From owner-freebsd-questions Sat Dec 29 04:09:29 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mailout04.sul.t-online.com (mailout04.sul.t-online.com [194.25.134.18]) by hub.freebsd.org (Postfix) with ESMTP id C7A7637B41E for ; Sat, 29 Dec 2001 04:09:24 -0800 (PST)
Received: from fwd01.sul.t-online.de by mailout04.sul.t-online.de with smtp id 16KIH8-0003vH-0G; Sat, 29 Dec 2001 13:07:42 +0100
Received: from spirit.corecode.ath.cx (320050403952-0001@[217.82.63.104]) by fmrl01.sul.t-online.com with esmtp id 16KIH7-0tXKPwC; Sat, 29 Dec 2001 13:07:41 +0100
Received: from elevation.zuhause.stoert.net (elevation.zuhause.stoert.net [192.168.66.46]) by spirit.corecode.ath.cx (8.11.6/8.11.6) with ESMTP id fBTC7eg22849; Sat, 29 Dec 2001 13:07:40 +0100 (CET) (envelope-from corecode@elevation.zuhause.stoert.net)
Received: (from corecode@localhost) by elevation.zuhause.stoert.net (8.11.6/8.11.6) id fBTC7cr00303; Sat, 29 Dec 2001 13:07:38 +0100 (CET) (envelope-from corecode)
Date: Sat, 29 Dec 2001 13:07:34 +0100
From: "Simon 'corecode' Schubert"
To: "Joe & Fhe Barbish"
Cc: questions@FreeBSD.ORG
Subject: Re: IPFW rc.firewall
Message-Id: <20011229130734.596f3a12.corecode@corecode.ath.cx>
In-Reply-To:
References: <20011228120842.0f3205df.corecode@corecode.ath.cx>
X-Mailer: Sylpheed version 0.6.6claws (GTK+ 1.2.10; i386--freebsd4.4)
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"
X-Sender: 320050403952-0001@t-dialin.net
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, 28 Dec 2001 11:19:38 -0500 "Joe & Fhe Barbish" wrote:

> I reviewed your tutorial.
> I see that it's a copy of the rc.firewall file with the symbolic
> variables for the "simple" network filled in for your environment.
> You have the second statement under the comments #stop spoofing
> commented out because in a user ppp dialout to the ISP you are
> getting dynamic IPs and this rule needs {onet} & {omask}, a static
> IP value, which you don't have because it always changes each time
> you dial your ISP.
>
> # Stop spoofing
> ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
> # ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

well, yes, kinda... :) in the first place i disabled it to enable spoofing from inside ;] but you are right, without knowledge of the onet (which is pretty much 0/0) this rule doesn't work.

> I am in this same situation. I think there is a way to get the info
> needed for {onet} & {omask}. The rc.conf file controls the startup
> sequence of FBSD functions. If user ppp statements come before the
> IPFW statements in rc.conf then FBSD will know the dynamic IP
> address before IPFW starts.

this is only the reason if you just dial out once the system starts. if you dial out later your ip changes but the ruleset doesn't get loaded.

if you want to set the rules according to your current ip address you could use a /etc/ppp/linkup script that resets the ipfw ruleset. but with my ruleset this is not needed. i wrote it just with the use of ... via ${oif} and ... keep-state

i think this is a pretty good ruleset (for nat'ed users) but it has a disadvantage: connections time out if not used (because of the keep-state). but i don't mind much about this stuff as i can live with it and it improves the security (well i think it does).
cheerz
  corecode

-- 
/"\   http://corecode.ath.cx/
\ /   ASCII Ribbon Campaign
/ \   Against HTML Mail and News
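The two ideas in the reply, reloading the anti-spoofing pair from a ppp link-up hook so ${onet}/${omask} reflect the live address, and the "via ${oif} ... keep-state" pattern, as an added example script (not corecode's ruleset and not part of the original mail). It assumes the script is called from /etc/ppp/ppp.linkup with `!bg /usr/local/sbin/fw-relink INTERFACE MYADDR` (ppp substitutes those two words), and the inside interface/network values below are constructed for the example.

```shell
#!/bin/sh
# Added example: rebuild the rc.firewall "stop spoofing" rules from the
# live ppp address each time the link comes up, instead of loading them
# once at boot with a stale or unknown ${onet}.  Hook-up assumed in
# /etc/ppp/ppp.linkup:   !bg /usr/local/sbin/fw-relink INTERFACE MYADDR
# Inside interface/network below are constructed values, not real ones.

fwcmd="${FWCMD:-ipfw -q}"       # set fwcmd=echo to dry-run
iif="${IIF:-fxp0}"
inet="${INET:-192.168.66.0}"
imask="${IMASK:-255.255.255.0}"

# Network address of ip/mask in dotted-quad form, e.g.
# net_of 217.82.63.104 255.255.255.0  ->  217.82.63.0
net_of() {
    set -- $(printf '%s %s' "$1" "$2" | tr '.' ' ')
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Print the rules for the current outside address.  The first two are the
# rc.firewall anti-spoofing pair with ${onet}:${omask} filled in; a ppp link
# is point-to-point, so the mask defaults to /32 and onet is our own address.
# The rest is the "via ${oif} ... keep-state" pattern: outbound packets create
# dynamic rules, unsolicited inbound packets on the outside interface are dropped.
antispoof_rules() {
    oif="$1" oaddr="$2" omask="${3:-255.255.255.255}"
    onet=$(net_of "$oaddr" "$omask")
    printf 'add deny all from %s:%s to any in via %s\n' "$inet" "$imask" "$oif"
    printf 'add deny all from %s:%s to any in via %s\n' "$onet" "$omask" "$iif"
    printf 'add check-state\n'
    printf 'add allow ip from any to any out via %s keep-state\n' "$oif"
    printf 'add deny ip from any to any in via %s\n' "$oif"
}

# Flush the ruleset and load the regenerated rules; args are INTERFACE MYADDR.
reload_rules() {
    $fwcmd -f flush
    antispoof_rules "$@" | while read -r rule; do $fwcmd $rule; done
}

if [ $# -ge 2 ]; then
    reload_rules "$1" "$2"
fi
```

Run it with `fwcmd=echo` first to inspect the generated rules before pointing it at ipfw.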