From owner-freebsd-ipfw Sun Nov 5 16:06:35 2000
Date: Sun, 5 Nov 2000 19:06:23 -0500 (EST)
From: Darren Henderson
To: freebsd-ipfw@freebsd.org
Subject: ipfw + bridging + divert (or what would be the solution of choice)
In-Reply-To: <20001105222230.E300637B4CF@hub.freebsd.org>

Howdy,

We're in the process of swapping providers and now I have to decide the
best way to configure the resources we're going to have.

From my searching I'm guessing that the following is probably not possible
but some of the docs and discussions were a bit dated so perhaps things
have changed....

Essentially I would like to bridge and route in one box, doing natd on the
routed net, using three cards. ie

     isdn                    firewall
isp ------ Cisco804 -------- ed0 ed1 -------- intranet/non-private ip's
                      dmz      ed2
                                |  (natd)
                                +------------ intranet/private 10/8

I've got a 4 bit subnet from the isp that I want to split between the
segments attached to ed0 and ed1 as flexibly as possible so I would like
to bridge between ed0 (which I gather should be configured with an ip) and
ed1 (which should not have an ip). All possible and the function of a
bridging firewall.

Now, I would like to also have another private address segment which
utilizes natd and is able to talk to both the ed0 and ed1 side.

All the while being able to make use of ipfw's rules of course.

Possible or out of the question?

My basic problem is deciding how to make the best use of the ip addresses
they are giving us. Currently we have 1 ip address and are using natd
over a dedicated dial up. Moving to a new provider and we're being given
15 addresses. Now I could keep my current intranet just as it is and
replace my ppp0 interface with an ed1 and use the ip addresses for
things in the dmz. So....

     isdn                    firewall
isp ------ Cisco804 -------- ed0 ed1 -------- intranet/private ip's
                      dmz              natd

Just that I don't have a use currently for all of the ips in the dmz and
it's likely that I won't in the near future. I could split them in two but
that only leaves 6 addresses that could be used on the intranet and isn't
sufficient for the device count without having the mixed
private (natd'd) and non-private addresses.

Another alternative I've seen mentioned is to use a private network space
in the dmz and use all the rest on the intranet side but this doesn't seem
as flexible.

Thoughts, ideas or directions?

Thanks.

______________________________________________________________________
Darren Henderson                                 darren@nighttide.net
            Help fight junk e-mail, visit http://www.cauce.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Nov 5 16:13:27 2000
Date: Sun, 5 Nov 2000 19:13:16 -0500 (EST)
From: Darren Henderson
To: freebsd-ipfw@FreeBSD.ORG
Subject: what the heck, talk about tacky

Someone has subscribed an autoresponder for ads (see below) to the mailing
list? How nasty.

______________________________________________________________________
Darren Henderson                                 darren@nighttide.net
            Help fight junk e-mail, visit http://www.cauce.org/

From freebsd-ipfw@FreeBSD.ORG Sun Nov 5 19:11:44 2000
Received: from ns3.usww.net (machine.annamaria.net [216.104.145.140] (may be forged))
        by jasper.nighttide.net (8.9.3/8.9.3) with ESMTP id TAA15439;
        Sun, 5 Nov 2000 19:07:22 -0500 (EST)
Received: (from daemon@localhost) by ns3.usww.net (8.8.8/8.8.8) id TAA15901
        for darren@nighttide.net; Sun, 5 Nov 2000 19:06:49 -0500 (EST)
        (envelope-from daemon)
Date: Sun, 5 Nov 2000 19:06:49 -0500 (EST)
Message-Id: <200011060006.TAA15901@ns3.usww.net>
From: freebsd-ipfw@FreeBSD.ORG (freebsd-ipfw@FreeBSD.ORG Auto Responder)
Reply-To: freebsd-ipfw@FreeBSD.ORG
To: darren@nighttide.net
Subject: Re: ipfw + bridging + divert (or what would be the solution of choice)
Content-Type: text/html; charset=us-ascii

Thank you for your Email

darren@nighttide.net,

Your message concerning "ipfw + bridging + divert (or what would be the solution of choice)" was received. We will attend to it as soon as possible.

Thank you,
freebsd-ipfw@FreeBSD.ORG


Be sure to visit the links below for free programs and information
Web sites, Racks Space, Colo Servers
Many things of interest
Search Engine. Add your URL Free
Free Banner Exchange.500 Free Displays
Quick Business web site. 1 Minute setup
Quick Personal web site. 1 Minute setup
Free Classified Advertising


If you are concerned about viruses click here
This system is protected by the USWW Server Side Virus scanner and auto responder. Protecting you before you know you need protection.




 ---First 50 lines of original message included below----


 
 Howdy,
 
 We're in the process of swapping providers and now I have to decide the
 best way to configure the resources we're going to have.
 
 From my searching I'm guessing that the following is probably not possible
 but some of the docs and discussions were a bit dated so perhaps things
 are changed....
 
 Essentially I would like to bridge and route in one box, doing natd on the
 routed net, using three cards. ie
 
      isdn                    firewall          
 isp ------ Cisco804 -------- ed0 ed1 -------- intranet/non-private ip's
                       dmz      ed2
                                 |  (natd)
                                 +------------ intranet/private 10/8
 
 I've got a 4 bit subnet from the isp that I want to split between the
 segments attached to ed0 and ed1 as flexibly as possible so I would like
 to bridge between ed0 (which I gather should be configured with an ip) and
 ed1 (which should not have an ip). All possible and the function of a
 bridging firewall.
 
 Now, I would like to also have another private address segment which
 utilizes natd and is able to talk to both the ed0 and ed1 side.
 
 All the while being able to make use of ipfw's rules of course. 
 
 Possible or out of the question?
 
 My basic problem is deciding how to make the best use of the ip addresses
 they are giving us. Currently we have 1 ip address and are using natd
 over a dedicated dial up. Moving to a new provider and we're being given
 15 addresses. Now I could keep my current intranet just as it is and
 replace my ppp0 interface with an ed1 and using the ip addresses for
 things in the dmz. So....
 
      isdn                    firewall          
 isp ------ Cisco804 -------- ed0 ed1 -------- intranet/private ip's
                       dmz              natd
 
 Just that I don't have a use currently for all of the ips in the dmz and
 it's likely that I won't in the near future. I could split them in two but
 that only leaves 6 addresses that could be used on the intranet and isn't
 sufficient for the device count without having the mixed
 private (natd'd) and non-private addresses.
 
 
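The routed variant of the three-card layout from Darren's original question (ed0 towards the Cisco, ed1 carrying the ISP-assigned block, ed2 a natd'd 10/8 net), written out as an added example. This is not code from the thread or from FreeBSD's rc.firewall: the documentation-range addresses, the natd.conf options chosen, the rule numbers and the published host 10.1.1.5 are all assumptions for illustration. The script only prints what would be installed, and includes the ordering check one wants before loading a divert ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: generate natd.conf and an ipfw ruleset
# for a routed three-interface firewall (no bridge). Interface names follow
# the diagram in the question; addresses are constructed from the IPv4
# documentation ranges and are assumptions.

EXT_IF=ed0                  # towards the Cisco 804 / ISP
DMZ_IF=ed1                  # DMZ carrying the ISP-assigned addresses
PRIV_IF=ed2                 # private 10/8 intranet behind natd
DMZ_NET=203.0.113.16/28     # the 15-address block (assumed value)
PRIV_NET=10.0.0.0/8
NAT_IP=203.0.113.2          # ed0's own address; natd rewrites private sources to it
NAT_ALIAS=203.0.113.3       # second address ed0 answers for, mapped 1:1 to a private host
PUBLISHED_HOST=10.1.1.5     # private host reachable through NAT_ALIAS (assumed)

# /etc/natd.conf (started with "natd -f /etc/natd.conf").
# redirect_address is natd's static 1:1 mapping: NAT_ALIAS <-> PUBLISHED_HOST.
natd_conf() {
    cat <<EOF
interface $EXT_IF
use_sockets yes
same_ports yes
redirect_address $PUBLISHED_HOST $NAT_ALIAS
EOF
}

# Ruleset in "ipfw add" syntax. Every forwarded packet is checked twice,
# inbound on the interface it arrives on and outbound on the one it leaves
# by. Groups: 300 drops spoofed private sources arriving from the ISP;
# 400 hands all EXT_IF traffic to natd *before* any policy rule, so the
# rules after it see real (untranslated) addresses; 500-510 replies;
# 600-610 traffic entering from the inside interfaces; 620-630 traffic
# leaving towards the ISP (private sources already rewritten by natd);
# 640 DMZ <-> private is routed directly and never translated; 700-710
# inbound services (710 matches after natd has unmapped NAT_ALIAS);
# 720-730 deliver permitted inbound packets onto the inside interfaces.
nat_ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from $PRIV_NET to any in via $EXT_IF
add 400 divert natd ip from any to any via $EXT_IF
add 500 allow tcp from any to any established
add 505 allow udp from any 53 to any in via $EXT_IF
add 510 allow icmp from any to any icmptypes 0,3,8,11
add 600 allow ip from $PRIV_NET to any in via $PRIV_IF
add 610 allow ip from $DMZ_NET to any in via $DMZ_IF
add 620 allow ip from $NAT_IP to any out via $EXT_IF
add 625 allow ip from $NAT_ALIAS to any out via $EXT_IF
add 630 allow ip from $DMZ_NET to any out via $EXT_IF
add 640 allow ip from $PRIV_NET to $DMZ_NET out via $DMZ_IF
add 700 allow tcp from any to $DMZ_NET 25,80 setup in via $EXT_IF
add 710 allow tcp from any to $PUBLISHED_HOST 80 setup in via $EXT_IF
add 720 allow ip from any to $DMZ_NET out via $DMZ_IF
add 730 allow ip from any to $PRIV_NET out via $PRIV_IF
add 65000 deny log ip from any to any
EOF
}

# Check a ruleset on stdin: the divert rule must carry a lower number than
# every allow rule that mentions EXT_IF, otherwise natd never sees that
# traffic and nothing gets translated. Exit 0 when the order is right.
divert_precedes_ext_allows() {
    awk -v ext="$EXT_IF" '
        { rule[NR] = $0; num[NR] = $2; act[NR] = $3 }
        act[NR] == "divert" && d == "" { d = $2 }
        END {
            if (d == "") exit 1
            for (i = 1; i <= NR; i++)
                if (act[i] == "allow" && rule[i] ~ ("via " ext) && num[i] + 0 < d + 0)
                    exit 1
            exit 0
        }'
}

# Dry run: show both files and confirm the divert rule is placed correctly.
echo "# /etc/natd.conf"; natd_conf
echo "# ipfw rules"; nat_ruleset
nat_ruleset | divert_precedes_ext_allows && echo "# divert rule precedes every $EXT_IF allow: ok"
```

On the firewall the two outputs would go to /etc/natd.conf and to a rule file handed to ipfw; the check is worth keeping in whatever script loads the rules, because renumbering the divert rule above the allow rules silently turns the box into a plain router for the private net.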
From owner-freebsd-ipfw Sun Nov 5 18:11:28 2000
Date: Sun, 5 Nov 2000 19:11:09 -0700 (MST)
From: Nick Rogness
To: Darren Henderson
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + bridging + divert (or what would be the solution of choice)

On Sun, 5 Nov 2000, Darren Henderson wrote:

>
> Howdy,

        Hello!

>
> We're in the process of swapping providers and now I have to decide the
> best way to configure the resources we're going to have.
>
> From my searching I'm guessing that the following is probably not possible
> but some of the docs and discussions were a bit dated so perhaps things
> have changed....
>
> Essentially I would like to bridge and route in one box, doing natd on the
> routed net, using three cards. ie
>
>      isdn                    firewall
> isp ------ Cisco804 -------- ed0 ed1 -------- intranet/non-private ip's
>                       dmz      ed2
>                                 |  (natd)
>                                 +------------ intranet/private 10/8
>
> I've got a 4 bit subnet from the isp that I want to split between the
> segments attached to ed0 and ed1 as flexibly as possible so I would like
> to bridge between ed0 (which I gather should be configured with an ip) and
> ed1 (which should not have an ip). All possible and the function of a
> bridging firewall.
>

        Why would you want to bridge between ed0 and ed1? Why not run 2
different netblocks, 1 range on ed2 and 1 range on ed1, running nat on the
firewall. It would be the easiest way to manage (IMO).

        It all depends on how the ISP is assigning addresses to you. Use
proxy arp on the firewall to handle the assigned addresses if they are
assigning the address space to your dialup connection as directly connected
(your dialup interface on the cisco and the netblock they assigned are on
the same network). They could also route the network to your dialup
connection over an already connected ip dialup interface (your dialup
interface is on a different network than the assigned address). In this
case you would route the netblock to your BSD firewall in your cisco.

        You can bridge though, it's just a matter of opinion ;-)

> Now, I would like to also have another private address segment which
> utilizes natd and is able to talk to both the ed0 and ed1 side.
>
> All the while being able to make use of ipfw's rules of course.
>
> Possible or out of the question?
>

        Whichever way you choose, it is doable.

> My basic problem is deciding how to make the best use of the ip addresses
> they are giving us. Currently we have 1 ip address and are using natd
> over a dedicated dial up. Moving to a new provider and we're being given
> 15 addresses. Now I could keep my current intranet just as it is and
> replace my ppp0 interface with an ed1 and use the ip addresses for
> things in the dmz. So....
>
>      isdn                    firewall
> isp ------ Cisco804 -------- ed0 ed1 -------- intranet/private ip's
>                       dmz              natd
>
> Just that I don't have a use currently for all of the ips in the dmz and
> it's likely that I won't in the near future. I could split them in two but
> that only leaves 6 addresses that could be used on the intranet and isn't
> sufficient for the device count without having the mixed
> private (natd'd) and non-private addresses.
>
> Another alternative I've seen mentioned is to use a private network space
> in the dmz and use all the rest on the intranet side but this doesn't seem
> as flexible.

        Use private addresses in your Private and DMZ. Then you will have a
1 stop shop for public IP allocation: your firewall with natd. You can
bring up machines in your DMZ without having a dramatic effect on your
public assigned addresses...that is until you assign them via natd
(redirect_address) on your BSD firewall:

                                Firewall
isp ---- Cisco804 --- (NAT) --- ed0 ed1 --- DMZ (Private addresses
                                ed2             192.168/16 or whatever)
                                 |
                                 |
                            Private net (Private addresses 10/8)

        Of course if you use bridging you don't have this luxury.

        Just my 2 cents.

Nick Rogness
 - Drive defensively.  Buy a tank.

From owner-freebsd-ipfw Mon Nov 6 00:22:40 2000
Date: Mon, 6 Nov 2000 10:22:24 +0200
From: Ruslan Ermilov
To: Ray Qiu
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Natd
Message-ID: <20001106102224.A97309@sunbay.com>
References: <20001103181102.45572.qmail@web9108.mail.yahoo.com>
In-Reply-To: <20001103181102.45572.qmail@web9108.mail.yahoo.com>; from ray_qiu@yahoo.com on Fri, Nov 03, 2000 at 10:11:02AM -0800

On Fri, Nov 03, 2000 at 10:11:02AM -0800, Ray Qiu wrote:
> Hi,
>
> I am running IPFW and NATd. How can I view the internal natd session table?
>
There is no way (currently).

> How can I change the natd timeout (per session) parameter?
>
No way as well.
--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-ipfw Mon Nov 6 02:01:30 2000
Date: Mon, 06 Nov 2000 19:01:19 +0900
From: Jun Kuriyama
To: FreeBSD IPFW
Subject: Re: deny question...
Message-ID: <7maebd2zdc.wl@waterblue.imgsrc.co.jp>
In-Reply-To: <02ad01c044f7$6dc1c440$0200000a@mike>
References: <02ad01c044f7$6dc1c440$0200000a@mike>

At 2 Nov 2000 18:05:18 GMT, Daryl Chance wrote:
> ipfw: -1 Refuse TCP 209.1.224.186 24.95.125.205 in via rl0 Fragment = 147

I saw this message in an old -current box, but it seemed fixed in recent
-current.

--
Jun Kuriyama // IMG SRC, Inc.
             // FreeBSD Project

From owner-freebsd-ipfw Mon Nov 6 22:17:05 2000
Date: Tue, 7 Nov 2000 04:16:24 -0300
From: "Conrado Vardanega"
Subject: fwd

Hi.

I'm planning to setup a firewall with TWO internet connections, each one to
a different backbone. This system will have three incoming interfaces (users
accessing the internet) and two outgoing interfaces (connected to the
routers).

My questions:

1. According to my conclusions on reading ipfw's manpages, I can control
   through what connection each network is going out.

2. If 1 is OK, do the TWO outgoing interfaces have to be set as default
   routes, considering that both go to the internet?

3. Assuming that all this is OK, consider the following situation: An ipfw
   rule is set to allow incoming connections with the "keep-state" option
   (passing through the firewall), that is, using dynamic rules. How are
   the outgoing packets going to be handled at the firewall? Does it
   somehow "dynamically" forward them to the proper interface?

If anyone has a setup like this, please let me know.

Thanks.
Conrado

From owner-freebsd-ipfw Tue Nov 7 10:43:22 2000
Date: Tue, 7 Nov 2000 16:43:27 -0300
From: "Alexandre Stumpf"
Subject: Natd
Message-ID: <007001c048f3$00535d10$bef9f8c8@stumpf>

Hi,

I want to use a PPTP client behind a FreeBSD 2.2.8 with natd. The version of
natd did not translate GRE (IP encapsulation protocol), it only works with
TCP, UDP and ICMP. Does the new version of natd included in FreeBSD 4.1.1
translate GRE packets?

Thanks

Alex

From owner-freebsd-ipfw Tue Nov 7 21:01:23 2000
Date: Tue, 7 Nov 2000 21:01:20 -0800 (PST)
From: Archie Cobbs
To: stumpf@interage.com.br
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Natd
Message-Id: <200011080501.eA851KH96361@curve.dellroad.org>
In-Reply-To: <007001c048f3$00535d10$bef9f8c8@stumpf> "from Alexandre Stumpf at Nov 7, 2000 04:43:27 pm"

Alexandre Stumpf writes:
> I want to use a PPTP client behind a FreeBSD 2.2.8 with natd. The version of
> natd did not translate GRE (IP encapsulation protocol), it only works with
> TCP, UDP and ICMP. Does the new version of natd included in FreeBSD 4.1.1
> translate GRE packets?

Yes, newer FreeBSD's support translating on behalf of PPTP clients.
-Archie

__________________________________________________________________________
Archie Cobbs   *   Packet Design   *   http://www.packetdesign.com

From owner-freebsd-ipfw Fri Nov 10 13:13:09 2000
Date: Fri, 10 Nov 2000 22:13:00 +0100 (CET)
From: Toni Pisjak
Reply-To: Admin
Cc: Admin
Subject: Re: Problem: Setup ipfw Firewall

Hello !

(Sorry to the "ipfw" mailinglist, but i didn't get an answer from
freebsd-questions, but perhaps you can help me).

I have problems setting up a firewall on FreeBSD 4.1. I still work with my
simple test configuration (firewall between two clients):

>  client-0                firewall                 client-1
>
>  .111.29/:4b:a8----------.111.9/:97:55
>  (= IP/MAC)              .111.9/:9b:1f-----------.112.50/:a2:59

Can anybody tell me, if the following conditions are sufficient to forward
packets through an "open" (i.e. with rule "allow all from any to any")
firewall, because this is what i'm not able to do.

- Install two NICs into firewall (the two NICs have the same IP number)
- Build new kernel with options IP_FIREWALL and IPFIREWALL_VERBOSE
  Is the kernel option BRIDGE necessary or harmful or does not matter ?
- Routing tables shown below
- Apply firewall rule "allow all from any to any" resp.
  the rules "allow all from to via "

Another question: The decision to send a packet to which NIC is only made
through the firewall rules, or is there another thing to do ?

Thanks in advance: Toni.

On Tue, 7 Nov 2000, Toni Pisjak wrote:

> Hello !
>
> I have problems setting up a firewall on FreeBSD-4.1, though following the
> directions in the FreeBSD handbook. I made a special (e.g. simple) test
> configuration, shown in the following draft (firewall between two clients,
> shown with abbreviated IP address / MAC address):
>
>
>  client-0                firewall                 client-1
>
>  .111.29/:4b:a8----------.111.9/:97:55
>                          .111.9/:9b:1f-----------.112.50/:a2:59
>
>
> Because of the kernel variable net.inet.ip.forwarding set to 1, i think,
> that packets arriving on one firewall NIC should be forwarded to the other
> NIC, considering the following configuration:
>
> The firewall routing table:
>
> Destination        Gateway          Flags   Refs   Use  Netif Expire
> --------------------------------------------------------------------------
> default            xxx.yyy.111.1    UGSc       0     0  fxp0
> 127.0.0.1          127.0.0.1        UH         0     0  lo0
> xxx.yyy            link#2           UC         0     0  fxp1 =>
> xxx.yyy.111/25     link#1           UC         0     0  fxp0 =>
> xxx.yyy.111.1      link#1           UHLW       1     0  fxp0 =>
> --------------------------------------------------------------------------
> xxx.yyy.111.29     ...:a2:59        UHLW       1    21  fxp0    725
> xxx.yyy.112.50     ...:4b:a8        UHLW       0     7  fxp1     83
>
> The first five routings are the default routings, the last two routings
> were added, when i did a ping from the clients to the firewall. These last
> two routings (surprisingly ?) have the schema:
>      dest = ; gateway = <*client* mac address>
>                            ^^^^^^
>
>
> The routing table of client0 (client1 is analogous; the firewall should
> be transparent, so i dont want to write it into the routings):
>
> Destination        Gateway
> -------------------------------------------------------------------
> ...111.0           ...111.29
> ...default         ...111.29
>
>
> The firewall rules i tried were:
>
> 1. allow all from any to any
> 2. allow all from client0 to client1 in via NIC0
>    allow all from -"- out via NIC1
>    allow all from client1 to client0 in via NIC1
>    allow all from -"- out via NIC0
>
> In both cases pinging between firewall and client0/1 works, but pinging
> between the two clients fails (in case of *directly* connected clients
> (without firewall), ping works with the above configuration).
>
> "tcpdump" (running on the firewall) shows, that the ping request reaches
> the firewall at the appropriate NIC, but there's no output to the other
> NIC (i.e. no forwarding).
>
> PS: Another strange thing: If the firewall NICs are both set to the ip
> address ...111.9 via *rc.conf*, the pinging from client1 to the firewall
> via NIC-1 does *not* work after booting. But if i *then* set the ip
> address manually (ifconfig), the following error message appears ...:
>
> /kernel: rtinit: wrong ifa (0xc0e00480) was (0xc0e00700)
>
> ... but ping works (!).
>
> Any suggestions ?
>
> Thanks in advance: Toni.
>
> PPS:
>
> Excerpt of my /etc/rc.conf:
> ---------------
> ifconfig_fxp1="inet xxx.yyy.111.9 netmask 255.255.255.128"
> ifconfig_fxp0="inet xxx.yyy.111.9 netmask 255.255.255.128"
> hostname="aaa.bbb.ccc.ddd"
> router_enable="NO"
> gateway_enable="YES"
> defaultrouter="xxx.yyy.111.1"
> firewall_enable="YES"
> tcp_extensions="NO"
> ----------------
>
> Additions to the GENERIC kernel:
> --------------------
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
>

--
Toni Pisjak                    Technische Universitaet Wien
pisjak@dbai.tuwien.ac.at       http://www.dbai.tuwien.ac.at

From owner-freebsd-ipfw Fri Nov 10 13:58:26 2000
Date: Fri, 10 Nov 2000 14:58:17 -0700 (MST)
From: Nick Rogness
To: Admin
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Problem: Setup ipfw Firewall

On Fri, 10 Nov 2000, Toni Pisjak wrote:

> Hello !
>
> (Sorry to the "ipfw" mailinglist, but i didn't get an answer from
> freebsd-questions, but perhaps you can help me).
>
> I have problems setting up a firewall on FreeBSD 4.1. I still work
> with my simple test configuration (firewall between two clients):
>
> >  client-0                firewall                 client-1
> >
> >  .111.29/:4b:a8----------.111.9/:97:55
> >  (= IP/MAC)              .111.9/:9b:1f-----------.112.50/:a2:59
>
> Can anybody tell me, if the following conditions are sufficient to
> forward packets through an "open" (i.e. with rule "allow all from any to
> any") firewall, because this is what i'm not able to do.
>
> - Install two NICs into firewall (the two NICs have the same IP number)

        Not a good idea to have 2 NICs with the same IP. The NIC with MAC
of :9b:1f should have an IP on the 112.X network...if you want to route.

> - Build new kernel with options IP_FIREWALL and IPFIREWALL_VERBOSE
>   Is the kernel option BRIDGE necessary or harmful or does not matter ?

        If Client0 and Client1 are on the same (logical) network then you
will want to BRIDGE. If not, then route. It appears in the above example
that the 2 networks are on different (layer3) networks, so route!

> Another question: The decision to send a packet to which NIC is only made
> through the firewall rules, or is there another thing to do ?

        No. The routing decisions are made by the FreeBSD routing
internals, not the firewalling. Firewalling looks at those packets and
performs actions based on rules. There are, of course, certain instances
when firewalling can change a packet's destination/etc...like the fwd
option of ipfw.

Nick Rogness
 - Drive defensively.  Buy a tank.
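The fix Nick describes (give each NIC its own subnet and let the routing code, not ipfw, pick the exit interface), as an added example that is not part of the thread: a POSIX sh script that refuses to produce a configuration when the two interface addresses fall on one subnet, as in Toni's rc.conf, and otherwise prints the corrected rc.conf lines together with the per-interface rules from his second rule variant. The interface names fxp0/fxp1 are Toni's; the 192.0.2.x addresses are constructed stand-ins for his xxx.yyy ones, and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a two-NIC routed firewall
# before writing its configuration. Addresses are constructed (documentation
# range 192.0.2.0/24 split into two /25s) and stand in for the poster's
# xxx.yyy.111/25 and xxx.yyy.112 networks.

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network number of address/netmask, as an integer.
network_of() {
    echo $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Prefix length of a contiguous netmask (255.255.255.128 -> 25).
prefix_len() {
    m=$(ip2int "$1") n=0
    while [ "$m" -ne 0 ]; do
        m=$(( (m << 1) & 4294967295 ))
        n=$(( n + 1 ))
    done
    echo "$n"
}

# ip/mask -> network/prefixlen, the form ipfw rules want.
cidr_of() {
    echo "$(int2ip "$(network_of "$1" "$2")")/$(prefix_len "$2")"
}

# Exit 0 when ip1/mask1 and ip2/mask2 share a network number.
same_subnet() {
    [ "$(network_of "$1" "$2")" -eq "$(network_of "$3" "$4")" ]
}

# rc.conf lines for a routed firewall: a distinct address per NIC and IP
# forwarding on (gateway_enable, which the poster already had).
routed_rc_conf() {
    cat <<EOF
ifconfig_$1="inet $2 netmask $3"
ifconfig_$4="inet $5 netmask $6"
gateway_enable="YES"
firewall_enable="YES"
EOF
}

# ipfw rules in the poster's second variant, pinned to the interface a
# packet arrives on and the one it leaves by; everything else is denied.
routed_ruleset() {
    nic0=$1 net0=$2 nic1=$3 net1=$4
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 allow ip from $net0 to $net1 in via $nic0
add 310 allow ip from $net0 to $net1 out via $nic1
add 320 allow ip from $net1 to $net0 in via $nic1
add 330 allow ip from $net1 to $net0 out via $nic0
add 65000 deny log ip from any to any
EOF
}

# Emit rc.conf lines and rules, or return 2 when both NICs would sit on one
# subnet (the poster's original setup), in which case routing cannot work
# and the choice is to renumber or to bridge.
plan_firewall() {
    if same_subnet "$2" "$3" "$5" "$6"; then
        echo "error: $1 ($2/$3) and $4 ($5/$6) are on the same subnet; renumber or bridge" >&2
        return 2
    fi
    routed_rc_conf "$1" "$2" "$3" "$4" "$5" "$6"
    echo
    routed_ruleset "$1" "$(cidr_of "$2" "$3")" "$4" "$(cidr_of "$5" "$6")"
}

# Corrected layout: fxp0 keeps .9 on the first /25, fxp1 gets .129 on the second.
plan_firewall fxp0 192.0.2.9 255.255.255.128 fxp1 192.0.2.129 255.255.255.128
```

Re-running plan_firewall with the same address on both interfaces reproduces Toni's situation and stops with exit status 2 instead of printing a ruleset; with the two addresses on distinct /25s the rules reference 192.0.2.0/25 and 192.0.2.128/25, which is what makes the in/out via pairs meaningful.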