Date:      Fri, 28 May 1999 07:03:15 -0400
From:      "James E. Housley" <housley@frenchknot.ne.mediaone.net>
To:        hackers@freebsd.org
Subject:   [Fwd: ipfw/natd limitation: controlling access of an unregistered net to the internet]
Message-ID:  <374E77F3.CAA34E6@frenchknot.ne.mediaone.net>



-- 
 James E. Housley                            PGP:   1024/03983B4D
 System Supply, Inc.                         2C 3F 3A 0D A8 D8 C3 13
 Pager: pagejim@notepage.com                 7C F0 B5 BF 27 8B 92 FE 

"The box said 'Requires Windows 95, NT, or better,' so I installed
FreeBSD"

Message-ID: <374E7764.8FFA5D4D@frenchknot.ne.mediaone.net>
Date: Fri, 28 May 1999 07:00:52 -0400
From: "James E. Housley" <housley@frenchknot.ne.mediaone.net>
X-Mailer: Mozilla 4.51 [en] (X11; U; FreeBSD 3.2-BETA i386)
To: Konstantinos.DRYLLERAKIS@DG21.cec.be
CC: freebsd-question@FreeBSD.ORG
Subject: Re: ipfw/natd limitation: controlling access of an unregistered net to the internet
References: <WIN944-990528091513-3DA7*/G=KONSTANTINOS/S=DRYLLERAKIS/O=DG21/PRMD=CEC/ADMD=RTT/C=BE/@MHS>

Konstantinos.DRYLLERAKIS@DG21.cec.be wrote:
> 
> Dear all,
> 
> 
> It seems to me that outgoing packets through the outer interface should first be run (somehow) through the firewall and if successful pass through natd (without a further re-injection to the firewall ruleset) whereas incoming packets should pass first from natd and then pass through the firewall rules (the existing operation). [ It is clear that only "deny" rules can be added before the "divert" rule to control the outgoing packets of internal machines and this can prove very tricky and tedious ].
> 
Let's assume out0 is the interface to the internet and in0 is your
internal interface, and that 192.168.0.x is your internal network.  If
that is true you should be able to do:

allow all from 192.168.0.0/24 to 192.168.0.0/24 # allow all internal hosts
                                                # to talk to each other
allow tcp from 192.168.0.0/24 to any 25  # everyone has mail
allow udp from 192.168.0.0/24 to any 53  # DNS lookups
allow all from boss to any               # boss has free rein
deny tcp from secretary to any 80        # no web for secretary
divert 8668 ip from any to any via out0
deny tcp from any to any 137-139 in via out0 # block netbios from outside
deny udp from any to any 53 in via out0      # block DNS queries from outside
.....

The other program to look at is ipfilter.

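To make the rule-ordering question in this exchange concrete, here is a small first-match simulator for an ipfw ruleset containing a natd divert rule. It is an added example, not code from the original post or from FreeBSD. It models only what the thread is about: rules are tried in order, a matching divert rule hands the packet to natd, and natd re-injects the translated packet at the rule after the divert rule, so rules before the divert see private source addresses on the way out while rules after it see the public one. The public address 203.0.113.1, the addresses behind the names boss and secretary, the external host 198.51.100.7 and the trailing allow-all standing in for the "....." are all assumptions made for the demonstration. Running it also surfaces the point in the quoted note that only deny rules belong before the divert: an allow that matches there accepts the packet without natd ever seeing it, so it leaves out0 with a 192.168.0.x source, and bypassed_nat() lists exactly those cases.

```python
"""First-match simulator for an ipfw ruleset that contains a natd divert rule.

Added example; it is not code from the original post or from FreeBSD. It
models just enough ipfw to show the ordering point discussed in the thread:
rules are tried in order, a matching `divert` rule hands the packet to natd,
and natd re-injects the translated packet at the rule AFTER the divert rule.
Host names, addresses and sample packets below are constructed values.
"""
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.1"                                      # constructed: out0's address
HOSTS = {"boss": "192.168.0.10", "secretary": "192.168.0.20"}  # constructed name table
INTERNAL = ip_network("192.168.0.0/24")

# (action, proto, src, dst, dst_ports, direction, interface); None = wildcard.
# Same order as the reply's ruleset, with its two address typos corrected; the
# final allow-all is an assumed stand-in for the "....." that closed the list.
RULES = [
    ("allow",  "all", "192.168.0.0/24", "192.168.0.0/24", None,            None, None),
    ("allow",  "tcp", "192.168.0.0/24", "any",            {25},            None, None),
    ("allow",  "udp", "192.168.0.0/24", "any",            {53},            None, None),
    ("allow",  "all", "boss",           "any",            None,            None, None),
    ("deny",   "tcp", "secretary",      "any",            {80},            None, None),
    ("divert", "ip",  "any",            "any",            None,            None, "out0"),
    ("deny",   "tcp", "any",            "any",            {137, 138, 139}, "in", "out0"),
    ("deny",   "udp", "any",            "any",            {53},            "in", "out0"),
    ("allow",  "ip",  "any",            "any",            None,            None, None),
]


def packet(proto, src, dst, dport, direction, iface):
    """Build a packet record; src/dst may be a name from HOSTS or an address."""
    return {"proto": proto, "src": HOSTS.get(src, src), "dst": HOSTS.get(dst, dst),
            "dport": dport, "dir": direction, "iface": iface}


def _addr_match(spec, addr):
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(HOSTS.get(spec, spec), strict=False)


def _matches(rule, pkt):
    _, proto, src, dst, ports, direction, iface = rule
    return (proto in ("all", "ip") or proto == pkt["proto"]) \
        and _addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"]) \
        and (ports is None or pkt["dport"] in ports) \
        and (direction is None or direction == pkt["dir"]) \
        and (iface is None or iface == pkt["iface"])


def natd(pkt):
    """Minimal natd: rewrite the source of outbound internal traffic on out0.
    Inbound packets with no session entry are passed through unchanged."""
    if pkt["dir"] == "out" and pkt["iface"] == "out0" \
            and ip_address(pkt["src"]) in INTERNAL:
        return {**pkt, "src": PUBLIC_IP}
    return pkt


def evaluate(pkt):
    """Return (verdict, index of the deciding rule, packet as it left ipfw).
    A None index means the implicit default rule (65535 deny) decided."""
    pkt = dict(pkt)
    for i, rule in enumerate(RULES):
        if not _matches(rule, pkt):
            continue
        if rule[0] == "divert":
            pkt = natd(pkt)          # translated packet re-enters at the NEXT rule
            continue
        return rule[0], i, pkt
    return "deny", None, pkt


def bypassed_nat(pkts):
    """The check worth running on such a ruleset: outbound packets that were
    accepted on out0 but still carry a private source, i.e. an `allow` before
    the divert rule matched them and natd never saw them."""
    hits = []
    for p in pkts:
        verdict, idx, out = evaluate(p)
        if verdict == "allow" and out["dir"] == "out" and out["iface"] == "out0" \
                and ip_address(out["src"]) in INTERNAL:
            hits.append((idx, p["src"], p["dport"]))
    return hits


# Constructed traffic sample: 198.51.100.7 is an arbitrary external host.
SAMPLE_PACKETS = [
    packet("tcp", "192.168.0.30", "198.51.100.7", 25,  "out", "out0"),
    packet("tcp", "boss",         "198.51.100.7", 80,  "out", "out0"),
    packet("tcp", "secretary",    "198.51.100.7", 80,  "out", "out0"),
    packet("tcp", "secretary",    "198.51.100.7", 443, "out", "out0"),
    packet("tcp", "198.51.100.7", PUBLIC_IP,      139, "in",  "out0"),
    packet("udp", "198.51.100.7", PUBLIC_IP,      53,  "in",  "out0"),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, idx, out = evaluate(p)
        print(f"{p['dir']:3} {p['proto']} {p['src']} -> {p['dst']}:{p['dport']}"
              f"  => {verdict} by rule {idx}, left with src {out['src']}")
    print("accepted without NAT:", bypassed_nat(SAMPLE_PACKETS))
```

Reading the output: the secretary's port-80 packet is denied by rule 4 while it still carries its private source, which is the per-host control the quoted message asks for; her port-443 packet reaches the divert, is rewritten to 203.0.113.1 and is accepted by the trailing rule; the mail and boss packets are accepted by rules 1 and 3 before the divert and so go out untranslated, which bypassed_nat() reports. Inbound netbios and DNS packets hit the post-divert deny rules as intended.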








Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?374E77F3.CAA34E6>