[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: IP-Masquerade

Guilherme Soares Zahn wrote:
> The HOWTO suggested I should try something like
> ipfwadm -F -p deny (setting 'deny' as the default rule)
> ipfwadm -F -a masquerade -P tcp -D
> (and the same for udp)
The problem here is that packets are given permission to flow only one
way through the firewall. They need permission to flow bothways.
Basically if you want to let packets out, you need to let packets in.
You can use the -b command-line parameter to say the rule is

> I removed both lines and tried:
> ipfwadm -F -p accept -m (default policy: accept, masquerading)
> Now everuthing works fine, but I'm somehow suspicious this may open a
> whole in our security... does it? Is there a safer way to do it?
The firewall itself is the only computer at direct risk here. Because of
masquerading, the computers on the inside of the firewall are safe as
long as someone does not break into the firewall itself. From the
firewall machine they can travel to inner parts of the network.

Paul Miller

Where do all the bits go when the computer is done with them?

Reply to: