
ipfw is not working


Sam Carleton

Mar 11, 2000
I am working on building a firewall script. First off, I have an
ipchains script that is working fine in Linux; is there some way to
easily convert that over to ipfw? Here is the ipfw script I have so far,
real simple in my opinion:
-----------------------------------------
############
# Setup system for firewall service.

if [ -f /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
elif [ -f /etc/rc.conf ]; then
. /etc/rc.conf
fi

############
# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
fwcmd="/sbin/ipfw -q"
else
fwcmd="/sbin/ipfw"
fi

EXTERNAL_INTERFACE="ep0" # whichever you use
LOOPBACK_INTERFACE="lo0"
LOCAL_INTERFACE_1="ex0" # whichever you use

IPADDR="10.226.46.56/29"
LOCALNET_1="192.168.0.0/24" # whatever private range you use

LOOPBACK="127.0.0.0/8"

############
# Flush out the list before we begin.
$fwcmd -f flush

$fwcmd add 100 pass all from any to any via ${LOOPBACK_INTERFACE}
$fwcmd add 200 deny all from any to ${LOOPBACK}

$fwcmn add deny all from ${LOCALNET_1} to any in via ${EXTERNAL_INTERFACE}
$fwcmn add deny all from ${IPADDR} to any in via ${LOCAL_INTERFACE_1}

$fwcmd add 65000 pass all from any to any
-----------------------------------------
Here is the output:
-----------------------------------------
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
add: not found
add: not found
65000 allow ip from any to any
-----------------------------------------

I cannot figure out what is wrong with the two deny lines that have the
output "add: not found". What am I doing wrong?

Sam Carleton


To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Crist J. Clark

Mar 11, 2000
On Sat, Mar 11, 2000 at 12:02:36AM -0500, Sam Carleton wrote:
> I am working on building a firewall script. First off, I have an
> ipchains script that is working fine in Linux; is there some way to
> easily convert that over to ipfw?

As long as you have not built any custom chains, I think ipchains
rules can be converted to ipfw rules in a one-to-one manner (they are
both stateless packet filters) for a firewall that does not do NAT.
I'm not sure what happens when you start doing NAT (or as Linux calls
it, IP masquerading).

> Here is the ipfw script I have so far,
> real simple in my opinion:
> -----------------------------------------
> ############
> # Setup system for firewall service.
>
> if [ -f /etc/defaults/rc.conf ]; then
> . /etc/defaults/rc.conf
> elif [ -f /etc/rc.conf ]; then
> . /etc/rc.conf
> fi
>
> ############
> # Set quiet mode if requested
> if [ "x$firewall_quiet" = "xYES" ]; then
> fwcmd="/sbin/ipfw -q"
> else
> fwcmd="/sbin/ipfw"
> fi
>
> EXTERNAL_INTERFACE="ep0" # whichever you use
> LOOPBACK_INTERFACE="lo0"
> LOCAL_INTERFACE_1="ex0" # whichever you use

If that makes it more clear to you... but that's a lot of typing. ;)

> IPADDR="10.226.46.56/29"
> LOCALNET_1="192.168.0.0/24" # whatever private range you use
>
> LOOPBACK="127.0.0.0/8"
>
> ############
> # Flush out the list before we begin.
> $fwcmd -f flush
>
> $fwcmd add 100 pass all from any to any via ${LOOPBACK_INTERFACE}
> $fwcmd add 200 deny all from any to ${LOOPBACK}
>
> $fwcmn add deny all from ${LOCALNET_1} to any in via ${EXTERNAL_INTERFACE}
       ^

> $fwcmn add deny all from ${IPADDR} to any in via ${LOCAL_INTERFACE_1}
       ^

>
> $fwcmd add 65000 pass all from any to any
> -----------------------------------------
> Here is the output:
> -----------------------------------------
> Flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> add: not found
> add: not found
> 65000 allow ip from any to any
> -----------------------------------------
>
> I cannot figure out what is wrong with the two deny lines that have the
> output "add: not found". What am I doing wrong?

You misspelled '$fwcmd' as '$fwcmn'. Since the variable does not exist,
it returns a null string and the shell tries to execute the line,

add deny all ...

And like the error message says, there is no 'add' command.
--
Crist J. Clark cjc...@home.com
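An added example (editor's, not code from the thread) that reproduces the failure Crist describes on any POSIX sh. The fragment is the posted one; `fake_ipfw` is an assumed stand-in for /sbin/ipfw so the script runs without FreeBSD. What it shows is the direction of the failure: the misspelled `$fwcmn` expands to nothing, the shell looks for a command called `add`, the deny rule is skipped, and the closing `pass all from any to any` still loads, so the host ends up with no filtering at all rather than with none of the rules. `set -u` makes the same typo a fatal error, which stops the script before the catch-all rule.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: how a variable-name typo in
# an ipfw script fails open, and how 'set -u' turns it into a hard stop.
# fake_ipfw is an assumed stand-in for /sbin/ipfw; it only records the call.

fake_ipfw() {
    echo "ipfw: $*"
}

# The posted fragment as written, under default shell options.
# $fwcmn is never set, so the shell runs 'add 200 deny ...' and fails with
# 'add: not found' (on stderr); the rule is dropped and the script goes on.
load_rules_default() {
    (
        set +e
        fwcmd="fake_ipfw"
        $fwcmd add 100 pass all from any to any via lo0
        $fwcmn add 200 deny all from 192.168.0.0/24 to any in via ep0
        $fwcmd add 65000 pass all from any to any
    ) 2>/dev/null
}

# The same fragment with 'set -u': expanding the unset $fwcmn is a fatal
# error, the subshell exits before the catch-all pass rule is ever added.
load_rules_nounset() {
    (
        set +e
        set -u
        fwcmd="fake_ipfw"
        $fwcmd add 100 pass all from any to any via lo0
        $fwcmn add 200 deny all from 192.168.0.0/24 to any in via ep0
        $fwcmd add 65000 pass all from any to any
    ) 2>/dev/null
}

# Number of rules that actually reached (fake) ipfw in each case.
rules_loaded_default() { load_rules_default | wc -l | tr -d ' '; }
rules_loaded_nounset() { load_rules_nounset | wc -l | tr -d ' '; }

rules_loaded_default   # 2: rules 100 and 65000; the deny in between vanished
rules_loaded_nounset   # 1: stopped at the typo, the open pass-all never loaded
```

Putting `set -u` (and `set -e`) at the top of a firewall script is cheap insurance; the other half is to compare `ipfw list` against the number of rules you expected before letting the box route anything.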

Sam Carleton

Mar 11, 2000

"Crist J. Clark" wrote:

> On Sat, Mar 11, 2000 at 12:02:36AM -0500, Sam Carleton wrote:
> > I am working on building a firewall script. First off, I have an
> > ipchains script that is working fine in Linux; is there some way to
> > easily convert that over to ipfw?
>
> As long as you have not built any custom chains, I think ipchains
> rules can be converted to ipfw rules in a one-to-one manner (they are
> both stateless packet filters) for a firewall that does not do NAT.
> I'm not sure what happens when you start doing NAT (or as Linux calls
> it, IP masquerading).

Wait a second here. My understanding is that NAT and IP Masquerading are
different. From my understanding, with IP Masq there only needs to be one valid
IP address, that on the external card of the firewall. IP Masq gives all
outgoing requests the one external IP address. With NAT, there needs to be one
external IP address for every machine that wants to get to the Internet.
Considering most folks at home only have one external IP address, they would
want to use IP Masq. I have also heard IP Masq called PAT.

Looking at page 506 of the 3rd edition of "The Complete FreeBSD", it looks like
FreeBSD uses the terminology IP aliasing for what Linux folks call IP Masq. Am
I correct?

> > EXTERNAL_INTERFACE="ep0" # whichever you use
> > LOOPBACK_INTERFACE="lo0"
> > LOCAL_INTERFACE_1="ex0" # whichever you use
>
> If that makes it more clear to you... but that's a lot of typing. ;)

I am big on CUT&PASTE:)

> You misspelled '$fwcmd' as '$fwcmn'.

Sometimes I feel like a complete fool:) Thanks!

Giorgos Keramidas

Mar 11, 2000
On Sat, Mar 11, 2000 at 12:02:36AM -0500, Sam Carleton wrote:

> I am working on building a firewall script. First off, I have an
> ipchains script that is working fine in Linux; is there some way to
> easily convert that over to ipfw? Here is the ipfw script I have so
> far, real simple in my opinion:

Try changing 'in via' to 'in recv' in the lines below:

> $fwcmn add deny all from ${LOCALNET_1} to any in via ${EXTERNAL_INTERFACE}
> $fwcmn add deny all from ${IPADDR} to any in via ${LOCAL_INTERFACE_1}

I think it will work then...

--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public PGP key: finger kera...@diogenis.ceid.upatras.gr
PGP fingerprint, phone and address in the headers of this message.

Crist J. Clark

Mar 11, 2000
On Sat, Mar 11, 2000 at 02:32:46PM -0500, Sam Carleton wrote:

>
>
> "Crist J. Clark" wrote:
>
> > On Sat, Mar 11, 2000 at 12:02:36AM -0500, Sam Carleton wrote:
> > > I am working on building a firewall script. First off, I have an
> > > ipchains script that is working fine in Linux; is there some way to
> > > easily convert that over to ipfw?
> >
> > As long as you have not built any custom chains, I think ipchains
> > rules can be converted to ipfw rules in a one-to-one manner (they are
> > both stateless packet filters) for a firewall that does not do NAT.
> > I'm not sure what happens when you start doing NAT (or as Linux calls
> > it, IP masquerading).
>
> Wait a second here. My understanding is that NAT and IP Masquerading are
> different. From my understanding, with IP Masq there only needs to be one valid
> IP address, that on the external card of the firewall. IP Masq gives all
> outgoing requests the one external IP address. With NAT, there needs to be one
> external IP address for every machine that wants to get to the Internet.
> Considering most folks at home only have one external IP address, they would
> want to use IP Masq. I have also heard IP Masq called PAT.
>
> Looking at page 506 of the 3rd edition of "The Complete FreeBSD", it looks like
> FreeBSD uses the terminology IP aliasing for what Linux folks call IP Masq. Am
> I correct?

No. NAT only needs one registered IP address on the external
interface. If it required a one-to-one mapping, it'd be rather
useless. See the natd(8) manpage. Also see RFC 1631 and other RFCs
related to NAT if interested. (BTW, there are no RFCs about "IP
masquerading." No idea if there are differences.)


--
Crist J. Clark cjc...@home.com

Peter Schwenk

Mar 11, 2000
I guess I'll chime in... "IP Masquerading" is a Linux-ism for NAT. If you only used
Linux, you would never know the term NAT.

"Crist J. Clark" wrote:

>
> No. NAT only needs one registered IP address on the external
> interface. If it required a one-to-one mapping, it'd be rather
> useless. See the natd(8) manpage. Also see RFC 1631 and other RFCs
> related to NAT if interested. (BTW, there are no RFCs about "IP
> masquerading." No idea if there are differences.)

--
- Peter Schwenk
- peters...@home.com
-
- Give FreeBSD a try! http://www.freebsd.org

Sam Carleton

Mar 11, 2000
"Crist J. Clark" wrote:

> > Wait a second here. My understanding is that NAT and IP Masquerading are
> > different. From my understanding, with IP Masq there only needs to be one valid
> > IP address, that on the external card of the firewall. IP Masq gives all
> > outgoing requests the one external IP address. With NAT, there needs to be one
> > external IP address for every machine that wants to get to the Internet.
> > Considering most folks at home only have one external IP address, they would
> > want to use IP Masq. I have also heard IP Masq called PAT.
> >
> > Looking at page 506 of the 3rd edition of "The Complete FreeBSD", it looks like
> > FreeBSD uses the terminology IP aliasing for what Linux folks call IP Masq. Am
> > I correct?
>

> No. NAT only needs one registered IP address on the external
> interface. If it required a one-to-one mapping, it'd be rather
> useless. See the natd(8) manpage. Also see RFC 1631 and other RFCs
> related to NAT if interested. (BTW, there are no RFCs about "IP
> masquerading." No idea if there are differences.)

Crist,

A one-to-one mapping is not useless; that is what I want to do at home for part of my
network. I have ADSL; my telephone company allows me to have four machines on the
Internet at once, so I have an IP mask of 255.255.255.248. I want to have three
different physical servers of sorts on the web, along with a few workstations. I
want all the machines to be protected by a firewall. I figured I would set the
servers on 172.16.0.1 and have FreeBSD do a one-to-one NAT from the 172.16.0.x to
the external addresses. I would also have a third NIC in the FreeBSD box on a
192.168.0.x, doing a one-to-many NAT for the workstations.

I have a good grip on the concept of the firewall, but never worked with
one-to-one NAT; can you recommend any good books?

Sam

Crist J. Clark

Mar 11, 2000

You are not doing all one-to-one NAT. Like you say, you also want a
one-to-many function for your workstations. If you were _only_ doing
one-to-one, I would not say it is worth the effort.

Anyway, I think all you need is in the natd(8) manpage and look at the
'-redirect_address' option.


--
Crist J. Clark cjc...@home.com
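An added example (editor's, not from the thread) of the natd(8) setup Crist points at for Sam's layout: the ISP /29 from the posted script, `-redirect_address` (static, one-to-one NAT) for the servers on 172.16.0.0/24, and natd's default aliasing to the interface address (one-to-many, what Linux calls masquerading) for the workstations on 192.168.0.0/24. The gateway address 10.226.46.57 and the three server mappings are made up for the example. The part a practitioner wants and natd does not do for you is the sanity check: natd will happily accept a redirect to the network or broadcast address, to the gateway's own address, or the same public address twice, and the breakage only shows up on the wire.

```shell
#!/bin/sh
# Added example, not from the thread: validate a one-to-one NAT mapping and
# emit natd.conf plus the interface aliases it needs. Runs on any POSIX sh.
# Assumed addresses: the /29 from the posted script, a made-up gateway
# address and made-up server mappings.

EXT_IF="ep0"
EXT_BLOCK="10.226.46.56/29"
EXT_GW="10.226.46.57"    # the gateway's own address; natd's one-to-many alias

# "private public" pairs, one per line (constructed for the example)
ONE_TO_ONE="172.16.0.2 10.226.46.58
172.16.0.3 10.226.46.59
172.16.0.4 10.226.46.60"

# dotted quad -> 32-bit integer, POSIX sh arithmetic only
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# true if address $1 lies inside CIDR block $2
in_cidr() {
    mask=$(( (0xffffffff << (32 - ${2#*/})) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Refuse a mapping that redirects to an address outside the block, to the
# network or broadcast address, to the gateway itself, or that reuses a
# public address. Returns 0 when the mapping is clean.
validate_mapping() {
    netint=$(ip2int "${EXT_BLOCK%/*}")
    bcast=$(( netint | ((1 << (32 - ${EXT_BLOCK#*/})) - 1) ))
    printf '%s\n' "$1" | {
        seen=" "
        while read -r priv pub; do
            [ -n "$priv" ] || continue
            in_cidr "$pub" "$EXT_BLOCK" || { echo "$pub: outside $EXT_BLOCK" >&2; exit 1; }
            p=$(ip2int "$pub")
            [ "$p" -ne "$netint" ] && [ "$p" -ne "$bcast" ] || { echo "$pub: network/broadcast address" >&2; exit 1; }
            [ "$pub" != "$EXT_GW" ] || { echo "$pub: is the gateway address" >&2; exit 1; }
            case "$seen" in *" $pub "*) echo "$pub: mapped twice" >&2; exit 1 ;; esac
            seen="$seen$pub "
        done
        exit 0
    }
}

# Emit /etc/natd.conf. Keys are the natd(8) option names without the dash;
# anything not matched by a redirect_address line is aliased to $EXT_IF's
# own address, which gives the workstations their one-to-many NAT.
gen_natd_conf() {
    validate_mapping "$1" || return 1
    echo "interface $EXT_IF"
    echo "use_sockets yes"
    echo "same_ports yes"
    printf '%s\n' "$1" | while read -r priv pub; do
        [ -n "$priv" ] && echo "redirect_address $priv $pub"
    done
}

# The gateway has to answer ARP for each redirected public address, so each
# one is also configured as an alias on the outside interface.
gen_ifconfig_aliases() {
    printf '%s\n' "$1" | while read -r priv pub; do
        [ -n "$priv" ] && echo "ifconfig $EXT_IF alias $pub netmask 255.255.255.255"
    done
}

gen_natd_conf "$ONE_TO_ONE" && gen_ifconfig_aliases "$ONE_TO_ONE"
```

To wire it in on the FreeBSD side, the kernel needs `options IPDIVERT`, rc.conf gets `gateway_enable="YES"`, `natd_enable="YES"`, `natd_interface="ep0"` and `natd_flags="-f /etc/natd.conf"`, and the ruleset hands traffic on the outside interface to natd before any other rule sees it: `ipfw add 50 divert natd ip from any to any via ep0`. The anti-spoofing deny rules from the posted script still apply afterwards; inbound packets keep their external source address when they come back from natd, so a `deny ip from 172.16.0.0/24 to any in via ep0` rule does not interfere with the redirects.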
