Date:      Wed, 15 Nov 2000 00:05:28 -0000
From:      "Nuno Teixeira" <nuno.teixeira@pt-quorum.com>
To:        "Steve Reid" <sreid@sea-to-sky.net>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: PPP NAT Gateway security
Message-ID:  <001c01c04e97$c69c3c90$0200a8c0@n2>
References:  <00c801c04dc4$12a89220$0200a8c0@n2> <20001114144513.A888@grok>

Hi,

I've configured a 'client' firewall (in /etc/rc.firewall) in FreeBSD for
the private class C IP numbers of my network. It works OK inside the network
but I can't get access to the Internet. I believe that this problem is
related to the fact that my ISP (PPP analog modem) doesn't give me a static
IP but a dynamic one.

What I'd like to do is something like what BlackIce does in Windows OS. Can
I do the same work with IPFW?

Thanks very much,

Nuno Teixeira

----- Original Message -----
From: "Steve Reid" <sreid@sea-to-sky.net>
To: "Nuno Teixeira" <nuno.teixeira@pt-quorum.com>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Tuesday, November 14, 2000 10:45 PM
Subject: Re: PPP NAT Gateway security


> On Mon, Nov 13, 2000 at 10:50:05PM -0000, Nuno Teixeira wrote:
> >     ppp -background -nat MYISP
> > It works OK and I have access to a lot of Internet services.
> > My question is: do I need to configure this machine with firewall, so I can
> > protect my internal network from the outside net?
>
> You probably don't _need_ a firewall, but it usually is a good idea. In
> practice NAT provides some protection, but that is not what NAT is
> intended for so I wouldn't rely on it.
>
> The usual way to do it is with ipfw or ipfilter. "man ipfw" and "man
> ipf" respectively. Because you're using userland PPP you can also do it
> via the ppp daemon ("man ppp"). I would recommend using ipfw or
> ipfilter though, as then you don't have to re-write your filter rules
> if you ever change to a non-ppp interface. You'll probably find more
> ipf/ipfw information than ppp filter information, because ipf and ipfw
> are more widely used. Google search for "ipfw howto" or "ipf howto"
> should turn up some nice docs.
>
> Both ipfw and ipf are stateful now, so AFAICS the remaining differences
> are relatively minor for most people. ipf has been ported to systems
> other than FreeBSD; ipfw works with ethernet bridging. There may be
> other differences I'm not aware of- I'm an ipf user myself and haven't
> used ipfw in years.
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
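
An added example, not part of the original message or of FreeBSD's rc.firewall: a stateful ipfw ruleset for a userland-ppp gateway that matches on interface names, so a dynamically assigned address never has to appear in a rule. The helper name gen_rules, the rule numbers, and the defaults tun0 (ppp side), ed0 and 192.168.0.0/24 (LAN side) are assumptions.

```shell
#!/bin/sh
# Added example: print a stateful ipfw ruleset keyed on interface names.
# Assumed defaults (not from the thread): tun0 = ppp interface,
# ed0 = LAN interface, 192.168.0.0/24 = LAN network.

# gen_rules WAN_IF LAN_IF LAN_NET
# Prints ipfw commands on stdout so they can be reviewed before use.
gen_rules() {
    [ $# -eq 3 ] || { echo "usage: gen_rules wan_if lan_if lan_net" >&2; return 1; }
    wan_if=$1
    lan_if=$2
    lan_net=$3
    cat <<EOF
# Start from an empty ruleset.
ipfw -q -f flush
# Loopback and the trusted LAN side are left open.
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 200 allow ip from any to any via ${lan_if}
# A packet arriving from the ISP side with a LAN source address is spoofed.
ipfw -q add 300 deny log ip from ${lan_net} to any in via ${wan_if}
# Replies to connections opened from inside match dynamic rules here.
ipfw -q add 400 check-state
# Outbound traffic creates state; no local address is named, so the
# rules stay valid whatever address the ISP hands out.
ipfw -q add 500 allow tcp from any to any out via ${wan_if} setup keep-state
ipfw -q add 510 allow udp from any to any out via ${wan_if} keep-state
ipfw -q add 520 allow icmp from any to any out via ${wan_if} icmptypes 8 keep-state
# Everything else on the ppp interface is dropped and logged.
ipfw -q add 900 deny log ip from any to any via ${wan_if}
EOF
}

# Stand-alone run: print the ruleset for the given or assumed names.
gen_rules "${1:-tun0}" "${2:-ed0}" "${3:-192.168.0.0/24}"
```

Review the printed rules, then pipe the output to sh on the gateway to load them. Because the rules refer to the interface rather than an address, they do not need rewriting when the link comes up with a different IP.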
