From owner-freebsd-security Thu Oct 22 11:39:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA07277 for freebsd-security-outgoing; Thu, 22 Oct 1998 11:39:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dt053nb4.san.rr.com (dt053nb4.san.rr.com [204.210.34.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA07272 for ; Thu, 22 Oct 1998 11:39:15 -0700 (PDT) (envelope-from Studded@gorean.org)
Received: from gorean.org (Studded@localhost [127.0.0.1]) by dt053nb4.san.rr.com (8.8.8/8.8.8) with ESMTP id LAA03197; Thu, 22 Oct 1998 11:38:42 -0700 (PDT) (envelope-from Studded@gorean.org)
Message-ID: <362F7BB1.71A13EF3@gorean.org>
Date: Thu, 22 Oct 1998 11:38:41 -0700
From: Studded
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.7-STABLE-1015 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: junkmale@xtra.co.nz
CC: freebsd-security@FreeBSD.ORG
Subject: Re: default rules in rc.firewall cause problem
References: <199810221629.FAA27065@cyclops.xtra.co.nz>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is about the 8th time I've seen this post of yours. You are missing several important aspects of this situation.

First off, the outside interface should NEVER see traffic from RFC 1918 space, so if you have to modify this rule to get your system to work, then your system is screwed.

Second, there is no possible way that anyone can help you with this problem if you don't post the details of your setup. The fragment that you've posted here is virtually meaningless, and the only reason I understand what you're talking about is that I've read this or similar posts so many times. If you want help, post your whole firewall setup to freebsd-questions and ask for help.

However, if you're not interested in help, please stop making this post, as you are incorrect and I for one am tired of seeing it.

Doug

Dan Langille wrote:
>
> I've been setting up a firewall using the open model supplied in
> /etc/rc.firewall as the basis of our security. I've found that one of the
> rules, designed to "# Stop RFC1918 nets on the outside interface" does not
> seem to be very useful, at least in my situation. The rule in question is:
>
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>
> The subnet is within the 192.168.*.* range. ed1 is the subnet, and ed0 is
> the ISP. In order for any traffic to get outside, I need to modify the
> above rule to:
>
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out
>
> Does this make sense?
>
> I suspect the other rules will exhibit the same characteristics with their
> respective subnets.
>
> --
> Dan Langille
> DVL Software Limited
> The FreeBSD Diary - my [mis]adventures
> http://www.FreeBSDDiary.com

--
*** Chief Operations Officer, DALnet IRC network *** Go PADRES!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
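What the two rules in the exchange above actually differ on is direction: a bare "via ${oif}" in ipfw matches packets passing through that interface in either direction, while appending "out" restricts the rule to packets leaving on it. The consequence is the one Doug is pointing at: once "out" is added, a packet arriving inbound on the outside interface with an RFC 1918 destination no longer hits the deny rule and falls through to whatever comes next (in the open model, the catch-all allow). The following is an added example, not code from rc.firewall, from ipfw, or from either poster; it is a small Python model of first-match rule evaluation over the ipfw subset used in the thread, run against constructed packets. The interface names ed0/ed1, the rule numbers 100 and 65000, and the packet addresses are assumptions for the demonstration.

```python
"""
Toy model of ipfw rule matching, just enough to show what changes when
'out' is appended to the rc.firewall RFC 1918 rule.  Constructed example:
this is neither rc.firewall nor ipfw, and it models only 'all from any to
<dst>[:<mask>] [via <if>] [in|out]'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet enters or leaves on
    direction: str   # "in" or "out", as seen by the kernel


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                            # "allow" or "deny"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    via: Optional[str]                     # interface from "via <if>", None means any
    direction: Optional[str]               # "in", "out", or None (bare "via": both ways)


def parse_rule(number: int, text: str) -> Rule:
    """Parse the ipfw subset used in the thread.  The old 'addr:mask'
    destination form is rewritten to 'addr/mask' for the ipaddress module."""
    tokens = text.split()
    action = tokens[0]
    if tokens[1:5] != ["all", "from", "any", "to"]:
        raise ValueError("only 'all from any to ...' is modelled")
    dst_text = tokens[5]
    dst = None
    if dst_text != "any":
        dst = ipaddress.IPv4Network(dst_text.replace(":", "/"), strict=False)
    via = None
    direction = None
    rest = tokens[6:]
    i = 0
    while i < len(rest):
        if rest[i] == "via":
            via = rest[i + 1]
            i += 2
        elif rest[i] in ("in", "out"):
            direction = rest[i]
            i += 1
        else:
            raise ValueError(f"unsupported keyword {rest[i]!r}")
    return Rule(number, action, dst, via, direction)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every option it carries agrees with the packet.
    A bare 'via' (direction None) matches both inbound and outbound."""
    if rule.dst is not None and ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.via is not None and pkt.iface != rule.via:
        return False
    if rule.direction is not None and pkt.direction != rule.direction:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule wins, as in ipfw."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("no rule matched; a real ruleset ends in a catch-all")


OIF = "ed0"   # assumed outside interface, as in Dan's description


def ruleset(rfc1918_rule: str) -> List[Rule]:
    # Rule 100 is the RFC 1918 rule under discussion; 65000 stands in for the
    # open model's 'allow ip from any to any' catch-all (numbers are assumed).
    return [parse_rule(100, rfc1918_rule),
            parse_rule(65000, "allow all from any to any")]


ORIGINAL = ruleset(f"deny all from any to 192.168.0.0:255.255.0.0 via {OIF}")
MODIFIED = ruleset(f"deny all from any to 192.168.0.0:255.255.0.0 via {OIF} out")

# Constructed packets.
SPOOFED_IN = Packet("198.51.100.7", "192.168.1.5", "ed0", "in")    # RFC 1918 dst arriving from the ISP side
LEAK_OUT = Packet("10.9.9.9", "192.168.5.5", "ed0", "out")         # RFC 1918 dst leaving towards the ISP
LAN_LOCAL = Packet("192.168.1.9", "192.168.1.5", "ed1", "out")     # never touches ed0

if __name__ == "__main__":
    for name, rules in (("bare via", ORIGINAL), ("via ... out", MODIFIED)):
        for pkt in (SPOOFED_IN, LEAK_OUT, LAN_LOCAL):
            print(f"{name:12} {pkt.src:>14} -> {pkt.dst:<14} {pkt.iface} {pkt.direction:3}  {verdict(rules, pkt)}")
```

Running it shows both rulesets denying the outbound leak and ignoring the ed1-only packet, but only the original rule stops the inbound packet addressed to 192.168.1.5 on ed0; with "out" appended that packet reaches the catch-all and is allowed. That is the hole opened by the modification, which is why the reply above insists the right fix is to find out why such packets are reaching the outside interface at all rather than to loosen the rule.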