Date:      Wed, 21 Apr 1999 13:32:16 -0400 (EDT)
From:      David Gilbert <dgilbert@velocet.ca>
To:        Phil Gilley <pgilley@metronet.com>
Cc:        Thomas Uhrfelt <thomas.uhrfelt@plymovent.se>, freebsd-security@FreeBSD.ORG
Subject:   Re: SV: Sample Ipfw scripts?
Message-ID:  <14110.2976.43026.123677@trooper.velocet.ca>
In-Reply-To: <Pine.HPP.3.95.990420163957.14052A-100000@fohnix.metronet.com>
References:  <01BE8B49.BD40B300.thomas.uhrfelt@plymovent.se> <Pine.HPP.3.95.990420163957.14052A-100000@fohnix.metronet.com>

>>>>> "Phil" == Phil Gilley <pgilley@metronet.com> writes:

Phil> examples for people to learn from.  Does anyone care to show off
Phil> what they're doing with ipfw?

One thing in particular that I've done with ipfw that is different
from the rc.firewall is to change a rule like:

add 10 divert 8668 ip from any to any via ed0

(where ed0 is the external interface, to)

add 10 divert 8668 ip from 192.168.0.0/16 to any out via ed0
add 11 divert 8668 ip from any to a.b.c.d in via ed0

where a.b.c.d is a virtual address on ed0 used only for NAT.  This
avoids putting every packet through NAT (and is one of the primary
advantages to the FreeBSD style of divert sockets over Linux-style NAT 
rules).  This reduces the load that NAT produces (can be important if
only a small amount of traffic is NAT'd) and also allows you to kill
natd from points other than the console as long as you're not involved 
in the divert rule.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             |  equal if and only if they |
|http://www.velocet.net/~dgilbert             |   are precisely opposite.  |
=========================================================GLO================
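As an added illustration (not part of David's mail, and not ipfw, natd or FreeBSD code), the following Python model of ipfw's first-match evaluation for rules of the form `ip from SRC to DST [in|out] via IFACE` applies the rc.firewall-style catch-all divert rule and the two replacement rules from the mail to a handful of constructed packets, so you can see exactly which traffic still reaches natd. The internal interface name `ed1`, the addresses standing in for a.b.c.d and the router's own address, and the function names are assumptions made for the example.

```python
"""Toy model of ipfw first-match evaluation for divert rules.

Constructed example: this is not ipfw, natd, or FreeBSD code. It only
models rules of the form "ip from SRC to DST [in|out] via IFACE" so that
the rc.firewall-style catch-all rule can be compared with the two targeted
rules from the mail.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

EXT_IF = "ed0"                # external interface, as in the mail
INT_IF = "ed1"                # internal interface name (assumed)
NAT_ALIAS = "203.0.113.10"    # stands in for a.b.c.d (constructed address)
ROUTER_EXT = "203.0.113.1"    # router's primary address on ed0 (constructed)
INTERNAL_NET = "192.168.0.0/16"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" or "out", relative to the interface
    iface: str       # interface the packet is traversing


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src: str                    # "any" or an address/CIDR
    dst: str
    direction: Optional[str]    # None models plain "via": either direction
    iface: str

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        return _addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)


def _addr_match(spec: str, addr: str) -> bool:
    # "any" matches everything; a bare address is treated as a /32 network
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Return the number of the first matching rule, mimicking ipfw's order."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number
    return None


def count_diverted(rules: List[Rule], packets: List[Packet]) -> int:
    """How many of the packets would be handed to natd under this ruleset."""
    return sum(1 for p in packets if first_match(rules, p) is not None)


# rc.firewall style: everything crossing ed0, in or out, goes through natd
OLD_RULES = [Rule(10, "divert 8668", "any", "any", None, EXT_IF)]

# the mail's replacement: only internal->outbound and inbound-to-alias
NEW_RULES = [
    Rule(10, "divert 8668", INTERNAL_NET, "any", "out", EXT_IF),
    Rule(11, "divert 8668", "any", NAT_ALIAS, "in", EXT_IF),
]

# constructed sample traffic (198.51.100.7 is an arbitrary outside host)
SAMPLE_PACKETS = [
    Packet("192.168.1.5", "198.51.100.7", "out", EXT_IF),   # LAN host going out
    Packet("198.51.100.7", NAT_ALIAS, "in", EXT_IF),        # reply to the NAT alias
    Packet("198.51.100.7", ROUTER_EXT, "in", EXT_IF),       # ssh to the router itself
    Packet(ROUTER_EXT, "198.51.100.7", "out", EXT_IF),      # router's own traffic
    Packet("192.168.1.5", "192.168.2.9", "out", INT_IF),    # never crosses ed0
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {pkt.direction:3} {pkt.iface}: "
              f"old={first_match(OLD_RULES, pkt)} new={first_match(NEW_RULES, pkt)}")
    print("diverted: old", count_diverted(OLD_RULES, SAMPLE_PACKETS),
          "new", count_diverted(NEW_RULES, SAMPLE_PACKETS))
```

Under the catch-all rule, four of the five sample packets are diverted, including a connection to the router's own primary address and the router's own outbound traffic; under the two targeted rules only the LAN host's outbound packet and the reply to the alias are. That is what makes the router reachable while natd is stopped or restarted. For the targeted rules to work, natd must rewrite outbound sources to the alias address that rule 11 expects, i.e. natd's `-a a.b.c.d` (`-alias_address`) option rather than its default of using the interface's primary address.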