From: "Ronald Weinrich"
To: freebsd-questions@freebsd.org
Date: Wed, 07 May 2003 10:52:32 +0200
Subject: Re: no route to host
Message-ID: <3EB8E570.5774.8DA49D3@localhost>
In-reply-to: <20030507025544.GB50255@users.munk.nu>
References: <3EB87C2C.16955.73F15B3@localhost>
Reply-To: freebsd@werosoft.com

Hi Jez Hancock,

yesterday it was 4h in the morning so I had to go, I hope you get this mess.

I did what you said - now I'm able to ping
from the firewall-box to ep0 192.168.0.1
from the firewall-box to ed0-213.47.28.166
from intranet 192.168.0.xx to ep0 192.168.0.1 and
from intranet 192.168.0.xx to ed0 213.47.28.166

from intranet not to the DNS1-box in inet 213.47.28.160/8 on 213.47.28.162
or to the router 213.47.28.161
I guess that's the reason I can't connect to the internet
(does 160/8 mean 160 -175?)
from outside 213.47.28.160/8 to ed0 213.47.28.166 works

is that an ipnat problem? or a routing problem?

I add
> Try adding a simple /etc/ipf.rules ruleset:
> pass out all
> pass in all
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"

> you have no entry for the ep0 interface and your ifconfig output
> suggests ep0 isn't active (or even present).

therefore I run a script at boot-time ifconf.sh

#!/bin/sh
/sbin/ifconfig ep0 down
/sbin/ifconfig ep0 inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.5.255
/sbin/ifconfig ep0 up
[ -x /sbin/ipnat ] && /sbin/ipnat -CF -f /etc/ipnat.conf && ipf -y && echo -n 'ipnat'

> On Wed, May 07, 2003 at 03:23:24AM +0200, Ronald Weinrich wrote:
> > I build the kernel with
> > options IPFILTER
> > options IPFILTER_LOG
> > options IPFILTER_DEFAULT_BLOCK
> Do you have an ipf ruleset loading on boot?
>
> > in rc.conf is
> > hostname="firewall"
> > defaultrouter="213.47.28.161" ??????
> > gateway_enable="YES"
> > ipnat_enable="YES"
> > ifconfig_ed0="inet 213.47.28.166 netmask 255.255.255.240"
> > kern_securelevel_enable="NO"
> > linux_enable="NO"
> > nfs_reserved_port_only="YES"
> > sendmail_enable="YES"
> > sshd_enable="YES"
> It looks like the answer is no ;/
>
> If this is the case then because of the 'IPFILTER_DEFAULT_BLOCK' line in
> your kern conf everything will be blocked by default. Try adding a
> simple /etc/ipf.rules ruleset:
>
> pass out all
> pass in all
>
> and make sure you add this to /etc/rc.conf:
>
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
>
> To implement the 'allow all' ruleset either reboot or just do:
>
> ipf -Fa -f /etc/ipf.rules
>
>
> With luck this should allow you connectivity.
>
> Regards,
> Jez
>
> PS
> > ifconfig_ed0="inet 213.47.28.166 netmask 255.255.255.240"
> Do you have an ifconfig line in /etc/rc.conf for your local network
> interface???
> In your other post with the network diagram you say
> you have 'ep0' interface configured for your LAN,
> but in the rc.conf snippet above
> you have no entry for the ep0 interface and your ifconfig output
> suggests ep0 isn't active (or even present).
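
Added example, not part of the original message or of FreeBSD: a Python check for the conditions discussed in this thread (an IPFILTER_DEFAULT_BLOCK kernel with no ruleset loaded from rc.conf, gateway_enable with only one interface configured, a defaultrouter outside every configured subnet), extended to also compare a stated broadcast address with the one the netmask implies. The inputs are constructed from values quoted in the thread; the ifconfig_ep0 line is an assumed rc.conf form of the ifconf.sh arguments, and audit and iface_net are hypothetical names.

```python
import ipaddress
import re

# Constructed inputs built from the values quoted in this thread.
KERNEL = "options IPFILTER\noptions IPFILTER_LOG\noptions IPFILTER_DEFAULT_BLOCK\n"
RC_BEFORE = '''hostname="firewall"
defaultrouter="213.47.28.161"
gateway_enable="YES"
ipnat_enable="YES"
ifconfig_ed0="inet 213.47.28.166 netmask 255.255.255.240"
'''
# Assumption: ep0 expressed as an rc.conf line instead of the ifconf.sh script.
RC_AFTER = RC_BEFORE + '''ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ifconfig_ep0="inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.5.255"
'''

def iface_net(args):
    """Parse 'inet A netmask M [broadcast B]' -> (network, broadcast or None)."""
    tok = args.split()
    opt = dict(zip(tok[0::2], tok[1::2]))      # assumes keyword/value pairs only
    mask = opt["netmask"]
    if mask.lower().startswith("0x"):          # ifconfig also takes hex masks
        mask = str(ipaddress.IPv4Address(int(mask, 16)))
    net = ipaddress.ip_network(f"{opt['inet']}/{mask}", strict=False)
    bcast = opt.get("broadcast")
    return net, (ipaddress.ip_address(bcast) if bcast else None)

def audit(kernel_conf, rc_conf):
    """Return a list of findings for a kernel config plus rc.conf pair."""
    rc = dict(re.findall(r'^\s*(\w+)="([^"]*)"', rc_conf, re.M))
    opts = set(re.findall(r"^\s*options\s+(\w+)", kernel_conf, re.M))
    yes = lambda k: rc.get(k, "NO").upper() == "YES"
    findings, nets = [], {}
    if "IPFILTER_DEFAULT_BLOCK" in opts and not (yes("ipfilter_enable") and "ipfilter_rules" in rc):
        findings.append("default-block kernel but no ipf ruleset loaded at boot")
    for key, val in rc.items():
        if key.startswith("ifconfig_"):
            net, bcast = iface_net(val)
            nets[key[len("ifconfig_"):]] = net
            if bcast and bcast != net.broadcast_address:
                findings.append(f"{key}: broadcast {bcast}, expected {net.broadcast_address}")
    if yes("gateway_enable") and len(nets) < 2:
        findings.append("gateway_enable set but fewer than two interfaces in rc.conf")
    gw = rc.get("defaultrouter")
    if gw and not any(ipaddress.ip_address(gw) in n for n in nets.values()):
        findings.append(f"defaultrouter {gw} is not on any configured subnet")
    return findings

if __name__ == "__main__":
    for name, rc_text in (("before", RC_BEFORE), ("after", RC_AFTER)):
        print(name, audit(KERNEL, rc_text))
```

For ed0, iface_net yields 213.47.28.160/28: netmask 255.255.255.240 spans 213.47.28.160 through 213.47.28.175.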