If the variables for the 'SIMPLE' rules are set up properly, 'SIMPLE'
should be no different than using 'OPEN' from your win2k's perspective.
This is assuming you don't have a broken rc.firewall file.

Looking at your original post, your sample was missing the 'onet'

# set these to your outside interface network and netmask and ip
omask=""  <-- make sure this is right!!!

# set these to your inside interface network and netmask and ip

Also, you shouldn't be using IPFIREWALL_DEFAULT_TO_ACCEPT in your kernel
configuration.  I use:

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPDIVERT

Also see IPFIREWALL_VERBOSE_LIMIT in the firewall section of the

IPFIREWALL_VERBOSE allows you to get helpful information in
/var/log/security.  If you are having troubles with connectivity, look
in /var/log/security to see if it shows what's being blocked and by what

Hope this helps.
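
As an added example (not part of the original reply), here is a small sh/awk script that does the "look in /var/log/security" step from above for you: it counts the Deny lines the kernel writes when IPFIREWALL_VERBOSE is on, grouped by rule number, direction, interface, protocol and destination port, and flags rules whose IPFIREWALL_VERBOSE_LIMIT has been hit. The sample log, the hostname "gw", the rule numbers and the addresses are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original thread: summarise what ipfw is
# blocking, and by which rule, from the lines IPFIREWALL_VERBOSE writes to
# /var/log/security. The sample log, hostname, rule numbers and addresses
# below are constructed for illustration.

# For each "Deny" line, count (rule, direction, interface, proto, dst port).
# Kernel format: "Mon DD HH:MM:SS host /kernel: ipfw: RULE Deny PROTO SRC DST in|out via IFACE"
# where SRC/DST are addr:port for TCP/UDP and bare addresses for ICMP.
summarize_ipfw_denies() {
    awk '$6 == "ipfw:" && $8 == "Deny" {
            n = split($11, dst, ":")            # "addr:port" -> dst[1], dst[2]
            dport = (n > 1) ? dst[2] : "-"      # ICMP carries no port
            key = "rule " $7 " " $12 " via " $14 " " $9 " dport " dport
            count[key]++
        }
        END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Rules whose per-rule IPFIREWALL_VERBOSE_LIMIT was hit: later denies by that
# rule are no longer logged, so a quiet log does not prove the rule is idle.
ipfw_rules_at_log_limit() {
    awk '$6 == "ipfw:" && $7 == "limit" && $9 == "reached" { print $12 }' "$1" | sort -u
}

# Constructed sample in the format above; "gw" and the numbers are placeholders.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 22 04:54:01 gw /kernel: ipfw: 1800 Deny TCP 198.51.100.4:3345 203.0.113.9:5900 in via rl0
Jan 22 04:54:02 gw /kernel: ipfw: 1800 Deny TCP 198.51.100.4:3346 203.0.113.9:5900 in via rl0
Jan 22 04:54:05 gw /kernel: ipfw: 1800 Deny TCP 198.51.100.4:3350 203.0.113.9:412 in via rl0
Jan 22 04:55:10 gw /kernel: ipfw: 2300 Deny UDP 198.51.100.4:53 203.0.113.9:1025 in via rl0
Jan 22 04:55:11 gw /kernel: ipfw: 2300 Deny ICMP:8.0 198.51.100.4 203.0.113.9 in via rl0
Jan 22 04:56:00 gw /kernel: ipfw: limit 100 reached on entry 1800
EOF
}

# On the real gateway: summarize_ipfw_denies /var/log/security
# Run with --demo to see the output for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_log "$tmp"
    summarize_ipfw_denies "$tmp"
    ipfw_rules_at_log_limit "$tmp"
    rm -f "$tmp"
fi
```

The busiest line of the summary points at the rule (and destination port) that is eating the win2k box's connections; in the sample it is the rule denying inbound setup to port 5900.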


On Thu, 2004-01-22 at 04:54, Rishi Chopra wrote:
> James,
> I've configured my Win2k box to contact DNS directly, and both Direct 
> Connect and VNC Server are running smoothly (port forwarding is being 
> accomplished (per your suggestion) by natd.conf).
> I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm 
> protection of its own); this is truly the only sticking point.  I'm 
> under the impression that selecting 'SIMPLE' rather than 'OPEN' provides 
> an additional layer of protection to the gateway by preventing certain 
> spoofing attacks.  Unfortunately, I seem unable to switch the firewall 
> type without crippling my Win2k box's functionality.  Perhaps I'll give 
> it a go again sometime in the future.
> Here's a copy of the relevant files:
> //natd.conf
> unregistered_only
> interface rl0
> use_sockets
> dynamic
> redirect_port tcp 5800
> redirect_port tcp 5900
> redirect_port tcp 412
> redirect_port tcp 1412
> punch_fw 2000:50
> //rc.conf
> gateway_enable="YES"
> hostname="usha.dyndns.org"
> ifconfig_rl0="DHCP"
> ifconfig_rl1="inet netmask"
> kern_securelevel_enable="NO"
> firewall_enable="YES"
> firewall_type="OPEN"
> # firewall_type="SIMPLE"
> firewall_quiet="NO"
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-f /etc/natd.conf"
> linux_enable="YES"
> sendmail_enable="NO"
> sshd_enable="YES"
> -R