If the variables for the 'SIMPLE' rules are set up properly, 'SIMPLE' should be no different than using 'OPEN' from your win2k's perspective. This is assuming you don't have a broken rc.firewall file.
Looking at your original post, your sample was missing the 'onet' variable.

    # set these to your outside interface network and netmask and ip
    oif="rl0"
    onet="???.???.???.???"
    omask="255.255.255.0"    <-- make sure this is right!!!
    oip="me"

    # set these to your inside interface network and netmask and ip
    iif="rl1"
    inet="192.168.0.1"
    imask="255.255.255.0"
    iip="192.168.0.1"

Also, you shouldn't be using IPFIREWALL_DEFAULT_TO_ACCEPT in your kernel configuration. I use:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPDIVERT

Also see IPFIREWALL_VERBOSE_LIMIT in the firewall section of the Handbook. IPFIREWALL_VERBOSE allows you to get helpful information in /var/log/security. If you are having troubles with connectivity, look in /var/log/security to see if it shows what's being blocked and by what rule.

Hope this helps.

James

On Thu, 2004-01-22 at 04:54, Rishi Chopra wrote:
> James,
>
> I've configured my Win2k box to contact DNS directly, and both Direct
> Connect and VNC Server are running smoothly (port forwarding is being
> accomplished (per your suggestion) by natd.conf).
>
> I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm
> protection of its own); this is truly the only sticking point. I'm
> under the impression that selecting 'SIMPLE' rather than 'OPEN' provides
> an additional layer of protection to the gateway by preventing certain
> spoofing attacks. Unfortunately, I seem unable to switch the firewall
> type without crippling my Win2k box's functionality. Perhaps I'll give
> it a go again sometime in the future.
>
> Here's a copy of the relevant files:
>
> //natd.conf
>
> unregistered_only
> interface rl0
> use_sockets
> dynamic
> redirect_port tcp 192.168.0.2:5800 5800
> redirect_port tcp 192.168.0.2:5900 5900
> redirect_port tcp 192.168.0.2:412 412
> redirect_port tcp 192.168.0.2:1412 1412
> punch_fw 2000:50
>
> //rc.conf
>
> gateway_enable="YES"
> hostname="usha.dyndns.org"
> ifconfig_rl0="DHCP"
> ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
> kern_securelevel_enable="NO"
> firewall_enable="YES"
> firewall_type="OPEN"
> # firewall_type="SIMPLE"
> firewall_quiet="NO"
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-f /etc/natd.conf"
> linux_enable="YES"
> sendmail_enable="NO"
> sshd_enable="YES"
>
> -R

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
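A sanity check for the 'SIMPLE'-section variables James lists (a missing or wrong onet is exactly the kind of thing that makes SIMPLE behave differently from OPEN), added here as an example that is not part of the thread or of rc.firewall itself; it assumes the rc.firewall variable names (onet/omask/oip, inet/imask/iip) and uses constructed sample values.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check the network/netmask/ip
# triples that the 'SIMPLE' section of rc.firewall reads (onet/omask/oip and
# inet/imask/iip). A missing or wrong network variable changes what the
# anti-spoofing rules match, so check it before switching away from 'OPEN'.
# All sample values below are constructed for the demo.

# net_of IP MASK: print the network address of IP under MASK as a dotted quad.
# Runs in a subshell so the IFS change does not leak to the caller.
net_of() (
    IFS=.
    set -- $1 $2          # eight octets: $1-$4 from IP, $5-$8 from MASK
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
)

# check_pair LABEL NET MASK IP: 0 if all three are set and NET lies in the
# same network as IP/MASK (ipfw normalises NET:MASK, so "192.168.0.1" with a
# /24 mask is accepted); 1 otherwise. IP "me" is an ipfw keyword, not an
# address, so for it only the "is everything set" test applies.
check_pair() {
    _label=$1 _net=$2 _mask=$3 _addr=$4
    if [ -z "$_net" ] || [ -z "$_mask" ] || [ -z "$_addr" ]; then
        echo "$_label: net/mask/ip not all set (net='$_net' mask='$_mask' ip='$_addr')"
        return 1
    fi
    [ "$_addr" = "me" ] && return 0
    _want=$(net_of "$_addr" "$_mask")
    if [ "$(net_of "$_net" "$_mask")" != "$_want" ]; then
        echo "$_label: net $_net does not cover $_addr/$_mask (expected $_want)"
        return 1
    fi
    return 0
}

# Constructed values mirroring the thread: the inside triple is fine, the
# outside one has no onet set at all (the omission James points out).
check_pair inside  "192.168.0.0" "255.255.255.0" "192.168.0.1" && echo "inside: ok"
check_pair outside "" "255.255.255.0" "me" || echo "outside: fix onet before using SIMPLE"
```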