From owner-freebsd-questions@FreeBSD.ORG Sun Nov 28 04:48:50 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 70C0016A4CE for ; Sun, 28 Nov 2004 04:48:50 +0000 (GMT)
Received: from yearning.mcc.ac.uk (yearning.mcc.ac.uk [130.88.203.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBBE743D46 for ; Sun, 28 Nov 2004 04:48:49 +0000 (GMT) (envelope-from jcm@FreeBSD-uk.eu.org)
Received: from dogma.freebsd-uk.eu.org ([130.88.200.97]) by yearning.mcc.ac.uk with esmtp (Exim 4.43 (FreeBSD)) id 1CYGzR-000Dbo-3T; Sun, 28 Nov 2004 04:48:49 +0000
Received: from dogma.freebsd-uk.eu.org (localhost [127.0.0.1]) iAS4mmlZ001555; Sun, 28 Nov 2004 04:48:48 GMT (envelope-from jcm@dogma.freebsd-uk.eu.org)
Received: (from jcm@localhost) by dogma.freebsd-uk.eu.org (8.12.10/8.12.6/Submit) id iAS4mlwV001554; Sun, 28 Nov 2004 04:48:47 GMT
Date: Sun, 28 Nov 2004 04:48:47 +0000
From: Jonathon McKitrick
To: Giorgos Keramidas
Message-ID: <20041128044847.GA1435@dogma.freebsd-uk.eu.org>
References: <20041127215612.GA86416@dogma.freebsd-uk.eu.org> <20041128013135.GD662@gothmog.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041128013135.GD662@gothmog.gr>
User-Agent: Mutt/1.4i
cc: freebsd-questions@freebsd.org
Subject: Re: Is this a hole in my firewall?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 28 Nov 2004 04:48:50 -0000

On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
: AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
: you also have rule 00200 in there.

Hmmm.... here's a run after having the laptop running for a bit.  I don't
see why 200 doesn't cover the case either.

root@neptune:~# ipfw show
00100     0       0 check-state
00200  6709 1277079 allow ip from me to any keep-state out xmit tun0
00300  2093  645797 allow ip from any to any keep-state out xmit tun0
00400    91    7308 deny tcp from any to any in recv tun0 established
00500    43    6869 allow ip from any to any via vr0
00600    52    3080 allow ip from any to any via lo0
00700     0       0 deny ip from any to 127.0.0.0/8
00800     0       0 deny ip from 127.0.0.0/8 to any
00900     0       0 allow tcp from any to me 22 keep-state in recv vr0 setup
01000     0       0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
01100    11    1371 deny log logamount 100 ip from any to any
65535     0       0 deny ip from any to any
root@neptune:~#

jm
--
My other computer is your Windows box.
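The difference between rules 00200 and 00300 comes down to what ipfw's `me` keyword matches: only addresses configured on the host's own interfaces. A packet that is merely forwarded out tun0 (for instance from a client on the vr0 side of the box) does not carry one of those addresses as its source, so rule 00200 cannot match it and it falls through to rule 00300. The following toy model of ipfw's first-match walk is an added example, not code from this thread or from FreeBSD; the interface addresses, the LAN client and the remote hosts are constructed placeholders, it only models the keywords this ruleset uses (`me`/`any`, `in`/`out`, `xmit`/`recv`/`via`, `established`, `keep-state`, `check-state`), it ignores ports, and it assumes forwarded LAN traffic is the kind of packet that reaches rule 00300. Whether such forwarding is intended on the poster's box is exactly the question to answer; the per-rule counters in `ipfw show` are the cheapest way to see which of the two cases is generating traffic.

```python
"""Toy model of ipfw's first-match rule walk for the ruleset quoted above.

Added example, not code from the mailing-list thread. Models only the
keywords that ruleset uses and ignores ports, fragments and logging.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses for the box's two interfaces (not the poster's).
HOST_ADDRS = {"tun0": "192.0.2.10", "vr0": "192.168.1.1"}
LAN_HOST = "192.168.1.20"      # constructed client on the vr0 side
REMOTE = "198.51.100.5"        # constructed Internet host
STRANGER = "203.0.113.7"       # constructed host the box never talked to


def is_me(addr: str) -> bool:
    """ipfw 'me' matches any address configured on one of the host's interfaces."""
    return addr in HOST_ADDRS.values()


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    direction: str              # "in" or "out"
    iface: str                  # recv interface for "in", xmit interface for "out"
    established: bool = False   # TCP segment with ACK or RST set


@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "ip"           # "ip" matches every protocol
    src: str = "any"            # "me" or "any"
    dst: str = "any"
    direction: Optional[str] = None   # "in", "out" or None for either
    iface: Optional[str] = None       # None means any interface ("via x" sets it)
    established: bool = False
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.action == "check-state":
            return False        # resolved against the state table in Firewall.walk
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src == "me" and not is_me(pkt.src):
            return False
        if self.dst == "me" and not is_me(pkt.dst):
            return False
        if self.direction and self.direction != pkt.direction:
            return False
        if self.iface and self.iface != pkt.iface:
            return False
        if self.established and not pkt.established:
            return False
        return True


# The rules from the quoted 'ipfw show', minus the ones that need port or
# network matching (00700, 00800, 00900, 01000), which this model does not do.
RULES = [
    Rule(100, "check-state"),
    Rule(200, "allow", "ip", "me", "any", "out", "tun0", keep_state=True),
    Rule(300, "allow", "ip", "any", "any", "out", "tun0", keep_state=True),
    Rule(400, "deny", "tcp", "any", "any", "in", "tun0", established=True),
    Rule(500, "allow", "ip", iface="vr0"),       # "via vr0": either direction
    Rule(600, "allow", "ip", iface="lo0"),
    Rule(1100, "deny"),                          # "deny log ... ip from any to any"
]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()      # dynamic rules created by keep-state

    @staticmethod
    def _flow(pkt: Packet):
        # Direction-agnostic flow key so the reply matches the original state.
        return (frozenset((pkt.src, pkt.dst)), pkt.proto)

    def walk(self, pkt: Packet) -> Tuple[int, str]:
        """Return (rule number, action) of the first rule that decides the packet."""
        for r in self.rules:
            if r.action == "check-state":
                if self._flow(pkt) in self.state:
                    return r.number, "allow"
                continue
            if r.matches(pkt):
                if r.keep_state:
                    self.state.add(self._flow(pkt))
                return r.number, r.action
        raise AssertionError("ruleset must end with a catch-all rule")


def scenario() -> dict:
    """Walk four constructed packets and report which rule each one hit."""
    fw = Firewall(RULES)
    out = {}
    # 1. Traffic the box itself originates out tun0: source is "me", rule 200.
    out["host_out"] = fw.walk(Packet(HOST_ADDRS["tun0"], REMOTE, "tcp", "out", "tun0"))
    # 2. Forwarded packet from the LAN client: source is not "me", so rule 200
    #    cannot match and the packet is accepted by rule 300 instead.
    out["lan_out"] = fw.walk(Packet(LAN_HOST, REMOTE, "tcp", "out", "tun0"))
    # 3. Reply to (2) arriving on tun0: keep-state on rule 300 created a dynamic
    #    rule, so check-state (rule 100) accepts it before rule 400 is reached.
    out["lan_reply"] = fw.walk(Packet(REMOTE, LAN_HOST, "tcp", "in", "tun0", established=True))
    # 4. Unsolicited ACK segment from a host with no state: rule 400 denies it.
    out["unsolicited"] = fw.walk(Packet(STRANGER, HOST_ADDRS["tun0"], "tcp", "in", "tun0", established=True))
    return out


if __name__ == "__main__":
    for name, (number, action) in scenario().items():
        print(f"{name:12s} -> rule {number:05d} {action}")
```

Running it shows the four outcomes: the box's own traffic stops at 00200, the forwarded packet is the one that increments 00300, its reply is let in by the dynamic rule via 00100, and an unsolicited established segment is still caught by 00400. If the real counters on 00300 keep growing while nothing on the vr0 side should be reaching the Internet through this box, that is the traffic to look at.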