Date: Wed, 6 Oct 1999 09:40:00 -0400
From: "Patrick Bihan-Faou" <patrick-fl-security@mindstep.com>
To: "f.johan.beisser" <jan@caustic.org>, <freebsd-security@FreeBSD.ORG>
Subject: Re: default rc.firewall
Message-ID: <007e01bf1000$49935520$190aa8c0@local.mindstep.com>
References: <007b01bf0f43$1a125de0$190aa8c0@local.mindstep.com> <Pine.BSF.4.05.9910050945160.41067-100000@pogo.caustic.org>
Hi,

> i've found that the rc.firewall is not really necessary for the NAT
> gateways. basically, i set everything from the natd(8), and use the
> rc.firewall for logging certain kinds of transactions, or bandwidth
> control.

I think you missed my point. I am not arguing whether NATD can do what IPFW does. Your scheme is fine, but if you also want to run services on the gateway, it becomes cumbersome.

What I want to do is a "rc.firewall" script that behaves mostly like the "rc.network" script: you don't modify the script yourself, you change some variables in "rc.conf" to do what you need done. This goes beyond the NAT router.

> <mild snippage>

This is the mild snippage that goes in "rc.conf"... ;-) Just for the record, here it is again:

firewall_public_if="ed2"
firewall_allow_passive_ftp="YES"
firewall_allow_tcp="80,21,20"
firewall_allow_tcp_log="22"

And this is the side-effect of rc.firewall using the variables in rc.conf:

ipfw add allow tcp from any to any 20 setup in recv ed2
ipfw add allow tcp from any to 1.2.3.4 80,21,20 setup in recv ed2
ipfw add allow log tcp from any to 1.2.3.4 22 setup in recv ed2

Patrick.
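The message above describes an rc.conf-driven rc.firewall but does not show the script that turns the variables into ipfw rules. The sketch below is an added example, not Patrick's script and not the rc.firewall shipped with FreeBSD. The variable names are the ones quoted in the message (they are hypothetical knobs, not documented rc.conf(5) variables), the output lines are the three ipfw commands from the message, and two things are assumptions: the public address 1.2.3.4 is taken from a made-up firewall_public_ip knob, and the port-20 rule is tied to firewall_allow_passive_ftp because the message lists it first without saying which variable produced it. The generator prints the commands instead of executing them so the result can be reviewed (or piped into sh) on a machine without ipfw.

```shell
#!/bin/sh
# Added example: an rc.conf-style rule generator in the spirit of the message.
# Not the FreeBSD rc.firewall and not the author's script.

# Hypothetical knobs, normally sourced from /etc/rc.conf. The names are the
# ones quoted in the thread; firewall_public_ip is assumed here because the
# message hard-codes 1.2.3.4 in its rules.
firewall_public_if="ed2"
firewall_public_ip="1.2.3.4"
firewall_allow_passive_ftp="YES"
firewall_allow_tcp="80,21,20"
firewall_allow_tcp_log="22"

# A port list may contain only digits and commas (ipfw's "80,21,20" form).
# The empty string is valid and simply produces no rule.
valid_ports() {
    case "$1" in
        *[!0-9,]*) return 1 ;;
        *)         return 0 ;;
    esac
}

# gen_firewall_rules IF IP PASSIVE_FTP TCP_PORTS TCP_LOG_PORTS
# Prints the ipfw commands the given rc.conf values would expand to.
gen_firewall_rules() {
    pub_if="$1" pub_ip="$2" pasv_ftp="$3" tcp_ports="$4" tcp_log_ports="$5"

    # Fail closed on a malformed port list instead of handing ipfw a string
    # it may parse differently from what the administrator meant.
    for list in "$tcp_ports" "$tcp_log_ports"; do
        valid_ports "$list" || {
            echo "rc.firewall: bad port list '$list'" >&2
            return 1
        }
    done

    # Assumed mapping: the message shows this rule first, next to the
    # passive-FTP knob, but does not say which variable generated it.
    [ "$pasv_ftp" = "YES" ] &&
        echo "ipfw add allow tcp from any to any 20 setup in recv $pub_if"

    # Open the listed services on the public address only, inbound on the
    # public interface, matching just the SYN ("setup") of a new connection.
    [ -n "$tcp_ports" ] &&
        echo "ipfw add allow tcp from any to $pub_ip $tcp_ports setup in recv $pub_if"

    # Same, but log every accepted connection (ssh in the message).
    [ -n "$tcp_log_ports" ] &&
        echo "ipfw add allow log tcp from any to $pub_ip $tcp_log_ports setup in recv $pub_if"

    return 0
}

# Expand the knobs above; pipe into "sh" once the output looks right.
gen_firewall_rules "$firewall_public_if" "$firewall_public_ip" \
    "$firewall_allow_passive_ftp" "$firewall_allow_tcp" "$firewall_allow_tcp_log"
```

Two caveats the message leaves implicit: these are only the "allow" rules, so a real rc.firewall would still need to flush the existing set first and end with a default deny, and because each rule matches only the SYN of an inbound connection, the return and established traffic must be permitted by rules not shown here.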