> -----Original Message-----
> From: konstantinos.dryllera...@dg21.cec.be
> [SMTP:konstantinos.dryllera...@dg21.cec.be]
> Sent: Friday, May 28, 1999 11:15 AM
> To: freebsd-hackers@freebsd.org; freebsd-quest...@freebsd.org
> Subject: ipfw/natd limitation: controlling access of an
> unregistered net to the internet
>
> It seems to me that outgoing packets through the outer interface
> should first be run (somehow) through the firewall and if succesfull
> pass through natd (without a further re-injection to the firewall
> ruleset) whereas incoming packets should pass first from natd and then
> pass through the firewall rules (the existing operation). [ It is
> clear that only "deny" rules can be added before the "divert" rule to
> control the outgoing packets of internal machines and this can prove
> very tricky and tedious ].
>
[ML] Did you consider using a firewall-cleanwall combination?
In the essence, the idea is very simple: the cleanwall is inside
the firewall and it does not allow unprivileged packets to reach the
nat/firewall. I think that Bellowin's book explains this in detail.
The downside is that you need two machines.
/Marino
To Unsubscribe: send mail to majord...@freebsd.org
with "unsubscribe freebsd-hackers" in the body of the message
