From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 28 11:06:50 2013
Date: Mon, 28 Oct 2013 11:06:49 GMT
Message-Id: <201310281106.r9SB6nNW055117@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/180731  ipfw       [ipfw] problem with displaying 255.255.255.255 address
o kern/180729  ipfw       [ipfw] ipfw nat show empty output
o kern/178482  ipfw       [ipfw] logging problem from vnet jail
o kern/178480  ipfw       [ipfw] dynamically loaded ipfw with a vimage kernel do
o kern/178317  ipfw       [ipfw] ipfw options need to specifed in specific order
o kern/177948  ipfw       [ipfw] ipfw fails to parse port ranges (p1-p2) for udp
o kern/176503  ipfw       [ipfw] ipfw layer2 problem
o conf/167822  ipfw       [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw       [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw       [ipfw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

42 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 30 01:22:30 2013
To: freebsd-ipfw@freebsd.org
Subject: Re: Assalam
X-PHP-Originating-Script: 33:247@abu.php
From: Mohamad Hassan
Message-Id: <20131030011331.7B746B20CC@modersmal.skolverket.se>
Date: Wed, 30 Oct 2013 02:10:22 +0100 (CET)
Reply-To: mohamad_hassan@rediffmail.com

Assalamalaikum Wr Wb

I hope in the name of ALLAH that I have the right person who will assist
me. I got your contact through a web directory.

I want to transfer my family's money into your country/ business for
investment purposes and to secure the future of my 3 children because we
are uncertain of the future of this country; as such I would like to make
contact with you residing in that country for assistance.

Note these funds are already in a security company which has branches
around the world for safe keeping.

I would have done this myself but my present health condition will not
warrant me to do so. Kindly help with this because I cannot travel out of
Libya at the moment due to some certain conditions and great difficulties
added to the fact that am disabled on a wheelchair due to a bombing that
occurred in Benghazi. I will explain more to you when I am certain that I
can trust you.

The fall of Muammar Gaddafi came with a lot of destruction / Hell to our
great country Libya and everything is practically difficult now and
opportunities are closing up, the new government is trying to frustrate our
life.

Please if you accept this offer of assistance you are required to give me
your Name, age, occupation, address also enclosing your telephone fax
numbers.

What I now need from you are as follows:

1. You will help me receive and secure the funds from the security company
on my family's behalf and open a Bank account for my children in your
country with the credentials I will give you.

2. You will be entitled to 30% of the total sum involved for your
assistance.

3. As soon as you confirm to me by e-mail your readiness to assist with
this, I will give you more details as regards claiming the funds from the
security company.

4. Please note that this project is 100% risk free but you must keep it
very secret and confidential with strong assurance that you will not let me
down at all.

Regards,
Mohamad Hassan al-Rida

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 30 01:24:18 2013
In-Reply-To: <20131030011331.7B746B20CC@modersmal.skolverket.se>
References: <20131030011331.7B746B20CC@modersmal.skolverket.se>
Date: Wed, 30 Oct 2013 09:24:16 +0800
Subject: Re: Assalam
From: KHC
To: mohamad_hassan@rediffmail.com
Cc: freebsd-ipfw@freebsd.org

Pls do...I don't have enough money...please transfer it as soon as possible...
Tq for your kindness

Sent from Galaxy Note II

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 31 20:10:52 2013
Date: Thu, 31 Oct 2013 13:10:42 -0700 (PDT)
From: Casey Scott
To: freebsd-ipfw@freebsd.org
Message-ID: <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>
In-Reply-To: <789665157.296.1383076677766.JavaMail.root@phantombsd.org>
References: <789665157.296.1383076677766.JavaMail.root@phantombsd.org>
Subject: NAT/ipfw blocking internal traffic

Hello,

My NAT and ipfw ruleset follow almost exactly what is given at
http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

The problem I'm encountering is that a portion of my outbound internal traffic
is being blocked by ipfw. This is a fresh FreeBSD installation, so I'm kind of
at a loss since the config matches the handbook. Any suggestions are appreciated.

uname -a
***********************************************
FreeBSD hostname 9.2-RELEASE FreeBSD 9.2-RELEASE #6 r256447: Fri Oct 18 20:06:53 PDT 2013 root@hostname:/usr/src/sys/amd64/compile/hostname amd64
***********************************************

/var/log/security:
***********************************************
Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876 65.126.84.88:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877 65.126.84.88:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
***********************************************

firewall script:
***********************************************
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=fxp0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443"

ipfw -q -f flush

$cmd 002 allow all from any to any via em0  # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 136 $skip udp from any to any 53 out via $pif $ks
$cmd 150 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 151 $skip icmp from any to any out via $pif $ks
$cmd 152 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast

# Authorized inbound packets
$cmd 400 allow tcp from any to me 76 in via $pif setup limit src-addr 2
$cmd 402 allow ip from any to me 53 in via $pif setup limit src-addr 2
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 421 allow tcp from any to me 80 in via $pif setup limit src-addr 2

$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
***********************************************

natd run options:
***********************************************
/sbin/natd -dynamic -m -n fxp0
***********************************************

-Casey
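
Added example, not part of the post above or of the Handbook: a Python triage of the posted /var/log/security excerpt against the posted ruleset, grouping the packets logged by rule 450 by flow and by which earlier rule they failed to satisfy. The constants and log lines are copied from the post; the names parse, classify and summarize are hypothetical.

```python
import re
from collections import Counter

# Values copied from the posted firewall script.
PIF = "fxp0"                                  # pif
GOOD_TCPO = {22, 25, 37, 43, 53, 80, 443}     # good_tcpo (rule 150)
CATCH_ALL = 450                               # "deny log ip from any to any"

# The /var/log/security excerpt from the post.
POSTED_LOG = """\
Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876 65.126.84.88:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877 65.126.84.88:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
"""

# Matches TCP/UDP entries ("proto src:port dst:port in|out via if"); entries
# without ports, such as ICMP, do not match and are skipped.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(line):
    """Return the fields of one ipfw log line as a dict, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Say why a packet logged by rule 450 was not passed earlier in the posted ruleset."""
    if (rec["rule"], rec["proto"], rec["iface"]) != (CATCH_ALL, "TCP", PIF):
        return "other"
    if rec["dir"] == "out" and rec["dport"] in GOOD_TCPO:
        # Port and interface satisfy rule 150, so the packet failed its
        # "setup" test (not a bare SYN) and matched no state at rule 101.
        return "out-allowed-port-no-state"
    if rec["dir"] == "in" and rec["sport"] in GOOD_TCPO:
        # Comes from a port rule 150 lets out, but check-state (101) had no
        # dynamic rule for it and rules 400-421 do not cover it.
        return "in-from-allowed-port-no-state"
    return "not-in-allow-list"

def summarize(text):
    """Count denied packets per (classification, local endpoint, remote endpoint)."""
    flows = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src = f"{rec['src']}:{rec['sport']}"
        dst = f"{rec['dst']}:{rec['dport']}"
        local, remote = (src, dst) if rec["dir"] == "out" else (dst, src)
        flows[(classify(rec), local, remote)] += 1
    return flows

if __name__ == "__main__":
    for (kind, local, remote), n in sorted(summarize(POSTED_LOG).items()):
        print(f"{n:2d}  {kind:30s} {local:21s} <-> {remote}")
```

On the firewall itself, `ipfw -d show` lists the dynamic rules together with the static ones, which is the state these packets failed to match.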