Date:      Fri, 28 May 1999 11:29:45 +0200
From:      Ladavac Marino <mladavac@metropolitan.at>
To:        "'Konstantinos.DRYLLERAKIS@DG21.cec.be'" <Konstantinos.DRYLLERAKIS@DG21.cec.be>, freebsd-hackers@freebsd.org, freebsd-question@freebsd.org
Subject:   RE: ipfw/natd limitation: controlling access of an unregistered net to the internet
Message-ID:  <55586E7391ACD211B9730000C1100276179629@r-lmh-wi-100.corpnet.at>

> -----Original Message-----
> From:	Konstantinos.DRYLLERAKIS@DG21.cec.be
> [SMTP:Konstantinos.DRYLLERAKIS@DG21.cec.be]
> Sent:	Friday, May 28, 1999 11:15 AM
> To:	freebsd-hackers@freebsd.org; freebsd-question@freebsd.org
> Subject:	ipfw/natd limitation: controlling access of an
> unregistered net to the internet
> 
> It seems to me that outgoing packets through the outer interface
> should first be run (somehow) through the firewall and if successful
> pass through natd (without a further re-injection to the firewall
> ruleset) whereas incoming packets should pass first from natd and then
> pass through the firewall rules (the existing operation). [ It is
> clear that only "deny" rules can be added before the "divert" rule to
> control the outgoing packets of internal machines and this can prove
> very tricky and tedious ].
> 
	[ML]  Did you consider using a firewall-cleanwall combination?
	In essence, the idea is very simple: the cleanwall is inside
the firewall and it does not allow unprivileged packets to reach the
nat/firewall.  I think that Bellovin's book explains this in detail.
The downside is that you need two machines.

	/Marino
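The rule-ordering limitation described in the quoted message, modelled as an added example (not code from either poster): a small Python simulation of ipfw walking a ruleset that contains a natd divert rule. Diverted packets are handed to a toy natd and re-injected at the next rule, so an outbound rule placed after the divert only ever sees the translated (outer) source address, while an inbound rule after the divert sees the translated (inside) destination. The addresses, the blocked host and the simplified natd (which keys its mapping on the remote host) are constructed assumptions for the model, not anything from the thread.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the model: an RFC 1918 inside net and a
# documentation-range outer address standing in for the real interface.
OUTER_IP = "192.0.2.1"
BLOCKED_HOST = "10.0.0.99"   # inside machine that must not reach the internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "out" (leaving via the outer interface) or "in"


def natd(pkt, table):
    """Toy natd: map an outbound source to the outer address, remember the
    mapping by remote host, and translate inbound destinations back."""
    if pkt.direction == "out":
        table[pkt.dst] = pkt.src
        return replace(pkt, src=OUTER_IP)
    inside = table.get(pkt.src)
    return replace(pkt, dst=inside) if inside else pkt


def walk(rules, pkt, table=None):
    """Walk an ipfw-style rule list in number order. A 'divert' rule hands
    the packet to natd and continues at the NEXT rule with the rewritten
    packet, which is how ipfw re-injects packets returned by natd."""
    table = {} if table is None else table
    for num, action, match in rules:
        if not match(pkt):
            continue
        if action == "divert":
            pkt = natd(pkt, table)
            continue
        return action, num, pkt
    return "deny", 65535, pkt   # implicit default deny at the end of the ruleset


# Rule tuple: (number, action, predicate). The divert rule matches everything
# crossing the outer interface, like 'divert natd ip from any to any via ext0'.
def rules_deny_after_divert():
    """The tempting but broken layout: the deny rule sits after the divert."""
    return [
        (100, "divert", lambda p: True),
        (200, "deny",   lambda p: p.src == BLOCKED_HOST),
        (300, "allow",  lambda p: True),
    ]


def rules_deny_before_divert():
    """The working layout: deny rules for inside hosts precede the divert."""
    return [
        (50,  "deny",   lambda p: p.direction == "out" and p.src == BLOCKED_HOST),
        (100, "divert", lambda p: True),
        (300, "allow",  lambda p: True),
    ]


def outbound_verdict(rules):
    """Verdict for the blocked inside host trying to reach an outside server."""
    pkt = Packet(src=BLOCKED_HOST, dst="198.51.100.10", direction="out")
    action, num, seen = walk(rules, pkt)
    return action, num, seen.src


def inbound_verdict():
    """Inbound reply: natd runs first, so a rule after the divert can match
    the already-translated inside destination."""
    table = {}
    # Prime the translation table with an outbound connection from 10.0.0.7.
    walk([(100, "divert", lambda p: True), (300, "allow", lambda p: True)],
         Packet(src="10.0.0.7", dst="198.51.100.10", direction="out"), table)
    rules = [
        (100, "divert", lambda p: True),
        (250, "deny",   lambda p: p.direction == "in" and p.dst == "10.0.0.7"),
        (300, "allow",  lambda p: True),
    ]
    reply = Packet(src="198.51.100.10", dst=OUTER_IP, direction="in")
    action, num, seen = walk(rules, reply, table)
    return action, num, seen.dst


if __name__ == "__main__":
    print("deny after divert :", outbound_verdict(rules_deny_after_divert()))
    print("deny before divert:", outbound_verdict(rules_deny_before_divert()))
    print("inbound, rule after divert:", inbound_verdict())
```

Running it shows the asymmetry the original poster describes: with the deny after the divert the blocked host's packet is allowed by rule 300 because rule 200 only ever sees the outer address; moving the deny in front of the divert blocks it at rule 50; and on the inbound side a rule after the divert does match the inside destination, because natd has already translated it.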







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55586E7391ACD211B9730000C1100276179629>