From owner-freebsd-security Tue Apr 11 7:47:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10])
    by hub.freebsd.org (Postfix) with ESMTP id 5A3A837B997
    for ; Tue, 11 Apr 2000 07:47:30 -0700 (PDT)
    (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost)
    by ns1.via-net-works.net.ar (8.9.3/8.9.3) id LAA24588;
    Tue, 11 Apr 2000 11:46:33 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <200004111446.LAA24588@ns1.via-net-works.net.ar>
Subject: Re: (no subject)
In-Reply-To: <38F2880D.473F8F8D@mediaone.net> from Ron Smith at "Apr 11, 0 03:03:57 am"
To: ronnet@mediaone.net (Ron Smith)
Date: Tue, 11 Apr 2000 11:46:29 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a previous message, Ron Smith wrote:
> Thanks to all,
>
> I have a dual-homed gateway running FreeBSD. The internal LAN (NIC) is
> class "C" (192.168.c.d). The external NIC has been assigned a static IP
> address from the ISP (63.203.c.d). I'm running NAT, and would like to
> know if this will provide enough protection for the internal LAN? I also
> have a firewall compiled into the kernel, but the rules prevent NAT from
> working whenever the firewall is in any other state except allowing "any
> to any". When the firewall is using "open" rules (allowing any to any)
> is NAT still providing protection to the internal network? If not, does
> anyone have any additional suggestions?

My advice would be to tcpdump the external interface and see what
packets it generates. This will give you an idea about how to handcraft
your firewall rules.

Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar (54-11) 4323-3333
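
One way to turn the capture suggested in the reply above into a list of what the firewall rules have to allow, as an added example that is not part of the original message. It assumes text lines in the style of `tcpdump -n -q -t` output taken on the external interface; `summarize`, the sample lines and the address 203.0.113.10 standing in for the gateway's external IP are constructed for illustration.

```python
import re
from collections import Counter

# IPv4 TCP/UDP lines in the style of `tcpdump -n -q -t` (assumed format).
LINE = re.compile(
    r"^IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (tcp|UDP)\b"
)

def summarize(lines, ext_ip):
    """Count conversations per (direction, proto, service port).

    The sender of the first packet seen for an address/port pair is taken
    as the initiator, so replies are not mistaken for new services. A
    capture that starts mid-conversation can therefore mislabel a flow.
    """
    seen = set()
    summary = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ICMP, ARP, IPv6 etc. are outside this sketch
        src, sport, dst, dport, proto = m.groups()
        key = (proto, frozenset(((src, int(sport)), (dst, int(dport)))))
        if key in seen:
            continue  # reply or later packet of a known conversation
        seen.add(key)
        if src == ext_ip:
            direction = "out"  # started by the gateway or a NATed LAN host
        elif dst == ext_ip:
            direction = "in"   # started from the Internet side
        else:
            continue
        summary[(direction, proto.lower(), int(dport))] += 1
    return summary

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = """\
IP 203.0.113.10.49152 > 198.51.100.7.80: tcp 0
IP 198.51.100.7.80 > 203.0.113.10.49152: tcp 0
IP 203.0.113.10.49153 > 198.51.100.7.80: tcp 0
IP 203.0.113.10.53001 > 198.51.100.53.53: UDP, length 40
IP 198.51.100.53.53 > 203.0.113.10.53001: UDP, length 56
IP 192.0.2.99.40000 > 203.0.113.10.23: tcp 0
IP 203.0.113.10 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for (direction, proto, port), n in sorted(summarize(SAMPLE, "203.0.113.10").items()):
        print(f"{direction:3} {proto} port {port}: {n} conversation(s)")
```

The "out" entries are the services the ruleset must let through for the LAN to keep working; every "in" entry is unsolicited traffic to decide on explicitly.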