Date: Wed, 12 Aug 1998 11:26:49 -0700 (PDT)
From: Dan Busarow <dan@dpcsys.com>
To: Dan Langille <junkmale@xtra.co.nz>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules
Message-ID: <Pine.BSF.3.96.980812111721.21796C-100000@java.dpcsys.com>
In-Reply-To: <199808120750.TAA00553@cyclops.xtra.co.nz>
On Wed, 12 Aug 1998, Dan Langille wrote:

> > > # if either of the following two lines are enabled, it stops my
> > > # Pegasus email client from accessing the POP server at my ISP
> > > add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> >
> > Stop any packets originating from 192.168.x.x from leaving this machine.
> > What's the machine's IP?
>
> ed0 (outside world) is not within this range. ed1 (my subnet) is. Isn't
> this rule trying to stop packets going out on ed0 (outside world)?

If the deny comes before your divert rule then the inside network is
locked inside. This can be useful but doesn't sound like what you are
after. If it's after the divert it should be blocking 1918 addresses
coming in from the Internet (where they shouldn't be roaming around
anyway).

> > > add pass tcp from any to any setup
> >
> > Allows TCP connections to start but probably blocks the rest because of
> > the above rule.
>
> Yeah. Strange. These are the default rules within rc.firewall.

There should be an earlier rule that passes established connections.
And there should be a

  $fwcmd add deny log tcp from any to any in via ${oif} setup

before the add pass tcp from any to any setup. Without the deny the
established and setup pair pretty much says "anything goes".

Dan
-- 
Dan Busarow                                                949 443 4172
DPC Systems / Beach.Net                                  dan@dpcsys.com
Dana Point, California   83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980812111721.21796C-100000>
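The ordering points made in this reply (deny before or after the natd divert, and the "deny ... in via ${oif} setup" rule ahead of "pass ... setup") come down to ipfw's first-match evaluation. The following is an added example, not code from the thread or from FreeBSD: a small first-match simulator in Python that replays the discussed rules against constructed packets. It models the divert rule as natd rewriting the source address of outbound packets and continuing at the next rule; inbound translation, ports and logging are deliberately not modelled. The addresses (203.0.113.5, 192.168.1.10, 198.51.100.7) are constructed TEST-NET / RFC 1918 values, not from the thread.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses for the demo (TEST-NET and RFC 1918 ranges, not from the thread).
OUTSIDE_IP = "203.0.113.5"     # the router's own address on ed0
INSIDE_HOST = "192.168.1.10"   # a host on ed1, inside 192.168.0.0/16
ISP_POP = "198.51.100.7"       # the ISP's POP server
OIF, IIF = "ed0", "ed1"        # ${oif} and the inside interface, as named in the thread


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str          # interface the packet crosses
    direction: str      # "in" or "out" relative to the router
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass
class Rule:
    action: str                      # "pass", "deny" or "divert"
    proto: str = "all"
    src: str = "any"                 # "any" or CIDR; 192.168.0.0:255.255.0.0 == 192.168.0.0/16
    dst: str = "any"
    iface: Optional[str] = None      # "via ed0": that interface, either direction
    direction: Optional[str] = None  # "in"/"out", combined with iface for "in via ed0"
    setup: bool = False              # ipfw "setup": SYN set, ACK clear
    established: bool = False        # ipfw "established": ACK set


def _addr_in(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not (_addr_in(rule.src, pkt.src) and _addr_in(rule.dst, pkt.dst)):
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """First matching pass/deny decides. A matching divert stands in for natd here:
    outbound packets get the router's outside address as source and evaluation
    continues with the rewritten packet, which is why order around it matters."""
    pkt = replace(pkt)  # work on a copy so the sample packets stay unchanged
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            if pkt.direction == "out":
                pkt.src = OUTSIDE_IP  # simplification: inbound translation is not modelled
            continue
        return rule.action
    return "deny"  # stands in for the implicit final deny of a default-deny rc.firewall


# The rules discussed in the thread; only their order changes between scenarios.
DENY_PRIVATE_VIA_OIF = Rule("deny", src="192.168.0.0/16", iface=OIF)
DIVERT_NATD = Rule("divert", iface=OIF)
PASS_ESTABLISHED = Rule("pass", proto="tcp", established=True)
DENY_INBOUND_SETUP = Rule("deny", proto="tcp", iface=OIF, direction="in", setup=True)
PASS_SETUP = Rule("pass", proto="tcp", setup=True)

# Constructed sample packets.
INSIDE_TO_POP_SYN = Packet("tcp", INSIDE_HOST, ISP_POP, OIF, "out", syn=True)
INTERNET_TO_ROUTER_SYN = Packet("tcp", ISP_POP, OUTSIDE_IP, OIF, "in", syn=True)
INTERNET_TO_ROUTER_ACK = Packet("tcp", ISP_POP, OUTSIDE_IP, OIF, "in", ack=True)
SPOOFED_PRIVATE_IN = Packet("tcp", "192.168.7.7", OUTSIDE_IP, OIF, "in", syn=True)


def scenarios() -> dict:
    deny_before_divert = [DENY_PRIVATE_VIA_OIF, DIVERT_NATD, PASS_ESTABLISHED, PASS_SETUP]
    deny_after_divert = [DIVERT_NATD, DENY_PRIVATE_VIA_OIF, PASS_ESTABLISHED, PASS_SETUP]
    setup_pair_only = [DIVERT_NATD, PASS_ESTABLISHED, PASS_SETUP]
    with_inbound_deny = [DIVERT_NATD, PASS_ESTABLISHED, DENY_INBOUND_SETUP, PASS_SETUP]
    return {
        "inside locked in (deny before divert)": evaluate(deny_before_divert, INSIDE_TO_POP_SYN),
        "inside gets out (deny after divert)": evaluate(deny_after_divert, INSIDE_TO_POP_SYN),
        "spoofed 192.168 from Internet (deny after divert)": evaluate(deny_after_divert, SPOOFED_PRIVATE_IN),
        "inbound SYN with only pass setup": evaluate(setup_pair_only, INTERNET_TO_ROUTER_SYN),
        "inbound SYN with deny in via ed0 setup": evaluate(with_inbound_deny, INTERNET_TO_ROUTER_SYN),
        "outbound SYN with deny in via ed0 setup": evaluate(with_inbound_deny, INSIDE_TO_POP_SYN),
        "return ACK with deny in via ed0 setup": evaluate(with_inbound_deny, INTERNET_TO_ROUTER_ACK),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{verdict:5s}  {name}")
```

Running it shows the three ordering effects from the reply: the same 192.168.0.0/16 deny locks the inside network in when it sits before the divert and becomes an anti-spoofing rule for inbound packets when it sits after; "pass tcp from any to any setup" on its own lets any inbound SYN through; and putting the "deny ... in via ed0 setup" rule ahead of it blocks inbound connection attempts while outbound SYNs and established return traffic still pass.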