Date: Mon, 6 Jul 1998 02:27:23 -0700 (PDT) From: Julian Elischer <julian@whistle.com> To: Dan Langille <junkmale@xtra.co.nz> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: using IPFW as a firewall Message-ID: <Pine.BSF.3.95.980706021555.11949H-100000@current1.whistle.com> In-Reply-To: <199807060849.UAA17014@cyclops.xtra.co.nz>
On Mon, 6 Jul 1998, Dan Langille wrote:
> three rules within /etc/rc.firewall must be commented out in order for
> some stuff to work. Can anyone educate me as to why these rules
> prevent ping, news, mail, etc. from running on machines on my home
> network? Those sections of rc.firewall appear below.
What's your local topology?
>
> ---
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
oif is the outside interface. 192.168 addresses should never be seen there.
>
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
Allow TCP packets going in any direction if they are not startup packets.
>
> # Allow setup of any other TCP connection
> $fwcmd add pass tcp from any to any setup
I see it's supposed to be after a rule that blocks incoming setup packets.
This rule accepts; I can't see how removing it helps anything.
> ---
>
> I'm also running natd. Where's the best place to put the rules pertaining
> to natd? e.g. add divert natd all from any to any via ed0
> I can't put them in rc.firewall as natd doesn't seem to be active at that
> time.
Doesn't matter. If natd isn't running they effectively become 'drop'
rules until it starts up.
julian
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.980706021555.11949H-100000>
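The points made in this exchange (a 192.168 source should never appear on the outside interface, "established" matches everything but setup packets, and a divert rule with no natd listening behaves like a drop) all come down to ipfw's first-match evaluation order. The following is an added example, not code from the thread or from FreeBSD: a small Python model of that evaluation, fed the rules quoted above plus a natd divert rule. Interface names (ed0 outside, ed1 inside), the addresses (documentation ranges), the single-host NAT stand-in, and the rule ordering with the divert placed first are all assumptions made for the illustration; rc.firewall's UDP/ICMP rules are not modelled.

```python
"""First-match model of ipfw(8) rule evaluation (constructed example, not ipfw)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

OIF = "ed0"             # assumed outside interface, stands in for ${oif}
IIF = "ed1"             # assumed inside (home network) interface
EXT_IP = "203.0.113.5"  # assumed public address of the firewall host
LAN_HOST = "192.168.1.2"
REMOTE = "198.51.100.7"


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    iface: str          # interface the packet crosses
    direction: str      # "in" or "out", relative to the firewall host
    syn: bool = False
    ack: bool = False
    rst: bool = False

    def is_setup(self) -> bool:          # ipfw 'setup': SYN set, ACK clear
        return self.proto == "tcp" and self.syn and not self.ack

    def is_established(self) -> bool:    # ipfw 'established': ACK or RST set
        return self.proto == "tcp" and (self.ack or self.rst)


@dataclass
class Rule:
    action: str                          # "pass", "deny" or "divert"
    proto: str = "all"
    src: str = "0.0.0.0/0"               # 192.168.0.0:255.255.0.0 in rc.firewall == /16 here
    dst: str = "0.0.0.0/0"
    via: Optional[str] = None            # ipfw 'via': either direction on that interface
    direction: Optional[str] = None      # ipfw 'in' / 'out'
    setup: bool = False
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "all" or self.proto == p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.via is None or p.iface == self.via)
            and (self.direction is None or p.direction == self.direction)
            and (not self.setup or p.is_setup())
            and (not self.established or p.is_established())
        )


def natd_translate(p: Packet, state: dict) -> Packet:
    """Crude stand-in for natd(8): one LAN host hidden behind EXT_IP."""
    if p.direction == "out" and ipaddress.ip_address(p.src).is_private:
        state["lan_host"] = p.src
        return replace(p, src=EXT_IP)
    if p.direction == "in" and p.dst == EXT_IP and "lan_host" in state:
        return replace(p, dst=state["lan_host"])
    return p


def evaluate(rules, p: Packet, natd_running: bool, state: Optional[dict] = None):
    """Walk the rule list first-match; returns (verdict, matching rule number)."""
    state = {} if state is None else state
    for n, r in enumerate(rules, start=1):
        if not r.matches(p):
            continue
        if r.action == "divert":
            if not natd_running:
                return ("deny", n)          # nobody on the divert socket: packet is dropped
            p = natd_translate(p, state)
            continue                        # translated packet re-enters at the next rule
        return (r.action, n)
    return ("deny", 65535)                  # kernel default rule (deny unless built otherwise)


def rc_firewall_rules(divert_first: bool = True):
    """The three quoted rules, a deny for incoming setups, and the natd divert."""
    nat = Rule("divert", via=OIF)
    rules = [
        Rule("deny", src="192.168.0.0/16", via=OIF),               # stop RFC1918 on ${oif}
        Rule("deny", proto="tcp", direction="in", via=OIF, setup=True),
        Rule("pass", proto="tcp", established=True),
        Rule("pass", proto="tcp", setup=True),
    ]
    return [nat] + rules if divert_first else rules[:1] + [nat] + rules[1:]


# Constructed packets for the scenarios discussed in the thread.
def lan_syn_out():    return Packet("tcp", LAN_HOST, REMOTE, OIF, "out", syn=True)
def remote_ack_in():  return Packet("tcp", REMOTE, EXT_IP, OIF, "in", ack=True)
def remote_syn_in():  return Packet("tcp", REMOTE, EXT_IP, OIF, "in", syn=True)
def spoofed_in():     return Packet("tcp", "192.168.9.9", EXT_IP, OIF, "in", ack=True)
def lan_syn_inside(): return Packet("tcp", LAN_HOST, REMOTE, IIF, "in", syn=True)


if __name__ == "__main__":
    st = {}
    print("LAN SYN out, natd up     :", evaluate(rc_firewall_rules(), lan_syn_out(), True, st))
    print("reply ACK in             :", evaluate(rc_firewall_rules(), remote_ack_in(), True, st))
    print("LAN SYN out, natd down   :", evaluate(rc_firewall_rules(), lan_syn_out(), False))
    print("LAN SYN out, divert late :", evaluate(rc_firewall_rules(False), lan_syn_out(), True))
    print("Internet SYN in          :", evaluate(rc_firewall_rules(), remote_syn_in(), True))
    print("192.168 spoof on ed0     :", evaluate(rc_firewall_rules(), spoofed_in(), True))
```

Running it shows the outbound connection passing only when the divert comes before the RFC1918 deny: with the divert placed later, the LAN host's packet still carries its 192.168 source when it reaches the deny rule on ${oif} and is dropped before natd ever sees it, and with natd not running the divert itself drops it, as the reply says. Incoming setups from the outside are stopped by the deny-setup rule, replies to outbound connections pass under "established", and traffic on the inside interface never touches the ${oif} rules at all.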
