From owner-freebsd-questions@FreeBSD.ORG Wed Sep 24 00:38:15 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 38B2116A4B3; Wed, 24 Sep 2003 00:38:15 -0700 (PDT)
Received: from msr32.hinet.net (msr32.hinet.net [168.95.4.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 65D9B43FCB; Wed, 24 Sep 2003 00:38:13 -0700 (PDT) (envelope-from kuniaki.lee@msa.hinet.net)
Received: from michael (211-21-27-38.HINET-IP.hinet.net [211.21.27.38]) by msr32.hinet.net (8.9.3/8.9.3) with SMTP id PAA21876; Wed, 24 Sep 2003 15:38:11 +0800 (CST)
Message-ID: <001501c3826e$cecc1300$ca00a8c0@michael>
From: "Michael Lee(HINET)"
To: freebsd-questions@freebsd.org
Date: Wed, 24 Sep 2003 15:38:11 +0800
Subject: Question for ipf setting on single NIC box
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
List-Id: User questions

Hi all,

I only have one NIC on my FreeBSD box. Here is my configuration:

    ifconfig de0 inet aaa.bbb.ccc.ddd netmask 255.255.255.0              ( my external interface )
    ifconfig de0 inet 192.168.1.254 netmask 255.255.255.0 alias          ( my virtual internal interface )

and this is the result shown by ifconfig -L de0:

    de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet aaa.bbb.ccc.ddd netmask 0xffffff00 broadcast aaa.bbb.ccc.255
            inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:80:c8:f6:7b:c7
            media: Ethernet autoselect (100baseTX )
            status: active

( aaa.bbb.ccc.ddd is the static IP I got from the ISP. )

Everything seems OK to me: the NIC binds the virtual IP.
The question concerns configuring ipf.rules and ipnat.rules. ( Originally, I used tun0 as the external interface for PPP dialup. It was OK to set the ipf rules to block the incoming and outgoing packets through tun0. ) But now I have switched to static-IP DSL, and I fail to configure de0 ( the ext. if ) when applying the following rules:

    block in quick on de0 from 192.168.0.0/16 to any
    block out quick on de0 from 192.168.0.0/16 to any

After applying the above rules, ipf seems to block the packets on de0_alias0 as well. DHCPD cannot even send out packets to the local subnet ( 192.168.1.0/24 ). ( ipf blocks all the traffic that should only be blocked on the outside interface. )

I can only add

    pass in quick all
    pass out quick all

now, or the traffic will be completely blocked. However, adding only "pass in quick all" and "pass out quick all" does not seem a good idea for a firewall.

Is there any way to solve the problem? Or have I configured ipf wrongly?

Thank you!

Michael Lee
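The behaviour described in the post follows from how ipf matches rules: "on de0" selects the physical interface, and both the public address and the 192.168.1.254 alias live on de0, so a "block ... on de0 from 192.168.0.0/16" rule sees the DHCP server's own replies and the LAN clients' traffic exactly as it sees a packet arriving from the DSL side. Because "quick" stops evaluation at the first match, the LAN traffic has to be passed by earlier rules before any RFC1918 block rule is reached. The fragment below is an added example written for this page, not the poster's configuration or anything from the FreeBSD project; it keeps the poster's interface name (de0), alias (192.168.1.254/24) and the placeholder aaa.bbb.ccc.ddd for the public address, and it leaves the ipnat rules and the public-side pass rules (which depend on the services run) as assumptions to be added after it.

```ipf
# /etc/ipf.rules fragment -- added example for a single-NIC box where de0
# carries both the public address (aaa.bbb.ccc.ddd, placeholder) and the
# LAN alias 192.168.1.254/24. Rule order matters: "quick" rules end the
# evaluation at the first match, so LAN traffic is passed before any block.

# Loopback is always fine.
pass in  quick on lo0 all
pass out quick on lo0 all

# DHCP discovery: clients have no address yet, so they send from 0.0.0.0
# to the broadcast address; without this line the block rules below would
# not bite, but neither would any later pass rule written for 192.168.1.0/24.
pass in  quick on de0 proto udp from 0.0.0.0/32 port = 68 to 255.255.255.255/32 port = 67

# DHCP replies from the server itself, both directed and broadcast.
pass out quick on de0 proto udp from 192.168.1.254 port = 67 to 192.168.1.0/24 port = 68
pass out quick on de0 proto udp from 192.168.1.254 port = 67 to 255.255.255.255/32 port = 68

# Traffic to and from the real LAN range, passed before the RFC1918 block.
# Outbound from the alias to the LAN covers the box's own replies (DNS,
# ICMP, etc.); inbound from the LAN covers clients talking to the box and
# to the Internet through ipnat (NAT rules are not shown here).
pass out quick on de0 from 192.168.1.254 to 192.168.1.0/24
pass in  quick on de0 from 192.168.1.0/24 to any

# Only now block the private ranges. 192.168.1.0/24 never reaches these
# lines because the pass rules above are "quick". The original rules
# blocked everything from 192.168.0.0/16 in both directions, which is why
# the alias stopped working.
block in  quick on de0 from 10.0.0.0/8     to any
block in  quick on de0 from 172.16.0.0/12  to any
block in  quick on de0 from 192.168.0.0/16 to any
block out quick on de0 from 10.0.0.0/8     to any
block out quick on de0 from 172.16.0.0/12  to any
block out quick on de0 from 192.168.0.0/16 to any

# Everything else that arrives on de0 is the public side. Add the pass
# rules for the services you actually offer above this line; by default,
# log and drop the rest.
block in log quick on de0 all
```

The caveat a practitioner should keep in mind: with one NIC, the public and the private side share a single Ethernet segment, so the rules above distinguish traffic only by its addresses, not by where it came from. A host on the DSL segment that forges a 192.168.1.x source address is passed by the same rule as a real LAN client. That is inherent to the single-interface layout and cannot be fixed in ipf.rules; real anti-spoofing needs a second interface (or a VLAN) so that "in on" the external interface and "in on" the internal one are actually different things. Load the file with "ipf -Fa -f /etc/ipf.rules" and check the ordering with "ipfstat -io" before relying on it.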