Date:      Sun, 7 May 2000 20:03:48 -0700
From:      Jan Koum <jkb@ethereal.net>
To:        Jordan Blanchard <cybernetik@sympatico.ca>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: possible /etc/rc.firewall bug?
Message-ID:  <20000507200348.B92100@ethereal.net>
In-Reply-To: <000d01bfb899$1ebd6920$1021fea9@sympatico.ca>; from cybernetik@sympatico.ca on Sun, May 07, 2000 at 10:57:16PM -0400
References:  <20000506162221.B45391@ethereal.net><Pine.BSF.4.21.0005071654320.18861-100000@juice.shallow.net> <20000507163857.A92100@ethereal.net> <000d01bfb899$1ebd6920$1021fea9@sympatico.ca>


the web has been turned off in the US last night around 9:30pm. it is now
illegal to use the web here. you have to go through proxy based in china
or cuba - which is why it only works for you via proxy.

really -- what do you mean "how i have web working"??? and please, this
does not belong on -net, this belongs on -questions mailing list.


On Sun, May 07, 2000 at 10:57:16PM -0400, Jordan Blanchard <cybernetik@sympatico.ca> wrote:
> may I ask how you have web working without a proxy program??? I've got
> freebsd 4.0 running and I have never been able to get web working without a
> proxy program, everything else works just not web!
> 
> 
> ----- Original Message -----
> From: Jan Koum <jkb@ethereal.net>
> To: Joshua Goodall <joshua@roughtrade.net>
> Cc: <freebsd-net@FreeBSD.ORG>
> Sent: Sunday, May 07, 2000 7:38 PM
> Subject: Re: possible /etc/rc.firewall bug?
> 
> 
> >
> > i don't need a fix that works for me -- i can figure out how to make
> > things work. i'd like someone to commit change i describe below (either
> > giving natd rule assignment of 50 or going away from numbers all together
> > in rc.firewall and let ipfw do internal number assignments)
> >
> > it's a very simple fix. i don't know why nobody committed it yet.
> >
> >
> > On Sun, May 07, 2000 at 05:00:20PM +0200, Joshua Goodall <joshua@roughtrade.net> wrote:
> > >
> > > This is a "known problem". Since the implications compromise natd
> > > security, it should have been fixed. However, it isn't in the latest
> > > 4.0-STABLE.
> > >
> > > There is a potential fix that may work for you. See
> > >
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=13769
> > >
> > > but beware the warnings about making your firewall "weak". The resulting
> > > firewall ruleset should provide a basis for a stronger configuration.
> > >
> > > --
> > > Joshua Goodall <joshuag@interxion.com>
> > > IP Systems Engineer - InterXion - http://www.InterXion.com/
> > >
> > > On Sat, 6 May 2000, Jan Koum wrote:
> > >
> > > >
> > > > i just noticed something. if you setup natd and ipfw, you end up with:
> > > >
> > > > # ipfw -a l
> > > > 00100  677369 166815520 divert 8668 ip from any to any via ed0
> > > > 00100  397358  45078874 allow ip from any to any via lo0
> > > > 00200       0         0 deny ip from any to 127.0.0.0/8
> > > > 65000 1709011 373169093 allow ip from any to any
> > > > 65535       0         0 deny ip from any to any
> > > >
> > > > two rules with number 100 -- i suggest moving divert rule to 50 by changing
> > > >
> > > >   ${fwcmd} add divert natd all from any to any via ${natd_interface}
> > > >
> > > > to:
> > > >
> > > >   ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
> > > >
> > > >
> > > > of course another way to do this is to remove #'s from following rules:
> > > >   ${fwcmd} add 100 pass all from any to any via lo0
> > > >   ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > > >
> > > >
> > > > thanks,
> > > >
> > > > -- yan
> > > >
> > > >
> > > > p.s. - this is 4.0 box with rc.firewall:
> > > > # $FreeBSD: src/etc/rc.firewall,v 1.30 2000/02/06 19:24:37 paul Exp $
> > > >
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-net" in the body of the message
> > > >
> > >
> > >
> > >
> >
> >
> >


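The duplicate-number problem Jan describes is easy to miss in a long listing. The script below is an added example, not code from this thread or from FreeBSD's rc.firewall: it checks an `ipfw -a l` listing for rule numbers used more than once, and emits the three rc.firewall lines with the divert rule renumbered to 50 as proposed above. The two listings are constructed from the output quoted in the thread (the second one assumes what that output looks like once the divert rule is 50); `fwcmd` defaults to `echo` for a dry run, and `natd_interface=ed0` is an assumed value taken from the quoted listing.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.

# Constructed sample: the listing quoted in the thread, two rules numbered 00100.
BROKEN_LISTING='00100  677369 166815520 divert 8668 ip from any to any via ed0
00100  397358  45078874 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
65000 1709011 373169093 allow ip from any to any
65535       0         0 deny ip from any to any'

# Constructed sample (assumed): the same listing once the divert rule is 50.
FIXED_LISTING='00050  677369 166815520 divert 8668 ip from any to any via ed0
00100  397358  45078874 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
65000 1709011 373169093 allow ip from any to any
65535       0         0 deny ip from any to any'

# dup_rule_numbers: read `ipfw -a l` output on stdin and print each rule
# number that occurs more than once (one per line, sorted). Prints nothing
# when every rule has its own number. "ipfw delete N" removes every rule
# numbered N, so a shared number means the natd divert rule and the lo0
# pass rule can only be deleted or replaced together.
dup_rule_numbers() {
    awk '{ count[$1]++ } END { for (n in count) if (count[n] > 1) print n }' | sort
}

# emit_rules: the three rc.firewall lines with the fix from the thread
# applied (divert rule explicitly numbered 50, ahead of the 100/200 rules).
# fwcmd defaults to "echo" so this is a dry run; set fwcmd=ipfw on a real box.
# natd_interface is an assumed value mirroring the ed0 in the listing.
fwcmd=${fwcmd:-echo}
natd_interface=${natd_interface:-ed0}
emit_rules() {
    ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
}

# On a live box, run the check against the real listing:
#   ipfw -a l | dup_rule_numbers
```

With the broken listing the check prints `00100`; with the renumbered one it prints nothing. Running the check after `sh /etc/rc.firewall` is a cheap way to confirm the divert rule landed on its own number before relying on `ipfw delete` to manage it.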



