From owner-freebsd-questions Fri Jun 30 04:31:58 1995
Return-Path: questions-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id EAA29575 for questions-outgoing; Fri, 30 Jun 1995 04:31:58 -0700
Received: from inet-gw-3.pa.dec.com (inet-gw-3.pa.dec.com [16.1.0.33]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id EAA29569 for ; Fri, 30 Jun 1995 04:31:56 -0700
Received: from tartufo.pcs.dec.com by inet-gw-3.pa.dec.com (5.65/24Feb95) id AA03821; Fri, 30 Jun 95 04:26:57 -0700
Received: by tartufo.pcs.dec.com (/\=-/\ Smail3.1.16.1 #16.39) id ; Fri, 30 Jun 95 13:25 MSZ
Message-Id:
Date: Fri, 30 Jun 95 13:25 MSZ
From: me@tartufo.pcs.dec.com (Michael Elbel)
To: mcw@hpato.aus.hp.com
Cc: questions@freebsd.org
Subject: Re: ipfw and socks again
Newsgroups: pcs.freebsd.questions
References: <199506300308.AA168761720@relay.hp.com>
Reply-To: me@freebsd.org
Sender: questions-owner@freebsd.org
Precedence: bulk

In pcs.freebsd.questions you write:

>Hi,
> I was under the impression that if I am to use sockd on FreeBSD as
>a firewall machine, I should have all other machines on behind it
>have the IP_FORWARDING off, except the firewall machine itself should
>have IP_FORWARDING on, is this correct? Is this also correct with the
>kernel ipfw?

No, the other way around. *Only* the firewall with its at least two
interfaces is supposed to have ip forwarding turned *off* (or the ipfw
configured to something similar, like blocking most traffic between the
interface on the inside and that on the outside).

IP forwarding on means that ip packets coming in on one interface that
have a route to another one will actually get passed there - basically
what having the machine be a router is all about. If you turn it off,
the firewall will not be able to route, exactly what all the firewall
stuff is about.

Michael
--
Michael Elbel, PCS GmbH, Muenchen, Germany - me@FreeBSD.org
Fermentation fault (coors dumped)
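
Added example, not part of the original message: a small Python model of the forwarding decision the reply describes, for a dual-homed firewall host running a proxy such as sockd. The interface names, addresses and function names are constructed for illustration; the real decision is made in the kernel.

```python
import ipaddress

# Constructed topology (assumption): inside LAN on ed0, outside network on ed1.
INTERFACES = {
    "ed0": ipaddress.ip_interface("192.168.1.1/24"),   # inside
    "ed1": ipaddress.ip_interface("203.0.113.1/24"),   # outside
}
DEFAULT_ROUTE_IF = "ed1"  # hypothetical default route points outside


def route_lookup(dst):
    """Return the outgoing interface for dst: connected network first, else default."""
    for name, iface in INTERFACES.items():
        if dst in iface.network:
            return name
    return DEFAULT_ROUTE_IF


def handle_packet(in_if, dst, forwarding):
    """Model what the host does with one packet that arrived on in_if.

    `forwarding` stands for the IP_FORWARDING setting discussed in the message.
    """
    dst = ipaddress.ip_address(dst)
    # Packets addressed to the host itself (e.g. to the proxy's listening
    # address) are delivered locally whether or not forwarding is enabled.
    if any(dst == iface.ip for iface in INTERFACES.values()):
        return "deliver-local"
    # Anything else would have to be routed to another destination.
    if not forwarding:
        return "drop"  # host is not a router: no direct inside<->outside path
    return "forward:" + route_lookup(dst)


if __name__ == "__main__":
    cases = [
        ("ed0", "198.51.100.7"),   # inside client -> outside server
        ("ed1", "192.168.1.20"),   # outside host -> inside client
        ("ed0", "192.168.1.1"),    # inside client -> proxy on the firewall
    ]
    for forwarding in (True, False):
        for in_if, dst in cases:
            print(forwarding, in_if, dst, handle_packet(in_if, dst, forwarding))
```

With forwarding off, the only traffic that crosses between the two networks is what the proxy itself relays after accepting a locally delivered connection.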