From owner-freebsd-hackers Tue Aug 6 6:38:22 2002
From: Josh Paetzel
To: "Daniel O'Connor", Darren Pilgrim
Cc: freebsd-hackers@freebsd.org
Subject: Re: Routing question
Date: Tue, 6 Aug 2002 08:36:36 +0000
Message-Id: <200208060836.36434.friar_josh@webwarrior.net>
In-Reply-To: <1028635431.20786.8.camel@chowder.dons.net.au>
References: <1028626347.16577.96.camel@chowder.gsoft.com.au> <3D4FAEEB.131312DE@pantherdragon.org> <1028635431.20786.8.camel@chowder.dons.net.au>

On Tuesday 06 August 2002 12:03, Daniel O'Connor wrote:
> On Tue, 2002-08-06 at 20:41, Darren Pilgrim wrote:
> > > I know, I already have one. I'd just rather have less administrative
> > > complexity.
> >
> > How do you define administrative complexity?
>
> Well, if I want to change rules it takes careful consideration so I
> don't block or allow something inadvertently.
>
> It almost doubles the number of needed rules :(
>
> > > > Disable NAT.
> > >
> > > Not possible..
> >
> > Why not?
>
> Uhh cause I only have 1 IP?
> What point are you trying to make?
>
> --
> Daniel O'Connor software and network engineer

If you are using IPFW then just refer to the external interface by name. IPFW doesn't care a bit whether you call the interface tun0, or 12.23.34.45, or anything else.

I have used that setup for well over a year, and my firewall ruleset is about 14 lines long. Deny all the RFC 1918 stuff in and out, tunnel through 22 and 80, allow a TCP setup out on any port, allow a response in, and do what you will with UDP. (I personally allow it all. :-/)

I actually don't see any advantage to having a static IP and using the IP in your ruleset. It's not like you can deny packets coming from your ISP to that IP or anything. ;)

Josh
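The ruleset Josh sketches, written out as an added example (this is not his actual 14-line ruleset, nor anything from the FreeBSD project): a small sh script that builds an IPFW ruleset which names the external interface rather than hard-coding its address, so a change of dynamic IP never touches the rules. The interface name `tun0`, the published ports 22 and 80, and the rule numbers are assumptions; the script only prints the `ipfw add` commands unless `APPLY=1` is set.

```sh
#!/bin/sh
# Added example: IPFW ruleset keyed on the interface name, never on its IP.
# EXT_IF and IN_TCP_PORTS are assumed defaults; override them in the environment.
EXT_IF="${EXT_IF:-tun0}"                 # assumed external (PPP) interface
IN_TCP_PORTS="${IN_TCP_PORTS:-22 80}"    # services reachable from outside

# Emit the ruleset as "ipfw add ..." commands on stdout. Nothing is applied here.
gen_rules() {
    ext="$1"; ports="$2"
    echo "ipfw -f flush"
    # Loopback traffic is always allowed.
    echo "ipfw add 100 allow ip from any to any via lo0"
    # RFC 1918 space must never cross the external interface in either direction.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "ipfw add 200 deny log ip from $net to any via $ext"
        echo "ipfw add 200 deny log ip from any to $net via $ext"
    done
    # Inbound TCP connection setup only to the published services.
    for p in $ports; do
        echo "ipfw add 300 allow tcp from any to any $p in via $ext setup"
    done
    # Outbound TCP setup on any port, and replies belonging to established sessions.
    echo "ipfw add 400 allow tcp from any to any out via $ext setup"
    echo "ipfw add 410 allow tcp from any to any established"
    # UDP: the post allows it all; a tighter site would list ports here instead.
    echo "ipfw add 500 allow udp from any to any via $ext"
    # Everything else is dropped and logged.
    echo "ipfw add 65000 deny log ip from any to any"
}

# Sanity check used before applying: count literal IPv4 addresses in the ruleset
# other than the RFC 1918 blocks. The answer must be 0, i.e. the external IP
# never appears, so a new lease cannot silently break the rules.
rules_mention_ip() {
    gen_rules "$1" "$2" \
        | grep -F -v -e '10.0.0.0/8' -e '172.16.0.0/12' -e '192.168.0.0/16' \
        | grep -Ec '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' || true
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "$EXT_IF" "$IN_TCP_PORTS" | sh    # apply for real (root and ipfw required)
else
    gen_rules "$EXT_IF" "$IN_TCP_PORTS"         # dry run: just print the rules
fi
```

Run it with no arguments to inspect the generated rules, and `APPLY=1 sh ipfw.sh` to load them. The `established` rule carries no `via` clause on purpose: it matches replies on any interface, which is the "allow a response in" step of the post.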