Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 29 Dec 2001 13:07:34 +0100
From:      "Simon 'corecode' Schubert" <corecode@corecode.ath.cx>
To:        "Joe & Fhe Barbish" <barbish@a1poweruser.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: IPFW rc.firewall
Message-ID:  <20011229130734.596f3a12.corecode@corecode.ath.cx>
In-Reply-To: <LPBBIGIAAKKEOEJOLEGOKEJNCKAA.barbish@a1poweruser.com>
References:  <20011228120842.0f3205df.corecode@corecode.ath.cx> <LPBBIGIAAKKEOEJOLEGOKEJNCKAA.barbish@a1poweruser.com>

next in thread | previous in thread | raw e-mail | index | archive | help
--=.p?C(JU7CUT8jw/
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Fri, 28 Dec 2001 11:19:38 -0500 "Joe & Fhe Barbish"
<barbish@a1poweruser.com> wrote:

> I reviewed your tutorial. I see that it's a copy of the
> rc.firewall file with the symbolic variables for the
> "simple" network filled in for your environment. You have
> the second statement under the comments  #stop spoofing
> commented out because in a user ppp dialout to the ISP you
> are getting dynamic IP's and this rule needs {onet) & {omask)
> a static IP value, which you don't have because it always
> changes each time you dial your ISP.
> 
> # Stop spoofing
>      ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
> # ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

well, yes, kinda... :)
in the first place i disabled it to enable spoofing from inside ;] 
but you are right, without knowledge of the onet (which is pretty much
0/0) this rule doesn't work.

> I am in this same situation.  I think there is a way to get
> the info needed for {onet} & {omask}. The rc.conf file controls
> the startup sequence of FBSD functions. If user ppp statements
> come before the IPFW statements in rc.conf then FBSD will know
> the dynamic IP address before IPFW starts.

this is only the reason if you just dial out once the system starts. if
you dial out later your ip changes but the ruleset doesn't get loaded.

if you want to set the rules according to your current ip address you
could use a /etc/ppp/linkup script that resets the ipfw ruleset.

but with my ruleset this is not needed. i wrote it just with the use of
 ... via ${oif}
and ... keep-state

i think this is a pretty good ruleset (for nat'ed users) but it has a
disadvantage: connections time out if not used (because of the
keep-state). but i don't mind much about this stuff as i can live with
it and it improves the security (well i think it does).

cheerz
  corecode

-- 
/"\   http://corecode.ath.cx/
\ /
 \     ASCII Ribbon Campaign
/ \  Against HTML Mail and News

--=.p?C(JU7CUT8jw/
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)

iD8DBQE8LbIKr5S+dk6z85oRAi1aAJ9rjhnY6+ZfISz1uCquPRn1JSaQhQCfbf4Y
gGPi3JrUr91WPP4xoWP/evM=
=5WGH
-----END PGP SIGNATURE-----

--=.p?C(JU7CUT8jw/--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011229130734.596f3a12.corecode>