From owner-freebsd-questions Tue Feb 12 16:37:15 2002
Date: Tue, 12 Feb 2002 19:36:35 -0500 (EST)
From: Chris Collins <chris@collins-ca.com>
To: questions@freebsd.org
Subject: NAT/IPFW security question
Message-ID: <20020212192234.F908-100000@bsduser.ca>

Hello,

I have just recently set up my FreeBSD machine to connect to my ISP via DHCP and run NAT for the rest of my network. I have a question I hope somebody on this list can help me with.

How do I secure my FreeBSD box so that it does not allow any traffic into my machine that I do not make a rule for? As it stands right now the rule "add pass all from any to any" is allowing all ports into my machine, but without it my NAT does not work.

Here is a complete list of my rules:

    -f flush
    add divert natd all from any to any via dc0
    add pass all from any to any
    add 230 allow tcp from any to any 21 via dc0
    add 240 allow tcp from any to any 25 via dc0
    add 250 allow tcp from any to any 110 via dc0
    add 270 allow tcp from any to any 80 via dc0
    #add 290 allow tcp from any to any 10000 via dc0
    add 300 allow icmp from any to any
    add 65534 deny log ip from any to any

I have other ports being used that are not in this list that I only want my 10.0.0.0/24 home network on interface dc1 to have access to.

Can anybody offer any suggestions?

Thanks,
Chris

Chris Collins
chris@collins-ca.com
MSN Msg: chris_collins_ca@hotmail.com
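Added example, not from the poster or from any reply on the list: a ruleset in the same file format that keeps the natd divert but replaces the blanket "pass all" with an outbound-plus-"established" pattern, so that on dc0 only the services listed in the post accept new inbound connections. It assumes the interface names, service ports and 10.0.0.0/24 LAN from the post, and because this filter is stateless it has to admit DNS answers and the ISP's DHCP replies explicitly.

```ipfw
-f flush
# Translate on the outside interface first, so every later rule sees
# post-NAT addresses on the way in and pre-NAT addresses on the way out.
add 100 divert natd ip from any to any via dc0
# Loopback and the trusted home LAN on dc1 are unrestricted.
add 200 allow ip from any to any via lo0
add 210 allow ip from any to any via dc1
# Packets arriving on the outside with a LAN source address are spoofed.
add 220 deny log ip from 10.0.0.0/24 to any in via dc0
# Anything leaving on dc0 is allowed; the replies come back with the
# TCP ACK bit set and match "established". This is stateless, so a packet
# with ACK set that belongs to no real session passes too; that is the
# known limit of this pattern compared with keep-state rules.
add 300 allow ip from any to any out via dc0
add 310 allow tcp from any to any established
# New inbound TCP connections: only the services intentionally offered.
add 400 allow tcp from any to any 21,25,80,110 in via dc0 setup
# Stateless UDP the box itself needs: DNS answers and DHCP replies.
add 500 allow udp from any 53 to any in via dc0
add 510 allow udp from any 67 to any 68 in via dc0
# ICMP limited to echo reply, unreachable, echo request, time exceeded.
add 600 allow icmp from any to any icmptypes 0,3,8,11
# Everything that reached this point, inbound on dc0 included, is logged
# and dropped, which is the behaviour the original "pass all" prevented.
add 65534 deny log ip from any to any
```

Load it the same way as the original file (one ipfw command per line) and watch the log for rule 65534 hits to see what the old "pass all" rule was letting through.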