Date:      Sun, 28 Nov 2004 03:31:35 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Jonathon McKitrick <jcm@FreeBSD-uk.eu.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Is this a hole in my firewall?
Message-ID:  <20041128013135.GD662@gothmog.gr>
In-Reply-To: <20041127215612.GA86416@dogma.freebsd-uk.eu.org>
References:  <20041127215612.GA86416@dogma.freebsd-uk.eu.org>

On 2004-11-27 21:56, Jonathon McKitrick <jcm@FreeBSD-uk.eu.org> wrote:
> root@neptune:~# ipfw show
> 00100 0   0 check-state
> 00200 2 144 allow ip from me to any keep-state out xmit tun0
> 00300 0   0 allow ip from any to any keep-state out xmit tun0
> 00400 0   0 deny tcp from any to any in recv tun0 established
> 00500 0   0 allow ip from any to any via vr0
> 00600 0   0 allow ip from any to any via lo0
> 00700 0   0 deny ip from any to 127.0.0.0/8
> 00800 0   0 deny ip from 127.0.0.0/8 to any
> 00900 0   0 allow tcp from any to me 22 keep-state in recv vr0 setup
> 01000 0   0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
> 01100 0   0 deny log logamount 100 ip from any to any
> 65535 0   0 deny ip from any to any
>
> I added rule 300 so that my laptop on my wireless network can connect,
> ping, and get DNS and DHCP.  Is there a better way to specify this?

AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
you also have rule 00200 in there.
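An added example, not part of the thread: a small Python model of ipfw's first-match evaluation over the ruleset quoted above, so you can see which rule number a given packet hits and which rules are shadowed by earlier ones. It assumes (constructed values) that the host's own addresses, what ipfw calls "me", are 192.0.2.10 on tun0 and 10.0.0.1 on vr0, that the wireless laptop is 10.0.0.20, and that check-state/keep-state are modelled as a simple two-way flow table.

```python
import ipaddress

# Constructed assumption: the host's own addresses ("me" in ipfw terms).
ME = {"192.0.2.10", "10.0.0.1"}

# The ruleset from the thread, transcribed into dicts (rule 100 is check-state).
RULES = [
    dict(num=100, action="check-state"),
    dict(num=200, action="allow", proto="ip", src="me", dst="any", keep=True, dir="out", ifmode="xmit", iface="tun0"),
    dict(num=300, action="allow", proto="ip", src="any", dst="any", keep=True, dir="out", ifmode="xmit", iface="tun0"),
    dict(num=400, action="deny", proto="tcp", src="any", dst="any", dir="in", ifmode="recv", iface="tun0", established=True),
    dict(num=500, action="allow", proto="ip", src="any", dst="any", ifmode="via", iface="vr0"),
    dict(num=600, action="allow", proto="ip", src="any", dst="any", ifmode="via", iface="lo0"),
    dict(num=700, action="deny", proto="ip", src="any", dst="127.0.0.0/8"),
    dict(num=800, action="deny", proto="ip", src="127.0.0.0/8", dst="any"),
    dict(num=900, action="allow", proto="tcp", src="any", dst="me", dport=22, keep=True, dir="in", ifmode="recv", iface="vr0", setup=True),
    dict(num=1000, action="allow", proto="icmp", src="any", dst="any", ifmode="via", iface="tun0", icmptypes={0, 3, 8, 11, 12}),
    dict(num=1100, action="deny", proto="ip", src="any", dst="any"),
    dict(num=65535, action="deny", proto="ip", src="any", dst="any"),
]


def addr_ok(spec, addr):
    """ipfw address spec: 'any', 'me' (host's own addresses) or a CIDR."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def flow_key(p):
    return (p["proto"], p["src"], p.get("sport"), p["dst"], p.get("dport"))


def reverse_key(k):
    proto, s, sp, d, dp = k
    return (proto, d, dp, s, sp)


def matches(rule, p):
    """Static match of one rule against one packet (no dynamic state)."""
    if rule["proto"] != "ip" and rule["proto"] != p["proto"]:
        return False
    if not addr_ok(rule["src"], p["src"]) or not addr_ok(rule["dst"], p["dst"]):
        return False
    if "dir" in rule and rule["dir"] != p["dir"]:
        return False
    mode = rule.get("ifmode")
    if mode == "recv" and p.get("recv_if") != rule["iface"]:
        return False
    if mode == "xmit" and p.get("xmit_if") != rule["iface"]:
        return False
    if mode == "via" and rule["iface"] not in (p.get("recv_if"), p.get("xmit_if")):
        return False
    flags = p.get("flags", set())
    if rule.get("established") and not (flags & {"ack", "rst"}):   # ACK or RST set
        return False
    if rule.get("setup") and not ("syn" in flags and "ack" not in flags):  # SYN only
        return False
    if "dport" in rule and p.get("dport") != rule["dport"]:
        return False
    if "icmptypes" in rule and p.get("icmptype") not in rule["icmptypes"]:
        return False
    return True


def first_match(p, state):
    """Walk the ruleset in order; return (rule number, action) of the first hit."""
    for r in RULES:
        if r["action"] == "check-state":
            if flow_key(p) in state:
                return r["num"], state[flow_key(p)]
            continue
        if matches(r, p):
            if r.get("keep"):  # keep-state: remember both directions of the flow
                k = flow_key(p)
                state[k] = state[reverse_key(k)] = r["action"]
            return r["num"], r["action"]
    raise AssertionError("unreachable: rule 65535 matches everything")


# Constructed sample packets: host DNS query, forwarded laptop DNS query and its
# reply, an unsolicited SYN and a bare ACK arriving on tun0, and LAN SSH on vr0.
SAMPLE_PACKETS = [
    dict(proto="udp", src="192.0.2.10", sport=40001, dst="198.51.100.53", dport=53, dir="out", xmit_if="tun0"),
    dict(proto="udp", src="10.0.0.20", sport=40000, dst="198.51.100.53", dport=53, dir="out", recv_if="vr0", xmit_if="tun0"),
    dict(proto="udp", src="198.51.100.53", sport=53, dst="10.0.0.20", dport=40000, dir="in", recv_if="tun0"),
    dict(proto="tcp", src="203.0.113.5", sport=55555, dst="192.0.2.10", dport=22, dir="in", recv_if="tun0", flags={"syn"}),
    dict(proto="tcp", src="203.0.113.5", sport=55556, dst="192.0.2.10", dport=22, dir="in", recv_if="tun0", flags={"ack"}),
    dict(proto="tcp", src="10.0.0.20", sport=40002, dst="10.0.0.1", dport=22, dir="in", recv_if="vr0", flags={"syn"}),
]


def trace(packets):
    """Evaluate packets in order with a fresh state table; list which rule fired."""
    state = {}
    return [first_match(p, state) for p in packets]


if __name__ == "__main__":
    for p, (num, action) in zip(SAMPLE_PACKETS, trace(SAMPLE_PACKETS)):
        print(f"{p['proto']} {p['src']} -> {p['dst']} {p['dir']}: rule {num:05d} {action}")
```

The model ignores ipfw details such as dynamic-rule lifetimes and the separate in/out passes a forwarded packet makes, so treat it as a reading aid for spotting shadowed rules, not a replacement for the packet counters in the second column of `ipfw show`.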
