Date: Fri, 20 Oct 2000 10:20:25 +0100
From: Adam Laurie <adam@algroup.co.uk>
To: peter@sysadmin-inc.com
Cc: freebsd-security@freebsd.org
Subject: Re: rc.firewall rule question.
Message-ID: <39F00E59.53ABB11D@algroup.co.uk>
References: <000c01c03a22$2acab280$47010a0a@fire.sysadmininc.com>
Peter Brezny wrote:
>
> on a 4.1 box i've confirmed ipfw/nat working using a simplified rule script.
>
> however, when i use the default rc.firewall script (modified for my machine)
> using the 'simple' parameter designed to protect a network and allow nat, my
> internal private network (10.90.1.0) doesn't work (i know could i be more
> specific...).
>
> i've added
>
> ${fwcmd} add allow icmp from any to any
>
> at the next to the last entry of the ruleset to help with diagnosis.
>
> when I comment out the line
>
> ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
>
> it still doesn't work, however when i comment out the line
>
> ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
>
> i can ping to external domains.
>
> I guess my big question is, does this script actually allow private internal
> domains to reach the outside world when properly configured?
>
> Has anyone gotten this script to work properly.
Not out of box. You need to put your allow rules before the RFC1918
rules if you're doing NAT.
cheers,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
Voysey House http://www.thebunker.net
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
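The ordering problem described in this thread, as an added illustration that is not part of the original exchange: a small first-match simulation of ipfw, where a divert rule rewrites the packet and evaluation continues at the next rule. It shows why the "deny all from any to 10.0.0.0/8 via ${oif}" rule kills the de-NATed reply while the "from 10.0.0.0/8 to any" rule never matches, and how an allow rule placed before the RFC1918 denies (Adam's advice) fixes it. The interface name, the public NAT address, the remote host and the single-flow natd stand-in are constructed assumptions.

```python
"""First-match ipfw simulation of the rc.firewall NAT ordering problem (constructed example)."""
from ipaddress import ip_address, ip_network

OIF = "ed0"                            # assumed outside interface (${oif})
PUBLIC = ip_address("203.0.113.1")     # assumed public address natd uses on ${oif}
ANY = ip_network("0.0.0.0/0")
NET10 = ip_network("10.0.0.0/8")
INSIDE = ip_network("10.90.1.0/24")    # the poster's internal network

class Natd:
    """Minimal natd stand-in: remembers one outbound flow so the reply can be un-NATed."""
    def __init__(self):
        self.inside_host = None
    def translate(self, pkt):
        src, dst, iface, direction = pkt
        if direction == "out":                       # outbound: rewrite source to PUBLIC
            self.inside_host = src
            return (PUBLIC, dst, iface, direction)
        if dst == PUBLIC and self.inside_host:       # inbound reply: restore inside destination
            return (src, self.inside_host, iface, direction)
        return pkt

def matches(rule, pkt):
    action, srcnet, dstnet, iface, direction = rule   # None means "any" for iface/direction
    src, dst, piface, pdirection = pkt
    return (src in srcnet and dst in dstnet
            and iface in (None, piface) and direction in (None, pdirection))

def evaluate(rules, pkt, natd):
    """Walk the ruleset in order; a matching divert rewrites the packet and continues."""
    for rule in rules:
        if matches(rule, pkt):
            if rule[0] == "divert":
                pkt = natd.translate(pkt)
                continue
            return rule[0]
    return "deny"                                     # implicit default deny

# As the poster's ruleset behaves: divert, then the RFC1918 denies, then the diagnostic allow.
BROKEN = [("divert", ANY, ANY, OIF, None),
          ("deny", ANY, NET10, OIF, None),            # kills the reply once natd has restored 10.90.1.x
          ("deny", NET10, ANY, OIF, None),            # never matches: source is already PUBLIC
          ("allow", ANY, ANY, None, None)]            # stand-in for "allow icmp from any to any"
# Adam's advice: an allow for the NATed network goes before the RFC1918 rules.
FIXED = BROKEN[:1] + [("allow", ANY, INSIDE, OIF, "in")] + BROKEN[1:]

def ping_round_trip(rules):
    """Return (verdict for the outbound echo request, verdict for the inbound reply)."""
    natd = Natd()
    remote = ip_address("198.51.100.9")               # constructed external host
    out = evaluate(rules, (ip_address("10.90.1.5"), remote, OIF, "out"), natd)
    back = evaluate(rules, (remote, PUBLIC, OIF, "in"), natd)
    return out, back
```

Note that the allow rule sits after the divert, so it only sees packets natd has already mapped back to the internal network; an inbound packet arriving with a 10.x destination before translation should still be dropped by a separate anti-spoof rule ahead of the divert.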
