From owner-freebsd-questions@FreeBSD.ORG Fri Jul 22 08:53:10 2005 Return-Path: X-Original-To: questions@freebsd.org Delivered-To: freebsd-questions@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 638F416A449 for ; Fri, 22 Jul 2005 08:53:10 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2CA8E43D55 for ; Fri, 22 Jul 2005 08:53:05 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from localhost (localhost [127.0.0.1]) by pi.codefab.com (Postfix) with ESMTP id 5D5DC5EEB; Fri, 22 Jul 2005 04:53:04 -0400 (EDT) Received: from pi.codefab.com ([127.0.0.1]) by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06952-08; Fri, 22 Jul 2005 04:52:54 -0400 (EDT) Received: from [192.168.1.3] (pool-68-161-54-113.ny325.east.verizon.net [68.161.54.113]) by pi.codefab.com (Postfix) with ESMTP id 74CDE5C74; Fri, 22 Jul 2005 04:52:53 -0400 (EDT) Message-ID: <42E0B3E8.8030000@mac.com> Date: Fri, 22 Jul 2005 04:52:56 -0400 From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Dirk GOUDERS References: <200507220726.j6M7Qfw3075675@musashi.et.bocholt.fh-gelsenkirchen.de> In-Reply-To: <200507220726.j6M7Qfw3075675@musashi.et.bocholt.fh-gelsenkirchen.de> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at codefab.com Cc: questions@freebsd.org Subject: Re: ipfw and tun0 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jul 2005 08:53:10 -0000 Dirk GOUDERS wrote: >>> I just started to use an ADSL line with PPPoE and want run a firewall >>> between it and my local network. What I am wondering about is that even >>> if I only have the default everything-blocking rule (deny ip from any to >>> any) I still see incoming packets on tun0 with tcpdump. If you are using PPPoE, the system de-encapsulates the IP traffic off of the PPP session via the tun0 interface. tun0 can be treated as your "external interface" when writing firewall rules, setting up NAT, etc. [ ... ] > Another example is that I saw several SYN packets directed to > unprivileged ports that got answered with a RST packet by my machine. > When I block those SYN packets, I still see them on tun0 but the RST > responses disappear. Also, ipfw's counters show that it recognizes > those packets... Right. This implies that the firewall rules are working. If you want to see what the situation looks like to a client machine behind the firewall, either tcpdump on a client machine, or tcpdump on the internal interface of the firewall box... -- -Chuck