Date: Fri, 8 Dec 1995 07:04:28 +0000
From: "Jay L. West"
To: freebsd-security@freebsd.org
Subject: ipfw schtuff

I have a multihomed FreeBSD gateway to my internet provider. The FreeBSD machine has an Ethernet card which connects to other local PCs and workstations, and a PPP link to my ISP. I compiled the kernel with options for ipfw as well as "options GATEWAY".

From an Ethernet-attached workstation I can telnet to sites on the internet. However, if I issue "ipfw policy deny" on the FreeBSD machine, those same internal Ethernet-attached workstations can still telnet outside. I thought a policy of deny would prevent this.

Can anyone provide assistance? I suspect options GATEWAY overrides the ipfw stuff, but if so, how do I then allow some outside access? If static routes between enet and ppp are the answer, what should they look like?

THANKS!

Jay West