Date:      Fri, 14 Apr 2006 04:42:53 -0700
From:      "Brett Proctor" <brettproctor@gmail.com>
To:        doc@freebsd.org
Subject:   26.6 IPFW: Couple things
Message-ID:  <3e19003d0604140442y29756ff5s3d05ff17a840575b@mail.gmail.com>

First off, let me say thank you to whoever is responsible for writing
all this. Really helpful stuff. I implemented the NAT-ed stateful
ruleset (the last example) and found a bug I believe. The offending
line:
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
the TCP part should be UDP I believe. In some previous sections it
seemed it listed both TCP and UDP rules for DNS, but I believe that
DNS only uses TCP.

Also, is this a bit logically inconsistent? (Very last line)
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any

Isn't it impossible for anything to get past rule 801? Doesn't it
essentially make it a default allow-all policy? If I'm not mistaken
shouldn't rule 999 be moved and changed to 799?

Thanks again for all this. The handbook is truly an invaluable resource.
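An added example, not part of this message or of the handbook ruleset it quotes: a small Python model of ipfw's first-match evaluation, run over a constructed fragment that contains only the rules quoted above, to see which rule ends up deciding an inbound and an outbound packet. It assumes $skip expands to "skipto 800" (as the comment on rule 800 suggests) and ignores protocol, address and port matching.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    num: int
    action: str        # "allow", "deny", "divert" or "skipto"
    direction: str     # "in", "out" or "any"
    target: int = 0    # jump target, used by skipto only

def evaluate(rules, direction):
    """ipfw-style walk for one packet travelling in `direction`: first match
    wins; skipto continues at the first rule numbered >= target; divert hands
    the packet to natd and it re-enters at the next rule.
    Returns (verdict, number of the rule that decided it)."""
    rules = sorted(rules, key=lambda r: r.num)
    i = 0
    while i < len(rules):
        r = rules[i]
        if r.direction not in ("any", direction):
            i += 1
            continue
        if r.action == "skipto":
            i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
            continue
        if r.action == "divert":
            i += 1          # natd reinjects the packet after the divert rule
            continue
        return r.action, r.num
    return "deny", 65535    # ipfw's implicit default rule

# Constructed fragment holding only the rules quoted in the message. Rule 20
# stands in for the outbound keep-state rules, assuming $skip is "skipto 800".
ORIGINAL = [
    Rule(20, "skipto", "out", 800),
    Rule(800, "divert", "out"),
    Rule(801, "allow", "any"),
    Rule(999, "deny", "any"),
]

# Same fragment with the deny-all moved to 799, as the message proposes.
PROPOSED = [
    Rule(20, "skipto", "out", 800),
    Rule(799, "deny", "any"),
    Rule(800, "divert", "out"),
    Rule(801, "allow", "any"),
]

def verdicts(rules):
    """Final (verdict, rule number) for an inbound and an outbound packet."""
    return {d: evaluate(rules, d) for d in ("in", "out")}
```

With the original ordering both directions terminate at rule 801 and rule 999 is never consulted; with the deny moved to 799, inbound traffic that did not match an earlier rule is dropped at 799 while outbound traffic still reaches 800/801 through the skipto.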