> -----Original Message-----
> From: konstantinos.dryllera...@dg21.cec.be
> [SMTP:konstantinos.dryllera...@dg21.cec.be]
> Sent: Friday, May 28, 1999 11:15 AM
> To: freebsd-hackers@freebsd.org; freebsd-quest...@freebsd.org
> Subject: ipfw/natd limitation: controlling access of an
> unregistered net to the internet
>
> It seems to me that outgoing packets through the outer interface
> should first be run (somehow) through the firewall and, if successful,
> pass through natd (without a further re-injection into the firewall
> ruleset), whereas incoming packets should pass first through natd and
> then through the firewall rules (the existing operation). [It is
> clear that only "deny" rules can be added before the "divert" rule to
> control the outgoing packets of internal machines, and this can prove
> very tricky and tedious.]

[ML] Did you consider using a firewall-cleanwall combination? In essence, the idea is very simple: the cleanwall is inside the firewall and it does not allow unprivileged packets to reach the nat/firewall. I think that Bellovin's book explains this in detail. The downside is that you need two machines.
/Marino
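An added example, not part of either message above: an rc.firewall-style ipfw ruleset that lives with the single-machine ordering Konstantinos describes, plus a small audit that catches the mistake his bracketed remark warns about. It relies on the ipfw/natd behaviour of that era: rules are evaluated in ascending number order, a packet that hits the divert rule is handed to natd and re-injected at the next rule, so an outbound packet still carries its private source address only before the divert and an inbound packet carries its private destination only after it. Interface names (ed0, ed1), the 203.0.113.0/24 and 192.168.1.0/24 prefixes, the host addresses and the natd redirect are assumptions for illustration. With the default fwcmd=echo the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread). Review with the default fwcmd=echo,
# then load for real on the gateway with:  fwcmd=/sbin/ipfw sh ruleset.sh
# natd is assumed to run as:  natd -n ed0 -redirect_port tcp 192.168.1.10:80 80

fwcmd="${fwcmd:-echo}"
oif="${oif:-ed0}"                  # outer (registered) interface, assumed
oip="${oip:-203.0.113.10}"         # its address, assumed
iif="${iif:-ed1}"                  # inner interface, assumed
inet="${inet:-192.168.1.0/24}"     # unregistered inside net, assumed

load_ruleset() {
    $fwcmd -f flush
    $fwcmd add 50  allow ip from any to any via lo0

    # Phase 1: rules evaluated on UNTRANSLATED packets. Outbound packets
    # still carry their private source here, so this is the only place an
    # inside host can be singled out. Only "deny" belongs here: an "allow
    # ... out via $oif" would terminate rule processing before the divert
    # and leak 192.168.1.x source addresses onto the outer interface.
    $fwcmd add 100 deny log ip from 192.168.1.200 to any out via $oif
    $fwcmd add 110 deny log tcp from $inet to any 25 out via $oif
    # Anti-spoofing: nothing claiming an inside source may arrive outside.
    $fwcmd add 120 deny log ip from $inet to any in via $oif

    # Phase 2: both directions are handed to natd and re-injected at 300.
    $fwcmd add 200 divert natd ip from any to any via $oif

    # Phase 3: rules see the TRANSLATED packet. Outbound traffic now has
    # source $oip; inbound traffic to the redirect has its real inside
    # destination, so per-host inbound policy goes here, after the divert.
    $fwcmd add 300 allow tcp from any to any established
    $fwcmd add 310 allow ip from $oip to any out via $oif
    $fwcmd add 320 allow tcp from any to 192.168.1.10 80 in via $oif setup
    $fwcmd add 330 deny log ip from any to any in via $oif

    $fwcmd add 400 allow ip from any to any via $iif
    $fwcmd add 65000 deny log ip from any to any
}

# Audit: reads "add N action ..." lines (what load_ruleset prints with
# fwcmd=echo) on stdin and fails if any "allow" rule numbered below the
# divert rule could match traffic on the outer interface, i.e. could let
# packets bypass natd. Allows pinned to another interface (lo0, $iif) are fine.
audit_ruleset() {
    awk -v oif="$oif" '
        $1 == "add" && $3 == "divert" { divert = $2 + 0 }
        $1 == "add" && $3 == "allow"  { allow[$2 + 0] = $0 }
        END {
            if (!divert) { print "audit: no divert rule"; exit 1 }
            bad = 0
            for (n in allow) {
                if (n + 0 >= divert) continue
                line = allow[n]
                if (line !~ /via / || line ~ ("via " oif)) {
                    print "audit: allow before divert bypasses natd: " line
                    bad = 1
                }
            }
            exit bad
        }'
}

if [ "${0##*/}" = "ruleset.sh" ]; then
    load_ruleset
fi
```

Run the audit over the printed rules (`load_ruleset | audit_ruleset`) before loading; it also catches the common first attempt of putting `allow ip from any to any` at rule 50.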