From: "Thor Legvold"
To: cjc@FreeBSD.ORG
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall rules (ipfw)
Date: Sun, 02 Dec 2001 13:43:34

Crist wrote:
>These DHCP rules are a bit messed up. ITYM something more like,

Duly noted. Thanks. BTW, what's ITYM mean?

> > # Allow GRE & PPTP control connection
> > ${fwcmd} add allow tcp from any to any 1723 in recv cable0 setup
> > ${fwcmd} add allow gre from any to any via cable0
>
>Nothing here allows you to talk back on that TCP connection.

Meaning I should allow TCP on 1723 both ways? Are both machines using 1723, or only the PPTP server (client in that case on >1023?)

> > # Stop all other traffic via cable0 - only GRE/PPTP/DHCP allowed
> > ${fwcmd} add deny log all from any to any via cable0
>
>Nothing else at all is going to go in or out? OK.

Well, my intention was to allow GRE only incoming to nat (as only GRE packets are intended for my machine over the cable0/pptp link - all else is garbage, or dhcp), and anything outgoing (via nat). That would reduce 80% of the traffic on the cable0 iface reaching nat and my LAN. Seems that's not really feasible though.

> > # NAT
> > ${fwcmd} add divert natd log all from any to any via tun0
>
>OK.

Not ok. Nothing reaches nat (tried it today). I also tried allowing only GRE to nat (instead of all), that didn't work either (I think because while incoming packets are gre, outgoing ones aren't...) Guess I'll go back to diverting all and concentrate on getting the rules right when the packets appear on the tun0 iface coming in.

>--
>Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
>http://people.freebsd.org/~cjc/ | cjc@freebsd.org

Regards,
Thor
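The rule set below is an added example, not from either poster, showing the point Crist raised: the PPTP control connection on TCP 1723 needs a rule for each direction, and the client side uses an ephemeral port, so only the reply rule pins port 1723. It assumes this host is the PPTP client (the server on the far side listens on 1723), cable0 is the physical interface and tun0 the tunnel; FWCMD defaults to a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: ipfw rules for a PPTP client behind cable0 with natd on tun0.
# Assumption: this host initiates the PPTP session; the ISP's server owns port 1723.
# Set FWCMD=ipfw on a real box; the default only prints what would be loaded.

: "${FWCMD:=echo ipfw}"
OIF=cable0   # physical interface carrying GRE/PPTP and DHCP
TUN=tun0     # PPTP tunnel where the decapsulated IP traffic appears

pptp_rules() {
    # Control connection: we open it, so anything *to* port 1723 may leave.
    # Replies come back *from* port 1723 to our ephemeral (>1023) port; the
    # 'established' keyword refuses a fresh inbound SYN on that path.
    ${FWCMD} add allow tcp from any to any 1723 out xmit ${OIF}
    ${FWCMD} add allow tcp from any 1723 to any in recv ${OIF} established
    # GRE (IP protocol 47) carries the tunnelled PPP frames both ways.
    ${FWCMD} add allow gre from any to any via ${OIF}
    # DHCP for the cable interface: bootpc (68) <-> bootps (67).
    ${FWCMD} add allow udp from any 68 to any 67 out xmit ${OIF}
    ${FWCMD} add allow udp from any 67 to any 68 in recv ${OIF}
    # Everything else on the raw cable interface is dropped and logged.
    ${FWCMD} add deny log all from any to any via ${OIF}
    # NAT is applied on the tunnel, not on cable0, because only the
    # decapsulated packets on tun0 carry the LAN addresses natd rewrites.
    ${FWCMD} add divert natd log all from any to any via ${TUN}
}

# Dry-run helper: number of generated rules that mention a given token.
count_rules_matching() {
    pptp_rules | grep -c "$1"
}

pptp_rules
```

Run it as-is to review the generated rule order; only the two 1723 rules and the GRE rule admit traffic on cable0, every other inbound packet hits the logged deny.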