me matches any IP address configured on an interface in the system. The address list is evaluated at the time the packet is analysed.
If I set my oif to 'rl0' (a NIC in my system) and I set the oip to 'me', what should the onet address be set to? Can I set the onet address to 'me' also? The oif has its address assigned by DHCP.
Lowell Gilbert wrote:
Rishi Chopra <[EMAIL PROTECTED]> writes:
Perhaps someone can help me with this small part of rc.firewall:
[Ss][Ii][Mm][Pp][Ll][Ee])
        ############
        # This is a prototype setup for a simple firewall.  Configure this
        # machine as a named server and ntp server, and point all the machines
        # on the inside at this machine for those services.
        ############

        # set these to your outside interface network and netmask and ip
        oif="ed0"
        onet="192.0.2.0"
        omask="255.255.255.0"
        oip="192.0.2.1"

        # set these to your inside interface network and netmask and ip
        iif="ed1"
        inet="192.0.2.1"
        imask="255.255.255.0"
        iip="192.0.2.17"
I'm curious about the difference between 'inet' and 'iip', what each
one stands for, and how to configure 'onet/oip' if the outside
interface network is configured via DHCP.
Look a little more closely at the comment right before those lines. 'iif' is "Inside InterFace," 'inet' is "Inside NETwork," 'imask' is "Inside netMASK," and 'iip' is "Inside IP address."
If your outside address is assigned by DHCP, you can't set those in the script. You can use the "me" keyword (see "man 8 ipfw"), or set up the firewall in a DHCP hook, or just skip the address (it doesn't actually give you any extra security if you've got a single address on a single Ethernet network).
I'm also curious about this little snippet (under the 'simple' profile):
        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
What happens if this option is set in my kernel config file? Can I
safely comment out this line and use the 'simple' profile without
It doesn't affect natd either way. Defaulting to deny is definitely the way to configure a firewall for security purposes -- don't accept anything you haven't explicitly configured yourself to let in.
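Added example, not part of the original thread or of rc.firewall: one way to fill in oip, omask and onet for a DHCP-configured outside interface, as the "DHCP hook" suggestion in the thread would need, by parsing ifconfig output. The function names and the sample ifconfig text are constructed, and the FreeBSD-style hex netmask is an assumption about the output format.

```shell
#!/bin/sh
# Added example: derive oip/omask/onet from the address DHCP put on the
# outside interface. Function names and the sample text are constructed.

# Constructed FreeBSD-style `ifconfig rl0` output (documentation address).
sample_ifconfig='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.37 netmask 0xfffffff0 broadcast 203.0.113.47
        ether 00:00:5e:00:53:01'

# hex_to_quad 0xfffffff0 -> 255.255.255.240
hex_to_quad() {
    n=$(( $1 ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# net_of IP MASK -> network address (octet-wise AND of dotted quads)
net_of() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$old_ifs
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# outside_vars: read ifconfig text on stdin, print oip/omask/onet assignments.
# Returns 1 and prints nothing if there is no usable IPv4 address (no lease
# yet, or unexpected characters), so the caller can fall back to "me".
outside_vars() {
    set -- $(awk '$1 == "inet" && $3 == "netmask" { print $2, $4; exit }')
    [ $# -eq 2 ] || return 1
    case $1 in *[!0-9.]*) return 1 ;; esac
    case $2 in
        0x*[!0-9a-fA-F]*) return 1 ;;
        0x*) omask=$(hex_to_quad "$2") ;;   # FreeBSD prints the mask in hex
        *[!0-9.]*) return 1 ;;
        *) omask=$2 ;;                      # already dotted quad
    esac
    oip=$1
    onet=$(net_of "$oip" "$omask")
    printf 'oip="%s"\nomask="%s"\nonet="%s"\n' "$oip" "$omask" "$onet"
}

# Real use would be: ifconfig rl0 | outside_vars
printf '%s\n' "$sample_ifconfig" | outside_vars
```

The three printed lines take the place of the hard-coded outside-interface assignments; when the function returns 1, rules written with "me" still work because ipfw evaluates that address list per packet.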