Date: Wed, 22 Jan 2003 13:19:30 -0600
From: "Brian Davis" <stargate@cableone.net>
To: <freebsd-questions@freebsd.org>
Subject: Re: "simple" ipfw question
Message-ID: <001b01c2c24b$30a6d1d0$0200a8c0@Tower>
References: <000501c2c214$99dbd290$0200a8c0@Tower> <3E2E9E9D.3020502@potentialtech.com>
> > Greetings,
> >
> > I am attempting to build a dual-homed firewall using FreeBSD 4.7
> > RELEASE. The PC is presently connected to a corporate LAN with DHCP and
> > DNS servers and a broadband connection to the Internet.
> >
> > The outside interface (rl0) is configured as follows:
> > IP address: a.b.148.62 (dynamically assigned)
> > Subnet: 255.255.248.0
> > Gateway: a.b.144.254
> > DNS: a.b.144.1
> >
> > The inside interface (rl1) is configured as follows:
> > IP address: 192.168.1.1
> > Subnet: 255.255.255.0
> >
> > My private network consists of one workstation which is set up as
> > follows:
> > IP address: 192.168.1.2
> > Subnet: 255.255.255.0
> > Gateway: 192.168.168.1
> > DNS: a.b.144.1
> >
> > When I use the "open" ruleset in /etc/rc.firewall, the workstation on my
> > private network can get through the firewall to the LAN and the
> > Internet. When I switch to the "simple" ruleset, the firewall stops
> > forwarding packets. From the console, I can ping the outside and inside
> > interfaces, but nothing else. Everything looks normal in dmesg.
> > Additional info upon request!
>
> Did you tweak the /etc/rc.firewall script to insert your IP address ranges
> into it? (look for the "simple" section of the script and tweak the iif,
> iip, oif, oip, etc ... values)
> If that doesn't help, try posting the output of 'ipfw show' to the list.
> It'll make it a lot easier for folks to diagnose.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com

Hope this helps:

/etc/rc.firewall: [simple section]
oif="rl0"
onet="a.b.144.0"
omask="255.255.248.0"
oip="a.b.148.62"
iif="rl1"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"

/etc/rc.conf:
gateway_enable="YES"
hostname="(hostname.domain)"
ifconfig_rl0="DHCP"
kern_securelevel="2"
kern_securelevel_enable="YES"
moused_enable="YES"
nfs_server_enable="NO"
saver="green"
sendmail_enable="NO"
sshd_enable="NO"
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="rl0"
defaultrouter="a.b.144.254"
natd_flags="-dynamic"

Compiled kernel with these options:
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10

ipfw show:
00100 0 0 allow ip from any to any via 1o0
00200 0 0 deny ip from any to 127.0.0.0/0
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from 192.168.1.0/24 to any in recv rl0
00500 0 0 deny ip from a.b.144.0/21 to any in recv rl1
00600 0 0 deny ip from any to 10.0.0.0/8 via rl0
00700 0 0 deny ip from any to 172.16.0.0/12 via rl0
00800 0 0 deny ip from any to 192.168.0.0/16 via rl0
00900 0 0 deny ip from any to 0.0.0.0/8 via rl0
01000 0 0 deny ip from any to 169.254.0.0/16 via rl0
01100 0 0 deny ip from any to 192.0.2.0/24 via rl0
01200 0 0 deny ip from any to 224.0.0.0/4 via rl0
01300 9 773 deny ip from any to 240.0.0.0/24 via rl0
01400 73 9535 divert 8668 ip from any to any via rl0
01500 0 0 deny ip from 10.0.0.0/8 to any via rl0
01600 0 0 deny ip from 172.16.0.0/12 to any via rl0
01700 0 0 deny ip from 192.168.0.0/16 to any via rl0
01800 0 0 deny ip 0.0.0.0/8 to any via rl0
01900 0 0 169.254.0.0/16 to any via rl0
02000 0 0 deny ip from 192.0.2.0/24 to any via rl0
02100 0 0 deny ip from 224.0.0.0/4 to any via rl0
02200 0 0 deny ip from 240.0.0.0/4 to any via rl0
02300 0 0 allow tcp form any to any established
02400 0 0 allow ip from any to any frag
02500 0 0 allow tcp from any to a.b.148.62 25 setup
02600 0 0 allow tcp from any to a.b.148.62 53 setup
02700 0 0 allow udp from any to a.b.148.62 53
02800 0 0 allow udp from a.b.148.62 53 to any
02900 0 0 allow tcp from any to a.b.148.62 80 setup
03000 0 0 deny log logamount 10 tcp from any to any in recv rl0 setup
03100 0 0 allow tcp from any to any setup
03200 26 1912 allow udp from a.b.148.62 to any 53 keep-state
03300 0 0 allow udp from a.b.148.62 to any 123 keep-state
65535 58 9215 deny ip from any to any

The counts for rules 1300, 1400, 3200 and 65535 keep incrementing. All other
rules are goose eggs.

BTW, I run 'ifconfig rl0' occasionally to make sure my dynamic IP address has
not changed.
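The counter check Brian describes (which rules "keep incrementing" in 'ipfw show') can be automated. The analyzer below is an added illustration, not code from this thread or from FreeBSD; it parses 'ipfw show' lines and reports the rules that are matching, the packets falling through to ipfw's terminal rule 65535, and the allow rules that never matched. The sample input is a constructed subset of the output posted above.

```python
import re
from dataclasses import dataclass

# Constructed test input: a subset of the 'ipfw show' output in the thread,
# retyped as "rule packets bytes action body" lines.
SAMPLE_IPFW_SHOW = """\
00400 0 0 deny ip from 192.168.1.0/24 to any in recv rl0
01300 9 773 deny ip from any to 240.0.0.0/24 via rl0
01400 73 9535 divert 8668 ip from any to any via rl0
02300 0 0 allow tcp from any to any established
03100 0 0 allow tcp from any to any setup
03200 26 1912 allow udp from a.b.148.62 to any 53 keep-state
65535 58 9215 deny ip from any to any
"""

# 'ipfw show' prints: <rule number> <packet count> <byte count> <rule text>
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

@dataclass
class Rule:
    number: int
    packets: int
    byte_count: int
    action: str   # first word of the rule text: allow, deny, divert, ...
    body: str     # the rest of the rule text

def parse_ipfw_show(text):
    """Parse 'ipfw show' output into Rule records; unparseable lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m.group(1)), int(m.group(2)), int(m.group(3)),
                              m.group(4), m.group(5)))
    return rules

def hit_rules(rules):
    """Rules whose packet counter is non-zero (the ones that keep incrementing)."""
    return [r for r in rules if r.packets > 0]

def default_deny_hits(rules):
    """Packets counted by 65535, ipfw's built-in terminal deny: each of them
    matched none of the explicit rules above it."""
    return sum(r.packets for r in rules if r.number == 65535)

def silent_allows(rules):
    """Allow rules that never matched; when the terminal deny is counting,
    the missing traffic was expected to pass through one of these."""
    return [r.number for r in rules if r.action == "allow" and r.packets == 0]
```

Packets entering on rl1 still carry their private source address when the rules run, because natd only rewrites them at the divert rule on rl0, so an allow rule keyed on the outside address (such as 3200) cannot match them on the inside interface.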