From owner-freebsd-questions Mon Jun 4 5:12:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from clmboh1-smtp3.columbus.rr.com (clmboh1-smtp3.columbus.rr.com [65.24.0.112]) by hub.freebsd.org (Postfix) with ESMTP id 53F6C37B406; Mon, 4 Jun 2001 05:12:11 -0700 (PDT) (envelope-from wmoran@iowna.com)
Received: from iowna.com (dhcp065-024-023-038.columbus.rr.com [65.24.23.38]) by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with ESMTP id f54C8vk18493; Mon, 4 Jun 2001 08:08:58 -0400 (EDT)
Message-ID: <3B1B7AD7.A3336A54@iowna.com>
Date: Mon, 04 Jun 2001 08:11:03 -0400
From: Bill Moran
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: tinnakorn kunasit
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfirewall
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

tinnakorn kunasit wrote:
> 1. add options for ipfirewall and recompile kernel
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT

Did you rebuild and install the kernel after this?

> 4. edit file /etc/rc.firewall
> /sbin/ipfw -f flush
> /sbin/ipfw -q add 100 pass all from any to any via lo0
> /sbin/ipfw -q add 200 pass all from any to 127.0.0.0/8
> /sbin/ipfw -q add 300 pass all from any to any
>
> /sbin/sysctl -n -w net.inet.ip.forwarding=1
> /sbin/natd -l -d auth -m -u -n rl1 -dynamic
> /sbin/ipfw add divert natd all from any to any out
> /sbin/ipfw add divert natd all from any to any in

Hmm ...

A minimal ruleset would be:

add 100 divert natd ip from any to any via rl0
add 200 allow ip from any to any via lo0
add 300 deny ip from any to 127.0.0.0/8
add 400 allow ip from any to any

considering that you don't seem to be using it to protect anything. The default rc.firewall would work fine in "OPEN" mode. Read the natd/firewall section in the man page for rc.conf for details.

-Bill
--
If a bird in the hand is worth two in the bush, then what can I get for two hands in the bush?
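As an added example that is not part of the thread and is not FreeBSD's own rc.firewall: a small sh script that loads the kind of "open with NAT" ruleset the reply describes, with the natd divert numbered ahead of the catch-all allow (ipfw stops at the first matching rule, so a divert appended after a "pass all" never sees a packet). It goes one rule beyond the reply's minimal set by also dropping packets that claim a 127.0.0.0/8 source, the loopback anti-spoofing pair from the stock rc.firewall. The external interface is a parameter (rl0 is only a placeholder), and the ipfw, natd and sysctl paths can be overridden, which is how it can be dry-run with IPFW=echo on a machine without ipfw in the kernel.

```sh
#!/bin/sh
# Added example, not from the thread: a small rc.firewall-style script for
# ipfw + natd in "open" mode. The external interface name is passed as $1
# (rl0 is only a placeholder); IPFIREWALL and IPDIVERT must be in the
# running kernel. Set IPFW=echo to print the commands instead of running them.

IPFW=${IPFW:-/sbin/ipfw}
NATD=${NATD:-/sbin/natd}
SYSCTL=${SYSCTL:-/sbin/sysctl}

# Print the ruleset for external interface $1, one "<number> <rule body>" per
# line. ipfw stops at the first matching rule, so the divert to natd must be
# numbered below the catch-all allow; a divert appended later (higher-numbered)
# would never see a packet. The two 127.0.0.0/8 rules are the loopback
# anti-spoofing pair from the stock rc.firewall, one more than the reply's
# minimal set.
build_rules() {
    ext_if=$1
    cat <<EOF
100 divert natd ip from any to any via $ext_if
200 allow ip from any to any via lo0
300 deny ip from any to 127.0.0.0/8
400 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
EOF
}

# True only if the running kernel has ipfw; "ipfw list" fails otherwise,
# which is the symptom of skipping the kernel rebuild/install/reboot.
check_ipfw() {
    "$IPFW" list >/dev/null 2>&1
}

# Flush and load the ruleset for external interface $1.
apply_rules() {
    ext_if=$1
    "$IPFW" -f flush
    build_rules "$ext_if" | while read -r num body; do
        # $body is deliberately unquoted: ipfw wants each keyword as its own argument.
        "$IPFW" -q add "$num" $body
    done
}

main() {
    ext_if=${1:?usage: $0 external-interface}
    check_ipfw || { echo "ipfw is not in the running kernel" >&2; exit 1; }
    "$SYSCTL" -w net.inet.ip.forwarding=1
    # -n: interface to alias on; -dynamic: follow its address changes;
    # -m: keep source ports where possible; -u: only alias RFC 1918 sources.
    "$NATD" -n "$ext_if" -dynamic -m -u
    apply_rules "$ext_if"
}

# Only run when an interface is given, so the file can also be sourced.
case "${1:-}" in
    "") ;;
    *) main "$@" ;;
esac
```

On the FreeBSD box this is run as "sh rc.firewall.sh rl0" (with the real external interface); "IPFW=echo NATD=echo SYSCTL=echo sh rc.firewall.sh rl0" prints every command instead of running it, which is a cheap way to check rule order before touching a remote machine.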