From: "Patrick Bihan-Faou"
To: "f.johan.beisser" ,
Subject: Re: default rc.firewall
Date: Wed, 6 Oct 1999 09:40:00 -0400
Message-ID: <007e01bf1000$49935520$190aa8c0@local.mindstep.com>

Hi,

> i've found that the rc.firewall is not really necessary for the NAT
> gateways. basically, i set everything from the natd(8), and use the
> rc.firewall for logging certain kinds of transactions, or bandwidth
> control.

I think you missed my point. I am not arguing whether NATD can do what
IPFW does. Your scheme is fine, but if you also want to run services on
the gateway, it becomes cumbersome.

What I want to do is a "rc.firewall" script that behaves mostly like the
"rc.network" script: you don't modify the script yourself, you change
some variables in "rc.conf" to do what you need done. This goes beyond
the NAT router.

> This is the mild snippage that goes in "rc.conf"...

;-)

Just for the record here it is again:

    firewall_public_if="ed2"
    firewall_allow_passive_ftp="YES"
    firewall_allow_tcp="80,21,20"
    firewall_allow_tcp_log="22"

And this is the side-effect of rc.firewall using the variables in
rc.conf:

    ipfw add allow tcp from any to any 20 setup in recv ed2
    ipfw add allow tcp from any to 1.2.3.4 80,21,20 setup in recv ed2
    ipfw add allow log tcp from any to 1.2.3.4 22 setup in recv ed2

Patrick.
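As an added illustration of the rc.conf-driven approach described in this message (example code, not the author's script nor FreeBSD's rc.firewall): the variable names are the ones from the post; firewall_public_ip and the port-list validation are assumptions of this example, and the rules are printed rather than handed to ipfw(8).

```shell
#!/bin/sh
# Added example: generate ipfw rules from rc.conf-style variables.
# Not the author's script. Rules are printed (dry run), not executed.

# Constructed settings, copied from the post. firewall_public_ip is an
# assumed variable standing in for the address of the public interface.
firewall_public_if="ed2"
firewall_public_ip="1.2.3.4"
firewall_allow_passive_ftp="YES"
firewall_allow_tcp="80,21,20"
firewall_allow_tcp_log="22"

# Reject anything that is not a comma-separated list of port numbers, so a
# malformed rc.conf value cannot smuggle extra ipfw keywords into a rule.
valid_port_list() {
    case "$1" in
        "" | *[!0-9,]* | ,* | *, | *,,*) return 1 ;;
        *) return 0 ;;
    esac
}

# One "ipfw add" line; a real rc.firewall would run ipfw here instead of echo.
emit_rule() {
    echo "ipfw add $*"
}

# Build the inbound rule set. Only TCP "setup" (SYN) packets arriving on the
# public interface are allowed; everything else is left to later rules.
generate_rules() {
    if [ "$firewall_allow_passive_ftp" = "YES" ]; then
        # Mirrors the first rule in the post.
        emit_rule "allow tcp from any to any 20 setup in recv $firewall_public_if"
    fi
    if [ -n "$firewall_allow_tcp" ]; then
        valid_port_list "$firewall_allow_tcp" || { echo "bad firewall_allow_tcp" >&2; return 1; }
        emit_rule "allow tcp from any to $firewall_public_ip $firewall_allow_tcp setup in recv $firewall_public_if"
    fi
    if [ -n "$firewall_allow_tcp_log" ]; then
        valid_port_list "$firewall_allow_tcp_log" || { echo "bad firewall_allow_tcp_log" >&2; return 1; }
        emit_rule "allow log tcp from any to $firewall_public_ip $firewall_allow_tcp_log setup in recv $firewall_public_if"
    fi
}

generate_rules
```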