From owner-freebsd-security Thu Aug 20 08:55:27 1998
Date: Thu, 20 Aug 1998 08:54:22 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: laurens van alphen
cc: ben@efn.org, freebsd-security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
In-Reply-To: <000201bdcc31$926e5510$0a00a8c0@uptight.student.utwente.nl>
Message-ID:

On Thu, 20 Aug 1998, laurens van alphen wrote:

> rc.firewall contains:
> $fwcmd add divert natd all from any to any via ${natd_interface}
> where natd_interface is ed0
>
> next the default rc.firewall contained these rules:
>
> $fwcmd add deny all from 192.168.0.0/16 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0/16 via ${oif}

Check to see if the deny rules are indeed being hit (ipfw -a l will show a
counter of how many packets it has denied/allowed).

You should also add numerics to the rules:

$fwcmd add 1 divert natd all from any to any via ${natd_interface}

I might also change these rules to:

$fwcmd add 100 deny all from 192.168.0.0/16 to any via ${oif} in
$fwcmd add 101 deny all from any to 192.168.0.0/16 via ${oif} in

> --
> laurens van alphen
> craxx e-consultants
> alphen@craxx.com
> http://craxx.com/
>
> -- the information contained in this communication is confidential and
> may be legally privileged. it is intended solely for the use of the
> individual or entity to whom it is addressed and others authorised to

You misspelled authorized.

> receive it. if you are not the intended recipient you are hereby notified
> that any disclosure, copying, distribution or taking any action in
> reliance of the contents of this information is strictly prohibited and
> may be unlawful. craxx is neither liable for the proper and complete
> transmission of the information contained in this communication nor
> for any delay in its receipt.

-ben@efn.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
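The simulator below is an added example, not code from the thread or from rc.firewall. It models ipfw's first-match walk in rule-number order, with a diverted packet re-entering the chain after the divert rule once natd has rewritten it, and runs an outbound packet and its returning reply through three rulesets: the default order quoted above, the numbered rules from the reply, and a variant whose destination-side deny rule is qualified `out` instead of `in`. The public address 203.0.113.1, the inside host 192.168.0.10, the external host 198.51.100.7 and the one-host static translation are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed for the demo (not from the thread): the gateway's public address on
# ed0 and the single inside host that natd maps it back to.
PUBLIC_IP, INSIDE_HOST = "203.0.113.1", "192.168.0.10"
ANY, RFC1918 = "0.0.0.0/0", "192.168.0.0/16"
Packet = namedtuple("Packet", "src dst iface direction")  # direction: "in" or "out"

def rule(num, action, src, dst, via, direction=None):
    """'<num> <action> all from <src> to <dst> via <via> [in|out]' as a tuple."""
    return (num, action, ipaddress.ip_network(src), ipaddress.ip_network(dst), via, direction)

def matches(r, pkt):
    _, _, src, dst, via, direction = r
    return (ipaddress.ip_address(pkt.src) in src and ipaddress.ip_address(pkt.dst) in dst
            and pkt.iface == via and direction in (None, pkt.direction))

def natd(pkt):
    """Static one-host translation standing in for natd (an assumption)."""
    if pkt.direction == "out":
        return pkt._replace(src=PUBLIC_IP)
    return pkt._replace(dst=INSIDE_HOST) if pkt.dst == PUBLIC_IP else pkt

def evaluate(rules, pkt):
    """First match wins, in rule-number order. A diverted packet goes through natd and
    re-enters the chain at the rule after the divert; falling off the end is the default deny."""
    for r in sorted(rules, key=lambda r: r[0]):
        if not matches(r, pkt):
            continue
        if r[1] == "divert":
            pkt = natd(pkt)
            continue
        return r[1], pkt
    return "deny", pkt
ALLOW = rule(65000, "allow", ANY, ANY, "ed0")
RULESETS = {
    # rc.firewall order quoted in the thread: undirected denies ahead of the divert
    "default": [rule(100, "deny", RFC1918, ANY, "ed0"), rule(101, "deny", ANY, RFC1918, "ed0"),
                rule(200, "divert", ANY, ANY, "ed0"), ALLOW],
    # the numbered rules from the reply: divert at 1, both denies qualified 'in'
    "reply": [rule(1, "divert", ANY, ANY, "ed0"), rule(100, "deny", RFC1918, ANY, "ed0", "in"),
              rule(101, "deny", ANY, RFC1918, "ed0", "in"), ALLOW],
    # variant: the destination-side rule qualified 'out' instead
    "directional": [rule(1, "divert", ANY, ANY, "ed0"), rule(100, "deny", RFC1918, ANY, "ed0", "in"),
                    rule(101, "deny", ANY, RFC1918, "ed0", "out"), ALLOW],
}
def verdict(name, pkt):  # final action ('allow' or 'deny') for pkt under the named ruleset
    return evaluate(RULESETS[name], pkt)[0]
```

Comparing `ipfw -a l` counters on the real box against what the simulator predicts for each ruleset tells you which rule is eating the packets.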