From owner-freebsd-security Tue Jun 27 11:22:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 0DE7E37B642 for ; Tue, 27 Jun 2000 11:22:16 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Tue, 27 Jun 2000 12:22:14 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma004046; Tue, 27 Jun 00 12:22:09 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id MAA29714; Tue, 27 Jun 2000 12:22:09 -0600 (MDT)
Date: Tue, 27 Jun 2000 12:22:09 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: "Ron 'The InSaNe One' Rosson"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: <20000627102339.B861@lunatic.oneinsane.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Jun 2000, Ron 'The InSaNe One' Rosson wrote:

> I would love to see your rule set that accomplishes this on a gateway
> firewall. (No NAT)

I'm not sure what difference NAT would make, but what's wrong with
something like this?

    block in on fxp0
    pass out quick on fxp0 proto tcp from any to any keep state
    pass out quick on fxp0 proto udp from any to any keep state
    pass out quick on fxp0 proto icmp from any to any keep state

Here fxp0 is your "outside" interface.

I've only used something like this in conjunction with NAT, but are you
saying that something like this would not work on a non-NAT firewall?

I don't know the specific requirements of the original poster, but from
his Klingon analogy it sounds like he wants to remain invisible on the
network (i.e. he has no inbound connections), and as far as I can tell
the above rules accomplish just that.
Paul Hart
--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
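The following is an added worked example, not code from the original post and not IP Filter's own source. It models, in Python, the behaviour the thread is relying on: with "block in" on the outside interface and "keep state" on outbound traffic, an inbound ICMP type 3 code 4 (fragmentation needed) is useful only if the filter can tie the datagram quoted inside it back to a connection the host itself opened. The packet layouts follow RFC 792 and RFC 1191; the addresses (10.0.0.5, 192.0.2.10, 198.51.100.1), the state table contents and the matching policy in inbound_verdict() are constructed assumptions about how a stateful filter should treat ICMP errors, not a description of ipf's implementation.

```python
"""Model of 'block in' + 'pass out ... keep state' applied to inbound ICMP.
Added illustration, not ipf's code.  Packet layouts per RFC 792 / RFC 1191;
the state-matching policy below is an assumption about a stateful filter."""
import ipaddress
import struct

PROTO_NAMES = {6: "tcp", 17: "udp"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; yields 0 over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(buf: bytes):
    """Return (proto, src, dst, header_len) from the first 20 bytes of an IPv4 header."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return (proto, str(ipaddress.IPv4Address(src)),
            str(ipaddress.IPv4Address(dst)), (ver_ihl & 0x0F) * 4)


def icmp_frag_needed(router: str, host: str, quoted: bytes, mtu: int) -> bytes:
    """router -> host ICMP type 3 code 4, quoting the offending IP header + 8 bytes."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(router, host, 1, len(body)) + body


def icmp_echo_request(src: str, host: str) -> bytes:
    """An unsolicited ping aimed at the host: nothing in the state table explains it."""
    body = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(src, host, 1, len(body)) + body


def inbound_verdict(pkt: bytes, state: set):
    """Assumed policy: pass an inbound ICMP error only when the datagram it quotes
    belongs to an outbound 5-tuple in the state table; block everything else.
    Returns ('pass', next_hop_mtu_or_None) or ('block', reason)."""
    proto, _src, _dst, ihl = parse_ipv4_header(pkt)
    if proto != 1:
        return ("block", "not icmp")  # TCP/UDP would be judged by their own state entries
    icmp = pkt[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return ("block", "truncated or bad checksum")
    itype, code = icmp[0], icmp[1]
    if itype != 3:
        return ("block", "unsolicited icmp type %d" % itype)  # echo etc.: stay invisible
    quoted = icmp[8:]
    if len(quoted) < 28:
        return ("block", "quoted datagram too short")
    qproto, qsrc, qdst, qihl = parse_ipv4_header(quoted)
    if qproto not in PROTO_NAMES or len(quoted) < qihl + 4:
        return ("block", "quoted datagram not tcp/udp")
    sport, dport = struct.unpack("!HH", quoted[qihl:qihl + 4])
    key = (PROTO_NAMES[qproto], qsrc, sport, qdst, dport)  # our own outbound 5-tuple
    if key not in state:
        return ("block", "no state for quoted datagram")
    if code != 4:
        return ("pass", None)
    return ("pass", struct.unpack("!H", icmp[6:8])[0])  # next-hop MTU, RFC 1191


# Constructed sample addresses (documentation ranges), not from the original post.
HOST, REMOTE, ROUTER = "10.0.0.5", "192.0.2.10", "198.51.100.1"
# State table as populated by our own 'pass out ... keep state' hits: one outbound TCP flow.
STATE = {("tcp", HOST, 40001, REMOTE, 80)}


def demo():
    """Run four constructed inbound packets through the model and return the verdicts."""
    # The 1500-byte segment we sent; the router quotes its IP header plus 8 TCP bytes.
    segment = ipv4_header(HOST, REMOTE, 6, 1480) + struct.pack("!HHI", 40001, 80, 1000) + b"\x00" * 1472
    too_big = icmp_frag_needed(ROUTER, HOST, segment[:28], 1280)
    # Same error, but quoting a source port this host never used.
    forged = icmp_frag_needed(ROUTER, HOST, ipv4_header(HOST, REMOTE, 6, 1480)
                              + struct.pack("!HHI", 40002, 80, 1000), 576)
    return {
        "frag_needed": inbound_verdict(too_big, STATE),
        "forged": inbound_verdict(forged, STATE),
        "ping": inbound_verdict(icmp_echo_request(REMOTE, HOST), STATE),
        "corrupt": inbound_verdict(too_big[:-1] + bytes([too_big[-1] ^ 0xFF]), STATE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-12s %s" % (name, verdict))
```

The point the model makes is that "remaining invisible" and "receiving fragmentation-needed errors" are not in tension: the error carries the 5-tuple of the host's own outbound datagram, so a filter that keeps state can admit it without ever passing an unsolicited inbound packet. A forged type 3 code 4 quoting a port the host never used, or a plain echo request, gets nothing back.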