Date: Thu, 25 Nov 1999 12:36:20 +0100 (CET)
From: Micke Josefsson <mj@isy.liu.se>
To: questions@freebsd.org
Subject: IPFW setup Beginner's questions

I have just recently started reading Chapman and Zwicky's Building Internet Firewalls and am a bit confused. While the book talks about direction of traffic they hardly ever mention which interface to use. In our ipfw rules we can specify to filter traffic 'via fxp0' for example, but the book seems rarely interested in that.

To prevent internal IP numbers from coming from the outside we specify:

    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

where inet/imask and oif are our internal net and netmask and outer interface, and onet/omask and iif are outer net, outer netmask and inner interface.

This seems logical, but what about for example telnet (port 23); will a rule of

    $fwcmd add pass tcp from any to ${oip} 23 setup   # oip = outer ip

allow contact to telnetd from both of my interfaces, but not *through* my firewall? (i.e. *between* interfaces?) What about specifying interfaces in this case? If I only want my internal net to access telnetd do I have to set up a rule via vx0 (my 192.168-interface), and another rule for fxp0 (my 130.236-interface)?
And does direction have its origin in the firewall, sitting between the two interfaces? So that telnet access from my internal net to external net is 'incoming' from vx0 to firewall and 'outgoing' from firewall to the rest of the world?

In any case I have sysctl.inet.ip.forwarding=0, so that any traffic at all must trickle through my firewall.

It really is an amazing subject, anyway :)

Cheers,
Micke

----------------------------------
Michael Josefsson, MSEE
mj@isy.liu.se
This message was sent by XFMail running on FreeBSD 3.1
----------------------------------
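The question above is about what 'in'/'out' and 'via <interface>' select. The following is an added example, not from the mail or from ipfw itself: a small Python model of ipfw's first-match evaluation, used to try the anti-spoofing rules and the telnet rule from the mail against sample SYN packets. The interface names vx0 (inner) and fxp0 (outer) come from the mail; the /16 masks and the outer IP 130.236.49.1 are constructed values.

```python
from ipaddress import ip_address, ip_network

INNER, OUTER = "vx0", "fxp0"          # interfaces named in the mail
INET = ip_network("192.168.0.0/16")   # internal net (constructed mask)
ONET = ip_network("130.236.0.0/16")   # outer net (constructed mask)
OIP = "130.236.49.1"                  # constructed outer IP of the firewall

def rule(action, proto, src, dst, dport=None, direction=None, via=None, setup=False):
    """One ipfw-style rule; src/dst are 'any' or an ip_network."""
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport,
                direction=direction, via=via, setup=setup)

def syn(src, dst, dport, direction, iface):
    """A TCP SYN as the chain sees it on one pass: direction is relative
    to the firewall host, iface is the interface it is seen on."""
    return dict(src=src, dst=dst, proto="tcp", dport=dport,
                direction=direction, iface=iface, syn=True)

def matches(r, pkt):
    if r["proto"] not in ("all", pkt["proto"]):
        return False
    for end in ("src", "dst"):
        if r[end] != "any" and ip_address(pkt[end]) not in r[end]:
            return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    # 'in'/'out' restricts the direction; 'via X' restricts the interface.
    if r["direction"] is not None and pkt["direction"] != r["direction"]:
        return False
    if r["via"] is not None and pkt["iface"] != r["via"]:
        return False
    return not r["setup"] or pkt["syn"]   # 'setup' matches only SYNs

def verdict(rules, pkt):
    """(rule number, action) of the first match; default at end of chain is deny."""
    for number, r in enumerate(rules, 100):
        if matches(r, pkt):
            return number, r["action"]
    return None, "deny"

ANTI_SPOOF = [
    rule("deny", "all", INET, "any", direction="in", via=OUTER),  # inner src arriving outside
    rule("deny", "all", ONET, "any", direction="in", via=INNER),  # outer src arriving inside
]
# The telnet rule as written in the mail: no interface given, so it passes on both.
RULES_QUESTION = ANTI_SPOOF + [rule("pass", "tcp", "any", ip_network(OIP), 23, setup=True)]
# Limited to the internal side: only SYNs from the internal net arriving on vx0.
RULES_INNER_ONLY = ANTI_SPOOF + [
    rule("pass", "tcp", INET, ip_network(OIP), 23, direction="in", via=INNER, setup=True)]
```

A packet forwarded between the two interfaces traverses the chain twice, once as `in via vx0` and once as `out via fxp0`; with ip.forwarding=0 no packet takes that path, so the chain only ever sees traffic to or from the firewall host itself.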