natd and open firewall problem
Bill Hacker
wbh at conducive.org
Sun Feb 27 01:08:58 PST 2005
Matthew Dillon wrote:
> I agree... the pass-all should use a fixed, high numbered rule, like
> 65000. The rule should be added near the beginning of the script,
> like it was before, just as a safety precaution in case the script dies
> somewhere. I think those are the only real problems. I'm not rabid
> about placement, let's just get it fixed and committed :-)
>
> -Matt
Tested, but not submitted, the following in /etc/rc.firewall:
- Changed the pass-all rule number from 1 to 65000
- Commented-out previous rule under 'deny_rest', leaving just the label
(for now), as this is handled by implicit rule 65535.
Whether 65535 defaults to deny-all or to pass-all is historically set
elsewhere, no entry needed in /etc/rc.firewall.
man ipfw.
Result matches FreeBSD 4.X ruleset exactly.
- if that is what the community wishes.
Bill
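Why the number of the safety pass-all rule matters is easier to see with a small model of how ipfw evaluates a ruleset. The following Python is an added example, not code from this thread or from DragonFly's /etc/rc.firewall; it assumes the simplified ipfw(8) semantics that rules are tried in ascending rule-number order, the first matching rule decides the packet, and 65535 is the implicit default rule whose verdict (deny unless the kernel was built to default to accept) is fixed outside the script. The policy rules, the rule numbers other than 1, 65000 and 65535, and the sample packets are all constructed for the illustration.

```python
"""Toy model of ipfw first-match evaluation (constructed for this example).

Rules are checked in ascending rule-number order and the first rule whose
predicate matches decides the packet.  Rule 65535 is the implicit default
rule: a script never adds it, and whether it denies or accepts is decided
at kernel build time, not in /etc/rc.firewall.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]   # e.g. {"src": "198.51.100.7", "dport": 23}
Verdict = Tuple[str, int]    # (action, number of the rule that decided)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                         # "pass" or "deny"
    match: Callable[[Packet], bool]
    text: str                           # ipfw-style text, for readability


def evaluate(rules: List[Rule], pkt: Packet, default_to_accept: bool = False) -> Verdict:
    """First matching rule wins; fall through to implicit rule 65535."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.match(pkt):
            return rule.action, rule.number
    return ("pass" if default_to_accept else "deny"), 65535


def any_pkt(_: Packet) -> bool:
    return True


def src_in(prefix: str) -> Callable[[Packet], bool]:
    return lambda p: str(p.get("src", "")).startswith(prefix)


def dport(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.get("dport") == port


# Constructed policy rules, in the spirit of the rc.firewall sections
# (loopback handling, anti-spoofing, then per-service rules).
POLICY = [
    Rule(100, "pass", lambda p: p.get("via") == "lo0", "pass all from any to any via lo0"),
    Rule(300, "deny", src_in("127."), "deny ip from 127.0.0.0/8 to any"),
    Rule(1000, "pass", dport(22), "pass tcp from any to me 22"),
    Rule(2000, "deny", dport(23), "deny tcp from any to me 23"),
]

PASS_ALL_TEXT = "pass all from any to any"


def ruleset(pass_all_number: int, loaded_policy_rules: int = len(POLICY)) -> List[Rule]:
    """The safety pass-all plus however many policy rules the script managed
    to add before it (possibly) died part-way through."""
    return [Rule(pass_all_number, "pass", any_pkt, PASS_ALL_TEXT)] + POLICY[:loaded_policy_rules]


def decide(pass_all_number: int, pkt: Packet, loaded_policy_rules: int = len(POLICY)) -> Verdict:
    return evaluate(ruleset(pass_all_number, loaded_policy_rules), pkt)


# Constructed sample packets (documentation address ranges).
TELNET = {"src": "198.51.100.7", "dst": "192.0.2.1", "dport": 23}
SPOOFED = {"src": "127.0.0.1", "dst": "192.0.2.1", "dport": 80}
HTTP = {"src": "198.51.100.7", "dst": "192.0.2.1", "dport": 80}


if __name__ == "__main__":
    # Pass-all at rule 1 shadows every later rule: the telnet deny is dead.
    print("rule 1 pass-all, telnet:", decide(1, TELNET))          # ('pass', 1)
    # Pass-all at 65000 lets the policy rules run first.
    print("rule 65000 pass-all, telnet:", decide(65000, TELNET))  # ('deny', 2000)
    print("rule 65000 pass-all, spoofed:", decide(65000, SPOOFED))  # ('deny', 300)
    print("rule 65000 pass-all, http:", decide(65000, HTTP))      # ('pass', 65000)
    # Script died right after adding the pass-all: nothing is locked out.
    print("script died early, http:", decide(65000, HTTP, 0))     # ('pass', 65000)
    # No pass-all at all: the implicit 65535 rule decides, per kernel config.
    print("no pass-all, default deny:", evaluate(POLICY, HTTP))   # ('deny', 65535)
    print("no pass-all, default accept:", evaluate(POLICY, HTTP, True))  # ('pass', 65535)
```

The model also shows why a trailing "deny all" under deny_rest is redundant on a kernel whose default rule denies: anything that reaches a hypothetical rule 65534 would reach 65535 with the same result, so only the label needs to remain.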