I can successfully ping google with the vpn on, but I can also ping google with the vpn off. I have set everything up as described but this is a BIG problem for me.
Here are my firewall rules.
Code:
root@transmission_1:~ # ipfw list
00100 allow IP from any to any via lo0
00200 deny IP from any to 127.0.0.0/8
00300 deny IP from 127.0.0.0/8 to any
00400 deny IP from any to ::1
00500 deny IP from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01006 allow IP from 10.69.0.0/16 to 10.69.0.0/16 keep-state
02000 allow IP from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02002 allow IP from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02004 allow IP from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02006 allow IP from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
04000 allow IP from 127.0.0.1 to any
05000 allow IP from 10.0.0.0/8 to any
05003 allow IP from any to 10.0.0.0/8
65534 deny IP from any to any
65535 allow IP from any to any
Why does the firewall have rules that I did not specify? I think the last line is causing the traffic to get through. How do I get rid of this line?
Here is a cat from the file /media/ipfw_rules
Code:
root@transmission_1:~ # cat /media/ipfw_rules
add 01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
add 01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
add 01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01006 allow IP from 10.69.0.0/16 to 10.69.0.0/16 keep-state
add 02000 allow IP from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02002 allow IP from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow IP from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02006 allow IP from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 04000 allow IP from 127.0.0.1 to any
add 05000 allow IP from 10.0.0.0/8 to any
add 05003 allow IP from any to 10.0.0.0/8
add 65534 deny IP from any to any
If anyone has any suggestions I would appreciate it.
EDIT: After doing some research, if the kernel is compiled with IPFIREWALL_DEFAULT_TO_ACCEPT, then the last rule is created. Is this what FreeNAS does by default in their kernel config? If so, how do I change it?
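As an added example (not code from the original post or from FreeNAS), the following Python script parses the `ipfw list` output shown above and walks it the way ipfw does: in ascending rule number, with the first matching rule deciding the packet's fate. It also reports the action of rule 65535, the kernel's fixed default rule that the edit asks about. All probe values are constructed: the jail address 10.69.0.5, the jail-side interface name epair0b, the public host 198.51.100.1, and the four endpoints 203.0.113.10 to 203.0.113.13 that stand in for the redacted xxx.xxx.xxx.xxx addresses. Only the syntax that appears in the dump is modelled (`allow`/`deny`, `log`, `ip`/`udp`/`ipv6-icmp`, `from`/`to`, `dst-port`, `via`); `icmp6types` qualifiers are ignored, which is safe here because the probes are IPv4.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the `ipfw list` dump from the post, with the redacted
# VPN endpoints replaced by TEST-NET-3 documentation addresses (an assumption).
SAMPLE_RULESET = """\
00100 allow IP from any to any via lo0
00200 deny IP from any to 127.0.0.0/8
00300 deny IP from 127.0.0.0/8 to any
00400 deny IP from any to ::1
00500 deny IP from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01006 allow IP from 10.69.0.0/16 to 10.69.0.0/16 keep-state
02000 allow IP from 10.69.0.0/16 to 203.0.113.10 keep-state
02002 allow IP from 10.69.0.0/16 to 203.0.113.11 keep-state
02004 allow IP from 10.69.0.0/16 to 203.0.113.12 keep-state
02006 allow IP from 10.69.0.0/16 to 203.0.113.13 keep-state
04000 allow IP from 127.0.0.1 to any
05000 allow IP from 10.0.0.0/8 to any
05003 allow IP from any to 10.0.0.0/8
65534 deny IP from any to any
65535 allow IP from any to any
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?:log\s+)?(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)


@dataclass
class Rule:
    num: int
    action: str
    proto: str                 # "ip" matches every protocol
    src: str
    dst: str
    dst_port: Optional[int]
    via: Optional[str]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "icmp", "udp", "tcp", "ipv6-icmp"
    dst_port: Optional[int] = None
    iface: str = "epair0b"     # assumed jail-side interface name


def parse_ruleset(dump: str) -> List[Rule]:
    """Turn `ipfw list` text into Rule objects; lines this toy parser cannot read are skipped."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        port = re.search(r"\bdst-port\s+(\d+)", rest)
        via = re.search(r"\bvia\s+(\S+)", rest)
        rules.append(Rule(int(m.group("num")), m.group("action"),
                          m.group("proto").lower(), m.group("src"), m.group("dst"),
                          int(port.group(1)) if port else None,
                          via.group(1) if via else None))
    return rules


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec, strict=False)
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net   # v4 never matches a v6 spec


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """ipfw semantics: ascending rule number, first match wins (sorted() is stable,
    so the two rules both numbered 01000 keep their listed order)."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule_matches(rule, pkt):
            return rule
    return None


def default_policy(rules: List[Rule]) -> Optional[str]:
    """Action of the kernel's fixed rule 65535: 'allow' means default-to-accept."""
    return next((r.action for r in rules if r.num == 65535), None)


def leak_report(dump: str, jail_ip: str = "10.69.0.5",
                public_ip: str = "198.51.100.1") -> Dict[str, Tuple[Optional[int], Optional[str]]]:
    """Which rule first matches a few constructed probes, and what it does with them."""
    rules = parse_ruleset(dump)
    probes = {
        "ping public host": Packet(jail_ip, public_ip, "icmp"),
        "ping vpn endpoint": Packet(jail_ip, "203.0.113.10", "icmp"),
        "dns to local resolver": Packet(jail_ip, "10.69.0.3", "udp", 53),
        "ping from non-10/8 host": Packet("192.0.2.5", public_ip, "icmp"),
    }
    report = {}
    for name, pkt in probes.items():
        hit = first_match(rules, pkt)
        report[name] = (hit.num, hit.action) if hit else (None, None)
    return report


if __name__ == "__main__":
    for name, (num, action) in leak_report(SAMPLE_RULESET).items():
        print(f"{name:26s} -> rule {num:05d} {action}")
    print("default policy (rule 65535):", default_policy(parse_ruleset(SAMPLE_RULESET)))
```

Running it shows, for each probe, the first rule that matches a packet from the jail. Because a `deny` sits at 65534, rule 65535 is never reached for the probes above; the informative output is which `allow` rule matches a ping to a public address before either of the last two rules is consulted, which is the rule to examine when traffic still passes with the VPN down.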