Date:      Sun, 02 Dec 2001 13:43:34 
From:      "Thor Legvold" <tlegvold@hotmail.com>
To:        cjc@FreeBSD.ORG
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Firewall rules (ipfw)
Message-ID:  <F101YbZhoItg3V3Ny2A000137f7@hotmail.com>

Crist wrote:

>These DHCP rules are a bit messed up. ITYM something more like,

Duly noted. Thanks. BTW, what's ITYM mean?

> > # Allow GRE & PPTP control connection
> > ${fwcmd} add allow tcp from any to any 1723 in recv cable0 setup
> > ${fwcmd} add allow gre from any to any via cable0
>
>Nothing here allows you to talk back on that TCP connection.

Meaning I should allow TCP on 1723 both ways? Are both machines using 1723, 
or only the PPTP server (client in that case on >1023?)

> > # Stop all other traffic via cable0 - only GRE/PPTP/DHCP allowed
> > ${fwcmd} add deny log all from any to any via cable0
>
>Nothing else at all is going to go in or out? OK.

Well, my intention was to allow GRE only incoming to nat (as only GRE 
packets are intended for my machine over the cable0/pptp link - all else is 
garbage, or dhcp), and anything outgoing (via nat). That would reduce 80% of 
the traffic on the cable0 iface reaching nat and my LAN. Seems that's not 
really feasible though.

> > # NAT
> > ${fwcmd} add divert natd log all from any to any via tun0
>
>OK.

Not ok. Nothing reaches nat (tried it today). I also tried allowing only GRE 
to nat (instead of all), that didn't work either (I think because while 
incoming packets are gre, outgoing ones aren't...)

Guess I'll go back to diverting all and concentrate on getting the rules 
right when the packets appear on the tun0 iface coming in.

>--
>Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
>http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

Regards,
Thor
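An added example, not from either poster, showing one way to close the gap Crist points out: the original `setup` rule only matches the SYN that opens the PPTP control connection, so nothing lets the rest of that TCP conversation through in either direction. The PPTP server listens on TCP 1723 and the client side of the connection uses an ephemeral port above 1023, so the fix below keys the rule on port 1723 and lets ipfw's dynamic rules (`check-state` / `keep-state`) admit the matching reply packets, regardless of which end is the server. The interface names cable0 and tun0 come from the thread; the rule numbers and the `fwcmd` dry-run default are constructed for this example, and the DHCP rules the thread mentions but does not quote are left out.

```shell
#!/bin/sh
# Added example (not the poster's ruleset). fwcmd defaults to "echo ipfw" so
# running this script only prints the rules it would load; set
# fwcmd="/sbin/ipfw" in the environment to load them for real.
fwcmd="${fwcmd:-echo ipfw}"

pptp_rules() {
    # Dynamic rules created by keep-state are consulted here, before any
    # static rule, so reply packets of an accepted session are matched first.
    ${fwcmd} add 1000 check-state

    # PPTP control connection: the first SYN towards TCP port 1723 (server
    # side) is accepted and a dynamic rule is created for the session. The
    # client end uses an ephemeral port (>1023), which "any" covers. "via"
    # matches both directions on cable0, so this works whether the box is the
    # PPTP client or the server.
    ${fwcmd} add 1010 allow tcp from any to any 1723 via cable0 setup keep-state

    # GRE carries the tunnelled PPP frames; it has no ports, so allow it in
    # both directions on the cable interface (same as the original rule).
    ${fwcmd} add 1020 allow gre from any to any via cable0

    # Anything else arriving or leaving on cable0 is dropped and logged. The
    # DHCP rules discussed in the thread belong above this line (omitted here).
    ${fwcmd} add 1090 deny log all from any to any via cable0

    # NAT is applied on the PPTP tunnel interface, not on cable0, so only
    # traffic that has already been decapsulated reaches natd.
    ${fwcmd} add 2000 divert natd all from any to any via tun0
}

pptp_rules
```

With the default `fwcmd` the script is a harmless dry run; inspect the printed rules, then rerun with `fwcmd=/sbin/ipfw` once the order (check-state first, deny last on cable0, divert on tun0) matches what you expect.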