Date: Fri, 14 Apr 2006 04:42:53 -0700 From: "Brett Proctor" <brettproctor@gmail.com> To: doc@freebsd.org Subject: 26.6 IPFW: Couple things Message-ID: <3e19003d0604140442y29756ff5s3d05ff17a840575b@mail.gmail.com>
First off, let me say thank you to whoever is responsible for writing all this. Really helpful stuff.

I implemented the NAT-ed stateful ruleset (the last example) and found a bug I believe. The offending line:

    # Allow out access to my ISP's Domain name server.
    # x.x.x.x must be the IP address of your ISP's DNS
    # Dup these lines if your ISP has more than one DNS server
    # Get the IP addresses from /etc/resolv.conf file
    $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

The TCP part should be UDP, I believe. In some previous sections it seemed it listed both TCP and UDP rules for DNS, but I believe that DNS only uses TCP.

Also, is this a bit logically inconsistent? (Very last line)

    # This is skipto location for outbound stateful rules
    $cmd 800 divert natd ip from any to any out via $pif
    $cmd 801 allow ip from any to any

    # Everything else is denied by default
    # deny and log all packets that fell through to see what they are
    $cmd 999 deny log all from any to any

Isn't it impossible for anything to get past rule 801? Doesn't it essentially make it a default allow-all policy? If I'm not mistaken, shouldn't rule 999 be moved and changed to 799?

Thanks again for all this. The handbook is truly an invaluable resource.
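As an added illustration (not part of the message or of the Handbook ruleset), the Python below models ipfw's first-match walk over a constructed subset of the quoted rules, with $cmd, $skip and $pif expanded and the DNS rule written for UDP. It reports which rule an outbound DNS query terminates on and which rules no packet can ever reach, which is the ordering question the message raises about rules 801 and 999.

```python
import re
# Constructed subset of the quoted ruleset ($cmd/$skip/$pif expanded); x.x.x.x is the Handbook's DNS placeholder.
RULESET = """\
020 skipto 800 udp from any to x.x.x.x 53 out via pif keep-state
800 divert natd ip from any to any out via pif
801 allow ip from any to any
999 deny log all from any to any
"""
RULE_RE = re.compile(r"(\d+) (allow|deny|skipto|divert)(?: (\d+|natd))?(?: log)? "
                     r"(\w+) from any to (\S+)(?: (\d+))?(?: (in|out))?(?: via (\w+))?")
FIELDS = ("num", "action", "arg", "proto", "dst", "dport", "direction", "via")
def parse(text):
    """Every quoted rule has source 'any', so the source address is not modelled."""
    rules = [dict(zip(FIELDS, RULE_RE.match(ln).groups())) for ln in text.strip().splitlines()]
    for r in rules:
        r["num"], r["dport"] = int(r["num"]), (int(r["dport"]) if r["dport"] else None)
    return sorted(rules, key=lambda r: r["num"])

def matches(r, pkt):
    return (r["proto"] in ("ip", "all", pkt["proto"]) and r["dst"] in ("any", pkt["dst"])
            and r["dport"] in (None, pkt["dport"]) and r["direction"] in (None, pkt["direction"])
            and r["via"] in (None, pkt["via"]))

def terminal_catchall(r):  # allow/deny that matches every packet, any direction, any interface
    return (r["action"] in ("allow", "deny") and r["proto"] in ("ip", "all") and r["dst"] == "any"
            and r["dport"] is None and r["direction"] is None and r["via"] is None)

def evaluate(rules, pkt):
    """First-match walk of the chain; returns (terminal action, rule number)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if matches(r, pkt):
            if r["action"] in ("allow", "deny"):
                return r["action"], r["num"]
            if r["action"] == "skipto":  # resume at the first rule numbered >= target
                i = next(j for j, s in enumerate(rules) if s["num"] >= int(r["arg"]))
                continue
            # divert: natd hands the packet back and the walk continues at the next rule
        i += 1
    return "deny", None  # implicit default deny once the chain runs out

def unreachable(rules):
    """Rules no packet can reach: an earlier terminal catch-all cuts off the fall-through path."""
    targets = {next(s["num"] for s in rules if s["num"] >= int(r["arg"]))
               for r in rules if r["action"] == "skipto"}
    dead, fallthrough = [], True
    for r in rules:
        reached = fallthrough or r["num"] in targets
        if not reached:
            dead.append(r["num"])
        fallthrough = reached and not terminal_catchall(r)
    return dead
```

Running `unreachable(parse(RULESET))` lists rule 999 as dead, and the same walk shows that an outbound DNS query still ends on rule 801 even when rule 020 says tcp instead of udp, so the catch-all masks the protocol mistake rather than exposing it in the logs.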
