Date:      12 Jan 2004 21:51:46 -0500
From:      Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To:        Rishi Chopra <rchopra@cal.berkeley.edu>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: (Yet Another) Home Networking Question
Message-ID:  <44ptdolfwd.fsf@be-well.ilk.org>
In-Reply-To: <40035568.6010306@cal.berkeley.edu>
References:  <200401111053.QAA05193@manage.24online> <40035568.6010306@cal.berkeley.edu>

Rishi Chopra <rchopra@cal.berkeley.edu> writes:

> Perhaps someone can help me with this small part of rc.firewall:
> 
> [Ss][Ii][Mm][Pp][Ll][Ee])
>         ############
>         # This is a prototype setup for a simple firewall.  Configure this
>         # machine as a named server and ntp server, and point all the machines
>         # on the inside at this machine for those services.
>         ############
> 
>         # set these to your outside interface network and netmask and ip
>         oif="ed0"
>         onet="192.0.2.0"
>         omask="255.255.255.0"
>         oip="192.0.2.1"
> 
>         # set these to your inside interface network and netmask and ip
>         iif="ed1"
>         inet="192.0.2.1"
>         imask="255.255.255.0"
>         iip="192.0.2.17"
> 
> I'm curious about the difference between 'inet' and 'iip', what each
> one stands for, and how to configure 'onet/oip' if the outside
> interface network is configured via DHCP.

Look a little more closely at the comment right before those lines.
'iif' is "Inside InterFace," 'inet' is "Inside NETwork," 'imask' is
"Inside netMASK," and 'iip' is "Inside IP address."

If your outside address is assigned by DHCP, you can't set those in the
script.  You can use the "me" keyword (see "man 8 ipfw"), or set up
the firewall in a DHCP hook, or just skip the address (it doesn't
actually give you any extra security if you've got a single address on
a single Ethernet network).

> I'm also curious about this little snippet (under the 'simple' profile):
> 
>         # Everything else is denied by default, unless the
>         # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>         # config file.
> 
> What happens if this option is set in my kernel config file?  Can I
> safely comment out this line and use the 'simple' profile without
> affecting natd?

It doesn't affect natd either way.  Defaulting to deny is definitely
the way to configure a firewall for security purposes -- don't accept
anything you haven't explicitly configured yourself to let in.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area: 
		resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
		username/password "public"
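The two points in the reply above, the "me" keyword standing in for a DHCP-assigned outside address and an explicit final deny that does not depend on the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option, as one added example in the style of rc.firewall. This is not the rc.firewall excerpt quoted in the thread, and the interface names, the inside network and the rule numbers are assumed values. The `fwcmd` variable follows the rc.firewall convention; here it defaults to a dry run that only echoes the commands, and is set to /sbin/ipfw to apply them.

```shell
#!/bin/sh
# Added example, not the rc.firewall excerpt quoted in the thread: a small
# "simple"-style ipfw rule set for a host whose outside interface is
# configured by DHCP.  It makes two points from the reply concrete:
#   * the "me" keyword (ipfw(8)) matches whatever addresses this host
#     currently holds, so no outside address has to be hard-coded; and
#   * the set ends with an explicit deny, so the policy does not depend on
#     whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
#
# fwcmd follows the rc.firewall convention.  It defaults to a dry run that
# only echoes the commands; set fwcmd=/sbin/ipfw to apply them.
fwcmd="${fwcmd:-echo ipfw}"

# Interface names and the inside network are assumed values, not from the
# thread; substitute your own.
oif="${oif:-ed0}"                  # outside interface, address from DHCP
iif="${iif:-ed1}"                  # inside interface
inet="${inet:-192.168.1.0}"        # constructed inside network
imask="${imask:-255.255.255.0}"

simple_rules() {
    ${fwcmd} -f flush

    # natd sees every packet crossing the outside interface.  This divert
    # rule is independent of the kernel's default policy, as the reply says.
    ${fwcmd} add 50 divert natd all from any to any via ${oif}

    # Loopback traffic stays on lo0; 127/8 must never appear elsewhere.
    ${fwcmd} add 100 allow all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: inside source addresses never arrive on the outside.
    ${fwcmd} add 400 deny all from ${inet}:${imask} to any in via ${oif}

    # DHCP client traffic.  "me" cannot be used here: until the lease is
    # granted the host has no outside address for it to match, and the
    # server's reply may be sent to the broadcast address.
    ${fwcmd} add 600 allow udp from any 67 to any 68 in via ${oif}
    ${fwcmd} add 700 allow udp from any 68 to any 67 out via ${oif}

    # Replies to TCP connections we opened, plus anything the inside starts.
    ${fwcmd} add 800 allow tcp from any to any established
    ${fwcmd} add 900 allow all from ${inet}:${imask} to any in via ${iif}
    ${fwcmd} add 950 allow all from any to ${inet}:${imask} out via ${iif}
    ${fwcmd} add 1000 allow all from any to any out via ${oif}

    # Services this host offers to the outside: "me" replaces a fixed ${oip}.
    # DNS replies are accepted only for this host, which matches the simple
    # profile's assumption that the firewall is the inside's name server.
    ${fwcmd} add 1100 allow tcp from any to me 22 in via ${oif} setup
    ${fwcmd} add 1150 allow udp from any 53 to me in via ${oif}

    # Useful ICMP only: echo reply, unreachable, echo request, time exceeded.
    ${fwcmd} add 1200 allow icmp from any to any icmptypes 0,3,8,11

    # Explicit catch-all deny.  Without it, whatever reaches rule 65535 is
    # dropped or accepted according to the kernel option; with it, this
    # script decides.  "log" makes the drops visible for monitoring.
    ${fwcmd} add 65000 deny log ip from any to any
}

simple_rules
```

Run it as-is to review the generated rules, then as `fwcmd=/sbin/ipfw sh rules.sh` to load them. The anti-spoofing rule checks only the source address so that packets already translated by natd (destination rewritten to an inside address) are not rejected, and the catch-all deny carries a number so that any later `ipfw add` without a number still lands before it.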



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44ptdolfwd.fsf>