Date: Sat, 25 Sep 1999 12:51:08 +0200
From: Harold Gutch <logix@foobar.franken.de>
To: Brett Glass <brett@lariat.org>, Nate Williams <nate@mt.sri.com>
Cc: Monte Westlund <montejw@memes.com>, freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
Message-ID: <19990925125108.A13871@foobar.franken.de>
In-Reply-To: <4.2.0.58.19990924113626.0480db00@localhost>; from Brett Glass on Fri, Sep 24, 1999 at 11:41:55AM -0600
References: <4.2.0.58.19990924111600.04809a90@localhost> <3.0.5.32.19990923152232.007c94c0@memes.com> <4.2.0.58.19990924111600.04809a90@localhost> <199909241733.LAA27644@mt.sri.com> <4.2.0.58.19990924113626.0480db00@localhost>
On Fri, Sep 24, 1999 at 11:41:55AM -0600, Brett Glass wrote:
> At 11:33 AM 9/24/99 -0600, Nate Williams wrote:
>
> >Why are you allowing connections from your WWW server to folks? WWW
> >traffic isn't generated *from* your server, but to your server.
>
> Ah, but the same box is also doing NAT for internal machines. If
> connections on port 80 weren't allowed OUT, then people on the
> local "subnet 10" couldn't browse the Web. The person who posted
> the original message of this thread seemed to want NAT to work
> (please correct me if I'm wrong here).
>

But in this case you don't want to allow SYN packets coming from the
inside with *source* port 80, but with *destination* port 80. Instead of

    $fwcmd add pass tcp from ${oip} 80 to any setup

you'd want

    $fwcmd add pass tcp from ${oip} to any 80 setup

Alternatively set up a proxy that your users have to use.

bye,
  Harold

--
<Shabby> Sleep is an abstinence syndrome which occurs due to lack of caffeine.
         Wed Mar 4 04:53:33 CET 1998 #unix, ircnet
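The difference between the two rules is easy to see by evaluating them against a few sample SYN packets. The following is an added example, not code from the thread or from ipfw: it models only the fields a `pass tcp from A [port] to B [port] setup` rule looks at, where `setup` means SYN set and ACK clear (the first packet of a new connection). The address used for `${oip}` and the packets themselves are constructed; the model assumes NAT has already rewritten outbound packets so their source is the firewall's outer address, which is why the rule is written with `${oip}` as the source.

```python
# Simplified model of ipfw "pass tcp ... setup" matching (added example, not ipfw code).
from dataclasses import dataclass
from typing import Optional, Dict


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    src: str                    # address or "any"
    sport: Optional[int]        # None means "any port"
    dst: str
    dport: Optional[int]
    setup: bool = True          # only match the opening SYN of a connection

    def matches(self, p: Packet) -> bool:
        """Return True if this rule would pass the packet."""
        if self.setup and not (p.syn and not p.ack):
            return False
        if self.src != "any" and p.src != self.src:
            return False
        if self.dst != "any" and p.dst != self.dst:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


OIP = "192.0.2.1"  # constructed stand-in for ${oip}, the firewall's outside address

# $fwcmd add pass tcp from ${oip} 80 to any setup   (as posted)
RULE_AS_POSTED = Rule(src=OIP, sport=80, dst="any", dport=None)
# $fwcmd add pass tcp from ${oip} to any 80 setup   (as corrected in the reply)
RULE_CORRECTED = Rule(src=OIP, sport=None, dst="any", dport=80)

# Constructed sample traffic. 198.51.100.7 is a documentation address standing in
# for an outside host; 49152/49153 are typical ephemeral client ports.
PACKETS: Dict[str, Packet] = {
    # a NATed internal user opening a web page: ephemeral source port, dest port 80
    "nat_client_browsing": Packet(OIP, 49152, "198.51.100.7", 80, syn=True, ack=False),
    # something on the inside opening a connection *from* port 80 to a mail port
    "outbound_from_port_80": Packet(OIP, 80, "198.51.100.7", 25, syn=True, ack=False),
    # an outside client connecting to the local web server (handled by other rules)
    "inbound_to_web_server": Packet("198.51.100.7", 40000, OIP, 80, syn=True, ack=False),
    # an internal user going to an HTTPS site: neither rule covers port 443
    "nat_client_to_https": Packet(OIP, 49153, "198.51.100.7", 443, syn=True, ack=False),
    # a data packet on an established connection: not "setup", so no match
    "established_data": Packet(OIP, 49152, "198.51.100.7", 80, syn=False, ack=True),
}


def evaluate(rule: Rule, packets: Dict[str, Packet]) -> Dict[str, bool]:
    """Map each sample packet name to whether the rule passes it."""
    return {name: rule.matches(p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, rule in (("as posted", RULE_AS_POSTED), ("corrected", RULE_CORRECTED)):
        print(f"rule {label}:")
        for name, ok in evaluate(rule, PACKETS).items():
            print(f"  {name:24s} {'pass' if ok else 'no match'}")
```

Running it shows that the rule as posted never matches the ordinary browsing case (the client's source port is ephemeral, not 80), so with a default-deny policy the NATed users could not reach the Web at all, while the corrected rule passes exactly the outbound connection attempts to port 80 and nothing else. Both rules correctly ignore non-SYN packets, which is what the `setup` keyword is for.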