From owner-freebsd-questions@FreeBSD.ORG Mon Feb 2 07:09:29 2004
From: "JJB" <Barbish3@adelphia.net>
To: "Eugene Panchenko", freebsd-questions@freebsd.org
Date: Mon, 2 Feb 2004 10:08:38 -0500
Subject: RE: NAT and IPFW rules

Hello Friend

First I agree with you, the FBSD handbook documentation on firewall software sucks big time. It leads the reader into believing that ipfw is the only solution when it is not. FBSD is delivered with ipfw and IPFILTER, which are both firewall software applications. The second thing that the sparse ipfw documentation fails to say is that a firewall that does not use stateful rules is not very secure. The real show stopper is that ipfw with stateful rules using the 'keep state' option does not work when used with the divert/natd legacy sub-routine.
What this means is ipfw with stateful rules can only be used if 'user ppp -nat' is how you connect to the public internet. IPFILTER's stateful rules work fine, and it has its own external ipnat function. I strongly recommend you drop ipfw and instead use IPFILTER, as it's the superior firewall software solution from the ease of use of stateful rules.

If you use 'user ppp' to connect to the public internet and want to continue to use ipfw, I have an ipfw stateful rule set I can send you. If you want to use IPFILTER, I can send a rule set for it also, along with links to doc sites.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Eugene Panchenko
Sent: Sunday, February 01, 2004 11:15 AM
To: questions@freebsd.org
Subject: NAT and IPFW rules

Hallo!

From reading the manpage for natd, I have a question about how to restrict IPFW access for NAT for the case when I have one computer connected directly to another one (having two NICs installed in it). That means that I don't have to care about a big private network, but rather want to narrow down the access to a single private IP address.

For NAT to work, two rules need to be added:

    ipfw add divert natd all from any to any via xl0

Can this rule be restricted (is it possible to divert not every packet)? Right now, every packet that enters/leaves the system is diverted, and sometimes the natd process eats quite a lot of processor resources. Can this be avoided? How?

    ipfw add pass all from any to any

How can this be restricted? I basically need only outgoing stuff working, that's all, and silently passing any packets from whatever location to any destination is insecure to me.

Can someone post live examples of such a setup?

Waiting to hear from some gurus ;)

--
Eugene
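A ruleset of the kind the question asks for, added here as an example and not written by either poster: it diverts only the one private host's outbound traffic and the replies arriving on xl0, and passes only what that host initiated. The private NIC name xl1, the private address 192.168.1.2, the rule numbers and the assumption that natd is already running on xl0 are mine; in line with the reply's caveat the rules are stateless (no keep-state), so natd's own translation table and `established` stand in for real state tracking.

```shell
#!/bin/sh
# Added example (not from the thread): restrict NAT diversion and passes to a
# single private host behind a two-NIC FreeBSD box. Usage:
#   sh nat_rules.sh show    # print the ipfw commands (dry run)
#   sh nat_rules.sh apply   # load them (natd must already run on $ext_if)
ext_if="xl0"              # public NIC, as in the question
int_if="xl1"              # private-side NIC (assumed name)
priv_host="192.168.1.2"   # the one private machine (assumed address)

# Run ipfw, or just print the command when DRY_RUN=1.
fwcmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "ipfw $*"; else ipfw "$@"; fi
}

load_rules() {
    fwcmd -f flush
    fwcmd add 50 allow ip from any to any via lo0
    # Packets from the private host arriving on the inside NIC.
    fwcmd add 100 allow ip from "$priv_host" to any in via "$int_if"
    # Divert only what needs translating: the private host's traffic as it
    # leaves on the public NIC, and what arrives on the public NIC (natd has
    # to map replies back). The router's own outbound traffic never reaches
    # natd, which is what cuts its CPU use.
    fwcmd add 200 divert natd ip from "$priv_host" to any out via "$ext_if"
    fwcmd add 210 divert natd ip from any to any in via "$ext_if"
    # After translation the outbound packet carries the public address.
    fwcmd add 300 allow ip from any to any out via "$ext_if"
    # Inbound on the public NIC is passed only if natd already rewrote the
    # destination back to the private host, i.e. it matched a session that
    # host started; 'established' additionally drops bare SYNs. This is a
    # stateless approximation of keep-state, not a replacement for it.
    fwcmd add 310 allow tcp from any to "$priv_host" in via "$ext_if" established
    fwcmd add 320 allow udp from any 53 to "$priv_host" in via "$ext_if"
    fwcmd add 330 allow icmp from any to "$priv_host" in via "$ext_if" icmptypes 0,3,11
    # Forward the translated reply to the private host.
    fwcmd add 400 allow ip from any to "$priv_host" out via "$int_if"
    # Everything else, including any unsolicited inbound connection, is
    # dropped and logged (logging needs net.inet.ip.fw.verbose=1).
    fwcmd add 65000 deny log ip from any to any
}

case "${1:-}" in
    show)  DRY_RUN=1; load_rules ;;
    apply) load_rules ;;
esac
```

Run `sh nat_rules.sh show` first and read the rules back before applying them on a box you reach over the network, since rule 65000 also blocks inbound logins to the router itself.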