Date: Sun, 2 Dec 2001 12:28:05 -0500
From: Neill Robins <freebsd@nc.rr.com>
To: "Thor Legvold" <tlegvold@hotmail.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall rules (ipfw)
Message-ID: <49603215908.20011202122805@nc.rr.com>
In-Reply-To: <F101YbZhoItg3V3Ny2A000137f7@hotmail.com>
References: <F101YbZhoItg3V3Ny2A000137f7@hotmail.com>
Sunday, December 02, 2001, 8:43:34 AM, Thor Legvold wrote:

TL> Crist wrote:
>>These DHCP rules are a bit messed up. ITYM something more like,

TL> Duly noted. Thanks. BTW, what's ITYM mean?

http://www.acronymfinder.com/af-query.asp?String=exact&Acronym=itym

>> > # Allow GRE & PPTP control connection
>> > ${fwcmd} add allow tcp from any to any 1723 in recv cable0 setup
>> > ${fwcmd} add allow gre from any to any via cable0
>>
>>Nothing here allows you to talk back on that TCP connection.

TL> Meaning I should allow TCP on 1723 both ways? Are both machines using 1723,
TL> or only the PPTP server (client in that case on >1023?)

>> > # Stop all other traffic via cable0 - only GRE/PPTP/DHCP allowed
>> > ${fwcmd} add deny log all from any to any via cable0
>>
>>Nothing else at all is going to go in or out? OK.

TL> Well, my intention was to allow GRE only incoming to nat (as only GRE
TL> packets are intended for my machine over the cable0/pptp link - all else is
TL> garbage, or dhcp), and anything outgoing (via nat). That would reduce 80% of
TL> the traffic on the cable0 iface reaching nat and my LAN. Seems that's not
TL> really feasible though.

>> > # NAT
>> > ${fwcmd} add divert natd log all from any to any via tun0
>>
>>OK.

TL> Not ok. Nothing reaches nat (tried it today). I also tried allowing only GRE
TL> to nat (instead of all), that didn't work either (I think because while
TL> incoming packets are gre, outgoing ones aren't...)

TL> Guess I'll go back to diverting all and concentrate on getting the rules
TL> right when the packets appear on the tun0 iface coming in.

>>--
>>Crist J. Clark                     |     cjclark@alum.mit.edu
>>                                   |     cjclark@jhu.edu
>>http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

TL> Regards,
TL> Thor

--
Good Luck,
-Neill
freebsd@nc.rr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49603215908.20011202122805>
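The cable0/tun0 rule set discussed above, as an added example that is not code from the thread or from Crist, Thor or Neill, with the reply-direction rules Crist said were missing spelled out in the ${fwcmd} style of FreeBSD's rc.firewall. It assumes this host is the PPTP client (so the control connection is opened from an ephemeral port, not port 1723), the interface names cable0 and tun0 from the thread, and a placeholder PPTP server address.

```shell
#!/bin/sh
# Added example, not the rules from the thread. Assumptions: this host is the
# PPTP *client*, the physical cable link is cable0, the PPP tunnel comes up as
# tun0, and PPTP_SERVER is a placeholder for the ISP's PPTP endpoint.
fwcmd="${FWCMD:-/sbin/ipfw}"
cable_if="cable0"
tun_if="tun0"
pptp_srv="${PPTP_SERVER:-10.0.0.138}"   # placeholder address, not from the thread

pptp_rules() {
    # NAT first, as rc.firewall does, so tunnel traffic is translated before
    # it reaches the filter rules.
    ${fwcmd} add divert natd all from any to any via ${tun_if}

    # DHCP on the cable side: our client port 68 talks to the server's port 67.
    ${fwcmd} add allow udp from any 68 to any 67 out xmit ${cable_if}
    ${fwcmd} add allow udp from any 67 to any 68 in recv ${cable_if}

    # PPTP control connection. A client opens it from an ephemeral port, so the
    # SYN goes *out*; 'setup in recv' alone only ever matched a SYN from the
    # server. Two 'established' rules let the rest of the conversation through
    # in both directions (ACK or RST set, i.e. never a bare SYN).
    ${fwcmd} add allow tcp from any to ${pptp_srv} 1723 out xmit ${cable_if} setup
    ${fwcmd} add allow tcp from any to ${pptp_srv} 1723 out xmit ${cable_if} established
    ${fwcmd} add allow tcp from ${pptp_srv} 1723 to any in recv ${cable_if} established

    # GRE carries the tunnelled PPP frames. 'via' matches either direction on
    # the interface, but src/dst still have to be written per direction.
    ${fwcmd} add allow gre from any to ${pptp_srv} out xmit ${cable_if}
    ${fwcmd} add allow gre from ${pptp_srv} to any in recv ${cable_if}

    # Everything else on the cable interface is dropped and logged.
    ${fwcmd} add deny log all from any to any via ${cable_if}
}

# Loading rules needs root and a real ipfw; by default just print them.
case "${1:-}" in
    apply) pptp_rules ;;
    *)     fwcmd="echo ${fwcmd}"; pptp_rules ;;
esac
```

Run it with no arguments to see the rules it would load, and with `apply` as root to load them.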
