Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 29 Nov 2004 15:09:30 +0100
From:      Ruben de Groot <mail25@bzerk.org>
To:        Jonathon McKitrick <jcm@FreeBSD-uk.eu.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Is this a hole in my firewall?
Message-ID:  <20041129140930.GA73929@ei.bzerk.org>
In-Reply-To: <20041129132114.GA66047@dogma.freebsd-uk.eu.org>
References:  <20041127215612.GA86416@dogma.freebsd-uk.eu.org> <20041128013135.GD662@gothmog.gr> <20041128044847.GA1435@dogma.freebsd-uk.eu.org> <20041128122741.GB43088@gothmog.gr> <20041129113020.GA72673@ei.bzerk.org> <20041129132114.GA66047@dogma.freebsd-uk.eu.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Nov 29, 2004 at 01:21:14PM +0000, Jonathon McKitrick typed:
> On Mon, Nov 29, 2004 at 12:30:20PM +0100, Ruben de Groot wrote:
> : He's using ppp-nat. So packets from his laptop will first hit rule #300 and
> : only after that get "nat'ed". I believe this is normal behaviour.
> 
> Ah, yes.  I always forget about ppp-nat.
> 
> So, then, is this the best way to allow my laptop packets out?  Or does it
> still leave the laptop exposed?  I'd like to protect all the machines with
> one firewall, while keeping it simple, if possible.

Your laptop won't be "exposed" by this. You could however finetune your
ruleset a little bit by modifying rule 300 to something like:

allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0

where INTERNAL_NET would be e.g. 192.168.0.0/24

Ruben



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041129140930.GA73929>