Date: Fri, 20 Oct 2000 10:20:25 +0100
From: Adam Laurie <adam@algroup.co.uk>
To: peter@sysadmin-inc.com
Cc: freebsd-security@freebsd.org
Subject: Re: rc.firewall rule question.
Message-ID: <39F00E59.53ABB11D@algroup.co.uk>
References: <000c01c03a22$2acab280$47010a0a@fire.sysadmininc.com>
Peter Brezny wrote:
>
> On a 4.1 box I've confirmed ipfw/nat working using a simplified rule script.
>
> However, when I use the default rc.firewall script (modified for my machine)
> using the 'simple' parameter designed to protect a network and allow nat, my
> internal private network (10.90.1.0) doesn't work (I know, could I be more
> specific...).
>
> I've added
>
> ${fwcmd} add allow icmp from any to any
>
> at the next to the last entry of the ruleset to help with diagnosis.
>
> When I comment out the line
>
> ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
>
> it still doesn't work, however when I comment out the line
>
> ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
>
> I can ping to external domains.
>
> I guess my big question is, does this script actually allow private internal
> domains to reach the outside world when properly configured?
>
> Has anyone gotten this script to work properly?

Not out of box. You need to put your allow rules before the RFC1918 rules if
you're doing NAT.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
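As an added illustration of why the order matters (this is a constructed model, not code from the thread, from FreeBSD's rc.firewall, or from ipfw itself), the Python below walks a ruleset first-match the way ipfw does, with a divert rule that hands the packet to a stand-in for natd and then resumes at the next rule with the translated addresses. The interface name fxp0, the public address 203.0.113.1 and the remote host 198.51.100.10 are assumed values; 10.90.1.0/24 is the network from the question. The model reproduces the symptom Peter reports (the echo reply is translated back to an inside address after the divert and then dropped by the `deny all from any to 10.0.0.0/8 via ${oif}` rule), shows Adam's fix of placing the allow rules ahead of the RFC1918 rules, and checks that a packet that already carries an inside destination when it arrives on the outside interface is still dropped in both orderings.

```python
"""Toy model of ipfw first-match evaluation with a natd divert rule.

Constructed illustration, not FreeBSD's rc.firewall or ipfw code.
"""
import ipaddress
from dataclasses import dataclass, replace

OIF = "fxp0"                                        # assumed outside interface
PUBLIC_IP = "203.0.113.1"                           # constructed public address of the NAT box
INSIDE_NET = ipaddress.ip_network("10.90.1.0/24")   # the network from the question


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp" or "tcp"
    src: str
    dst: str
    iface: str
    direction: str      # "in" or "out"
    established: bool = False   # TCP segment with ACK/RST set


class Natd:
    """Minimal natd(8) stand-in: rewrites the source on the way out, remembers
    the inside host, and rewrites the destination on the way back in."""
    def __init__(self):
        self.table = {}     # public address -> inside host (single host model)

    def translate(self, pkt):
        if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in INSIDE_NET:
            self.table[PUBLIC_IP] = pkt.src
            return replace(pkt, src=PUBLIC_IP)
        if pkt.direction == "in" and pkt.dst in self.table:
            return replace(pkt, dst=self.table[pkt.dst])
        return pkt          # nothing to translate


def rule(action, proto, src="any", dst="any", via=None, direction=None, established=False):
    return (action, proto, src, dst, via, direction, established)


def _in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(rule, pkt):
    action, proto, src, dst, via, direction, established = rule
    if proto not in ("all", "ip", pkt.proto):
        return False
    if via is not None and via != pkt.iface:       # 'via' matches in and out
        return False
    if direction is not None and direction != pkt.direction:
        return False
    if established and not pkt.established:
        return False
    return _in_net(pkt.src, src) and _in_net(pkt.dst, dst)


def evaluate(rules, pkt, natd):
    """First-match walk. A divert hands the packet to natd and the search
    resumes at the following rule with the translated packet, which is what
    happens when natd re-injects a packet into ipfw."""
    for r in rules:
        if not matches(r, pkt):
            continue
        if r[0] == "divert":
            pkt = natd.translate(pkt)
            continue
        return r[0], pkt
    return "deny", pkt      # ipfw's implicit default rule


DIVERT = rule("divert", "all", via=OIF)
DENY_TO_RFC1918 = rule("deny", "all", dst="10.0.0.0/8", via=OIF)
DENY_FROM_RFC1918 = rule("deny", "all", src="10.0.0.0/8", via=OIF)
ALLOW_ICMP = rule("allow", "icmp")                  # Peter's diagnostic rule
ALLOW_ESTABLISHED = rule("allow", "tcp", established=True)
ALLOW_REST = rule("allow", "ip")                    # stand-in for the rest of the ruleset

# Order as described in the thread: the allow rules sit behind the RFC1918 rules.
AS_POSTED = [DIVERT, DENY_TO_RFC1918, DENY_FROM_RFC1918, ALLOW_ICMP, ALLOW_ESTABLISHED, ALLOW_REST]
# Adam's advice: allow rules ahead of the RFC1918 rules.
FIXED = [DIVERT, ALLOW_ICMP, ALLOW_ESTABLISHED, DENY_TO_RFC1918, DENY_FROM_RFC1918, ALLOW_REST]


def ping_round_trip(rules):
    """Send an echo request out and its reply back in; return both verdicts
    and the destination the reply ends up with."""
    natd = Natd()
    request = Packet("icmp", "10.90.1.5", "198.51.100.10", OIF, "out")
    verdict_out, _ = evaluate(rules, request, natd)
    reply = Packet("icmp", "198.51.100.10", PUBLIC_IP, OIF, "in")
    verdict_in, final = evaluate(rules, reply, natd)
    return verdict_out, verdict_in, final.dst


def spoofed_syn(rules):
    """A TCP SYN arriving on the outside interface already addressed to an
    inside host (no natd entry): the RFC1918 rule should still drop it."""
    pkt = Packet("tcp", "198.51.100.10", "10.90.1.5", OIF, "in")
    return evaluate(rules, pkt, Natd())[0]


if __name__ == "__main__":
    print("as posted:", ping_round_trip(AS_POSTED), "spoof:", spoofed_syn(AS_POSTED))
    print("fixed:    ", ping_round_trip(FIXED), "spoof:", spoofed_syn(FIXED))
```

In the posted order the request goes out (the divert rewrites its source before the `deny from 10/8` rule is reached) but the reply is rewritten to 10.90.1.5 and then hits `deny to 10/8 via oif`, which is exactly the rule Peter found he had to comment out. With the allow rules moved ahead of the RFC1918 rules the reply is accepted while an unsolicited packet addressed to the inside network still falls through to the deny. The `allow icmp from any to any` rule is Peter's diagnostic; for a production ruleset the allows placed ahead of the RFC1918 block should be as narrow as the traffic you actually expect back through natd.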