From owner-freebsd-security Mon Jan 6 17:49:29 1997
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id RAA20174 for security-outgoing; Mon, 6 Jan 1997 17:49:29 -0800 (PST)
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id RAA20168 for ; Mon, 6 Jan 1997 17:49:23 -0800 (PST)
Received: from zen.nash.org (localhost [127.0.0.1]) by zen.nash.org (8.8.4/8.6.12) with SMTP id TAA04045; Mon, 6 Jan 1997 19:47:15 -0600 (CST)
Message-ID: <32D1AB23.167EB0E7@mcs.com>
Date: Mon, 06 Jan 1997 19:47:15 -0600
From: Alex Nash
X-Mailer: Mozilla 3.01Gold (X11; I; FreeBSD 2.2-RELEASE i386)
MIME-Version: 1.0
To: Brandon Gillespie
CC: security@freebsd.org
Subject: Re: FreeBSD as a cleanwall
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

[hackers removed]

Brandon Gillespie wrote:
>
> Does anybody have a configuration for packet filtering through a FreeBSD
> router to run a cleanwall? Basically to keep all addresses of a specific
> IP set (say a class C) on the right sides. I.e. only let addresses of
> that set leave the network and don't allow any addresses of that set onto
> the network? I'm mulling through the docs now, but figured to look here
> for any possible pointers, as this seems like it would be a common enough
> operation.

If I understand you correctly, I think what you want is this extract from
/etc/rc.firewall:

############
# This is a prototype setup for a simple firewall.  Configure this machine
# as a named server and ntp server, and point all the machines on the inside
# at this machine for those services.
############

# set these to your outside interface network and netmask and ip
oif="ed0"
onet="192.168.4.0"
omask="255.255.255.0"
oip="192.168.4.17"

# set these to your inside interface network and netmask and ip
iif="ed1"
inet="192.168.3.0"
imask="255.255.255.0"
iip="192.168.3.17"

# Stop spoofing
/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

Alex
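The two rc.firewall rules above cover one half of the "cleanwall" that was asked for: an inside address arriving on the outside interface is dropped. They do not by themselves stop a packet with a foreign source address from leaving through the outside interface. The script below, added here as an example and not part of Alex's mail or of FreeBSD's rc.firewall, builds the complete rule set for one inside network: the two ingress rules from the extract, two loopback-source rules, and egress rules that let only the inside network (and the router's own outside address) out. The interface names and addresses are the ones from the extract; the rule numbers, the loopback rules, the egress rules, and the helper functions are my additions, and the egress rules assume the router forwards inside hosts' packets unchanged (no address translation). Running the script without arguments prints the rules for review; `apply` feeds them to /sbin/ipfw.

```shell
#!/bin/sh
# Added example: a full anti-spoofing ("cleanwall") ipfw rule set for one
# inside network. Not from the original mail or from FreeBSD's rc.firewall;
# rule numbers 100-220, the loopback rules and the egress rules are mine.

# Outside interface, its network/netmask and the router's outside address
# (values taken from the rc.firewall extract).
oif="ed0"; onet="192.168.4.0"; omask="255.255.255.0"; oip="192.168.4.17"
# Inside interface and its network/netmask.
iif="ed1"; inet="192.168.3.0"; imask="255.255.255.0"

# Print the rules, one per line, in the form "ipfw add" expects.
cleanwall_rules() {
    # Ingress: an inside source address arriving on the outside interface
    # is a spoof of a trusted host; drop it before any allow rule sees it.
    echo "100 deny all from ${inet}:${imask} to any in via ${oif}"
    # Ingress: an outside source address arriving on the inside interface.
    echo "110 deny all from ${onet}:${omask} to any in via ${iif}"
    # Loopback source addresses never belong on either wire.
    echo "120 deny all from 127.0.0.0:255.0.0.0 to any in via ${oif}"
    echo "130 deny all from 127.0.0.0:255.0.0.0 to any in via ${iif}"
    # Egress: only inside addresses and the router's own outside address
    # may leave via the outside interface; anything else is a leak or a
    # spoof that originated on the inside.
    echo "200 allow all from ${inet}:${imask} to any out via ${oif}"
    echo "210 allow all from ${oip} to any out via ${oif}"
    echo "220 deny all from any to any out via ${oif}"
}

# Number of deny rules in the generated set (sanity check before applying).
count_denies() {
    cleanwall_rules | grep -c ' deny '
}

# Number of rules in the generated set.
count_rules() {
    cleanwall_rules | grep -c .
}

# Feed the rules to ipfw; must run as root on the FreeBSD router.
apply_rules() {
    cleanwall_rules | while read -r rule; do
        # shellcheck disable=SC2086  -- word splitting into arguments is intended
        /sbin/ipfw add $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    cleanwall_rules
fi
```

Rule order matters: ipfw evaluates rules by number, so the deny rules sit below any service-specific allow rules you add later, and the egress allow rules (200, 210) must come before the catch-all deny (220). Note that rule 220 also drops the router's own packets if they are sent with an address other than ${oip}, which is the intended behaviour for a router that only speaks on its configured interfaces.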