From owner-freebsd-security Sat Sep 25 3:55: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id AFCD214D1D for ; Sat, 25 Sep 1999 03:54:54 -0700 (PDT) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id MAA13953; Sat, 25 Sep 1999 12:51:09 +0200 (CEST)
Message-ID: <19990925125108.A13871@foobar.franken.de>
Date: Sat, 25 Sep 1999 12:51:08 +0200
From: Harold Gutch
To: Brett Glass, Nate Williams
Cc: Monte Westlund, freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
References: <4.2.0.58.19990924111600.04809a90@localhost> <3.0.5.32.19990923152232.007c94c0@memes.com> <4.2.0.58.19990924111600.04809a90@localhost> <199909241733.LAA27644@mt.sri.com> <4.2.0.58.19990924113626.0480db00@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <4.2.0.58.19990924113626.0480db00@localhost>; from Brett Glass on Fri, Sep 24, 1999 at 11:41:55AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 24, 1999 at 11:41:55AM -0600, Brett Glass wrote:
> At 11:33 AM 9/24/99 -0600, Nate Williams wrote:
>
> >Why are you allowing connections from your WWW server to folks? WWW
> >traffic isn't generated *from* your server, but to your server.
>
> Ah, but the same box is also doing NAT for internal machines. If
> connections on port 80 weren't allowed OUT, then people on the
> local "subnet 10" couldn't browse the Web. The person who posted
> the original message of this thread seemed to want NAT to work
> (please correct me if I'm wrong here).
>
But in this case you don't want to allow SYN-Packets coming from the
inside with *source* port 80, but with *destination* port 80.
Instead of

    $fwcmd add pass tcp from ${oip} 80 to any setup

you'd want

    $fwcmd add pass tcp from ${oip} to any 80 setup

Alternatively set up a proxy that your users have to use.

bye,
  Harold

--
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet
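An added illustration of the difference between the two rules, not part of the original thread: a minimal model of ipfw's `setup` matching run over constructed outbound SYN packets, showing that the source-port-80 rule passes any connection an inside host starts from port 80 regardless of destination, while the destination-port-80 rule passes only connections to web servers. The address 192.0.2.1 stands in for `${oip}`; only the fields the two rules test are modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

OIP = "192.0.2.1"  # constructed stand-in for ${oip}, the NAT box's outside address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # ipfw "setup" means SYN set and ACK clear


@dataclass(frozen=True)
class Rule:
    src: str                # address or "any"
    sport: Optional[int]    # None = any source port
    dst: str
    dport: Optional[int]    # None = any destination port
    setup: bool

    def matches(self, p: Packet) -> bool:
        """Model ipfw matching for the fields these two rules use."""
        if self.setup and not p.syn_only:
            return False
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


# "$fwcmd add pass tcp from ${oip} 80 to any setup"  (the rule being criticised)
SRC_PORT_80 = Rule(OIP, 80, "any", None, True)
# "$fwcmd add pass tcp from ${oip} to any 80 setup"  (Harold's correction)
DST_PORT_80 = Rule(OIP, None, "any", 80, True)


def permitted(rule: Rule, packets: List[Packet]) -> List[str]:
    """Return a label for each packet the rule would pass."""
    return [f"{p.src}:{p.sport}->{p.dst}:{p.dport}"
            for p in packets if rule.matches(p)]


# Constructed SYNs leaving the NAT box after the source has been rewritten to ${oip}.
SAMPLE = [
    Packet(OIP, 1025, "203.0.113.10", 80, True),   # ordinary browser request
    Packet(OIP, 1026, "203.0.113.10", 443, True),  # https: neither rule passes it
    Packet(OIP, 80, "203.0.113.20", 25, True),     # source port 80, non-web destination
    Packet(OIP, 80, "203.0.113.20", 80, False),    # not a SYN: "setup" never matches
]

if __name__ == "__main__":
    print("source-port-80 rule passes:", permitted(SRC_PORT_80, SAMPLE))
    print("dest-port-80 rule passes:  ", permitted(DST_PORT_80, SAMPLE))
```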