From owner-freebsd-security Thu Oct 19 16:13:14 2000
Delivered-To: freebsd-security@freebsd.org
From: "Peter Brezny"
Subject: rc.firewall rule question.
Date: Thu, 19 Oct 2000 19:13:17 -0400
Message-ID: <000c01c03a22$2acab280$47010a0a@fire.sysadmininc.com>

On a 4.1 box I've confirmed ipfw/nat working using a simplified rule script. However, when I use the default rc.firewall script (modified for my machine) using the 'simple' parameter designed to protect a network and allow nat, my internal private network (10.90.1.0) doesn't work (I know, could I be more specific...).

I've added

    ${fwcmd} add allow icmp from any to any

as the next-to-last entry of the ruleset to help with diagnosis.

When I comment out the line

    ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}

it still doesn't work; however, when I comment out the line

    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}

I can ping to external domains.

I guess my big question is, does this script actually allow private internal domains to reach the outside world when properly configured? Has anyone gotten this script to work properly?

Thanks in advance.

Peter Brezny
SysAdmin Services, Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message