Date: Wed, 25 Oct 2000 09:45:35 +1100
From: Andrew Johns <johnsa@kpi.com.au>
To: peter@sysadmin-inc.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
Message-ID: <39F6110F.E8B461CA@kpi.com.au>
References: <003401c03dfe$68b42d80$47010a0a@fire.sysadmininc.com>
Peter Brezny wrote:
> I'm working on adding the rules needed to rc.firewall under the 'simple'
> sections to allow the script to function as a firewall/nat router for a
> small network with private ip's in the 10.x.x.x range.
>
> The firewall works if I use a simplified script, but the standard
> rc.firewall that comes with 4.1 doesn't appear to allow nat to work without
> modifying the rc.firewall script more than just putting in your network
> info.

Correct.

> > I think I need some allow rules before the
> > # Stop RFC1918 nets on the outside interface
> > section of the script.

Absolutely, or else after the divert rule, the packet is (optionally) re-injected back into the ruleset at the next rule, where it eventually hits the RFC1918 deny's and gets dropped.

Several methods are available:

a) Move the RFC1918 deny's in front of the divert rule, which is what you generally want anyway - stopping idiots upstream from you sending packets with those addresses from misconfigured machines.

b) Forget the RFC1918 deny's and only allow specific target IP/ports through and explicitly deny everything else.

These are just two ideas.

tcpdump is most useful in diagnosing these issues, as you'll see the SRC and DST IP/port packets and you can watch the deny logs on the console (or wherever you're sending them) - this assumes that you've got 'deny log' rules of course.

HTH
AJ
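The following script illustrates option (a) above. It is an added example, not code from the thread or from FreeBSD's own rc.firewall: the variable names follow the rc.firewall convention, but the interface names, rule numbers and the 10.0.0.0/8 inside network are assumptions, and by default `fwcmd` is a dry run that only prints the ipfw commands instead of loading them.

```shell
#!/bin/sh
# Constructed example: RFC1918 denies placed BEFORE the natd divert rule,
# so bogus private-source packets from upstream are dropped (and logged)
# while the inside 10.x hosts are still translated on the way out.
# Assumptions: outside interface fxp0, inside interface fxp1, inside net 10/8.
fwcmd=${fwcmd:-"echo /sbin/ipfw"}   # set fwcmd=/sbin/ipfw to really load rules
oif=${oif:-fxp0}                     # assumed outside interface
iif=${iif:-fxp1}                     # assumed inside interface
inet=${inet:-10.0.0.0}
imask=${imask:-255.0.0.0}

build_rules() {
    $fwcmd -f flush
    $fwcmd add 100 pass all from any to any via lo0

    # (a) RFC1918 source denies ahead of the divert rule. The "in" keyword
    # matters: outbound packets from the inside net still carry a 10.x source
    # here (NAT has not happened yet) and must not be matched by these rules.
    $fwcmd add 200 deny log all from 10.0.0.0/8 to any in via $oif
    $fwcmd add 210 deny log all from 172.16.0.0/12 to any in via $oif
    $fwcmd add 220 deny log all from 192.168.0.0/16 to any in via $oif

    # Hand the packet to natd. With net.inet.ip.fw.one_pass=0 it re-enters the
    # ruleset at rule 310, now with a translated address, so nothing below
    # sees a private source on the outside interface.
    $fwcmd add 300 divert natd all from any to any via $oif

    # Inside net is trusted; outbound TCP may be set up, replies may return.
    $fwcmd add 400 pass all from ${inet}:${imask} to any via $iif
    $fwcmd add 410 pass all from any to ${inet}:${imask} via $iif
    $fwcmd add 500 pass tcp from any to any established
    $fwcmd add 510 pass tcp from any to any out via $oif setup
    $fwcmd add 520 pass udp from any 53 to any in via $oif
    $fwcmd add 530 pass udp from any to any 53 out via $oif

    # Everything else is denied and logged, which is what makes tcpdump and
    # the console logs useful for diagnosing mis-ordered rules.
    $fwcmd add 65000 deny log all from any to any
}

build_rules
```

Running it unmodified prints the rule list; check that every `deny ... 10.0.0.0/8` line precedes the `divert natd` line before pointing `fwcmd` at the real binary.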