From: Chris Collins
Date: Wed, 13 Feb 2002 22:51:24 -0500 (EST)
To: questions@FreeBSD.ORG
Subject: Re: NAT/IPFW security question

Well, I found the answer to my own question at:

http://www.mostgraveconcern.com/freebsd/ipfw.html

Chris

-=-=-==-=-=-=-=-=-=-=-=-=-=-=--=-=-==-=-=-
Chris Collins
chris@collins-ca.com
MSN Msg: chris_collins_ca@hotmail.com
-=-=-==-=-=-=-=-=-=-=-=-=-=-=--=-=-==-=-=-

On Tue, 12 Feb 2002, Chris Collins wrote:

> Hello
>
> I have just recently set up my FreeBSD machine to connect to my ISP via
> dhcp and run nat for the rest of my network. I have a question I hope
> somebody on this list can help me with.
>
> How do I secure my FreeBSD box so that it does not allow any traffic into
> my machine that I do not make a rule for? As it stands right now the rule
>
> add pass all from any to any
>
> is allowing all ports into my machine, but without it my nat does not work.
>
> Here is a complete list of my rules.
>
> -f flush
> add divert natd all from any to any via dc0
> add pass all from any to any
> add 230 allow tcp from any to 21 via dc0
> add 240 allow tcp from any to 25 via dc0
> add 250 allow tcp from any to 110 via dc0
> add 270 allow tcp from any to 80 via dc0
> #add 290 allow tcp from any to 10000 via dc0
> add 300 allow icmp from any to any
> add 65534 deny log ip from any to any
>
> I have other ports being used that are not in this list that I only want
> my 10.0.0.0/24 on interface dc1 home network to have access to.
>
> Can anybody offer any suggestions?
>
> Thanks
> Chris
>
> -=-=-==-=-=-=-=-=-=-=-=-=-=-=--=-=-==-=-=-
> Chris Collins
> chris@collins-ca.com
> MSN Msg: chris_collins_ca@hotmail.com
> -=-=-==-=-=-=-=-=-=-=-=-=-=-=--=-=-==-=-=-
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
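A stateful rewrite of the ruleset quoted above, added here as an example in the same ipfw rules-file format; it is not from the thread or from the linked page. It keeps the question's interfaces (dc0 to the ISP, dc1 to the 10.0.0.0/24 home LAN) and service ports, and replaces the stateless "pass all" with keep-state/check-state so that NAT replies still get in while unsolicited inbound traffic is denied. The rule numbers and the skipto target 1000 are choices made for this example.

```conf
-f flush

# Loopback is fine; nothing claiming 127/8 may appear on a real interface
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any

# Anti-spoofing: a packet from the ISP never carries a home-LAN source
add 130 deny log ip from 10.0.0.0/24 to any in via dc0

# Inbound from the ISP: undo NAT first, so every later rule (and the
# state table) sees the real 10.0.0.x destination address
add 200 divert natd ip from any to any in via dc0

# Replies belonging to flows recorded by the keep-state rules below
add 300 check-state

# The home LAN on dc1 may reach this box and be forwarded
add 400 allow ip from 10.0.0.0/24 to any in via dc1
add 410 allow ip from any to 10.0.0.0/24 out via dc1

# Anything leaving on dc0 (a LAN host or this box itself) is recorded in
# the state table, then jumps to the NAT section. The state is created
# before natd rewrites the source, so it matches the un-NATed replies.
add 500 skipto 1000 ip from any to any out via dc0 keep-state

# Services the outside may open on this box (the ports from the question)
add 600 allow tcp from any to any 21,25,80,110 in via dc0 setup keep-state
add 610 allow icmp from any to any

# Everything else arriving from the ISP dies here, before the NAT section;
# rules 1000+ are reachable only through skipto or a check-state match
add 900 deny log ip from any to any

add 1000 divert natd ip from any to any out via dc0
add 1010 allow ip from any to any
```

The final "allow ip from any to any" is safe only because rule 900 sits in front of it: an inbound packet reaches 1010 solely via a check-state match on a flow this side started.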