From owner-freebsd-questions@FreeBSD.ORG Wed Jan 14 14:43:16 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 87F0516A4CE for ; Wed, 14 Jan 2004 14:43:16 -0800 (PST)
Received: from m01.ca.astound.net (m01.ca.astound.net [64.85.239.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 24F8843D46 for ; Wed, 14 Jan 2004 14:43:15 -0800 (PST) (envelope-from rchopra@cal.berkeley.edu)
Received: from cal.berkeley.edu (astound-64-85-244-72.ca.astound.net [64.85.244.72]) by m01.ca.astound.net (8.12.10/8.12.10) with ESMTP id i0EMgfjo027312 for ; Wed, 14 Jan 2004 14:42:42 -0800
Message-ID: <4005C5C2.20302@cal.berkeley.edu>
Date: Wed, 14 Jan 2004 14:42:10 -0800
From: Rishi Chopra
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-questions@FreeBSD.ORG
References: <200401111053.QAA05193@manage.24online> <40035568.6010306@cal.berkeley.edu> <44ptdolfwd.fsf@be-well.ilk.org>
In-Reply-To: <44ptdolfwd.fsf@be-well.ilk.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new
Subject: Re: (Yet Another) Home Networking Question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 14 Jan 2004 22:43:16 -0000

A question about the 'me' keyword and ipfw:

The man page for ipfw states the following:

    me      matches any IP address configured on an interface in the
            system.  The address list is evaluated at the time the
            packet is analysed.

If I set my oif to 'rl0' (a nic in my system) and I set the oip to 'me', what should the onet address be set to?  Can I set the onet address to 'me' also?  The oif has its address assigned by DHCP.
-R

Lowell Gilbert wrote:

> Rishi Chopra writes:
>
>> Perhaps someone can help me with this small part of rc.firewall:
>>
>> [Ss][Ii][Mm][Pp][Ll][Ee])
>>     ############
>>     # This is a prototype setup for a simple firewall.  Configure this
>>     # machine as a named server and ntp server, and point all the machines
>>     # on the inside at this machine for those services.
>>     ############
>>
>>     # set these to your outside interface network and netmask and ip
>>     oif="ed0"
>>     onet="192.0.2.0"
>>     omask="255.255.255.0"
>>     oip="192.0.2.1"
>>
>>     # set these to your inside interface network and netmask and ip
>>     iif="ed1"
>>     inet="192.0.2.1"
>>     imask="255.255.255.0"
>>     iip="192.0.2.17"
>>
>> I'm curious about the difference between 'inet' and 'iip', what each
>> one stands for, and how to configure 'onet/oip' if the outside
>> interface network is configured via DHCP.
>
> Look a little more closely at the comment right before those lines.
> 'iif' is "Inside InterFace," 'inet' is "Inside NETwork," 'imask' is
> "Inside netMASK," and 'iip' is "Inside IP address."
>
> If your outside address is assigned by DHCP, you can't set those in the
> script.  You can use the "me" keyword (see "man 8 ipfw"), or set up
> the firewall in a DHCP hook, or just skip the address (it doesn't
> actually give you any extra security if you've got a single address on
> a single Ethernet network).
>
>> I'm also curious about this little snippet (under the 'simple' profile):
>>
>>     # Everything else is denied by default, unless the
>>     # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>>     # config file.
>>
>> What happens if this option is set in my kernel config file?  Can I
>> safely comment out this line and use the 'simple' profile without
>> affecting natd?
>
> It doesn't affect natd either way.  Defaulting to deny is definitely
> the way to configure a firewall for security purposes -- don't accept
> anything you haven't explicitly configured yourself to let in.
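The two points raised in this exchange (using 'me' in place of an outside address that DHCP hands out, and making sure the kernel really does default to deny) are shown below in one added sh script. This is an example written for this page, not code from the original messages and not FreeBSD's own rc.firewall: it reworks the outside-facing rules of the 'simple' profile so that every place the stock profile used ${oip} now uses the ipfw keyword 'me', and it drops the one anti-spoofing rule that needed ${onet}/${omask}, since the outside network is not known in advance. The interface names, the inside network 192.0.2.0/255.255.255.0 and the sample 'ipfw list 65535' line are constructed for the example. The rules are printed rather than loaded (fwcmd defaults to "echo ipfw"), so the script runs on any box; on the firewall itself set fwcmd=/sbin/ipfw.

```shell
#!/bin/sh
# Added example: rc.firewall "simple"-style outside rules for a DHCP-assigned
# outside address, plus a check of the kernel's default policy.  Not the
# original poster's or FreeBSD's code; interface names and addresses below
# are assumptions chosen for the example.

ipfw_rules() {
    oif="$1"            # outside interface (address from DHCP), e.g. rl0
    iif="$2"            # inside interface, e.g. ed1
    inet="$3"           # inside network, e.g. 192.0.2.0
    imask="$4"          # inside netmask, e.g. 255.255.255.0
    fwcmd="${fwcmd:-echo ipfw}"   # dry-run by default; set fwcmd=/sbin/ipfw to load

    # Stop spoofing: inside addresses must never arrive on the outside wire.
    # The stock profile's companion rule (outside network arriving on ${iif})
    # needs onet/omask, which a DHCP client does not know, so it is omitted.
    ${fwcmd} add deny all from "${inet}:${imask}" to any in via "${oif}"

    # Stop RFC1918 nets on the outside interface.
    ${fwcmd} add deny all from any to 10.0.0.0/8 via "${oif}"
    ${fwcmd} add deny all from any to 172.16.0.0/12 via "${oif}"
    ${fwcmd} add deny all from any to 192.168.0.0/16 via "${oif}"

    # Established TCP and IP fragments pass.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag

    # Services this box offers.  "me" matches every address configured on
    # any interface (inside one included), so add "in via ${oif}" where the
    # intent is "reachable from the outside"; DNS is meant for both sides.
    ${fwcmd} add pass tcp from any to me 25 in via "${oif}" setup
    ${fwcmd} add pass tcp from any to me 53 setup
    ${fwcmd} add pass udp from any to me 53
    ${fwcmd} add pass udp from me 53 to any

    # Log and reject every other inbound TCP setup from the outside.
    ${fwcmd} add deny log tcp from any to any in via "${oif}" setup

    # Outbound connections, and stateful DNS/NTP queries from the box itself.
    ${fwcmd} add pass tcp from any to any setup
    ${fwcmd} add pass udp from me to any 53 keep-state
    ${fwcmd} add pass udp from me to any 123 keep-state

    # Anything else falls through to rule 65535, whose action is fixed by
    # the kernel: deny unless it was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
}

# Read the text of rule 65535 (as printed by "ipfw list 65535") on stdin and
# print its action, "deny" or "allow", so the default policy can be checked
# without trusting the comment in rc.firewall.
default_policy() {
    awk '$1 == 65535 { print $2; exit }'
}

# Constructed sample of "ipfw list 65535" on a default-deny kernel.  On a
# live system replace the printf with: ipfw list 65535 | default_policy
sample_rule_65535='65535 deny ip from any to any'

if [ "$(printf '%s\n' "$sample_rule_65535" | default_policy)" != deny ]; then
    echo "WARNING: rule 65535 is not deny; unmatched packets will be accepted" >&2
fi

ipfw_rules rl0 ed1 192.0.2.0 255.255.255.0
```

Because 'me' is re-evaluated per packet, the rules stay valid across DHCP lease changes without reloading; the price is that 'me' covers every local address, which is why the rules that are meant only for the outside world carry 'in via ${oif}'. If you would rather keep the stock profile untouched, the other route the reply mentions is a DHCP hook: FreeBSD's dhclient runs /etc/dhclient-exit-hooks after a lease is obtained, and that script can rerun the firewall setup with the newly assigned address.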