Date: Tue, 6 Aug 2002 08:36:36 +0000
From: Josh Paetzel <friar_josh@webwarrior.net>
To: "Daniel O'Connor" <doconnor@gsoft.com.au>, Darren Pilgrim <dmp@pantherdragon.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Routing question
Message-ID: <200208060836.36434.friar_josh@webwarrior.net>
In-Reply-To: <1028635431.20786.8.camel@chowder.dons.net.au>
References: <1028626347.16577.96.camel@chowder.gsoft.com.au> <3D4FAEEB.131312DE@pantherdragon.org> <1028635431.20786.8.camel@chowder.dons.net.au>

On Tuesday 06 August 2002 12:03, Daniel O'Connor wrote:
> On Tue, 2002-08-06 at 20:41, Darren Pilgrim wrote:
> > > I know, I already have one. I'd just rather have less administrative
> > > complexity.
> >
> > How do you define administrative complexity?
>
> Well, if I want to change rules it takes careful consideration so I
> don't block or allow something inadvertently.
>
> It almost doubles the number of needed rules :(
>
> > > > Disable NAT.
> > >
> > > Not possible..
> >
> > Why not?
>
> Uhh cause I only have 1 IP?
> What point are you trying to make?
>
> --
> Daniel O'Connor software and network engineer

If you are using IPFW then just refer to the external interface by name.
IPFW doesn't care a bit whether you call the interface tun0, or 12.23.34.45,
or anything else. I have used that setup for well over a year, and my
firewall ruleset is about 14 lines long. Deny all the rfc 1918 stuff in and
out, tunnel through 22 and 80, allow a tcp setup out on any port, allow a
response in, and do what you will with udp. (I personally allow it all. :-/)

I actually don't see any advantage to having a static IP and using the IP in
your ruleset. It's not like you can deny packets coming from your isp to that
IP or anything. ;)

Josh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
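
The kind of ruleset the message above describes, as an added example (not Josh's ruleset and not code from the thread): a shell function that prints ipfw commands keyed on the external interface name instead of its address. The rule numbers, the lo0 rule, the explicit final deny and the default name tun0 are assumptions; a NAT gateway would also need its divert rule and a pass rule for the inside interface.

```shell
#!/bin/sh
# Added example: print an ipfw ruleset that names the external interface,
# so the rules stay valid when the ISP assigns a different address.
# Review the output, then pipe it to sh as root to load it.

emit_rules() {
    ext_if="$1"
    # Accept only plausible interface names (tun0, fxp0, ...); anything
    # else could smuggle extra shell text into the generated commands.
    case "$ext_if" in
        ""|*[!a-z0-9]*) echo "bad interface name" >&2; return 1 ;;
    esac

    n=100                                   # assumed rule numbering
    rule() { echo "ipfw add $n $*"; n=$((n + 100)); }

    rule allow ip from any to any via lo0   # assumption: keep loopback open

    # RFC 1918 sources must never arrive on the outside interface ...
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule deny ip from "$net" to any in via "$ext_if"
    done
    # ... and RFC 1918 destinations must never leave through it.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule deny ip from any to "$net" out via "$ext_if"
    done

    # Inbound connections only to ssh and http.
    rule allow tcp from any to any 22,80 in via "$ext_if" setup
    # Any outbound TCP connection may be opened ...
    rule allow tcp from any to any out via "$ext_if" setup
    # ... and packets of already established connections pass.
    rule allow tcp from any to any established
    # UDP policy is left open, as in the message; tighten to taste.
    rule allow udp from any to any
    # Assumption: explicit final deny instead of relying on the default rule.
    rule deny ip from any to any
}

emit_rules "${1:-tun0}"
```

No rule contains the machine's own address, which is why the same output works for a dynamically addressed tun0.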