From owner-freebsd-stable Mon Jul 10 10:22: 3 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.122.47]) by hub.freebsd.org (Postfix) with ESMTP id ACA8837B724 for ; Mon, 10 Jul 2000 10:21:58 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost) by resnet.uoregon.edu (8.10.1/8.10.1) with ESMTP id e6AHLsk19030; Mon, 10 Jul 2000 10:21:54 -0700 (PDT)
Date: Mon, 10 Jul 2000 10:21:54 -0700 (PDT)
From: Doug White
To: Colin
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: natd inconsistencies
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 9 Jul 2000, Colin wrote:

> I've just finished setting up FreeBSD 4.0R with ipfw and natd and I've noticed
> either a discrepancy between the actual functionality and the man page or a
> misunderstanding on my part.
>
> The man page recommends putting the divert rule as close to the beginning
> of the rule set as possible, and the default rule sets seem consistent
> with this. I noticed, though, that if I didn't put the rule "deny ip from
> 192.168.0.0/24 to any in recv ed1" before the divert rule nothing from my
> internal network (which just happens to be 192.168.0.0/24) would get through. I
> assume the prevent-spoofing rules for private networks would have the same
> issue depending on the internal network used. I also noticed several other
> default rules caused some problems.

This rule would block traffic destined for your own network -- you
antispoofed yourself! :) It *MUST* be before translation takes place, and
also make sure ed1 is the external interface.

The 'log' option and 'ipfw show' are handy for firewall debugging.
Doug White | FreeBSD: The Power to Serve
dwhite@resnet.uoregon.edu | www.FreeBSD.org
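As an added example (not from the thread or from FreeBSD's own rc.firewall), a small sh rule generator that lays out the ordering discussed above: antispoof deny rules on the external interface, with `log`, placed ahead of the natd divert rule, and a check that refuses to load a set where that ordering is violated. The interface names ed1/ed0 and the 192.168.0.0/24 internal network are assumptions taken from the thread, and the pass rules after the divert are a minimal illustrative set.

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipfw rule set for a
# FreeBSD natd gateway with the antispoof rules placed BEFORE the divert
# rule, as advised above.  Interface names and the internal network are
# assumptions; override them via the environment if yours differ.
ext_if=${EXT_IF:-ed1}              # external (Internet-facing) interface
int_if=${INT_IF:-ed0}              # internal LAN interface
int_net=${INT_NET:-192.168.0.0/24} # internal network behind natd

# Print the rule set in order, one "<number> <rule body>" per line.
# 'log' on the deny rules makes mistakes visible in the ipfw log.
fw_rules() {
    cat <<EOF
100 deny log ip from $int_net to any in recv $ext_if
110 deny log ip from 10.0.0.0/8 to any in recv $ext_if
120 deny log ip from 172.16.0.0/12 to any in recv $ext_if
130 deny log ip from 192.168.0.0/16 to any in recv $ext_if
200 divert natd ip from any to any via $ext_if
300 allow ip from any to any via $int_if
310 allow tcp from any to any established
320 allow ip from any to any out via $ext_if
65000 deny log ip from any to any
EOF
}

# Number of the first rule whose body matches the given grep pattern.
rule_number() {
    fw_rules | grep -- "$1" | head -n 1 | cut -d' ' -f1
}

# Sanity check before loading: every antispoof deny must precede the divert.
check_order() {
    divert=$(rule_number 'divert natd')
    fw_rules | grep 'deny log ip from .* in recv' | while read -r num _; do
        [ "$num" -lt "$divert" ] || exit 1   # exits the pipeline subshell only
    done
}

# Load the rules on the gateway (needs root and the ipfw/divert kernel options).
apply_rules() {
    check_order || { echo "antispoof rules must come before divert" >&2; return 1; }
    ipfw -q -f flush
    fw_rules | while read -r rule; do
        ipfw -q add $rule        # word splitting of $rule is intended
    done
    ipfw show                    # confirm what actually got loaded
}
```

Run `apply_rules` on the gateway itself; `fw_rules` and `check_order` can be run anywhere to review the set first.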