From: John Newlin
Message-Id: <200206151938.MAA26712@shell.tsoft.com>
Subject: natd, ipfw, ipsec, udp and ftp questions
To: freebsd-questions@freebsd.org
Date: Sat, 15 Jun 2002 12:38:28 -0700 (PDT)

Hi,

I have a setup like so:

                 -----------
Internet <---> | natd/ipfw | <----> Internal private net 192.168.0.0
                 -----------

I'm using a slightly modified Simple ipfw ruleset that comes with the 4.5 Release.

Questions:

ftp does not work from the internal net, except in passive mode. What is the magik required to make ftp work?

UDP question: I play games that open up UDP connections. I want to open up the minimum number of UDP sockets. Is the proper thing to do to allow incoming UDP on the port range specified in:

    net.inet.ip.portrange.first: 1024
    net.inet.ip.portrange.last: 5000

for udp, something like:

    ipfw add allow udp from any 1024-5000 to any via ${oif}

and any internal above 1024 to outside should be safe:

    ipfw add allow udp from any to any 1024-65535 via ${iif}

That look ok? Or are there some stupid UDP services that broadcast above 1024 that I should be wary of?

IPSec question: I have an IPSec client on my internal Windows machine that I use to connect to my office. I added the following ruleset:

    ipfw add allow esp from any to any
    ipfw add allow gre from any to any
    ipfw add allow ah from any to any

Is this safe, or is there a way to tighten that up?

Thanks for your input,

-John
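An added example, not part of John's post or of FreeBSD's own code: a small Python checker that parses ipfw rules of the shape quoted above and classifies how much each "allow" rule exposes, so the "is this safe" question can be answered mechanically for a whole ruleset. The rule text and the 203.0.113.10 address used below are constructed sample input, and the `${oif}`/`${iif}` variables are taken from the post as written.

```python
import re

# Minimal parser for the ipfw(8) rule shape used in the post:
#   ipfw add allow <proto> from <src> [ports] to <dst> [ports] [via <iface>]
RULE_RE = re.compile(
    r"^ipfw\s+add\s+(?P<action>allow|deny)\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+(?P<sports>[\d,-]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dports>[\d,-]+))?"
    r"(?:\s+via\s+(?P<iface>\S+))?\s*$"
)

def parse_rule(line):
    """Return the rule's fields as a dict, or None if the line is not a rule."""
    m = RULE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_rule(rule):
    """Classify an 'allow' rule by how much it exposes.

    'open'      : any source, any destination, no port limit (the esp/ah/gre rules)
    'stateless' : any source and destination, but limited to a port range
    'scoped'    : at least one endpoint names a specific host or network
    """
    if rule["action"] != "allow":
        return "deny"
    if rule["src"] != "any" or rule["dst"] != "any":
        return "scoped"
    if rule["sports"] or rule["dports"]:
        return "stateless"
    return "open"

# Constructed sample input: the rules from the post, one per line.
POSTED_RULES = """
ipfw add allow udp from any 1024-5000 to any via ${oif}
ipfw add allow udp from any to any 1024-65535 via ${iif}
ipfw add allow esp from any to any
ipfw add allow gre from any to any
ipfw add allow ah from any to any
"""

def audit(text):
    """Return {rule_line: classification} for every parseable rule in text."""
    results = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            results[line.strip()] = audit_rule(rule)
    return results

if __name__ == "__main__":
    for line, verdict in audit(POSTED_RULES).items():
        print(f"{verdict:9s} {line}")
```

A rule moves from "open" to "scoped" once the esp/ah/gre lines name the office VPN gateway's address instead of `any`; for the game traffic, ipfw's `keep-state` on the outbound UDP rule plus a `check-state` rule lets replies back in without a stateless inbound allow on 1024-5000.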