natd and open firewall problem

Bill Hacker wbh at conducive.org
Sun Feb 27 01:08:58 PST 2005


Matthew Dillon wrote:

    I agree... the pass-all should use a fixed, high numbered rule, like
    65000.   The rule should be added near the beginning of the script,
    like it was before, just as a safety precaution in case the script dies
    somewhere.  I think those are the only real problems.  I'm not rabid 
    about placement, lets just get it fixed and committed :-)

						-Matt
Tested, but not submitted, the following in /etc/rc.firewall:

- Changed the pass-all rule number from 1 to 65000

- Commented out previous rule under 'deny_rest', leaving just the label (for now), as this is handled by implicit rule 65535.

Whether 65535 defaults to deny-all or to pass-all is historically set elsewhere; no entry is needed in /etc/rc.firewall.
man ipfw.

Result matches FreeBSD 4.X ruleset exactly.

- if that is what the community wishes.

Bill
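The placement point in this thread (pass-all at rule 65000 instead of rule 1, with the implicit rule 65535 supplied by the kernel) can be seen in a small POSIX shell model of ipfw's first-match evaluation. This is an added example and not the DragonFly or FreeBSD /etc/rc.firewall, nor anything from the list posters; it never calls the real ipfw(8). The rule format, the two rulesets and the packets are constructed for the demonstration; the kernel option name IPFIREWALL_DEFAULT_TO_ACCEPT is the real build-time switch for rule 65535's action.

```shell
#!/bin/sh
# Added example: a toy model of ipfw first-match evaluation, written to
# illustrate the rule placement discussed above. It is not rc.firewall and
# does not invoke ipfw(8).
#
# Constructed rule format: "<number> <action> <proto> <dport>", where proto
# is "ip" (matches any protocol) or a protocol name, and dport is "any" or a
# port. ipfw walks rules in ascending number order and stops at the first
# match; a packet that matches nothing hits the implicit rule 65535, whose
# action is fixed at kernel build time (IPFIREWALL_DEFAULT_TO_ACCEPT), not
# in rc.firewall.

# Ruleset A: pass-all installed as rule 1, the placement being replaced.
RULES_A='1 allow ip any
100 deny tcp 23
200 allow tcp 22'

# Ruleset B: the same rules with the pass-all moved to 65000.
RULES_B='100 deny tcp 23
200 allow tcp 22
65000 allow ip any'

# first_match RULESET DEFAULT PROTO DPORT
# Prints "<number> <action>" of the rule that decides the packet. DEFAULT
# ("allow" or "deny") stands in for the kernel's setting of rule 65535.
first_match() {
    rules=$1 default=$2 proto=$3 dport=$4
    hit=$(printf '%s\n' "$rules" | sort -n |
        while read -r num action rproto rport; do
            if [ "$rproto" = ip ] || [ "$rproto" = "$proto" ]; then
                if [ "$rport" = any ] || [ "$rport" = "$dport" ]; then
                    printf '%s %s\n' "$num" "$action"
                    exit 0          # stop at the first match, as ipfw does
                fi
            fi
        done)
    if [ -n "$hit" ]; then
        printf '%s\n' "$hit"
    else
        printf '65535 %s\n' "$default"
    fi
}

# Demonstration: the same packets under both layouts and under no pass-all.
demo() {
    printf 'tcp/23, pass-all at rule 1:        %s\n' "$(first_match "$RULES_A" deny tcp 23)"
    printf 'tcp/23, pass-all at rule 65000:    %s\n' "$(first_match "$RULES_B" deny tcp 23)"
    printf 'udp/53, pass-all at rule 65000:    %s\n' "$(first_match "$RULES_B" deny udp 53)"
    printf 'udp/53, no pass-all, default deny: %s\n' "$(first_match "100 deny tcp 23" deny udp 53)"
}

demo
```

With the pass-all at rule 1, the telnet deny at rule 100 is never consulted, so the "firewall" passes everything; at 65000 the specific rules are evaluated first and 65000 only catches what they did not decide. The last line shows why the 'deny_rest' entry is redundant: with no pass-all at all, the decision falls to rule 65535, whose action comes from the kernel build rather than from the script. The model does not cover the other point Matt raises, adding the 65000 rule early in the script so that it is already in place if the script dies part-way through.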
