From owner-freebsd-ipfw Mon Oct 30 13:32:26 2000
Delivered-To: freebsd-ipfw@freebsd.org
From: "Peter Brezny"
Subject: rc.firewall by default does not allow nat of private internal addresses?
Date: Mon, 30 Oct 2000 16:32:28 -0500
Message-ID: <001701c042b8$e7f54340$47010a0a@fire.sysadmininc.com>

Could someone explain to me why the default configuration of rc.firewall using the 'simple' configuration does not allow private IPs to be used on the internal network?

I was assuming that since the natd rule is _above_ the

    deny ip from 10.0.0.0/8 to any via ${oif}

ipfw would not 'realize' that the packet originated on 10.0.0.0/8 and would pass it (since natd should have already translated the packet to the external IP before it leaves via the ${oif})... right?

Any enlightenment on this issue would be greatly appreciated. But as written, it appears to me that the rc.firewall provided with 4.1 is useless unless you pull out the limits of RFC1918 or at least change them to

    deny all from 10.0.0.0/8 to any in via ${oif}

TIA.

Peter Brezny
SysAdmin Services, Inc.
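The ordering question raised above, as an added example that is not part of the original post or of rc.firewall: a small model of ipfw's first-match evaluation with a natd divert rule, showing why the position of the RFC1918 deny rule relative to the divert decides whether an outbound packet from 10.0.0.0/8 is translated or dropped, and why restricting the deny to "in via ${oif}" works in either order. The interface name, public address and host addresses are constructed for illustration.

```python
import ipaddress

OIF = "fxp0"               # assumed external interface, ${oif} in rc.firewall
PUBLIC_IP = "203.0.113.5"  # constructed public address natd rewrites sources to

def matches(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(rules, pkt, nat_table):
    """First-match walk over rules (action, src, dst, direction, iface).
    'divert' models natd(8): an outbound packet gets its source rewritten
    and the session remembered; an inbound packet of a remembered session
    gets its destination restored. After a divert the walk continues with
    the rewritten packet, which is what decides the question in the post."""
    pkt = dict(pkt)
    for action, src, dst, direction, iface in rules:
        if iface != pkt["iface"] or direction not in ("via", pkt["dir"]):
            continue
        if not (matches(src, pkt["src"]) and matches(dst, pkt["dst"])):
            continue
        if action == "divert":
            if pkt["dir"] == "out":
                nat_table[pkt["dst"]] = pkt["src"]
                pkt["src"] = PUBLIC_IP
            elif pkt["dst"] == PUBLIC_IP and pkt["src"] in nat_table:
                pkt["dst"] = nat_table[pkt["src"]]
            continue
        return action
    return "deny"  # ipfw's default rule 65535 in a deny-by-default kernel

def ruleset(natd_before_deny, deny_direction="via"):
    """The 10/8 deny rule and the natd divert in either order; the trailing
    allow stands in for the pass rules that follow in the 'simple' set."""
    deny_private = ("deny", "10.0.0.0/8", "any", deny_direction, OIF)
    divert = ("divert", "any", "any", "via", OIF)
    order = [divert, deny_private] if natd_before_deny else [deny_private, divert]
    return order + [("allow", "any", "any", "via", OIF)]

def outbound_from_lan(rules):
    """Internal host 10.10.1.71 (constructed) sending to an outside host."""
    pkt = {"src": "10.10.1.71", "dst": "198.51.100.9", "dir": "out", "iface": OIF}
    return evaluate(rules, pkt, {})

def inbound_spoofed(rules):
    """Packet arriving on the outside interface claiming a 10/8 source."""
    pkt = {"src": "10.9.9.9", "dst": PUBLIC_IP, "dir": "in", "iface": OIF}
    return evaluate(rules, pkt, {})
```

With the deny rule ahead of the divert, the LAN packet is dropped before natd ever sees it; with the divert first, the rewritten source no longer matches 10.0.0.0/8 and the packet passes, while a spoofed inbound 10/8 packet is still denied.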