From: Martin Heinen
To: freebsd-doc@FreeBSD.ORG
Date: Tue, 18 Dec 2001 14:28:30 +0100
Subject: Question 6.3 of 'Dialup firewalling with FreeBSD'
Message-ID: <20011218142830.A6807@sumuk.de>

The answer to question 6.3 in 'Dialup firewalling with FreeBSD' states
that it is impossible to filter RFC-1918 addresses on the outside
interface. Ok, it states 'The simple answer is no.', but the article
should provide a long answer.

Possible solutions:

1) Include the relevant section from the 'simple' setup of
   /etc/rc.firewall, that is, first stop RFC-1918 nets on the outside
   interface, then do NAT (divert rule); remove question 6.3.
   Although this is the correct approach (IMHO), this will double the
   size of the firewall rulebase and readers may have difficulty
   following the article.

2) The answer to question 6.3 provides the relevant section of
   /etc/rc.firewall and where to plug it in.

3) We could refer the reader to /etc/rc.firewall but this seems to
   circumvent the purpose of the article.

If no one objects I'll send-pr solution 1).

Martin
--
Marxpitn
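
The rule ordering discussed in the message above, as an added example that is not part of the original post and not the text of /etc/rc.firewall. It assumes natd on a dial-up interface named tun0 (a constructed value) and prints the ipfw commands instead of loading them.

```shell
#!/bin/sh
# Added example: rule ORDER around the natd divert rule on a dial-up link.
# Constructed values: tun0 as the outside interface, dry-run fwcmd.

oif="tun0"          # assumed outside (dial-up) interface
fwcmd="echo ipfw"   # dry run: prints the commands; use /sbin/ipfw to load them
private_nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

outside_rules() {
    # Before NAT: nothing on the outside interface may be addressed TO a
    # private net. Inbound replies still carry the public address at this
    # point, so only bogus packets match.
    for net in $private_nets; do
        $fwcmd add deny all from any to "$net" via "$oif"
    done

    # NAT. Translated packets continue at the rule after this one, which is
    # why a "to private net" check placed below it would drop legitimate
    # replies whose destination was just rewritten to an inside host.
    $fwcmd add divert natd all from any to any via "$oif"

    # After NAT: outbound packets now carry the public source address, so a
    # private source seen on the outside interface is either spoofed
    # (inbound) or leaked untranslated (outbound). Placed above the divert
    # rule, this check would block every inside host before translation.
    for net in $private_nets; do
        $fwcmd add deny all from "$net" to any via "$oif"
    done
}

outside_rules
```

Rules added without explicit numbers are numbered in the order they are added, so the printed sequence is the evaluation order.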