From owner-freebsd-questions Mon Jan 24 18:10:56 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id C193E15982 for ; Mon, 24 Jan 2000 18:10:53 -0800 (PST) (envelope-from mike@sentex.net)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id VAA87460; Mon, 24 Jan 2000 21:10:50 -0500 (EST) (envelope-from mike@sentex.net)
Received: from ospf-mdt.sentex.net (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id VAA23302; Mon, 24 Jan 2000 21:10:49 -0500 (EST)
From: mike@sentex.net (Mike Tancsa)
To: sean@bebits.com ("Sean Heber")
Cc: questions@freebsd.org
Subject: Re: Quick firewall rule question..
Date: Tue, 25 Jan 2000 02:09:39 GMT
Message-ID: <388d03f2.165456873@mail.sentex.net>
References:
In-Reply-To:
X-Mailer: Forte Agent .99e/32.227
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 23 Jan 2000 21:49:14 -0500, in sentex.lists.freebsd.questions you wrote:

>I got the following info from my colocation provider:
>
>Allocation: 216.218.200.112/28
>Gateway: 216.218.200.113
>Netmask 255.255.255.240
>Range: 216.218.200.114 - 216.218.200.126
>
>I know where gateway and netmask go and stuff for the regular networking
>config, but how does this work for my firewall config? I want to be totally
>sure as I don't want to be locked out when the server is a few thousand
>miles away.. :-)

When updating stuff remotely, I usually add a temp rule to make sure I can
get in. For example, if your interface is fxp0, and you are connecting to
your machine from the dialup IP 192.168.1.1, add something like this
temporarily:

    ipfw add 1000 allow ip from 192.168.1.1 to any
    ipfw add 1010 allow ip from any to 192.168.1.1

then add your new rules after that. In your case,

    ipfw add 2000 allow all from 216.218.200.113 to any
    ipfw add 2100 deny log ip from 216.218.200.112/28 in via fxp0

2000 lets stuff in from your gateway, and 2100 stops packets coming at you
with an internal source address. Then try and reach some third party
machine (e.g. lynx http://www.freebsd.org) to make sure other boxes can
still get to you and vice versa. If that's the case, then you can get rid
of rules 1000 and 1010.

---Mike

Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp, Waterloo, Ontario, Canada
"Given enough time, 100 monkeys on 100 routers could setup a national IP network." (KDW2)