From owner-freebsd-questions Tue Feb 29 20:19:39 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from charon.khoral.com (charon.khoral.com [209.75.155.97]) by hub.freebsd.org (Postfix) with SMTP id 632AE37B6D7 for ; Tue, 29 Feb 2000 20:19:37 -0800 (PST) (envelope-from steve@khoral.com)
Received: from zen.alb.khoral.com by charon.khoral.com via smtpd (for hub.FreeBSD.ORG [204.216.27.18]) with SMTP; 1 Mar 2000 04:19:37 UT
Received: (from steve@localhost) by zen.alb.khoral.com (8.9.3/8.9.3) id VAA18525; Tue, 29 Feb 2000 21:19:29 -0700 (MST)
From: Steve Jorgensen
Message-Id: <200003010419.VAA18525@zen.alb.khoral.com>
Subject: Re: packet filtering from ppp
To: bhishan@cytosine.dhs.org (Bhishan Hemrajani)
Date: Tue, 29 Feb 2000 21:19:29 -0700 (MST)
Cc: questions@FreeBSD.ORG
In-Reply-To: <200003010415.UAA13595@cytosine.dhs.org> from "Bhishan Hemrajani" at Feb 29, 2000 08:15:03 PM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Bhishan Hemrajani wrote:
> Try using rc.firewall in /etc to limit that stuff..
> man ipfw

I didn't think you could use the ipfw and rc.firewall stuff on the tun0
device. Am I mistaken?

Steve

> --bhishan
>
> > I have a little 16 IP number net that is connected
> > to the internet via the user ppp on the gateway machine.
> > I'm running on a FreeBSD 3.4-STABLE machine last cvsup'ed
> > about a month ago. Since I have real IP numbers, I'm
> > NOT using the -nat options to ppp, but I would like to use
> > the set filter syntax to protect myself from prying external
> > programs (in fact, I've been getting probed on my samba port for
> > the last couple of weeks from various external ip numbers).
> >
> > Anyway, I set up my rules based on instructions I found
> > in the ppp tutorial at http://www.freebsd.org/tutorials/ppp/x870.html,
> > but I can't seem to get things to work right. The example shown
> > indicates that only the specified services will be allowed to
> > operate through the tun device, and all other packets will be
> > blocked. However, when I run it, it either lets everything
> > through or disallows any new external to internal connections
> > to be started. This behavior is based on the following lines:
> >
> >     set filter in 6 permit 0/0 MYGATEWAYADDR/24
> >     set filter out 6 permit MYGATEWAYADDR/24 0/0
> >
> > If I have these two lines set, it doesn't matter if I have any
> > of the other lines in the tutorial, it allows all packets through.
> > If I comment those two lines out, no new external connections
> > can be established. Any help is appreciated, and I can make
> > my full set filter lines available if it's necessary.
> >
> > Steve

-- 
-----------------------------------------------------------
Steven Jorgensen         steve@khoral.com   steve@spukhaus.com
------------------------------+----------------------------
Khoral Research Inc.          | PHONE: (505) 837-6500
6200 Uptown Blvd, Suite 200   | FAX:   (505) 881-3842
Albuquerque, NM 87110         | URL:   http://www.khoral.com/
-----------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
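The two observations in the quoted message (everything passes with rule 6 present, nothing new gets in without it) are what first-match evaluation of ppp(8) filter rules predicts: rule 6 has no protocol or port, so it matches every packet whose destination is in the /24, and once any rule is set, a packet that matches no rule is dropped. The model below is an added example, not code from the thread or from ppp itself. It assumes that simplified semantics (numeric order, first match wins, implicit deny when at least one rule exists), handles only the src/dst/proto/"dst eq port" fields, and uses constructed rule sets in which the documentation address 192.0.2.17 stands in for MYGATEWAYADDR and the 16-address net is 192.0.2.16/28.

```python
"""Toy first-match model of user ppp(8) 'set filter in/out' rules.

Added example; not the thread's or ppp's own code. Simplifications (assumed):
rules are tried in numeric order, the first match decides, a packet matching
no rule is dropped once any rule exists, and an empty rule list passes everything.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    num: int
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None      # None: matches any protocol
    dst_port: Optional[int] = None   # None: matches any destination port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def parse_net(spec: str) -> ipaddress.IPv4Network:
    if spec == "0/0":                # ppp shorthand for "any address"
        spec = "0.0.0.0/0"
    # strict=False: "192.0.2.17/24" denotes the whole 192.0.2.0/24, i.e. 256
    # addresses, not the 16 the poster actually owns
    return ipaddress.ip_network(spec, strict=False)


def parse_rules(text: str) -> dict:
    """Return {"in": [Rule...], "out": [Rule...]} sorted by rule number."""
    rules = {"in": [], "out": []}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["set", "filter"]:
            continue
        direction, num, action, src, dst = t[2], int(t[3]), t[4], t[5], t[6]
        proto = t[7] if len(t) > 7 else None
        port = int(t[t.index("eq") + 1]) if "eq" in t else None  # only "dst eq N" modelled
        rules[direction].append(Rule(num, action, parse_net(src), parse_net(dst), proto, port))
    for d in rules:
        rules[d].sort(key=lambda r: r.num)
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules, pkt: Packet):
    """Return (action, rule_number); rule_number is None for the implicit cases."""
    if not rules:
        return "permit", None        # no filter configured: ppp passes everything
    for r in rules:                  # already sorted by number
        if matches(r, pkt):
            return r.action, r.num
    return "deny", None              # implicit deny once any rule exists


# Constructed rule sets (hypothetical services, not the tutorial's rules).
SERVICE_RULES = """
set filter in  0 permit 0/0 192.0.2.17/28 tcp dst eq 25
set filter in  1 permit 0/0 192.0.2.17/28 tcp dst eq 80
set filter out 0 permit 192.0.2.17/28 0/0
"""
# Same rules plus the two catch-all lines quoted in the thread (no proto, /24).
CATCHALL_RULES = SERVICE_RULES + """
set filter in  6 permit 0/0 192.0.2.17/24
set filter out 6 permit 192.0.2.17/24 0/0
"""


def audit() -> dict:
    """Show what an inbound SMB probe (tcp/139) and an SMTP packet get with each set."""
    probe = Packet("198.51.100.9", "192.0.2.17", "tcp", 139)   # constructed probe
    smtp = Packet("198.51.100.9", "192.0.2.17", "tcp", 25)
    return {
        "catchall_probe": evaluate(parse_rules(CATCHALL_RULES)["in"], probe),
        "service_probe": evaluate(parse_rules(SERVICE_RULES)["in"], probe),
        "service_smtp": evaluate(parse_rules(SERVICE_RULES)["in"], smtp),
    }


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

With the catch-all rule 6 in place the probe to tcp/139 is permitted by rule 6 (as is traffic to any of the 240 other addresses in the /24); with only the service-specific rules it falls through to the implicit deny, while the SMTP packet is still permitted by rule 0. That matches the two behaviours described in the quoted message and suggests tightening both the protocol/port and the prefix length on any blanket permit.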