Date:      Mon, 12 Jan 2004 19:07:16 -0800
From:      Rishi Chopra <rchopra@cal.berkeley.edu>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: (Yet Another) Home Networking Question
Message-ID:  <400360E4.3020401@cal.berkeley.edu>
In-Reply-To: <44ptdolfwd.fsf@be-well.ilk.org>
References:  <200401111053.QAA05193@manage.24online> <40035568.6010306@cal.berkeley.edu> <44ptdolfwd.fsf@be-well.ilk.org>

Thanks for the generally good info; the 'me' keyword was the key piece 
of info that I needed =)

Lowell Gilbert wrote:

>Rishi Chopra <rchopra@cal.berkeley.edu> writes:
>
>>Perhaps someone can help me with this small part of rc.firewall:
>>
>>[Ss][Ii][Mm][Pp][Ll][Ee])
>>        ############
>>        # This is a prototype setup for a simple firewall.  Configure this
>>        # machine as a named server and ntp server, and point all the machines
>>        # on the inside at this machine for those services.
>>        ############
>>
>>        # set these to your outside interface network and netmask and ip
>>        oif="ed0"
>>        onet="192.0.2.0"
>>        omask="255.255.255.0"
>>        oip="192.0.2.1"
>>
>>        # set these to your inside interface network and netmask and ip
>>        iif="ed1"
>>        inet="192.0.2.1"
>>        imask="255.255.255.0"
>>        iip="192.0.2.17"
>>
>>I'm curious about the difference between 'inet' and 'iip', what each
>>one stands for, and how to configure 'onet/oip' if the outside
>>interface network is configured via DHCP.
>
>Look a little more closely at the comment right before those lines.
>'iif' is "Inside InterFace," 'inet' is "Inside NETwork," 'imask' is
>"Inside netMASK," and 'iip' is "Inside IP address."
>
>If your outside address is assigned by DHCP, you can't set those in the
>script.  You can use the "me" keyword (see "man 8 ipfw"), or set up
>the firewall in a DHCP hook, or just skip the address (it doesn't
>actually give you any extra security if you've got a single address on
>a single Ethernet network).
>
>>I'm also curious about this little snippet (under the 'simple' profile):
>>
>>        # Everything else is denied by default, unless the
>>        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>>        # config file.
>>
>>What happens if this option is set in my kernel config file?  Can I
>>safely comment out this line and use the 'simple' profile without
>>affecting natd?
>
>It doesn't affect natd either way.  Defaulting to deny is definitely
>the way to configure a firewall for security purposes -- don't accept
>anything you haven't explicitly configured yourself to let in.
>
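Lowell's two suggestions above (use ipfw's "me" keyword when the outside address comes from DHCP, and keep the ruleset default-deny) as a concrete sh fragment. This is an added example written for this page, not code from the thread or from FreeBSD's own rc.firewall; the interface names ed0/ed1 and the inside network 192.168.1.0/24 are assumptions. The rules are modelled on the "simple" profile, but every place that profile uses ${oip} is written as "me" (which matches whatever address the box currently holds), and the set ends with an explicit deny so the result does not depend on whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeBSD's rc.firewall:
# a DHCP-friendly variant of the rc.firewall "simple" profile.
# Interface names and the inside network below are assumptions; adjust them.
#
# Run as-is (FWCMD unset) to only echo the ipfw commands; run as root with
# FWCMD=/sbin/ipfw to actually load them.

oif="ed0"              # outside interface, address assigned by DHCP (assumed)
iif="ed1"              # inside interface (assumed)
inet="192.168.1.0"     # inside network (assumed)
imask="255.255.255.0"  # inside netmask (assumed)

# Emit the ruleset through the command given as $1 ("echo" for a dry run,
# "/sbin/ipfw" to install).  No ${oip}/${onet} variables are needed: "me"
# stands in for the outside address, so the rules survive a lease change.
simple_rules() {
    fwcmd="$1"

    ${fwcmd} -f flush

    # Loopback and the trusted inside interface.
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add pass all from any to any via ${iif}

    # Anti-spoofing: inside addresses must not arrive on the outside
    # interface.  The matching check for ${onet} on ${iif} is dropped
    # because the outside network is not known in advance under DHCP.
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}

    # NAT for the inside hosts; natd must be running on ${oif}
    # (natd_enable/natd_interface in rc.conf) for this to do anything.
    ${fwcmd} add divert natd all from any to any via ${oif}

    # Established TCP and fragments, as in the simple profile.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag

    # Services this box offers to the outside.  "me" replaces ${oip}.
    ${fwcmd} add pass tcp from any to me 22 setup
    ${fwcmd} add pass tcp from any to me 53 setup
    ${fwcmd} add pass udp from any to me 53
    ${fwcmd} add pass udp from me 53 to any

    # Log and drop every other inbound connection attempt from outside.
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Outbound connections from this box and from the NATed inside hosts.
    ${fwcmd} add pass tcp from any to any setup
    ${fwcmd} add pass udp from me to any 53 keep-state
    ${fwcmd} add pass udp from me to any 123 keep-state

    # Explicit final deny, so the policy is default-deny regardless of the
    # IPFIREWALL_DEFAULT_TO_ACCEPT kernel option.
    ${fwcmd} add 65000 deny log all from any to any
}

simple_rules "${FWCMD:-echo}"
```

With FWCMD unset the script is a dry run that prints the rules it would load; compare that output against `ipfw list` after loading to confirm the final 65000 deny is in place, since that rule, not the kernel default, is what makes the set default-deny.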