Date: Mon, 04 Jun 2001 08:11:03 -0400
From: Bill Moran <wmoran@iowna.com>
To: tinnakorn kunasit <tinnakorn2000@hotmail.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfirewall
Message-ID: <3B1B7AD7.A3336A54@iowna.com>
References: <F99eKljq65Rn8P5o7P60000d21f@hotmail.com>
tinnakorn kunasit wrote:
> 1. add options for ipfirewall and recompile kernel
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT

Did you rebuild and install the kernel after this?

> 4. edit file /etc/rc.firewall
> /sbin/ipfw -f flush
> /sbin/ipfw -q add 100 pass all from any to any via lo0
> /sbin/ipfw -q add 200 pass all from any to 127.0.0.0/8
> /sbin/ipfw -q add 300 pass all from any to any
>
> /sbin/sysctl -n -w net.inet.ip.forwarding=1
> /sbin/natd -l -d auth -m -u -n rl1 -dynamic
> /sbin/ipfw add divert natd all from any to any out
> /sbin/ipfw add divert natd all from any to any in

Hmm ...
A minimal ruleset would be:

add 100 divert natd ip from any to any via rl0
add 200 allow ip from any to any lo0
add 300 deny ip from any to 127.0.0.0/8
add 400 allow ip from any to any

Considering that you don't seem to be using it to protect anything, the
default rc.firewall would work fine in "OPEN" mode.
Read the natd/firewall section in the man page for rc.conf for details.

-Bill
--
If a bird in the hand is worth two in the bush, then what can I get for
two hands in the bush?
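As an added illustration (not code from this thread or from FreeBSD), the Python below models ipfw's first-match evaluation for the small rule subset used above, so the effect of rule order can be checked offline: in the posted file the unconditional rule 300 decides an outbound packet before the unnumbered divert rules are ever reached, while with the divert rule at 100 the same packet is handed to natd. Assumed here: ipfw's default autoincrement step of 100 for an unnumbered `add`, the poster's external interface rl1, `via` written before lo0, and constructed sample addresses.

```python
import ipaddress

def _net(tok):  # 'any' is the whole address space
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def parse_ruleset(text):
    """Parse the ipfw(8) subset used in the thread into sorted
    (number, action, src, dst, direction, iface) tuples."""
    rules, last = [], 0
    for line in text.strip().splitlines():
        t = [x for x in line.split() if x not in ("/sbin/ipfw", "ipfw", "-q")]
        if not t or t.pop(0) != "add":
            continue                  # flush, sysctl and natd lines are not rules
        # Assumption: an unnumbered 'add' lands 100 above the highest rule so far
        # (ipfw's default autoincrement step), i.e. after everything already added.
        number = int(t.pop(0)) if t[0].isdigit() else last + 100
        last = max(last, number)
        action = t.pop(0)
        if action == "divert":
            action += " " + t.pop(0)  # divert port name, e.g. natd
        direction = iface = None      # t is now: proto from SRC to DST [in|out] [via IF]
        it = iter(t[5:])
        for tok in it:
            if tok in ("in", "out"):
                direction = tok
            elif tok in ("via", "xmit", "recv"):
                iface = next(it)
        rules.append((number, action, _net(t[2]), _net(t[4]), direction, iface))
    return sorted(rules, key=lambda r: r[0])

def first_match(rules, src, dst, direction, iface):
    """ipfw checks rules in ascending number; the first match decides the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r[2] and d in r[3] and r[4] in (None, direction) and r[5] in (None, iface):
            return r

# Constructed from the thread: the poster's rules as posted, and the reply's minimal
# ordering rewritten for the poster's rl1 with 'via' before lo0 (both assumptions).
POSTED = """
/sbin/ipfw -q add 100 pass all from any to any via lo0
/sbin/ipfw -q add 200 pass all from any to 127.0.0.0/8
/sbin/ipfw -q add 300 pass all from any to any
/sbin/ipfw add divert natd all from any to any out
/sbin/ipfw add divert natd all from any to any in
"""
MINIMAL = """
add 100 divert natd ip from any to any via rl1
add 200 allow ip from any to any via lo0
add 300 deny ip from any to 127.0.0.0/8
add 400 allow ip from any to any
"""
```

Calling `first_match(parse_ruleset(POSTED), "192.168.1.10", "198.51.100.7", "out", "rl1")` returns rule 300, whereas the same packet against `MINIMAL` returns the divert rule 100.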