Subject: Re: ipf rules for NAT with non-trusted private net
To: Daniel Eggert <danieleggert@mac.com>
From: Mipam <mipam@ibb.net>
List: netbsd-help
Date: 11/18/2002 19:34:35
On Mon, Nov 18, 2002 at 01:22:19AM -0800, Daniel Eggert wrote:
> I'm running NAT and have a private subnet 192.168.0.0/24, but in contrast to the case usually described in the documentation, my private subnet is _not_ trusted.
> 
> My question: How should I set up my ipf rules for the nic that connects the 192.168.0.0/24 network? I want to allow all traffic to my ISP, but nothing to my NetBSD box.
> 

The NetBSD machine works as router/nat, it doesn't need to
run any services at all. So disable all services on the NetBSD machine.
Because you're doing nat, no one can just initiate a connection
to a machine on your internal subnet. Unless you redirect certain
traffic if you have certain servers running on your private network?
This setup provides basic security, but it's a start.
The ipf pages contain a lot of info on more things you can
do to improve things.
But by all means ... don't end up with a big rule base,
it makes things unnecessarily complex, downgrades performance and security.
Bye,

Mipam.
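As an added illustration of the small rule base the reply argues for (this is not from the original thread and not an official NetBSD or ipf example), the following ipf.conf treats the 192.168.0.0/24 side as untrusted: the LAN may only go out through the router, and nothing from the LAN may reach the router's own addresses. The interface names (ne0 internal, ne1 towards the ISP), the router's internal address 192.168.0.1 and the ISP-side address 203.0.113.5 are assumptions; 203.0.113.5 is a documentation-range placeholder that stands in for whatever address the ISP assigns.

```conf
# /etc/ipf.conf -- constructed example, not from the original post.
# Assumed layout: ne0 = internal NIC (192.168.0.0/24, untrusted),
#                 ne1 = NIC towards the ISP.
# Assumed router addresses: 192.168.0.1 on ne0, 203.0.113.5 on ne1
# (203.0.113.5 is a placeholder for the real ISP-assigned address).
# ipf evaluates top to bottom and the last match wins unless a rule
# says "quick", so the defaults go first and the exceptions use quick.

# Default: drop and log everything in both directions.
block in log all
block out log all

# Loopback is left alone.
pass in quick on lo0 all
pass out quick on lo0 all

# --- internal side (ne0) ---
# Anti-spoofing: only the private subnet may appear as source on ne0.
block in log quick on ne0 from ! 192.168.0.0/24 to any
# The LAN gets nothing on the router itself, on either of its addresses.
block in log quick on ne0 from any to 192.168.0.1
block in log quick on ne0 from any to 203.0.113.5
# Nor anything else in the private range that would be routed back in.
block in log quick on ne0 from any to 192.168.0.0/24
# Everything that survives the above may leave towards the ISP.
# keep state lets the replies travel back out on ne0 without more rules.
pass in quick on ne0 from 192.168.0.0/24 to any keep state

# --- ISP side (ne1) ---
# Only connections initiated from inside may go out; replies are matched
# by the state table, so no "pass in" rule is needed on ne1 at all.
# "from any" avoids depending on whether the filter sees the packet
# before or after NAT rewrites the source address.
pass out quick on ne1 proto tcp from any to any flags S keep state
pass out quick on ne1 proto udp from any to any keep state
pass out quick on ne1 proto icmp from any to any keep state

# The NAT itself lives in /etc/ipnat.conf (separate file), e.g.:
#   map ne1 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:60000
#   map ne1 192.168.0.0/24 -> 0/32
# 0/32 means "use the address currently on ne1". Without an rdr line,
# nothing from the ISP side can open a connection to a LAN host.
```

Load it with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`, then confirm from a LAN host that the ISP side is reachable while 192.168.0.1 is not; `ipfstat -io` shows the rules as loaded and the `log` keyword makes rejected LAN-to-router attempts visible through ipmon, which is the only place an untrusted subnet's probing of the router will show up.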