My ruleset so far contains the below rules, and I wonder if someone can tell me if there's anything incorrect about them (with regard to correctly using NAT and dynamic rulesets):
bash-2.05b# ipfw -a list 00100 3155 1100714 divert 8668 ip from any to any via rl0 00200 0 0 check-state 00300 200 25128 allow ip from me to me 00400 1991 131910 allow ip from 192.168.0.0/24 to any keep-state 00500 3928 2038665 allow ip from 192.168.1.0/24 to any keep-state 65535 1 338 deny ip from any to any
I'm not asking if these rules are battleship secure - I'm sure I have a lot of work to do yet in creating a tigher ruleset. What I want to know is: are these rules correctly allowing NAT to work with dynamic rules, or is there some gaping security flaw that I'm missing?
With the above rules, I can use the gateway machine to connect to the Internet (well, any website of my choice), and I can also use a machine on the 192.168.1 subnet to connect through the gateway to any website, mail server, etc. So NAT seems to be working.
If I remove the keep-state option from the 192.168.1 line, then the LAN machine can send a request to a website, but never gets a reply. Removing the keep-state from the 192.168.0 line stops the gateway asking for pages. So the dynamic rule system seems to be working.
So it would seem that NAT and dynamic rules are working harmoniously together. But how naive am I being? What might I be missing?
Also, if I have got them working together correctly, why do I end up with a lot of packets denied by the `deny ip from any to any` rule? What are these few packets, and what tried to send them? Any ideas?
(By The Way... I remember why I stopped using Usenet all those years ago - have you seen what's being done to c.u.b.freebsd.misc lately? Not the correct way to promote Windows and discredit Linux.) -- Bob
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
