Is this a hole in my firewall?

Ruben de Groot mail25 at bzerk.org
Mon Nov 29 07:13:13 PST 2004


On Mon, Nov 29, 2004 at 02:44:58PM +0000, Jonathon McKitrick typed:
> On Mon, Nov 29, 2004 at 03:09:30PM +0100, Ruben de Groot wrote:
> : On Mon, Nov 29, 2004 at 01:21:14PM +0000, Jonathon McKitrick typed:
> : > On Mon, Nov 29, 2004 at 12:30:20PM +0100, Ruben de Groot wrote:
> : > : He's using ppp-nat. So packets from his laptop will first hit rule #300 and
> : > : only after that get "nat'ed". I believe this is normal behaviour.
> : > 
> : > Ah, yes.  I always forget about ppp-nat.
> : > 
> : > So, then, is this the best way to allow my laptop packets out?  Or does it
> : > still leave the laptop exposed?  I'd like to protect all the machines with
> : > one firewall, while keeping it simple, if possible.
> : 
> : Your laptop won't be "exposed" by this. You could however finetune your
> : ruleset a little bit by modifying rule 300 to something like:
> : 
> : allow ip from ${INTERNAL_NET} to any keep-state out xmit tun0
> : 
> : where INTERNAL_NET would be e.g. 192.168.0.0/24
> 
> Should I also run a firewall on the laptop then, since all traffic to the
> laptop is allowed to pass?

No. Only traffic on connections that were initiated by your laptop is 
allowed to pass. That what a stateful firewall does.

Ruben

> 
> jm
> -- 


More information about the freebsd-questions mailing list