OSEC

From: Dru (genisisistar.ca)
Date: Tue Jul 10 2001 - 06:15:34 CDT

    Hi Francisco,

    I don't see any rules to allow UDP. There's a step-by-step article on
    what's required here:

    http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html?page=2

    Cheers,

    Dru

    On Tue, 10 Jul 2001, Francisco Reyes wrote:

    > setup:
    > client --> fxp0 (internal NIC FBSD) --> ed0 (external NIC)
    >
    > I am trying to find why an internal machine/client can't ping or do
    > nslookups on my home network.
    >
    > I used sample rules I found on the archives to let icmp/dns through, but
    > they failed to let the client ping or do dns lookups.
    >
    > I added the "log" option to all my deny statements, yet I don't see any
    > entries in /var/log/security after I try to ping an external machine from
    > the internal client and it fails.
    >
    > ipfw list|grep deny
    > 00200 deny log logamount 50 ip from any to 127.0.0.0/8
    > 00300 deny log logamount 50 ip from 127.0.0.0/8 to any
    > 02100 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
    > 02200 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
    > 02300 deny log logamount 50 ip from any to 10.0.0.0/8 via ed0
    > 02400 deny log logamount 50 ip from any to 172.16.0.0/12 via ed0
    > 02500 deny log logamount 50 ip from any to 0.0.0.0/8 via ed0
    > 02600 deny log logamount 50 ip from any to 169.254.0.0/16 via ed0
    > 02700 deny log logamount 50 ip from any to 192.0.2.0/24 via ed0
    > 02800 deny log logamount 50 ip from any to 224.0.0.0/4 via ed0
    > 02900 deny log logamount 50 ip from any to 240.0.0.0/4 via ed0
    > 03100 deny log logamount 50 ip from 10.0.0.0/8 to any via ed0
    > 03200 deny log logamount 50 ip from 172.16.0.0/12 to any via ed0
    > 03300 deny log logamount 50 ip from 0.0.0.0/8 to any via ed0
    > 03400 deny log logamount 50 ip from 169.254.0.0/16 to any via ed0
    > 03500 deny log logamount 50 ip from 192.0.2.0/24 to any via ed0
    > 03600 deny log logamount 50 ip from 224.0.0.0/4 to any via ed0
    > 03700 deny log logamount 50 ip from 240.0.0.0/4 to any via ed0
    > 05000 deny log logamount 50 tcp from any to any in recv ed0 setup
    > 05400 deny log logamount 50 ip from any to any
    > 65535 deny ip from any to any
    >
    > Any ideas why failed connections are not logged even though all deny
    > clauses have the log option?
    >
    > Since I couldn't get the "log" parameter to help I then tried to add
    > rules to let everything through:
    > 00100 allow ip from any to any via lo0
    > 00150 allow icmp from any to any
    > 00160 allow ip from any to any
    >
    > That still didn't help.
    >
    > If I set the firewall to open in rc.conf then the client machine can ping
    > and do dns lookups.
    >
    > Any thoughts?
    >
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message
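Added example, not part of the thread and not FreeBSD's ipfw code: a small Python model of ipfw's first-match evaluation, run over a subset of the deny rules Francisco posted plus a constructed set of allow rules for DNS (UDP 53) and ICMP. The allow rules, the 192.168.10.5 client, the 198.51.100.x outside addresses and the port numbers are assumptions (not taken from the linked article), and NAT is not modelled. It shows three things the thread turns on: a UDP/53 query with no allow rule ahead of 05400 dies on 05400; "log" on a rule produces nothing while the sysctl net.inet.ip.fw.verbose is zero (on 4.x the kernel also needs options IPFIREWALL_VERBOSE); and "logamount 50" silences a rule after 50 logged packets until ipfw resetlog clears the counters.

```python
"""Toy first-match simulator for the ipfw(8) syntax used in the post. Constructed
for this thread (not the poster's code, not FreeBSD's ipfw): it models the keywords
the posted rules use plus udp and ports, first-match evaluation, and per-rule
'logamount' limits, which the kernel honours only while net.inet.ip.fw.verbose != 0."""
import ipaddress
from collections import namedtuple

# xmit_if is set only on the outbound pass; syn_only is what ipfw calls 'setup'.
Packet = namedtuple('Packet', 'proto src dst direction recv_if xmit_if sport dport syn_only',
                    defaults=(None, None, None, False))

def parse_rule(line):
    """Parse one 'ipfw list' line into a dict (only the grammar subset used here)."""
    t, o, i = line.split(), {'logged': 0}, 2
    if t[i] == 'log':                                  # 'log [logamount N]'
        o['log'], i = True, i + 1
        if t[i] == 'logamount':
            o['logamount'], i = int(t[i + 1]), i + 2
    o['proto'], o['src'], i = t[i], t[i + 2], i + 3   # '<proto> from <src>'
    if t[i] != 'to':                                   # optional source port
        o['sport'], i = int(t[i]), i + 1
    o['dst'], i = t[i + 1], i + 2                      # 'to <dst>'
    if i < len(t) and t[i].isdigit():                  # optional destination port
        o['dport'], i = int(t[i]), i + 1
    while i < len(t):                                  # in/out, via|recv|xmit IF, setup
        if t[i] in ('via', 'recv', 'xmit'):
            o['iface'], i = (t[i], t[i + 1]), i + 1
        else:
            assert t[i] in ('in', 'out', 'setup'), 'unsupported keyword ' + t[i]
            o[t[i]] = True
        i += 1
    return dict(o, num=int(t[0]), action=t[1])

def _in(spec, ip):
    return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, p):
    kind, name = r.get('iface', (None, None))
    seen = {'via': (p.recv_if, p.xmit_if), 'recv': (p.recv_if,), 'xmit': (p.xmit_if,)}
    return (r['proto'] in ('ip', p.proto) and _in(r['src'], p.src) and _in(r['dst'], p.dst)
            and r.get('sport', p.sport) == p.sport and r.get('dport', p.dport) == p.dport
            and not (r.get('in') and p.direction != 'in')
            and not (r.get('out') and p.direction != 'out')
            and (kind is None or name in seen[kind])
            and not (r.get('setup') and not (p.proto == 'tcp' and p.syn_only)))

def evaluate(rules, p, verbose=True):
    """First matching rule wins. Returns (rule number, action, was_logged)."""
    for r in rules:
        if matches(r, p):
            logged = bool(r.get('log') and verbose
                          and r['logged'] < r.get('logamount', float('inf')))
            r['logged'] += int(logged)
            return r['num'], r['action'], logged
    raise RuntimeError('fell off the ruleset; ipfw always ends in rule 65535')

def forward(rules, proto, src, dst, sport=None, dport=None, verbose=True):
    """A LAN packet crosses the box twice (in on fxp0, out on ed0); verdict per pass."""
    verdicts = []
    for p in (Packet(proto, src, dst, 'in', 'fxp0', None, sport, dport),
              Packet(proto, src, dst, 'out', 'fxp0', 'ed0', sport, dport)):
        verdicts.append(evaluate(rules, p, verbose))
        if verdicts[-1][1] != 'allow':
            break
    return verdicts

# Representative subset of the post's 'ipfw list | grep deny' output.
POSTED_DENY = """\
00200 deny log logamount 50 ip from any to 127.0.0.0/8
02100 deny log logamount 50 ip from 192.168.10.0/24 to any in recv ed0
02200 deny log logamount 50 ip from 66.114.65.0/24 to any in recv fxp0
05000 deny log logamount 50 tcp from any to any in recv ed0 setup
05400 deny log logamount 50 ip from any to any
65535 deny ip from any to any"""

# Constructed fix (an assumption, not from the post): trust the inside NIC,
# and on ed0 admit only DNS (UDP 53) and ICMP ahead of the catch-all 05400.
ADDED_ALLOW = """\
00500 allow ip from 192.168.10.0/24 to any in recv fxp0
00600 allow ip from any to 192.168.10.0/24 out xmit fxp0
01000 allow icmp from 192.168.10.0/24 to any out xmit ed0
01100 allow icmp from any to 192.168.10.0/24 in recv ed0
01200 allow udp from 192.168.10.0/24 to any 53 out xmit ed0
01300 allow udp from any 53 to 192.168.10.0/24 in recv ed0"""

def load(*texts):                # ipfw keeps rules in number order however they were added
    return sorted((parse_rule(l) for x in texts for l in x.splitlines()), key=lambda r: r['num'])

def demo():
    out, q = {}, ('udp', '192.168.10.5', '198.51.100.53')   # a DNS query; constructed addresses
    # 1. Posted rules: 05400 denies the query; with the verbose sysctl off nothing is logged.
    out['posted'] = forward(load(POSTED_DENY), *q, sport=1025, dport=53, verbose=False)
    # 2. With the allow rules added, both passes through the box are accepted.
    out['fixed'] = forward(load(POSTED_DENY, ADDED_ALLOW), *q, sport=1025, dport=53)
    # 3. logamount 50: after 50 logged hits a rule goes quiet until 'ipfw resetlog'.
    rules, pkt = load(POSTED_DENY), Packet(*q, 'in', 'fxp0', None, 1025, 53)
    out['logged_of_51'] = [evaluate(rules, pkt)[2] for _ in range(51)].count(True)
    return out

if __name__ == '__main__':
    print(demo())
```

On the real box the equivalent checks are sysctl net.inet.ip.fw.verbose (and verbose_limit), ipfw -a list to see whether the deny rules' packet counters are climbing even though nothing reaches /var/log/security, and ipfw resetlog once a rule has hit its logamount.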