Date:      Mon, 10 Jul 2000 10:21:54 -0700 (PDT)
From:      Doug White <dwhite@resnet.uoregon.edu>
To:        Colin <cwass99@home.com>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: natd inconsistencies
Message-ID:  <Pine.BSF.4.21.0007101020421.23759-100000@resnet.uoregon.edu>
In-Reply-To: <XFMail.000709211617.cwass99@home.com>

On Sun, 9 Jul 2000, Colin wrote:

> I've just finished setting up FreeBSD 4.0R with ipfw and natd and I've noticed
> either a discrepancy between the actual functionality and the man page or a
> misunderstanding on my part.
>      The man page recommends putting the divert rule as close to the beginning
> of the rule set as possible, and the default rule sets seem consistent
> with this.  I noticed, though, that if I didn't put the rule "deny ip from
> 192.168.0.0/24 to any in recv ed1" before the divert rule nothing from my
> internal network (which just happens to be 192.168.0.0/24) would get through. I
> assume the prevent-spoofing rules for private networks would have the same
> issue depending on the internal network used.  I also noticed several other
> default rules caused some problems.

This rule would block traffic destined for your own network -- you
antispoofed yourself!  :)  It *MUST* be before translation takes place,
and also make sure ed1 is the external interface.

The 'log' option and 'ipfw show' are handy for firewall debugging.

Doug White                    |  FreeBSD: The Power to Serve
dwhite@resnet.uoregon.edu     |  www.FreeBSD.org
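An added example, not code from Doug's or Colin's message, showing an ipfw ruleset laid out in the order the reply recommends: the anti-spoofing denies on the external interface come before the divert rule, so they are judged against the untranslated packet, and the divert rule names ed1 as the external interface. The interface names (ed1 external, ed0 internal), the rule numbers, the extra allow rules and the RFC 1918 ranges other than 192.168.0.0/24 are assumptions. FWCMD defaults to a dry run (`echo ipfw`) so the rules can be read and order-checked on any machine; set FWCMD=ipfw to load them on a FreeBSD host.

```shell
#!/bin/sh
# Constructed example (not from the original message). Assumed layout:
#   ed1 = external interface, ed0 = internal interface,
#   internal LAN = 192.168.0.0/24 (as in the thread).
# FWCMD defaults to a dry run so the ruleset can be inspected without
# touching a live firewall; FWCMD=ipfw applies it for real.
FWCMD="${FWCMD:-echo ipfw}"
OIF=ed1
IIF=ed0
INET=192.168.0.0/24

# Emit the ruleset through the command given as $1 (e.g. "ipfw" or "echo ipfw").
ruleset() {
    fw="$1"
    $fw -f flush
    $fw add 100 allow ip from any to any via lo0
    # Anti-spoofing: a packet arriving on the external interface with an
    # internal (or other private) source address is forged.  These rules MUST
    # sit before the divert rule so they see the packet before natd rewrites
    # it; 'log' makes hits visible in the system log while debugging.
    $fw add 300 deny log ip from $INET to any in recv $OIF
    $fw add 310 deny log ip from 10.0.0.0/8 to any in recv $OIF
    $fw add 320 deny log ip from 172.16.0.0/12 to any in recv $OIF
    # Translation point: every rule numbered after this one is evaluated on
    # the address-rewritten packet natd hands back.
    $fw add 400 divert natd ip from any to any via $OIF
    $fw add 500 allow ip from $INET to any in recv $IIF
    $fw add 510 allow tcp from any to any established
    $fw add 65000 deny log ip from any to any
}

# Dry-run sanity check: every anti-spoof deny on the inbound path must be
# numbered below the divert rule.  Prints "ok" or "misordered".
check_order() {
    rules=$(ruleset "echo ipfw")
    divert=$(printf '%s\n' "$rules" | awk '/ divert natd /{print $3; exit}')
    bad=$(printf '%s\n' "$rules" | awk -v d="$divert" \
        '/ deny / && / in recv / && ($3+0 >= d+0) { c++ } END { print c+0 }')
    [ "$bad" -eq 0 ] && echo ok || echo misordered
}

# Stand-alone run: emit the rules (dry run by default), then verify the order.
ruleset "$FWCMD"
check_order
```

Once the rules are loaded on a real host, `ipfw show` lists them with per-rule packet and byte counters, so a counter climbing on rule 300 or on the final deny points straight at the rule that is eating the traffic.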






