From owner-freebsd-questions  Sun Jun  2 23: 7:10 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from kirk.dlee.org (pool-138-88-4-85.res.east.verizon.net [138.88.4.85])
	by hub.freebsd.org (Postfix) with ESMTP id D031E37B401
	for <freebsd-questions@freebsd.org>; Sun,  2 Jun 2002 23:07:06 -0700 (PDT)
Received: from kirk.dlee.org (dgl@pool-138-88-4-85.res.east.verizon.net [138.88.4.85])
	by kirk.dlee.org (8.12.3/8.12.3) with ESMTP id g53675KZ002192
	for <freebsd-questions@freebsd.org>; Mon, 3 Jun 2002 02:07:05 -0400 (EDT)
	(envelope-from dgl@kirk.dlee.org)
Received: (from dgl@localhost)
	by kirk.dlee.org (8.12.3/8.12.3/Submit) id g53674pT002191
	for freebsd-questions@freebsd.org; Mon, 3 Jun 2002 02:07:04 -0400 (EDT)
Date: Mon, 3 Jun 2002 02:07:03 -0400
From: Doug Lee <dgl@visi.com>
To: freebsd-questions@freebsd.org
Subject: rc.firewall with ppp/nat problem and fix
Message-ID: <20020603060703.GA545@kirk.dlee.org>
Mail-Followup-To: Doug Lee <dgl@visi.com>,
	freebsd-questions@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.25i
Organization: Bartimaeus Group
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

I've switched from a DHCP cable modem to a PPPoE DSL modem and thus
started running ppp.  I had trouble getting natd to work with ppp, so
I'm now using ppp's nat facilities...

but the rc.firewall rules for denying RFC1918 traffic on the outside
interface seem to block legitimate traffic from my LAN to the Internet
and back also.  My solution is to put the following line above the
first "Stop RFC1918 nets ..." line in /etc/rc.firewall:

$fwcmd add pass all from any to any in via ${iif} keep-state

The questions:  Will this generate a huge number of dynamic rules for
local traffic, and is there a better way to do this, preferably other
than trying to duplicate my rc.firewall in ppp.conf?

Thanks.

-- 
Doug Lee           dgl@visi.com        http://www.visi.com/~dgl
Bartimaeus Group   doug@bartsite.com   http://www.bartsite.com
"There are no guarantees.  From a standpoint of fear, none are
strong enough.  From a standpoint of love, none are necessary."
- from Emmanuel's Book II

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message