived copy of this message; the blanks are where they stood.

# external net
oif="ep0"
onet="24.26.107"
omask="0xfffffe00"
oip="me"

#internal net
iif="xl0"
inet=""
imask=""
iip=""

fwcmd="/sbin/ipfw"

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to
${fwcmd} add 300 deny ip from to any

${fwcmd} -f flush

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to via ${oif}
${fwcmd} add deny all from any to via ${oif}
${fwcmd} add deny all from any to via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to via ${oif}
${fwcmd} add deny all from any to via ${oif}
${fwcmd} add deny all from any to via ${oif}
${fwcmd} add deny all from any to via ${oif}
${fwcmd} add deny all from any to via ${oif}

#natd
${fwcmd} add divert natd all from any to any via ${oif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from to any via ${oif}
${fwcmd} add deny all from to any via ${oif}
${fwcmd} add deny all from to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from to any via ${oif}
${fwcmd} add deny all from to any via ${oif}
${fwcmd} add deny all from to any via ${oif}
${fwcmd} add deny all from to any via ${oif}
${fwcmd} add deny all from to any via ${oif}

${fwcmd} add allow icmp from any to any icmptypes 0,3,5,8,11

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

#smb
${fwcmd} add allow tcp from ${inet} to ${iip} 137-139 in via ${iif}

# Limewire/Gnutella
${fwcmd} add allow tcp from any to any 6346 in via ${oif}
${fwcmd} add allow tcp from any 6346 to any out via ${oif}

# ssh
${fwcmd} add allow log all from ${inet} 22 to ${iip} 22 in via ${iif}

# AIM
${fwcmd} add pass tcp from any to ${oip} 5190 in via ${oif}
${fwcmd} add pass tcp from any to any 5190 out via ${oif}

# Allow access to our DNS
# DO I NEED THIS IF IM NOT RUNNING A DNS SERVER?
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Allow access to IDENT/IRC
${fwcmd} add allow tcp from any to ${oip} 194
${fwcmd} add allow udp from any to ${oip} 194
${fwcmd} add allow tcp from any to ${oip} 113
${fwcmd} add allow udp from any to ${oip} 113

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

${fwcmd} add allow tcp from me to any setup keep-state
${fwcmd} add allow udp from me to any keep-state
${fwcmd} add allow ip from ${inet} to any out via ${oif}

-- 
Thanks,
Aaron W.
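Added example, not part of Aaron's post or of FreeBSD's rc.firewall: a small POSIX shell lint that reads an ipfw rule script as plain text and flags two things that are visible in the script above before anything is loaded into the kernel. First, `add` rules that come before `${fwcmd} -f flush` are discarded by the flush (rules 100 to 300 above are added and then flushed). Second, rules that expand a shell variable that is empty or never assigned (inet, imask and iip are all empty above) turn into malformed ipfw arguments such as `from :0xfffffe00`. The function names (`rules_before_flush`, `empty_var_rules`, `lint_report`) and the constructed `SAMPLE_SCRIPT` are my own; the sample only copies the shape and variable names of the posted script and carries no real addresses.

```shell
#!/bin/sh
# Added example (not from the original post): a static lint for an ipfw
# rule script. It never runs ipfw; it only reads the script text.
#
# Check 1: "${fwcmd} add" lines issued before "ipfw -f flush" are wiped
#          by the flush and never take effect.
# Check 2: rule lines that reference a shell variable which is empty or
#          unset expand to a broken rule (e.g. "from :0xfffffe00 to any").

# Constructed sample in the same shape as the posted script. Variable
# names and empty values mirror the post; iip is deliberately never set.
SAMPLE_SCRIPT='
fwcmd="/sbin/ipfw"
oif="ep0"
iif="xl0"
inet=""
imask=""
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} -f flush
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add pass tcp from any to any established
${fwcmd} add allow tcp from ${inet} to ${iip} 137-139 in via ${iif}
'

# Number of "${fwcmd} add" lines that precede the first "-f flush" line.
rules_before_flush() {
    printf '%s\n' "$1" | awk '
        /-f flush/ { flushed = 1; next }
        /[$][{]fwcmd[}] add/ && !flushed { n++ }
        END { print n + 0 }'
}

# Number of rule lines that reference at least one variable whose value is
# empty or that was never assigned in the script (fwcmd itself is ignored).
empty_var_rules() {
    printf '%s\n' "$1" | awk '
        # Record simple name="value" assignments as they appear.
        /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"$/ {
            eq = index($0, "=")
            name = substr($0, 1, eq - 1)
            val[name] = substr($0, eq + 2, length($0) - eq - 2)
            next
        }
        # Scan each rule line for ${name} references.
        /[$][{]fwcmd[}] add/ {
            line = $0
            while (match(line, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
                name = substr(line, RSTART + 2, RLENGTH - 3)
                line = substr(line, RSTART + RLENGTH)
                if (name != "fwcmd" && val[name] == "") { n++; break }
            }
        }
        END { print n + 0 }'
}

# Prints a summary and returns non-zero when anything was flagged, so the
# lint can gate a deployment step (e.g. "lint_report ... && sh rc.firewall").
lint_report() {
    lost=$(rules_before_flush "$1")
    empty=$(empty_var_rules "$1")
    echo "rules discarded by a later flush:        $lost"
    echo "rules expanding an empty/unset variable: $empty"
    [ "$lost" -eq 0 ] && [ "$empty" -eq 0 ]
}

if lint_report "$SAMPLE_SCRIPT"; then
    echo "script looks loadable"
else
    echo "fix the script before loading it"
fi
```

Run it against a real rc.firewall with `lint_report "$(cat /etc/rc.firewall)"`; the two counts should both be 0 before the script is loaded. The lint is deliberately narrow: it only recognises `name="value"` assignments and `${name}` references, which is all the posted script uses.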