From owner-freebsd-ipfw Sat Apr 1 11:59:24 2000
Date: Sat, 01 Apr 2000 16:52:24 +0100
From: Brian 'Astrolox' Wojtczak
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: NATD Translation
References: <38E21E40.2FA2352A@origen.com>

>I have a correction to my last comment.
>
>I looked up the rc.conf setting for firewall=open and I think you can
>ignore it. It appears that I actually am using the wrong variable name.
>In the LINT kernel example config file you will find an explanation for
>it. Here it is.
>
># WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
># and if you do not add other rules during startup to allow access,
># YOU WILL LOCK YOURSELF OUT. It is suggested that you set
># firewall_type=open
># in /etc/rc.conf when first enabling this feature, then refining the
># firewall rules in /etc/rc.firewall after you've tested that the new
># kernel feature works properly.
>
>I must have had a typo when setting this up but it still worked. I was
>just being cautious without any real good reason. I am guessing that
>/etc/rc.firewall set up the rules just right for me so that it would work.
>Since it worked for me right away I did not spend any more time with it.
>
>I am now trying to learn more about it.
No!!!

I have FreeBSD 3.4. I doubt that FreeBSD 4.0 is all that much different, but I might be wrong, so I am talking about 3.4 here.

Firewall rules are a list. There must be at least one item in the list. That item is placed in the list by the kernel. It is placed at the bottom (end) of the list. The list is read from top to bottom and the first matching rule is used. The rules that the kernel can add are either Allow Everything ("allow ip from any to any") or Deny Everything ("deny ip from any to any"). The rule added by the kernel is called the DEFAULT RULE.

When "firewall_types=open" is used in the kernel configuration file (MYKERNEL from now on) it means that the firewall will not drop any packets BY DEFAULT. That is, the DEFAULT RULE is Allow Everything. This is very insecure, and should never be used, ever!!! (I believe)

When "firewall_types=open" is used in the startup configuration file (/etc/rc.conf) it has a totally different meaning. It is the name of the firewall type that the firewall rules script (/etc/rc.firewall) should use. The options for this are defined in /etc/rc.firewall. I do not recommend you use it, unless you don't care about a firewall.

I recommend that you edit /etc/rc.firewall and customize it to what you want - there is lots of information about this on the internet, and I will be releasing a tutorial on it soon (at www.astrolox.com).

Hope that clears that up.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Brian 'Astrolox' Wojtczak
"If ya going to do it, do it in style"
World Wide Web Page: http://www.astrolox.com/
EMail Address: astrolox@innocent.com
Personal RSA PGP Key - be aware of fake keys:
89 30 61 EC 2B CA C8 FA EC 11 87 6D DA 50 7C 6B
Bits: 2048 Id: 10E51DFD Date: 2000/02/16
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
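As an added illustration of the point above (this is example code written for this page, not Brian's script or the stock /etc/rc.firewall), here is a minimal custom section in the style of /etc/rc.firewall for FreeBSD 3.x/4.x: rules are listed top to bottom, first match wins, and the explicit catch-all deny goes last so the kernel's own DEFAULT RULE (65535) is never reached. The type name "myhome", the interface names ed0/ed1 and the 192.168.1.0/24 network are assumptions; FWCMD defaults to a dry run (echo) so the rule list can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD's rc.firewall.
# FWCMD defaults to "echo ipfw" (dry run); set FWCMD=/sbin/ipfw on a real box.
fwcmd="${FWCMD:-echo ipfw}"

# Emit the rule list for one firewall type, in rc.firewall's case/esac style.
# Rules are matched top to bottom, first match wins, so the explicit deny
# must be the last rule added.
setup_firewall() {
    firewall_type="$1"
    case "${firewall_type}" in
    open)
        # "open": accept everything; the kernel default rule never matters.
        ${fwcmd} add 65000 pass all from any to any
        ;;
    myhome)
        oif="ed0"               # assumed outside interface
        iif="ed1"               # assumed inside interface
        inet="192.168.1.0/24"   # assumed inside network
        ${fwcmd} -f flush
        # loopback traffic is fine, but nothing may claim a 127/8 address
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        # anti-spoofing: inside addresses must not arrive on the outside side
        ${fwcmd} add 300 deny all from ${inet} to any in via ${oif}
        # trust the inside interface entirely
        ${fwcmd} add 400 pass all from any to any via ${iif}
        # already-established TCP sessions, plus new SSH connections
        ${fwcmd} add 500 pass tcp from any to any established
        ${fwcmd} add 600 pass tcp from any to any 22 setup
        # DNS replies in, DNS queries out
        ${fwcmd} add 700 pass udp from any 53 to any
        ${fwcmd} add 800 pass udp from any to any 53
        # explicit, logged catch-all deny ahead of the kernel's rule 65535
        ${fwcmd} add 65000 deny log all from any to any
        ;;
    *)
        echo "unknown firewall_type: ${firewall_type}" >&2
        return 1
        ;;
    esac
}
```

Running `setup_firewall myhome` with the default FWCMD prints the ipfw commands in the order they would be installed, which makes it easy to check that the deny is last before pointing FWCMD at the real binary.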