From owner-freebsd-questions Sun Dec 2 09:26:15 2001
Date: Sun, 2 Dec 2001 12:28:05 -0500
From: Neill Robins
To: "Thor Legvold"
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall rules (ipfw)
Message-ID: <49603215908.20011202122805@nc.rr.com>

Sunday, December 02, 2001, 8:43:34 AM, Thor Legvold wrote:

TL> Crist wrote:
>> These DHCP rules are a bit messed up. ITYM something more like,

TL> Duly noted. Thanks. BTW, what's ITYM mean?

http://www.acronymfinder.com/af-query.asp?String=exact&Acronym=itym

>> > # Allow GRE & PPTP control connection
>> > ${fwcmd} add allow tcp from any to any 1723 in recv cable0 setup
>> > ${fwcmd} add allow gre from any to any via cable0
>>
>> Nothing here allows you to talk back on that TCP connection.

TL> Meaning I should allow TCP on 1723 both ways? Are both machines using 1723,
TL> or only the PPTP server (client in that case on >1023?)

>> > # Stop all other traffic via cable0 - only GRE/PPTP/DHCP allowed
>> > ${fwcmd} add deny log all from any to any via cable0
>>
>> Nothing else at all is going to go in or out? OK.

TL> Well, my intention was to allow GRE only incoming to nat (as only GRE
TL> packets are intended for my machine over the cable0/pptp link - all else is
TL> garbage, or dhcp), and anything outgoing (via nat). That would reduce 80% of
TL> the traffic on the cable0 iface reaching nat and my LAN. Seems that's not
TL> really feasible though.

>> > # NAT
>> > ${fwcmd} add divert natd log all from any to any via tun0
>>
>> OK.

TL> Not ok. Nothing reaches nat (tried it today). I also tried allowing only GRE
TL> to nat (instead of all), that didn't work either (I think because while
TL> incoming packets are gre, outgoing ones aren't...)

TL> Guess I'll go back to diverting all and concentrate on getting the rules
TL> right when the packets appear on the tun0 iface coming in.

>> --
>> Crist J. Clark | cjclark@alum.mit.edu
>>                | cjclark@jhu.edu
>> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

TL> Regards,
TL> Thor

--
Good Luck,
-Neill
freebsd@nc.rr.com
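The rule set below is an added example for the situation discussed in this thread (a FreeBSD box that is the PPTP client of its cable ISP, with cable0 carrying only DHCP and PPTP/GRE and tun0 being the PPP tunnel that natd works on); it is not Thor's rules or anything from the list. It makes explicit what "allow TCP both ways" means for the control connection: only the PPTP server listens on 1723, the client side uses an ephemeral port, and since ipfw's `setup` matches only the SYN, the rest of the connection needs its own rule, here `established` (packets with ACK or RST set, so no fresh inbound connection ever matches). The server address `10.0.0.138`, the variable names and the function are placeholders chosen for the example. It runs as a dry run that echoes the commands unless FWCMD is set to `ipfw`; rules for traffic on tun0 and the LAN, which belong after the divert, are not shown.

```shell
#!/bin/sh
# Added example ipfw rule set for a PPTP-over-cable client; not the
# original poster's rules. Assumed: ISP PPTP server at $pptp_server
# (placeholder address), cable0 carries only DHCP and PPTP/GRE, tun0 is
# the PPP tunnel that natd is applied to. Dry run by default.
fwcmd="${FWCMD:-echo ipfw}"
pptp_server="${PPTP_SERVER:-10.0.0.138}"   # placeholder, not a real ISP address

pptp_rules() {
    # DHCP on the cable interface: client broadcasts from 68 to 67,
    # the server answers back to 68.
    $fwcmd add allow udp from any 68 to any 67 out via cable0
    $fwcmd add allow udp from any 67 to any 68 in via cable0

    # PPTP control connection. We are the client, so the only SYN that
    # should ever match is ours, outbound to the server's port 1723;
    # our source port is ephemeral, hence "from any".
    $fwcmd add allow tcp from any to $pptp_server 1723 out via cable0 setup
    # The remaining packets of that connection, in both directions.
    # "established" matches only packets with ACK or RST set, so an
    # unsolicited inbound SYN to us is still dropped below.
    $fwcmd add allow tcp from any to $pptp_server 1723 out via cable0 established
    $fwcmd add allow tcp from $pptp_server 1723 to any in via cable0 established

    # GRE carries the tunnel payload, both ways, only to/from the server.
    $fwcmd add allow gre from any to $pptp_server out via cable0
    $fwcmd add allow gre from $pptp_server to any in via cable0

    # Everything else on cable0 is noise: log and drop.
    $fwcmd add deny log all from any to any via cable0

    # NAT on the tunnel interface. Packets come back from natd at the
    # next rule, so the rules for tun0/LAN traffic go after this one.
    $fwcmd add divert natd all from any to any via tun0
}

pptp_rules
```

Note the two `established` rules are pinned to the server address and to the direction (`in`/`out`), so they do not open port 1723 generally; with a later ipfw you could collapse them into one `setup keep-state` rule plus `check-state`, but the explicit pair shows exactly which half of the conversation each rule admits.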