From owner-freebsd-questions Wed Apr 28 17:36:18 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhub.scl.ameslab.gov (mailhub.scl.ameslab.gov [147.155.137.127]) by hub.freebsd.org (Postfix) with ESMTP id A105514FB1 for ; Wed, 28 Apr 1999 17:36:13 -0700 (PDT) (envelope-from ghelmer@scl.ameslab.gov)
Received: from demios.ether.scl.ameslab.gov ([147.155.137.54]) by mailhub.scl.ameslab.gov with esmtp (Exim 1.90 #1) id 10ceoz-0001AI-00; Wed, 28 Apr 1999 19:36:57 -0500
Date: Wed, 28 Apr 1999 19:36:10 -0500
From: Guy Helmer
To: Christoff Snijders
Cc: freebsd-questions@FreeBSD.org
Subject: Re: ipfw rules
In-Reply-To: <3727A604.55A107A@home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 28 Apr 1999, Christoff Snijders wrote:

> I have a very simple setup: one FreeBSD 2.2.5-RELEASE box with two
> Ethernet cards in it. One card is connected to a cable modem with a
> static IP address, the other is connected to a hub, which is in turn
> connected to several computers on an internal network.
>
> If I remove all the ipfw rules and allow access from anything to
> anything, with traffic diverted through natd on port 6668, all the
> machines on the network can access the net, but the firewall is useless
> (non-existent).
>
> If I use the standard, simple rules in rc.firewall, the console user can
> access the Internet, but none of the users on the internal network can.
> ...
> # set these to your outside interface network and netmask and ip
> oif="ed2"
> ...
> # divert traffic to natd (I added this)
> /sbin/ipfw add divert natd all from any to any via ed2

Hmm, isn't there a divert rule at the beginning of /etc/rc.firewall?

> ...
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

I've replaced those three rules with these six rules on my 2.2.8 firewall:

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}

Hope this helps,
Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer
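The two rule forms discussed in the thread, as an added example that is not part of the original mail or of FreeBSD's rc.firewall: a small POSIX sh script that emits the six split rules from the reply in rc.firewall style (dry run by default, so it prints the ipfw commands instead of loading them) and then simulates how ipfw would match a few constructed packets on the outside interface against the quoted rc.firewall "via" form versus the "in via"/"out via" form. The interface name ed2, the sample addresses and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail or from rc.firewall.
# fwcmd defaults to a dry run ("echo /sbin/ipfw"); set fwcmd=/sbin/ipfw
# in the environment to actually load the rules on a FreeBSD box.
oif="${oif:-ed2}"                       # assumed outside interface
fwcmd="${fwcmd:-echo /sbin/ipfw}"
RFC1918="192.168.0.0:255.255.0.0 172.16.0.0:255.240.0.0 10.0.0.0:255.0.0.0"

# rfc1918_rules: the six rules from the reply. For each private block, deny it
# as a source on packets entering $oif and as a destination on packets leaving.
rfc1918_rules() {
    for net in $RFC1918; do
        $fwcmd add deny all from $net to any in via ${oif}
        $fwcmd add deny all from any to $net out via ${oif}
    done
}

# ip2int: dotted quad -> 32-bit integer, so masks can be applied with $(( ))
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_net ADDR NET:MASK -> success if ADDR falls inside NET/MASK
in_net() {
    n_addr=${2%%:*}; n_mask=${2##*:}
    [ $(( $(ip2int "$1") & $(ip2int "$n_mask") )) -eq \
      $(( $(ip2int "$n_addr") & $(ip2int "$n_mask") )) ]
}

# verdict RULESET SRC DST DIR -> "deny" or "allow" for a packet on $oif.
#   via   : the quoted rc.firewall rules (private SOURCE, matched in both
#           directions because "via" does not say in or out)
#   inout : the split rules from the reply (private source inbound,
#           private destination outbound)
# Only these deny rules are modelled; nothing else in a ruleset is.
verdict() {
    ruleset=$1; src=$2; dst=$3; dir=$4
    for net in $RFC1918; do
        if [ "$ruleset" = via ]; then
            if in_net "$src" "$net"; then echo deny; return 0; fi
        else
            if [ "$dir" = in ] && in_net "$src" "$net"; then echo deny; return 0; fi
            if [ "$dir" = out ] && in_net "$dst" "$net"; then echo deny; return 0; fi
        fi
    done
    echo allow
}

# show: run constructed sample packets (not from the mail) through both forms:
#   spoofed inbound with a private source,
#   outbound to a private destination (a leak only the split form catches),
#   outbound with an untranslated private source (only the via form catches),
#   ordinary outbound traffic.
show() {
    for pkt in "10.1.2.3 203.0.113.5 in" \
               "203.0.113.9 192.168.1.7 out" \
               "192.168.1.7 203.0.113.5 out" \
               "203.0.113.9 203.0.113.5 out"; do
        set -- $pkt
        echo "$1 -> $2 ($3): via=$(verdict via "$@") inout=$(verdict inout "$@")"
    done
}

rfc1918_rules
show
```

Run it with `sh` to see the rule lines and the four verdicts; the third sample packet is the one case where the two forms disagree in the other direction, which matters only if a packet with a private source reaches these rules untranslated. On the box described in the thread the divert natd rule sits earlier in the ruleset, so outbound packets normally arrive at these deny rules with their source already rewritten to the public address.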