From owner-freebsd-questions Thu Nov 29 6:46:35 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from bunning.skiltech.com (bunning.skiltech.com [216.235.79.240]) by hub.freebsd.org (Postfix) with ESMTP id B1E7C37B43A for ; Thu, 29 Nov 2001 06:46:33 -0800 (PST)
Received: (from minter@localhost) by bunning.skiltech.com (8.11.6/8.11.6) id fATEkVN30393; Thu, 29 Nov 2001 09:46:31 -0500 (EST) (envelope-from minter)
Date: Thu, 29 Nov 2001 09:46:30 -0500 (EST)
From: "H. Wade Minter"
X-X-Sender: minter@bunning.skiltech.com
To: Scott Nolde
Cc: questions@FreeBSD.ORG
Subject: Re: Allowing IPSec through FreeBSD/ipfw gateway
In-Reply-To: <20011129093152.P95091-100000@bsd.smnolde.com>
Message-ID: <20011129094514.Y30301-100000@bunning.skiltech.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, 29 Nov 2001, Scott Nolde wrote:

> Make your rules simpler without degrading the effectiveness of your
> firewall. I run natd on my firewall, but have these rules in place before
> the divert statement:
>
> ipfw allow ip from any to ${VPN}
> ipfw allow ip from ${VPN} to any
>
> where ${VPN} is the other endpoint of the VPN server.
>
> Try that and then get a little tighter once you sniff the traffic more.

Adding that before my divert statement hung the FreeS/WAN connection
earlier than the other rules did. :-/

The connection works if I dial up via mindspring, in case I didn't add that
before.

--Wade

--
Do your part in the fight against injustice.
Free Dmitry Sklyarov! http://www.freesklyarov.org/
Fight the DMCA! http://www.anti-dmca.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
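The "allow before divert" ordering Scott describes, written out as an added example (not code from either poster): it narrows the two "allow ip" rules to what IPsec actually uses and places them ahead of the natd divert rule. The peer address, external interface and rule numbers are placeholders supplied by the caller; the script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example, not from the thread: print an ipfw rule set that passes
# IPsec to and from one VPN peer ahead of the natd divert rule, narrowing
# the "allow ip" pair to the protocols IPsec needs.
# Assumptions (placeholders): peer address, external interface and rule
# numbers come from the caller; nothing here touches a running kernel.

# ipsec_rules PEER [EXT_IF] [BASE]
#   PEER    remote VPN endpoint (what ${VPN} stands for in the thread)
#   EXT_IF  interface natd diverts on (default tun0)
#   BASE    first rule number; the divert rule gets BASE+60 so it sorts last
ipsec_rules() {
    peer="$1"
    ext_if="${2:-tun0}"
    base="${3:-100}"

    # IKE negotiates the security associations over UDP port 500, both ways.
    printf 'ipfw add %d allow udp from any 500 to %s 500\n' "$base" "$peer"
    printf 'ipfw add %d allow udp from %s 500 to any 500\n' $((base + 10)) "$peer"

    # ESP (IP proto 50) and AH (IP proto 51) carry no port numbers, so natd
    # has nothing to rewrite; they must bypass the divert rule entirely.
    printf 'ipfw add %d allow esp from any to %s\n' $((base + 20)) "$peer"
    printf 'ipfw add %d allow esp from %s to any\n' $((base + 30)) "$peer"
    printf 'ipfw add %d allow ah from any to %s\n'  $((base + 40)) "$peer"
    printf 'ipfw add %d allow ah from %s to any\n'  $((base + 50)) "$peer"

    # Everything else still goes through natd; this rule comes after the
    # IPsec allows, which is the ordering the thread describes.
    printf 'ipfw add %d divert natd ip from any to any via %s\n' $((base + 60)) "$ext_if"
}

# Dry run when invoked with arguments, e.g.: sh ipsec-rules.sh 192.0.2.1 tun0 100
# Review the output first; pipe it into sh on the gateway to apply it.
if [ "$#" -ge 1 ]; then
    ipsec_rules "$@"
fi
```

With ipfw's default-deny policy anything not matched here still falls through to the rules after the divert, so the narrowed set only changes what bypasses natd.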