From owner-freebsd-questions Fri Apr 13 7:37:35 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from chmod.ath.cx (CC2-861.charter-stl.com [24.217.115.99]) by hub.freebsd.org (Postfix) with ESMTP id D944E37B424 for ; Fri, 13 Apr 2001 07:37:30 -0700 (PDT) (envelope-from ajh3@chmod.ath.cx)
Received: by chmod.ath.cx (Postfix, from userid 1001) id 9FCC5A921; Fri, 13 Apr 2001 09:36:41 -0500 (CDT)
Date: Fri, 13 Apr 2001 09:36:41 -0500
From: Andrew Hesford
To: Radical
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw+natd "napster"
Message-ID: <20010413093641.A13856@cec.wustl.edu>
References: <20010412135604.A1163@home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from Radical@hardcore.lt on Fri, Apr 13, 2001 at 10:59:14AM +0200
X-Loop: Andrew Hesford
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Apr 13, 2001 at 10:59:14AM +0200, Radical wrote:
> Hello
>
> I'm running a gateway on FreeBSD 4.2.
> I have configured ipfw and natd on it.
> Everything works very well, but I was confused when I found that napster does not
> work properly.
> So maybe someone has already solved this problem and has correct rules for ipfw.

The problem is trivial, if you use stateful rules. There are plenty of instructions on how to do this, if you look around, so I'm not going to restate them here.

Basically, since I trust every machine in my LAN, my router/NATbox/packet filter allows any connection that originates inside the LAN to do what it wants. It then lets return packets from that connection back inside the LAN. However, the packet filter systematically drops all packets destined for my boxen when there is no active connection originating on the inside.

The result is very cool... For instance, I can ping any host I want, but nobody can ping me. Likewise, telnet and ftp ports are sealed off to the outside world, but I can telnet and ftp anywhere I like.
I only keep three ports open: ssh (for easy remote access to my workstation), smtp (for the ability to receive precious freebsd mailing list messages) and http (for no real reason except it's cool to run a webserver).

With this configuration, napster has never been a problem for me. I'm not sure how it affects people who try to take my MP3s, but I'm the BOFH of the napster world; I don't give a damn about people who want to take MY music, and if I do see connections (I can't remember any right now), I kill them.

--
Andrew Hesford
ajh3@chmod.ath.cx
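The stateful setup Andrew outlines, written out as an added example that is not part of the original mail: an ipfw ruleset for a natd gateway that passes anything originating on the LAN and its replies, accepts inbound connections only on ssh, smtp and http, and drops everything else. The interface names ed0/ed1 and the natd divert port are constructed assumptions; the script only prints the rules unless APPLY=yes is set.

```shell
#!/bin/sh
# Added example, not from the original mail: a natd + ipfw ruleset that
# implements the policy described above: anything originating on the LAN gets
# out and its replies get back in (keep-state), inbound connections are
# accepted only on ssh, smtp and http, everything else is dropped.
# Constructed assumptions: outside interface ed0, LAN interface ed1,
# natd on its default divert port 8668.
set -eu

OIF="${OIF:-ed0}"              # Internet-facing interface (assumption)
LIF="${LIF:-ed1}"              # LAN-facing interface (assumption)
NATD_PORT="${NATD_PORT:-8668}" # natd's default divert port
OPEN_TCP="22,25,80"            # ssh, smtp, http: the only ports left open

# Print the ruleset as ipfw commands; "APPLY=yes sh thisfile" loads it as root.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
# loopback and the trusted LAN side are not filtered
ipfw add 100 allow ip from any to any via lo0
ipfw add 110 allow ip from any to any via $LIF
# nothing arriving from outside may carry a loopback address
ipfw add 120 deny ip from any to 127.0.0.0/8 in via $OIF
ipfw add 130 deny ip from 127.0.0.0/8 to any in via $OIF
# un-NAT inbound packets first, so dynamic rules are keyed on LAN addresses
ipfw add 200 divert $NATD_PORT ip from any to any in via $OIF
# packets matching a dynamic rule take that rule's action (skipto or allow)
ipfw add 300 check-state
# connections leaving the LAN: create a dynamic rule, then jump to NAT
ipfw add 400 skipto 800 tcp from any to any out via $OIF setup keep-state
ipfw add 410 skipto 800 udp from any to any out via $OIF keep-state
ipfw add 420 skipto 800 icmp from any to any out via $OIF keep-state
# the three services reachable from outside; their replies match rule 300
ipfw add 500 allow tcp from any to me $OPEN_TCP in via $OIF setup keep-state
# ICMP errors (unreachable, source quench, time exceeded) keep PMTU discovery working
ipfw add 510 allow icmp from any to any in via $OIF icmptypes 3,4,11
# nothing else gets in; the default rule 65535 denies anything left over
ipfw add 600 deny log ip from any to any in via $OIF
# outbound: translate, then let it go (replies routed here by skipto also pass)
ipfw add 800 divert $NATD_PORT ip from any to any out via $OIF
ipfw add 810 allow ip from any to any
EOF
}

# count_rules returns how many "ipfw add" commands the ruleset emits
count_rules() { ipfw_rules | grep -c '^ipfw add'; }

if [ "${APPLY:-no}" = yes ]; then ipfw_rules | sh; else ipfw_rules; fi
```

The `log` keyword only produces output if the kernel was built with IPFIREWALL_VERBOSE; otherwise the rule still denies, silently.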