From owner-freebsd-net Sun May 7 20: 4: 0 2000
Delivered-To: freebsd-net@freebsd.org
Received: from camel.ethereal.net (216.200.22.209.cp.net [216.200.22.209]) by hub.freebsd.org (Postfix) with ESMTP id 6153437BCC2 for ; Sun, 7 May 2000 20:03:57 -0700 (PDT) (envelope-from jkb@camel.ethereal.net)
Received: (from jkb@localhost) by camel.ethereal.net (8.10.0.Beta10/8.10.0.Beta10) id e4833mL22371; Sun, 7 May 2000 20:03:48 -0700 (PDT)
Date: Sun, 7 May 2000 20:03:48 -0700
From: Jan Koum
To: Jordan Blanchard
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: possible /etc/rc.firewall bug?
Message-ID: <20000507200348.B92100@ethereal.net>
References: <20000506162221.B45391@ethereal.net> <20000507163857.A92100@ethereal.net> <000d01bfb899$1ebd6920$1021fea9@sympatico.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.1.14i
In-Reply-To: <000d01bfb899$1ebd6920$1021fea9@sympatico.ca>; from cybernetik@sympatico.ca on Sun, May 07, 2000 at 10:57:16PM -0400
X-Operating-System: FreeBSD camel.ethereal.net 3.4-RELEASE FreeBSD 3.4-RELEASE
X-Unix-Uptime: 10:34PM up 1 day, 9:11, 15 users, load averages: 0.13, 0.05, 0.06
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

the web has been turned off in the US last night around 9:30pm. it is now illegal to use the web here. you have to go through a proxy based in china or cuba - which is why it only works for you via proxy.

really -- what do you mean "how i have web working"???

and please, this does not belong on -net, this belongs on the -questions mailing list.

On Sun, May 07, 2000 at 10:57:16PM -0400, Jordan Blanchard wrote:
> may I ask how you have web working without a proxy program??? I've got
> freebsd 4.0 running and I have never been able to get web working without a
> proxy program, everything else works just not web!
>
>
> ----- Original Message -----
> From: Jan Koum
> To: Joshua Goodall
> Cc:
> Sent: Sunday, May 07, 2000 7:38 PM
> Subject: Re: possible /etc/rc.firewall bug?
>
>
> > i don't need a fix that works for me -- i can figure out how to make
> > things work. i'd like someone to commit the change i describe below (either
> > giving the natd rule an assignment of 50 or going away from numbers altogether
> > in rc.firewall and letting ipfw do internal number assignments)
> >
> > it's a very simple fix. i don't know why nobody committed it yet.
> >
> >
> > On Sun, May 07, 2000 at 05:00:20PM +0200, Joshua Goodall wrote:
> > >
> > > This is a "known problem". Since the implications compromise natd
> > > security, it should have been fixed. However, it isn't in the latest
> > > 4.0-STABLE.
> > >
> > > There is a potential fix that may work for you. See
> > >
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=13769
> > >
> > > but beware the warnings about making your firewall "weak". The resulting
> > > firewall ruleset should provide a basis for a stronger configuration.
> > >
> > > --
> > > Joshua Goodall
> > > IP Systems Engineer - InterXion - http://www.InterXion.com/
> > >
> > > On Sat, 6 May 2000, Jan Koum wrote:
> > >
> > > >
> > > > i just noticed something.
> > > > if you set up natd and ipfw, you end up with:
> > > >
> > > > # ipfw -a l
> > > > 00100 677369 166815520 divert 8668 ip from any to any via ed0
> > > > 00100 397358 45078874 allow ip from any to any via lo0
> > > > 00200 0 0 deny ip from any to 127.0.0.0/8
> > > > 65000 1709011 373169093 allow ip from any to any
> > > > 65535 0 0 deny ip from any to any
> > > >
> > > > two rules with number 100 -- i suggest moving the divert rule to 50 by changing
> > > >
> > > > ${fwcmd} add divert natd all from any to any via ${natd_interface}
> > > >
> > > > to:
> > > >
> > > > ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
> > > >
> > > >
> > > > of course another way to do this is to remove the #'s from the following rules:
> > > > ${fwcmd} add 100 pass all from any to any via lo0
> > > > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > > >
> > > >
> > > > thanks,
> > > >
> > > > -- yan
> > > >
> > > >
> > > > p.s. - this is a 4.0 box with rc.firewall:
> > > > # $FreeBSD: src/etc/rc.firewall,v 1.30 2000/02/06 19:24:37 paul Exp $
> > > >
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-net" in the body of the message