(Yet Another) Home Networking Question
Rishi Chopra
rchopra at cal.berkeley.edu
Mon Jan 12 19:08:22 PST 2004
Thanks for the generally good info; the 'me' keyword was the key piece
of info that I needed =)
Lowell Gilbert wrote:
>Rishi Chopra <rchopra at cal.berkeley.edu> writes:
>
>
>
>>Perhaps someone can help me with this small part of rc.firewall:
>>
>>[Ss][Ii][Mm][Pp][Ll][Ee])
>> ############
>> # This is a prototype setup for a simple firewall. Configure this
>> # machine as a named server and ntp server, and point all the machines
>> # on the inside at this machine for those services.
>> ############
>>
>> # set these to your outside interface network and netmask and ip
>> oif="ed0"
>> onet="192.0.2.0"
>> omask="255.255.255.0"
>> oip="192.0.2.1"
>>
>> # set these to your inside interface network and netmask and ip
>> iif="ed1"
>> inet="192.0.2.1"
>> imask="255.255.255.0"
>> iip="192.0.2.17"
>>
>>I'm curious about the difference between 'inet' and 'iip', what each
>>one stands for, and how to configure 'onet/oip' if the outside
>>interface network is configured via DHCP.
>>
>>
>
>Look a little more closely at the comment right before those lines.
>'iif' is "Inside InterFace," 'inet' is "Inside NETwork," 'imask' is
>"Inside netMASK," and 'iip' is "Inside IP address."
>
>If your ouside address is assigned by DHCP, you can't set those in the
>script. You can use the "me" keyword (see "man 8 ipfw"), or set up
>the firewall in a DHCP hook, or just skip the address (it doesn't
>actually give you any extra security if you've got a single address on
>a single Ethernet network).
>
>
>
>>I'm also curious about this little snippet (under the 'simple' profile):
>>
>> # Everything else is denied by default, unless the
>> # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>> # config file.
>>
>>What happens if this option is set in my kernel config file? Can I
>>safely comment out this line and use the 'simple' profile without
>>affecting natd?
>>
>>
>
>It doesn't affect natd either way. Defaulting to deny is definitely
>the way to configure a firewall for security purposes -- don't accept
>anything you haven't explicitly configured yourself to let in.
>
>
>
More information about the freebsd-questions
mailing list