From owner-freebsd-doc@FreeBSD.ORG Fri Apr 14 11:42:54 2006
From: "Brett Proctor" <brettproctor@gmail.com>
To: doc@freebsd.org
Date: Fri, 14 Apr 2006 04:42:53 -0700
Message-ID: <3e19003d0604140442y29756ff5s3d05ff17a840575b@mail.gmail.com>
Subject: 26.6 IPFW: Couple things
List-Id: Documentation project

First off, let me say thank you to whoever is responsible for writing all this. Really helpful stuff. I implemented the NAT-ed stateful ruleset (the last example) and found a bug I believe.

The offending line:

    # Allow out access to my ISP's Domain name server.
    # x.x.x.x must be the IP address of your ISP's DNS
    # Dup these lines if your ISP has more than one DNS server
    # Get the IP addresses from /etc/resolv.conf file
    $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

The TCP part should be UDP I believe. In some previous sections it seemed it listed both TCP and UDP rules for DNS, but I believe that DNS only uses TCP.

Also, is this a bit logically inconsistent? (Very last line)

    # This is skipto location for outbound stateful rules
    $cmd 800 divert natd ip from any to any out via $pif
    $cmd 801 allow ip from any to any

    # Everything else is denied by default
    # deny and log all packets that fell through to see what they are
    $cmd 999 deny log all from any to any

Isn't it impossible for anything to get past rule 801? Doesn't it essentially make it a default allow-all policy? If I'm not mistaken, shouldn't rule 999 be moved and changed to 799?

Thanks again for all this. The handbook is truly an invaluable resource.
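The rule-ordering question in the mail above can be checked mechanically. The following is an added example, not part of the original mail and not FreeBSD code: a small first-match simulator for the subset of ipfw syntax the quoted rules use. It evaluates the handbook tail (020, 800, 801, 999) and the proposed tail (020, 799, 800, 801) against two constructed packets and shows that with the quoted order rule 999 is never reached (an unsolicited inbound connection ends at 801, allowed), while with the deny at 799 the inbound packet is dropped and the outbound DNS query still reaches 801 via the skipto. Assumptions: the interface name `dc0` and the address `192.0.2.53` stand in for `$pif` and `x.x.x.x`; `divert natd` is modelled as "continue with the next rule"; `setup` and `keep-state` are not modelled. The DNS rule is written with `udp`, which is what stub resolvers use for ordinary queries (TCP is used for zone transfers and for answers too large for UDP).

```python
# Added example: first-match simulator for a subset of ipfw rule syntax.
# Not FreeBSD code; "divert" handling and the omission of keep-state/setup
# are simplifications (assumptions) documented inline.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PIF = "dc0"             # assumed public interface name ($pif in the handbook)
ISP_DNS = "192.0.2.53"  # placeholder for x.x.x.x (documentation address range)


@dataclass
class Packet:
    proto: str              # "tcp", "udp", ...
    dst: str
    dport: Optional[int]
    direction: str          # "in" or "out"
    iface: str


@dataclass
class Rule:
    num: int
    action: str                    # "allow", "deny", "skipto", "divert"
    target: Optional[int] = None   # skipto destination
    proto: str = "ip"              # "ip"/"all" match every protocol
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto in ("ip", "all") or self.proto == p.proto)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Walk rules in ascending number order; the first terminal match wins.
    Returns (verdict, rule number). A packet that falls off the end hits
    ipfw's implicit rule 65535, which is deny in the default kernel build."""
    rules = sorted(rules, key=lambda r: r.num)
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.matches(p):
            i += 1
        elif r.action in ("allow", "deny"):
            return r.action, r.num
        elif r.action == "skipto":
            # continue at the first rule numbered >= target (or fall off the end)
            i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
        elif r.action == "divert":
            i += 1   # assumption: natd hands the packet back to the next rule
        else:
            raise ValueError(f"unsupported action {r.action!r}")
    return "deny", 65535


def dns_rule() -> Rule:
    # Handbook rule 020 with tcp replaced by udp, as the mail suggests.
    return Rule(20, "skipto", target=800, proto="udp", dst=ISP_DNS,
                dport=53, direction="out", iface=PIF)


def handbook_tail() -> List[Rule]:
    """Rules 800/801/999 as quoted in the mail (other rules omitted)."""
    return [dns_rule(),
            Rule(800, "divert", direction="out", iface=PIF),
            Rule(801, "allow"),
            Rule(999, "deny")]


def proposed_tail() -> List[Rule]:
    """Same rules with the catch-all deny moved in front of the skipto target."""
    return [dns_rule(),
            Rule(799, "deny"),
            Rule(800, "divert", direction="out", iface=PIF),
            Rule(801, "allow")]


# Constructed sample traffic: an outbound DNS query and an unsolicited
# inbound telnet SYN that no explicit rule accepts.
DNS_QUERY_OUT = Packet("udp", ISP_DNS, 53, "out", PIF)
TELNET_IN = Packet("tcp", "10.0.0.2", 23, "in", PIF)


def reached_rules(rules: List[Rule], packets: List[Packet]) -> set:
    """Set of terminal rule numbers the sample packets end on."""
    return {evaluate(rules, p)[1] for p in packets}


if __name__ == "__main__":
    for name, rs in (("handbook", handbook_tail()), ("proposed", proposed_tail())):
        for p in (DNS_QUERY_OUT, TELNET_IN):
            print(f"{name}: {p.proto} {p.direction} -> {evaluate(rs, p)}")
```

The divert model is the main place where the simulator departs from the real kernel: with the default sysctl `net.inet.ip.fw.one_pass=1`, a packet that natd reinjects after a `divert` is accepted without further rule processing, so on a real box rule 801 matters mostly for the packets that reach it sequentially rather than through the skipto. That sequential path is exactly the one the mail is asking about, and the simulation reproduces it.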