setting up ipfw

Kevin Kinsey, DaleCo, S.P. kdk at daleco.biz
Tue Jul 1 18:29:59 PDT 2003


From: "Jamie" <jamie at gnulife.org>
To: <freebsd-questions at freebsd.org>
Sent: Tuesday, July 01, 2003 8:01 PM
Subject: setting up ipfw


>    I am having a very difficult time setting up ipfw on a 4.8
> installation. Was wondering if anyone might be able to shed some
> light on this.
>
>    I followed the directions in the handbook, and I compiled a new
> kernel with these options, (I am going for a deny all by default,
> open services as necessary philosophy):
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
>
>    Upon rebooting, I was unable to access the machine from
> anywhere, which is fine, because I have console access.
>
>    Output of ifconfig -a looks like this:
>
>  ifconfig -a
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 200.88.54.93 netmask 0xffffff00 broadcast 200.88.54.255
>         inet6 fe80::203:47ff:fe77:8169%fxp0 prefixlen 64 scopeid 0x1
>         ether 00:03:47:77:81:69
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
>
>    The name of the machine is power.bar.com.
>
>    I want to ssh in from another machine: foo.bar.com with IP
> address 200.88.34.12.
>
>    This is the rule I am adding:
>
> ipfw add allow tcp from 200.88.34.12 to power.bar.com 22
>
>    It tells me it can't resolve power.bar.com!
>
> So, I try:
>
> ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22
>
>    It accepts the rule, but I still cannot connect from
> foo.bar.com.
>
>    Anyone have any ideas?

Are you allowing ip OUT from 200.88.54.93?

Please post output of "ipfw show" (not that it's
not implicit, I guess...) and describe your network
topography.

FWIW, here's my top few rules:

00010 allow ip from my.ip.ad.dres to any out
00020 deny log logamount 20 ip from any to any out
00030 allow tcp from any to any established
00040 allow ip from any to any frag
00050 allow tcp from any to my.ip.ad.res setup

Kevin Kinsey
DaleCo, S.P.
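The reply above asks the right question: with IPFIREWALL compiled in and no IPFIREWALL_DEFAULT_TO_ACCEPT, the kernel's last rule (65535) denies everything, and the poster's single rule only covers packets arriving at port 22. The SYN-ACK that sshd sends back is an outbound packet from 200.88.54.93 and matches nothing, so the handshake never completes. The following is an added illustration, not code from the mailing list or from FreeBSD: a small model of ipfw's first-match evaluation (with the `setup`, `established` and `frag` options as ipfw(8) defines them) that replays a constructed SSH handshake from foo.bar.com (200.88.34.12) to power.bar.com (200.88.54.93) against (a) the poster's rule and (b) Kevin's rule set, with his `setup` rule narrowed to the poster's admin host and port 22. The rule numbers 100 and 50, and the ephemeral port 51234, are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

LOCAL = "200.88.54.93"   # power.bar.com, the host running ipfw (from the post)
ADMIN = "200.88.34.12"   # foo.bar.com, the host to ssh in from (from the post)


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int
    direction: str              # "in" or "out", as seen by the ipfw host
    flags: FrozenSet[str] = frozenset()   # TCP flags set on the packet
    frag: bool = False          # non-first IP fragment


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # "any" or a single address (no masks modelled)
    dst: str
    dport: Optional[int] = None
    direction: Optional[str] = None   # None matches both directions
    option: Optional[str] = None      # "setup", "established" or "frag"

    def to_ipfw(self) -> str:
        """Render the rule as the `ipfw add` command you would type."""
        words = ["ipfw", "add", str(self.number), self.action, self.proto,
                 "from", self.src, "to", self.dst]
        if self.dport is not None:
            words.append(str(self.dport))
        words += [w for w in (self.direction, self.option) if w]
        return " ".join(words)


# Kernel built with IPFIREWALL but not IPFIREWALL_DEFAULT_TO_ACCEPT.
DEFAULT_DENY = Rule(65535, "deny", "ip", "any", "any")


def matches(rule: Rule, pkt: Packet) -> bool:
    """ipfw(8) matching: setup = SYN without ACK, established = ACK or RST set."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.option == "setup":
        return pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags
    if rule.option == "established":
        return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
    if rule.option == "frag":
        return pkt.frag
    return True


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule wins; rule 65535 catches whatever falls through."""
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_DENY]:
        if matches(rule, pkt):
            return rule.number, rule.action
    raise AssertionError("unreachable: the default rule matches everything")


# Constructed SSH handshake seen from power.bar.com; 51234 stands in for
# foo.bar.com's ephemeral source port (an assumption for the example).
SSH_HANDSHAKE = [
    Packet("tcp", ADMIN, LOCAL, 22, "in", frozenset({"SYN"})),
    Packet("tcp", LOCAL, ADMIN, 51234, "out", frozenset({"SYN", "ACK"})),
    Packet("tcp", ADMIN, LOCAL, 22, "in", frozenset({"ACK"})),
]

# (a) The single rule from the post: nothing lets the SYN-ACK leave.
POSTER_RULES = [Rule(100, "allow", "tcp", ADMIN, LOCAL, 22)]

# (b) Kevin's rules, with his "setup" rule narrowed to the admin host and port 22.
KEVIN_RULES = [
    Rule(10, "allow", "ip", LOCAL, "any", direction="out"),
    Rule(20, "deny", "ip", "any", "any", direction="out"),
    Rule(30, "allow", "tcp", "any", "any", option="established"),
    Rule(40, "allow", "ip", "any", "any", option="frag"),
    Rule(50, "allow", "tcp", ADMIN, LOCAL, 22, option="setup"),
]


def handshake_verdicts(rules: List[Rule]) -> List[Tuple[int, str]]:
    return [verdict(rules, pkt) for pkt in SSH_HANDSHAKE]


def handshake_completes(rules: List[Rule]) -> bool:
    return all(action == "allow" for _, action in handshake_verdicts(rules))


if __name__ == "__main__":
    for name, rules in (("poster", POSTER_RULES), ("kevin", KEVIN_RULES)):
        print(f"--- {name}: completes={handshake_completes(rules)} ---")
        for rule in rules:
            print(rule.to_ipfw())
        for pkt, (num, act) in zip(SSH_HANDSHAKE, handshake_verdicts(rules)):
            print(f"  {pkt.direction:>3} {pkt.src} -> {pkt.dst}:{pkt.dport} "
                  f"{sorted(pkt.flags)} => rule {num} {act}")
```

Running it shows the poster's rule letting the inbound SYN through (rule 100) and then rule 65535 dropping the outbound SYN-ACK, while with Kevin's set the SYN hits rule 50, the SYN-ACK rule 10 and the final ACK rule 30; a SYN from any other host still falls through to 65535. The model deliberately leaves out source ports, netmasks, the `via` interface match and stateful `keep-state`/`check-state` rules, and it treats the only address of interest on lo0 as unreachable: in a real ruleset, rule 20 as written also denies loopback packets with source 127.0.0.1 leaving via lo0, so the usual practice is to put `allow ip from any to any via lo0` ahead of it. In either case, `ipfw show` after loading the rules is the check, since it prints per-rule hit counters and makes it obvious which rule (including 65535) is eating the reply traffic.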



