From owner-freebsd-questions@FreeBSD.ORG  Sun Nov 28 04:48:50 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 70C0016A4CE
	for <freebsd-questions@freebsd.org>;
	Sun, 28 Nov 2004 04:48:50 +0000 (GMT)
Received: from yearning.mcc.ac.uk (yearning.mcc.ac.uk [130.88.203.23])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DBBE743D46
	for <freebsd-questions@freebsd.org>;
	Sun, 28 Nov 2004 04:48:49 +0000 (GMT)
	(envelope-from jcm@FreeBSD-uk.eu.org)
Received: from dogma.freebsd-uk.eu.org ([130.88.200.97])
	by yearning.mcc.ac.uk with esmtp (Exim 4.43 (FreeBSD))
	id 1CYGzR-000Dbo-3T; Sun, 28 Nov 2004 04:48:49 +0000
Received: from dogma.freebsd-uk.eu.org (localhost [127.0.0.1])
	iAS4mmlZ001555;	Sun, 28 Nov 2004 04:48:48 GMT
	(envelope-from jcm@dogma.freebsd-uk.eu.org)
Received: (from jcm@localhost)
	by dogma.freebsd-uk.eu.org (8.12.10/8.12.6/Submit) id iAS4mlwV001554;
	Sun, 28 Nov 2004 04:48:47 GMT
Date: Sun, 28 Nov 2004 04:48:47 +0000
From: Jonathon McKitrick <jcm@FreeBSD-uk.eu.org>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Message-ID: <20041128044847.GA1435@dogma.freebsd-uk.eu.org>
References: <20041127215612.GA86416@dogma.freebsd-uk.eu.org>
	<20041128013135.GD662@gothmog.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041128013135.GD662@gothmog.gr>
User-Agent: Mutt/1.4i
cc: freebsd-questions@freebsd.org
Subject: Re: Is this a hole in my firewall?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Nov 2004 04:48:50 -0000

On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
: AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
: you also have rule 00200 in there.

Hmmm.... here's a run after having the laptop running for a bit.  I don't
see why 200 doesn't cover the case either.

root@neptune:~# ipfw show
00100    0       0 check-state
00200 6709 1277079 allow ip from me to any keep-state out xmit tun0
00300 2093  645797 allow ip from any to any keep-state out xmit tun0
00400   91    7308 deny tcp from any to any in recv tun0 established
00500   43    6869 allow ip from any to any via vr0
00600   52    3080 allow ip from any to any via lo0
00700    0       0 deny ip from any to 127.0.0.0/8
00800    0       0 deny ip from 127.0.0.0/8 to any
00900    0       0 allow tcp from any to me 22 keep-state in recv vr0 setup
01000    0       0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
01100   11    1371 deny log logamount 100 ip from any to any
65535    0       0 deny ip from any to any
root@neptune:~# 


jm
--
My other computer is your Windows box.