Date:      Fri, 28 May 1999 16:01:07 -0700 (PDT)
From:      Doug White <dwhite@resnet.uoregon.edu>
To:        Konstantinos.DRYLLERAKIS@DG21.cec.be
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw/natd limitation: controlling access of an unregistered net to the internet
Message-ID:  <Pine.BSF.4.03.9905281557460.11808-100000@resnet.uoregon.edu>
In-Reply-To: <WIN944-990528095213-517C*/G=KONSTANTINOS/S=DRYLLERAKIS/O=DG21/PRMD=CEC/ADMD=RTT/C=BE/@MHS>

Ack.  Please wrap your lines, thanks!

On Fri, 28 May 1999 Konstantinos.DRYLLERAKIS@DG21.cec.be wrote:

> The problem is that of connecting _and_ controlling a company net with
> unregistered IP address to the Internet via a multi-homed FreeBSD box
> using ipfw/natd. According to my understanding, all packets going
> through the outer interface of the multi-homed machine should be
> diverted to natd as soon as possible. The problem appears to be that
> outgoing packets (through the firewall) are first translated to the
> firewall's IP address and _then_ further constrained by the firewall
> rules. This gives ALL internal machines the same "access privileges"
> to the internet as the firewall machine. For incoming packets this is
> simpler since they are first translated back to the real target and
> then passed through the firewall so you can control them by target IP
> address.

I should write something up on this.  

It is totally unnecessary to use any sort of packet filtering with NAT and
still have a secure network.

The reason is that natd will not permit traffic from the outside world
into the private network unless it is associated with an existing data
stream.  This makes for a very, very effective firewall.

If you're creative with your 'via', 'in', and 'out' keywords you can
control this, but for most circumstances you do not need firewall rules
beyond the defaults provided by rc.conf.  

Doug White                               
Internet:  dwhite@resnet.uoregon.edu    | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite    | www.freebsd.org
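The ordering problem raised in the quoted message (outbound packets are rewritten to the firewall's address before the filter sees them) and the 'via'/'in'/'out' hint in the reply can be combined into one ruleset: apply the per-host policy on the inside interface with `in via`, where the packet still carries its private source address, and only then hand the packet to natd on the outside interface. The script below is an added example written for this thread; it is not Doug White's or the FreeBSD project's code. Interface names (ed0/ed1), the 192.168.1.0/24 net and the host addresses are constructed placeholders, and the script only prints the `ipfw` commands unless `fwcmd=/sbin/ipfw` is set in the environment.

```shell
#!/bin/sh
# Added example for the ipfw/natd thread; not from the original post.
# All interface names and addresses are constructed placeholders.
oif=${oif:-ed0}                      # outside interface (registered address)
iif=${iif:-ed1}                      # inside interface (unregistered net)
inet=${inet:-192.168.1.0/24}         # the company net behind natd
gw_inside=${gw_inside:-192.168.1.1}  # the gateway's own inside address
mailhost=${mailhost:-192.168.1.10}   # the one inside host allowed to send SMTP
fwcmd=${fwcmd:-echo /sbin/ipfw}      # dry run: print commands unless fwcmd=/sbin/ipfw

load_rules() {
    ${fwcmd} -f flush

    # Inside policy, evaluated as packets arrive on the inside interface.
    # At this point the source is still the real private address, so hosts
    # can be told apart; natd has not touched the packet yet.
    ${fwcmd} add 100 allow ip from ${inet} to ${gw_inside} in via ${iif}
    ${fwcmd} add 110 allow tcp from ${mailhost} to any 25 in via ${iif}
    ${fwcmd} add 120 allow tcp from ${inet} to any 80,443 in via ${iif}
    # Anything else from inside is dropped (and logged) before it is translated.
    ${fwcmd} add 130 deny log ip from ${inet} to any in via ${iif}

    # Translation happens on the outside interface, after the inside policy:
    # outbound packets get the gateway's address here, inbound packets get
    # their private destination restored before the remaining rules run.
    ${fwcmd} add 200 divert natd ip from any to any via ${oif}

    # Return traffic for connections that were opened from inside.
    ${fwcmd} add 300 allow tcp from any to any established
    # DNS replies: ipfw of this era keeps no UDP state, so allow them explicitly.
    ${fwcmd} add 310 allow udp from any 53 to any in via ${oif}

    # Unsolicited packets from outside: natd had no mapping for them, so they
    # still carry the gateway's address; drop and log them.
    ${fwcmd} add 400 deny log ip from any to any in via ${oif}

    ${fwcmd} add 65000 allow ip from any to any
}

load_rules
```

Walk an outbound SYN from 192.168.1.50 through it: on arrival via ed1 it is matched by rule 120 (or denied by 130); when it leaves via ed0 the inside rules no longer match, rule 200 diverts it to natd, and natd's reinjected packet with the gateway's address falls through to rule 65000. The reply comes in via ed0, is mapped back to 192.168.1.50 by rule 200 and accepted by rule 300. A packet from outside with no natd mapping reaches rule 400 and is dropped, which is the property the reply relies on, written down explicitly. Moving the divert rule above the inside policy would reintroduce the problem from the quoted message.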






