Date: Wed, 24 Sep 2003 17:04:28 +0800
From: "Michael Lee(HINET)" <kuniaki.lee@msa.hinet.net>
To: <freebsd-questions@freebsd.org>
Subject: Re: Question for ipf setting on single NIC box
Message-ID: <002c01c3827a$dc7768e0$ca00a8c0@michael>
References: <001501c3826e$cecc1300$ca00a8c0@michael> <20030924080354.GA26881@rock.stable.ch>
Hi Tom,

Thanks for your reply.

My connection for the single NIC FreeBSD Box ( previously worked fine ), the ethernet switch, DSL Modem, and the internal network is as follows: ( I am sorry that I cannot draw it well. )

   ---------------
   | FreeBSD Box |
   |  ipf,ipnat  |
   |  runs here  |   de0_alias0 = 192.168.1.0/24 (int.)
   ---------------
          | de0 = aaa.bbb.ccc.ddd/24 ( ext. )
          | (* de0 = 12.168.1.0/24)
          | (* tun0 = dynamically assigned )
          |
   ---------------     ---------------
   |   Switch    |-----|  DSL Modem  |--------- Telephone Line
   ---------------     ---------------
      |       |
      |       |----------------
      |                       |
   ---------------     ---------------
   | Windows 2000|     |  other PC   |
   ---------------     ---------------
   IP = 192.168.1.10   IP = 192.168.1.11
   (assigned by DHCPD) (assigned by DHCPD)

* Previously, I used ppp & ipnat, ipf for the dialup link to the ISP.
  It was OK to set filtering rules for tun0 in ipf.rules.
  ipf ran perfectly and filtered the unwanted packets then.

My previous ipf.rules:

block in on tun0 all
block in quick on tun0 from 0.0.0.0/7 to any
block in quick on tun0 from 2.0.0.0/8 to any
block in quick on tun0 from 5.0.0.0/8 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 23.0.0.0/8 to any
block in quick on tun0 from 27.0.0.0/8 to any
block in quick on tun0 from 31.0.0.0/8 to any
block in quick on tun0 from 70.0.0.0/7 to any
block in quick on tun0 from 72.0.0.0/5 to any
block in quick on tun0 from 83.0.0.0/8 to any
block in quick on tun0 from 84.0.0.0/6 to any
block in quick on tun0 from 88.0.0.0/5 to any
block in quick on tun0 from 96.0.0.0/3 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 128.0.0.0/16 to any
block in quick on tun0 from 128.66.0.0/16 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 191.255.0.0/16 to any
block in quick on tun0 from 192.0.0.0/19 to any
block in quick on tun0 from 192.0.48.0/20 to any
block in quick on tun0 from 192.0.64.0/18 to any
block in quick on tun0 from 192.0.128.0/17 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 197.0.0.0/8 to any
block in quick on tun0 from 201.0.0.0/8 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 219.0.0.0/8 to any
block in quick on tun0 from 220.0.0.0/6 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in quick on tun0 from 192.168.1.0/24 to any
# Your pass rules come here...
pass in quick all

block out on tun0 all
block out quick on tun0 from !192.168.1.0/24 to any
block out quick on tun0 from 192.168.1.0/24 to 0.0.0.0/7
block out quick on tun0 from 192.168.1.0/24 to 2.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 5.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 10.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 23.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 27.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 31.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 70.0.0.0/7
block out quick on tun0 from 192.168.1.0/24 to 72.0.0.0/5
block out quick on tun0 from 192.168.1.0/24 to 83.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 84.0.0.0/6
block out quick on tun0 from 192.168.1.0/24 to 88.0.0.0/5
block out quick on tun0 from 192.168.1.0/24 to 96.0.0.0/3
block out quick on tun0 from 192.168.1.0/24 to 127.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 128.0.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 128.66.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 169.254.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 172.16.0.0/12
block out quick on tun0 from 192.168.1.0/24 to 191.255.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 192.0.0.0/19
block out quick on tun0 from 192.168.1.0/24 to 192.0.48.0/20
block out quick on tun0 from 192.168.1.0/24 to 192.0.64.0/18
block out quick on tun0 from 192.168.1.0/24 to 192.0.128.0/17
block out quick on tun0 from 192.168.1.0/24 to 192.168.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 197.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 201.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 204.152.64.0/23
block out quick on tun0 from 192.168.1.0/24 to 219.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 220.0.0.0/6
block out quick on tun0 from 192.168.1.0/24 to 224.0.0.0/3
# Your pass rules come here...
pass out quick all

Of course, I replaced tun0 with de0 ( my new outside interface ), but ipf seems to block every packet no matter whether it is destined for de0_alias0 ( my internal interface ) or for the ext. interface (de0).

Thank you again!

Michael

----- Original Message -----
From: "Thomas Spreng" <spreng@socket.ch>
To: <freebsd-questions@freebsd.org>
Sent: Wednesday, September 24, 2003 4:03 PM
Subject: Re: Question for ipf setting on single NIC box

> Hello,
>
> On Wed, Sep 24, 2003 at 03:38:11PM +0800, Michael Lee(HINET) wrote:
> > Hi all,
> >
> > I only have a NIC on my FreeBSD Box.
> >
> > Here is my configuration:
> > ifconfig de0 aaa.bbb.ccc.ddd netmask 255.255.255.0 ( My External Interface )
> > ifconfig de0_alias0 192.168.1.254 netmask 255.255.255.0 ( My Virtual Internal Interface )
>
> beware...de0_alias0 is not a network interface, it's just an alias.
>
> > and this is the result shown for ifconfig -L
> >
> > de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         inet aaa.bbb.ccc.ddd netmask 0xffffff00 broadcast aaa.bbb.ccc.255
> >         inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
> >         ether 00:80:c8:f6:7b:c7
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> >
> > ( aaa.bbb.ccc.ddd is the static IP I got from the ISP )
> >
> > Everything seems OK to me: the NIC binds the virtual IP.
> >
> > The question is that while configuring ipf.rules and ipnat.rules
> > ( Originally, I used tun0 as the external interface for ppp dialup.
> > It was OK to set the ipf rules to block the incoming and outgoing packets
> > through tun0. )
> > But now I switched to static IP DSL and I failed to configure de0 ( ext. if )
> > while applying the following rules:
> >
> > block in quick on de0 from 192.168.0.0/16 to any
> > block out quick on de0 from 192.168.0.0/16 to any
>
> this will block all traffic from your de0 alias ip to anywhere else and all
> traffic from 192.168.0.0/16 to either your real inet address or to your
> alias.
>
> > After applying the above rules, ipf seems to block the packets on de0_alias0.
> > DHCPD cannot even send out packets to the local subnet ( 192.168.1.0/24 )
> > ( ipf blocks all traffic that should be blocked on the outside interface )
>
> ipf is supposed to block that because you blocked all traffic from
> 192.168.0.0/16 which includes 192.168.1.0/24. The alias and the real
> inet have the same interface name, that is 'de0'.
> But can you tell me where that local subnet is attached if you only have
> one nic in your box?
>
> > I can only add pass in quick all and pass out quick all now or the traffic
> > will be completely blocked.
> > However, to add only pass in quick all and pass out quick all seems not a
> > good idea for the firewall.
> >
> > Is there any way to solve the problem ? Or did I wrongly configure ipf ?
>
> if you need more help, please tell exactly what and where you want to
> block/allow the traffic and what your network layout looks like.
>
> cheers,
> tom
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
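Tom's point in the thread is that "on de0" names the whole interface, so a rule written against de0 sees the alias 192.168.1.254 as well as the public address, and there is no interface name that means "the inside" on a one-NIC box. The following is an added example, not code from either poster or from the ipf project: a small Python model of how ipf walks a rule file (top to bottom, a matching "quick" rule decides at once, otherwise the last matching rule wins, and an unmatched packet is passed by default). It parses the two rules Michael applied to de0, replays the DHCP reply that broke and a LAN host's outbound packet through them, and then shows the same anti-spoofing intent expressed by destination address rather than by interface. The grammar handled is only the subset used in the thread, and the public address aaa.bbb.ccc.ddd is stood in for by the documentation address 203.0.113.5; both are assumptions of this example, as are the constructed packets.

```python
"""Toy model of IPFilter (ipf) rule evaluation for the single-NIC case.

Rule grammar handled (a subset, assumed for this example):
    (block|pass) (in|out) [quick] [on IFACE] (all | [from [!]CIDR|any] [to CIDR|any])
Semantics modelled: rules are tried top to bottom; a matching "quick" rule
decides immediately, otherwise the last matching rule wins, and a packet
that matches no rule is passed (ipf's default).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# Stand-in for the static ISP address the thread writes as aaa.bbb.ccc.ddd;
# 203.0.113.5 is documentation space (TEST-NET-3), chosen for this example.
EXT_IP = "203.0.113.5"


@dataclass
class Rule:
    action: str                 # "block" or "pass"
    direction: str              # "in" or "out"
    quick: bool                 # a match ends evaluation at once
    iface: Optional[str]        # None: rule is not tied to an interface
    src: ipaddress.IPv4Network
    src_negated: bool           # "from !CIDR"
    dst: ipaddress.IPv4Network


def _addr(tok: str) -> Tuple[ipaddress.IPv4Network, bool]:
    """'any', 'CIDR' or '!CIDR' -> (network, negated)."""
    negated = tok.startswith("!")
    tok = tok.lstrip("!")
    net = ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)
    return net, negated


def parse_rule(line: str) -> Rule:
    toks = line.split("#", 1)[0].split()
    action, direction = toks[0], toks[1]
    quick, iface = False, None
    src, src_negated, dst = ANY, False, ANY
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("quick", "all"):
            quick = quick or tok == "quick"
            i += 1
        elif tok == "on":
            iface = toks[i + 1]
            i += 2
        elif tok == "from":
            src, src_negated = _addr(toks[i + 1])
            i += 2
        elif tok == "to":
            dst, _ = _addr(toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return Rule(action, direction, quick, iface, src, src_negated, dst)


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.split("#", 1)[0].strip()]


def matches(r: Rule, direction: str, iface: str, src: str, dst: str) -> bool:
    if r.direction != direction or (r.iface is not None and r.iface != iface):
        return False
    src_hit = ipaddress.ip_address(src) in r.src
    if src_hit == r.src_negated:        # "!CIDR" matches exactly when CIDR does not
        return False
    return ipaddress.ip_address(dst) in r.dst


def decide(rules: List[Rule], direction: str, iface: str, src: str, dst: str) -> str:
    verdict = "pass"                    # ipf default when nothing matches
    for r in rules:
        if matches(r, direction, iface, src, dst):
            verdict = r.action
            if r.quick:
                break
    return verdict


# Constructed packets, all on the one interface: (direction, iface, src, dst).
PACKETS = {
    # dhcpd's reply to a LAN host leaves via de0 with the alias as source
    "dhcp_offer":  ("out", "de0", "192.168.1.254", "192.168.1.10"),
    # a LAN host heading for the Internet arrives on de0 from a private source
    "lan_to_inet": ("in",  "de0", "192.168.1.10",  "198.51.100.7"),
    # a spoofed private source from the wire aimed at the public address
    "spoofed_in":  ("in",  "de0", "192.168.77.1",  EXT_IP),
}

# The two rules from the thread: "on de0" covers the alias too.
RULES_BY_IFACE = parse_rules("""
block in quick on de0 from 192.168.0.0/16 to any
block out quick on de0 from 192.168.0.0/16 to any
""")

# Same anti-spoofing intent, scoped by the public address instead.
RULES_BY_ADDR = parse_rules(f"""
block in quick on de0 from 192.168.0.0/16 to {EXT_IP}
""")


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Verdict per packet as (interface-scoped rules, address-scoped rules)."""
    return {name: (decide(RULES_BY_IFACE, *pkt), decide(RULES_BY_ADDR, *pkt))
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (by_iface, by_addr) in run_scenario().items():
        print(f"{name:12s} on-de0 rules: {by_iface:5s}  address-scoped: {by_addr}")
```

Run stand-alone it prints that the DHCP reply and the LAN host's outbound packet are blocked by the interface-scoped pair and passed by the address-scoped rule, while the spoofed private source is blocked by both. The model also reproduces why `block in on tun0 all` followed by `pass in quick all` lets everything through: the non-quick block is overridden by the later quick pass, which is the "not a good idea" Michael worried about. Real ipf has far more syntax (protocols, ports, keep state, groups) than this subset, so treat the evaluator as an illustration of matching order, not as a replacement for testing rules with ipf itself.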