Date: Mon, 28 Aug 2000 18:01:04 -0400 (EDT)
From: Bruce Petro
To: freebsd-questions
Subject: RE: ipfw setup when dhcp?

Michael, thanks for the reply - yes, you have a good point. After I
reviewed the contents of the rc.firewall that they had documented on
http://www.mostgraveconcern.com/freebsd/ (the dual-homed host article,
which is what I was going by), I see that the only use of the actual
onet and omask and inet and imask was to perform the rules he titles
"# Stop spoofing" (see details below).

So, can anyone share whether the "# Stop spoofing" is possible to do
when you are under dhcp and not able to know ahead of time what your
onet and omask are going to be? I know inet and imask are static, and
well, I guess you could assume the omask is pretty static, but still
the onet address remains quite dynamic...

Any ideas?
Thanks, Bruce.

************************************************************
PS: HERE IS THE TEXT FROM mostgraveconcern.com TO SHOW WHAT THEY ARE
DOING TO ACCOMPLISH THE SPOOFING PROTECTION ...
# Outside interface network and netmask and ip
oif="dc0"
onet="123.45.67.0"
omask="255.255.252.0"
oip="123.45.67.89"

# Inside interface network and netmask and ip
iif="ep0"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.1"

# Stop spoofing
${fwcmd} add deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log all from ${onet}:${omask} to any in via ${iif}
*************************************************************

Michael wrote:
>
>Bruce, I use roadrunner myself, and I have not had to enter this info in
>rc.firewall. Have a look at
>http://www.defcon1.org//html/Networking_Articles/Firewall-Ipfw/firewall-ipfw.html
>
>This is the guide I used to set up my firewall. Set up two of them, and
>they work like champs.
>
>...Michael...
>
>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bruce Petro
>> Sent: Monday, August 28, 2000 11:59 AM
>> To: freebsd-questions
>> Subject: ipfw setup when dhcp?
>>
>>
>> Can someone advise what to do in this - I know in setting up
>> ipfw, part of what you should do is setup the following in
>> rc.firewall...
>>
>> # Outside interface network and netmask and ip
>> oif="dc0"
>> onet="123.45.67.0"
>> omask="255.255.252.0"
>> oip="123.45.67.89"
>>
>> But when you are connecting to dhcp (roadrunner) what are you
>> supposed to put into these? Should you put your 'currently
>> assigned' address with the current mask and that in effect
>> would define your possible addresses? Or is there some
>> notation that will simply echo whatever address I've been
>> given this time?
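
Added example (not part of the original thread, and not code from
mostgraveconcern.com): one way to fill in onet and omask for the "Stop
spoofing" rules is to read them from the outside interface after DHCP has
configured it. The script assumes FreeBSD-style ifconfig output with a hex
netmask; the function names and the sample ifconfig text are constructed for
illustration, and the rules are printed rather than passed to ipfw.

```sh
#!/bin/sh
# Added example: compute onet/omask for the "Stop spoofing" rules from the
# address DHCP assigned to the outside interface, instead of hard-coding them.

# Constructed sample of `ifconfig dc0` output so the script runs offline.
# On the firewall itself, feed spoof_rules from: ifconfig "$oif"
sample_ifconfig='dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 123.45.67.89 netmask 0xfffffc00 broadcast 123.45.67.255'

# Print "ip hexmask" for the first IPv4 address in ifconfig output on stdin.
get_ip_mask() {
    awk '$1 == "inet" && $3 == "netmask" { print $2, $4; exit }'
}

# Convert ifconfig's hex netmask (0xfffffc00) to dotted quad (255.255.252.0).
hex_to_quad() {
    h=${1#0x}
    case $h in ""|*[!0-9a-fA-F]*) return 1 ;; esac   # reject anything non-hex
    m=$(( 0x$h ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# AND an address with a mask, octet by octet, to get the network address.
net_of() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # split both dotted quads into $1..$8
    IFS=$old_ifs
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# Usage: spoof_rules oif iif inet imask < ifconfig-output
# Prints the two rules; fails if the interface has no lease yet, rather than
# emitting a rule with an empty network.
spoof_rules() {
    set -- "$@" $(get_ip_mask)
    [ $# -eq 6 ] || { echo "no IPv4 address on $1" >&2; return 1; }
    omask=$(hex_to_quad "$6") || return 1
    onet=$(net_of "$5" "$omask")
    echo "ipfw add deny log all from $3:$4 to any in via $1"
    echo "ipfw add deny log all from $onet:$omask to any in via $2"
}

printf '%s\n' "$sample_ifconfig" | spoof_rules dc0 ep0 10.0.0.0 255.255.255.0
```

For the sample address the network comes out as 123.45.64.0 with mask
255.255.252.0. The rules have to be regenerated whenever a new lease changes
the outside address.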