Date:      Sun, 28 Nov 2004 04:48:47 +0000
From:      Jonathon McKitrick <jcm@FreeBSD-uk.eu.org>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Is this a hole in my firewall?
Message-ID:  <20041128044847.GA1435@dogma.freebsd-uk.eu.org>
In-Reply-To: <20041128013135.GD662@gothmog.gr>
References:  <20041127215612.GA86416@dogma.freebsd-uk.eu.org> <20041128013135.GD662@gothmog.gr>

On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
: AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
: you also have rule 00200 in there.

Hmmm.... here's a run after having the laptop running for a bit.  I don't
see why 200 doesn't cover the case either.

root@neptune:~# ipfw show
00100    0       0 check-state
00200 6709 1277079 allow ip from me to any keep-state out xmit tun0
00300 2093  645797 allow ip from any to any keep-state out xmit tun0
00400   91    7308 deny tcp from any to any in recv tun0 established
00500   43    6869 allow ip from any to any via vr0
00600   52    3080 allow ip from any to any via lo0
00700    0       0 deny ip from any to 127.0.0.0/8
00800    0       0 deny ip from 127.0.0.0/8 to any
00900    0       0 allow tcp from any to me 22 keep-state in recv vr0 setup
01000    0       0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
01100   11    1371 deny log logamount 100 ip from any to any
65535    0       0 deny ip from any to any
root@neptune:~# 


jm
--
My other computer is your Windows box.
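As an added illustration (not part of the thread), the evaluator below parses the `ipfw show` output quoted above and performs first-match evaluation of the static rules for a given packet. It shows why a packet leaving tun0 only hits 00200 when its source address is one of the host's own addresses (`me`), while a packet with any other source, such as one the box forwards for another machine, falls through to 00300. The addresses in `ME` are constructed stand-ins; check-state and the dynamic rules keep-state creates are not modelled.

```python
import ipaddress
import re
# Ruleset pasted verbatim from the `ipfw show` output in the message above.
IPFW_SHOW = """\
00100    0       0 check-state
00200 6709 1277079 allow ip from me to any keep-state out xmit tun0
00300 2093  645797 allow ip from any to any keep-state out xmit tun0
00400   91    7308 deny tcp from any to any in recv tun0 established
00500   43    6869 allow ip from any to any via vr0
00600   52    3080 allow ip from any to any via lo0
00700    0       0 deny ip from any to 127.0.0.0/8
00800    0       0 deny ip from 127.0.0.0/8 to any
00900    0       0 allow tcp from any to me 22 keep-state in recv vr0 setup
01000    0       0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
01100   11    1371 deny log logamount 100 ip from any to any
65535    0       0 deny ip from any to any
"""
ME = {"192.168.1.1", "198.51.100.7"}  # constructed stand-ins for the host's own addresses
RULE = re.compile(r"^(\d+)\s+\d+\s+\d+\s+(allow|deny)(?:\s+log\s+logamount\s+\d+)?"
                  r"\s+(ip|tcp|icmp)\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+(\d+))?(.*)$")

def parse_rules(text):  # static rules only; check-state is skipped (no dynamic state kept)
    rules = []
    for m in filter(None, map(RULE.match, text.splitlines())):
        num, action, proto, src, dst, port, rest = m.groups()
        toks, opts = rest.split(), {}
        while toks:  # options are bare flags or a keyword followed by its argument
            key = toks.pop(0)
            opts[key] = toks.pop(0) if key in ("xmit", "recv", "via", "icmptype") else True
        rules.append((int(num), action, proto, src, dst, port and int(port), opts))
    return rules

def addr_ok(spec, addr):  # "any", "me" (the host's own addresses) or a CIDR block
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, p):
    _, _, proto, src, dst, port, o = rule
    d, i = p["dir"], p["iface"]
    ok = {"in": d == "in", "out": d == "out", "via": i == o.get("via"),
          "xmit": (d, i) == ("out", o.get("xmit")), "recv": (d, i) == ("in", o.get("recv")),
          "established": p.get("established", False), "setup": p.get("setup", False),
          "icmptype": str(p.get("icmptype")) in o.get("icmptype", "").split(",")}
    return (proto in ("ip", p["proto"]) and addr_ok(src, p["src"]) and addr_ok(dst, p["dst"])
            and (not port or p.get("dport") == port)
            and all(ok.get(k, True) for k in o))  # keep-state is an action, not a condition
def first_match(pkt, rules=parse_rules(IPFW_SHOW)):  # -> (rule number, action) or None
    return next(((r[0], r[1]) for r in rules if matches(r, pkt)), None)
```

The same run also shows why 00900 sits at zero hits: an SSH SYN arriving on vr0 is already accepted by 00500 before 00900 is ever consulted.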