(no subject)

From: Marc Rogers (marcr@shady.org)
Date: 03/25/01


Date: Sun, 25 Mar 2001 11:14:52 +0100
From: Marc Rogers <marcr@shady.org>
To: freebsd-security@FreeBSD.ORG

On Sun, Mar 25, 2001 at 12:34:17PM +0800, Benjamin Hutton wrote:
> I'm attempting to set up a firewall for our network. The machine is
> running 4.2 STABLE. I have the problem that when I enable the firewall
> I can no longer ping the outside world. How do I fix this?

OK, I have two answers for you...

First of all, you have to tell us if you can connect to the outside world
at all. If you can't then I suggest you read

http://coombs.anu.edu.au/~avalon/ if you are using ipfilter
or
http://www.freebsd.org/handbook/firewalls.html if using ipfw

I would also suggest reading Practical UNIX & Internet Security, 2nd Edition by
Spafford and Garfinkel, published by O'Reilly & Associates, as well as Building
Internet Firewalls, 2nd Edition by Zwicky, Chapman and Cooper, also published
by O'Reilly & Associates.

Your firewall has to specifically allow traffic through or everything is denied.
At the very least this means a rule to let everything through so that you can
specifically deny traffic you don't want.

The next answer is if you can pass through your firewall, but you just can't ping
through it, in which case my apologies for stating the obvious above, but you
never can tell, and you weren't that clear.

I suspect (although until you give us a little more detail, this is just
guesswork) that you have probably set up RFC 1918 reserved addresses within
your network, using something like ipfilter's IPNAT. When you do this, normally
you have to specifically enable which traffic you wish to be translated:

in the case of IPNAT, a line such as:
map ed1 192.168.1.0/24 -> 240.1.0.1/32 portmap tcp/udp 10000:20000

is fine to enable translation of tcp and udp traffic, but if you want
icmp traffic, you will need a line like:
map ed1 192.168.1.0/24 -> 240.1.0.1/32

which will enable translation of any protocol that isn't tcp or udp.

>
> ----------------------------------
> Benjamin Hutton
> IT Officer Bunbury Catholic College

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
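To make the point of the reply concrete, here is an added example (editor's code, not ipfilter's or the poster's): a deliberately simplified model of IPNAT "map" rule selection that parses the two lines quoted above and shows why a portmap-only rule leaves ICMP untranslated while the second, protocol-agnostic map line fixes it. The model assumes first-match rule selection and ignores state tracking, rdr rules and other ipnat.conf keywords.

```python
import ipaddress
import re

# Constructed, simplified model of IPNAT "map" rule selection (editor's
# example, not ipfilter code). Only the two forms used in the reply are
# parsed: "map IF SRC -> DST" and "map IF SRC -> DST portmap PROTOS LO:HI".
MAP_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"(?:\s+portmap\s+(?P<protos>[a-z/]+)\s+(?P<lo>\d+):(?P<hi>\d+))?\s*$"
)

def parse_ipnat(text):
    """Parse 'map' lines from an ipnat.conf fragment into rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = MAP_RE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        protos = m["protos"].split("/") if m["protos"] else None
        rules.append({
            "iface": m["iface"],
            "src": ipaddress.ip_network(m["src"]),
            "dst": m["dst"].split("/")[0],
            "protos": protos,   # None means the rule applies to any protocol
            "ports": (int(m["lo"]), int(m["hi"])) if protos else None,
        })
    return rules

def translate(rules, iface, src_ip, proto):
    """Return the address an outbound packet is mapped to, or None when no
    rule matches (the packet leaves with its private source address)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:                      # first matching rule wins (model assumption)
        if r["iface"] != iface or src not in r["src"]:
            continue
        if r["protos"] is not None and proto not in r["protos"]:
            continue                     # portmap rules only cover the listed protocols
        return r["dst"]
    return None

# Constructed sample configs: the poster's likely state (tcp/udp only)
# beside the version with the catch-all line from the reply.
TCP_UDP_ONLY = "map ed1 192.168.1.0/24 -> 240.1.0.1/32 portmap tcp/udp 10000:20000\n"
FIXED = TCP_UDP_ONLY + "map ed1 192.168.1.0/24 -> 240.1.0.1/32\n"
```

With TCP_UDP_ONLY, translate(rules, "ed1", "192.168.1.5", "icmp") returns None, which is exactly the symptom of pings not leaving the network; with FIXED it returns "240.1.0.1".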