First off, let me say thank you to whoever is responsible for writing
all this. Really helpful stuff. I implemented the NAT-ed stateful
ruleset (the last example) and found a bug I believe. The offending
line:
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
the TCP part should be UDP I believe. In some previous sections it
seemed it listed both TCP and UDP rules for DNS, but I believe that
DNS only uses TCP.
Also, is this a bit logically inconsistent? (Very last line)
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
Isn't it impossible for anything to get past rule 801? Doesn't it
essentially make it a default allow-all policy? If I'm not mistaken
shouldn't rule 999 be moved and changed to 799?
Thanks again for all this. The handbook is truly an invaluable resource.
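The ordering question raised above can be checked without a FreeBSD box. The script below is an added example, not code from the FreeBSD Handbook or from the mail: it is a toy model of ipfw's first-match evaluation (first matching rule wins, `skipto` resumes at the first rule with a number at or above the target, `divert` hands the packet on to the next rule) loaded with only the rules quoted in the mail, so it deliberately omits the rest of the Handbook ruleset. The `Packet`, `Rule`, `evaluate` and `unreachable_rules` names and the sample traffic are all constructed for this example. It shows that with the quoted ordering every packet that reaches rule 800 terminates at 801, so rule 999 can never match, and that moving the catch-all deny to 799 restores the intended default-deny while still letting `skipto 800` traffic through.

```python
"""Toy first-match model of an ipfw ruleset with skipto and divert.

Added example (not from the FreeBSD Handbook or the original mail).  Only
the rules quoted in the mail are modelled; the address rewriting done by
natd is ignored because it does not affect which rule terminates a packet.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", ...
    dport: int       # destination port
    direction: str   # "in" or "out"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # allow | deny | skipto | divert
    proto: str = "ip"                 # "ip" matches any protocol
    dport: Optional[int] = None       # None matches any port
    direction: Optional[str] = None   # None matches both directions
    target: Optional[int] = None      # skipto destination

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.direction is None or self.direction == pkt.direction))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, rule_number) of the rule that terminates the packet."""
    position = 0
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.number < position or not rule.matches(pkt):
            continue
        if rule.action in ("allow", "deny"):
            return rule.action, rule.number
        if rule.action == "skipto":
            position = rule.target      # resume at the first rule >= target
        # "divert": natd re-injects the packet at the next rule, so fall through
    return "deny", 65535                # ipfw's implicit default rule


# Rules as quoted in the mail: DNS skipto at 020, NAT block at 800/801,
# catch-all deny at 999.  (In the Handbook, 020 also carries keep-state.)
ORIGINAL = [
    Rule(20, "skipto", proto="tcp", dport=53, direction="out", target=800),
    Rule(800, "divert", direction="out"),
    Rule(801, "allow"),
    Rule(999, "deny"),
]

# The mail's proposal: move the catch-all deny in front of the skipto target.
CORRECTED = [
    Rule(20, "skipto", proto="tcp", dport=53, direction="out", target=800),
    Rule(799, "deny"),
    Rule(800, "divert", direction="out"),
    Rule(801, "allow"),
]

# Constructed sample traffic: one packet the DNS rule matches, three it does not.
SAMPLE_TRAFFIC = [
    Packet("tcp", 53, "out"),
    Packet("udp", 53, "out"),
    Packet("tcp", 80, "out"),
    Packet("tcp", 22, "in"),
]


def unreachable_rules(rules: List[Rule], traffic: List[Packet]) -> List[int]:
    """Terminating rules (allow/deny) that no packet in `traffic` ever reaches."""
    hit = {evaluate(rules, p)[1] for p in traffic}
    return sorted(r.number for r in rules
                  if r.action in ("allow", "deny") and r.number not in hit)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(f"--- {name} ---")
        for p in SAMPLE_TRAFFIC:
            print(f"{p.proto:3} {p.dport:3} {p.direction:3} -> {evaluate(rules, p)}")
        print("never matched:", unreachable_rules(rules, SAMPLE_TRAFFIC))
```

With the original ordering every sample packet, including inbound SSH and outbound UDP 53, terminates at rule 801, and 999 appears in the never-matched list; with the deny at 799 only the packet that took the `skipto 800` path is allowed, and nothing is unreachable. The same first-match reasoning applies to any ipfw ruleset: a `deny` placed after an unconditional `allow` is dead, and auditing which terminating rules real traffic actually hits (here via `unreachable_rules`, on a live system via `ipfw -a list` counters) is the quickest way to catch it.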
_______________________________________________
freebsd-doc@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-doc