Date:      Thu, 22 Oct 1998 11:38:41 -0700
From:      Studded <Studded@gorean.org>
To:        junkmale@xtra.co.nz
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: default rules in rc.firewall cause problem
Message-ID:  <362F7BB1.71A13EF3@gorean.org>
References:  <199810221629.FAA27065@cyclops.xtra.co.nz>

	This is about the 8th time I've seen this post of yours. You are
missing several important aspects of this situation. First off, the
outside interface should NEVER see traffic from RFC 1918 space, so if
you have to modify this rule to get your system to work then your system
is screwed. 

	Second, there is no possible way that anyone can help you with this
problem if you don't post the details of your setup. The fragment that
you've posted here is virtually meaningless, and the only reason I
understand what you're talking about is that I've read this or similar
posts so many times. 

	If you want help, post your whole firewall setup to freebsd-questions
and ask for help. However, if you're not interested in help, please stop
making this post, as you are incorrect and I for one am tired of seeing
it. 

Doug


Dan Langille wrote:
> 
> I've been setting up a firewall using the open model supplied in
> /etc/rc.firewall as the basis of our security.  I've found that one of the
> rules, designed to "# Stop RFC1918 nets on the outside interface" does not
> seem to be very useful, at least in my situation.  The rule in question is:
> 
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> 
> The subnet is within the 192.168.*.* range.  ed1 is the subnet, and ed0 is
> the ISP.  In order for any traffic to get outside, I need to modify the
> above rule to:
> 
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out
> 
> Does this make sense?
> 
> I suspect the other rules will exhibit the same characteristics with their
> respective subnets.
> 
> --
> Dan Langille
> DVL Software Limited
> The FreeBSD Diary - my [mis]adventures
> http://www.FreeBSDDiary.com
> 

-- 
***           Chief Operations Officer, DALnet IRC network          ***

    Go PADRES!
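To make the disagreement above concrete, here is an added example (not code from either poster or from rc.firewall) that models how ipfw's "via", "in" and "out" qualifiers decide whether the quoted rule matches a packet. It assumes ${oif} is ed0 as in the quoted post, uses constructed packets, and the "natted_reply" packet assumes a setup where the LAN is translated to a public address, which the thread does not describe.

```python
# Added example (not from the thread): a small model of how ipfw's
# "via", "in" and "out" qualifiers decide whether the rc.firewall rule
#   $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
# matches a packet. Packets are constructed; ${oif} = ed0 is assumed.
import ipaddress

RULE_DST_NET = ipaddress.ip_network("192.168.0.0/16")
OIF = "ed0"  # assumed outside interface, taken from the quoted post


def rule_matches(pkt, qualifier="via"):
    """True if 'deny all from any to 192.168.0.0/16 <qualifier> ed0' hits pkt.

    pkt has src, dst, iface and direction ('in' or 'out').
    'via' matches either direction on the interface; 'in'/'out' match one.
    """
    if pkt["iface"] != OIF:
        return False
    if qualifier != "via" and pkt["direction"] != qualifier:
        return False
    return ipaddress.ip_address(pkt["dst"]) in RULE_DST_NET


# Constructed packets for the quoted setup: ed1 = 192.168/16 LAN, ed0 = ISP.
PACKETS = {
    # LAN host talking to the outside; destination is public, rule never fires
    "lan_request": {"src": "192.168.1.5", "dst": "198.51.100.7",
                    "iface": "ed0", "direction": "out"},
    # reply routed back by the ISP to the private address (no translation)
    "unnatted_reply": {"src": "198.51.100.7", "dst": "192.168.1.5",
                       "iface": "ed0", "direction": "in"},
    # packet from the outside addressed straight at the private LAN
    "spoofed_inbound": {"src": "203.0.113.9", "dst": "192.168.1.5",
                        "iface": "ed0", "direction": "in"},
    # reply in an assumed translated setup: addressed to the public side
    "natted_reply": {"src": "198.51.100.7", "dst": "192.0.2.1",
                     "iface": "ed0", "direction": "in"},
}


def blocked_by(qualifier):
    """Names of the constructed packets the rule denies under a qualifier."""
    return sorted(n for n, p in PACKETS.items() if rule_matches(p, qualifier))


if __name__ == "__main__":
    print("via:", blocked_by("via"))  # ['spoofed_inbound', 'unnatted_reply']
    print("out:", blocked_by("out"))  # []
```

With "via", the unmodified rule blocks the reply only because the ISP is delivering packets for 192.168 space to the outside interface, which is the condition the reply above says should never occur; adding "out" lets that reply through but also stops the rule from filtering any inbound packet aimed at the private LAN.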
