On 2004-07-31 14:17, JJB <[EMAIL PROTECTED]> wrote:
> Giorgos Keramidas wrote on July 31, 2004 1:36 PM
>> On 2004-07-31 12:08, "James A. Coulter" <[EMAIL PROTECTED]> wrote:
>>> My LAN is configured with static IP addresses, 192.168.1.x.
>>>
>>> I have no problems communicating within the LAN.
>>>
>>> I have full connectivity with the internet from every machine on
>>> my LAN when the firewall is open.
>>>
>>> When I use the rule set in question, I can ping and send mail but
>>> I cannot access the DNS servers listed in resolv.conf.
>>
>> There are many ways in which your ruleset might break. Two of the
>> most important comments I wanted to make when I first saw the posts
>> of this thread are: [...]
>>
>> b) Why do you use so many rules that 'filter' outgoing traffic?
>>
>> I saw smtp, pop3, time, http, https and many others. You
>> don't need to explicitly allow outgoing connections unless
>> the users in the internal LAN are not to be trusted at all
>> and even then IPFW is most of the time not the right way to
>> do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite which explains in detail why there
> are rules to control access to the public internet from LAN users.
I've read a very detailed guide that you wrote, linked by one of your posts and available online at:

http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be cool if it was somehow incorporated into the Handbook. It's not yet, but I like most of the text, so I hope it gets converted to SGML and added to the Handbook either in parts or as a whole.

If by "... which explains in detail why..." you refer to this particular quote from that document, I'm not sure that it is always a good idea, but that's my own opinion:

"The Outbound section in the following rule set only contains `pass' rules which contain selection values that uniquely identify the service that is authorized for public internet access."

In a corporate environment, where access to the Internet has to be limited and/or controlled in a more or less strict manner, it looks like a great idea. At home, where a couple of machines share a single Internet connection through a dialup or DSL line, this might be a bit too limiting ;-)

- Giorgos

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
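The two outbound policies argued over in this thread, side by side, as an added example that is not code from the thread or from the guide it links: the per-service `pass` list (which, without a rule for udp/53 to the resolvers, produces exactly the symptom James reported: ping and mail work, DNS does not) and the single stateful "allow the LAN out" rule Giorgos prefers for a home connection. The external interface `tun0`, the LAN `192.168.1.0/24` and the resolver address `192.0.2.53` are assumptions; the `dns_reachable` check is a small helper written for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Handbook guide). FWCMD defaults
# to "echo" so the rules are printed rather than loaded; on a FreeBSD host
# set FWCMD=/sbin/ipfw to apply them. Interface, LAN and resolver address
# are assumed values; 192.0.2.53 is a constructed stand-in for resolv.conf.
fwcmd="${FWCMD:-echo}"
oif="${OIF:-tun0}"
lan="${LAN:-192.168.1.0/24}"
resolvers="${RESOLVERS:-192.0.2.53}"

# Per-service pass rules, as in the guide's Outbound section: only the
# listed TCP services (smtp, pop3, time, http, https) may leave the LAN.
per_service_pass() {
    $fwcmd -q add 400 check-state
    for p in 25 110 37 80 443; do
        $fwcmd -q add 410 allow tcp from "$lan" to any "$p" out via "$oif" setup keep-state
    done
}

# The rule the reported ruleset lacked: LAN hosts may query the resolvers.
dns_pass() {
    for ns in $resolvers; do
        $fwcmd -q add 420 allow udp from "$lan" to "$ns" 53 out via "$oif" keep-state
    done
}

# Closing deny for the outbound section; anything not passed above is logged.
deny_rest_out() { $fwcmd -q add 499 deny log ip from any to any out via "$oif"; }

policy_a_broken() { per_service_pass; deny_rest_out; }   # what broke DNS
policy_a_fixed()  { per_service_pass; dns_pass; deny_rest_out; }

# Policy B, the home-LAN approach from the reply: one stateful rule lets the
# LAN initiate anything outbound; replies come back through check-state.
policy_b_home() {
    $fwcmd -q add 400 check-state
    $fwcmd -q add 410 allow ip from "$lan" to any out via "$oif" keep-state
    deny_rest_out
}

# Static check before loading a policy: does an allow for udp/53 (or for all
# IP) from the LAN appear before the closing outbound deny? Exit 0 if yes.
dns_reachable() {
    ( fwcmd=echo; "$@" ) | awk '
        $4 == "deny" && /out via/ { exit !found }
        $4 == "allow" && ($5 == "ip" || ($5 == "udp" && $0 ~ / 53 /)) { found = 1 }
        END { exit !found }'
}
```

Run `dns_reachable policy_a_broken` to see the broken list rejected and `dns_reachable policy_a_fixed` (or `policy_b_home`) accepted before loading either with `FWCMD=/sbin/ipfw`.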