From owner-freebsd-questions Mon Dec 27 20:44:21 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from wondermutt.net (host75-157.student.udel.edu [128.175.75.157]) by hub.freebsd.org (Postfix) with ESMTP id 866FD14D09 for ; Mon, 27 Dec 1999 20:44:18 -0800 (PST) (envelope-from papalia@udel.edu)
Received: from morgaine (nyf-ny10-39.ix.netcom.com [198.211.18.103]) by wondermutt.net (8.9.3/8.9.3) with SMTP id XAA01097 for ; Mon, 27 Dec 1999 23:53:39 -0500 (EST) (envelope-from papalia@udel.edu)
Message-Id: <4.1.19991227224118.009e68e0@mail.udel.edu>
X-Sender: papalia@mail.udel.edu
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 27 Dec 1999 23:44:27 -0500
To: freebsd-questions@freebsd.org
From: John
Subject: IPFW
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi all,

I was just tooling around with the rules for configuring a "simple" config instead of an "open" config, both to learn, and to ultimately achieve the simple config. In messing around, though, I came up with a question that I'm not sure about.
Network configuration is:

* FreeBSD gateway maintaining an assigned outside IP
* Same box maintains an inside IP on a 192.168.x.x subnet
* All inside boxes assigned 192.168.x.x IPs

For example, if I want to allow SSH connections only *to* the FreeBSD box, but I want both the FreeBSD box and the internal boxes to be able to generate outgoing SSH sessions in the outside world, is the following enough?

# Allow all traffic from inside out
$fwcmd add pass all from ${iip} to ${inet}:${imask}
$fwcmd add pass all from ${inet}:${imask} to ${iip}

# Allow access to SSH
# (the protocol must be tcp: "setup" matches the SYN of a TCP connection,
# and "any" is not an ipfw protocol keyword)
$fwcmd add pass tcp from any to ${oip} 22 setup
$fwcmd add pass tcp from ${oip} to any 22 setup

# Allow all established connections to pass
$fwcmd add pass tcp from any to any established

Also, if I wanted users on the inside network to be able to access external hosts for popmail, but wanted to have popmail disabled on the FreeBSD server, would the following solve the problem, or would it cause a security hole?

$fwcmd add pass tcp from ${inet}:${imask} to any 110 via ${oif} setup

Thanks in advance!!!

Best,
John Papalia

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
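As an added example (not part of John's post and not FreeBSD's own rc.firewall), here is a complete, ordered, stateless ipfw rule set for the gateway layout described above: SSH inbound only to the gateway, SSH and POP outbound from the gateway and the inside hosts, POP never reachable on the gateway itself, everything else refused. Variable names follow rc.firewall's "simple" section (oif, oip, iif, iip, inet, imask); the interface names and addresses are constructed placeholders, and the script assumes natd is doing the address translation on the outside interface. By default it only prints the ipfw commands so it can be read and tested anywhere; setting fwcmd=/sbin/ipfw applies them.

```sh
#!/bin/sh
# Added example, not the poster's rules and not FreeBSD's rc.firewall.
# Stateless ipfw rule set for a gateway with one outside and one inside
# interface, using the rc.firewall "simple" variable names.
# Assumes natd is running on the outside interface, so inside hosts'
# packets leave with ${oip} as their source address.
#
# Dry run (default): prints the ipfw commands.  On a real gateway:
#   fwcmd=/sbin/ipfw sh gateway-rules.sh
fwcmd="${fwcmd:-echo ipfw}"

oif="ep0"               # outside interface (assumed name)
oip="192.0.2.10"        # assigned outside IP (documentation-range placeholder)
iif="ep1"               # inside interface (assumed name)
iip="192.168.1.1"       # gateway's inside IP (constructed)
inet="192.168.1.0"      # inside network (constructed)
imask="255.255.255.0"

build_rules() {
    $fwcmd -f flush

    # Loopback, and nothing else may claim 127/8
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8

    # Anti-spoofing: inside addresses never arrive on the outside interface
    $fwcmd add 300 deny log all from ${inet}:${imask} to any in via ${oif}

    # POP must not be reachable on the gateway itself, on either address,
    # so refuse it before the blanket inside<->gateway rules below
    $fwcmd add 400 deny log tcp from any to ${oip} 110 setup
    $fwcmd add 410 deny log tcp from any to ${iip} 110 setup

    # Anything else between the gateway and the inside network
    $fwcmd add 500 pass all from ${iip} to ${inet}:${imask}
    $fwcmd add 510 pass all from ${inet}:${imask} to ${iip}

    # Inside hosts may open SSH and POP sessions outward.  Matched on the
    # inside interface, before natd rewrites the private source address.
    $fwcmd add 600 pass tcp from ${inet}:${imask} to any 22,110 setup in via ${iif}

    # NAT on the outside interface; translated packets re-enter at rule 800
    $fwcmd add 700 divert natd all from any to any via ${oif}

    # Replies to connections that were allowed to set up
    $fwcmd add 800 pass tcp from any to any established

    # SSH: inbound only to the gateway's outside address
    $fwcmd add 900 pass tcp from any to ${oip} 22 setup

    # Outbound SSH/POP leaving the outside interface: the gateway's own
    # sessions and the NATed inside sessions, which now carry ${oip}
    $fwcmd add 1000 pass tcp from ${oip} to any 22,110 setup out via ${oif}

    # Every other attempt to open a connection is refused and logged
    $fwcmd add 1100 deny log tcp from any to any setup
    $fwcmd add 65000 deny log all from any to any
}

build_rules
```

Two design points worth noting. First, a rule that matches on the private source address and `via ${oif}` only works if it sits before the natd divert rule; after it, outbound packets on the outside interface already carry ${oip}, so the rule above matches inside hosts on the inside interface instead. Second, the POP denies are placed before the blanket inside-to-gateway pass rules, since a later deny would never be reached; the last rule is the explicit default deny, with logging so refused attempts show up in the system log.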