Date: Fri, 21 Apr 2000 19:41:33 +0100
From: Nik Clayton <nik@freebsd.org>
To: Marc Silver <marcs@draenor.org>
Cc: freebsd-doc@freebsd.org
Subject: Re: ipfw and nat over ppp documentation
Message-ID: <20000421194133.C30157@catkin.nothing-going-on.org>
In-Reply-To: <20000414210740.U19472@draenor.org>; from marcs@draenor.org on Fri, Apr 14, 2000 at 09:07:40PM +0200
References: <20000414210740.U19472@draenor.org>
Marc,

On Fri, Apr 14, 2000 at 09:07:40PM +0200, Marc Silver wrote:
> I have written the following documentation on how to set up ipfw over a
> ppp connection. I hope this is the right place to submit it, but if
> not, please let me know. A copy of this (for better viewing) is at
> http://draenor.org/ipfw
>
> Something like this is missing from the FAQ and handbook (or if it's
> there I certainly missed it) so perhaps it could be included with a bit
> of work??

Thanks for this. However. . . (there's always a "however" :-) ) I've got
a couple of questions. Perhaps if you could answer them in the document
it would be more useful?

1. Why are you using natd, instead of PPP's built in address
   translation facilities? What are the pros and cons of each?

2. [ This is the kicker ] Suppose you're using nat (either in PPP, or
   with natd) to run some private net IP addresses internally. How do
   you firewall them?

   It's my understanding (and I haven't done this, so I could be wrong)
   that if you are using 192.168.1/24 internally then you can't do
   something like

       $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via tun0

   as the address translation happens to incoming packets *before* the
   firewall gets to intercept them.

3. From a text point of view it looks fine. Would you care to run it
   past some people on the security mailing list, so they can make sure
   the advice is sound from a security perspective as well?

Any thoughts? And thanks for taking the time to write this up.

N
-- 
Internet connection, $19.95 a month. Computer, $799.95. Modem, $149.95.
Telephone line, $24.95 a month. Software, free. USENET transmission,
hundreds if not thousands of dollars. Thinking before posting, priceless.
Some things in life you can't buy. For everything else, there's MasterCard.
  -- Graham Reed, in the Scary Devil Monastery

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000421194133.C30157>
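The ordering point in question 2 of the message above can be checked without a FreeBSD box. The following is an added example, not part of the message or of FreeBSD; it is a small Python model of how ipfw walks a ruleset when a `divert natd` rule is present, built on the behaviour documented in ipfw(8): a packet that natd reinjects resumes processing at the rule after the divert rule. The public address (203.0.113.5), the internal host it maps to (192.168.1.10), the remote address (198.51.100.7) and the rule numbers are constructed for illustration, and the NAT table is a plain address map rather than natd's real per-port state.

```python
# Added example: a small model of ipfw's rule walk with a natd divert rule.
# This is NOT FreeBSD code and not from the message above; it only models
# the ordering property documented in ipfw(8): a packet reinjected by natd
# resumes processing at the rule after the divert rule. Addresses, the NAT
# mapping and rule numbers below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

PRIVATE = ip_network("192.168.0.0/16")   # the net in the message's deny rule

# Constructed natd state: the public address on tun0 and the internal host
# an inbound packet to it is currently mapped to. Real natd keys this on
# ports as well; a plain address map is enough to show the ordering.
NAT_MAP: Dict[str, str] = {"203.0.113.5": "192.168.1.10"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str          # interface the packet arrives on, e.g. "tun0"
    inbound: bool = True


@dataclass(frozen=True)
class Rule:
    number: int
    action: str         # "allow", "deny" or "divert"
    match: Callable[[Packet], bool]


def evaluate(rules: List[Rule], pkt: Packet,
             nat_map: Dict[str, str] = NAT_MAP) -> Tuple[str, int, Packet]:
    """Walk the rules in number order and return (action, rule number,
    packet as the deciding rule saw it). A matching divert rule rewrites
    the packet the way natd would and processing resumes at the next rule."""
    ordered = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if rule.match(pkt):
            if rule.action == "divert":
                if pkt.inbound and pkt.dst in nat_map:
                    # natd rewrites the destination to the internal host
                    pkt = Packet(pkt.src, nat_map[pkt.dst], pkt.iface, pkt.inbound)
                i += 1           # reinjected: continue after the divert rule
                continue
            return rule.action, rule.number, pkt
        i += 1
    return "deny", 65535, pkt    # ipfw's implicit default rule


def to_private_via_tun0(pkt: Packet) -> bool:
    """Equivalent of 'from any to 192.168.0.0:255.255.0.0 via tun0'."""
    return pkt.iface == "tun0" and ip_address(pkt.dst) in PRIVATE


def via_tun0(pkt: Packet) -> bool:
    """Equivalent of 'ip from any to any via tun0'."""
    return pkt.iface == "tun0"


def deny_before_divert() -> List[Rule]:
    """Deny placed before 'divert natd': it sees untranslated addresses."""
    return [Rule(100, "deny", to_private_via_tun0),
            Rule(200, "divert", via_tun0),
            Rule(300, "allow", lambda p: True)]


def deny_after_divert() -> List[Rule]:
    """Same deny placed after the divert: it sees translated addresses."""
    return [Rule(100, "divert", via_tun0),
            Rule(200, "deny", to_private_via_tun0),
            Rule(300, "allow", lambda p: True)]


# Constructed packets arriving on tun0 from the Internet:
REPLY = Packet("198.51.100.7", "203.0.113.5", "tun0")     # reply to our public IP
SPOOFED = Packet("198.51.100.7", "192.168.1.10", "tun0")  # private dst from outside


if __name__ == "__main__":
    for name, rules in (("deny before divert", deny_before_divert()),
                        ("deny after divert", deny_after_divert())):
        for label, pkt in (("reply", REPLY), ("spoofed", SPOOFED)):
            action, num, seen = evaluate(rules, pkt)
            print(f"{name:18} {label:8} -> {action} at rule {num} (dst seen: {seen.dst})")
```

Running it shows the two placements behave differently: with the deny ahead of the divert, a legitimate reply to the public address passes (the deny never sees a private destination, and only the allow after the divert sees the translated one), while a packet arriving from outside with a private destination is dropped at rule 100 as an anti-spoofing check. With the same deny after the divert, it matches the already-translated reply and drops legitimate traffic. So in the model the rule quoted in the message is usable, but which addresses it sees is decided by where it sits relative to the divert rule, which is the point worth spelling out in the documentation.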
