From owner-freebsd-questions@FreeBSD.ORG Thu Jan 8 14:54:12 2004
From: Lowell Gilbert
Sender: lowell@be-well.ilk.org
To: freebsd-questions@freebsd.org
Date: 08 Jan 2004 17:54:08 -0500
Subject: Re: Trying to understand ipfirewall/divert/nat
In-Reply-To: <200401070432.XAA14594728@shell.TheWorld.com>
References: <200401070432.XAA14594728@shell.TheWorld.com>
Message-ID: <4465fmuk4v.fsf@be-well.ilk.org>
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

Kenneth W Cochran writes:

> Would like to do similar things, e.g. allow/deny port/service/protocol here
> & get all that to play nicely
> with divert/natd. For example, with divert, it appears that
> we should have a ruleset for "before" the divert & another
> "mirror-image" ruleset for "after" divert. Where might I
> find some nice explanations of the logic/strategy with this?

Look carefully; it's not a mirror image.
The "before" set is denying the addresses as destinations, while the
"after" set is denying them as source addresses.

> I guess what confuses me is /etc/rc.firewall does things one
> way & the firewall(7) manpage another.

Firewall configurations differ. It's possible to struggle through
without understanding what you're doing, but it's hard, and you're a
lot more likely to make mistakes.

> Where are some, umm, good sources of information about
> ipfirewall (ipfw)? Seems all the books talk about are
> Linux's ipchains & iptables & *bsd's ipf.

The *good* books don't do much with any specific implementation. [I'm
thinking of Cheswick/Bellovin, as well as the Zwicky book.] They cover
the theory; if you have that, the syntax is pretty easy with any of them.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"
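The asymmetry Lowell describes, written out as an added example that is neither from his message nor from /etc/rc.firewall: a /bin/sh script emitting ipfw rules on either side of the divert rule. The outside interface name fxp0 and the RFC 1918 ranges are assumptions, and the rules are only printed unless IPFW=ipfw is set.

```shell
#!/bin/sh
# Added example, not code from the message or from /etc/rc.firewall:
# ipfw rules around a divert/natd rule, laid out to show why the
# "before" and "after" sets are not mirror images. The outside
# interface name and the RFC 1918 ranges are assumptions.
# Dry run by default: rules are printed, not loaded. On a FreeBSD
# host, run as root with IPFW=ipfw to load them.

IPFW="${IPFW:-echo ipfw}"            # "echo ipfw" = print only
oif="${OIF:-fxp0}"                   # assumed outside (NAT) interface
private="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

nat_ruleset() {
    # BEFORE the divert: outbound packets from inside still carry
    # their private *source* (natd has not rewritten it yet), so a
    # deny-by-source rule here would cut off the LAN. Inbound packets
    # still carry our public *destination*, so a private destination
    # seen on the outside interface is never legitimate: deny by
    # destination only.
    for net in $private; do
        $IPFW add deny all from any to "$net" via "$oif"
    done

    # natd rewrites outbound sources to the public address and
    # inbound destinations back to the private host.
    $IPFW add divert natd all from any to any via "$oif"

    # AFTER the divert: translated inbound packets now legitimately
    # have a private *destination*, so the first set cannot be
    # repeated here. A private *source* at this point is either a
    # spoofed inbound packet or outbound traffic natd never
    # translated: deny by source only.
    for net in $private; do
        $IPFW add deny all from "$net" to any via "$oif"
    done
}

nat_ruleset
```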