----- Original Message -----
From: "Alex de Kruijff" <[EMAIL PROTECTED]>
To: "Chip" <[EMAIL PROTECTED]>
Cc: "FreeBSD Questions List" <[EMAIL PROTECTED]>
Sent: Friday, November 21, 2003 1:24 PM
Subject: Re: firewall rules do not get read
> On Thu, Nov 20, 2003 at 04:19:09PM -0800, Chip wrote:
> >
> > Alex de Kruijff wrote:
> >
> > > On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
> > >
> > > > I noticed my firewall rules are not being read. I have rc.conf set to
> > > > read the file rc.firewall. In rc.firewall the first line is add divert
> > > > natd etc etc. That is followed by pass all from any to any etc etc. Then
> > > > nothing after that is read, it is all ignored.
> > > > If I comment out the line pass all from any to any then nothing works to
> > > > access the internet.
> > > > I don't know what to do to make it read past those first two lines.
> > > > Any suggestions?
> > >
> > > Can you give me the output of 'ipfw s'? If that one doesn't work then
> > > try 'ipfw l'.
> >
> > No problem, below are the results of the two commands. Question - do I
> > have to use rc.firewall?
>
> No, you can create your own configuration file for ipfw. You need these
> two lines in rc.conf:
>
> firewall_enable="YES"
> firewall_type="/etc/firewall.conf"
>
> The configuration file looks something like:
> add divert natd ip from any to any via xl1
> add allow ip from any to any
>
> > Or is it just a generic ruleset that can be
> > replaced by a custom ruleset, as I have done (called firewall.rules
> > pasted in below)?
>
> It's possible to place your own ruleset in the default script, but I would
> advise *not* to do this, because when you update, this file can be
> overridden in the process.

It is also possible to simply create an ipfw.sh script in /usr/local/etc/rc.d and add all of your rules to that script.

ipfw.sh

    ipfw -f flush
    #NATD Rules here
    ipfw add 3 divert natd all from any to any via xl1
    etc..

I've used both rc.conf and this method, but I prefer to number my rule sets so that I can easily tell which one is causing an issue should I inadvertently block traffic that needs to get through. To my knowledge, either method works well, it's just that what I do is generally not mentioned.
:)

--
Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600
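As an added illustration (not code from the thread or from anyone in it), here is an ipfw.sh in the rc.d style described above, with explicitly numbered rules, plus a small check for the symptom Chip hit: an unconditional "allow ip from any to any" shadows every rule after it. Only the interface name xl1 comes from the thread; the rule set, the rule numbers, xl0 as the inside interface and the shadowed_by helper are assumptions.

```shell
#!/bin/sh
# Constructed ipfw.sh for /usr/local/etc/rc.d (not from the thread): flush,
# then explicitly numbered rules so `ipfw show` names the rule that matched
# or dropped a packet. xl1 is from the thread; the rest is assumed.

EXT_IF="${EXT_IF:-xl1}"   # external (NAT) interface, as in the thread
INT_IF="${INT_IF:-xl0}"   # internal LAN interface (assumed)
IPFW="${IPFW:-/sbin/ipfw}"

# Rule set, one "add" line per rule, in the file format ipfw(8) loads.
ipfw_rules() {
    cat <<EOF
add 100 divert natd ip from any to any via $EXT_IF
add 200 allow ip from any to any via lo0
add 210 allow ip from any to any via $INT_IF
add 300 deny ip from any to 127.0.0.0/8
add 400 allow tcp from any to any out via $EXT_IF
add 410 allow tcp from any to any in via $EXT_IF established
add 500 allow udp from any 53 to any in via $EXT_IF
add 510 allow udp from any to any out via $EXT_IF
add 600 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Print the number of the first unconditional "allow ip from any to any"
# (the "pass all" line from the thread) that still has rules after it, or
# "none". Every rule behind such a line is dead, which is why nothing past
# it was being read.  Usage: shadowed_by <function-that-prints-rules>
shadowed_by() {
    "$@" | awk '
        /^add [0-9]+ (allow|accept|pass|permit) (ip|all) from any to any$/ && !hit { hit = $2 }
        hit && $2 != hit { after = 1 }
        END { if (hit && after) print hit; else print "none" }'
}

# Flush the running set and load the new one in a single ipfw invocation.
apply_rules() {
    tmp=$(mktemp) || return 1
    ipfw_rules > "$tmp"
    "$IPFW" -q -f flush && "$IPFW" -q "$tmp"
    rc=$?
    rm -f "$tmp"; return $rc
}

case "${1:-}" in
    start) apply_rules ;;
    check) shadowed_by ipfw_rules ;;
esac
```

Running `sh ipfw.sh check` before `sh ipfw.sh start` reports the rule number that would make the rest of the set unreachable, or "none".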