ipfw
karantan ::
ok, I have a problem understanding how ipfw works and how to manage it. I read the chapter in the handbook about it, but I still don't know:
1. how to enable a specific rule so that it works. e.g. this one: "$cmd 00005 allow all from any to any via rl1". how do I enable it? the handbook says (at least that's how I understand it) that instead of $cmd I should write add, but that doesn't work (or I did something else wrong)
2. which ipfw types exist and what each one is good for (I know there are simple and closed)
3. where else I can learn about ipfw (I already tried plain googling and it didn't get me anywhere)
that's it for now. if I think of anything else I'll post it. thanks in advance for the answers
regards, karantan
If you don't understand something, please read Help. If you still don't understand something, please read help again.
borchi ::
the guys there will be able to help you!
that $cmd means you don't have to write e.g. "ipfw -q add" in front of every rule in the firewall script. that is, earlier in the script you have to say what the cmd variable should be.
e.g.:
cmd="ipfw -q add"
then you can use e.g.:
$cmd 00005 allow all from any to any via rl1
since I was fiddling with ipfw on mac osx just a few days ago, I can also post my firewall (with nat) script as an example. shields up! says "all stealth" ;-) but a lot has probably already been said about this in the thread mentioned above.
cheers
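As an added example (not borchi's script, not the Mac OS X script offered above and not a FreeBSD file), here is a complete stand-alone host firewall written the way borchi describes: the cmd variable carries the "ipfw -q add" prefix and every rule is just `$cmd <number> <action> ...`. The rc.firewall types the handbook talks about are open, client, simple, closed, UNKNOWN and "a filename"; a script like this one is the filename case, hooked up through firewall_script in /etc/rc.conf. The outside interface rl0, the rule numbers and the set of allowed services are assumptions. With IPFW=echo the script prints the rules instead of loading them, and it does the same on any machine without ipfw, so the rule set can be reviewed before it goes on the box.

```shell
#!/bin/sh
# Added example, not from the thread: a stand-alone host firewall written the way
# borchi describes, with one "$cmd" prefix shared by every rule.
# Assumptions: the outside interface is rl0 and the host only offers SSH.
# Hook it up in /etc/rc.conf with
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"   # run instead of the built-in rc.firewall types
# Run as  IPFW=echo sh /etc/ipfw.rules  to print the rules without loading them.

if [ -z "${IPFW:-}" ]; then
    if command -v ipfw >/dev/null 2>&1; then
        IPFW=ipfw
    else
        IPFW=echo                 # no ipfw on this box: dry run, print instead of load
        echo "ipfw not found, printing rules only" >&2
    fi
fi

load_rules() {
    oif="${1:-rl0}"               # outside interface (assumption)
    cmd="$IPFW -q add"            # the "$cmd" from borchi's answer: -q keeps ipfw quiet

    $IPFW -q -f flush             # drop whatever is loaded; -f skips the confirmation prompt

    # Loopback: everything on lo0 is fine, 127/8 on any other interface is spoofed
    $cmd 00005 allow all from any to any via lo0
    $cmd 00010 deny all from any to 127.0.0.0/8
    $cmd 00020 deny all from 127.0.0.0/8 to any

    # Replies to connections this host opened come back through the dynamic rules
    $cmd 00100 check-state

    # What this host may start: TCP anywhere, DNS and NTP over UDP
    $cmd 00200 allow tcp from me to any out via "$oif" setup keep-state
    $cmd 00210 allow udp from me to any 53,123 out via "$oif" keep-state
    # ICMP worth keeping: echo reply, unreachable, echo request, time exceeded
    $cmd 00220 allow icmp from any to any icmptypes 0,3,8,11

    # What the outside may start: SSH only
    $cmd 00300 allow tcp from any to me 22 in via "$oif" setup keep-state

    # Everything else: log it and drop it. The kernel's own rule 65535 already
    # denies (unless built with IPFIREWALL_DEFAULT_TO_ACCEPT); an explicit final
    # deny makes the policy visible in "ipfw show" and produces the log line.
    $cmd 00400 deny log tcp from any to any in via "$oif" setup
    $cmd 00500 deny log all from any to any
}

load_rules "$@"
```

Rule numbers decide the order in which packets are checked, not the order of the lines in the script, so a rule added later with a lower number still lands in front. `ipfw show` lists what is loaded together with packet and byte counters, which is the quickest way to see which rule is eating the traffic; `deny log` only writes anything when the kernel was built with IPFIREWALL_VERBOSE or net.inet.ip.fw.verbose is set to 1.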
Diplomat ::
Hi!
I'm also interested in ipfw. I installed freebsd 5.4, recompiled the kernel and set up ipfw, but if I choose ipfw type simple it doesn't let anything through from the lan; only the internet on the router itself works. With the default settings rc.firewall looks like this:
[Ss][Ii][Mm][Pp][Ll][Ee])
############
# This is a prototype setup for a simple firewall. Configure this
# machine as a DNS and NTP server, and point all the machines
# on the inside at this machine for those services.
############
# set these to your outside interface network and netmask and ip
oif="tun0"
onet="193.x.x.0"
omask="255.255.255.240"
oip="193.x.x.x"
# set these to your inside interface network and netmask and ip
iif="rl1"
inet="192.168.0.0"
imask="255.0.0.0"
iip="192.168.0.1"
setup_loopback
# Stop spoofing
${fwcmd} add 603 deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add 604 deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add 605 deny all from any to 10.0.0.0/8 in via ${oif}
${fwcmd} add 606 deny all from any to 172.16.0.0/12 in via ${oif}
${fwcmd} add 607 deny all from any to 192.168.0.0/16 in via ${oif}
# ${fwcmd} add 608 deny all from 10.0.0.0/8 to any in via ${oif}
# ${fwcmd} add 609 deny all from 172.16.0.0/12 to any in via ${oif}
# ${fwcmd} add 610 deny all from 192.168.0.0/16 to any in via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
#${fwcmd} add 608 deny all from any to 0.0.0.0/8 via ${oif}
#${fwcmd} add 609 deny all from any to 169.254.0.0/16 via ${oif}
#${fwcmd} add 610 deny all from any to 192.0.2.0/24 via ${oif}
#${fwcmd} add 611 deny all from any to 224.0.0.0/4 via ${oif}
#${fwcmd} add 612 deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add 2000 divert natd all from any to any via ${natd_interface}
fi
;;
esac
# Stop RFC1918 nets on the outside interface
${fwcmd} add 2001 deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add 2002 deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add 2003 deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
#${fwcmd} add 2004 deny all from 0.0.0.0/8 to any via ${oif}
#${fwcmd} add 2005 deny all from 169.254.0.0/16 to any via ${oif}
#${fwcmd} add 2006 deny all from 192.0.2.0/24 to any via ${oif}
#${fwcmd} add 2007 deny all from 224.0.0.0/4 to any via ${oif}
#${fwcmd} add 2008 deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
#${fwcmd} add 700 pass tcp from any to any established
# Allow IP fragments to pass through
#${fwcmd} add 701 pass all from any to any frag
# Allow setup of incoming email
#${fwcmd} add 702 pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fwcmd} add 703 pass tcp from any to ${oip} 53 setup
${fwcmd} add 704 pass udp from any to ${oip} 53
${fwcmd} add 705 pass udp from ${oip} 53 to any
# Allow access to our WWW
#${fwcmd} add 706 pass tcp from any to ${oip} 80 setup
# Allow access to our SSH
${fwcmd} add 707 pass tcp from any to ${oip} 22 setup
# Reject&Log all setup of incoming connections from the outside
# ${fwcmd} add 708 deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
# ${fwcmd} add 709 pass tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add 710 pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add 711 pass udp from ${oip} to any 123 keep-state
# Pipe
${fwcmd} pipe 1 config bw 0bit/s queue 0bytes
${fwcmd} pipe 2 config bw 32Kbit/s queue 6Kbytes
${fwcmd} pipe 3 config bw 64Kbit/s queue 12Kbytes
${fwcmd} pipe 4 config bw 128Kbit/s queue 24Kbytes
${fwcmd} pipe 5 config bw 256Kbit/s queue 32Kbytes
${fwcmd} pipe 6 config bw 320Kbit/s queue 64Kbytes
#Lan
${fwcmd} add 5000 pass all from 192.168.0.2 to ${onet}:${omask}
${fwcmd} add 5001 pass all from ${onet}:${omask} to 192.168.0.2
This is how I have ipfw configured, but it doesn't let the lan through. I'd like someone to explain to me how to tell it to let the lan through. By default it lets nothing through, only what I allow.
Regards
Diplomat ::
Thanks for the reply, but I'm not doing it the handbook way, for security reasons: if I used that method ipfw would start last, and I think it also doesn't get started again by /etc/netstart. Right now everything works for me except dummynet.
Regards