From owner-freebsd-questions@FreeBSD.ORG Mon Nov 29 15:15:10 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A46616A4CF for ; Mon, 29 Nov 2004 15:15:10 +0000 (GMT) Received: from aiolos.otenet.gr (aiolos.otenet.gr [195.170.0.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5906E43D2D for ; Mon, 29 Nov 2004 15:15:08 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr) Received: from orion.daedalusnetworks.priv (aris.bedc.ondsl.gr [62.103.39.226])iATFE3b6022487; Mon, 29 Nov 2004 17:14:04 +0200 Received: from orion.daedalusnetworks.priv (orion [127.0.0.1]) iATFDxfq005419; Mon, 29 Nov 2004 17:13:59 +0200 (EET) (envelope-from keramida@ceid.upatras.gr) Received: (from keramida@localhost)iATFDil5005410; Mon, 29 Nov 2004 17:13:44 +0200 (EET) (envelope-from keramida@ceid.upatras.gr) Date: Mon, 29 Nov 2004 17:13:44 +0200 From: Giorgos Keramidas To: Jonathon McKitrick Message-ID: <20041129151344.GA5368@orion.daedalusnetworks.priv> References: <20041127215612.GA86416@dogma.freebsd-uk.eu.org> <20041128013135.GD662@gothmog.gr> <20041128044847.GA1435@dogma.freebsd-uk.eu.org> <20041128122741.GB43088@gothmog.gr> <20041129113020.GA72673@ei.bzerk.org> <20041129132114.GA66047@dogma.freebsd-uk.eu.org> <20041129140930.GA73929@ei.bzerk.org> <20041129144458.GA69798@dogma.freebsd-uk.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20041129144458.GA69798@dogma.freebsd-uk.eu.org> cc: freebsd-questions@freebsd.org Subject: Re: Is this a hole in my firewall? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Nov 2004 15:15:10 -0000 On 2004-11-29 14:44, Jonathon McKitrick wrote: > On Mon, Nov 29, 2004 at 03:09:30PM +0100, Ruben de Groot wrote: > : Your laptop won't be "exposed" by this. You could however finetune your > : ruleset a little bit by modifying rule 300 to something like: > : > : allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0 > : > : where INTERNAL_NET would be e.g. 192.168.0.0/24 > > Should I also run a firewall on the laptop then, since all traffic to the > laptop is allowed to pass? Probably, irrelevant to the original question, but... In general, it's not a bad idea. You won't have to "remember" to turn on firewalling when the laptop is connected to a different network; one that shouldn't really be trusted so much.