Date:      Mon, 06 Jan 1997 19:47:15 -0600
From:      Alex Nash <nash@mcs.com>
To:        Brandon Gillespie <brandon@cold.org>
Cc:        security@freebsd.org
Subject:   Re: FreeBSD as a cleanwall
Message-ID:  <32D1AB23.167EB0E7@mcs.com>
References:  <Pine.NEB.3.95.970106143712.23715A-100000@cold.org>

[hackers removed]

Brandon Gillespie wrote:
> 
> Does anybody have a configuration for packet filtering through a FreeBSD
> router to run a cleanwall?  Basically to keep all addresses of a specific
> IP set (say a class C) on the right sides.  I.e. only set addresses of
> that set leave the network and don't allow any addresses of that set onto
> the network?  I'm mulling through the docs now, but figured to look here
> for any possible pointers, as this seems like it would be a common enough
> operation..

If I understand you correctly, I think what you want is this 
extract from /etc/rc.firewall:

    ############
    # This is a prototype setup for a simple firewall.  Configure this machine 
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ed0"
    onet="192.168.4.0"
    omask="255.255.255.0"
    oip="192.168.4.17"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.3.0"
    imask="255.255.255.0"
    iip="192.168.3.17"

    # Stop spoofing
    /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
    /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

Alex
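The two anti-spoofing rules in the extract are easy to misread, so here is an added example (not part of the thread or of FreeBSD's rc.firewall) that models ipfw's first-match, "in via" evaluation of those exact rules in Python and runs a few constructed packets through it. Interface and network values are copied from the extract; the kernel's default rule is not modelled, so packets no rule matches are reported as "default".

```python
import ipaddress
from dataclasses import dataclass

# Interface/network values copied from the rc.firewall extract above.
OIF, ONET, OMASK = "ed0", "192.168.4.0", "255.255.255.0"
IIF, INET, IMASK = "ed1", "192.168.3.0", "255.255.255.0"


@dataclass(frozen=True)
class Rule:
    """One 'ipfw add deny all from NET:MASK to any in via IFACE' rule."""
    action: str
    src: ipaddress.IPv4Network
    in_via: str


def parse_net(net: str, mask: str) -> ipaddress.IPv4Network:
    """Turn ipfw's 'net:mask' form into an IPv4Network, e.g. 192.168.3.0/24."""
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=False)


# The two anti-spoofing rules from the extract, in ipfw evaluation order.
RULES = [
    Rule("deny", parse_net(INET, IMASK), OIF),  # inside addresses arriving on the outside interface
    Rule("deny", parse_net(ONET, OMASK), IIF),  # outside addresses arriving on the inside interface
]


def evaluate(src_ip: str, in_iface: str, rules=RULES) -> str:
    """First-match check of an inbound packet (ipfw's 'in via' direction).
    Returns the matching rule's action, or 'default' when the kernel's
    default rule would decide (not modelled here)."""
    src = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        if src in rule.src and in_iface == rule.in_via:
            return rule.action
    return "default"


# Constructed sample packets: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("192.168.3.5", "ed0"),  # inside address coming from the outside: spoofed
    ("192.168.3.5", "ed1"),  # inside address on the inside interface: legitimate
    ("192.168.4.9", "ed1"),  # outside address coming from the inside: spoofed
    ("10.0.0.1", "ed0"),     # unrelated outside address: left to the default rule
]

if __name__ == "__main__":
    for src_ip, iface in SAMPLE_PACKETS:
        print(f"{src_ip:>14} in via {iface}: {evaluate(src_ip, iface)}")
```

Note that both rules only match packets as they arrive on an interface; a packet from the inside whose source is in neither network is not caught by them and falls through to whatever follows in the rule set.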



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?32D1AB23.167EB0E7>