Message-Id: <199807060849.UAA17014@cyclops.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: freebsd-questions@FreeBSD.ORG
Date: Mon, 6 Jul 1998 20:49:13 +1200
Subject: Re: using IPFW as a firewall
Reply-to: junkmale@xtra.co.nz
CC: Julian Elischer
References: <199807060226.OAA25536@cyclops.xtra.co.nz>

On 5 Jul 98, at 21:42, Julian Elischer wrote:

> see /etc/rc.firewall.
>
>
> On Mon, 6 Jul 1998, Dan Langille wrote:
>
> > I've started playing around with IPFW in order to boost up the
> > protection around my home network. I've seen some recommendations as to
> > what to filter out, but I haven't seen many explicit examples of what
> > rules will make up a nice simple firewall.

Well, I'm finally getting somewhere. I've chosen the simple firewall. But
three rules within /etc/rc.firewall must be commented out in order for some
stuff to work. Can anyone educate me as to why these rules prevent ping,
news, mail, etc. from running on machines on my home network? Those sections
of rc.firewall appear below.

---
# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}

# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established

# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup
---

I'm also running natd. Where's the best place to put the rules pertaining
to natd? e.g.

add divert natd all from any to any via ed0

I can't put them in rc.firewall as natd doesn't seem to be active at that
time.

--
Dan Langille
DVL Software Limited
http://www.dvl-software.com : for race timing solutions