From owner-freebsd-questions@FreeBSD.ORG Mon Apr 7 14:31:08 2003
Date: Mon, 7 Apr 2003 14:31:34 -0700
From: Joshua Lokken
To: Brian McCann
Cc: freebsd-questions@freebsd.org
Subject: Re: NATD & IPFW
Message-ID: <20030407213134.GB6383@joloxbox.joshualokken.com>
In-Reply-To: <000001c2f8cb$6e4f5e60$2f811581@garfield>
User-Agent: Mutt/1.4i
X-OS: FreeBSD joloxbox.joshualokken.com 4.8-STABLE i386

* Brian McCann (bjm1287@ritvax.rit.edu) wrote:
==> Hi all. I'm having an issue with security while trying to get natd to
==> work with ipfw. I got my ipfw rules working great, so I added the natd
==> line in:
==>
==> ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE
==>
==> But I can't do anything (ping, fetch, etc.) until I add:
==> ipfw add pass all from any to any
==>
==> Now, I may be wrong, but doesn't this pretty much open the box up? I
==> tried changing the first "any" to my internal network, but that didn't
==> work, and I know I've got to be missing something.
==>
==> If anyone would like to help me off-list, I could send you a copy of my
==> rule set if you'd like.
==>
==> Thanks in advance,
==> --Brian

I had trouble with this, too, and I found that when I changed the location
of the divert rule, the behavior changed.

-- 
Joshua
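An added illustration of what "the location of the divert rule" means in practice; this is not either poster's rule set. It assumes fxp0 as the external interface, rl0 as the internal one, 192.168.1.0/24 as the LAN and natd on port 8668 as in the quoted rule, and it goes beyond the thread by sketching a whole default-deny rule set in the stateless style of the FreeBSD 4.x rc.firewall, with the divert placed ahead of the filtering rules so that no "pass all from any to any" is needed.

```shell
#!/bin/sh
# Added example rc.firewall-style fragment (not the posters' rules).
# Assumed: external interface fxp0, internal interface rl0,
# LAN 192.168.1.0/24, natd on divert port 8668 (as in the quoted rule).
EXT_IF="${EXT_IF:-fxp0}"
INT_IF="${INT_IF:-rl0}"
INT_NET="${INT_NET:-192.168.1.0/24}"
NATD_PORT=8668

load_rules() {
    # IPFW_CMD=echo prints the rules instead of loading them
    fwcmd="${IPFW_CMD:-/sbin/ipfw}"
    $fwcmd -f flush
    # loopback, and nothing claiming to be loopback elsewhere
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any
    # anti-spoofing, checked before NAT: our LAN addresses never
    # arrive from the outside
    $fwcmd add 400 deny ip from $INT_NET to any in via $EXT_IF
    # the divert sits BEFORE the filtering rules: inbound packets are
    # translated back to LAN addresses, outbound ones to the public
    # address, before any rule below examines them
    $fwcmd add 1000 divert $NATD_PORT ip from any to any via $EXT_IF
    # replies to TCP connections that were opened from inside
    $fwcmd add 2000 allow tcp from any to any established
    # anything leaving through the external interface (post-NAT)
    $fwcmd add 2100 allow ip from any to any out via $EXT_IF
    # the LAN side is trusted, as in the stock rc.firewall "simple" set
    $fwcmd add 2200 allow ip from any to any via $INT_IF
    # UDP has no "established"; admit DNS answers explicitly (stateless,
    # so tighten "any 53" to your resolver's address in production)
    $fwcmd add 2300 allow udp from any 53 to any in via $EXT_IF
    # published services only; nothing else reaches the box from outside
    $fwcmd add 3000 allow tcp from any to any 22 in via $EXT_IF setup
    $fwcmd add 3100 allow icmp from any to any icmptypes 0,3,8,11
    # default deny, logged, instead of "pass all from any to any"
    $fwcmd add 65000 deny log ip from any to any
}

# Usage: sh natd-rules.sh load      (as root; loads the rules)
#        sh natd-rules.sh preview   (prints the rules, touches nothing)
case "${1:-}" in
    load)    load_rules ;;
    preview) IPFW_CMD=echo load_rules ;;
esac
```

With the divert placed after the filtering rules instead, inbound replies would still carry the public address when the allow rules inspect them, which is the symptom that tempts one into a catch-all pass.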