NATD & IPFW

Mark-Nathaniel Weisman mark at outlander.us
Tue Apr 1 23:28:16 PST 2003


The entry I added to my ruleset was:
# Allow outbound pings
    ipfw add pass icmp from any to any in recv $external icmptypes 0
    ipfw add pass icmp from any to any out xmit $external icmptypes 8

# Allow outbound traceroutes
    ipfw add pass icmp from any to any in recv $internal icmptypes 3
    ipfw add pass icmp from any to any in recv $internal icmptypes 11

I don't use fetch, so I'm not sure which port it uses, nor am I familiar with which protocol it needs to use. Sorry. These two are self-explanatory. Hope this helps.

A Faithful Servant,
Mark-Nathaniel Weisman
President / CEO
Infinite Visions Educational Systems Inc.
Anchorage, AK
weismanm at ivedsys.org


-----Original Message-----
From: Brian McCann [mailto:bjm1287 at ritvax.isc.rit.edu] 
Sent: Tuesday, April 01, 2003 6:54 PM
To: freebsd-questions at freebsd.org
Subject: NATD & IPFW


Hi all.  I'm having an issue with security while trying to get natd to work with ipfw.  I got my ipfw rules working great, so I added the natd line in:

  ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE

But I can't do anything (ping, fetch, etc.) until I add:
  ipfw add pass all from any to any

Now, I may be wrong, but doesn't this pretty much open the box up?  I tried changing the first "any" to my internal network, but that didn't work, and I know I've got to be missing something.

If anyone would like to help me off-list, I could send you a copy of my rule set if you'd like.

Thanks in advance,
--Brian


_______________________________________________
freebsd-questions at freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
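Added example, not code from either message above: a complete stateless ipfw ruleset for a natd gateway that replaces the `pass all from any to any` rule with something that does not open the box. The point it illustrates is how the divert rule interacts with everything after it. Every packet crossing the external interface is handed to natd, which rewrites the addresses and re-injects the packet at the rule following the divert. All later rules therefore see the translated packet: outbound traffic from the LAN now carries the gateway's external address as its source, and inbound replies have already been rewritten back to the LAN host. That is why rules written against the internal network stop matching once the divert is in place, and why the rules below match on direction and interface (`out xmit`, `in recv`) rather than on the internal address range. The interface names fxp0 and rl0, the LAN 192.168.1.0/24, the rule numbers and the `natd_rules` function are assumptions for this example; natd itself still has to be running on the divert port (on FreeBSD, `natd_enable="YES"`, `natd_interface="fxp0"` and `gateway_enable="YES"` in /etc/rc.conf).

```sh
#!/bin/sh
# Stateless ipfw + natd ruleset for a FreeBSD NAT gateway (added example).
# Interface names, LAN range and rule numbers below are assumptions.
# Run without arguments to print the rules; run with APPLY=1 to load them.

# natd_rules EXT INT LAN [DIVERT_PORT]
# Emits the ruleset, one "ipfw add ..." per line, on stdout.
natd_rules() {
    ext=$1; int=$2; lan=$3; port=${4:-8668}
    cat <<EOF
ipfw -q -f flush
# 1. Translate everything crossing the external interface. Packets that
#    natd re-injects resume at the rule after this one, so every rule
#    below sees the translated addresses: outbound LAN traffic now has the
#    external address as source, inbound replies are already rewritten
#    back to the LAN host. Do NOT match on ${lan} after this point.
ipfw add 100 divert ${port} ip from any to any via ${ext}
# 2. Loopback and the LAN side are trusted; loopback addresses never
#    belong on a real interface.
ipfw add 200 pass ip from any to any via lo0
ipfw add 210 deny ip from any to 127.0.0.0/8
ipfw add 220 deny ip from 127.0.0.0/8 to any
ipfw add 230 pass ip from any to any via ${int}
# 3. Anti-spoofing: nothing claiming a LAN source may arrive from outside.
ipfw add 300 deny ip from ${lan} to any in recv ${ext}
# 4. Outbound on the external side (gateway itself, or LAN after NAT):
#    new TCP connections, UDP (DNS, traceroute probes), echo requests.
ipfw add 400 pass tcp from any to any out xmit ${ext} setup
ipfw add 410 pass udp from any to any out xmit ${ext}
ipfw add 420 pass icmp from any to any out xmit ${ext} icmptypes 8
# 5. Inbound on the external side: only segments of established TCP
#    sessions, DNS answers, and the ICMP that ping, traceroute and path
#    MTU discovery need (echo reply, unreachable, time exceeded).
#    No unsolicited SYNs, so no inbound connections.
ipfw add 500 pass tcp from any to any in recv ${ext} established
ipfw add 510 pass udp from any 53 to any in recv ${ext}
ipfw add 520 pass icmp from any to any in recv ${ext} icmptypes 0,3,11
# 6. Everything else is logged and dropped. Do not rely on rule 65535:
#    a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT makes it "allow".
ipfw add 65000 deny log ip from any to any
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    # Load the rules on this box (must be root, ipfw in the kernel).
    natd_rules "${EXT:-fxp0}" "${INT:-rl0}" "${LAN:-192.168.1.0/24}" | sh
else
    # Dry run: show what would be loaded.
    natd_rules "${EXT:-fxp0}" "${INT:-rl0}" "${LAN:-192.168.1.0/24}"
fi
```

This ruleset is deliberately stateless. With the divert rule first, `keep-state` does not work the way one would hope: an outbound packet is translated before the state entry is created, so the entry records the external address, while the inbound reply is un-translated by natd before `check-state` sees it and no longer matches. Making dynamic rules work with natd needs the divert/`skipto` arrangement for the two directions, which is a different ruleset. The price of staying stateless is visible in rules 500 and 510: `established` matches any TCP segment with ACK or RST set, and the UDP rule trusts source port 53, so neither is a substitute for real connection tracking.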
