need ipfw clarification

Bill Moran wmoran at potentialtech.com
Fri Feb 4 12:09:41 PST 2005


Duane Winner <dwinner-lists at att.net> wrote:

> Thanks Roberto,
> 
> Just to make sure I understand though, I only need to be concerned with 
> "forwarding" and "forward rules" if I'm setting up a multi-homed host 
> (i.e., router), is this correct?

It doesn't even apply then.  IPFW forwarding forwards packets and rewrites
their IP headers to make one machine look like another.  While this is
commonly used on firewalls, it's not the same thing as turning on
forwarding (i.e. routing between interfaces) and isn't required to set
up a multi-homed "router".

For example, I use IPFW forwarding so that my firewall forwards VNC
packets to my desktop, so outsiders can connect directly to my desktop
through the firewall.

> If I'm just using ipfw for single-host based firewall protection, then 
> forwarding doesn't apply, right?

That's correct.

> 
> Thanks again,
> Duane
> 
> 
> 
> Roberto Nunnari wrote:
> 
> > Hi Duane.
> >
> > I had the same problem. With 5.2.1 I had working forward rules,
> > and they were broken with 5.3.
> >
> > After some fiddling I managed to have that work again. Just
> > add these to your kernel:
> >
> > options         IPFIREWALL
> > options         IPFIREWALL_DEFAULT_TO_ACCEPT
> > options         IPFIREWALL_VERBOSE
> > options         IPFIREWALL_FORWARD
> >
> > if you don't add them to your kernel, forwarding in ipfw will
> > be disabled.
> >
> > Ciao.
> >
> >
> > Duane Winner wrote:
> >
> >> Hello,
> >>
> >> I noticed that after enabling firewall in my kernel (5.3-release), my 
> >> dmesg now gives me this:
> >>
> >> ipfw2 initialized, divert disabled, rule-based forwarding disabled, 
> >> default to accept, logging limited to 5 packets/entry by default
> >>
> >>
> >> On 5.2.1, I used to get this:
> >>
> >> ipfw2 initialized, divert disabled, rule-based forwarding enabled, 
> >> default to accept, logging disabled
> >>
> >> In both cases, I am adding this to my KERNEL config:
> >>
> >> options         IPFIREWALL
> >> options         IPFIREWALL_DEFAULT_TO_ACCEPT
> >>
> >>
> >> It seems that the major difference between 5.2.1 and 5.3 is that now 
> >> rule-based forwarding is disabled.
> >>
> >> Is this correct? And what exactly is rule-based forwarding? I'm 
> >> guessing that it doesn't really apply to my situation, as in these 
> >> cases, I am using IPFW to create a deny all inbound to my laptop when 
> >> I'm on the road. But I just want to make sure.
> >>
> >> Thanks,
> >> DW
> >> _______________________________________________
> >> freebsd-security at freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >> To unsubscribe, send any mail to 
> >> "freebsd-security-unsubscribe at freebsd.org"


-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
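The check a reader of this thread would want, as an added example that is not code from any of the posters: parse the ipfw2 boot banner Duane pasted to confirm whether the running kernel was built with `options IPFIREWALL_FORWARD`, and only then load a `fwd` rule of the kind Bill describes for VNC. The interface name `fxp0`, the target `192.168.1.10,5900`, the rule number and the fallback banner string are assumptions for illustration; the rule syntax and the banner wording follow ipfw(8) and the dmesg lines quoted above. One caveat from ipfw(8) that the thread does not spell out: `fwd` only changes the next hop, it does not rewrite the packet's destination address, so a non-local target must be willing to accept packets addressed to the firewall's IP (a local target, by contrast, is delivered to the given port on the firewall itself).

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: fxp0, 192.168.1.10,
# rule number 1000, and the constructed fallback banner below.

# The banner ipfw2 prints at boot is the authoritative indicator:
# "rule-based forwarding enabled"  => kernel built with options IPFIREWALL_FORWARD
# "rule-based forwarding disabled" => "fwd" rules will be rejected at load time
ipfw_forwarding_enabled() {
    # $1: one ipfw2 banner line as found in dmesg
    case "$1" in
        *"rule-based forwarding enabled"*)  return 0 ;;
        *"rule-based forwarding disabled"*) return 1 ;;
        *) echo "not an ipfw2 banner: $1" >&2; return 2 ;;
    esac
}

# Pull the most recent banner from the live system (FreeBSD only; empty elsewhere).
live_banner() {
    dmesg 2>/dev/null | grep 'ipfw2 initialized' | tail -n 1
}

# Build the argument string for an ipfw "fwd" rule that redirects inbound
# TCP/5900 (VNC) arriving on the outside interface to the given "ip,port".
# ipfw(8): fwd changes only the next hop; the destination address in the
# packet is left untouched, so pick the target accordingly (see lead-in).
vnc_fwd_rule() {
    # $1: rule number   $2: outside interface   $3: target as "ip,port"
    echo "add $1 fwd $3 tcp from any to me 5900 in via $2"
}

# Load a rule if ipfw is present on this box; otherwise show what would run.
apply_rule() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw $1      # intentionally unquoted: the rule is a list of words
    else
        echo "would run: ipfw $1"
    fi
}

main() {
    banner=$(live_banner)
    # Constructed fallback matching Duane's 5.3 output, for machines without ipfw.
    [ -n "$banner" ] || banner="ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to accept, logging limited to 5 packets/entry by default"
    if ipfw_forwarding_enabled "$banner"; then
        apply_rule "$(vnc_fwd_rule 1000 fxp0 192.168.1.10,5900)"
    else
        echo "fwd rules unavailable; rebuild the kernel with: options IPFIREWALL_FORWARD" >&2
    fi
}

main
```

On a 5.3 kernel built only with `IPFIREWALL` and `IPFIREWALL_DEFAULT_TO_ACCEPT`, the script reports that `fwd` is unavailable; after adding `options IPFIREWALL_FORWARD` and rebooting, the banner flips to "enabled" and the rule is loaded. Duane's road-warrior "deny all inbound" setup needs none of this, as Bill says.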