Srot BULL wrote:
Hi to everyone,

I have 2 FreeBSD machines both running FreeBSD Stable 5.3 and both have ipfw as firewalls...
One is running ipfw with NAT functions. Below are the rulesets for the machine:

< -- snip rulesets -->

As you can see I am using the rulesets that are found in the Handbook. I have tried
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
but still no go
$CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS
but still no go


Can anybody share their ipfw rulesets with me? To allow my other PC to cvsup...
Thanks in advance...


Srot BULL
_______________________________________________


I also had problems using a similar "stateful" ruleset with IPFW & NAT.

As I understand it, a stateful ruleset will not allow passive ftp
connections from machines behind the firewall (although I was able
to establish passive ftp from my gateway/router/firewall machine itself).

This problem is documented in the mailing lists if you want to research
it.

I ended up changing to a much simpler, non-stateful ruleset on my
gateway/router/firewall machine:


#!/bin/sh

ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc1"     # public interface name of the NIC
              # facing the public internet

# Pass everything on the internal (LAN) interface
$cmd 005 allow all from any to any via dc0

# Hand packets on the public interface to natd for address translation
$cmd 050 divert natd ip from any to any via $pif

# Loopback traffic
$cmd 100 allow ip from any to any via lo0

# Drop packets with a loopback source or destination on other interfaces
$cmd 200 deny ip from any to 127.0.0.0/8
$cmd 300 deny ip from 127.0.0.0/8 to any

# Everything else is passed
$cmd 65000 allow ip from any to any

# Final logged deny. Rule 65535 is the kernel's reserved default rule and
# cannot be added, so the highest user rule number is used instead.
$cmd 65534 deny log ip from any to any

This ruleset allows me to establish passive ftp from any machine behind
the firewall, including accomplishing CVSUP.

So far I haven't had any problems with security.

HTH

Jim Coulter

--
James A. Coulter
[EMAIL PROTECTED]
http://jacoulter.net
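An added example, not code from the thread: a small Python first-match walk over the non-stateful ruleset posted above, showing which rule a packet ends up at on each interface, in particular that an unsolicited connection arriving on the public interface reaches rule 65000 and is passed. The interface names are the ones in the script; the sample addresses are constructed.

```python
import ipaddress

# The rules from the posted script, in order: (number, action, src, dst, via).
# Every rule is "ip"/"all", so the protocol is not modelled.
RULES = [
    (5, "allow", "any", "any", "dc0"),
    (50, "divert", "any", "any", "dc1"),
    (100, "allow", "any", "any", "lo0"),
    (200, "deny", "any", "127.0.0.0/8", None),
    (300, "deny", "127.0.0.0/8", "any", None),
    (65000, "allow", "any", "any", None),
    (65535, "deny", "any", "any", None),
]


def _addr_matches(pattern, addr):
    """'any' matches everything; otherwise the CIDR pattern must contain addr."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def first_match(iface, src, dst):
    """Walk RULES top to bottom like ipfw and return (rule_number, action)
    of the first terminal rule. 'divert' is not terminal: natd re-injects
    the packet at the next rule, so the walk continues (natd's address
    rewriting is not modelled in this toy)."""
    for number, action, src_pat, dst_pat, via in RULES:
        if via is not None and via != iface:
            continue
        if not (_addr_matches(src_pat, src) and _addr_matches(dst_pat, dst)):
            continue
        if action == "divert":
            continue
        return number, action
    return 65535, "deny"


if __name__ == "__main__":
    # Constructed sample packets (TEST-NET and RFC 1918 addresses):
    # an unsolicited connection arriving on the public interface dc1 ...
    print(first_match("dc1", "198.51.100.7", "203.0.113.5"))   # (65000, 'allow')
    # ... a LAN host going out via dc0 ...
    print(first_match("dc0", "192.168.1.10", "198.51.100.7"))  # (5, 'allow')
    # ... and a packet on dc1 aimed at a loopback address.
    print(first_match("dc1", "198.51.100.7", "127.0.0.1"))     # (200, 'deny')
```

The first case is the trade-off of dropping the stateful ruleset: nothing between rule 50 and rule 65000 distinguishes a reply to an outbound connection from a new inbound one.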
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions