From owner-freebsd-security Thu Oct 22 09:30:11 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA17277 for freebsd-security-outgoing; Thu, 22 Oct 1998 09:30:11 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cyclops.xtra.co.nz (cyclops.xtra.co.nz [202.27.184.96]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA17243 for ; Thu, 22 Oct 1998 09:30:07 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by cyclops.xtra.co.nz (8.9.1/8.9.1) with SMTP id FAA27065 for ; Fri, 23 Oct 1998 05:29:37 +1300 (NZDT)
Message-Id: <199810221629.FAA27065@cyclops.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: freebsd-security@FreeBSD.ORG
Date: Fri, 23 Oct 1998 05:29:47 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: default rules in rc.firewall cause problem
Reply-to: junkmale@xtra.co.nz
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've been setting up a firewall using the open model supplied in /etc/rc.firewall as the basis of our security. I've found that one of the rules, designed to "# Stop RFC1918 nets on the outside interface", does not seem to be very useful, at least in my situation. The rule in question is:

    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

The subnet is within the 192.168.*.* range. ed1 is the subnet, and ed0 is the ISP. In order for any traffic to get outside, I need to modify the above rule to:

    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

Does this make sense? I suspect the other rules will exhibit the same characteristics with their respective subnets.
--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com
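As an added illustration (not part of Dan's mail or of rc.firewall), a small Python model of ipfw's first-match semantics for the two rule variants above: `via` matches an interface in either direction, while `out` restricts the rule to outgoing packets. It assumes that an inbound reply reaches the rules on ed0 already carrying a 192.168 destination (as happens once natd has rewritten it); the packet addresses and the Packet/Rule names are constructed.

```python
# Added example: model why "deny ... via ${oif}" without a direction also
# catches inbound packets on the outside interface, and why adding "out"
# confines it to the leak it was meant to stop. Packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet is seen on (ed0 = ISP, ed1 = LAN)
    direction: str  # "in" or "out"

@dataclass(frozen=True)
class Rule:
    action: str                      # "deny" or "allow"
    dst_net: str                     # e.g. "192.168.0.0/255.255.0.0"
    via: Optional[str] = None        # interface, matched in either direction
    direction: Optional[str] = None  # None matches both in and out

    def matches(self, pkt: Packet) -> bool:
        net = ipaddress.ip_network(self.dst_net, strict=False)
        if ipaddress.ip_address(pkt.dst) not in net:
            return False
        if self.via is not None and pkt.iface != self.via:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        return True

def verdict(rules, pkt):
    """First matching rule wins, as in ipfw; the open model ends in allow."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "allow"

OIF = "ed0"
RULE_ORIGINAL = Rule("deny", "192.168.0.0/255.255.0.0", via=OIF)
RULE_WITH_OUT = Rule("deny", "192.168.0.0/255.255.0.0", via=OIF, direction="out")

# Constructed packets: a packet for an RFC1918 destination leaking out on ed0,
# and a reply arriving on ed0 whose destination is already the internal host
# (assumption: natd has translated it before this rule is evaluated).
LEAK_OUT = Packet("192.168.1.10", "192.168.50.1", OIF, "out")
REPLY_IN = Packet("203.0.113.5", "192.168.1.10", OIF, "in")

def compare():
    """Return {name: (verdict under original rule, verdict with 'out')}."""
    return {name: (verdict([RULE_ORIGINAL], p), verdict([RULE_WITH_OUT], p))
            for name, p in (("leak_out", LEAK_OUT), ("reply_in", REPLY_IN))}
```

The original rule denies both packets; with `out` it still blocks the leak but lets the inbound reply through, which is the behaviour the mail reports.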