From: "Nuno Teixeira"
To: "Steve Reid"
Subject: Re: PPP NAT Gateway security
Date: Wed, 15 Nov 2000 00:05:28 -0000

Hi,

I've configured a 'client' firewall (in the /etc/rc.firewall) in FreeBSD for the private class C IP numbers of my network. It works OK inside the network but I can't get access to the Internet. I believe that this problem is related to my ISP (PPP analog modem) not giving me a static IP but a dynamic one.

What I'd like to do is something like what BlackIce does in Windows OS. Can I do the same work with IPFW?

Thanks very much,

Nuno Teixeira

----- Original Message -----
From: "Steve Reid"
To: "Nuno Teixeira"
Sent: Tuesday, November 14, 2000 10:45 PM
Subject: Re: PPP NAT Gateway security

> On Mon, Nov 13, 2000 at 10:50:05PM -0000, Nuno Teixeira wrote:
> > ppp -background -nat MYISP
> > It works OK and I have access to a lot of Internet services.
> > My question is: do I need to configure this machine with firewall, so I can
> > protect my internal network from the outside net?
>
> You probably don't _need_ a firewall, but it usually is a good idea.
> In practice NAT provides some protection, but that is not what NAT is
> intended for so I wouldn't rely on it.
>
> The usual way to do it is with ipfw or ipfilter. "man ipfw" and "man
> ipf" respectively. Because you're using userland PPP you can also do it
> via the ppp daemon ("man ppp"). I would recommend using ipfw or
> ipfilter though, as then you don't have to re-write your filter rules
> if you ever change to a non-ppp interface. You'll probably find more
> ipf/ipfw information than ppp filter information, because ipf and ipfw
> are more widely used. Google search for "ipfw howto" or "ipf howto"
> should turn up some nice docs.
>
> Both ipfw and ipf are stateful now, so AFAICS the remaining differences
> are relatively minor for most people. ipf has been ported to systems
> other than FreeBSD; ipfw works with ethernet bridging. There may be
> other differences I'm not aware of- I'm an ipf user myself and haven't
> used ipfw in years.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
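
An added example, not part of the thread and not written by either poster: a stateful ipfw ruleset for a userland-ppp NAT gateway that matches on the interface name, so it does not depend on the outside address the ISP assigns. The interface names `tun0` and `ed0`, the rule numbers, and the function name `gen_rules` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stateful ipfw rules for a dial-up gateway with a dynamic
# outside address. Every outside rule is keyed on the interface, never on an IP.
OIF="${OIF:-tun0}"   # assumed: tunnel interface used by userland ppp
IIF="${IIF:-ed0}"    # assumed: inside (LAN) interface

# Print the ruleset as one "ipfw ..." command per line.
gen_rules() {
    cat <<EOF
ipfw -q -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from 10.0.0.0/8 to any in via $OIF
ipfw add 310 deny ip from 172.16.0.0/12 to any in via $OIF
ipfw add 320 deny ip from 192.168.0.0/16 to any in via $OIF
ipfw add 400 check-state
ipfw add 500 allow tcp from any to any out via $OIF setup keep-state
ipfw add 510 allow udp from any to any out via $OIF keep-state
ipfw add 520 allow icmp from any to any out via $OIF keep-state
ipfw add 600 allow ip from any to any via $IIF
ipfw add 65000 deny log ip from any to any
EOF
}

# Rules 300-320: drop packets arriving from outside that claim a private source.
# Rule 400 lets replies to connections opened from inside back in; nothing
# else arriving on $OIF matches an allow rule, so it falls through to 65000.
if [ "${APPLY:-no}" = yes ]; then
    gen_rules | sh        # load the rules (needs root and ipfw in the kernel)
else
    gen_rules             # default: print the rules for review
fi
```

Run it as is to review the generated commands; set `APPLY=yes` on the gateway to load them.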