From owner-freebsd-questions Tue Nov 5 15:38:56 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BD86037B401 for ; Tue, 5 Nov 2002 15:38:53 -0800 (PST)
Received: from cumulonimbus.cloudfactory.org (ssh.cloudfactory.org [205.179.129.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id C033C43E8A for ; Tue, 5 Nov 2002 15:38:52 -0800 (PST) (envelope-from terrac@cloudfactory.org)
Received: from cumulonimbus.cloudfactory.org (localhost [127.0.0.1]) by cumulonimbus.cloudfactory.org (8.12.3/8.12.3/Debian -4) with ESMTP id gA5Ncnwj013369 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=FAIL); Tue, 5 Nov 2002 15:38:49 -0800
Received: from localhost (terrac@localhost) by cumulonimbus.cloudfactory.org (8.12.3/8.12.3/Debian -4) with ESMTP id gA5NcnCP013365; Tue, 5 Nov 2002 15:38:49 -0800
X-Authentication-Warning: cumulonimbus.cloudfactory.org: terrac owned process doing -bs
Date: Tue, 5 Nov 2002 15:38:49 -0800 (PST)
From: Terrac Skiens
To: David Cramblett
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW, natd, redirect_address help needed
In-Reply-To: <3DC85565.2060900@mesd.k12.or.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Since this is a super small distribution I do not have the default open, closed, and client firewall configs. The set I am using is based on the client one though; however, I adjusted it to allow traffic from the inside to the outside on specific ports and hopefully keep-state to let the returning packets back in. That's right, isn't it?

-terrac

On Tue, 5 Nov 2002, David Cramblett wrote:

> Do you have gateway_enable="YES" in your firewall?
>
> Can you get packets through both directions just fine with the firewall
> set to "OPEN"?
>
> David
>
>
> Terrac Skiens wrote:
>
> > Hi there,
> >
> > I have been trying to set up an embedded system from Soekris, running a
> > small version of FreeBSD on its internal compact flash hard disk.
> >
> > The machine is built, I have remote access to it and I intend to use it
> > as a firewall + nat appliance, directing traffic from machines internally
> > to external IP addresses.
> >
> > I have gotten everything running, however my tests for the machines
> > behind the new firewall keep failing. I can ping the firewall itself, but
> > not anything past it. The pings just disappear. From the firewall I can
> > ping anything by either hostname or IP.
> >
> > What I have not figured out is why my machines behind the firewall cannot
> > ping out past the firewall, or get any other traffic out either.
> >
> > my ipfw list is:
> > ---------------------------------------
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from any to 172.16.0.0/12 via sis0
> > 00500 deny ip from any to 192.168.0.0/16 via sis0
> > 00600 deny ip from any to 0.0.0.0/8 via sis0
> > 00700 deny ip from any to 169.254.0.0/16 via sis0
> > 00800 deny ip from any to 192.0.2.0/24 via sis0
> > 00900 deny ip from any to 224.0.0.0/4 via sis0
> > 01000 deny ip from any to 240.0.0.0/4 via sis0
> > 01100 divert 8668 ip from any to any via sis0
> > 01200 deny ip from 172.16.0.0/12 to any via sis0
> > 01300 deny ip from 192.168.0.0/16 to any via sis0
> > 01400 deny ip from 0.0.0.0/8 to any via sis0
> > 01500 deny ip from 169.254.0.0/16 to any via sis0
> > 01600 deny ip from 192.0.2.0/24 to any via sis0
> > 01700 deny ip from 224.0.0.0/4 to any via sis0
> > 01800 deny ip from 240.0.0.0/4 to any via sis0
> > 01900 allow tcp from any to any established
> > 02000 allow ip from any to any frag
> > 10000 deny log logamount 100 tcp from any to any in recv sis0 setup
> > 10100 allow tcp from any to any setup
> > 10200 allow udp from any to any 53 keep-state out xmit sis0
> > 10300 allow udp from any to any 53 keep-state in recv sis0
> > 10400 allow udp from any to any 123 keep-state out xmit sis0
> > 10500 allow udp from any to any 123 keep-state in recv sis1
> > 10600 allow tcp from any to any 53 keep-state out xmit sis0
> > 10700 allow tcp from any to any 53 keep-state in recv sis1
> > 10800 allow tcp from any to any 25 keep-state out xmit sis0
> > 10900 allow tcp from any to any 25 keep-state in recv sis1
> > 11000 allow tcp from any to any 22 keep-state out xmit sis0
> > 11100 allow tcp from any to any 22 keep-state in recv sis1
> > 11200 allow udp from me to any 67 keep-state out xmit sis0
> > 11300 allow icmp from any to any
> > 65535 deny ip from any to any
> >
> > and my netstat -rn is:
> > ---------------------------------------
> > Routing table:
> > --------------
> > Destination        Gateway            Flags   Netif  Use
> > default            66.180.229.177     UGSc    sis0     2
> > 10.1.1.0/24        link#2             UC      sis1     0
> > xxx.xxx.xxx.xxx    link#1             UC      sis0     0   <- network
> > xxx.xxx.xxx.xxx    link#1             UHLW    sis0     0   <- gateway
> > 127.0.0.1          127.0.0.1          UH      lo0      0
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
>
> --
> David Cramblett
> Network and Information Services
> Multnomah Education Service District
> phn: 503-257-1535
> fax: 503-257-1538
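The ruleset Terrac posted can be walked mechanically to see which rule each packet hits on each pass through the firewall. The script below is an added example, not code from the thread or from FreeBSD's ipfw: it does a simplified first-match walk of the posted rules, filtering a routed packet twice (inbound on the interface it arrives on, outbound on the interface it leaves by), and treats a `divert` match as a call to a small stand-in for natd that masquerades outbound packets and un-translates replies. Everything about the addresses is constructed: 198.51.100.2 stands in for the masked xxx.xxx.xxx.xxx external address, 198.51.100.10 is a remote host, 203.0.113.7 an outside probe, and `me` is assumed to match the firewall's own addresses. Dynamic keep-state entries, ICMP types and source ports are not modelled, so this is a static reading of the rules.

```python
import ipaddress  # added example, not from the post: first-match walk of the quoted ipfw rules

BOGONS = ["172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8", "169.254.0.0/16",
          "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4"]
RULESET = ["00100 allow ip from any to any via lo0", "00200 deny ip from any to 127.0.0.0/8",
           "00300 deny ip from 127.0.0.0/8 to any"]
RULESET += [f"{400 + 100 * i:05d} deny ip from any to {n} via sis0" for i, n in enumerate(BOGONS)]
RULESET += ["01100 divert 8668 ip from any to any via sis0"]
RULESET += [f"{1200 + 100 * i:05d} deny ip from {n} to any via sis0" for i, n in enumerate(BOGONS)]
RULESET += ["01900 allow tcp from any to any established",
            "02000 allow ip from any to any frag",
            "10000 deny log logamount 100 tcp from any to any in recv sis0 setup",
            "10100 allow tcp from any to any setup",
            "10200 allow udp from any to any 53 keep-state out xmit sis0",
            "10300 allow udp from any to any 53 keep-state in recv sis0",
            "10400 allow udp from any to any 123 keep-state out xmit sis0",
            "10500 allow udp from any to any 123 keep-state in recv sis1",
            "10600 allow tcp from any to any 53 keep-state out xmit sis0",
            "10700 allow tcp from any to any 53 keep-state in recv sis1",
            "10800 allow tcp from any to any 25 keep-state out xmit sis0",
            "10900 allow tcp from any to any 25 keep-state in recv sis1",
            "11000 allow tcp from any to any 22 keep-state out xmit sis0",
            "11100 allow tcp from any to any 22 keep-state in recv sis1",
            "11200 allow udp from me to any 67 keep-state out xmit sis0",
            "11300 allow icmp from any to any",
            "65535 deny ip from any to any"]

# Constructed addresses (documentation ranges): the poster masked the outside
# address as xxx.xxx.xxx.xxx; sis1 carries 10.1.1.0/24 per the netstat -rn output.
EXTERNAL_IP = "198.51.100.2"
ME = {EXTERNAL_IP, "10.1.1.1", "127.0.0.1"}  # what `me` matches (assumed)
NAT_TABLE = {}                               # (proto, outside peer) -> LAN host

def parse_rule(line):
    t = line.split()
    r, i = {"num": int(t[0]), "action": t[1], "opts": {}}, 2
    if r["action"] == "divert":
        r["port"], i = int(t[2]), 3
    while t[i] in ("log", "logamount") or t[i].isdigit():  # skip "log logamount N"
        i += 1
    r["proto"], r["src"], r["dst"], i = t[i], t[i + 2], t[i + 4], i + 5  # "P from S to D"
    if i < len(t) and t[i].isdigit():                         # optional destination port
        r["dport"], i = int(t[i]), i + 1
    while i < len(t):                                         # trailing options
        r["opts"][t[i]], i = (t[i + 1], i + 2) if t[i] in ("via", "recv", "xmit") else (True, i + 1)
    return r

RULES = [parse_rule(line) for line in RULESET]

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, p):
    o, flags, ifaces = r["opts"], p.get("flags", set()), (p["recv"], p.get("xmit"))
    return (r["proto"] in ("ip", p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r.get("dport", p.get("dport")) == p.get("dport")  # rule port must equal packet's
            and ("in" not in o or p["dir"] == "in") and ("out" not in o or p["dir"] == "out")
            and ("via" not in o or o["via"] in ifaces)        # via: either interface
            and ("recv" not in o or o["recv"] == p["recv"])
            and ("xmit" not in o or o["xmit"] == p.get("xmit"))  # known only when outgoing
            and ("established" not in o or bool(flags & {"ACK", "RST"}))
            and ("setup" not in o or ("SYN" in flags and "ACK" not in flags))
            and ("frag" not in o or bool(p.get("frag"))))

def natd(p):
    """Stand-in for natd on sis0: masquerade outbound, un-translate replies."""
    p = dict(p)
    if p.get("xmit") == "sis0":
        NAT_TABLE[(p["proto"], p["dst"])] = p["src"]
        p["src"] = EXTERNAL_IP
    elif p["recv"] == "sis0" and p["dst"] == EXTERNAL_IP:
        p["dst"] = NAT_TABLE.get((p["proto"], p["src"]), p["dst"])
    return p

def run(p, rules=RULES, nat=natd):
    """One pass: (verdict, matched rule numbers, packet). divert resumes at the next rule."""
    trace = []
    for r in rules:
        if rule_matches(r, p):
            trace.append(r["num"])
            if r["action"] != "divert":
                return r["action"], trace, p
            p = nat(p)
    return "deny", trace, p

def forward(p, rules=RULES, nat=natd):
    """A routed packet is filtered twice: inbound on recv, then outbound on xmit."""
    v, t_in, p2 = run(dict(p, dir="in", xmit=None), rules, nat)
    if v != "allow":
        return v, t_in, []
    v, t_out, _ = run(dict(p2, dir="out", xmit=p["xmit"]), rules, nat)
    return v, t_in, t_out

if __name__ == "__main__":  # constructed packets: a LAN host's ping and the reply to it
    ping = dict(proto="icmp", src="10.1.1.5", dst="198.51.100.10", recv="sis1", xmit="sis0")
    print(forward(ping))
    print(forward(dict(ping, src="198.51.100.10", dst=EXTERNAL_IP, recv="sis0", xmit="sis1")))
```

In this model a ping from a LAN host matches 11300 on the sis1 pass, then 1100 (divert to natd) and 11300 on the sis0 pass, and the echo reply comes back through 1100 and 11300 the same way, so the rules as listed do not by themselves explain the lost pings; that makes David's question about gateway_enable, i.e. whether the kernel forwards packets at all (sysctl net.inet.ip.forwarding), the natural next thing to confirm. Walking a TCP SYN from the LAN shows it matching 10100 before any of the port-specific keep-state rules are reached, so those rules never see a connection's first packet, while an unsolicited SYN arriving on sis0 is caught and logged by 10000 as intended.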