From owner-freebsd-ipfw Mon Apr 24 7:54:18 2000
Date: Mon, 24 Apr 2000 10:53:06 -0400 (EDT)
From: Mike Heffner
To: Jordan Blanchard
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Firewall and the general Network

On 24-Apr-2000 Jordan Blanchard wrote:
| | "Forcing you to use a proxy?" What do you mean?
| |
| well, when trying to view web pages without a proxy program through my 95
| box, it stalls..
|
| | Anyway, could you send,
| | # ipfw show
|
| 00060 66545 35492707 allow ip from any to any
| 00100 0 0 divert 8668 ip from any to any via tun0
| 00100 0 0 allow ip from any to any via lo0
| 00100 0 0 divert 8668 ip from any to any via tun0
| 00100 0 0 divert 8668 ip from any to any via tun0
| 00200 0 0 deny ip from any to 127.0.0.0/8
| 00210 0 0 deny icmp from any to any via ed0
| 65535 16 1000 deny ip from any to any
|

Well...there doesn't seem to be much sense to those rules. You should probably
be able to notice that all traffic is being passed by rule 60 and none is being
diverted through natd (that's what the 0's mean). Also, why do you have 3
different divert rules?

Here is my suggestion to achieve a basic functioning firewall:

100 allow ip from any to any via lo0
200 deny ip from any to 127.0.0.0/8
300 divert 8668 ip from any to any via tun0
400 allow ip from any to any

Later,

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA    ICQ# 882073    *
 * Sent at: 24-Apr-2000 -- 10:47:58 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/
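
The review done by eye in the message above can be automated. The following is an added example, not part of the original post or of ipfw: it relies on ipfw stopping at the first rule that gives an allow or deny verdict, and the names parse, audit and diverted_packets are hypothetical. It reads an `ipfw show` listing, flags duplicate rules and rules placed after an unconditional verdict, and sums the counters on the divert rules.

```python
import re
# Constructed input: the `ipfw show` listing quoted in the message above.
SHOWN = """\
00060 66545 35492707 allow ip from any to any
00100 0 0 divert 8668 ip from any to any via tun0
00100 0 0 allow ip from any to any via lo0
00100 0 0 divert 8668 ip from any to any via tun0
00100 0 0 divert 8668 ip from any to any via tun0
00200 0 0 deny ip from any to 127.0.0.0/8
00210 0 0 deny icmp from any to any via ed0
65535 16 1000 deny ip from any to any
"""
# Rule number, optional packet/byte counters, then the rule body.
LINE = re.compile(r"^(\d+)(?:\s+(\d+)\s+(\d+))?\s+([a-z].*)$")
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop"}
MATCH_ALL = {"ip from any to any", "all from any to any"}

def parse(listing):
    # Rules in evaluation order as (number, packets, body) tuples.
    rules = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            rules.append((int(m[1]), int(m[2] or 0), " ".join(m[4].split())))
    return rules

def audit(rules):
    """Flag exact duplicates and rules placed after an unconditional verdict."""
    findings, seen, catch_all = [], set(), None
    for num, _pkts, body in rules:
        if num == 65535:  # built-in default rule, always evaluated last
            continue
        if (num, body) in seen:
            findings.append((num, body, "duplicate"))
        seen.add((num, body))
        action, _, rest = body.partition(" ")
        if catch_all is not None:
            findings.append((num, body, "unreachable after rule %d" % catch_all))
        elif action in TERMINAL and rest in MATCH_ALL:
            catch_all = num
    return findings

def diverted_packets(rules):
    """Packets counted by divert rules; 0 means natd never saw any traffic."""
    return sum(pkts for _, pkts, body in rules if body.startswith("divert "))

if __name__ == "__main__":
    print("packets diverted to natd:", diverted_packets(parse(SHOWN)))
    for finding in audit(parse(SHOWN)):
        print("rule %05d  %-45s %s" % finding)
```

Run against the four-rule set suggested in the message, audit reports nothing, because the unconditional allow comes last.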