Is this a hole in my firewall?

Giorgos Keramidas keramida at ceid.upatras.gr
Sat Nov 27 17:32:50 PST 2004


On 2004-11-27 21:56, Jonathon McKitrick <jcm at FreeBSD-uk.eu.org> wrote:
> root at neptune:~# ipfw show
> 00100 0   0 check-state
> 00200 2 144 allow ip from me to any keep-state out xmit tun0
> 00300 0   0 allow ip from any to any keep-state out xmit tun0
> 00400 0   0 deny tcp from any to any in recv tun0 established
> 00500 0   0 allow ip from any to any via vr0
> 00600 0   0 allow ip from any to any via lo0
> 00700 0   0 deny ip from any to 127.0.0.0/8
> 00800 0   0 deny ip from 127.0.0.0/8 to any
> 00900 0   0 allow tcp from any to me 22 keep-state in recv vr0 setup
> 01000 0   0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
> 01100 0   0 deny log logamount 100 ip from any to any
> 65535 0   0 deny ip from any to any
>
> I added rule 300 so that my laptop on my wireless network can connect,
> ping, and get DNS and DHCP.  Is there a better way to specify this?

AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
you also have rule 00200 in there.
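As an added illustration (not part of the original thread, and not FreeBSD's own tooling): a small Python script that parses `ipfw show` output like the quoted ruleset and flags rules that an earlier rule provably covers, so that they can never be reached. The coverage logic is my own and deliberately conservative: it reports shadowing only when a prior rule is a superset on every field it understands (protocol, addresses, ports, direction, interface, `established`/`setup`, `icmptype`) and treats `keep-state` as an action modifier that does not narrow matching. The ruleset embedded below is copied from the quoted `ipfw show` output so the script runs offline.

```python
"""Conservative detection of shadowed ipfw rules from `ipfw show` output.

Added example: parses the textual rule list and reports rules that a
preceding rule provably covers (every packet the later rule could match
would already have matched the earlier one).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ruleset copied from the quoted `ipfw show` output in the thread.
SAMPLE = """\
00100 0   0 check-state
00200 2 144 allow ip from me to any keep-state out xmit tun0
00300 0   0 allow ip from any to any keep-state out xmit tun0
00400 0   0 deny tcp from any to any in recv tun0 established
00500 0   0 allow ip from any to any via vr0
00600 0   0 allow ip from any to any via lo0
00700 0   0 deny ip from any to 127.0.0.0/8
00800 0   0 deny ip from 127.0.0.0/8 to any
00900 0   0 allow tcp from any to me 22 keep-state in recv vr0 setup
01000 0   0 allow icmp from any to any via tun0 icmptype 0,3,8,11,12
01100 0   0 deny log logamount 100 ip from any to any
65535 0   0 deny ip from any to any
"""

# Keywords that end an address/port list and start the option section.
OPTION_WORDS = {"keep-state", "in", "out", "via", "recv", "xmit",
                "established", "setup", "icmptype", "log", "logamount"}
IFACE_WORDS = {"via", "recv", "xmit"}
FLAG_WORDS = {"established", "setup"}


@dataclass
class Rule:
    number: int
    pkts: int
    action: str
    proto: str = "ip"
    src: str = "any"
    sport: str = ""
    dst: str = "any"
    dport: str = ""
    direction: Optional[str] = None              # "in", "out" or None (both)
    iface: Optional[Tuple[str, str]] = None      # (via|recv|xmit, ifname)
    flags: frozenset = frozenset()               # established / setup
    icmptype: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse one `ipfw show` line: number pkts bytes action [log ...] proto from src [port] to dst [port] options."""
    toks = line.split()
    number, pkts = int(toks[0]), int(toks[1])
    rest = toks[3:]                      # skip the byte counter
    action = rest.pop(0)
    if action == "check-state":
        return Rule(number, pkts, action)
    if rest and rest[0] == "log":        # "log [logamount N]" is not a match field
        rest.pop(0)
        if rest and rest[0] == "logamount":
            rest.pop(0)
            rest.pop(0)
    proto = rest.pop(0)
    assert rest.pop(0) == "from"
    src = rest.pop(0)
    sport = rest.pop(0) if rest and rest[0] != "to" and rest[0] not in OPTION_WORDS else ""
    assert rest.pop(0) == "to"
    dst = rest.pop(0)
    dport = rest.pop(0) if rest and rest[0] not in OPTION_WORDS else ""
    rule = Rule(number, pkts, action, proto, src, sport, dst, dport)
    flags = set()
    while rest:
        tok = rest.pop(0)
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok in IFACE_WORDS:
            rule.iface = (tok, rest.pop(0))
        elif tok in FLAG_WORDS:
            flags.add(tok)
        elif tok == "icmptype":
            rule.icmptype = rest.pop(0)
        # keep-state only adds a dynamic rule; it does not restrict matching
    rule.flags = frozenset(flags)
    return rule


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def covers(a: Rule, b: Rule) -> bool:
    """True only when rule a is a provable superset of rule b on every field."""
    if "check-state" in (a.action, b.action):
        return False
    if a.proto not in ("ip", b.proto):
        return False
    if a.src not in ("any", b.src) or a.sport not in ("", b.sport):
        return False
    if a.dst not in ("any", b.dst) or a.dport not in ("", b.dport):
        return False
    if a.direction not in (None, b.direction):
        return False
    if a.iface is not None:              # "via X" covers "recv X" and "xmit X"
        if b.iface is None or a.iface[1] != b.iface[1]:
            return False
        if a.iface[0] != "via" and a.iface[0] != b.iface[0]:
            return False
    if not a.flags <= b.flags:           # each flag narrows the match
        return False
    return a.icmptype in (None, b.icmptype)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (earlier_rule, shadowed_rule) pairs; first covering rule wins."""
    found = []
    for i, b in enumerate(rules):
        for a in rules[:i]:
            if covers(a, b):
                found.append((a.number, b.number))
                break
    return found


if __name__ == "__main__":
    for earlier, later in shadowed_rules(parse_ruleset(SAMPLE)):
        print(f"rule {later:05d} can never match: rule {earlier:05d} covers it")
```

On the quoted ruleset the script reports rule 00900 as covered by rule 00500 (`allow ip from any to any via vr0` already accepts every packet that `in recv vr0` rule could see, `setup` or not), and the default rule 65535 as covered by 01100, which is expected for a trailing deny-all. It does not report 00300 as covered by 00200: `from me` is narrower than `from any`, so the superset check cannot prove it, and watching rule 00300's packet counter over time is the practical way to settle that question.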


