From owner-freebsd-security Mon Apr 1 18:37:43 2002
Date: Mon, 1 Apr 2002 21:38:51 -0500
From: nobody@cyberstreet.com
Message-ID: <1065771453.20020401213851@email.com>
To: freebsd-security@freebsd.org
Subject: linksys 8 port router and ipfw

thanks in advance.

i have 8 windows clients behind a linksys router (befsr81 with updated firmware) on a hub that links to a freebsd box (4.5 release) running natd and connected to the net via cable; no dhcp anywhere. i can make it work, BUT, i am unsure of how well i have done it and how well it is protected. i have omitted the more mundane lo0 and spoofing entries for brevity. xl0 is the internal interface.

ipfw rules

    add divert natd all from any to any via xl1
    add check-state
    add allow tcp from "the-router" to any 22 in setup keep-state
    add deny tcp from any to any 22
    add allow all from "the-router" to any keep-state
    add allow all from any to any out

default to deny

#1 how can i change this so it doesn't suck and so that i can browse and ftp from bsd box?

#2 see below, not as important as #1 but i didn't want to cross-post to questions.

***side note*** the strange thing about router. ssh works until i use the router. i googled and found other people that said to change the mtu on the nic and router, didn't work. the router only breaks ssh, (it is in /etc/hosts) you can still browse and ftp. remove the router and all works, without any other changes. i cheated and changed my sshd_config to listen on all interfaces and it will work through the router; not working on xl0 only xl1. i don't think this is, however, the best answer.

again, i thank you all for any time and help.