From owner-freebsd-questions Wed Mar 10 13:05:21 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhub.scl.ameslab.gov (mailhub.scl.ameslab.gov [147.155.137.127])
	by hub.freebsd.org (Postfix) with ESMTP id 4F966154F4
	for ; Wed, 10 Mar 1999 13:05:12 -0800 (PST)
	(envelope-from ghelmer@scl.ameslab.gov)
Received: from demios.ether.scl.ameslab.gov ([147.155.137.54])
	by mailhub.scl.ameslab.gov with esmtp (Exim 1.90 #1)
	id 10KqA4-0005EM-00; Wed, 10 Mar 1999 15:05:04 -0600
Date: Wed, 10 Mar 1999 15:04:25 -0600
From: Guy Helmer
To: wildcardus freakis
Cc: freebsd-questions@freebsd.org
Subject: Re: 3.1R firewall weirdness.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 10 Mar 1999, wildcardus freakis wrote:

> Ran into something weird: when I enable firewall type "simple", all
> network functionality fails...
>
> The interface setup looks right to me?
>
>     oif="ep0"
>     onet="206.206.121.0"
>     omask="255.255.255.0"
>     oip="206.206.121.43"
>
>     iif="ep0"
>     inet="192.168.0.0"
>     imask="255.255.0.0"
>     iip="192.168.250.1"
>
> I didn't change any of the rules at all, and I also already added the
> ifconfig_ep0_alias for 192.168.250.1 into rc.conf. I haven't tried NAT yet,
> but that is my eventual goal; I need a working machine before I do that.

There is a problem with running the supplied "simple" rules on a machine
where both the internal and external addresses are on the same interface.
The first two rules, which stop spoofing, will match all packets entering
the single interface, so you'll have to comment out the first two rules (the
spoofing rules). You'll also need to comment out the next six rules (the
RFC1918 rules), since you are using an RFC1918 address for the inside
network.

The rule

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

will need work as well; you might be able to replace it with something like
this:

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add allow tcp from ${inet}:${imask} to any setup
    $fwcmd add allow tcp from ${oip} to any setup
    $fwcmd add deny log tcp from any to ${inet}:${imask} setup
    $fwcmd add deny log tcp from any to ${oip} setup

Hope this gets you started,
Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
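The single-interface variant of the "simple" section that the reply above describes, written out as an rc.firewall-style sh fragment. This is an added example, not code from the original mail and not FreeBSD's stock rc.firewall; the text of the commented-out stock spoofing and RFC1918 rules is reconstructed from the mail's description of them and is an assumption, and the `FWCMD` dry-run switch and the `rule_count` helper are additions of this example.

```shell
#!/bin/sh
# Added example (not from the original mail and not FreeBSD's stock
# rc.firewall): an rc.firewall-style "simple" section adjusted for the
# single-interface case, where iif and oif are both ep0.
# The wording of the commented-out stock spoofing and RFC1918 rules is
# reconstructed from the mail's description and is an assumption.
#
# fwcmd defaults to a dry run ("echo ipfw") so the rule set can be reviewed
# before it is loaded; run with FWCMD=/sbin/ipfw to apply it for real.

fwcmd="${FWCMD:-echo ipfw}"

# Same interface settings as in the original question.
oif="ep0"
onet="206.206.121.0"
omask="255.255.255.0"
oip="206.206.121.43"

iif="ep0"
inet="192.168.0.0"
imask="255.255.0.0"
iip="192.168.250.1"

simple_single_if_rules() {
    # Stock anti-spoofing rules, disabled: with iif == oif, "in via ${oif}"
    # matches every packet entering the one interface, so these would deny
    # all inbound traffic from both networks.
    #$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    #$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stock RFC1918 rules, disabled: the inside network is itself an
    # RFC1918 net (192.168.0.0/16), so the stock "via ${oif}" denies for
    # 192.168/16, 172.16/12 and 10/8 would deny it too.
    #$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    #$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    # (four more rules for 172.16/12 and 10/8 follow in the stock set)

    # Replacement for "deny log tcp from any to any in via ${oif} setup".
    # ipfw stops at the first matching allow/deny rule, so the allow rules
    # for connections originating inside (or from the public address) must
    # come before the logged denies for connections aimed at us.
    $fwcmd add allow tcp from ${inet}:${imask} to any setup
    $fwcmd add allow tcp from ${oip} to any setup
    $fwcmd add deny log tcp from any to ${inet}:${imask} setup
    $fwcmd add deny log tcp from any to ${oip} setup
}

# Number of rules the function would load. Meant for the dry-run mode
# (default FWCMD) as a sanity check before switching to the real ipfw.
rule_count() {
    simple_single_if_rules | wc -l | tr -d ' '
}

simple_single_if_rules
```

Run it once without `FWCMD` and read the echoed rules; then load with `FWCMD=/sbin/ipfw`, check the order with `ipfw list`, and watch `ipfw show` counters while making a connection from inside and one from outside to confirm which rule each hits. Note the trade-off the reply implies: with both networks on one interface ipfw cannot tell an inside address arriving from outside apart from a legitimate inside packet, so disabling the spoofing rules means the box no longer rejects forged 192.168.x.x sources on ep0.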