From owner-freebsd-hackers Fri May 28 04:03:23 1999
Date: Fri, 28 May 1999 07:03:15 -0400
From: "James E. Housley" <housley@frenchknot.ne.mediaone.net>
To: hackers@freebsd.org
Subject: [Fwd: ipfw/natd limitation: controlling access of an unregistered net to the internet]

-- 
James E. Housley                    PGP: 1024/03983B4D
System Supply, Inc.                 2C 3F 3A 0D A8 D8 C3 13
Pager: pagejim@notepage.com         7C F0 B5 BF 27 8B 92 FE
"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD"

---------- Forwarded message ----------
Date: Fri, 28 May 1999 07:00:52 -0400
From: "James E. Housley" <housley@frenchknot.ne.mediaone.net>
To: Konstantinos.DRYLLERAKIS@DG21.cec.be
CC: freebsd-question@FreeBSD.ORG
Subject: Re: ipfw/natd limitation: controlling access of an unregistered net to the internet

Konstantinos.DRYLLERAKIS@DG21.cec.be wrote:
>
> Dear all,
>
> It seems to me that outgoing packets through the outer interface should
> first be run (somehow) through the firewall and, if successful, pass
> through natd (without a further re-injection into the firewall ruleset),
> whereas incoming packets should pass first through natd and then through
> the firewall rules (the existing operation). [ It is clear that only
> "deny" rules can be added before the "divert" rule to control the
> outgoing packets of internal machines, and this can prove very tricky
> and tedious. ]
>

Let's assume out0 is the interface to the internet and in0 is your
internal interface, and that 192.168.0.x is your internal network. If
that is true you should be able to do:

  allow all from 192.168.0.0/24 to 192.168.0.0/24 # allow all internal
                                                  # hosts to talk to each other
  allow tcp from 192.168.0.0/24 to any 25         # everyone has mail
  allow udp from 192.168.0.0/24 to any 53         # DNS lookups
  allow all from boss to any                      # boss has full rein
  deny tcp from secretary to any 80               # no web for secretary
  divert 8668 ip from any to any via out0
  deny tcp from any to any 137-139 in via out0    # block NetBIOS
  deny udp from any to any 53 in via out0         # block inbound DNS queries
  .....

The other program to look at is ipfilter.
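The reply above turns on one property of ipfw: rules are evaluated first-match in order, a matching divert rule hands the packet to natd, and processing resumes at the rule after the divert with the translated addresses. So an outbound policy written in terms of internal addresses (the "deny tcp from secretary" line) only works if it sits before the divert; placed after it, the packet's source is already the gateway's external address and the rule never matches. The following Python model is an added illustration of that walk and is not code from the thread or from FreeBSD. It assumes addresses for the two symbolic hosts (boss 192.168.0.10, secretary 192.168.0.20), an external address 203.0.113.10 for out0, and a trailing catch-all allow so that a missed deny is visible; all packets are constructed for the demo.

```python
"""Toy model of how ipfw(8) walks a first-match ruleset that contains a
natd(8) divert rule.  Added illustration; not code from the thread."""
import ipaddress
from dataclasses import dataclass, replace

EXT_IP = "203.0.113.10"          # assumed address of out0 (documentation range)
INTERNAL_NET = "192.168.0.0/24"  # internal net from the post
BOSS = "192.168.0.10"            # assumed addresses for the two hosts in the post
SECRETARY = "192.168.0.20"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    direction: str  # "out" or "in", relative to out0


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "deny" or "divert"
    proto: str = "ip"            # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    ports: tuple = None          # (lo, hi) destination port range, None = any
    direction: str = None        # "in", "out" or None for both


def _addr_match(pattern, ip):
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.ports is None or rule.ports[0] <= pkt.dport <= rule.ports[1])
            and rule.direction in (None, pkt.direction))


def natd(pkt):
    """Minimal natd: masquerade outbound internal sources behind EXT_IP.
    Inbound packets with no translation entry pass through unchanged
    (they are addressed to the gateway itself)."""
    if pkt.direction == "out" and _addr_match(INTERNAL_NET, pkt.src):
        return replace(pkt, src=EXT_IP)
    return pkt


def walk(rules, pkt):
    """First-match walk.  A divert hands the packet to natd and processing
    resumes at the rule after the divert; falling off the end is the
    kernel's default deny (rule 65535)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
            continue
        return rule.action, pkt
    return "deny", pkt


PRE_NAT = [   # outbound policy, written in terms of internal addresses
    Rule("allow", src=INTERNAL_NET, dst=INTERNAL_NET),
    Rule("allow", "tcp", src=INTERNAL_NET, ports=(25, 25)),
    Rule("allow", "udp", src=INTERNAL_NET, ports=(53, 53)),
    Rule("allow", src=BOSS),
]
NO_WEB = Rule("deny", "tcp", src=SECRETARY, ports=(80, 80))
DIVERT = Rule("divert")                           # divert 8668 ip from any to any via out0
POST_NAT = [  # inbound policy on out0; sees post-translation addresses
    Rule("deny", "tcp", ports=(137, 139), direction="in"),
    Rule("deny", "udp", ports=(53, 53), direction="in"),
    Rule("allow"),                                # assumed catch-all for the demo
]

CORRECT = PRE_NAT + [NO_WEB, DIVERT] + POST_NAT    # deny placed before the divert
MISPLACED = PRE_NAT + [DIVERT, NO_WEB] + POST_NAT  # same deny placed after it

# constructed sample packets
WEB = Packet("tcp", SECRETARY, "198.51.100.5", 80, "out")
NETBIOS = Packet("tcp", "198.51.100.9", EXT_IP, 139, "in")


def demo():
    return {
        "correct": walk(CORRECT, WEB),         # denied, source still the secretary
        "misplaced": walk(MISPLACED, WEB),     # allowed: source is already EXT_IP
        "netbios_in": walk(CORRECT, NETBIOS),  # denied by the post-divert rule
    }


if __name__ == "__main__":
    for name, (verdict, pkt) in demo().items():
        print(f"{name:10s} {verdict:5s} src={pkt.src}")
```

The model leaves out stateful mappings (natd's inbound rewrite of reply packets) and the "via in0" side of the box, which is why the inbound sample carries the gateway's own address; it is enough to show the ordering constraint Konstantinos described and why only deny rules on internal addresses make sense ahead of the divert.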