Date:      Wed, 02 Apr 2003 13:31:25 +0000
From:      Ryan Merrick <sandshrimp@attbi.com>
To:        Brian McCann <bjm1287@ritvax.isc.rit.edu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: NATD & IPFW
Message-ID:  <3E8AE62D.1040504@attbi.com>
References:  <000001c2f8cb$6e4f5e60$2f811581@garfield>

Brian McCann wrote:

>Hi all.  I'm having an issue with security while trying to get natd to
>work with ipfw.  I got my ipfw rules working great, so I added the natd
>line in:
>
>  ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE
>
>But I can't do anything (ping, fetch, etc) until I add:
>  ipfw add pass all from any to any
>
>Now, I may be wrong, but doesn't this pretty much open the box up?  I
>tried changing the first "any" to my internal network, but that didn't
>work, and I know I've got to be missing something.
>
>If anyone would like to help me off-list, I could send you a copy of my
>rule set if you'd like.
>
>Thanks in advance,
>--Brian
>
Hello,

The best way to learn about your firewall is to log all denied packets 
and review the log file while trying different programs that access the 
network.

#ipfw add 6500 deny log all from any to any

#tail -f /var/log/security

Then create rules based on what shows up in the logs.

-Ryan
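The "log the denies, then write rules from what you see" workflow above, as an added example that is not part of either message: a small POSIX shell script that tallies ipfw "Deny" lines from /var/log/security by protocol, destination port, direction and interface, and prints a candidate allow rule for each. The log lines, the rule number 1000 and the use of keep-state are assumptions made for the example.

```shell
#!/bin/sh
# Summarise ipfw "Deny" log lines so they can be turned into explicit rules.
# Assumed kernel log format (ipfw rule with the 'log' keyword):
#   ipfw: <rule> Deny <PROTO> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>

# Constructed sample lines in /var/log/security style (not real traffic).
SAMPLE_LOG='Apr  2 13:31:25 gw kernel: ipfw: 6500 Deny TCP 192.168.1.10:49152 10.0.0.1:80 out via fxp0
Apr  2 13:31:26 gw kernel: ipfw: 6500 Deny TCP 192.168.1.10:49153 10.0.0.1:80 out via fxp0
Apr  2 13:31:27 gw kernel: ipfw: 6500 Deny UDP 192.168.1.10:1025 10.0.0.2:53 out via fxp0
Apr  2 13:31:28 gw kernel: ipfw: 6500 Deny ICMP:8.0 192.168.1.10 10.0.0.1 out via fxp0
Apr  2 13:31:29 gw kernel: ipfw: 6500 Deny TCP 203.0.113.5:4444 10.0.0.1:22 in via fxp0'

# summarize_denies: read log lines on stdin, print "count proto dport dir iface",
# most frequent first. ICMP has no port, so dport is "-".
summarize_denies() {
    awk '
    /ipfw: [0-9]+ Deny / {
        for (i = 1; i <= NF; i++) if ($i == "Deny") break
        proto = $(i+1); dst = $(i+3); dir = $(i+4); iface = $(i+6)
        sub(/:.*/, "", proto)                       # ICMP:8.0 -> ICMP
        dport = "-"
        if (index(dst, ":") > 0) { split(dst, a, ":"); dport = a[2] }
        count[proto " " dport " " dir " " iface]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# suggest_rule: turn one summary line into an allow rule limited to the
# observed protocol, port, direction and interface. Rule number 1000 is an
# assumption; place it where it fits your own numbering, after the divert rule.
suggest_rule() {
    # $1=count $2=proto $3=dport $4=dir $5=iface
    proto=$(echo "$2" | tr 'A-Z' 'a-z')
    if [ "$3" = "-" ]; then
        echo "ipfw add 1000 allow $proto from any to any $4 via $5 keep-state"
    else
        echo "ipfw add 1000 allow $proto from any to any $3 $4 via $5 keep-state"
    fi
}

# Usage: replace SAMPLE_LOG with `tail -n 500 /var/log/security` on the box.
printf '%s\n' "$SAMPLE_LOG" | summarize_denies | while read -r n p d dir iface; do
    echo "# $n denied: $p dport=$d $dir via $iface"
    suggest_rule "$n" "$p" "$d" "$dir" "$iface"
done
```

Review each suggested line before adding it; the inbound TCP/22 entry in the sample is exactly the kind of deny you want to keep, not allow.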



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E8AE62D.1040504>