From: "Andrea E."
Date: Mon, 03 May 2004 17:11:33 +0000
To: Supote Leelasupphakorn
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: ipfw with NAT and ARP

Hi,

I have installed and configured FreeBSD 5.2.1 anew. Now I can do ping and
all other network commands. At this moment I don't know what the problem
was.

Thanks for all your help,
Andrea

Supote Leelasupphakorn wrote:
> Hi Andrea E.
>
> From my understanding, if you'd like to ping from EXTERNAL ip
> to EXTERNAL ip, the firewall is not involved because they will
> reach each other directly. Could you confirm that you'd like
> to "ping from EXTERNAL ip to EXTERNAL ip" so someone can find
> out the solution?
>
> Cheers,
> pjn
>
> --- Supote Leelasupphakorn wrote:
> Hi,
>
>>I am a newbie and my question is very easy perhaps. I work with
>>FreeBSD 5.2.1
>>
>>I would like to configure a firewall with two interfaces
>>(xl0 = LAN, xl1 = External)
>>
>>For NAT I have configured it as described in the manual page of natd:
>>
>>ipfw -f flush
>>ipfw add divert natd all from any to any via xl1
>>ipfw add allow all from any to any
>>
>>-> all is fine.
>>
>>But, I wont so a simple firewall and for this reason, first I want to
>>configure the ICMP-protocol:
>>
>>ip_ext => External IP-Address
>>
>>ipfw -f flush
>>ipfw add divert natd all from any to any via xl1
>>ipfw add allow icmp from $ip_ext to any icmptypes 8 out via xl1
>>ipfw add allow icmp from any to $ip_ext icmptypes 0 in via xl1
>>
>>-> It's not ok. With "ethereal" no packets are going out (test from
>>another system, connected with a hub.)
>>
>>When testing "ping" from external to external IP address of my
>>firewall, the ARP request: to broadcast Who has xxx.xxx.xxx.xxx? Tell
>>xxx.xxx.xxx.xxx fails
>>
>>-> seems to have a problem to let ARP through the firewall.
>>
>>Above -> "ipfw add allow all from any to any" lets ARP through the
>>firewall. So I think the configuration of the rest of my computer
>>(like kernel, rc.conf, etc.) is ok.
>>
>>And there is no ARP protocol in /etc/protocols, so I don't know what
>>I can do now.
>>
>>There is a bug:
>>After restarting the system with the above configuration of the
>>icmp-protocol, no ping-request is going out. After a flush of all
>>rules and configuring of "ipfw add allow all from any to any", the
>>ping-request gets an answer.
>>Very interesting is to flush all rules and to configure the firewall
>>like the first configuring (to allow special rules for icmp-protocol)
>>-> all works very fine. The ping-request gets an answer. When
>>restarting the system the ping-request gets no answer again, I mean,
>>the ping-request is not sent out.
>>
>>Can anybody help me? Hope to get an answer.
>>
>>I hope you can understand me, my English isn't very good.
>>
>>Greetings from Berlin,
>>
>> Andrea E.
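
A simplified first-match model of the two rulesets quoted in the message above, added here as an illustration; it is not part of anyone's post and not ipfw's own code. It assumes ipfw's implicit final "deny" rule and that a packet diverted to natd continues at the next rule; natd's address rewriting is not modelled, and IP_EXT and the sample addresses are constructed placeholders.

```python
# Simplified first-match model of the two ipfw rulesets quoted in the thread.
# Assumptions (not from the post): the implicit last rule is "deny", a packet
# handed to natd by "divert" re-enters at the next rule, and natd's address
# rewriting is ignored. IP_EXT and all sample addresses are constructed.
IP_EXT = "192.0.2.1"

# (action, proto, src, dst, icmptype, direction, interface); None means "any"
OPEN_RULES = [
    ("divert", None, None, None, None, None, "xl1"),
    ("allow", None, None, None, None, None, None),
]
ICMP_RULES = [
    ("divert", None, None, None, None, None, "xl1"),
    ("allow", "icmp", IP_EXT, None, 8, "out", "xl1"),
    ("allow", "icmp", None, IP_EXT, 0, "in", "xl1"),
]
FIELDS = ("proto", "src", "dst", "icmptype", "dir", "iface")

def verdict(rules, pkt):
    """Return 'allow' or 'deny' for a packet dict under first-match semantics."""
    for action, *conds in rules:
        if all(c is None or pkt.get(f) == c for f, c in zip(FIELDS, conds)):
            if action == "divert":
                continue  # natd re-injects; evaluation resumes at the next rule
            return action
    return "deny"  # implicit default rule

def icmp(src, dst, icmptype, direction, iface):
    """Build a constructed ICMP packet description."""
    return dict(proto="icmp", src=src, dst=dst, icmptype=icmptype,
                dir=direction, iface=iface)

# Constructed sample packets (type 8 = echo request, type 0 = echo reply)
SAMPLES = {
    "firewall pings out": icmp(IP_EXT, "198.51.100.7", 8, "out", "xl1"),
    "reply to firewall": icmp("198.51.100.7", IP_EXT, 0, "in", "xl1"),
    "outside host pings firewall": icmp("198.51.100.7", IP_EXT, 8, "in", "xl1"),
    "firewall's echo reply": icmp(IP_EXT, "198.51.100.7", 0, "out", "xl1"),
    "LAN host ping arriving on xl0": icmp("10.0.0.5", "198.51.100.7", 8, "in", "xl0"),
}

def report(rules):
    """Map each sample packet name to its verdict under the given ruleset."""
    return {name: verdict(rules, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in report(ICMP_RULES).items():
        print(f"{v:5}  {name}")
```

Under this model the ICMP-only ruleset accepts just the firewall's own outgoing echo request and the reply to it on xl1; every other sample packet reaches the default deny.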