Date: Thu, 07 Dec 2000 04:52:38 +0100
From: ncalvo <ncalvo@es.freebsd.org>
To: gnats-admin@FreeBSD.org, freebsd-doc@FreeBSD.org
Subject: Re: docs/23342: Inaccuracy of the dialup-firewall tutorial
Message-ID: <3A2F0986.C0EFC24B@es.freebsd.org>
References: <200012070330.eB73U1k49660@freefall.freebsd.org>
Hello,

I am enclosing the patch mentioned in the PR.

Greetings
ncalvo

--- article.sgml.orig Sun Aug 20 01:16:27 2000 +++ article.sgml Thu Dec 7 03:24:02 2000 @@ -142,7 +142,7 @@ <programlisting>firewall_enable="YES" firewall_script="/etc/firewall/fwrules" natd_enable="YES" -natd_interface="tun0" +natd_interface="ppp0" natd_flags="-dynamic"</programlisting> <para>For more information on what the above do take a look at @@ -208,7 +208,7 @@ $fwcmd -f flush # Divert all packets through the tunnel interface. -$fwcmd add divert natd all from any to any via tun0 +$fwcmd add divert natd all from any to any via ppp0 # Allow all data from my network card and localhost. Make sure you # change your network card (mine was fxp0) before you reboot. :) @@ -216,10 +216,10 @@ $fwcmd add allow ip from any to any via fxp0 # Allow all connections that I initiate. -$fwcmd add allow tcp from any to any out xmit tun0 setup +$fwcmd add allow tcp from any to any out xmit ppp0 setup # Once connections are made, allow them to stay open. -$fwcmd add allow tcp from any to any via tun0 established +$fwcmd add allow tcp from any to any via ppp0 established # Everyone on the internet is allowed to connect to the following # services on the machine. This example shows that people may connect 
@@ -228,13 +228,13 @@ $fwcmd add allow tcp from any to any 22 setup # This sends a RESET to all ident packets. -$fwcmd add reset log tcp from any to any 113 in recv tun0 +$fwcmd add reset log tcp from any to any 113 in recv ppp0 # Allow outgoing DNS queries ONLY to the specified servers. -$fwcmd add allow udp from any to <replaceable>x.x.x.x</replaceable> 53 out xmit tun0 +$fwcmd add allow udp from any to <replaceable>x.x.x.x</replaceable> 53 out xmit ppp0 # Allow them back in with the answers... :) -$fwcmd add allow udp from <replaceable>x.x.x.x</replaceable> 53 to any in recv tun0 +$fwcmd add allow udp from <replaceable>x.x.x.x</replaceable> 53 to any in recv ppp0 # Allow ICMP (for ping and traceroute to work). You may wish to # disallow this, but I feel it suits my needs to keep them in. @@ -277,7 +277,7 @@ <question> <para>If I'm using private addresses internally, such as in the 192.168.0.0 range, Could I add a command like <literal>$fwcmd add - deny all from any to 192.168.0.0:255.255.0.0 via tun0</literal> + deny all from any to 192.168.0.0:255.255.0.0 via ppp0</literal> to the firewall rules to prevent outside attempts to connect to internal machines?</para> </question> 
@@ -285,11 +285,11 @@ <answer> <para>The simple answer is no. The reason for this is that natd is doing address translation for <emphasis>anything</emphasis> being - diverted through the tun0 device. As far as it's concerned + diverted through the ppp0 device. As far as it's concerned incoming packets will speak only to the dynamically assigned IP address and NOT to the internal network. Note though that you can add a rule like <literal>$fwcmd add deny all from - 192.168.0.4:255.255.0.0 to any via tun0</literal> which would + 192.168.0.4:255.255.0.0 to any via ppp0</literal> which would limit a host on your internal network from going out via the firewall.</para> </answer>
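Review bot: the first two hunks (`@@ -142` and `@@ -208`) replace `tun0` with `ppp0` in `natd_interface` and in the divert rule without adding any prose that explains the choice, so a reader whose PPP link still comes up as `tun0` (the name the original text assumed) would now point natd at an interface that does not exist and have a divert rule that matches no traffic, and nothing would get translated. Suggest adding a sentence beside the `natd_interface="ppp0"` listing telling the reader to use whatever interface name their PPP link actually creates (as shown by ifconfig) and to use that same name in the `divert natd` rule, since the two must agree.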
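Review bot: hunks `@@ -216` and `@@ -228` update the `setup`, `established`, ident `reset` and DNS rules consistently with the divert rule, but they are partial and the rule set continues past the ICMP comment shown at the end of `@@ -228`; a single leftover `tun0` in a rule outside these hunks would silently never match. Suggest confirming that no `tun0` reference remains anywhere in article.sgml after applying the patch (e.g. `grep -n tun0 article.sgml`) before committing.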
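Review bot: in the FAQ hunks (`@@ -277` and `@@ -285`) the answer's reasoning depends entirely on the interface name, so hard-coding `ppp0` in running prose ("diverted through the ppp0 device") repeats the problem the PR is about for readers with a differently named link. Suggest marking the interface name as substitutable with the `<replaceable>` markup the document already uses for `x.x.x.x`, for example `diverted through the <replaceable>ppp0</replaceable> device`, and likewise inside the two `<literal>` rule examples.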