From: Jon Drukman
To: freebsd-questions@freebsd.org
Date: Sun, 15 Oct 2000 15:32:26 -0700
Subject: natd + ipfw in default deny mode
Message-Id: <4.3.2.7.2.20001015152808.00b275f8@lasvegas.sfo.collab.net>

I am running 4.1.1-R and doing the typical natd + ipfw thing to let my windows boxes connect to my DSL line through the FreeBSD box. I was wondering if it is possible to run the FreeBSD ipfw configuration in "default deny" mode. I can't get it to work by doing firewall type "simple". Unless I have a pass all rule in the ipfw config, I get this message from natd:

    Oct 14 19:42:33 cluttered natd[98]: failed to write packet back (Permission denied)

I thought having the divert rule early on would work around all the deny rules, but I haven't stumbled on the magic formula. Any example firewall configs would be appreciated.

Right now I'm running in "open" mode and explicitly blocking a few troublesome ports (windows networking for example) but obviously it would be nicer to block everything and only accept what I specifically need.

In case it matters, the external network (dsl) is on interface dc0. The internal net is 10.10.10.0/24 on interface ed0.

My natd lines in rc.conf are:

    natd_enable="YES"
    natd_interface="dc0"
    natd_flags=""

My firewall lines are:

    firewall_enable="YES"
    firewall_type="open"
    firewall_logging="YES"

-jsd-