(Yet Another) Home Networking Question

Rishi Chopra rchopra at cal.berkeley.edu
Mon Jan 12 19:08:22 PST 2004 

Thanks for the generally good info; the 'me' keyword was the key piece 
of info that I needed =)

Lowell Gilbert wrote:

>Rishi Chopra <rchopra at cal.berkeley.edu> writes:
>
>  
>
>>Perhaps someone can help me with this small part of rc.firewall:
>>
>>[Ss][Ii][Mm][Pp][Ll][Ee])
>>        ############
>>        # This is a prototype setup for a simple firewall.  Configure this
>>        # machine as a named server and ntp server, and point all the machines
>>        # on the inside at this machine for those services.
>>        ############
>>
>>        # set these to your outside interface network and netmask and ip
>>        oif="ed0"
>>        onet="192.0.2.0"
>>        omask="255.255.255.0"
>>        oip="192.0.2.1"
>>
>>        # set these to your inside interface network and netmask and ip
>>        iif="ed1"
>>        inet="192.0.2.1"
>>        imask="255.255.255.0"
>>        iip="192.0.2.17"
>>
>>I'm curious about the difference between 'inet' and 'iip', what each
>>one stands for, and how to configure 'onet/oip' if the outside
>>interface network is configured via DHCP.
>>    
>>
>
>Look a little more closely at the comment right before those lines.
>'iif' is "Inside InterFace," 'inet' is "Inside NETwork," 'imask' is
>"Inside netMASK," and 'iip' is "Inside IP address."
>
>If your ouside address is assigned by DHCP, you can't set those in the
>script.  You can use the "me" keyword (see "man 8 ipfw"), or set up
>the firewall in a DHCP hook, or just skip the address (it doesn't
>actually give you any extra security if you've got a single address on
>a single Ethernet network).
>
>  
>
>>I'm also curious about this little snippet (under the 'simple' profile):
>>
>>        # Everything else is denied by default, unless the
>>        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>>        # config file.
>>
>>What happens if this option is set in my kernel config file?  Can I
>>safely comment out this line and use the 'simple' profile without
>>affecting natd?
>>    
>>
>
>It doesn't affect natd either way.  Defaulting to deny is definitely
>the way to configure a firewall for security purposes -- don't accept
>anything you haven't explicitly configured yourself to let in.
>
>  
>

More information about the freebsd-questions mailing list