From owner-freebsd-hackers Fri May 28 2:32:27 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from titan.metropolitan.at (mail.metropolitan.at [195.212.98.131]) by hub.freebsd.org (Postfix) with ESMTP id 09EA614F84; Fri, 28 May 1999 02:32:01 -0700 (PDT) (envelope-from mladavac@metropolitan.at)
Received: by TITAN with Internet Mail Service (5.0.1458.49) id ; Fri, 28 May 1999 11:34:48 +0200
Message-ID: <55586E7391ACD211B9730000C1100276179629@r-lmh-wi-100.corpnet.at>
From: Ladavac Marino
To: "'Konstantinos.DRYLLERAKIS@DG21.cec.be'", freebsd-hackers@freebsd.org, freebsd-question@freebsd.org
Subject: RE: ipfw/natd limitation: controlling access of an unregistered net to the internet
Date: Fri, 28 May 1999 11:29:45 +0200
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> -----Original Message-----
> From: Konstantinos.DRYLLERAKIS@DG21.cec.be [SMTP:Konstantinos.DRYLLERAKIS@DG21.cec.be]
> Sent: Friday, May 28, 1999 11:15 AM
> To: freebsd-hackers@freebsd.org; freebsd-question@freebsd.org
> Subject: ipfw/natd limitation: controlling access of an unregistered net to the internet
>
> It seems to me that outgoing packets through the outer interface should first be run (somehow) through the firewall and, if successful, pass through natd (without a further re-injection into the firewall ruleset), whereas incoming packets should pass first through natd and then through the firewall rules (the existing operation). [It is clear that only "deny" rules can be added before the "divert" rule to control the outgoing packets of internal machines, and this can prove very tricky and tedious.]
>
[ML] Did you consider using a firewall-cleanwall combination? In essence, the idea is very simple: the cleanwall is inside the firewall and it does not allow unprivileged packets to reach the nat/firewall.
I think that Bellovin's book explains this in detail. The downside is that you need two machines.

/Marino

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
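As an added illustration of the ordering problem the thread describes (not code from either poster, and a toy model rather than ipfw or natd themselves): a small Python simulation of an ipfw ruleset with a divert-to-natd step. It assumes natd rewrites the source of outgoing packets from a constructed unregistered net (192.168.1.0/24) to a constructed public address, and that the translated packet re-enters the ruleset at the rule after the divert, so a "deny" on the internal source only works when it is placed before the divert rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the ipfw/natd path discussed in the thread (not ipfw itself):
# rules are walked in number order, "divert" hands the packet to natd, and the
# translated packet re-enters the ruleset at the next rule.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed unregistered net
PUBLIC_ADDR = "203.0.113.5"                            # constructed outer address

@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "out" or "in"

@dataclass
class Rule:
    number: int
    action: str             # "deny", "allow" or "divert"
    src_net: object = None  # ip_network, or None for "any"
    direction: str = None   # "out", "in", or None for both

    def matches(self, pkt):
        if self.direction and self.direction != pkt.direction:
            return False
        return not self.src_net or ipaddress.ip_address(pkt.src) in self.src_net

def natd(pkt):
    """Toy natd: rewrite an outgoing internal source to the public address."""
    if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return Packet(PUBLIC_ADDR, pkt.dst, pkt.direction)
    return pkt  # inbound translation omitted; only rule ordering matters here

def run_ruleset(rules, pkt):
    """Return the action taken for pkt, walking rules in number order."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)  # re-enters at the next rule with the new source
            continue
        return rule.action
    return "deny"  # default deny at the end of the ruleset

# Deny after the divert never sees the internal source (already translated).
RULES_AFTER = [Rule(100, "divert"), Rule(200, "deny", INTERNAL_NET, "out"), Rule(65000, "allow")]
# Deny before the divert matches the untranslated packet, as the thread notes.
RULES_BEFORE = [Rule(50, "deny", INTERNAL_NET, "out"), Rule(100, "divert"), Rule(65000, "allow")]
```

Running the same outgoing packet from 192.168.1.10 through both rulesets shows the misplaced deny being bypassed, while inbound packets still reach the rules after translation in both cases.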