Date:      Tue, 27 Jun 2000 12:22:09 -0600 (MDT)
From:      Paul Hart <hart@iserver.com>
To:        "Ron 'The InSaNe One' Rosson" <insane@lunatic.oneinsane.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: icmp type 3 code 4: a couple of questions
Message-ID:  <Pine.BSF.4.21.0006271215230.29364-100000@anchovy.orem.iserver.com>
In-Reply-To: <20000627102339.B861@lunatic.oneinsane.net>

On Tue, 27 Jun 2000, Ron 'The InSaNe One' Rosson wrote:

> I would love to see your rule set that accomplishes this on a gateway
> firewall. (No NAT)

I'm not sure what difference NAT would make, but what's wrong with
something like this?

    block in on fxp0
    pass out quick on fxp0 proto tcp from any to any keep state
    pass out quick on fxp0 proto udp from any to any keep state
    pass out quick on fxp0 proto icmp from any to any keep state

Here fxp0 is your "outside" interface.  I've only used something like this
in conjunction with NAT, but are you saying that something like this would
not work on a non-NAT firewall?  I don't know the specific requirements of
the original poster, but from his Klingon analogy it sounds like he wants
to remain invisible on the network (i.e. he has no inbound connections),
and as far as I can tell the above rules accomplish just that.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
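The following is an added illustration, not part of Paul's message: a deliberately simplified Python model of the four-rule "block in / pass out keep state" policy above, showing why unsolicited inbound traffic is dropped while replies to outbound connections get back in. It assumes a plain 5-tuple state table and ipf's default-pass behaviour for unmatched traffic; it does not model the real IPFilter state engine (sequence windows, timeouts, or how ICMP errors are matched to existing connections).

```python
# Constructed example: a toy stateful filter for the ruleset
#   block in on fxp0
#   pass out quick on fxp0 proto {tcp,udp,icmp} from any to any keep state
# Not IPFilter's real state engine; assumptions are noted in comments.
from dataclasses import dataclass

OUTSIDE = "fxp0"  # the "outside" interface named in the ruleset


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out", relative to the firewall
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for icmp: echo identifier (constructed convention)
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self):
        # 5-tuples of outbound flows created by "keep state"
        self.state = set()

    def filter(self, p: Packet) -> str:
        if p.iface != OUTSIDE:
            return "pass"  # assumption: nothing in the ruleset touches other interfaces
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # State is checked before the rules: a reply to an outbound flow passes.
        if p.direction == "in" and reverse in self.state:
            return "pass"
        if p.direction == "in":
            return "block"  # "block in on fxp0": no inbound connections
        if p.proto in ("tcp", "udp", "icmp"):
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "pass"  # "pass out quick ... keep state" (default pass otherwise)


def demo() -> dict:
    fw = StatefulFilter()
    lan, peer = "198.51.100.2", "203.0.113.80"  # constructed documentation addresses
    return {
        # unsolicited SYN to the local sshd: no state, dropped by "block in"
        "inbound_syn": fw.filter(Packet(OUTSIDE, "in", "tcp", peer, 40000, lan, 22)),
        # local client opens a web connection outbound: creates state
        "outbound_syn": fw.filter(Packet(OUTSIDE, "out", "tcp", lan, 51000, peer, 80)),
        # server's SYN-ACK matches the reversed tuple and is let back in
        "reply": fw.filter(Packet(OUTSIDE, "in", "tcp", peer, 80, lan, 51000)),
        # same server, wrong local port: no state match, still blocked
        "forged_reply": fw.filter(Packet(OUTSIDE, "in", "tcp", peer, 80, lan, 51001)),
        # inbound echo request: blocked, so the host looks "invisible"
        "ping_in": fw.filter(Packet(OUTSIDE, "in", "icmp", peer, 7, lan, 7)),
    }
```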
