Date:      Fri, 28 May 1999 09:59:34 -0400 (EDT)
From:      Rich Fox <rich@f2sys.net>
To:        "Wayne, Ken" <WAYNEK@SCHNEIDER.COM>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: FreeBSD: Firewall
Message-ID:  <Pine.BSF.4.05.9905280946440.66197-100000@ppp-rich.ari.net>
In-Reply-To: <47FF6BD08413D311A35900805F31EA72@SCHNEIDER.COM>

Hi,

From what I understand, you need to reciprocate your access in also; that
is, with this configuration:

>  allow ip from 172.16.1.1 to any
>  allow ip from 172.16.1.5 to any
>  deny all

You're letting any packet out from ~.1 & ~.5 but you're not letting any
packets back in.
So if you change this to read:

  allow ip from 172.16.1.1 to any
  allow ip from any to 172.16.1.1
  allow ip from 172.16.1.5 to any
  allow ip from any to 172.16.1.5
  deny all

These boxes will now be able to send *and* receive packets to the
other side of the firewall. (Actually the first box .1 may only be able to
handle transmitting and receiving packets via its interface, assuming this
is the gateway box).
I have this same setup with Macs on the inside, so I can just let anything
to or from the client boxes.
I am not sure how best to handle dynamic IP addresses (I have static) when
creating firewall rules, but at the very least, I would drop a script into
ppp.linkup that adds an 'ipfw add' rule as soon as the box makes a
successful connection (a rule that restricts packets from the outside to
your FreeBSD box). Perhaps someone will suggest a better method.

Rich.
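As an added illustration of the point above (an example written for this page, not code from the thread), here is a small Python model of ipfw's stateless, first-match rule evaluation. It parses the rule syntax quoted in the thread, including the `addr:mask` form, and shows that the one-way ruleset passes the outbound packet but denies the reply, while the reciprocal ruleset passes both. The outside address 192.0.2.10 is a constructed placeholder; the `via` interface qualifier is ignored by the model.

```python
# Added example: a minimal model of ipfw's stateless, first-match evaluation.
# It only implements 'allow/deny ip from SRC to DST' and 'deny all'.
import ipaddress

def parse_addr(spec):
    """Parse an ipfw address spec: 'any', 'a.b.c.d', or 'a.b.c.d:netmask'."""
    if spec == "any":
        return None
    if ":" in spec:
        addr, mask = spec.split(":", 1)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(f"{spec}/32")

def parse_rule(text):
    """Parse 'ACTION PROTO from SRC to DST [via IFACE]' or 'ACTION all'."""
    words = text.split()
    if len(words) == 2 and words[1] == "all":
        return {"action": words[0], "src": None, "dst": None}
    # words[3] is SRC, words[5] is DST; any trailing 'via IFACE' is ignored here.
    return {"action": words[0], "src": parse_addr(words[3]), "dst": parse_addr(words[5])}

def matches(net, ip):
    """'any' (stored as None) matches every address."""
    return net is None or ipaddress.ip_address(ip) in net

def verdict(rules, src, dst):
    """First matching rule wins, as in ipfw; nothing matching falls through to deny."""
    for rule in rules:
        if matches(rule["src"], src) and matches(rule["dst"], dst):
            return rule["action"]
    return "deny"

ONE_WAY = [parse_rule(r) for r in (
    "allow ip from 172.16.1.1 to any",
    "allow ip from 172.16.1.5 to any",
    "deny all",
)]
RECIPROCAL = [parse_rule(r) for r in (
    "allow ip from 172.16.1.1 to any",
    "allow ip from any to 172.16.1.1",
    "allow ip from 172.16.1.5 to any",
    "allow ip from any to 172.16.1.5",
    "deny all",
)]

def check_round_trip(rules, inside, outside="192.0.2.10"):
    """Return (outbound verdict, reply verdict) for a packet from `inside` and its reply."""
    # 192.0.2.10 is a constructed documentation-range address standing in for any Internet host.
    return verdict(rules, inside, outside), verdict(rules, outside, inside)
```

`check_round_trip(ONE_WAY, "172.16.1.5")` returns `('allow', 'deny')`, while `check_round_trip(RECIPROCAL, "172.16.1.5")` returns `('allow', 'allow')`; a host not listed in the rules, such as 172.16.1.9, is denied in both directions.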

On Fri, 28 May 1999, Wayne, Ken wrote:

> I apologize if there is a better list to send this question to.  I think this
> is a network question.
> 
> I want to limit who gets from my internal network to the Internet to a few
> static IP addresses.  I also want to prevent people on the Internet from
> getting access to my FreeBSD box or workstations.
> 
> I'm running FreeBSD 2.2.8 with the included Firewall (IPFW) and NAT.
> 
> The NIC in my FreeBSD box (ed0) is set to 172.16.1.1 and the modem is
> dynamically assigned when connecting to the Internet.
> 
> My workstation's (Win '95) NIC is set to 172.16.1.5 and its DNS and gateway
> is set to 172.16.1.1
> 
> With the following firewall rules, I can get access to the internet via
> workstation or FreeBSD.
>  allow all from any to any
>  deny all
> 
> When I have any of the following rule combinations it doesn't allow access to
> the internet from a workstation or my FreeBSD box.
> 
>  allow ip from 172.16.1.1 to any
>  allow ip from 172.16.1.5 to any
>  deny all
> 
>  allow ip from 172.16.1.1 to any via any
>  allow ip from 172.16.1.5 to any via any
>  deny all
> 
>  allow ip from 172.16.1.1 to any via tun0
>  allow ip from 172.16.1.5 to any via tun0
>  deny all
> 
>  allow ip from 172.16.0.0:255.255.255.0 to any
>  deny all
> 
>  allow ip from 172.16.0.0:255.255.255.0 to any via any
>  deny all
> 
>  allow ip from 172.16.1.0:255.255.255.0 to any
>  deny all
> 
>  allow ip from 172.16.1.0:255.255.255.0 to any via any
>  deny all
> 
>  allow ip from 172.16.1.1:255.255.255.0 to any
>  allow ip from 172.16.1.5:255.255.255.0 to any
>  deny all
> 
>  allow ip from 172.16.1.1:255.255.255.0 to any via any
>  allow ip from 172.16.1.5:255.255.255.0 to any via any
>  deny all
> 
> Any help is greatly appreciated!
> 
> Thanks, -Ken
> 
> 