From owner-freebsd-questions Sun Sep 2 18:49:05 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from web12003.mail.yahoo.com (web12003.mail.yahoo.com [216.136.172.211]) by hub.freebsd.org (Postfix) with SMTP id 079C637B401 for ; Sun, 2 Sep 2001 18:49:01 -0700 (PDT)
Message-ID: <20010903014900.6124.qmail@web12003.mail.yahoo.com>
Received: from [144.137.148.249] by web12003.mail.yahoo.com via HTTP; Mon, 03 Sep 2001 11:49:00 EST
Date: Mon, 3 Sep 2001 11:49:00 +1000 (EST)
From: Keith Spencer
Subject: Re: ipfilter firewall...how to?
To: Fernando Gleiser, Keith Spencer
Cc: fbsd
In-Reply-To: <20010902205845.Q506-100000@cactus.fi.uba.ar>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi Fernando et al,

Thanks for that. I presume therefore that for a tun0 iface and a static ip, it would be, instead of 0/32:

pass out quick on proto udp from 203.56.200.253 port = 68 to any port = 67
pass in quick on proto udp from any port = 68 to any port = 67

Would this be correct??

What about samba connections to the machine from outside?? Is this just too risky? Any way to allow it safely?

Thanks for that!!!

--- Fernando Gleiser wrote:
> On Mon, 3 Sep 2001, Keith Spencer wrote:
>
> > Hi all,
> > I have followed a tute on building a solid firewall. (Schlacter's) It was a great tute but too specific to a machine. dhcp etc. How can i get some quick and dirty info on how to hack the conf files (rules) to get the darn thing to work when I don't know the DHCP server ip and/or using a static ip as well as other stuff
>
> What do you need? Allow DHCP through the firewall? Configure the public interface of the firewall using DHCP?
>
> For the latter you need to add the following rules to your ipfilter conf file:
>
> pass out quick on proto udp from 0/32 port = 68 to any port = 67
> pass in quick on proto udp from any port = 68 to any port = 67
>
> To use a dynamic IP, use 0/32 which means "whatever IP the interface has"
> For example, the following rule allows outgoing ssh:
>
> pass out quick on tun0 proto tcp from 0/32 to any port = 22 flags S keep state
>
>
> Fer
>
> > Thanks Keith

http://travel.yahoo.com.au - Yahoo! Travel - Got Itchy feet? Get inspired!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
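A worked ruleset for the situation discussed in this thread, added here as an editor's example (it is not Keith's or Fernando's own configuration): a small sh helper that prints an ipfilter ruleset for one external interface, using 0/32 plus the DHCP client rules when the address is dynamic, and the literal static address with no DHCP rules at all when it is static (a host with a fixed address never talks to a DHCP server, so it needs no port 67/68 rules). The interface name tun0, the address 203.56.200.253, the list of outbound services and the ipf_ruleset function name are assumptions for illustration. Two points of the example are deliberate: the inbound DHCP rule matches replies from the server's port 67 to the client's port 68, which is the direction a DHCP client receives, and SMB/CIFS (TCP/UDP 137-139 and 445) is explicitly blocked and logged on the external interface, which is the safe default for the Samba question; a packet filter cannot make those ports safe to expose, so file sharing from outside belongs inside a VPN or an ssh tunnel rather than in a pass rule.

```shell
#!/bin/sh
# Added example, not from the thread: print an ipfilter ruleset for one
# external interface.  Usage: ipf_ruleset IFACE ADDR, where ADDR is the
# word "dynamic" (use 0/32 and add DHCP client rules) or a static IPv4
# address.  Names, addresses and services are assumptions for illustration.
ipf_ruleset() {
    iface="$1"
    addr="$2"
    if [ "$addr" = "dynamic" ]; then
        src="0/32"      # the thread's convention for "the address the interface has"
    else
        src="$addr"     # a fixed address is written literally
    fi
    # Default deny in both directions, logged.  ipf is last-match unless a
    # rule says "quick", so the quick pass rules below win on first match.
    printf '%s\n' "block in log all"
    printf '%s\n' "block out log all"
    printf '%s\n' "pass in quick on lo0 all"
    printf '%s\n' "pass out quick on lo0 all"
    # Anti-spoofing: loopback and private source addresses have no business
    # arriving on the external interface.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf '%s\n' "block in quick on $iface from $net to any"
    done
    # SMB/CIFS is never accepted from outside: NetBIOS 137-139 (the ><
    # range is exclusive of its endpoints) and CIFS 445, logged when hit.
    printf '%s\n' "block in log quick on $iface proto tcp/udp from any to any port 136 >< 140"
    printf '%s\n' "block in log quick on $iface proto tcp/udp from any to any port = 445"
    if [ "$addr" = "dynamic" ]; then
        # DHCP client: the request leaves from port 68 (source 0/32 while no
        # lease is held yet), the server answers from port 67 back to 68.
        printf '%s\n' "pass out quick on $iface proto udp from 0/32 port = 68 to any port = 67"
        printf '%s\n' "pass in quick on $iface proto udp from any port = 67 to any port = 68"
    fi
    # Stateful outbound services (ssh, smtp, http, https, dns, icmp).  The
    # state table admits the replies, so no matching "pass in" is needed.
    for port in 22 25 80 443; do
        printf '%s\n' "pass out quick on $iface proto tcp from $src to any port = $port flags S keep state"
    done
    printf '%s\n' "pass out quick on $iface proto udp from $src to any port = 53 keep state"
    printf '%s\n' "pass out quick on $iface proto icmp from $src to any keep state"
}

# Typical use on the firewall (assumed paths):
#   ipf_ruleset tun0 dynamic > /etc/ipf.rules && ipf -Fa -f /etc/ipf.rules
if [ $# -eq 2 ]; then
    ipf_ruleset "$1" "$2"
fi
```

Run it once with "dynamic" and once with the static address and diff the two outputs: the only differences are the 0/32 source in the stateful rules and the presence of the two DHCP lines, which is exactly the change the question above is about.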