From: Kenneth W Cochran <kwc@shell.TheWorld.com>
To: freebsd-questions@freebsd.org
Subject: Trying to understand ipfirewall/divert/nat
Date: Tue, 6 Jan 2004 23:32:34 -0500 (EST)
Message-Id: <200401070432.XAA14594728@shell.TheWorld.com>

Hello:

I'm trying to grok overall firewall & natd (ipnat?) configuration
strategy using ipfirewall.

Interfaces:
  dc0 - "public" to outside network(s)
  dc1 - internal 192.168.0.1/24
  dc2 - internal 192.168.1.100/24, currently unused
  dc3 - currently unused

OS: FreeBSD 4.9-STABLE as of 10 December 2003
firewall: ipfw2
Running natd between dc0 & dc1
dc0 gets its IP address, etc., via DHCP/dhclient.

Problems/questions:

ICMP (for example): Would like to be able to:
  - Ping/traceroute, etc. from any machine on the local net to anywhere.
  - Be "invisible" to ICMP Echo Request from outside.
  - Be "visible" to other relevant ICMP messages from outside, e.g.
    traceroute, Path MTU Discovery.

For example, the following ruleset (from the Ipfw-HOWTO at
http://www.freebsd-howto.com/) takes care of icmp echo request/reply on
the outside-exposed machine, but breaks that (& traceroute) on internal
machines.

  1000 allow icmp from any to any out icmptypes 8
  1100 allow icmp from any to any in icmptypes 0
  1200 deny icmp from any to any in icmptypes 8

Would like to do similar things, e.g. allow/deny & get all that to play
nicely with divert/natd. For example, with divert, it appears that we
should have a ruleset for "before" the divert & another "mirror-image"
ruleset for "after" divert. Where might I find some nice explanations of
the logic/strategy with this?

I guess what confuses me is /etc/rc.firewall does things one way & the
firewall(7) manpage another.

Where are some, umm, good sources of information about ipfirewall (ipfw)?
Seems all the books talk about are Linux's ipchains & iptables & *bsd's
ipf.

Thanks,

-kc