From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Иванов Илья" ,
Date: Fri, 6 May 2005 08:32:28 -0400
Subject: RE: IPFW: 24.6.5.7 An Example NAT and Stateful Ruleset
In-Reply-To: <843429403.20050506140126@mail.ru>

If you remove those 2 rules your firewall is completely open. This means you will be deactivating your firewall protection.

You have to describe your environment in detail and post rc.conf, ipf.rules, and dmesg.boot files for people to look at. Just saying you cannot get to the public internet does not mean anything; you have to state just what you are trying to do. When you run tests, look at the firewall log file to see what IP addresses and port numbers you are logging.
This will give you pointers into the true nature of your problem.

From what you posted I would say you do not know what you are doing and that ipfw is not the firewall for you. IPFILTER is more likely better suited to your knowledge level.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Иванов Илья
Sent: Friday, May 06, 2005 6:01 AM
To: questions@FreeBSD.org
Subject: IPFW: 24.6.5.7 An Example NAT and Stateful Ruleset

Hallo!

I read the article (http://freebsd.vinf.ru/doc/en/books/handbook/firewalls-ipfw.html) and use your example from the "An Example NAT and Stateful Ruleset" part. So, when I use this script for ipfw, I am not able to use the internet, but if I disable rules 400 and 450 I can use the internet. I use FreeBSD 4.10, nat, ipfw, squid.

# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif

# Reject & Log all unauthorized outgoing connections to the public Internet
$cmd 450 deny log all from any to any out via $pif

My question is: can I use this script for ipfw without rules 400 and 450, or is it a potential threat to the security of my system? Maybe you can give me a link to an article about this?

With best regards,
Ivanov Ilya.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
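As an added example (it is not part of the thread, nor from the FreeBSD Handbook ruleset being discussed), here is a small POSIX shell helper that does what the reply advises: it reads ipfw "Deny" log lines in the /var/log/security format and summarizes them by rule number, direction, protocol and destination port. That makes it easy to see whether rule 400 is catching inbound traffic from the public side or rule 450 is catching the LAN's own outbound traffic, which is the case where an earlier allow/keep-state rule should have matched and the fix belongs in the ruleset rather than in removing the catch-all denies. The log lines, the addresses and the interface name xl0 are constructed for this example.

```shell
#!/bin/sh
# Constructed ipfw log lines in the FreeBSD 4.x /var/log/security format.
# Addresses are documentation ranges and the interface xl0 is assumed;
# none of this is taken from the thread.
SAMPLE_LOG='May  6 08:10:01 gw /kernel: ipfw: 400 Deny TCP 203.0.113.7:4021 198.51.100.2:22 in via xl0
May  6 08:10:02 gw /kernel: ipfw: 450 Deny TCP 192.168.1.20:3456 198.51.100.9:80 out via xl0
May  6 08:10:03 gw /kernel: ipfw: 450 Deny UDP 192.168.1.20:1025 198.51.100.5:53 out via xl0
May  6 08:10:05 gw /kernel: ipfw: 400 Deny TCP 203.0.113.7:4022 198.51.100.2:22 in via xl0
May  6 08:10:07 gw /kernel: ipfw: 450 Deny TCP 192.168.1.21:3457 198.51.100.9:80 out via xl0'

# summarize_denies: read log text on stdin and print one line per
# "rule direction proto dstport count", most frequent first.
summarize_denies() {
    awk '
    /ipfw: [0-9]+ Deny / {
        # locate the "ipfw:" token; the fields after it are
        # rule, "Deny", proto, src:port, dst:port, direction, "via", ifname
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule = $(i+1); proto = $(i+3); dst = $(i+5); dir = $(i+6)
        n = split(dst, parts, ":"); dport = parts[n]   # last field after ":" is the port
        key = rule " " dir " " proto " " dport
        count[key]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -k5,5nr -k1,1n
}

# count_denied_by_rule RULE: how many packets the given rule number logged as denied.
count_denied_by_rule() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "ipfw: $1 Deny"
}

# top_denied_outbound_port: the destination port most often blocked in the "out"
# direction, i.e. the LAN traffic that rule 450 is eating.
top_denied_outbound_port() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_denies | awk '$2 == "out" { print $4; exit }'
}

# Stand-alone run: show the summary table for the constructed log.
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Run it against the real file with `summarize_denies < /var/log/security` once the functions are sourced; a large count for a well-known destination port in the "out" direction, as port 80 is here, points at an outbound allow rule that is missing or placed after the deny, not at a reason to drop rules 400 and 450.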