From owner-freebsd-questions Sun Feb 7 02:44:20 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA06867 for freebsd-questions-outgoing; Sun, 7 Feb 1999 02:44:20 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from ns.mtu.ru (ns.mtu.ru [195.34.32.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA06847; Sun, 7 Feb 1999 02:44:17 -0800 (PST) (envelope-from daktaklakpak@mtu-net.ru)
Received: from dial52078.mtu-net.ru (dial52078.mtu-net.ru [195.34.52.78]) by ns.mtu.ru (8.9.1/8.8.8) with ESMTP id NAA19540; Sun, 7 Feb 1999 13:44:13 +0300 (MSK)
Date: Sun, 7 Feb 1999 13:43:25 +0300 (MSK)
From: Danil Shebunin
X-Sender: danil@free-bsd.space
To: freebsd-questions@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: user ppp packet filtering & ipfw
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi!

Excuse my poor English. I have a question about ppp & ipfw.

I connect to my ISP with user ppp. The -alias option is turned on because my internal network has addresses 192.168.1.x, and the ISP assigns a dynamic IP addr to me. The gateway computer, which is also used as the dialout server, has address 192.168.1.1.

I need to disable any connections to Telnet and port 3000 of the gateway from the Internet (but enable connections to these ports from the internal network). Also I need to allow/disallow computers of my internal network to connect to the Internet via the gate. How can I achieve all this?

P.S. I have read man 8 ppp and changed the ppp.conf file. Below I provide a cut from this file. It seems to work. Do I go the right way?
---8<---
#I want to disallow comp 192.168.1.2 to use Internet connection
set filter in 0 deny 0/0 192.168.1.2/32
set filter out 0 deny 192.168.1.2/32 0/0
set filter in 1 deny tcp src eq telnet estab
set filter out 1 permit tcp dst eq telnet
set filter in 2 deny tcp dst eq 3000
set filter in 3 permit tcp src eq 21 estab
set filter out 3 permit tcp dst eq 21
set filter in 4 permit tcp src eq 20 dst gt 1023
set filter out 4 permit tcp dst eq 20
set filter in 5 permit tcp src eq 80 estab
set filter out 5 permit tcp dst eq 80
set filter in 6 permit udp src eq 53
set filter out 6 permit udp dst eq 53
set filter in 7 permit icmp
set filter out 7 permit icmp
set filter in 8 permit udp dst gt 33433
set filter out 8 permit udp dst gt 33433
set server +3000 internet
--->8---

When are the rules evaluated, if a packet comes from outside (Internet): before IP packet de-aliasing is performed, or after the packet appears in the internal network? And what about a packet going from inside to outside? Maybe the point is to use ppp packet filtering for the external network and ipfw for the internal? Or maybe I can use ipfw for both networks. In this case, how can I specify the dynamic IP addr in ipfw rules?

P.P.S. PLEASE, PLEASE, PLEASE reply to my e-mail also - I am not subscribed to these mailing lists.

Thanks, as long as you answer.

--
===---===---===---===---===---===
Have a nice CONNECT!
Dan (daktaklakpak@public.mtu.ru)
===---===---===---===---===---===
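As an added check that is not part of the post above: a small Python model that walks a subset of the quoted ppp.conf filter rules in first-match order against constructed packets, so the reader can see which rule decides the fate of an inbound Telnet or port-3000 connection and of traffic from 192.168.1.2. It assumes (not stated in the post) first-match semantics with an implicit deny when a direction has rules but none matches, that "estab" means the TCP ACK flag is set, and that the addresses are the ones the filter sees; 198.51.100.7 stands in for the dynamic ISP address and 203.0.113.9 for an Internet host, both constructed.

```python
# Toy first-match evaluator for a subset of the post's ppp(8) "set filter" rules.
# Assumed, not stated in the post: first matching rule wins, a direction with rules
# but no match denies, "estab" means TCP ACK set, addresses are as the filter sees them.
import ipaddress

RULES = """
set filter in 0 deny 0/0 192.168.1.2/32
set filter out 0 deny 192.168.1.2/32 0/0
set filter in 1 deny tcp src eq telnet estab
set filter out 1 permit tcp dst eq telnet
set filter in 2 deny tcp dst eq 3000
set filter in 5 permit tcp src eq 80 estab
set filter out 5 permit tcp dst eq 80
"""
PORTS = {"telnet": 23}  # ppp resolves service names via /etc/services
OPS = {"eq": int.__eq__, "lt": int.__lt__, "gt": int.__gt__}

def net(s):
    """Expand ppp shorthand such as 0/0 or 192.168.1.2/32 into a network."""
    addr, _, width = s.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(".".join(octets) + "/" + (width or "32"))

def parse(text):
    """Build {"in": [...], "out": [...]} rule lists in the order written."""
    rules = {"in": [], "out": []}
    for line in text.strip().splitlines():
        t = line.split()                      # set filter <dir> <no> <action> ...
        direction, action, rest = t[2], t[4], t[5:]
        src = dst = net("0/0")
        if rest and rest[0][0].isdigit():     # optional "src dst" address pair
            src, dst, rest = net(rest[0]), net(rest[1]), rest[2:]
        proto, rest = (rest[0], rest[1:]) if rest else (None, [])
        ports = [(rest[i], OPS[rest[i + 1]], PORTS.get(rest[i + 2]) or int(rest[i + 2]))
                 for i in range(0, len(rest) - 2, 3)]   # "src eq 21" triples
        rules[direction].append((action, src, dst, proto, ports, "estab" in rest))
    return rules

def verdict(rules, direction, src, dst, proto, sport=0, dport=0, ack=False):
    """Return "permit" or "deny" for one packet as the named filter sees it."""
    pkt = {"src": sport, "dst": dport}
    for action, snet, dnet, rproto, ports, estab in rules[direction]:
        if ipaddress.ip_address(src) not in snet or ipaddress.ip_address(dst) not in dnet:
            continue
        if (rproto and rproto != proto) or (estab and not ack):
            continue
        if all(op(pkt[side], port) for side, op, port in ports):
            return action
    return "deny"  # rules exist for this direction but none matched
```

Under these assumptions an inbound SYN to port 23 matches no rule and falls to the implicit deny, port 3000 is denied by rule 2, and anything from 192.168.1.2 is stopped by rule 0 before any permit is reached.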