From owner-freebsd-security Thu Oct 19 18:57:26 2000
From: Archie Cobbs
Message-Id: <200010200157.e9K1vDD57363@curve.dellroad.org>
Subject: Re: natd/ipfw and mpd-netgraph for VPN question
In-Reply-To: <000901c0392e$d23150a0$47010a0a@fire.sysadmininc.com> "from Peter Brezny at Oct 18, 2000 02:11:21 pm"
To: peter@sysadmin-inc.com
Date: Thu, 19 Oct 2000 18:57:13 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG

Peter Brezny writes:
> Suppose I've got two offices at different locations, each with a cable modem
> or other 'fast' access, using mpd-netgraph on a 4.1 box to create a VPN
> between them. Each office uses its connection to go to the Internet as
> well.
>
> Now I need to firewall each connection to the Internet. Will natd/ipfw be
> able to play nice with mpd-netgraph?
>
> The natd man page says that
>
>     options IPFIREWALL
>     options IPDIVERT
>
> must be compiled into the kernel; however, just the line
>
>     firewall_enable="YES"
>
> apparently starts a kernel module for ipfw. Is that line in rc.conf enough,
> or does natd really require a recompiled kernel?
>
> And finally, would I be better off with a package like SOCKS5 instead of
> natd/ipfw, and would it get along as well with mpd-netgraph?

Should work fine... just make sure you allow TCP port 1723 and IP proto #47 to reach mpd.

-Archie

___________________________________________________________________________
Archie Cobbs * Packet Design, Inc. * http://www.packetdesign.com