From: Lowell Gilbert
To: Rishi Chopra
Cc: freebsd-questions@FreeBSD.ORG
Date: 12 Jan 2004 21:51:46 -0500
Subject: Re: (Yet Another) Home Networking Question
Message-ID: <44ptdolfwd.fsf@be-well.ilk.org>
In-Reply-To: <40035568.6010306@cal.berkeley.edu>
References: <200401111053.QAA05193@manage.24online> <40035568.6010306@cal.berkeley.edu>

Rishi Chopra writes:

> Perhaps someone can help me with this small part of rc.firewall:
>
>     [Ss][Ii][Mm][Pp][Ll][Ee])
>         ############
>         # This is a prototype setup for a simple firewall.  Configure this
>         # machine as a named server and ntp server, and point all the machines
>         # on the inside at this machine for those services.
>         ############
>
>         # set these to your outside interface network and netmask and ip
>         oif="ed0"
>         onet="192.0.2.0"
>         omask="255.255.255.0"
>         oip="192.0.2.1"
>
>         # set these to your inside interface network and netmask and ip
>         iif="ed1"
>         inet="192.0.2.1"
>         imask="255.255.255.0"
>         iip="192.0.2.17"
>
> I'm curious about the difference between 'inet' and 'iip', what each
> one stands for, and how to configure 'onet/oip' if the outside
> interface network is configured via DHCP.

Look a little more closely at the comment right before those lines.
'iif' is "Inside InterFace," 'inet' is "Inside NETwork," 'imask' is
"Inside netMASK," and 'iip' is "Inside IP address."

If your outside address is assigned by DHCP, you can't set those in the
script.  You can use the "me" keyword (see "man 8 ipfw"), or set up the
firewall in a DHCP hook, or just skip the address (it doesn't actually
give you any extra security if you've got a single address on a single
Ethernet network).

> I'm also curious about this little snippet (under the 'simple' profile):
>
>         # Everything else is denied by default, unless the
>         # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>         # config file.
>
> What happens if this option is set in my kernel config file?  Can I
> safely comment out this line and use the 'simple' profile without
> affecting natd?

It doesn't affect natd either way.  Defaulting to deny is definitely
the way to configure a firewall for security purposes -- don't accept
anything you haven't explicitly configured yourself to let in.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"