(Yet Another) Home Networking Question

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Mon Jan 12 18:51:50 PST 2004


Rishi Chopra <rchopra at cal.berkeley.edu> writes:

> Perhaps someone can help me with this small part of rc.firewall:
> 
> [Ss][Ii][Mm][Pp][Ll][Ee])
>         ############
>         # This is a prototype setup for a simple firewall.  Configure this
>         # machine as a named server and ntp server, and point all the machines
>         # on the inside at this machine for those services.
>         ############
> 
>         # set these to your outside interface network and netmask and ip
>         oif="ed0"
>         onet="192.0.2.0"
>         omask="255.255.255.0"
>         oip="192.0.2.1"
> 
>         # set these to your inside interface network and netmask and ip
>         iif="ed1"
>         inet="192.0.2.1"
>         imask="255.255.255.0"
>         iip="192.0.2.17"
> 
> I'm curious about the difference between 'inet' and 'iip', what each
> one stands for, and how to configure 'onet/oip' if the outside
> interface network is configured via DHCP.

Look a little more closely at the comment right before those lines.
'iif' is "Inside InterFace," 'inet' is "Inside NETwork," 'imask' is
"Inside netMASK," and 'iip' is "Inside IP address."

If your outside address is assigned by DHCP, you can't set those in the
script.  You can use the "me" keyword (see "man 8 ipfw"), or set up
the firewall in a DHCP hook, or just skip the address (it doesn't
actually give you any extra security if you've got a single address on
a single Ethernet network).

> I'm also curious about this little snippet (under the 'simple' profile):
> 
>         # Everything else is denied by default, unless the
>         # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>         # config file.
> 
> What happens if this option is set in my kernel config file?  Can I
> safely comment out this line and use the 'simple' profile without
> affecting natd?

It doesn't affect natd either way.  Defaulting to deny is definitely
the way to configure a firewall for security purposes -- don't accept
anything you haven't explicitly configured yourself to let in.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area: 
		resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
		username/password "public"
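As an added example (not from this thread, and not FreeBSD's own rc.firewall), here is a 'simple'-style ipfw rule set for a box whose outside address comes from DHCP: the `me` keyword stands in for the hard-coded `$oip`, and the set ends with an explicit deny. Interface names and the inside network are assumptions matching the quoted snippet; set `FW=/sbin/ipfw` to install the rules instead of printing them.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeBSD's rc.firewall:
# a 'simple'-style ipfw rule set for a host whose outside address comes
# from DHCP. "me" matches whatever address this host currently holds,
# so no $oip/$onet is needed. Interface names and the inside network
# are assumptions matching the quoted snippet.
oif="ed0"                 # outside interface (DHCP-assigned address)
iif="ed1"                 # inside interface
inet="192.0.2.0"          # inside network
imask="255.255.255.0"     # inside netmask

# By default the rules are printed; set FW=/sbin/ipfw (as root on the
# FreeBSD host) to install them for real.
FW="${FW:-echo ipfw}"
fw() { $FW "$@"; }

build_rules() {
    fw -f flush
    # Anti-spoofing: inside addresses must never arrive on the outside
    # interface, and only inside addresses may arrive on the inside one.
    fw add deny all from ${inet}:${imask} to any in via ${oif}
    fw add deny all from not ${inet}:${imask} to any in via ${iif}
    # Let the DHCP client exchange through, so the lease can be renewed.
    fw add allow udp from any 68 to any 67 out via ${oif}
    fw add allow udp from any 67 to any 68 in via ${oif}
    # (A natd divert rule, if you run NAT, goes here as in rc.firewall.)
    # Replies to connections this side opened.
    fw add allow tcp from any to any established
    # Anything arriving from the inside network may pass.
    fw add allow all from ${inet}:${imask} to any in via ${iif}
    # Only new ssh connections to this host's own address get in;
    # "me" replaces the hard-coded $oip of the stock script.
    fw add allow tcp from any to me 22 in via ${oif} setup
    # Default deny, made explicit and logged: nothing else gets in or out.
    fw add deny log all from any to any
}

build_rules
```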

