IPFW: 24.6.5.7 An Example NAT and Stateful Ruleset

fbsd_user fbsd_user at a1poweruser.com
Fri May 6 05:32:30 PDT 2005


If you remove those 2 rules your firewall is completely open.
This means you will be deactivating your firewall protection.

You have to describe your environment in detail and post your rc.conf,
ipf.rules, and dmesg.boot files for people to look at.
Just saying you cannot get to the public internet does not mean
anything; you have to state just what you are trying to do.
When you run a test, look at the firewall log file to see what IP
address and port numbers you are logging.
This will give you pointers to the true nature of your problem.

From what you posted I would say you do not know what you are doing
and that ipfw is not the firewall for you.
IPFILTER is more likely better suited to your knowledge level.

-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Иванов Илья
Sent: Friday, May 06, 2005 6:01 AM
To: questions at FreeBSD.org
Subject: IPFW: 24.6.5.7 An Example NAT and Stateful Ruleset


Hello! I read the article
(http://freebsd.vinf.ru/doc/en/books/handbook/firewalls-ipfw.html)
and used your example from the "An Example NAT and Stateful Ruleset"
part.
When I use this script for ipfw, I am not able to use the internet,
but if I disable rules 400 and 450 I can use the internet.

I use FreeBSD 4.10, nat, ipfw, squid.

# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif

# Reject & Log all unauthorized out going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif

My question is: can I use this script for ipfw without rules 400 and
450, or is that a potential threat to the security of my system?

Maybe you can give me a link to an article about this?

With best regards, Ivanov Ilya.
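
Added example (not part of either message above, nor of the Handbook ruleset): the reply's advice to read the firewall log, as a small sh/awk summary of what the "deny log" rules 400 and 450 are dropping. The log line layout, the host name gw, the interface rl0 and every sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise packets dropped by the "deny log" rules 400/450.
# Assumed log line layout (the sample lines below are constructed):
#   <date> <host> /kernel: ipfw: <rule> Deny <PROTO> <src> <dst> <in|out> via <if>

sample_log() {
cat <<'EOF'
May  6 05:30:11 gw /kernel: ipfw: 450 Deny TCP 192.168.1.20:1034 203.0.113.80:80 out via rl0
May  6 05:30:14 gw /kernel: ipfw: 450 Deny TCP 192.168.1.20:1035 203.0.113.80:80 out via rl0
May  6 05:30:15 gw /kernel: ipfw: 450 Deny UDP 192.168.1.20:1040 198.51.100.53:53 out via rl0
May  6 05:30:16 gw /kernel: ipfw: 450 Deny UDP 192.168.1.20:1041 198.51.100.53:53 out via rl0
May  6 05:30:17 gw /kernel: ipfw: 450 Deny UDP 192.168.1.20:1042 198.51.100.53:53 out via rl0
May  6 05:30:20 gw /kernel: ipfw: 400 Deny ICMP:8.0 198.51.100.7 203.0.113.5 in via rl0
May  6 05:30:21 gw sshd[312]: unrelated line that must be ignored
EOF
}

# Reads syslog lines on stdin and prints "count rule direction proto dst-port",
# most frequent first, for the rule numbers given as arguments.
ipfw_deny_summary() {
    awk -v rules=" $* " '
    {
        # Locate the "ipfw:" tag so the date/host prefix length does not matter.
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF || $(i + 2) != "Deny") next
        rule = $(i + 1)
        if (index(rules, " " rule " ") == 0) next   # not a rule we asked about
        proto = $(i + 3); sub(/:.*/, "", proto)     # ICMP:8.0 -> ICMP
        n = split($(i + 5), dst, ":")               # dst is addr:port or addr
        port = (n == 2) ? dst[2] : "-"
        count[rule " " $(i + 6) " " proto " " port]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2n
}

sample_log | ipfw_deny_summary 400 450
```

On this sample the outbound DNS and HTTP drops at rule 450 show which allow rules above it are not matching, which is the question to answer before considering removal of the deny rules.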

