Date: Fri, 23 Oct 1998 12:06:39 +1300 (NZDT)
From: Andrew McNaughton <andrew@squiz.co.nz>
To: Dan Langille <junkmale@xtra.co.nz>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: default rules in rc.firewall cause problem
Message-ID: <Pine.BSF.4.01.9810231204020.2888-100000@aniwa.sky>
In-Reply-To: <199810221629.FAA27065@cyclops.xtra.co.nz>
On Fri, 23 Oct 1998, Dan Langille wrote:

> I've been setting up a firewall using the open model supplied in
> /etc/rc.firewall as the basis of our security. I've found that one of the
> rules, designed to "# Stop RFC1918 nets on the outside interface" does not
> seem to be very useful, at least in my situation. The rule in question is:
>
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>
> The subnet is within the 192.168.*.* range. ed1 is the subnet, and ed0 is
> the ISP. In order for any traffic to get outside, I need to modify the
> above rule to:
>
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

Are you using natd or iijppp's address translation? The ppp translation
seems to happen after the packets have been through the firewall. In any
case, if you are using ppp's translation the RFC1918 rules are not needed
or useful.

Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
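An added illustration, not part of this thread, of why the bare `via ${oif}` rule and the `out`-qualified one behave differently: a toy model of ipfw first-match evaluation with the `via` / `out` direction semantics, fed a reply packet as the firewall would see it depending on whether address translation ran before or after it. The interface name and addresses (RFC 5737 documentation ranges) are constructed, and only direction and destination matching is modelled, not the rest of ipfw.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet crosses
    direction: str   # "in" or "out"

@dataclass
class Rule:
    action: str                          # "deny" or "allow"
    dst: ipaddress.IPv4Network           # ipfw "addr:mask" modelled as a network
    via: str                             # interface named in "via"
    direction: Optional[str] = None      # None = bare "via", matches both ways

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.via
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.direction is None or self.direction == p.direction))

def evaluate(rules, pkt, default="allow"):
    """First matching rule wins, as in ipfw; the open model ends in allow."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default

RFC1918_NET = ipaddress.ip_network("192.168.0.0/16")
OIF = "ed0"
RULE_VIA = Rule("deny", RFC1918_NET, OIF)             # rc.firewall's rule
RULE_VIA_OUT = Rule("deny", RFC1918_NET, OIF, "out")  # Dan's modified rule

# Constructed addresses: inside host, our public address, a host at the ISP.
INSIDE, PUBLIC, REMOTE = "192.168.1.5", "203.0.113.7", "198.51.100.9"

def reply_packet(translated_before_firewall: bool) -> Packet:
    """Reply from REMOTE as ipfw sees it on the outside interface. If the
    translation has already undone the aliasing when the packet reaches
    the firewall, the destination is the private inside address."""
    dst = INSIDE if translated_before_firewall else PUBLIC
    return Packet(REMOTE, dst, OIF, "in")

def verdicts(rule: Rule) -> dict:
    """Verdict of a single rule on an outbound packet and on both reply forms."""
    outbound = Packet(INSIDE, REMOTE, OIF, "out")
    return {"outbound": evaluate([rule], outbound),
            "reply_public_dst": evaluate([rule], reply_packet(False)),
            "reply_private_dst": evaluate([rule], reply_packet(True))}
```

With the bare `via` rule, a reply that already carries the private destination when it hits the firewall is dropped; the `out` qualifier leaves inbound packets untouched, which is the behaviour Dan observed.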