From owner-freebsd-security Tue Jul 25 16:34:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id AC95337BB80 for ; Tue, 25 Jul 2000 16:34:33 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id RAA28533; Tue, 25 Jul 2000 17:34:29 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id RAA24713; Tue, 25 Jul 2000 17:34:09 -0600 (MDT)
Message-Id: <200007252334.RAA24713@harmony.village.org>
To: Stephen Montgomery-Smith
Subject: Re: Problems with natd and simple firewall
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 25 Jul 2000 03:04:22 CDT." <397D4A06.9CFAF1FA@math.missouri.edu>
References: <397D4A06.9CFAF1FA@math.missouri.edu> <397C8F30.8DFCE0E9@math.missouri.edu>
Date: Tue, 25 Jul 2000 17:34:08 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I don't think we need a special option.  We have the following in our
firewall rules:

    #
    # filter_net
    #
    # Takes one or two arguments.
    #
    # This will filter out traffic to/from these networks.  The first
    # argument will be filtered.  If there is a second argument, it is
    # the interface to filter on.
    #
    filter_net() {
            # "via $2" is appended only when an interface was given
            via=${2:+via $2}
            $fwcmd add deny log ip from any to $1 ${via}
            $fwcmd add deny log ip from $1 to any ${via}
    }

    inet_if=fxp0
    filter_net 192.168.0.0:255.255.0.0
    filter_net 172.16.0.0:255.240.0.0
    filter_net 10.0.0.0:255.0.0.0 ${inet_if}

and this has been verified to work.  We use net10 internally, and we need
the router that we have to be able to pass those packets through the
router, but not out to the internet, which is on fxp0.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
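The following is an added example, not part of Warner's message: a dry run of the same filter_net helper with fwcmd pointed at echo, so the ipfw rules it would load are printed and can be inspected before touching a live ruleset. filter_net is copied from the message; the dry-run wrapper, generate_rules and count_rules_via are assumptions added here. It makes the ${2:+via $2} expansion visible: the RFC 1918 nets given without an interface are blocked everywhere, while net10 is blocked only on fxp0, which is what lets it cross the router internally but not reach the Internet.

```shell
#!/bin/sh
# Dry run: "echo ipfw" prints the rules instead of loading them.
# Set fwcmd=/sbin/ipfw to load them for real (assumed path).
fwcmd="echo ipfw"

# filter_net, as posted in the message.
#   $1 = network in ipfw addr:mask form
#   $2 = optional interface; when absent, the rule applies on all interfaces
filter_net() {
    # ${2:+via $2} expands to "via <if>" only when $2 is set and non-empty
    via=${2:+via $2}
    $fwcmd add deny log ip from any to $1 ${via}
    $fwcmd add deny log ip from $1 to any ${via}
}

# Emit the rule set described in the message (six deny rules) as text.
generate_rules() {
    inet_if=fxp0
    filter_net 192.168.0.0:255.255.0.0
    filter_net 172.16.0.0:255.240.0.0
    filter_net 10.0.0.0:255.0.0.0 ${inet_if}
}

# Count how many generated rules are bound to interface $1.
count_rules_via() {
    generate_rules | grep -c "via $1\$"
}

# Total number of generated rules.
count_rules() {
    generate_rules | wc -l | tr -d ' '
}

generate_rules
```

Run as `sh filter_net_dryrun.sh`; only the two net10 rules carry `via fxp0`, the other four have no interface qualifier and so also catch 192.168/16 and 172.16/12 traffic on the internal side.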