From owner-freebsd-questions Tue Feb 29 20:15:13 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from cytosine.dhs.org (cx272244-a.orng1.occa.home.com [24.1.177.149])
	by hub.freebsd.org (Postfix) with ESMTP id B236B37BFA4
	for ; Tue, 29 Feb 2000 20:15:10 -0800 (PST)
	(envelope-from bhishan@cytosine.dhs.org)
Received: (from bhishan@localhost)
	by cytosine.dhs.org (8.9.3/8.9.3) id UAA13595;
	Tue, 29 Feb 2000 20:15:04 -0800 (PST)
	(envelope-from bhishan)
From: Bhishan Hemrajani
Message-Id: <200003010415.UAA13595@cytosine.dhs.org>
Subject: Re: packet filtering from ppp
In-Reply-To: <200003010412.VAA18392@zen.alb.khoral.com> from Steve Jorgensen at "Feb 29, 2000 09:12:14 pm"
To: Steve Jorgensen
Date: Tue, 29 Feb 2000 20:15:03 -0800 (PST)
Cc: questions@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL68 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Try using rc.firewall in /etc to limit that stuff.. man ipfw

--bhishan

>
> I have a little 16 IP number net, that is connected
> to the internet via the user ppp on the gateway machine.
> I'm running on a FreeBSD 3.4-STABLE machine last cvsup'ed
> about a month ago. Since I have real IP numbers, I'm
> NOT using the -nat options to ppp, but I would like to use
> the set filter syntax to protect myself from prying external
> programs (in fact, I've been getting probed on my samba port for
> the last couple of weeks from various external ip numbers).
>
> Anyway, I set up my rules based on instructions I found
> in the ppp tutorial at http://www.freebsd.org/tutorials/ppp/x870.html,
> but I can't seem to get things to work right. The example shown
> indicates that only the specified services will be allowed to
> operate through the tun device, and all other packets will be
> blocked.
>
> However, when I run it, it either lets everything
> through or disallows any new external to internal connections
> to be started. This behavior is based on the following lines:
>
> set filter in 6 permit 0/0 MYGATEWAYADDR/24
> set filter out 6 permit MYGATEWAYADDR/24 0/0
>
> If I have these two lines set, it doesn't matter if I have any
> of the other lines in the tutorial, it allows all packets through.
> If I comment those two lines out, no new external connections
> can be established. Any help is appreciated, and I can make
> my full set filter lines available if it's necessary.
>
> Steve
>
> --
> -----------------------------------------------------------
> Steven Jorgensen steve@khoral.com steve@spukhaus.com
> ------------------------------+----------------------------
> Khoral Research Inc.          | PHONE: (505) 837-6500
> 6200 Uptown Blvd, Suite 200   | FAX: (505) 881-3842
> Albuquerque, NM 87110         | URL: http://www.khoral.com/
> -----------------------------------------------------------
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
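The first-match behaviour behind Steve's two rules, as an added example that is not part of this thread or of the ppp tutorial: a small Python simulator for a subset of the ppp.conf `set filter` syntax. It assumes the ppp(8) semantics that the rules of one filter are checked in ascending rule-number order, the first matching rule decides, a packet matching no rule is dropped, and a filter with no rules at all passes everything. The addresses are constructed: 192.0.2.0/24 stands in for MYGATEWAYADDR/24 and 198.51.100.7 for an outside host. The `BROAD` set reproduces the catch-all rule 6 from the message; the `NARROW` set is a hypothetical replacement that permits only established TCP (ACK set) at rule 6, so inbound connection attempts such as a probe of the Samba port fall through to the default deny while replies to outbound connections still pass.

```python
"""Simulate FreeBSD user-ppp 'set filter' evaluation (added example, not from the thread).

Assumed semantics (ppp(8)): rules of one filter are checked in ascending
rule-number order, the first matching rule decides, a packet matching no
rule is dropped, and a filter with no rules passes everything.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                   # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None   # tcp / udp / icmp, None = any protocol
    dst_port: Optional[int] = None
    estab: bool = False           # only TCP segments with ACK set
    syn: bool = False             # only TCP segments with SYN set


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    flags: frozenset = frozenset()


def parse_net(token: str) -> IPv4Network:
    # ppp's "0/0" shorthand means any address
    return ip_network("0.0.0.0/0" if token == "0/0" else token, strict=False)


def parse_filter(lines: List[str]) -> Dict[str, List[Rule]]:
    """Parse a subset of ppp.conf 'set filter' lines into {filter_name: [Rule]}.

    Supported: proto, 'dst eq PORT', 'estab', 'syn'. Anything else is rejected
    rather than silently ignored, so an unparsed option cannot widen a rule.
    """
    filters: Dict[str, List[Rule]] = {}
    for line in lines:
        tok = line.split()
        if tok[:2] != ["set", "filter"]:
            continue
        name, number, action, src, dst = tok[2], int(tok[3]), tok[4], tok[5], tok[6]
        rule = Rule(number, action, parse_net(src), parse_net(dst))
        rest = tok[7:]
        if rest and rest[0] in ("tcp", "udp", "icmp"):
            rule.proto = rest.pop(0)
        while rest:
            word = rest.pop(0)
            if word == "dst" and rest[:1] == ["eq"]:
                rest.pop(0)
                rule.dst_port = int(rest.pop(0))
            elif word == "estab":
                rule.estab = True
            elif word == "syn":
                rule.syn = True
            else:
                raise ValueError(f"unsupported token {word!r} in: {line}")
        filters.setdefault(name, []).append(rule)
    return filters


def matches(rule: Rule, pkt: Packet) -> bool:
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and pkt.dport != rule.dst_port:
        return False
    if rule.estab and "ack" not in pkt.flags:
        return False
    if rule.syn and "syn" not in pkt.flags:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, rule number); rule number is None for the defaults."""
    if not rules:                      # empty filter: everything passes
        return ("permit", None)
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):         # first match wins
            return (rule.action, rule.number)
    return ("deny", None)              # no match: dropped


# Constructed configs; 192.0.2.0/24 stands in for MYGATEWAYADDR/24.
BROAD = """
set filter in 0 permit 0/0 192.0.2.0/24 tcp dst eq 25
set filter in 6 permit 0/0 192.0.2.0/24
""".strip().splitlines()

NARROW = """
set filter in 0 permit 0/0 192.0.2.0/24 tcp dst eq 25
set filter in 6 permit 0/0 192.0.2.0/24 tcp estab
""".strip().splitlines()

# Constructed inbound packets on the tun interface.
PROBES = {
    "smb_probe": Packet("198.51.100.7", "192.0.2.10", "tcp", 139, frozenset({"syn"})),
    "web_reply": Packet("198.51.100.7", "192.0.2.10", "tcp", 1025, frozenset({"ack"})),
    "smtp_in":   Packet("198.51.100.7", "192.0.2.10", "tcp", 25, frozenset({"syn"})),
}


def decide(config_lines: List[str], packets: Dict[str, Packet]) -> Dict[str, str]:
    rules = parse_filter(config_lines).get("in", [])
    return {name: evaluate(rules, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, cfg in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(label, decide(cfg, PROBES))
```

With `BROAD`, every inbound packet reaches rule 6 and is permitted, which is exactly the "allows all packets through" symptom; with `NARROW`, the SYN to port 139 matches nothing and is dropped, while the reply to an outbound web connection and the SMTP connection are still allowed. Removing rule 6 entirely, as the message describes, leaves no rule for reply traffic either, which is the "no new external connections" symptom.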