From owner-freebsd-questions Thu Sep 21 23:40:54 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from pioneernet.net (pop3.pioneernet.net [208.240.196.25]) by hub.freebsd.org (Postfix) with ESMTP id DC00137B423 for ; Thu, 21 Sep 2000 23:40:50 -0700 (PDT)
Received: from wiegand.org [208.194.173.26] by pioneernet.net with ESMTP (SMTPD32-6.03) id A2606CEB005E; Thu, 21 Sep 2000 23:55:28 -0700
Message-ID: <39CAFF54.88010B25@wiegand.org>
Date: Thu, 21 Sep 2000 23:42:28 -0700
From: Chip
X-Mailer: Mozilla 4.74 [en] (X11; U; FreeBSD 4.0-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: cjclark@alum.mit.edu
Cc: "seafug@dub.net" , "freebsd-questions@freebsd.org"
Subject: Re: natd does port forwarding?
References: <39C6FCCC.D0103226@wiegand.org> <20000918225104.I367@149.211.6.64.reflexcom.com> <39C70308.EF52766F@wiegand.org> <20000919000233.L367@149.211.6.64.reflexcom.com> <39C84A4B.766B5B24@wiegand.org> <20000919232213.Q367@149.211.6.64.reflexcom.com> <20000921003240.B367@149.211.6.64.reflexcom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Okay, all's well now when the rc.conf is set to firewall type open. When I change it to client or simple, the installed defaults, I no longer can access anything outside my network. I have recompiled the kernel and removed the default-to-accept line; now ipfw show shows:

00100 divert 8668 ip from any to any via ep1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any

One of my previous messages had the rc.firewall attached, I assume that is still available in the archive for review. I had it running the client rules for about 10 minutes, then it mysteriously started preventing access outside my network.
I switched between open and client several times, with open allowing outside access each time and client not allowing outside access each time. Any and all suggestions are welcome.
--
Chip W.
www.wiegand.org
Alternative Operating Systems

"Crist J . Clark" wrote:
>
> On Wed, Sep 20, 2000 at 10:33:38PM -0700, Chip wrote:
> > [Attribution to me lost]
> > > Not only do you have the distributed "open" firewall running, but you
> > > must have built a kernel with the,
> > >
> > > options IPFIREWALL_DEFAULT_TO_ACCEPT
> > >
> > > Which is not recommended. Other than that, no surprises.
> >
> > So, is it okay to go back and recompile the kernel without this
> > option? What effect will that have on my current set up?
>
> None. But when you actually want to build rules to protect your net,
> default deny is the way to go.
> --
> Crist J. Clark cjclark@alum.mit.edu
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
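The thread turns on two points: the natd divert rule has to sit ahead of every pass rule on the outside interface, and once IPFIREWALL_DEFAULT_TO_ACCEPT is left out of the kernel the ruleset must allow the traffic you want explicitly, because anything unmatched falls through to the kernel's deny at 65535. The following is an added example, not code from the thread and not FreeBSD's own rc.firewall: a minimal default-deny ruleset for a natd gateway written in the rc.firewall style (a `fwcmd` variable and one `ipfw add` per rule). The outside interface ep1 comes from the thread; the inside network 192.0.2.0/24, the rule numbers and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.firewall: a minimal
# default-deny ipfw ruleset for a natd gateway. The divert rule is first so
# packets crossing the outside interface are translated before any pass/deny
# rule looks at them; whatever is not explicitly allowed hits the deny at the
# end (and the kernel's own rule 65535 once IPFIREWALL_DEFAULT_TO_ACCEPT is
# out of the kernel config).
#
# ep1 is the outside interface named in the thread. The inside network and
# the rule numbers are constructed placeholders; edit them to match your net.

fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to print instead of load
oif="ep1"                      # outside interface that natd runs on
inet="192.0.2.0/24"            # inside network (placeholder)

# Emit the ruleset, one "ipfw add ..." argument list per line, in load order.
build_rules() {
    cat <<EOF
add 100 divert natd ip from any to any via ${oif}
add 200 allow ip from any to any via lo0
add 300 deny ip from any to 127.0.0.0/8
add 400 deny ip from 127.0.0.0/8 to any
add 450 deny ip from ${inet} to any in via ${oif}
add 500 allow ip from ${inet} to any
add 600 allow tcp from any to any established
add 700 allow tcp from any to any out via ${oif} setup
add 800 allow udp from any to any 53 out via ${oif}
add 810 allow udp from any 53 to any in via ${oif}
add 900 allow icmp from any to any
add 65000 deny ip from any to any
EOF
}

# Flush the current ruleset and load build_rules through ${fwcmd}.
apply_rules() {
    ${fwcmd} -q -f flush
    build_rules | while read -r rule; do
        # ${rule} is deliberately unquoted: each word is a separate argument
        ${fwcmd} ${rule}
    done
}

# Return 0 if the natd divert precedes every allow rule on ${oif}. A pass
# rule placed ahead of the divert would let untranslated packets through.
check_order() {
    build_rules | awk -v oif="${oif}" '
        /divert natd/                           { divert = NR }
        /allow/ && $0 ~ ("via " oif) && !divert { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Print the ruleset by default; "load" installs it (needs root on FreeBSD).
case "${1:-print}" in
    load) apply_rules ;;
    *)    build_rules ;;
esac
```

Run it with no argument to print the rules, with `load` as root to install them, or with `fwcmd=echo` in the environment to dry-run the loader. Rule 450 rejects packets arriving on the outside interface that claim an inside source address, which the divert rule does not change on the way in; rules 600 and 700 are the stateless 4.x-era pattern of letting outbound TCP `setup` out and `established` segments back, so anything the outside tries to open toward the gateway or the inside network falls through to the final deny.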