If the variables for the 'SIMPLE' rules are set up properly, 'SIMPLE'
should be no different from using 'OPEN' from your win2k's perspective.
This is assuming you don't have a broken rc.firewall file.
Looking at your original post, your sample was missing the 'onet'
# set these to your outside interface network and netmask and ip
omask="255.255.255.0" <-- make sure this is right!!!
# set these to your inside interface network and netmask and ip
Also, you shouldn't be using IPFIREWALL_DEFAULT_TO_ACCEPT in your kernel
configuration. I use:
Also see IPFIREWALL_VERBOSE_LIMIT in the firewall section of the
IPFIREWALL_VERBOSE allows you to get helpful information in
/var/log/security. If you are having troubles with connectivity, look
in /var/log/security to see if it shows what's being blocked and by what
Hope this helps.
On Thu, 2004-01-22 at 04:54, Rishi Chopra wrote:
> I've configured my Win2k box to contact DNS directly, and both Direct
> Connect and VNC Server are running smoothly (port forwarding is being
> accomplished (per your suggestion) by natd.conf).
> I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm
> protection of its own); this is truly the only sticking point. I'm
> under the impression that selecting 'SIMPLE' rather than 'OPEN' provides
> an additional layer of protection to the gateway by preventing certain
> spoofing attacks. Unfortunately, I seem unable to switch the firewall
> type without crippling my Win2k box's functionality. Perhaps I'll give
> it a go again sometime in the future.
> Here's a copy of the relevant files:
> interface rl0
> redirect_port tcp 192.168.0.2:5800 5800
> redirect_port tcp 192.168.0.2:5900 5900
> redirect_port tcp 192.168.0.2:412 412
> redirect_port tcp 192.168.0.2:1412 1412
> punch_fw 2000:50
> ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
> # firewall_type="SIMPLE"
> natd_flags="-f /etc/natd.conf"
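The reply above suggests reading /var/log/security to see what is being blocked and by which rule. Here is an added example (not from the thread, the FreeBSD project, or either poster) of a small parser for the `ipfw:` lines that IPFIREWALL_VERBOSE writes there, which tallies Deny entries per rule/interface and flags any that hit the ports the quoted natd.conf forwards to the Win2k host (5800, 5900, 412, 1412). The hostname "gw", the sample log lines and the service labels are constructed for the example.

```python
import re
from collections import Counter

# Format of kernel log lines produced with IPFIREWALL_VERBOSE, after the
# syslog prefix: "ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>]
# <in|out> via <iface>". ICMP entries carry "ICMP:<type>.<code>" and no ports.
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

# Destination ports forwarded to 192.168.0.2 by the redirect_port lines in
# the quoted natd.conf; the service names are labels assumed for this example.
FORWARDED_PORTS = {
    5800: "VNC (HTTP)",
    5900: "VNC",
    412: "Direct Connect",
    1412: "Direct Connect",
}

# Constructed sample of /var/log/security (hypothetical host "gw"); the
# addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
Jan 22 04:50:01 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:51234 192.168.0.2:5900 in via rl0
Jan 22 04:50:02 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:51235 192.168.0.2:412 in via rl0
Jan 22 04:50:05 gw kernel: ipfw: 200 Deny UDP 192.168.0.2:1043 198.51.100.53:53 in via rl1
Jan 22 04:50:07 gw kernel: ipfw: 65000 Accept TCP 192.168.0.2:1044 198.51.100.9:80 out via rl0
Jan 22 04:50:09 gw kernel: ipfw: 300 Deny ICMP:8.0 203.0.113.9 192.168.0.1 in via rl0
Jan 22 04:50:11 gw sshd[123]: unrelated line that must be ignored
"""


def parse_ipfw_line(line):
    """Return a dict for one ipfw log entry, or None if the line is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarize_denies(log_text):
    """Count Deny entries per (rule, iface, direction) and list those that
    hit a port natd forwards to the inside host."""
    by_rule = Counter()
    forwarded_hits = []
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        by_rule[(rec["rule"], rec["iface"], rec["dir"])] += 1
        if rec["dport"] in FORWARDED_PORTS:
            forwarded_hits.append((rec["rule"], rec["dport"], FORWARDED_PORTS[rec["dport"]]))
    return by_rule, forwarded_hits


def report(log_text):
    """Human-readable summary, returned as a string so it can be checked."""
    by_rule, hits = summarize_denies(log_text)
    lines = ["Denied packets by rule/interface/direction:"]
    for (rule, iface, direction), n in sorted(by_rule.items()):
        lines.append(f"  rule {rule:>5}  {iface} {direction:<3}  {n} packet(s)")
    lines.append("Denies on ports natd forwards to the inside host:")
    for rule, port, label in hits:
        lines.append(f"  rule {rule} blocked port {port} ({label})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

To use it on a real gateway, feed the contents of /var/log/security to `report()`; a rule that repeatedly denies traffic to a forwarded port is the first place to look when switching from 'OPEN' to 'SIMPLE' breaks a forwarded service.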