Date:      Sat, 25 Sep 1999 12:51:08 +0200
From:      Harold Gutch <logix@foobar.franken.de>
To:        Brett Glass <brett@lariat.org>, Nate Williams <nate@mt.sri.com>
Cc:        Monte Westlund <montejw@memes.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: default rc.firewall
Message-ID:  <19990925125108.A13871@foobar.franken.de>
In-Reply-To: <4.2.0.58.19990924113626.0480db00@localhost>; from Brett Glass on Fri, Sep 24, 1999 at 11:41:55AM -0600
References:  <4.2.0.58.19990924111600.04809a90@localhost> <3.0.5.32.19990923152232.007c94c0@memes.com> <4.2.0.58.19990924111600.04809a90@localhost> <199909241733.LAA27644@mt.sri.com> <4.2.0.58.19990924113626.0480db00@localhost>

On Fri, Sep 24, 1999 at 11:41:55AM -0600, Brett Glass wrote:
> At 11:33 AM 9/24/99 -0600, Nate Williams wrote:
> 
> >Why are you allowing connections from your WWW server to folks?  WWW
> >traffic isn't generated *from* your server, but to your server.
> 
> Ah, but the same box is also doing NAT for internal machines. If
> connections on port 80 weren't allowed OUT, then people on the
> local "subnet 10" couldn't browse the Web. The person who posted
> the original message of this thread seemed to want NAT to work
> (please correct me if I'm wrong here).
> 
But in this case you don't want to allow SYN packets coming from
the inside with *source* port 80, but with *destination* port 80.

Instead of

     $fwcmd add pass tcp from ${oip} 80 to any setup

you'd want

     $fwcmd add pass tcp from ${oip} to any 80 setup

Alternatively set up a proxy that your users have to use.

bye,
  Harold

-- 
<Shabby> Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar  4 04:53:33 CET 1998   #unix, ircnet
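The source-port versus destination-port point made above, as an added example that is not part of the original thread: a small Python model of how the two ipfw "setup" rules match a NATed client's outbound web SYN. The outside address, the sample packets and the rule matcher are constructed assumptions for illustration, not ipfw's own code.

```python
from dataclasses import dataclass

OIP = "192.0.2.1"  # constructed: the firewall's outside (NAT) address

@dataclass(frozen=True)
class Syn:
    """A TCP SYN as seen on the outside interface after NAT (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int

# The two rules quoted in the message, with ${oip} left for substitution.
WRONG = "$fwcmd add pass tcp from ${oip} 80 to any setup"
RIGHT = "$fwcmd add pass tcp from ${oip} to any 80 setup"

def parse_rule(rule: str, oip: str = OIP) -> dict:
    """Parse 'pass tcp from <src> [sport] to <dst> [dport] setup' (simplified)."""
    toks = rule.replace("${oip}", oip).split()
    i = toks.index("from")
    src, j = toks[i + 1], i + 2
    sport = int(toks[j]) if toks[j].isdigit() else None   # port right after src
    if sport is not None:
        j += 1
    assert toks[j] == "to", "expected 'to' after source spec"
    dst, j = toks[j + 1], j + 2
    dport = int(toks[j]) if j < len(toks) and toks[j].isdigit() else None
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "setup": "setup" in toks}

def matches(rule: dict, pkt: Syn) -> bool:
    """True if the SYN falls under the rule: 'any' matches every address,
    an omitted port matches every port."""
    addr_ok = lambda pat, a: pat == "any" or pat == a
    port_ok = lambda pat, p: pat is None or pat == p
    return (rule["setup"] and addr_ok(rule["src"], pkt.src)
            and port_ok(rule["sport"], pkt.sport)
            and addr_ok(rule["dst"], pkt.dst) and port_ok(rule["dport"], pkt.dport))

# Constructed samples: a browsing client (ephemeral source port, dest 80)
# and an outbound SYN that merely carries source port 80 to some other port.
BROWSE = Syn(OIP, 53012, "198.51.100.7", 80)
SPORT80 = Syn(OIP, 80, "198.51.100.7", 2222)

if __name__ == "__main__":
    for name, rule in (("wrong", WRONG), ("right", RIGHT)):
        r = parse_rule(rule)
        print(name, "browse:", matches(r, BROWSE), "sport80:", matches(r, SPORT80))
```

The wrong rule never passes the client's browsing SYN but does pass any outbound SYN that happens to use source port 80; the corrected rule does the reverse.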

