From owner-freebsd-questions Fri Jun 30 06:15:05 1995
Return-Path: questions-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id GAA01813 for questions-outgoing; Fri, 30 Jun 1995 06:15:05 -0700
Received: from tserv.lodgenet.com (root@dial10.iw.net [204.157.148.59]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id GAA01789 for ; Fri, 30 Jun 1995 06:13:41 -0700
Received: from jake.lodgenet.com (jake.lodgenet.com [204.124.120.30]) by tserv.lodgenet.com (8.6.12/8.6.12) with ESMTP id IAA16052; Fri, 30 Jun 1995 08:14:19 -0500
Received: from localhost (localhost [127.0.0.1]) by jake.lodgenet.com (8.6.11/8.6.9) with SMTP id IAA19580; Fri, 30 Jun 1995 08:14:13 -0500
Message-Id: <199506301314.IAA19580@jake.lodgenet.com>
X-Authentication-Warning: jake.lodgenet.com: Host localhost didn't use HELO protocol
X-Mailer: exmh version 1.6 4/21/95
To: M C Wong
cc: freebsd-questions@freefall.cdrom.com (freebsd-questions@freefall.cdrom.com)
Subject: Re: ipfw and socks again
In-reply-to: Your message of "Fri, 30 Jun 1995 13:08:32 EST." <199506300308.AA168761720@relay.hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 30 Jun 1995 08:14:12 -0500
From: "Eric L. Hernes"
Sender: questions-owner@FreeBSD.org
Precedence: bulk

> Hi,
> I was under the impression that if I am to use sockd on FreeBSD as
> a firewall machine, I should have all other machines behind it
> have IP_FORWARDING off, except the firewall machine itself should
> have IP_FORWARDING on, is this correct? Is this also correct with the
> kernel ipfw?
>

I don't think that you even need ipfw turned on on the firewall machine.
The sockd stuff handles the forwarding. We have a connection to a
provider who doesn't know how to route, so we use a ppp connection with
a sockd host. The sockd host's ppp interface is on the provider's net,
of course. If we use the kernel level ip forwarding, traffic off of our
local net gets to our provider, who can't route back to us.

The sockd makes connections to the internet on behalf of the local
machines, so the provider's net doesn't need to know the routes back.
All in all it's more of a firewall based in ignorance on our provider's
part.

> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> M.C Wong                                   Email: mcw@hpato.aus.hp.com
> Australian Telecom Operation               Voice: +61 3 272 8058
> Hewlett-Packard Australia Ltd              Fax:   +61 3 898 9257
> 31 Joseph St, Blackburn 3130, Australia    OS:    FreeBSD-1.1.5.1
> http://hpautow.aus.hp.com:9999/~mcw/mcw.html (or http://hpautorf/~mcw)
>

eric.

--
erich@lodgenet.com
erich@rrnet.com
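The routing argument in Eric's reply (a provider with no route back to the internal net loses the replies to kernel-forwarded packets, while connections that sockd opens from the gateway's own ppp address do get their replies back) is easy to check with a small model. The following is an added example, not code from the mail or from any sockd or FreeBSD source; the addresses and the one-network-only provider are constructed, and the `gateway_accepts` function is an illustrative model of what an inbound packet meets when IP forwarding is left off on the gateway, which is the property that makes the sockd host a real choke point rather than only a workaround for the provider's missing route.

```python
"""Model of the two gateway designs discussed above: kernel IP forwarding
versus a sockd relay. Added example; the topology below is constructed."""
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges), not the site's own.
LOCAL_NET = ip_network("192.0.2.0/24")        # hosts behind the FreeBSD gateway
PROVIDER_NET = ip_network("198.51.100.0/24")  # provider's net; the ppp link lives here
GATEWAY_PPP = ip_address("198.51.100.7")      # gateway's ppp interface
CLIENT = ip_address("192.0.2.20")             # an internal host
SERVER = ip_address("203.0.113.5")            # a server out on the internet

# Networks the provider can route toward the site. As in the mail, the
# provider knows its own net only; nobody holds a route back to LOCAL_NET.
ANNOUNCED = (PROVIDER_NET,)


def reply_reaches_site(dst, announced=ANNOUNCED):
    """A packet from the internet reaches the site only if its destination
    lies in a network the provider knows how to route toward us."""
    return any(dst in net for net in announced)


def kernel_forwarding(client=CLIENT, announced=ANNOUNCED):
    """Gateway with IP forwarding on and no proxy: the client's packet is
    forwarded unchanged, so the source seen upstream is the client's own
    address. Returns (source seen upstream, reply delivered to client)."""
    src = client
    return src, reply_reaches_site(src, announced)


def socks_relay(client=CLIENT, gateway_ppp=GATEWAY_PPP, announced=ANNOUNCED):
    """sockd on the gateway: the client talks to sockd, sockd opens its own
    connection from the gateway's ppp address and copies bytes both ways.
    The reply is addressed to the gateway, which hands it to the client over
    the inside interface; the provider never needs a route to LOCAL_NET."""
    src = gateway_ppp
    back_to_gateway = reply_reaches_site(src, announced)
    gateway_reaches_client = client in LOCAL_NET   # directly attached net
    return src, back_to_gateway and gateway_reaches_client


def gateway_accepts(dst, forwarding_on, gateway_addrs=(GATEWAY_PPP,)):
    """Illustrative model of a packet arriving on the ppp link. Traffic for
    the gateway itself (where sockd listens) is always delivered locally;
    traffic for any other host transits only if IP forwarding is enabled."""
    if dst in gateway_addrs:
        return "deliver locally"
    return "forward" if forwarding_on else "drop"


def compare():
    """Summarise both designs: whether replies come back and whether an
    internal address is ever seen on the provider's net."""
    out = {}
    for name, fn in (("kernel forwarding", kernel_forwarding),
                     ("sockd", socks_relay)):
        src, ok = fn()
        out[name] = {"source seen upstream": str(src),
                     "reply delivered": ok,
                     "internal address exposed": src in LOCAL_NET}
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
    print("inbound packet for an internal host, forwarding off:",
          gateway_accepts(CLIENT, forwarding_on=False))
```

Passing a second tuple as `announced` (for example one that also contains `LOCAL_NET`) shows the kernel-forwarding case start working as soon as the provider learns the route, which is exactly why the mail calls the arrangement a firewall based on the provider's ignorance: only the forwarding-off behaviour in `gateway_accepts` holds regardless of what the provider knows.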