jakeandchase (Explorer) - Joined Aug 26, 2014 - Messages: 53
Is this still relevant?
> Why do you need to provide that IP range, it's a "private" address range? What does that do / what am I missing here?
>
> And the last group allow access to local loop and deny everything else. The 10.0.0.0/8 is for AirVPN, you'll need to find out the IP range for your provider (I found this info in their forums).
> Code:
> add 04000 allow ip from 127.0.0.1 to any
> add 05000 allow ip from 10.0.0.0/8 to any
> add 05002 allow ip from any to 10.0.0.0/8
> add 65534 deny ip from any to any
I'm having issues with my rules loading on boot in the jail. If I go in and do an ipfw list it only shows one rule:
65535 allow ip from any to any
It's my understanding this is loaded from the kernel.
If I do a service ipfw start, all the rules load and everything is peachy.
Any help?
Hi Rilo
Why do you need to provide that IP range, it's a "private" address range? What does that do / what am I missing here?
EDIT: I read this info, but still the pieces don't fall together :(
Based on that, what would you put in line 2 and 3 then? Would this be 10.4.13.37/32 (only allowing that specific IP address)?

> Based on that, what would you put in line 2 and 3 then? Would this be 10.4.13.37/32 (only allowing that specific IP address)?
Yes. Here's my network interfaces showing all three.
Code:
loopback (lo0): inet 127.0.0.1 netmask 0xff000000
jail (epair1b): inet 192.168.1.41 netmask 0xffffff00 broadcast 192.168.1.255
vpn (tun0): inet 10.4.13.38 --> 10.4.13.37 netmask 0xffffffff
And the last group allow access to local loop and deny everything else. The 10.0.0.0/8 is for AirVPN, you'll need to find out the IP range for your provider (I found this info in their forums).
Code:
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
So you mean it's trial and error basically...? Or I need to try and find out what IP range I should be using. Wouldn't it be possible to write some script to find the IP address assigned to you, write it to the firewall rules and (re)start the firewall, or something like that? Maybe someone here already has done something similar?
Code:
add 02000 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02008 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02012 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02014 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02016 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
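One way to do the script asked about above, as an added example that is not from the thread: it pulls the address the VPN assigned to the tun interface out of ifconfig output and writes /32 rules for that address rather than a guessed provider range. The interface name tun0, the rule numbers, the output file path and the sample ifconfig text are assumptions modelled on the interfaces posted earlier.

```shell
#!/bin/sh
# Added example, not from the thread: read the address the VPN assigned to
# the tun interface from ifconfig output and emit /32 ipfw rules for it.
# Assumptions: the interface is tun0, rule numbers follow the thread's
# layout, and the ifconfig text below is a constructed sample.

# Constructed sample of `ifconfig tun0` output (point-to-point tun interface),
# modelled on the "vpn (tun0)" line posted earlier in the thread.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.4.13.38 --> 10.4.13.37 netmask 0xffffffff
    groups: tun'

# vpn_addrs IFCONFIG_TEXT: print "local peer" for the first point-to-point
# inet line; return 1 and print nothing if the interface has no address yet.
vpn_addrs() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" && $3 == "-->" { print $2, $4; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# gen_rules IFCONFIG_TEXT: emit the rule file. Only the /32 the VPN assigned
# may talk to the outside, loopback stays open, everything else is denied.
gen_rules() {
    addrs=$(vpn_addrs "$1") || { echo "tun interface has no address" >&2; return 1; }
    local_ip=${addrs%% *}
    printf 'add 04000 allow ip from 127.0.0.1 to any\n'
    printf 'add 05000 allow ip from %s to any\n' "$local_ip"
    printf 'add 05002 allow ip from any to %s\n' "$local_ip"
    printf 'add 65534 deny ip from any to any\n'
}

# On a real jail: gen_rules "$(ifconfig tun0)" > /media/ipfw_rules && service ipfw restart
# Here it runs against the constructed sample so the script works offline.
gen_rules "$SAMPLE_IFCONFIG"
```

Because the tun address can change on every reconnect, matching on the interface instead (allow ip from any to any via tun0, the same via keyword the lo0 rule on this page uses) avoids regenerating the file at all.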
I know this is an old comment, but I want to get this right. I don't think the last comment here is correct. I can successfully ping Google with the VPN on, but I can also ping Google with the VPN off. I have set everything up as described, but this is a BIG problem for me.
Here are my firewall rules.
Code:
root@transmission_1:~ # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05003 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any
Why does the firewall have rules that I did not specify? I think the last line is causing the traffic to get through. How to get rid of this line?
Here is a cat from the file /media/ipfw_rules
Code:
root@transmission_1:~ # cat /media/ipfw_rules
add 01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
add 01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
add 01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
add 02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05003 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
If anyone has any suggestions I would appreciate it.
EDIT: After doing some research, if the kernel is compiled with IPFIREWALL_DEFAULT_TO_ACCEPT then the last rule is created. Is this what FreeNAS does by default in their kernel config? If so, how do I change it?
Well since in ipfw I believe the last rule the packet matches would be the one it follows, I think that rule would screw you. I was actually trying to build a kernel to do something like this but got stuck on a compilation error I couldn't figure out
> Well since in ipfw I believe the last rule the packet matches would be the one it follows, I think that rule would screw you. I was actually trying to build a kernel to do something like this but got stuck on a compilation error I couldn't figure out
Read this:
> When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. When the packet matches the selection parameters of a rule, the rule's action is executed and the search of the ruleset terminates for that packet. This is referred to as "first match wins".
Since your rules are:
Code:
65534 deny ip from any to any
65535 allow ip from any to any
Nothing that does not match any of the rules before would pass the firewall, since the deny rule comes first.
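To make the "first match wins" point concrete, an added example that is not from the thread: a small shell/awk walk over the tail of the rule list posted above, returning the first rule that matches a packet's source and destination. It interprets only the number, action, source and destination columns; protocol, ports and keep-state are ignored, an assumption made for brevity.

```shell
#!/bin/sh
# Added example, not from the thread: simulate ipfw's top-to-bottom,
# first-match-wins evaluation over the tail of the rule set posted above.
# Assumption: only number/action/src/dst columns are interpreted.

# Rules copied from the ipfw list posted above (the xxx rules omitted).
RULES='04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05003 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any'

# first_match SRC DST: print "<number> <action>" of the first matching rule.
first_match() {
    printf '%s\n' "$RULES" | awk -v src="$1" -v dst="$2" '
    # ip2n: dotted quad -> 32-bit integer
    function ip2n(a,  p) { split(a, p, "[.]"); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    # cidr_match: "any" matches everything; otherwise compare network prefixes.
    function cidr_match(ip, spec,  parts, n, bits, step) {
        if (spec == "any") return 1
        n = split(spec, parts, "/")
        bits = (n == 2) ? parts[2] : 32
        step = 2 ^ (32 - bits)
        return int(ip2n(ip) / step) == int(ip2n(parts[1]) / step)
    }
    # Columns: 1=number 2=action 3=proto 4=from 5=src 6=to 7=dst
    cidr_match(src, $5) && cidr_match(dst, $7) { print $1, $2; exit }'
}

# Jail LAN address reaching for the Internet with the VPN down: stops at 65534,
# so the kernel default rule 65535 is never consulted.
first_match 192.168.1.41 8.8.8.8      # 65534 deny
# Same destination with the VPN up (source is the tun0 address): 05000 allow.
first_match 10.4.13.38 8.8.8.8        # 05000 allow
```

A packet from the jail's LAN address is stopped at 65534, so rule 65535 is never reached and cannot be what lets traffic out while the VPN is down.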