From owner-freebsd-questions@FreeBSD.ORG Wed Apr 2 13:29:41 2003
From: Ryan Merrick
Date: Wed, 02 Apr 2003 13:31:25 +0000
To: Brian McCann
Cc: freebsd-questions@freebsd.org
Subject: Re: NATD & IPFW
Message-ID: <3E8AE62D.1040504@attbi.com>
References: <000001c2f8cb$6e4f5e60$2f811581@garfield>
List-Id: freebsd-questions@freebsd.org (User questions)

Brian McCann wrote:
> Hi all. I'm having an issue with security while trying to get natd to
> work with ipfw. I got my ipfw rules working great, so I added the natd
> line in:
>
>     ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE
>
> But I can't do anything (ping, fetch, etc) until I add:
>
>     ipfw add pass all from any to any
>
> Now, I may be wrong, but doesn't this pretty much open the box up? I
> tried changing the first "any" to my internal network, but that didn't
> work, and I know I've got to be missing something.
>
> If anyone would like to help me off-list, I could send you a copy of my
> rule set if you'd like.
>
> Thanks in advance,
> --Brian

Hello,

The best way to learn about your firewall is to log all denied packets and
review the log file while trying different programs that access the network.

    # ipfw add 6500 deny log ip from any to any
    # tail -f /var/log/security

Then create rules based on what shows up in the logs.

-Ryan
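Reading the two messages together: the reason Brian's "pass all from <internal net> to any" did nothing is that the divert rule hands each packet to natd, which rewrites the source address of outbound packets to the external interface's address (and the destination of mapped inbound packets to the inside host) before the packet re-enters the ruleset at the rule after the divert. Every rule placed after the divert therefore sees the external address, not the internal network, so rules on the external interface cannot use the internal network to recognise outbound traffic. The script below is an added example written for this reply; it is not code from either poster nor from FreeBSD's rc.firewall. It prints a ruleset that keeps natd on the external interface and still ends in Ryan's logged deny, and it includes a small awk summarizer for the lines that rule writes to /var/log/security. The interface names, the internal network and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original mail or of FreeBSD's rc.firewall.
# Interface names, the inside network and the sample log lines are
# assumptions chosen for illustration.

EXT_IF=${EXT_IF:-fxp0}               # outside interface (assumption)
INT_IF=${INT_IF:-rl0}                # inside interface (assumption)
INT_NET=${INT_NET:-192.168.1.0/24}   # inside network (assumption)
NATD_PORT=${NATD_PORT:-8668}         # divert port natd listens on

# The ruleset, one rule per line in evaluation order.  Printed rather than
# applied so it can be reviewed on a box without ipfw.
#   400       anti-spoof: inside addresses never arrive on the outside
#   500/600   trust the inside interface both ways
#   1000      natd; after this rule outbound packets carry the external
#             address as source and inbound replies carry the inside host
#             as destination, so later rules match on flags/ports, not INT_NET
#   2000      stateless "established": admits any ACK-flagged packet, which
#             a keep-state design would tighten
#   3100      log inbound connection attempts separately from the catch-all
#   6500      the deny-and-log rule from the reply above
ipfw_rules() {
    cat <<EOF
100 allow ip from any to any via lo0
200 deny log ip from any to 127.0.0.0/8
300 deny log ip from 127.0.0.0/8 to any
400 deny log ip from ${INT_NET} to any in via ${EXT_IF}
500 allow ip from ${INT_NET} to any in via ${INT_IF}
600 allow ip from any to ${INT_NET} out via ${INT_IF}
1000 divert ${NATD_PORT} ip from any to any via ${EXT_IF}
2000 allow tcp from any to any established
3000 allow tcp from any to any out via ${EXT_IF} setup
3100 deny log tcp from any to any in via ${EXT_IF} setup
4000 allow udp from any to any 53 out via ${EXT_IF}
4100 allow udp from any 53 to any in via ${EXT_IF}
5000 allow icmp from any to any out via ${EXT_IF} icmptypes 8
5100 allow icmp from any to any in via ${EXT_IF} icmptypes 0,3,11
6500 deny log ip from any to any
EOF
}

# Load the rules (root, from the console: the flush drops live sessions).
# "log" only produces syslog lines when net.inet.ip.fw.verbose is 1, and
# natd must already be listening on ${NATD_PORT} for ${EXT_IF}.
apply_rules() {
    sysctl net.inet.ip.fw.verbose=1 >/dev/null
    ipfw -f flush
    ipfw_rules | while read -r rule; do
        ipfw add $rule      # word splitting of the rule text is intended
    done
}

# Count logged denies by rule, protocol, destination, direction and
# interface.  ipfw log lines look like:
#   ... ipfw: <rule> Deny <PROTO> <src> <dst> <in|out> via <iface>
summarize_denies() {
    awk '
        { for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
          if (i > NF) next
          rule = $(i+1); action = $(i+2); proto = $(i+3)
          dst = $(i+5); dir = $(i+6); iface = $(i+8)
          if (action != "Deny") next
          n[rule " " proto " " dst " " dir " via " iface]++ }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample of /var/log/security (assumption, not a real capture):
# an inside host trying SMTP, DNS and ping before any allow rule exists,
# plus one outside SSH attempt stopped at rule 3100.
sample_log() {
    cat <<'EOF'
Apr  2 13:31:25 gw /kernel: ipfw: 6500 Deny TCP 192.168.1.10:1025 198.51.100.25:25 in via rl0
Apr  2 13:31:26 gw /kernel: ipfw: 6500 Deny TCP 192.168.1.10:1026 198.51.100.25:25 in via rl0
Apr  2 13:31:27 gw /kernel: ipfw: 6500 Deny UDP 192.168.1.10:1027 198.51.100.53:53 in via rl0
Apr  2 13:31:28 gw /kernel: ipfw: 6500 Deny ICMP:8.0 192.168.1.10 198.51.100.53 in via rl0
Apr  2 13:31:29 gw /kernel: ipfw: 3100 Deny TCP 192.0.2.99:4444 203.0.113.5:22 in via fxp0
EOF
}

case "${1:-show}" in
    apply)     apply_rules ;;
    summarize) summarize_denies ;;          # reads log lines on stdin
    *)         ipfw_rules; echo; sample_log | summarize_denies ;;
esac
```

Run it with no arguments to review the rules and the summary of the constructed sample; as root, `sh ipfw-nat.sh apply` loads them, and `grep ipfw: /var/log/security | sh ipfw-nat.sh summarize` turns a real log into the same per-destination counts, which is the list of things to write explicit allow rules for.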