Date: Fri, 4 Feb 2005 15:09:36 -0500
From: Bill Moran <wmoran@potentialtech.com>
To: Duane Winner <dwinner-lists@att.net>
Cc: freebsd-security@freebsd.org
Subject: Re: need ipfw clarification
Message-ID: <20050204150936.70e843fd.wmoran@potentialtech.com>
In-Reply-To: <4203D4BC.30409@att.net>
References: <42028032.2020701@att.net> <4202834D.7030000@supsi.ch> <4203D4BC.30409@att.net>
Duane Winner <dwinner-lists@att.net> wrote:

> Thanks Roberto,
>
> Just to make sure I understand though, I only need to be concerned with
> "forwarding" and "forward rules" if I'm setting up a multi-homed host
> (i.e., router), is this correct?

It doesn't even apply then.

IPFW forwarding forwards packets and rewrites their IP headers to make
one machine look like another. While this is commonly used on firewalls,
it's not the same thing as turning on forwarding (i.e. routing between
interfaces) and isn't required to set up a multi-homed "router".

For example, I use IPFW forwarding so that my firewall forwards VNC
packets to my desktop, so outsiders can connect directly to my desktop
through the firewall.

> If I'm just using ipfw for single-host based firewall protection, then
> forwarding doesn't apply, right?

That's correct.

> Thanks again,
> Duane
>
> Roberto Nunnari wrote:
>
> > Hi Duane.
> >
> > I had the same problem.. With 5.2.1 I had working forward rules
> > and they were broken with 5.3
> >
> > after some fiddling I managed to have that work again.. just
> > add them to your kernel:
> >
> > options IPFIREWALL
> > options IPFIREWALL_DEFAULT_TO_ACCEPT
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_FORWARD
> >
> > if you don't add them to your kernel, forwarding in ipfw will
> > be disabled.
> >
> > Ciao.
> >
> > Duane Winner wrote:
> >
> >> Hello,
> >>
> >> I noticed that after enabling firewall in my kernel (5.3-release), my
> >> dmesg now gives me this:
> >>
> >> ipfw2 initialized, divert disabled, rule-based forwarding disabled,
> >> default to accept, logging limited to 5 packets/entry by default
> >>
> >> On 5.2.1, I used to get this:
> >>
> >> ipfw2 initialized, divert disabled, rule-based forwarding enabled,
> >> default to accept, logging disabled
> >>
> >> In both cases, I am adding this to my KERNEL config:
> >>
> >> options IPFIREWALL
> >> options IPFIREWALL_DEFAULT_TO_ACCEPT
> >>
> >> It seems that the major difference between 5.2.1 and 5.3 is that now
> >> rule-based forwarding is disabled.
> >>
> >> Is this correct? And what exactly is rule-based forwarding? I'm
> >> guessing that it doesn't really apply to my situation, as in these
> >> cases, I am using IPFW to create a deny all inbound to my laptop when
> >> I'm on the road. But I just want to make sure.
> >>
> >> Thanks,
> >> DW
> >> _______________________________________________
> >> freebsd-security@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >> To unsubscribe, send any mail to
> >> "freebsd-security-unsubscribe@freebsd.org"

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
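The distinction drawn in the thread, as an added example that is not part of the original messages: a small sh script (assumed FreeBSD 5.x ipfw2 rule syntax; the two dmesg banners are constructed copies of the ones Duane quoted, and the inside address 192.168.1.10 is an assumed value) that tests the ipfw banner for rule-based forwarding, emits the single-host deny-all-inbound ruleset Duane describes (which needs no fwd rule and leaves net.inet.ip.forwarding at 0), and emits a fwd rule of the kind Bill uses for VNC only when the banner shows the kernel was built with IPFIREWALL_FORWARD.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes FreeBSD 5.x ipfw2 rule syntax;
# nothing here talks to the kernel, so it runs anywhere /bin/sh does.

# Constructed copies of the two ipfw banners quoted in the thread.
DMESG_53='ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to accept, logging limited to 5 packets/entry by default'
DMESG_521='ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to accept, logging disabled'

# Succeeds only if the banner says "rule-based forwarding enabled", i.e. the
# kernel has IPFIREWALL_FORWARD. On a live box you would feed it
# "$(dmesg | grep '^ipfw2')".
ipfw_fwd_enabled() {
    case "$1" in
        *'rule-based forwarding enabled'*) return 0 ;;
        *) return 1 ;;
    esac
}

# The single-host case from the thread: a laptop that should answer nothing
# inbound. No fwd rule is involved, and net.inet.ip.forwarding (the
# routing-between-interfaces knob, set by gateway_enable) stays 0. The
# explicit final deny means IPFIREWALL_DEFAULT_TO_ACCEPT never gets a say;
# "deny log" only logs if the kernel also has IPFIREWALL_VERBOSE.
# Output is in "ipfw add" form, one rule per line.
laptop_ruleset() {
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 check-state
add 400 allow tcp from me to any out setup keep-state
add 500 allow udp from me to any out keep-state
add 600 allow icmp from any to any icmptypes 0,3,11
add 65000 deny log ip from any to any
EOF
}

# Bill's case: hand inbound VNC (tcp/5900) arriving at the firewall to an
# inside host. Emitted only when the banner shows rule-based forwarding is
# compiled in; without IPFIREWALL_FORWARD the fwd action is disabled
# (Roberto's point), so loading the rule would not do what you expect.
# $1 is the ipfw banner, $2 the inside address (assumed value in the demo).
fwd_rule() {
    banner=$1
    inside=$2
    if ipfw_fwd_enabled "$banner"; then
        printf 'add 1000 fwd %s,5900 tcp from any to me 5900 in\n' "$inside"
        return 0
    fi
    echo 'kernel lacks IPFIREWALL_FORWARD; fwd rule not emitted' >&2
    return 1
}

# Demo when run directly: the 5.3 kernel from the thread gets the laptop
# ruleset but no fwd rule.
laptop_ruleset
fwd_rule "$DMESG_53" 192.168.1.10 || true
```

To apply the laptop ruleset on a real host you would pipe `laptop_ruleset` into `ipfw -q /dev/stdin` after `ipfw -q flush`; the fwd rule only belongs on a box that has IPFIREWALL_FORWARD and a reason to forward.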